Elastic Agent (IronBank) Components: Missing Executable Permissions on GO CLI Binaries

The following files are missing the executable permission in the resulting Elastic Agent image stored in the IronBank container registry (File Type: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, Go BuildID=*, stripped):

  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/pf-host-agent
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/auditbeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/osqueryd
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/fleet-server
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/filebeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/metricbeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/cloudbeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/heartbeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/osquerybeat
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/pf-elastic-symbolizer
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/apm-server
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/pf-elastic-collector
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/cloud-defend
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/endpoint-security
  • /usr/share/elastic-agent/data/elastic-agent-xxxxxx/components/packetbeat

They (and potentially others like elastic-agent-shipper, depending on version) can be identified via the following find command:

find /usr/share/elastic-agent/data/elastic-agent-*/components -maxdepth 1 -type f -not -name "*.*"

The error logging comes from the Go function logBasedOnState(...) in coordinator.go (elastic-agent/internal/pkg/agent/application/coordinator/coordinator.go on the main branch of the elastic/elastic-agent repository on GitHub; the component-level and unit-level messages are emitted from two separate call sites there). A sample of the error log messages for the fleet_server package is below (stack version 8.12.1):

{"log.level":"error","@timestamp":"2024-05-03T21:24:38.797Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":563},"message":"Spawned new component fleet-server-default: Failed: execution of component prevented: cannot be writeable by group or other","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"FAILED"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-05-03T21:24:38.797Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":570},"message":"Spawned new unit fleet-server-default-fleet-server: Failed: execution of component prevented: cannot be writeable by group or other","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"FAILED"},"unit":{"id":"fleet-server-default-fleet-server","type":"input","state":"FAILED"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-05-03T21:24:38.797Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":570},"message":"Spawned new unit fleet-server-default: Failed: execution of component prevented: cannot be writeable by group or other","log":{"source":"elastic-agent"},"component":{"id":"fleet-server-default","state":"FAILED"},"unit":{"id":"fleet-server-default","type":"output","state":"FAILED"},"ecs.version":"1.6.0"}

I believe the following find commands in the Dockerfile RUN directive for Elastic Agent permissions (Build Stage 0) (source) have permissions for files and directories in reverse order.

find /usr/share//elastic-agent/data -type d -exec chmod 0770 {} \;   <=== Propose changing octals to something like '0660' or '0664'
find /usr/share//elastic-agent/data -type f -exec chmod 0660 {} \;   <=== Propose changing octals to something like '0750' or '0755'
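The following script is an added example, not code from the issue or from the elastic-agent project. It reproduces, over a constructed stand-in for the components directory, the two conditions this report is about: the agent refuses to spawn a component binary that is writeable by group or other (the "execution of component prevented" message in the log lines above), and the kernel will not exec a file that lacks the owner execute bit. It applies the Dockerfile's current chmod pair (directories 0770, files 0660) and shows every component failing, then applies a hardened pair and shows the tree passing. The hardened values (0755 for both directories and files, so directories stay traversable and binaries are writeable only by their owner) are an assumption of this example, not the project's fix; the file list uses the same find filter as the command above. Requires GNU coreutils stat (stat -c).

```sh
#!/bin/sh
# Added example (not from the issue or from elastic-agent). Paths, file
# contents and the hardened mode pair below are constructed for this demo.
# Requires GNU coreutils stat (stat -c '%a').

# Emit "REASON PATH" for every extension-less regular file directly under $1
# that could not be spawned: first the agent's own refusal condition
# (writeable by group or other), then the OS requirement (owner exec bit).
# Emits nothing when the directory is clean.
audit_components() {
    find "$1" -maxdepth 1 -type f -not -name "*.*" | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")                 # e.g. 660 or 755
        if [ $(( 0$mode & 022 )) -ne 0 ]; then    # g+w or o+w set
            echo "group-or-other-writable $f"
        elif [ $(( 0$mode & 0100 )) -eq 0 ]; then # u+x missing
            echo "not-executable $f"
        fi
    done
}

# Number of offending files under $1; 0 means every component would pass.
audit_count() {
    audit_components "$1" | wc -l | tr -d ' '
}

# The pair currently in the IronBank Dockerfile (directories 0770, files 0660).
apply_current_modes() {
    find "$1" -type d -exec chmod 0770 {} \;
    find "$1" -type f -exec chmod 0660 {} \;
}

# Hardened pair used by this example only (an assumption, not the project's
# fix): directories remain traversable, binaries are owner-executable and
# writeable by nobody but the owner.
apply_hardened_modes() {
    find "$1" -type d -exec chmod 0755 {} \;
    find "$1" -type f -exec chmod 0755 {} \;
}

# Build a constructed stand-in for .../data/elastic-agent-xxxxxx/components
# and print its path. Three fake component "binaries" plus one spec file
# with an extension, which the audit must ignore.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/components"
    for c in fleet-server filebeat metricbeat; do
        printf '#!/bin/sh\nexit 0\n' > "$root/components/$c"
    done
    echo 'constructed spec' > "$root/components/filebeat.spec.yml"
    echo "$root/components"
}

# Demonstration when run directly: `sh audit.sh demo`
if [ "${1:-}" = "demo" ]; then
    comps=$(make_fixture)
    apply_current_modes "$comps"
    echo "current pair:  $(audit_count "$comps") component(s) failing"
    audit_components "$comps"
    apply_hardened_modes "$comps"
    echo "hardened pair: $(audit_count "$comps") component(s) failing"
    rm -rf "$(dirname "$comps")"
fi
```

With the current pair every component is reported as group-or-other-writable, which is exactly the refusal the coordinator logs; note that the agent's check trips on the group write bit of 0660 before the missing execute bit ever matters, so fixing only the execute bit would not be enough.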

Appears this is being handled by elastic-agent issue #4539.