Permission denied when reading /proc/$pid/io

Dear all,

Could you please comment on the reason behind specifying the required capabilities NET_ADMIN and SETUID in the following document, which describes how to set up a private location for synthetics monitoring:

More specifically, the documentation gives an example of a docker run and the following note: " The elastic-agent-complete Docker image requires additional capabilities to operate correctly. Ensure NET_RAW and SETUID are enabled on the container."

However, when the SETUID capability is enabled for the docker container AND the "Collect Agent Metrics" option is enabled for the Elastic Agent policy, the following error messages start to appear in the docker container:

{"log.level":"error","@timestamp":"2024-02-11T16:20:26.106Z","message":"Error retrieving CPU percentages: error fetching PID 54: FillPidMetrics: error fetching IO metrics for pid 54: error fetching IO metrics: open /proc/54/io: permission denied","component":{"binary":"heartbeat","dataset":"elastic_agent.heartbeat","id":"synthetics/browser-b4d4ee1d-8ff3-403b-b82a-4e3ae9b4cc2a","type":"synthetics/browser"},"log":{"source":"synthetics/browser-b4d4ee1d-8ff3-403b-b82a-4e3ae9b4cc2a"},"log.logger":"metrics","log.origin":{"file.line":70,"file.name":"report/report.go","function":"github.com/elastic/elastic-agent-system-metrics/report.InstanceCPUReporter.func1"},"service.name":"heartbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}

Indeed, looking at the permissions of /proc/54/io shows:

-r--------  1 root          root          0 Feb 11 16:29 io

But the process itself runs with rUID = eUID = rGID = eGID = 1000 (elastic-agent):

  PID  PPID   UID   GID  EUID  EGID
   54     7  1000  1000  1000  1000

These two facts combined typically mean that the process did a setuid during its run, and thus the kernel protected potentially sensitive files in /proc/$pid so that they are owned by root.

I don't understand why elastic-agent inside a docker container requires SETUID to switch to the elastic-agent user. The default user of the docker container is elastic-agent, and the whole directory hierarchy for elastic-agent is owned by elastic-agent.

I made an experiment by not granting the SETUID capability to the docker container. Elastic Agent works OK, files under /proc/$pid are owned by elastic-agent, and there are no error messages about permissions.

Perhaps it's time to revisit this requirement?

Kind regards,
Ivo Raisr
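As an added illustration (not part of the post above, and not Elastic Agent or elastic-agent-system-metrics code), the following Python script reproduces the check the poster did by hand: it parses the Uid:/Gid: lines of /proc/<pid>/status, compares them with the owner and mode of /proc/<pid>/io, and reports why a given reader uid is or is not allowed to open the file. It relies on the Linux rule in fs/proc/base.c (task_dump_owner): the per-process files of a dumpable task are owned by its euid/egid, while those of a non-dumpable task are owned by root; the dumpable flag is cleared whenever a task's credentials change (setuid/setgid, or a new capability set that is not a subset of the old one) or when it calls prctl(PR_SET_DUMPABLE, 0). The sample status text is constructed to match PID 54 from the post; `check_pid` is a hypothetical helper for running the same diagnosis against a live /proc.

```python
# Added diagnostic for "open /proc/<pid>/io: permission denied" (example code,
# not from the forum post or from Elastic Agent). Compares the owner of
# /proc/<pid>/io with the process's own credentials from /proc/<pid>/status.
import os
import stat
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreds:
    """Real, effective, saved and filesystem ids as listed in /proc/<pid>/status."""
    uid: tuple  # (ruid, euid, suid, fsuid)
    gid: tuple  # (rgid, egid, sgid, fsgid)


def parse_status(text: str) -> ProcCreds:
    """Extract the four-column Uid:/Gid: lines from the text of /proc/<pid>/status."""
    ids = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key in ("Uid", "Gid"):
            ids[key] = tuple(int(x) for x in rest.split())
    if any(len(ids.get(k, ())) != 4 for k in ("Uid", "Gid")):
        raise ValueError("status text has no 4-column Uid:/Gid: lines")
    return ProcCreds(ids["Uid"], ids["Gid"])


def diagnose(creds: ProcCreds, io_owner_uid: int, io_mode: int, reader_uid: int):
    """Return (readable, reason) for a reader with uid `reader_uid` opening
    /proc/<pid>/io, given that file's owner uid and st_mode."""
    euid = creds.uid[1]
    perm = stat.S_IMODE(io_mode)
    if reader_uid == 0:
        return True, "reader is root, so DAC on /proc/<pid>/io does not apply"
    if io_owner_uid != euid:
        # Kernel task_dump_owner(): a non-dumpable task's /proc files are root-owned.
        return False, (
            f"/proc/<pid>/io is owned by uid {io_owner_uid} while the process runs "
            f"with euid {euid}: the task is not dumpable (its credentials changed "
            "during its run, e.g. via setuid), so the kernel hid its /proc files "
            "behind root ownership"
        )
    if reader_uid == io_owner_uid and perm & stat.S_IRUSR:
        return True, f"owner uid {io_owner_uid} matches euid and mode {perm:04o} is owner-readable"
    return False, (
        f"reader uid {reader_uid} is neither root nor the owner uid {io_owner_uid} "
        f"of /proc/<pid>/io (mode {perm:04o})"
    )


def check_pid(pid: int, proc: str = "/proc"):
    """Hypothetical helper: run the diagnosis against a live process as the
    current euid. `proc` may point at a copied /proc tree for offline use."""
    base = os.path.join(proc, str(pid))
    with open(os.path.join(base, "status"), encoding="ascii") as fh:
        creds = parse_status(fh.read())
    st = os.stat(os.path.join(base, "io"))
    return diagnose(creds, st.st_uid, st.st_mode, os.geteuid())


# Constructed sample matching the post: PID 54 runs as uid/gid 1000, yet
# /proc/54/io is root-owned with mode 0400, and heartbeat reads it as uid 1000.
SAMPLE_STATUS = (
    "Name:\theartbeat\nPid:\t54\nPPid:\t7\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
)


def sample_result():
    creds = parse_status(SAMPLE_STATUS)
    return diagnose(creds, io_owner_uid=0, io_mode=0o100400, reader_uid=1000)


if __name__ == "__main__":
    readable, why = sample_result()
    print("readable" if readable else "denied", "-", why)
    if len(sys.argv) > 1:  # optional: diagnose a real PID on this host
        print(check_pid(int(sys.argv[1])))
```

Run as `python3 procio_diag.py` for the constructed case, or `python3 procio_diag.py 54` inside the container to test a live PID; a "not dumpable" verdict while the process's euid is the container user is the signature described in the post.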