Unable to use mounted elastic-agent.yml if running in elastic-agent container


I am using elastic-agent-7.9.0-SNAPSHOT docker image (also tested and encountered the same error with elastic-agent-8.0.0-SNAPSHOT docker image).
My docker-compose.yml:

version: '3.7'
    image: docker.elastic.co/beats/elastic-agent:7.9.0-SNAPSHOT
    container_name: elastic-agent
    command: ["enroll", "http://kibana:5601", "<enrollment_token>"]
      - "FLEET_ENROLL=1"
      - "FLEET_SETUP=1"
      - "KIBANA_HOST=http://kibana:5601"
      - ./elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml

Error message:

fail to enroll: could not save enrollment information: could not backup /usr/share/elastic-agent/elastic-agent.yml: rename /usr/share/elastic-agent/elastic-agent.yml /usr/share/elastic-agent/elastic-agent.yml.2020-06-29T23-51-39.7743.bak: device or resource busy

This error leads to another issue: I am not able to specify the ca.crt for Metricbeat and Filebeat running in the elastic-agent container.

This also breaks if ES requires authentication, because I am not able to specify ES username and password in elastic-agent.yml for Metricbeat and Filebeat.

Hi @hendry.lim Thanks for trying out the Elastic Agent. Based on your error, I assume you are using the Elastic Agent together with the Ingest Manager and tried to enroll the agent?

The error indicates, that the elastic agent is missing the permissions to rename / backup the config. He needs to have these permissions because when enrolling into Ingest Manager, the existing config is backed up and overwritten by the config coming from Ingest Manager.

If you are using Ingest Manager, you don't need to copy your own configuration into the container. Also username / password are replaced by API Keys when used with Ingest Manager, so no need to specify it.

Did you perhaps wanted to run Agent in standalone mode? If yes, you need to remove the enrollment part.

Hi @ruflin Thank you for your prompt reply.

Based on your error, I assume you are using the Elastic Agent together with the Ingest Manager and tried to enroll the agent?

That is correct. I am trying out Elastic Agent with Ingest Manager and Fleet. I am able to get the Elastic Agent to run in container, but Filebeat and Metricbeat are unable to connect back to ES due to SSL error caused by using self-signed certificate.
How do I configure ca.crt or ca_sha256 for Filebeat and Metricbeat running in the same Elastic Agent container?

Ping request failed with: Get https://es01:9200: x509: certificate signed by unknown authority

I just found out that I am unable to edit the Elastic Agent configuration data source with the latest 7.9.0 snapshot. It's the same for a new configuration.

Saw this issue #19504 raised, hopefully this will be the solution for the custom certificate authority use case.

Yes, that should solve it. @pierhugues Can you think of a temporary workaround?

elastic-agent-7.8.0-x86_64.rpm and elastic-agent-7.8.0-linux-x86_64.tar.gz have the same issue, setting ssl.certificate_authorities in elastic-agent.yml didn't work as it does for the beats when they're not under the agent.