From 21cff7d560436fb46e89a64336b800f7e9066fbc Mon Sep 17 00:00:00 2001
From: michel-laterman
Date: Tue, 9 Apr 2024 08:45:28 -0700
Subject: [PATCH] Backport elastic-agent#1867

Backport elastic-agent#1867 that forces the agent use use certificate verification instead of full verification when connecting to a local fleet-server instance. This change should resolve fleet-server#3435 which is a change in how certificates are verified when the beats lib in 7.17 is updated in fleet-server. Also fix linter issues
---
 x-pack/elastic-agent/CHANGELOG.next.asciidoc | 1 +
 .../elastic-agent/pkg/agent/cmd/enroll_cmd.go | 26 ++++++++++++-------
 x-pack/elastic-agent/pkg/remote/client.go | 1 +
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
index d434fdb3f40..adfccbf3da4 100644
--- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc
@@ -97,6 +97,7 @@
 - Allow the - char to appear as part of variable names in eql expressions. {pull}32350[32350]
 - Allow the / char to appear as part of variable names in eql expressions. {pull}32528{32528}
 - Fix add_fields processor on Docker provider {pull}33269{33269}
+- Change local fleet-server connection to localhost:8221. {pull}38785[38785]
 
 ==== New features
 
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
index 748704bfc65..1cb77f5abf8 100644
--- a/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
+++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
@@ -9,7 +9,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/rand"
 	"os"
 	"os/exec"
@@ -269,7 +268,7 @@ func (c *enrollCmd) writeDelayEnroll(streams *cli.IOStreams) error {
 			errors.TypeConfig, errors.M("path", enrollPath))
 	}
-	err = ioutil.WriteFile(enrollPath, data, 0600)
+	err = os.WriteFile(enrollPath, data, 0600)
 	if err != nil {
 		return errors.New(
 			err,
@@ -284,6 +283,9 @@ func (c *enrollCmd) writeDelayEnroll(streams *cli.IOStreams) error {
 func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig map[string]interface{}) (string, error) {
 	c.log.Debug("verifying communication with running Elastic Agent daemon")
 	agentRunning := true
+	if c.options.FleetServer.InternalPort == 0 {
+		c.options.FleetServer.InternalPort = defaultFleetServerInternalPort
+	}
 	_, err := getDaemonStatus(ctx)
 	if err != nil {
 		if !c.options.FleetServer.SpawnAgent {
@@ -321,6 +323,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
 	if err != nil {
 		return "", err
 	}
+	c.options.FleetServer.InternalPort = fleetConfig.Server.InternalPort
 
 	configToStore := map[string]interface{}{
 		"agent": agentConfig,
@@ -360,7 +363,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
 func (c *enrollCmd) prepareFleetTLS() error {
 	host := c.options.FleetServer.Host
 	if host == "" {
-		host = "localhost"
+		host = defaultFleetServerInternalHost
 	}
 	port := c.options.FleetServer.Port
 	if port == 0 {
@@ -376,7 +379,7 @@ func (c *enrollCmd) prepareFleetTLS() error {
 	if c.options.FleetServer.Insecure {
 		// running insecure, force the binding to localhost (unless specified)
 		if c.options.FleetServer.Host == "" {
-			c.options.FleetServer.Host = "localhost"
+			c.options.FleetServer.Host = defaultFleetServerInternalHost
 		}
 		c.options.URL = fmt.Sprintf("http://%s:%d", host, port)
 		c.options.Insecure = true
@@ -531,6 +534,9 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
 	// use internal URL for future requests
 	if c.options.InternalURL != "" {
 		fleetConfig.Client.Host = c.options.InternalURL
+		// fleet-server will bind the internal listenter to localhost:8221
+		// InternalURL is localhost:8221, however cert uses $HOSTNAME, so we need to disable hostname verification.
+		fleetConfig.Client.Transport.TLS.VerificationMode = tlscommon.VerifyCertificate
 	}
 }
 
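Review bot: The InternalPort default applied at the top of fleetServerBootstrap is copied back unconditionally from the generated config further down (`c.options.FleetServer.InternalPort = fleetConfig.Server.InternalPort` in hunk @@ -321,6 +323,7 @@), so if the config builder leaves Server.InternalPort at zero the default is silently undone and the internal URL would be built with port 0. Guarding the copy-back with `if fleetConfig.Server.InternalPort != 0 {` keeps the default in that case; if the builder is known to propagate the option, this is only a defensive check. fleetServerBootstrap continues outside both hunks, and defaultFleetServerInternalPort is not introduced by this patch, so it is presumed to already exist in the package.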
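Review bot: The drop to `tlscommon.VerifyCertificate` is applied whenever InternalURL is non-empty, not only when it points at the loopback listener the comment describes, so a non-local InternalURL would also skip hostname verification; tying the relaxation to the InternalURL host being localhost or 127.0.0.1 (or documenting that InternalURL is always loopback) keeps the downgrade scoped to the case that needs it. The assignment also dereferences `fleetConfig.Client.Transport.TLS` with no nil check; if the plain-HTTP (Insecure) path leaves that pointer nil this panics, so wrap it: `if fleetConfig.Client.Transport.TLS != nil {` … `}`. The added comment has a typo (`listenter`) and should say what is still checked, e.g. `// The internal listener is loopback-only but its cert carries $HOSTNAME; keep certificate validation and skip only the hostname match.` enroll continues outside the hunk.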
@@ -602,7 +608,7 @@ func (c *enrollCmd) startAgent(ctx context.Context) (<-chan *os.ProcessState, er
 
 func (c *enrollCmd) stopAgent() {
 	if c.agentProc != nil {
-		c.agentProc.StopWait()
+		_ = c.agentProc.StopWait()
 		c.agentProc = nil
 	}
 }
@@ -664,7 +670,7 @@ func waitForAgent(ctx context.Context, timeout time.Duration) error {
 		for {
 			backOff.Wait()
 			_, err := getDaemonStatus(innerCtx)
-			if err == context.Canceled {
+			if errors.Is(err, context.Canceled) {
 				resChan <- waitResult{err: err}
 				return
 			}
@@ -714,7 +720,7 @@ func waitForFleetServer(ctx context.Context, agentSubproc <-chan *os.ProcessStat
 		for {
 			backExp.Wait()
 			status, err := getDaemonStatus(innerCtx)
-			if err == context.Canceled {
+			if errors.Is(err, context.Canceled) {
 				resChan <- waitResult{err: err}
 				return
 			}
@@ -827,7 +833,7 @@ func safelyStoreAgentInfo(s saver, reader io.Reader) error {
 	for i := 0; i <= maxRetriesstoreAgentInfo; i++ {
 		backExp.Wait()
 		err = storeAgentInfo(s, reader)
-		if err != filelock.ErrAppAlreadyRunning {
+		if !errors.Is(err, filelock.ErrAppAlreadyRunning) {
 			break
 		}
 	}
@@ -841,7 +847,9 @@ func storeAgentInfo(s saver, reader io.Reader) error {
 	if err := fileLock.TryLock(); err != nil {
 		return err
 	}
-	defer fileLock.Unlock()
+	defer func() {
+		_ = fileLock.Unlock()
+	}()
 	if err := s.Save(reader); err != nil {
 		return errors.New(err, "could not save enrollment information", errors.TypeFilesystem)
diff --git a/x-pack/elastic-agent/pkg/remote/client.go b/x-pack/elastic-agent/pkg/remote/client.go
index 9dc8b322c81..2464418d231 100644
--- a/x-pack/elastic-agent/pkg/remote/client.go
+++ b/x-pack/elastic-agent/pkg/remote/client.go
@@ -175,6 +175,7 @@ func (c *Client) Send(
 	if err != nil {
 		return nil, errors.Wrapf(err, "fail to create HTTP request using method %s to %s", method, path)
 	}
+	c.log.Debugf("Creating new request to request URL %s", req.URL.String())
 
 	// Add generals headers to the request, we are dealing exclusively with JSON.
 	// Content-Type / Accepted type can be override from the called.
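Review bot: The new debug line in Send writes `req.URL.String()` on every request, which includes the query string and any userinfo embedded in the URL; prefer `c.log.Debugf("creating %s request to %s", method, req.URL.Redacted())` so a credential placed in the URL is masked in logs and the method is recorded alongside it. The wording "request to request URL" is also redundant. Send begins outside the hunk.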