Work on privileged/unprivileged command.

Author: blakerouse

internal/pkg/agent/cmd/common.go

@@ -77,6 +77,8 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command {
 	cmd.AddCommand(newUpgradeCommandWithArgs(args, streams))
 	cmd.AddCommand(newEnrollCommandWithArgs(args, streams))
 	cmd.AddCommand(newInspectCommandWithArgs(args, streams))
+	cmd.AddCommand(newPrivilegedCommandWithArgs(args, streams))
+	cmd.AddCommand(newUnprivilegedCommandWithArgs(args, streams))
 	cmd.AddCommand(newWatchCommandWithArgs(args, streams))
 	cmd.AddCommand(newContainerCommand(args, streams))
 	cmd.AddCommand(newStatusCommand(args, streams))

internal/pkg/agent/cmd/enroll_cmd.go

@@ -38,6 +38,7 @@ import (
 	"github.com/elastic/elastic-agent/internal/pkg/release"
 	"github.com/elastic/elastic-agent/internal/pkg/remote"
 	"github.com/elastic/elastic-agent/pkg/control/v2/client"
+	"github.com/elastic/elastic-agent/pkg/control/v2/client/wait"
 	"github.com/elastic/elastic-agent/pkg/core/logger"
 	"github.com/elastic/elastic-agent/pkg/core/process"
 	"github.com/elastic/elastic-agent/pkg/utils"
@@ -324,7 +325,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
 	if err != nil {
 		if !c.options.FleetServer.SpawnAgent {
 			// wait longer to try and communicate with the Elastic Agent
-			err = waitForAgent(ctx, c.options.DaemonTimeout)
+			err = wait.ForAgent(ctx, c.options.DaemonTimeout)
 			if err != nil {
 				return "", errors.New("failed to communicate with elastic-agent daemon; is elastic-agent running?")
 			}
@@ -711,54 +712,6 @@ type waitResult struct {
 	err             error
 }
 
-func waitForAgent(ctx context.Context, timeout time.Duration) error {
-	if timeout == 0 {
-		timeout = 1 * time.Minute
-	}
-	if timeout > 0 {
-		var cancel context.CancelFunc
-		ctx, cancel = context.WithTimeout(ctx, timeout)
-		defer cancel()
-	}
-	maxBackoff := timeout
-	if maxBackoff <= 0 {
-		// indefinite timeout
-		maxBackoff = 10 * time.Minute
-	}
-
-	resChan := make(chan waitResult)
-	innerCtx, innerCancel := context.WithCancel(context.Background())
-	defer innerCancel()
-	go func() {
-		backOff := expBackoffWithContext(innerCtx, 1*time.Second, maxBackoff)
-		for {
-			backOff.Wait()
-			_, err := getDaemonState(innerCtx)
-			if errors.Is(err, context.Canceled) {
-				resChan <- waitResult{err: err}
-				return
-			}
-			if err == nil {
-				resChan <- waitResult{}
-				break
-			}
-		}
-	}()
-
-	var res waitResult
-	select {
-	case <-ctx.Done():
-		innerCancel()
-		res = <-resChan
-	case res = <-resChan:
-	}
-
-	if res.err != nil {
-		return res.err
-	}
-	return nil
-}
-
 func waitForFleetServer(ctx context.Context, agentSubproc <-chan *os.ProcessState, log *logger.Logger, timeout time.Duration) (string, error) {
 	if timeout == 0 {
 		timeout = 2 * time.Minute

internal/pkg/agent/cmd/inspect.go

@@ -252,43 +252,12 @@ func inspectComponents(ctx context.Context, cfgPath string, opts inspectComponen
 		return err
 	}
 
-	// Load the requirements before trying to load the configuration. These should always load
-	// even if the configuration is wrong.
-	platform, err := component.LoadPlatformDetail()
-	if err != nil {
-		return fmt.Errorf("failed to gather system information: %w", err)
-	}
-	specs, err := component.LoadRuntimeSpecs(paths.Components(), platform)
-	if err != nil {
-		return fmt.Errorf("failed to detect inputs and outputs: %w", err)
-	}
-
-	isAdmin, err := utils.HasRoot()
-	if err != nil {
-		return fmt.Errorf("error checking for root/Administrator privileges: %w", err)
-	}
-
-	m, lvl, err := getConfigWithVariables(ctx, l, cfgPath, opts.variablesWait, !isAdmin)
+	comps, err := getComponentsFromPolicy(ctx, l, cfgPath, opts.variablesWait)
 	if err != nil {
+		// error already includes the context
 		return err
 	}
 
-	monitorFn, err := getMonitoringFn(ctx, m)
-	if err != nil {
-		return fmt.Errorf("failed to get monitoring: %w", err)
-	}
-
-	agentInfo, err := info.NewAgentInfoWithLog(ctx, "error", false)
-	if err != nil {
-		return fmt.Errorf("could not load agent info: %w", err)
-	}
-
-	// Compute the components from the computed configuration.
-	comps, err := specs.ToComponents(m, monitorFn, lvl, agentInfo)
-	if err != nil {
-		return fmt.Errorf("failed to render components: %w", err)
-	}
-
 	// Hide configuration unless toggled on.
 	if !opts.showConfig {
 		for i, comp := range comps {
@@ -349,6 +318,47 @@ func inspectComponents(ctx context.Context, cfgPath string, opts inspectComponen
 	return printComponents(allowed, blocked, streams)
 }
 
+func getComponentsFromPolicy(ctx context.Context, l *logger.Logger, cfgPath string, variablesWait time.Duration) ([]component.Component, error) {
+	// Load the requirements before trying to load the configuration. These should always load
+	// even if the configuration is wrong.
+	platform, err := component.LoadPlatformDetail()
+	if err != nil {
+		return nil, fmt.Errorf("failed to gather system information: %w", err)
+	}
+	specs, err := component.LoadRuntimeSpecs(paths.Components(), platform)
+	if err != nil {
+		return nil, fmt.Errorf("failed to detect inputs and outputs: %w", err)
+	}
+
+	isAdmin, err := utils.HasRoot()
+	if err != nil {
+		return nil, fmt.Errorf("error checking for root/Administrator privileges: %w", err)
+	}
+
+	m, lvl, err := getConfigWithVariables(ctx, l, cfgPath, variablesWait, !isAdmin)
+	if err != nil {
+		return nil, err
+	}
+
+	monitorFn, err := getMonitoringFn(ctx, m)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get monitoring: %w", err)
+	}
+
+	agentInfo, err := info.NewAgentInfoWithLog(ctx, "error", false)
+	if err != nil {
+		return nil, fmt.Errorf("could not load agent info: %w", err)
+	}
+
+	// Compute the components from the computed configuration.
+	comps, err := specs.ToComponents(m, monitorFn, lvl, agentInfo)
+	if err != nil {
+		return nil, fmt.Errorf("failed to render components: %w", err)
+	}
+
+	return comps, nil
+}
+
 func getMonitoringFn(ctx context.Context, cfg map[string]interface{}) (component.GenerateMonitoringCfgFn, error) {
 	config, err := config.NewConfigFrom(cfg)
 	if err != nil {

internal/pkg/agent/cmd/install.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"time"
 
 	"github.com/spf13/cobra"
 
@@ -230,7 +231,7 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command) error {
 			defer func() {
 				if err != nil {
 					progBar.Describe("Stopping Service")
-					innerErr := install.StopService(topPath)
+					innerErr := install.StopService(topPath, 30*time.Second, 250*time.Millisecond)
 					if innerErr != nil {
 						progBar.Describe("Failed to Stop Service")
 					} else {

internal/pkg/agent/cmd/privileged.go

@@ -0,0 +1,98 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+
+	"github.com/spf13/cobra"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/application/paths"
+	"github.com/elastic/elastic-agent/internal/pkg/agent/install"
+	"github.com/elastic/elastic-agent/internal/pkg/cli"
+	"github.com/elastic/elastic-agent/pkg/control/v2/client/wait"
+	"github.com/elastic/elastic-agent/pkg/utils"
+)
+
+func newPrivilegedCommandWithArgs(s []string, streams *cli.IOStreams) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "privileged",
+		Short: "Switch installed Elastic Agent to run as privileged",
+		Long: `This command converts the installed Elastic Agent from running unprivileged to running as privileged.
+
+By default this command will ask or a confirmation before making this change. You can bypass the confirmation request
+using the -f flag. This will always stop the running Elastic Agent (if running) before performing the switch it is
+possible that loss of metrics could occur during this small window of time. The command also always starts the
+Elastic Agent at the end (even if it was off to start). In the case that the Elastic Agent is already running
+privileged it will still perform all the same work, including stopping and starting the Elastic Agent.
+`,
+		Args: cobra.ExactArgs(0),
+		Run: func(c *cobra.Command, args []string) {
+			if err := privilegedCmd(streams, c); err != nil {
+				fmt.Fprintf(streams.Err, "Error: %v\n%s\n", err, troubleshootMessage())
+				os.Exit(1)
+			}
+		},
+	}
+
+	cmd.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
+	cmd.Flags().DurationP("daemon-timeout", "", 0, "Timeout waiting for Elastic Agent daemon")
+
+	return cmd
+}
+
+func privilegedCmd(streams *cli.IOStreams, cmd *cobra.Command) (err error) {
+	isAdmin, err := utils.HasRoot()
+	if err != nil {
+		return fmt.Errorf("unable to perform privileged command while checking for root/Administrator rights: %w", err)
+	}
+	if !isAdmin {
+		return fmt.Errorf("unable to perform privileged command, not executed with %s permissions", utils.PermissionUser)
+	}
+
+	// TODO(blakerouse): More work to get this working on macOS.
+	// Need to switch the vault from keystore based to file based vault.
+	if runtime.GOOS == "darwin" {
+		return errors.New("unable to perform unprivileged on macOS (not supported)")
+	}
+
+	topPath := paths.Top()
+	daemonTimeout, _ := cmd.Flags().GetDuration("daemon-timeout")
+	force, _ := cmd.Flags().GetBool("force")
+	if !force {
+		confirm, err := cli.Confirm("This will restart the running Elastic Agent and convert it to run in privileged mode. Do you want to continue?", true)
+		if err != nil {
+			return fmt.Errorf("problem reading prompt response")
+		}
+		if !confirm {
+			return fmt.Errorf("unprivileged switch was cancelled by the user")
+		}
+	}
+
+	pt := install.CreateAndStartNewSpinner(streams.Out, "Converting Elastic Agent to privileged...")
+	err = install.SwitchExecutingMode(topPath, pt, "", "")
+	if err != nil {
+		// error already adds context
+		return err
+	}
+
+	// wait for the service
+	if daemonTimeout >= 0 {
+		pt.Describe("Waiting for running service")
+		ctx := handleSignal(context.Background()) // allowed to be cancelled
+		err = wait.ForAgent(ctx, daemonTimeout)
+		if err != nil && !errors.Is(err, context.Canceled) {
+			pt.Describe("Failed waiting for running service")
+			return err
+		}
+		pt.Describe("Service is up and running")
+	}
+
+	return nil
+}