Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Agent install -f Leaves Orphaned Tamper-Protected Endpoint #4506

Closed
gabriellandau opened this issue Apr 2, 2024 · 4 comments · Fixed by #4965
Closed

Agent install -f Leaves Orphaned Tamper-Protected Endpoint #4506

gabriellandau opened this issue Apr 2, 2024 · 4 comments · Fixed by #4965
Assignees
@michel-laterman
Labels
bug Something isn't working Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@gabriellandau
Copy link

Using install -f on top of a tamper-protected Agent/Endpoint replaces Agent but leaves an orphaned Endpoint.

Observed in Agent 8.13.0 on Windows 10 22H2.

Repro

  1. Install Agent 8.11.2
  2. Enable Defend integration and Tamper Protection
  3. Install Agent 8.13.0 with install -f
  4. Observe mismatched Agent and Defend versions:
C:\>"C:\Program Files\Elastic\Agent\elastic-agent.exe" version
Binary: 8.12.2 (build: de80b0d70174ba45dc869fdf121109763bbfcce0 at 2024-02-19 17:01:34 +0000 UTC)
Daemon: 8.12.2 (build: de80b0d70174ba45dc869fdf121109763bbfcce0 at 2024-02-19 17:01:34 +0000 UTC)

C:\>"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" version
version: 8.13.0, compiled: Wed Mar 20 21:00:00 2024, branch: HEAD, commit: f90579240155fc17f659ed37f7864ab1194ed2ea

cc @cmacknz
@gabriellandau gabriellandau added the bug Something isn't working label Apr 2, 2024
@pierrehilbert pierrehilbert added the Team:Elastic-Agent Label for the Agent team label Apr 2, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@cmacknz
Copy link
Member

cmacknz commented Apr 2, 2024

I suspect this is being caused by the call to Uninstall we make if we detect we are installing over a installed agent that is still functional.

elastic-agent/internal/pkg/agent/install/install.go

Lines 42 to 60 in d6f5035

// We only uninstall Agent if it is currently installed.
status, _ := Status(topPath)
if status == Installed {
// Uninstall current installation
//
// There is no uninstall token for "install" command.
// Uninstall will fail on protected agent.
// The protected Agent will need to be uninstalled first before it can be installed.
pt.Describe("Uninstalling current Elastic Agent")
err = Uninstall(cfgFile, topPath, "", log, pt)
if err != nil {
pt.Describe("Failed to uninstall current Elastic Agent")
return utils.FileOwner{}, errors.New(
err,
fmt.Sprintf("failed to uninstall Agent at (%s)", filepath.Dir(topPath)),
errors.M("directory", filepath.Dir(topPath)))
}
pt.Describe("Successfully uninstalled current Elastic Agent")
}

The "" argument in Uninstall(cfgFile, topPath, "", log, pt) is the uninstall token, so for a tamper protected agent this can never succeed. This should be failing with a tamper protection error though. I think that's really all we can do here is fail with a tamper protection error and have the user try again by calling elastic-agent uninstall with the token.

@intxgo
Copy link
Contributor

intxgo commented Apr 9, 2024

related to #4349

@ycombinator ycombinator added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label May 17, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

This was referenced Jun 19, 2024
Merged
Open
@mergify mergify bot mentioned this issue Jun 28, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michel-laterman michel-laterman

Labels
bug Something isn't working Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

"install -f" uses exec to uninstall an existing agent michel-laterman/elastic-agent
8 participants
@ycombinator @pierrehilbert @cmacknz @blakerouse @elasticmachine @intxgo @gabriellandau @michel-laterman