Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test framework incorrectly creates beat config file #42779

Open
AndersonQ opened this issue Feb 19, 2025 · 5 comments
Open

Test framework incorrectly creates beat config file #42779

AndersonQ opened this issue Feb 19, 2025 · 5 comments
Assignees
@AndersonQ
Labels
bug Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@AndersonQ
Copy link
Member

The tests using the new integration test framework fail to run locally on linux.
The config file is saved with 777, whereas it should only allow the owner to have write permissions.

beats/libbeat/testing/integration/run_beat.go

Line 140 in a6ab04f

err := os.WriteFile(cfgPath, []byte(opts.Config), 0777)

For confirmed bugs, please report:

  • Version: all
  • Operating System: Linux
  • Discuss Forum URL: N/A
  • Steps to Reproduce:
    run the sample integration tests from the new test framework
❯ cd filebeat/testing/integration
❯ go test -v -tags integration -run TestFilebeat/Filebeat_crashes_due_to_incorrect_config ./...
=== RUN   TestFilebeat
    run_beat.go:238: ensuring the filebeat binary is available...
    run_beat.go:315: searching for the filebeat directory, starting with /home/ainsoph/devel/github.com/elastic/beats/filebeat/testing/integration...
    run_beat.go:330: found filebeat directory at /home/ainsoph/devel/github.com/elastic/beats/filebeat
    run_beat.go:255: found outdated filebeat binary at /home/ainsoph/devel/github.com/elastic/beats/filebeat/filebeat, removing...
    run_beat.go:270: building /home/ainsoph/devel/github.com/elastic/beats/filebeat/filebeat binary with "mage build"... 
    run_beat.go:281: /home/ainsoph/devel/github.com/elastic/beats/filebeat/filebeat binary has been successfully built 
=== RUN   TestFilebeat/Filebeat_crashes_due_to_incorrect_config
    integration.go:151: running filebeat integration test...
    run_beat.go:132: preparing to run filebeat...
    run_beat.go:315: searching for the filebeat directory, starting with /home/ainsoph/devel/github.com/elastic/beats/filebeat/testing/integration...
    run_beat.go:330: found filebeat directory at /home/ainsoph/devel/github.com/elastic/beats/filebeat
    run_beat.go:145: temporary config has been created at /tmp/TestFilebeatFilebeat_crashes_due_to_incorrect_config3196164503/001/filebeat.yml
    run_beat.go:161: running /home/ainsoph/devel/github.com/elastic/beats/filebeat/filebeat -e -c /tmp/TestFilebeatFilebeat_crashes_due_to_incorrect_config3196164503/001/filebeat.yml -E logging.level=debug --path.home /tmp/TestFilebeatFilebeat_crashes_due_to_incorrect_config3196164503/001/home
    run_beat.go:215: /home/ainsoph/devel/github.com/elastic/beats/filebeat/filebeat is running (pid: 596056)
    integration.go:181: filebeat stopped, exit code 1
    integration.go:193: 
        
        Expectations are not met:
        
         * to have a substring "filebeat start running."
         * to have a substring "Exiting: Failed to start crawler: starting input failed: error while initializing input: no path is configured"
        
    integration.go:298: 
        
        Last 10 lines of the output:
        
        Exiting: error loading config file: config file ("/tmp/TestFilebeatFilebeat_crashes_due_to_incorrect_config3196164503/001/filebeat.yml") can only be writable by the owner but the permissions are "-rwxrwxr-x" (to fix the permissions use: 'chmod go-w /tmp/TestFilebeatFilebeat_crashes_due_to_incorrect_config3196164503/001/filebeat.yml')
        
--- FAIL: TestFilebeat (5.56s)
    --- FAIL: TestFilebeat/Filebeat_crashes_due_to_incorrect_config (0.03s)
FAIL
FAIL	github.com/elastic/beats/v7/filebeat/testing/integration	5.573s
FAIL
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 19, 2025
@AndersonQ AndersonQ removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 19, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 19, 2025
@AndersonQ AndersonQ added Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team and removed needs_team Indicates that the issue/PR needs a Team:* label labels Feb 19, 2025
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@AndersonQ AndersonQ added the bug label Feb 19, 2025
@pierrehilbert
Copy link
Collaborator

pierrehilbert commented Feb 19, 2025
edited
Loading

Looks like this is coming from your change @rdner.

@rdner
Copy link
Member

rdner commented Feb 19, 2025

Few things here:

  1. Why does it happen only locally but not on the CI?
  2. What would be the right permission? 655?

@rdner rdner self-assigned this Feb 19, 2025
@belimawr
Copy link
Contributor

The error mentions:

config file ("...") can only be writable by the owner

I believe the correct permission is 644 or rw-r--r--

@AndersonQ AndersonQ changed the title Test framework incorrectly creates beat config file - Test framework incorrectly creates beat config file Feb 20, 2025
@AndersonQ
Copy link
Member Author

Few things here:

  1. Why does it happen only locally but not on the CI?

It depends on the system umask. Most likely the umask on CI only allows the owner to write to the file, therefore it works. The permission passed to WriteFile is before umask:

// If the file does not exist, WriteFile creates it with permissions perm (before umask);
  1. What would be the right permission? 655?

I believe so. But I'd go with 644. As far as I could see, it needs to pass the following test:

beats/libbeat/common/config.go

Lines 115 to 150 in ba3bce4

// OwnerHasExclusiveWritePerms asserts that the current user or root is the
// owner of the config file and that the config file is (at most) writable by
// the owner or root (e.g. group and other cannot have write access).
func OwnerHasExclusiveWritePerms(name string) error {
if runtime.GOOS == "windows" {
return nil
}
info, err := file.Stat(name)
if err != nil {
return err
}
euid := os.Geteuid()
fileUID, _ := info.UID()
perm := info.Mode().Perm()
if fileUID != 0 && euid != fileUID {
return fmt.Errorf(`config file ("%v") must be owned by the user identifier `+
`(uid=%v) or root`, name, euid)
}
// Test if group or other have write permissions.
if perm&0022 > 0 {
nameAbs, err := filepath.Abs(name)
if err != nil {
nameAbs = name
}
return fmt.Errorf(`config file ("%v") can only be writable by the `+
`owner but the permissions are "%v" (to fix the permissions use: `+
`'chmod go-w %v')`,
name, perm, nameAbs)
}
return nil
}

@AndersonQ AndersonQ assigned AndersonQ and unassigned rdner Feb 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AndersonQ AndersonQ

Labels
bug Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@AndersonQ @belimawr @pierrehilbert @rdner @elasticmachine