
@mergify mergify bot commented Jun 20, 2025

  • Enhancement

What does this PR do?

Updates the preinstall script for deb and rpm to stop the endpoint security service and remove the vault.

Why is it important?

Currently, when users upgrade their deb or rpm agents using their respective package managers, if endpoint is running and has tamper protection enabled, endpoint will become unhealthy. This PR fixes it by replicating what endpoint-security uninstall --uninstall-token <token> does in the deb/rpm preinstall script.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

There shouldn't be anything disruptive for the users.

How to test this PR locally

  • Start endpoint-compatible VMs, one for deb and one for rpm
  • Build the agent for these two platforms
  • Create an ESS deployment
  • Create a policy, add endpoint integration
  • Follow the "Add Agent" instructions and install the version that is shown on the instructions.
  • Validate that both the agent and endpoint are healthy
  • Upgrade the agent running either sudo apt install <Agent that you built> or sudo dnf install <Agent that you built>
  • After the upgrade is done, validate that both the agent and the endpoint are healthy
  • Just to be sure, validate that the new endpoint is still tamper protected
    • Try to uninstall agent without a token and see it fail
    • Try to uninstall agent with an uninstall token and validate that it is uninstalled
    • Beware that removing the agent using the package managers will indeed uninstall the agent but will leave endpoint. Use the elastic-agent command to uninstall.

Repeat the steps above but test same version upgrades.

  • Install the agent you packaged from the branch.
  • Enroll into fleet
  • Install the same agent again with dpkg -i or rpm -Uvh --force
  • Check the status of the agent and endpoint
  • Validate that tamper protection is enabled

Note: When testing you may run into the following error

┌─ fleet
│  └─ status: (STARTING)
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   └─ endpoint-default
      ├─ status: (FAILED) Elastic Defend cannot run on an emulated architecture
      ├─ endpoint-default
      │  └─ status: (FAILED) Elastic Defend cannot run on an emulated architecture
      └─ endpoint-default-b73c5b0f-3b0a-4877-a531-35fdd9f9204f
         └─ status: (FAILED) Elastic Defend cannot run on an emulated architecture

This is related to the following bug #6866

Related issues

…tion (#6907)

* Update pkg/testing/tools/tools.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(6394): updated preinstall script, updated service to use uninstall token

* enhancement(6394): updated the preinstall script

* enhancement(6394): started adding integration tests

* enhancement(6394): updated fixture install, updated endpoint security tests

* enhancement(6394): cleaned up fixture_install, added function that exposes fixture's uninstall tokens, updated tests

* enhancement(6394): refactored test code so that I can use it with rpm

* enhancement(6394): added tests to assert that tamper protection works

* enhancement(6394): updated the endpoint testing tools, fixture install functions and the deb rpm upgrade tests

* enhancement(6394): added test logs, updated rpm installation to set agent socket path

* enhancement(6394): remove commented code

* enhancement(6394): remove print statements

* enhancement(6394): remove unnecessary comments, refactor unused function

* enhancement(6394): revert var name change

* enhancement(6394): added changelog

* enhancement(6394): update test logs, add non integrative config to deb installation

* enhancement(6394): updated the endpoint version comparison and assertion

* enhancement(6394): added log in tests

* enhancement(6394): resorted to using previous major instead of minor in upgrade test

* enhancement(6394): updated endpoint version function in the tests, updated function name in testing tools

* enhancement(6394): use previous minor, fix log

* enhancement(6394): added comment explaining motive behind simple install functions

* enhancement(6394): updated return in tools

* Update changelog/fragments/1740166208-allow-deb-rpm-upgrade-with-tamper-protected-endpoint.yaml

Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>

* enhancement(6394): fixed function call in tests

* enhancement(6394): added systemctl start in postinstall, refactored preinstall and added condition to make same version installations work

* enhancement(6394): updated the preinstall and postinstall scripts to troubleshoot

* enhancement(6394): updated preinstall and postinstall script templates

- Updated preinstall to stop endpoint if it is an available service regardless of the version of endpoint that's installed
- Updated postinstall to start endpoint if the old endpoint version and the new version match.

* enhancement(6394): removed error exit from postinstall

* enhancement(6394): updated postinstall and preinstall templates

- Preinstall now does not use a state file. Recovery from failure starts ElasticEndpoint if it is not running
- Preinstall does not stop endpoint if tamper protection is not enabled
- Postinstall does not print an error if service is still running

* enhancement(6394): removed debug logs

* enhancement(6394): removed unnecessary comment

* enhancement(6394): store uninstall token as local var, uninstall through the agent

* enhancement(6394): added setclient function

* enhancement(6394): added getInstallCommand and replaced SimpleInstall

* enhancement(6394): added test case for error recovery. removed unused fixture functions

* enhancement(6394): refactored tests, consolidated test scenarios into one function

* enhancement(6394): remove unnecessary test functions

* enhancement(6394): remove unused fixture function

* enhancement(6394): revert unwanted installDeb changes

* enhancement(6394): remove unwanted changes in testing tools

* enhancement(6394): remove unused function call

* enhancement(6394): replacing systemctl instead of adding new one to path

* enhancement(6394): update real systemctl path in mock systemctl script

* enhancement(6394): fix linting errors

* Update changelog/fragments/1740166208-allow-deb-rpm-upgrade-with-tamper-protected-endpoint.yaml

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update dev-tools/packaging/templates/linux/postinstall.sh.tmpl

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update pkg/testing/tools/tools.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update dev-tools/packaging/templates/linux/postinstall.sh.tmpl

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update dev-tools/packaging/templates/linux/postinstall.sh.tmpl

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* Update pkg/testing/tools/tools.go

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>

* enhancement(6394): updated print statement

* enhancement(6394): remove unnecessary command

* enhancement(6394): use addressFromPath and SetClient

* enhancement(6394): using service name, fixed indentation

* test(debug): add detailed logging to Fixture.SetClient and installDeb for agent client setup debugging

* Revert "test(debug): add detailed logging to Fixture.SetClient and installDeb for agent client setup debugging"

This reverts commit 390c561.

* enhancement(6394): renamed SetClient to SetDebRpmClient. Using hardcoded working dir as fixture working dir does not work for determining socket path

* enhancement(6394): consolidated same version upgrade and regular upgrade test functions

* enhancement(6394): simplify preinstall script and enhance upgrade tests for tamper protection
- Removed unnecessary endpoint handling logic from preinstall script.
- Improved checks for service installation and status before upgrade.
- Updated upgrade test functions to handle stopping the endpoint service before upgrades.

* enhancement(6394): remove mock systemctl script for tamper protection tests

* enhancement(6394): remove unused import

* enhancement(6394): fixed order of execution in preinstall

* enhancement(6394): added tests to make sure deb/rpm upgrades work when endpoint is not tamper protected

---------

Co-authored-by: Paolo Chilà <paolo.chila@elastic.co>
Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>
(cherry picked from commit 8a6531f)

# Conflicts:
#	dev-tools/packaging/templates/linux/preinstall.sh.tmpl
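
For the "validate that both the agent and endpoint are healthy" steps in the test procedure above, the status tree shown in the note can be checked mechanically. This is an added example, not code from the PR or the elastic-agent repository; the function name Unhealthy and the path format are assumptions, and the embedded sample is a shortened copy of the tree quoted in the description.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the top of the status tree quoted in the PR description.
const sample = `┌─ fleet
│  └─ status: (STARTING)
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   └─ endpoint-default
      └─ status: (FAILED) Elastic Defend cannot run on an emulated architecture`

var statusRe = regexp.MustCompile(`^status: \(([A-Z_]+)\)\s*(.*)$`)

// Unhealthy returns "path: STATE message" for every node whose status line
// is anything other than HEALTHY; paths come from the tree indentation.
func Unhealthy(out string) []string {
	var names, bad []string
	var depths []int
	for _, line := range strings.Split(out, "\n") {
		text := strings.TrimLeft(line, " │├└┌─")
		depth := len([]rune(line)) - len([]rune(text))
		if text = strings.TrimSpace(text); text == "" {
			continue
		}
		// Drop siblings and deeper nodes so only the ancestor chain remains.
		for len(depths) > 0 && depths[len(depths)-1] >= depth {
			names, depths = names[:len(names)-1], depths[:len(depths)-1]
		}
		m := statusRe.FindStringSubmatch(text)
		if m == nil { // a component or unit name, not a status line
			names, depths = append(names, text), append(depths, depth)
		} else if m[1] != "HEALTHY" {
			entry := strings.Join(names, "/") + ": " + m[1] + " " + m[2]
			bad = append(bad, strings.TrimSpace(entry))
		}
	}
	return bad
}

func main() {
	for _, u := range Unhealthy(sample) {
		fmt.Println(u)
	}
}
```

An empty result after the upgrade means every component and unit in the tree reported HEALTHY; a state such as STARTING is reported too, so the check should be retried until the agent has settled.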
@mergify mergify bot added the backport and conflicts (There is a conflict in the backported pull request) labels Jun 20, 2025
@mergify mergify bot requested a review from a team as a code owner June 20, 2025 14:49
@mergify mergify bot requested review from michel-laterman and swiatekm and removed request for a team June 20, 2025 14:49

mergify bot commented Jun 20, 2025

Cherry-pick of 8a6531f has failed:

On branch mergify/bp/8.19/pr-6907
Your branch is up to date with 'origin/8.19'.

You are currently cherry-picking commit 8a6531f43.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   changelog/fragments/1740166208-allow-deb-rpm-upgrade-with-tamper-protected-endpoint.yaml
	modified:   dev-tools/packaging/templates/linux/postinstall.sh.tmpl
	modified:   pkg/testing/fixture.go
	modified:   pkg/testing/fixture_install.go
	modified:   pkg/testing/tools/tools.go
	modified:   testing/integration/endpoint_security_test.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   dev-tools/packaging/templates/linux/preinstall.sh.tmpl

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@github-actions github-actions bot added the Team:Elastic-Agent-Control-Plane (Label for the Agent Control Plane team) label Jun 20, 2025
@elasticmachine

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)


mergify bot commented Jun 23, 2025

This pull request has not been merged yet. Could you please review and merge it @kaanyalti? 🙏


pkoutsovasilis commented Jun 23, 2025

let's not merge this one until #8613 is resolved. For main and 9.0 where this is merged, we are gonna have to skip it for now #8626

@pkoutsovasilis

closing in favour of #8646

@mergify mergify bot deleted the mergify/bp/8.19/pr-6907 branch June 24, 2025 11:56