Add a "Need to run as root" option in package spec #537

Closed
jlind23 opened this issue Jun 13, 2023 · 8 comments · Fixed by #605

@jlind23
Collaborator

jlind23 commented Jun 13, 2023

We are working towards providing an option for Elastic Agent to run without superuser privileges. We stumbled over a couple of use cases where integrations need to be run as root in order to access some system metrics and other admin settings.

In order to automatically know which integrations need root permission, we should add an option in the package spec manifest, as follows:

```yaml
name: system
title: System
version: 1.33.0
license: basic
description: Collect system logs and metrics from your servers with Elastic Agent (TSDB Beta).
type: integration
categories:
  - os_system
release: ga
conditions:
  kibana.version: '^8.8.0'
  need.root: 'true'  # proposed new option
screenshots:
  - src: /img/kibana-system.png
```
jlind23 added the Team:Fleet label Jun 13, 2023

@jsoriano
Member

jsoriano commented Sep 18, 2023

Discussed this with Julien, and we see this more like an agent configuration that could go in a new block in the manifest, rather than a condition.

@jlind23
Collaborator Author

jlind23 commented Sep 18, 2023

@nimarezainia Do we already have a Kibana follow-up issue for this? As we discussed, we should at least display an information message when users install integrations that need "root" privileges.

@jsoriano
Member

@nimarezainia @jlind23 for integration packages, is this needed at the package level, or at the data stream level? For example the cpu and memory data streams of the system packages don't require root, and can be valuable on their own on unprivileged deployments.

@jlind23
Collaborator Author

jlind23 commented Sep 18, 2023

@jsoriano I wonder how users will react if some datastreams are not working/populated? I think this should be applied at the package level but shouldn't prevent the user from installing a package.
@strawgate @nimarezainia thoughts?

@jsoriano
Member

> I wonder how users will react if some datastreams are not working/populated?

I guess it depends on how this is reported to the user, the experience could be quite similar at the package or the data stream level: If a policy includes a package or a data stream with root: true, we do whatever action we do in these cases (informing the user, running components as root...).

So it is more a question about the granularity we want to have, and if we want to support use cases like running data streams that don't require root privileges, but are included in packages that contain data streams that require them.

> shouldn't prevent the user from installing a package.

I think that package installation shouldn't be prevented in any case. Packages can be installed without being associated with any policy or agent.

@cmacknz
Member

cmacknz commented Sep 18, 2023

> So it is more a question about the granularity we want to have, and if we want to support use cases like running data streams that don't require root privileges, but are included in packages that contain data streams that require them.

I think we need both package level and data_stream granularity. For Elastic Defend we want to require root at the package level, for the system integration we'd want it at the data stream level.

@jsoriano
Member

@cmacknz sounds good 👍 Thanks.

@nimarezainia

> @nimarezainia Do we already have a Kibana follow-up issue for this? As we discussed, we should at least display an information message when users install integrations that need "root" privileges.

Looks like we don't. I created elastic/kibana#166784.
Had no choice but to include it in sp18; should be a small change.
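
The package-level versus data-stream-level granularity discussed in this thread, as an added example that is not part of the original issue or the package-spec project's code. The `requires_root` flag names, the package and data stream entries, and both functions are hypothetical; the sample data is constructed.

```python
# Added example: hypothetical "requires_root" flags, not the package-spec schema.
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    requires_root: bool = False  # package-level flag (assumed name)
    # data stream name -> stream-level requires_root flag (assumed name)
    data_streams: dict = field(default_factory=dict)


# Constructed sample data mirroring the two cases named in the thread:
# one package that needs root as a whole, one that needs it per data stream.
PACKAGES = {
    "elastic_defend": Package("elastic_defend", requires_root=True,
                              data_streams={"events": False}),
    "system": Package("system", data_streams={
        "cpu": False, "memory": False, "privileged_stream": True}),
}


def needs_root(pkg, stream):
    """A package-level flag applies to every stream; otherwise the stream decides."""
    if stream not in pkg.data_streams:
        raise KeyError(f"{pkg.name} has no data stream {stream!r}")
    return pkg.requires_root or pkg.data_streams[stream]


def evaluate_policy(policy, agent_is_root, packages=PACKAGES):
    """policy is a list of (package, data_stream) pairs.

    Returns (runnable, blocked). Nothing is refused at install time; the
    blocked list is what would be reported to the user for an unprivileged agent.
    """
    runnable, blocked = [], []
    for pkg_name, stream in policy:
        pkg = packages[pkg_name]  # unknown package raises KeyError
        if needs_root(pkg, stream) and not agent_is_root:
            blocked.append((pkg_name, stream))
        else:
            runnable.append((pkg_name, stream))
    return runnable, blocked
```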
