Beats: Start Filebeat Service failed on argument test when it executed by non-root user

Created on 17 May 2017 · 10 Comments · Source: elastic/beats

From the code, the argument test will fail in the test function, because of the checker.
https://github.com/elastic/beats/blob/master/dev-tools/packer/platforms/centos/init.j2#L45

```
+ /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat -e -configtest
filebeat2017/05/17 11:02:41.103321 beat.go:339: CRIT Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") must be owned by the beat user (uid=0) or root
Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") must be owned by the beat user (uid=0) or root
```

For confirmed bugs, please report:

  • Version: 5.3.2
  • Operating System: CentOS5
  • Steps to Reproduce:

    • Install the latest filebeat: `yum install filebeat`

    • Configure the file permission of the binary and configs: `chown monitor:monitor /etc/filebeat/filebeat.yml /usr/share/filebeat/bin/filebeat`

    • Launch the filebeat service: `/etc/init.d/filebeat start`

Filebeat question

All 10 comments

This looks like the expected behavior to me. See the documentation here. Why are you changing the owner of the binary and config file?

@andrewkroh I want to execute the filebeat with a non-root user.

Changing the owner of the file won't cause it to be executed as a different user. You also need to modify the init.d script to change the user that the process executes as. The script will probably require multiple changes to execute the beat as a user other than root. It's not something that's easily configurable today.

I think you would need to add -u user -g group to the wrapperopts at https://github.com/elastic/beats/blob/master/dev-tools/packer/platforms/centos/init.j2#L31.

The arguments are described here for daemon process: https://github.com/tsg/go-daemon/blob/master/god.c#L35-L36

In addition, the test() func will need to be modified to execute as the correct user. Or you could just have the test not check the file permissions by using -strict.perms=false.

@andrewkroh Sorry, I missed something.
I had a patch for it.

```diff -urpN packages/output_orig/etc/init.d/filebeat packages/output/etc/init.d/filebeat
--- packages/output_orig/etc/init.d/filebeat 2017-05-17 20:53:36.000000000 +0800
+++ packages/output/etc/init.d/filebeat 2017-05-17 20:55:44.000000000 +0800
@@ -27,8 +27,13 @@ pidfile=${PIDFILE-/var/run/filebeat.pid}
agent=${BEATS_AGENT-/usr/share/filebeat/bin/filebeat}
args="-c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat"
test_args="-e -configtest"
-wrapper="/usr/share/filebeat/bin/filebeat-god"
-wrapperopts="-r / -n -p $pidfile"
+if grep -q -i "release 7" /etc/redhat-release; then

  • wrapper="/usr/share/filebeat/bin/filebeat-god"
    +else
  • wrapper="/usr/share/filebeat/bin/filebeat-god-el5"
    +fi
    +beat_user="monitor"
    +wrapperopts="-r / -n -p $pidfile -u $beat_user"
    RETVAL=0

# Source function library.
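Review bot: beat_user="monitor" is hardcoded in the added lines, so the packaged script would run every install as an account named monitor; make it overridable with a root default in the same style as the pidfile and agent lines above, for example beat_user=${BEAT_USER-root}, and append -u to wrapperopts only when the user is not root. The release check also sends every host whose /etc/redhat-release does not contain "release 7", or that has no such file, to filebeat-god-el5; match the EL5 case explicitly and keep filebeat-god as the fallback.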
@@ -42,7 +47,7 @@ if status | grep -q -- '-p' 2>/dev/null;
fi

test() {
- $agent $args $test_args
+ runuser -s /bin/bash $beat_user -c "$agent $args $test_args"
}

start() {
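Review bot: in test(), $beat_user is unquoted and the command is flattened into one string for bash -c, so an empty beat_user removes the user argument from the runuser command line, and the value of $agent (which can come from BEATS_AGENT) is parsed a second time by a shell started from a root-run script. Quote "$beat_user", stop with an error when it is empty, and call $agent directly when the user is root so the default case does not depend on runuser.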
diff -urpN packages/output_orig/lib/systemd/system/filebeat.service packages/output/lib/systemd/system/filebeat.service
--- packages/output_orig/lib/systemd/system/filebeat.service 2017-05-17 20:53:36.000000000 +0800
+++ packages/output/lib/systemd/system/filebeat.service 2017-05-17 20:54:10.000000000 +0800
@@ -6,6 +6,7 @@ After=network-online.target

[Service]
ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
+User=monitor
Restart=always

[Install]
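Review bot: User=monitor is hardcoded in the packaged unit with no Group= and no change to the ownership of /etc/filebeat/filebeat.yml, /var/lib/filebeat or /var/log/filebeat, all of which appear in ExecStart and have to be readable or writable by that account; the service would also fail on any host without a monitor user. Leave the shipped unit running as before and document a drop-in override for User= and Group=, or template the value the same way as the init script.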
```

I'm not asking to implement it totally (it's just my practice to execute beats as a non-root user). What I need is a fix for the test function in /etc/init.d/beats, which is incompatible with the non-root user case.

I hadn't seen your latest comment. Anyway, thanks for the quick response.
Do you mind if I send a merge request for the test function?

I think it would be ideal to have the init script source a file like /etc/default/{{.beat_name}} if it exists. That file can optionally set BEAT_USER=someuser. Then make the init script use $BEAT_USER in the wrapperopts and in the runuser command.

> Do you mind if I send a merge request for the test function?

I wouldn't want to merge a change only for the test function. I would prefer a slightly more complete change to make it possible to run as a custom user.
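The design suggested in this comment, sketched as an added example (not code from elastic/beats or from the merge request). The helper names are hypothetical; BEAT_USER, the defaults file and the wrapper's -u option come from the thread, and owner_allowed mirrors the rule stated in the error message.

```shell
#!/bin/sh
# Added example: hypothetical init-script helpers, not elastic/beats code.

# Ownership rule from the error message: the config file's owner must be
# the uid the beat runs as, or root (uid 0).
owner_allowed() {    # owner_allowed FILE_UID RUN_UID
    [ "$1" -eq "$2" ] || [ "$1" -eq 0 ]
}

# Numeric owner of a file, read from the third column of `ls -ln`.
file_uid() {         # file_uid PATH
    ls -lnd -- "$1" | awk 'NR == 1 { print $3 }'
}

# Print the account to run as: BEAT_USER from the defaults file, else root.
# The file is sourced by a root-run script, so it is trusted only when it
# is owned by the invoking uid or root.
load_beat_user() {   # load_beat_user DEFAULTS_FILE
    BEAT_USER=
    if [ -f "$1" ]; then
        owner_allowed "$(file_uid "$1")" "$(id -u)" || return 1
        . "$1"
    fi
    BEAT_USER=${BEAT_USER:-root}
    id -u "$BEAT_USER" >/dev/null 2>&1 || return 1   # must be a real account
    printf '%s\n' "$BEAT_USER"
}

# Options for the filebeat-god wrapper; -u is added only for a non-root user.
wrapper_opts() {     # wrapper_opts PIDFILE USER
    if [ "$2" = root ]; then
        printf '%s\n' "-r / -n -p $1"
    else
        printf '%s\n' "-r / -n -p $1 -u $2"
    fi
}

# Preflight for test(): would the beat, running as USER, accept CONFIG?
config_owner_ok() {  # config_owner_ok CONFIG USER
    owner_allowed "$(file_uid "$1")" "$(id -u "$2")"
}
```

A config file with a non-root owner checked against a beat running as uid 0 is rejected by owner_allowed, which is the situation in the original report.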

@andrewkroh I created an MR. Do you have a chance to check it? #4340

@andrewkroh I have the exact same problem as you describe, but even when I change the permission nothing changes, and I also added -u user and -g group as you said but still nothing changes. Do you have any idea what I should do?

This is what it shows me each time:

```
filebeat2017/08/07 04:04:32.717139 beat.go:339: CRIT Exiting: error loading config file: config file ("filebeat.yml") must be owned by the beat user (uid=0) or root
Exiting: error loading config file: config file ("filebeat.yml") must be owned by the beat user (uid=0) or root
```

> I think you would need to add -u user -g group to the wrapperopts at https://github.com/elastic/beats/blob/master/dev-tools/packer/platforms/centos/init.j2#L31.
>
> The arguments are described here for daemon process: https://github.com/tsg/go-daemon/blob/master/god.c#L35-L36
>
> In addition, the test() func will need to be modified to execute as the correct user. Or you could just have the test not check the file permissions by using -strict.perms=false.

Where exactly do you use or place the -strict.perms=false?
