[Unprivileged] Adjust integration tests to use unprivileged by default #3931
Conversation
blakerouse
added
Team:Elastic-Agent
|
This pull request is now in conflicts. Could you fix it? 🙏 |
|
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
|
All integration tests pass! Only issue is with the Windows 10 test, that is affecting every PR. |
| func (i InstallOpts) IsUnprivileged(operatingSystem string) bool { | ||
| if i.Unprivileged == nil { | ||
| // not explicitly set, default to true on Linux only (until other platforms support it) | ||
| return operatingSystem == "linux" |
There was a problem hiding this comment.
Reading:
installOpts := atesting.InstallOpts{
NonInteractive: true,
Force: true,
Unprivileged: atesting.NewBool(false),
}Should we just invert the name so we don't have to use a pointer type here? I'd rather use Privileged: true as the exception and have it not exactly match the argument name then have to deal with using NewBool.
There was a problem hiding this comment.
Because the InstallOpts will conditional change IsUnprivileged depending on the operating system that is being tested, the code needs it to be a tristate boolean.
- Unset
- True
- False
In the case that it was never set it will we set to true on Linux and false on Windows (for now). If specifically set then that value is used instead. If we didn't use a tristate then the default of false versus setting false explicitly would be unknown so on Linux it would always be changed to true even on a test where false should be forced. Even if we flip this logic by renaming the variable Privileged it results in the same issue.
I also really prefer it to match the command line arguments, all other fields match, don't think we should deviant now.
There was a problem hiding this comment.
Thanks, I don't feel that strongly about it and there's a technical reason for it to be like this. I'd be in favour of removing it if it turns out we don't need it once all the platforms support unprivileged.
|
All tests pass except for the Windows 10 unit tests. This is showing that unprivileged on Linux, is ready to start being used! |
|
@blakerouse FYI #4123 |
|
🚀 |
|
0.0% Duplication on New Code
|
@pierrehilbert @cmacknz Are all integrations tests run in both mode on every PRs? |
|
No, the ones where we know there are differences or that are important are run in both modes (install, upgrade, etc). The philosophy is that if it works in unprivileged mode it will work as root, so many things don't need to be tested twice. Running without privileges is harder to get right because it is sensitive to directories and file permissions where as running as root is not. |
|
@blakerouse could we please make sure tests names also contains an indicator about whether or not they are running as root? |
|
@jlind23 That is already done. A test that is testing specific unprivileged vs privileged has it in the name of the test. If the test by default uses unprivileged then it is not in the name, because on Linux it will be unprivileged and then on Windows it will be privileged (at least currently, until Windows support unprivileged). Once unprivileged becomes the default it seems redundant to repeat it everywhere, it would be better to just call out the privileged mode. |
|
@blakerouse thanks for the prompt answer, happy to see this already covered 👍🏼 |
| @@ -29,6 +30,8 @@ var ( | |||
| Version_8_10_0_SNAPSHOT = version.NewParsedSemVer(8, 10, 0, "SNAPSHOT", "") | |||
| // Version_8_11_0_SNAPSHOT is the minimum version for uninstall command to kill the watcher upon uninstall | |||
| Version_8_11_0_SNAPSHOT = version.NewParsedSemVer(8, 11, 0, "SNAPSHOT", "") | |||
| // Version_8_13_0 is the minimum version for proper unprivileged execution | |||
| Version_8_13_0 = version.NewParsedSemVer(8, 13, 0, "", "") | |||
There was a problem hiding this comment.
@blakerouse shouldn't we have 8.13.0-SNAPSHOT here too?
What does this PR do?
Adjusts all the integration tests to use
--unprivilegedby default. This is done in a way that makes sure that anytime install is used its installed with--unprivilegedunless the install is explicit that it should be installed privileged.The upgrade tests use a mechanism to determine if its possible to install and upgrade in unprivileged mode it will. For the standalone upgrade scenarios both privileged and unprivileged with upgrade is also enabled.
Why is it important?
Provides the best coverage for
--unprivilegedwhich is more restrictive in how Elastic Agent runs. If it can run in--unprivilegedit can most certainly run privileged.Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration files[ ] I have added tests that prove my fix is effective or that my feature works[ ] I have added an entry in./changelog/fragmentsusing the changelog toolRelated issues