Dockerized standalone Fleet Server

[jsoriano]

What is the problem this PR solves?

Allow to run Fleet Server standalone without check in in production builds.

How does this PR solve the problem?

• Standalone mode previously used in development mode can be also used now in release builds.
• Elasticsearch version check is not done in standalone mode.
• Migrations are not done in standalone mode.
• Health is checked in standalone mode by checking that the service can read the policies index.

After this, fleet-server only needs an Elasticsearch service account to start.

How to test this PR locally

fleet-server -c ./fleet-server.yml -E output.elasticsearch.ssl.verification_mode=none -E fleet.agent.checkin=false -E output.elasticsearch.service_token=....

Or make release-docker, and use the built docker image in your docker or kubernetes environment.

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Fix Remove self-registration code for standalone mode #2351
• Fix Add a Dockerfile for running Fleet Server in standalone mode #2294

[jsoriano]

I am assuming by now that "check in" and "standalone" mode are two different things, but I wonder if there is any use case for running standalone with check in (maybe only for development?), or to run in agent without checkin.

[jsoriano]

More about this in #2359 (comment)

[nchaulet]

I do not think there is some value to support checkin at all in standalone, but for these we probably need to make a change in Kibana to remove the restrictions of having an healthy fleet server agent, I can make a PR that introduce that change with a feature flag if you need it for testing.

[michel-laterman]

I agree with @nchaulet, registration + checkin was added just to get around the kibana restrictions.
If we wanted to release a true "stand-alone" server it should not even need to enroll itself

[jsoriano]

We can then fully remove standAloneSetup and standAloneCheckin?

[jsoriano]

I can make a PR that introduce that change with a feature flag if you need it for testing.

@nchaulet that would be great. I guess this would solve part of the "Add Fleet Server" UI Components in https://github.com/elastic/ingest-dev/issues/1530. Instead of using a feature flag we could maybe use the check mentioned there if it is already available.

[jsoriano]

Why is this mandatory now?

[michel-laterman]

By default elasticsearch runs in https

[jsoriano]

@michel-laterman please take a look to this draft to check if I am going in the good direction 🙂 Thanks!

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-03-06T16:22:24.994+0000

• Duration: 13 min 23 sec

Test stats 🧪

Test	Results
Failed	0
Passed	605
Skipped	1
Total	606

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[amitkanfer]

@jsoriano won't it be best to have a new "standalone" config that will toggle the new checkin flag you're adding here? i guess that in the future we'll need to control more configs than just this one...
WDYT?

[alexsapran]

We discussed this with @joshdover.

We could use the internal docker registry and publish the container image under the employees path.

After some quick searching in GH I noticed how it's done in endpoint-dev repo for some dockery-related builds, setting an NS (namespace) to docker.elastic.co/employees/ instead of docker.elastic.co/.

[jsoriano]

@jsoriano won't it be best to have a new "standalone" config that will toggle the new checkin flag you're adding here? i guess that in the future we'll need to control more configs than just this one... WDYT?

Yeah, I guess this is related to my other question in #2359 (comment). It will depend on the use cases we support, if for all standalone Fleet Servers we want to disable the checkin, then we can have a single "standalone" config that also disables the checkin.

But, currently we also have an -agent-mode flag that disables standalone, and I think that we may have cases where we want to enable or disable the checkin independently of running in agent mode or in standalone mode:

Use case	-agent-mode (no standalone)	Check in
Current Fleet Server managed by Agent	true	true
Current standalone Fleet Server for development	false	true
Standalone Fleet Server on premise	false	true
Standalone managed Fleet Server (this PR)	false	false

This is why, in principle, I considered to have this as an explicit setting.

[jsoriano]

We discussed this with @joshdover.

We could use the internal docker registry and publish the container image under the employees path.

After some quick searching in GH I noticed how it's done in endpoint-dev repo for some dockery-related builds, setting an NS (namespace) to docker.elastic.co/employees/ instead of docker.elastic.co/.

@alexsapran sounds good. There is a separate issue about publishing the image being added here. Let's keep the discussion about this there. It is #2352.

[alexsapran]

We discussed this with @joshdover.

We could use the internal docker registry and publish the container image under the employees path.

After some quick searching in GH I noticed how it's done in endpoint-dev repo for some dockery-related builds, setting an NS (namespace) to docker.elastic.co/employees/ instead of docker.elastic.co/.

@alexsapran sounds good. There is a separate issue about publishing the image being added here. Let's keep the discussion about this there. It is #2352.

Makes sense, thanks for the link, I was not aware of that other issue, will cross post my comment there.

[michel-laterman]

Why are we using this instead of the same image as we base https://github.com/elastic/fleet-server/blob/main/Dockerfile.build off of?

[jsoriano]

Both Dockerfiles have different purpouses, Dockerfile.build is used to build the release packages for all platforms, and writes the generated packages to the working copy. This one only builds the binary in the platform it is executed, without writing to the working copy, and from it builds the docker image.

I could make a common Dockerfile for both to import, but I think they wouldn't have so much common code. We would also need to somehow handle the different platforms here.

It would be good though to use here make release, to ensure that we are building the same release artifacts in both cases.

I will give another thought to this. I am mainly using this Dockerfile now to have an image for testing on Kubernetes. We could have a more final Dockerfile later.

[jsoriano]

I have replaced the build command in the Dockerfile to use make release-linux/amd64 instead, so we build with the same options as other release builds.

We will have to revisit this if we support other OSs or architectures.

[mergify]

This pull request is now in conflicts. Could you fix it @jsoriano? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fleet-server-standalone-build upstream/fleet-server-standalone-build
git merge upstream/main
git push upstream fleet-server-standalone-build

[jsoriano]

Opening for review. @michel-laterman @nchaulet please take another look.

[juliaElastic]

This is great! It would be nice to add the example command to start to the README.

[nchaulet]

Looks great to me, I tested this locally and it worked well!

[michel-laterman]

lgtm; the only other thing I can think of is to add instructions in the readme's dev section on how to run Kibana so that you can run a stand-alone fleet-server.

[michel-laterman]

(nitpick) I don't think we need the // + directives

[jsoriano]

👍 Removed from all files.

[jsoriano]

It would be nice to add the example command to start to the README.

the only other thing I can think of is to add instructions in the readme's dev section on how to run Kibana so that you can run a stand-alone fleet-server.

Added docs about building the docker image for standalone and about the experimental flag to be able to use the Fleet UI. @juliaElastic @michel-laterman please take another look.

[juliaElastic]

LGTM, thanks for adding the commands to the README.

[joshdover]

We should make it very clear in migration.go that no new migrations should be added going forward. Even better if we make the application crash if a new one is added