Fleet and Elastic Agent 8.10.0

edit

Review important information about the Fleet and Elastic Agent 8.10.0 release.

Breaking changes

edit

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade, review the breaking changes, then mitigate the impact to your application.

Elastic Agent diagnostics unavailable with Fleet Server below 8.10.0.

Details
The mechanism that Fleet uses to generate diagnostic bundles has been updated. To collect Elastic Agent diagnostics, Fleet Server needs to be at version 8.10.0 or higher.

Impact
If you need to access a diagnostic bundle for an agent, ensure that Fleet Server is at the required version.

Known issues

edit
PGP key download fails in an air-gapped environment

Details

If you’re using an air-gapped environment, we recommended installing version 8.10.3 or any higher version, to avoid being unable to upgrade.

Starting from version 8.9.0, when Elastic Agent tries to perform an upgrade, it first verifies the binary signature with the key bundled in the agent. This process has a backup mechanism that will use the key coming from https://artifacts.elastic.co/GPG-KEY-elastic-agent instead of the one it already has.

In an air-gapped environment, the agent won’t be able to download the remote key and therefore cannot be upgraded.

Impact

For the upgrade to succeed, the agent needs to download the remote key from a server accessible from the air-gapped environment. Two workarounds are available.

Option 1

If an HTTP proxy is available to be used by the Elastic Agents in your Fleet, add the proxy settings using environment variables as explained in Proxy Server connectivity using default host variables. Please note that you need to enable HTTP Proxy usage for artifacts.elastic.co to bypass this problem, so you can craft the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables to be used exclusively for it.

Option 2

As the upgrade URL is not customizable, we have to "trick" the system by pointing https://artifacts.elastic.co/ to another host that will have the file.

The following examples require a server in your air-gapped environment that will expose the key you will have downloaded from https://artifacts.elastic.co/GPG-KEY-elastic-agent`.

Example 1: Manual

Edit the Elastic Agent server hosts file to add the following content:

<YOUR_HOST_IP> artifacts.elastic.co

The Linux hosts file path is /etc/hosts.

Windows hosts file path is C:\Windows\System32\drivers\etc\hosts.

Example 2: Puppet

host { 'elastic-artifacts':
  ensure       => 'present'
  comment      => 'Workaround for PGP check'
  ip           => '<YOUR_HOST_IP>'
}

Example 3: Ansible

- name  : 'elastic-artifacts'
  hosts : 'all'
  become: 'yes'

  tasks:
    - name: 'Add entry to /etc/hosts'
      lineinfile:
        path: '/etc/hosts'
        line: '<YOUR_HOST_IP> artifacts.elastic.co'
Filtering Elastic Agents in Kibana generates an "Error fetching agents" message

Details

A KQL query in a Fleet search field now returns a 400 error when the query is not valid.

Previously, the search fields would accept any type of query, but with the merge of #161064 any type of KQL sent to Fleet needs to have a valid field name, otherwise it returns an error.

Cause

Entering an invalid KQL query on one of the Fleet KQL search fields or through the API produces the error.

Affected search fields in the Fleet UI:

  • Agent list
  • Agent policies
  • Enrollment Keys

Affected endpoints in the Kibana Fleet APIs (these are the endpoints that accept the parameter ListWithKuery):

  • GET api/fleet/agents
  • GET api/fleet/agent_status
  • GET api/fleet/agent_policies
  • GET api/fleet/package_policies
  • GET api/fleet/enrollment_api_keys
  • GET api/fleet/agent_status

Impact

To avoid getting the 400 error, the queries should be valid.

For instance, entering the query 8.10.0 results in an error. The correct query should be: local_metadata.agent.version="8.10.0".

As another example, when viewing the Agents tab in Fleet, typing a hostname such as a0c8c88ef2f5 in the search field results in an error. The correct query should have the correct field name, taken from among the allowed ones, for example local_metadata.host.hostname: a0c8c88ef2f5.

The list of available field names is visible by clicking on any of the search fields.

New features

edit

The 8.10.0 release Added the following new and notable features.

Fleet
  • Enable agent policy secret storage when all fleet servers are above 8.10.0 #163627.
  • Kafka integration API #159110.
Fleet Server
  • Add a new policy token that can be used to enroll Elastic Agent into fleet server. #2654
  • Add a Kafka output type for agent policies. #2850
  • Fleet Server support to handle agent policy secrets. #2863 #2485
Elastic Agent
  • Report the version from the Elastic Agent package instead of the agent binary to enhance release process. #2908
  • Implement tamper protection for Elastic Endpoint uninstall use cases. #2781
  • Add component-level diagnostics and CPU profiling. #3118
  • Improve upgrade process to use upgraded version of Watcher to ensure a successful upgrade. #3140 #2873

Enhancements

edit
Fleet
  • Add support for runtime fields. #161129.
Fleet Server
  • Keep the Fleet Server service running when Elasticsearch is not available. #2693 #2683
  • Add APM trace fields to HTTP request logs. #2743
  • File transfers with integrations now use datastreams. #2741
  • Use a unique ID for agent action results to ensure accurate counts on Fleet UI. #2782 #2596
Elastic Agent
  • Redundant calls to /api/fleet/setup were removed in favor of Kibana-initiated calls. #2985 #2910
  • Updated Go version to 1.20.7. #3177
  • Add runtime prevention to prevent Elastic Defend from running if Elastic Agent is not installed in the default location. #3114
  • Add a new flag complete to agent metadata to signal that the instance running is synthetics-capable. #3190 #1754
  • Add support for setting GOMAXPROCS to limit CPU usage through the agent policy. #3179
  • Add logging to the restart step of the Elastic Agent upgrade rollback process. #3245 #3305

Bug fixes

edit
Fleet
  • Only show agent dashboard links if there is more than one non-server agent and if the dashboards exist. #164469.
  • Exclude synthetics from per-policy-outputs. #161949.
  • Fix the path for hint templates for auto-discover. #161075.
Elastic Agent
  • Don’t trigger Indicator of Compromise (IoC) alert on Windows uninstall. #3014 #2970
  • Fix credential redaction in diagnostic bundle collection. #3165
  • Ensure that Elastic Agent upgrades are rolled back even when the upgraded agent crashes immediately and repeatedly. #3220 #3123
  • Ensure that Elastic Agent is restarted during rollback. #3268
  • Fix how the diagnostics command handles the custom path to save the diagnostics. #3340 #3339