Fleet and Elastic Agent 8.9.0

Details

Starting from version 8.9.0, when Elastic Agent tries to perform an upgrade, it first verifies the binary signature with the key bundled in the agent. This process has a backup mechanism that will use the key coming from https://artifacts.elastic.co/GPG-KEY-elastic-agent instead of the one it already has.

In an air-gapped environment, the agent won’t be able to download the remote key and therefore cannot be upgraded.

Impact

For the upgrade to succeed, the agent needs to download the remote key from a server accessible from the air-gapped environment. Two workarounds are available.

Option 1

If an HTTP proxy is available to be used by the Elastic Agents in your Fleet, add the proxy settings using environment variables as explained in Proxy Server connectivity using default host variables. Please note that you need to enable HTTP Proxy usage for artifacts.elastic.co to bypass this problem, so you can craft the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables to be used exclusively for it.

Option 2

As the upgrade URL is not customizable, we have to "trick" the system by pointing https://artifacts.elastic.co/ to another host that will have the file.

The following examples require a server in your air-gapped environment that will expose the key you will have downloaded from https://artifacts.elastic.co/GPG-KEY-elastic-agent`.

Example 1: Manual

Edit the Elastic Agent server hosts file to add the following content:

<YOUR_HOST_IP> artifacts.elastic.co

The Linux hosts file path is /etc/hosts.

Windows hosts file path is C:\Windows\System32\drivers\etc\hosts.

Example 2: Puppet

host { 'elastic-artifacts':
  ensure       => 'present'
  comment      => 'Workaround for PGP check'
  ip           => '<YOUR_HOST_IP>'
}

Example 3: Ansible

- name  : 'elastic-artifacts'
  hosts : 'all'
  become: 'yes'

  tasks:
    - name: 'Add entry to /etc/hosts'
      lineinfile:
        path: '/etc/hosts'
        line: '<YOUR_HOST_IP> artifacts.elastic.co'

Details
The Elastic Agent status command has been changed so that the default human output now uses a list format and summaries output.

Impact
Full human output can be obtained with the new full option. For for information, refer to #2890.

Details
Previously, when Fleet Server encountered an unexpected error it resulted in a Bad Request response.

Impact
Now, any unexpected error returns an Internal Server Error response while keeping most of the current behavior unchanged. On expected failure paths (for example, Agent Inactive, Missing Agent ID, Missing Auth Header) a Bad Request response is returned. For more information, refer to #2531.

Details
In Elastic Agent output the host.name field has been changed to lowercase to match Elastic Common Schema (ECS) guidelines. The agent name is also reported in lowercase (AGENT-name becomes agent-name).

Impact
After upgrading Elastic Agent to version 8.9.0 or higher, any case-sensitive searches may result in false-positive alerts. For example, a case-sensitive search based on the upper-case AGENT-name could result in an alert such as system.load.1 reported no data in the last 5m for AGENT-name. After upgrading, you may need to manually clear alerts and adjust some searches to match the new host.name format.