Add cap_net_raw requirements to heartbeat docs (#32816) (#33124)

(cherry picked from commit 2aeefb9) Co-authored-by: Emilio Alvarez Piñeiro <[email protected]>
elastic · Sep 19, 2022 · 31e009c · 31e009c
1 parent 46cb310
commit 31e009c
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/heartbeat/docs/running-on-docker.asciidoc b/heartbeat/docs/running-on-docker.asciidoc
@@ -1 +1,13 @@
 include::{libbeat-dir}/shared-docker.asciidoc[]
+
+[float]
+==== Required network capabilities
+
+Under Docker, {beatname_uc} runs as a non-root user, but requires some privileged
+network capabilities to operate correctly. Ensure that the +NET_RAW+
+capability is available to the container.
+
+["source","sh",subs="attributes"]
+----
+docker run --cap-add=NET_RAW {dockerimage}
+----
diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc
@@ -74,3 +74,22 @@ $ kubectl --namespace=kube-system get deployment/{beatname_lc}
 NAME        READY   UP-TO-DATE   AVAILABLE   AGE
 {beatname_lc}   1/1     1            1           1m
 ------------------------------------------------
+
+[float]
+==== Running {beatname_uc} as unprivileged user
+
+Under Kubernetes, {beatname_uc} can run as a non-root user, but requires some privileged
+network capabilities to operate correctly. Ensure that the +NET_RAW+
+capability is available to the container.
+
+["source","yaml",subs="attributes"]
+----
+containers:
+- name: heartbeat
+  image: {dockerimage}
+  securityContext:
+    runAsUser: 1000
+    runAsGroup: 1000
+    capabilities:
+      add: [ NET_RAW ]
+----
diff --git a/libbeat/docs/shared-docker.asciidoc b/libbeat/docs/shared-docker.asciidoc
@@ -74,6 +74,7 @@ ifeval::["{beatname_lc}"=="heartbeat"]
 ["source", "sh", subs="attributes"]
 --------------------------------------------
 docker run \
+--cap-add=NET_RAW \
 {dockerimage} \
 setup -E setup.kibana.host=kibana:5601 \
 -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>
@@ -206,6 +207,7 @@ docker run -d \
   --name={beatname_lc} \
   --user={beatname_lc} \
   --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \
+  --cap-add=NET_RAW \
   {dockerimage} \
   --strict.perms=false -e \
   -E output.elasticsearch.hosts=["elasticsearch:9200"] <1> <2>