Fix install/enroll command not failing when the daemon restart fails

[belimawr]

For the agent to be enrolled it needs to restart after the enrol process is completed, in order to pickup the new config and "connect" to fleet-server.

This change makes the enrol command to fail if it cannot restart the agent after enrolling on fleet. A --skip-daemon-reload CLI flag is also added to the enroll command because the container command calls enroll, however there is no running daemon to restart. Skipping the daemon reload on this case allows the container command to succeed.

This PR brings back the changes introduced by #3554 that were reverted due to the container command not working and fixes the issues with the container command.

665cbe9 does not belong to this PR but is required to get the integration tests to pass. I'll remove it once #3917 is merged

What does this PR do?

This change makes the enroll command to fail if it cannot restart the agent after enrolling on fleet

Why is it important?

For the agent to be enrolled it needs to restart after the enrol process is completed, in order to pickup the new config and "connect" to fleet-server.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Author's Checklist

• Remove 665cbe9 from this PR once Remove flaky integration test assertion #3917 is merged

How to test this PR locally

Export the follwing environment variables

export FLEET_ENROLL=1
export FLEET_URL=https://testing-this-PR.elastic-cloud.com:443
export FLEET_ENROLLMENT_TOKEN=my-secret-token

Then execute the container command:

./elastic-agent container -e -v -d "*"

The Elastic-Agent should enrol in Fleet and start working.

Related issues

• Closes Enrolling into Fleet can fail because the control socket doesn't exist #3664
• Brings back: install fails if enroll fails and surface errors #3554
• Blocked by: [8.12] Upgrades being incorrectly rolled back because the agent cannot parse the upgrade marker #3947

## Use cases
## Screenshots
## Logs

Questions to ask yourself

• How are we going to support this in production?
• How are we going to measure its adoption?
• How are we going to debug this?
• What are the metrics I should take care of?
• ...

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[mergify]

This pull request does not have a backport label. Could you fix it @belimawr? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[pchila]

A couple of nitpicks here and there, overall the change looks ok

[belimawr]

buildkite test this

[cmacknz]

I tried this out by modifying agent so that it unconditionally retried restarting the daemon with the following patch applied:

diff --git a/internal/pkg/agent/cmd/enroll_cmd.go b/internal/pkg/agent/cmd/enroll_cmd.go
index e704990426..a1facdf185 100644
--- a/internal/pkg/agent/cmd/enroll_cmd.go
+++ b/internal/pkg/agent/cmd/enroll_cmd.go
@@ -452,10 +452,10 @@ func (c *enrollCmd) prepareFleetTLS() error {
 }

 func (c *enrollCmd) daemonReloadWithBackoff(ctx context.Context) error {
-       err := c.daemonReload(ctx)
-       if err == nil {
-               return nil
-       }
+       err := errors.New("this is a test error")
+       // if err == nil {
+       //      return nil
+       // }
        if errors.Is(err, context.DeadlineExceeded) ||
                errors.Is(err, context.Canceled) {
                return fmt.Errorf("could not reload daemon: %w", err)
@@ -470,9 +470,7 @@ func (c *enrollCmd) daemonReloadWithBackoff(ctx context.Context) error {
                c.log.Info("Retrying to restart...")

                err = c.daemonReload(ctx)
-               if err == nil {
-                       return nil
-               }
+
                if errors.Is(err, context.DeadlineExceeded) ||
                        errors.Is(err, context.Canceled) {
                        return fmt.Errorf("could not reload daemon after %d retries: %w",
(END)

I got the following output. Note that the existing implementation of the progress bar seems to buffer all logs until the step completes, so I didn't see any output until it failed completely and then everything was dumped out.

❯ sudo ./elastic-agent install --url=https://574feabc9fff4d4fbc4d6994e7f0d556.fleet.eastus2.staging.azure.foundit.no:443 --enrollment-token=d0tZZUFvd0J2M1UxSW91VlRDX3c6SFVTRlpJWXBTY200VXM3RlRlT1VZQQ==
Elastic Agent will be installed at /Library/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:y
[  ==] Service Started  [13s] Elastic Agent successfully installed, starting enrollment.
[==  ] Waiting For Enroll...  [14s] {"log.level":"info","@timestamp":"2023-11-28T15:27:18.441-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":497},"message":"Starting enrollment to URL: https://574feabc9fff4d4fbc4d6994e7f0d556.fleet.eastus2.staging.azure.foundit.no:443/","ecs.version":"1.6.0"}
[==  ] Waiting For Enroll...  [36s] {"log.level":"info","@timestamp":"2023-11-28T15:27:40.866-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":470},"message":"Retrying to restart...","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [1m16s] {"log.level":"info","@timestamp":"2023-11-28T15:28:20.870-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":470},"message":"Retrying to restart...","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [2m16s] {"log.level":"info","@timestamp":"2023-11-28T15:29:20.873-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":470},"message":"Retrying to restart...","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [3m16s] {"log.level":"info","@timestamp":"2023-11-28T15:30:20.886-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":470},"message":"Retrying to restart...","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [4m16s] {"log.level":"info","@timestamp":"2023-11-28T15:31:20.887-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":470},"message":"Retrying to restart...","ecs.version":"1.6.0"}
[=   ] Waiting For Enroll...  [4m16s] {"log.level":"error","@timestamp":"2023-11-28T15:31:20.895-0500","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":283},"message":"Elastic Agent might not be running; unable to trigger restart: could not reload agent's daemon, all retries failed. Last error: %!w(<nil>)","ecs.version":"1.6.0"}
Something went wrong while enrolling the Elastic Agent: could not reload agent's daemon, all retries failed. Last error: %!w(<nil>)
Error: could not reload agent daemon, unable to trigger restart: could not reload agent's daemon, all retries failed. Last error: %!w(<nil>)
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.12/fleet-troubleshooting.html
[==  ] Uninstalled  [5m17s] Error: enroll command failed for unknown reason: exit status 1
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.12/fleet-troubleshooting.html

There are several problems here:

1. As already noted, we don't actually log the error we get on retry attempts: "message":"Retrying to restart...".
2. The time between retries is too long. The exponential backoff is almost pointless because it maxes out after two iterations. The retry timestamps are at 14s, 36s, 1m16s, 2m16s, 3m16s, 4m16s. So we spend 4 minutes retrying but only retry 5 times. I think 4 minutes is too long to wait before giving up here, we could cut this in half to 2 minutes. I'm also not sure the exponential backoff is doing anything for us when trying to restart the agent, we could just use a constant backoff retrying every 1s with better results I think.
3. The error formatter in could not reload agent's daemon, all retries failed. Last error: %!w(<nil> is wrong.
4. [== ] Uninstalled [5m17s] Error: enroll command failed for unknown reason: exit status 1 is wrong, we know the reason but say it is unknown.

[AndersonQ]

you missed a check on one of the tests, but apart from that all good

[belimawr]

@cmacknz

The time between retries is too long. The exponential backoff is almost pointless because it maxes out after two iterations. The retry timestamps are at 14s, 36s, 1m16s, 2m16s, 3m16s, 4m16s. So we spend 4 minutes retrying but only retry 5 times. I think 4 minutes is too long to wait before giving up here, we could cut this in half to 2 minutes. I'm also not sure the exponential backoff is doing anything for us when trying to restart the agent, we could just use a constant backoff retrying every 1s with better results I think.

I see your point there, I reduced the time so iterations are faster now. How many times do you think we should retry?

I don't know the details of the shutdown process from the Elastic-Agent so I'm really not sure what makes sense here. If there is any sort of communication with Fleet-Server or even waiting Beats finishing to flush some data, it might make sense to have longer wait times in case ES is overloaded.

[== ] Uninstalled [5m17s] Error: enroll command failed for unknown reason: exit status 1 is wrong, we know the reason but say it is unknown.

That comes from a totally different bit of the codebase, the bit that logs it is waiting for an external process to finish, hence it does not know the reason of the failure.

elastic-agent/internal/pkg/agent/cmd/install.go

Lines 256 to 262 in e3c0695

	err = enrollCmd.Wait()
	if err != nil {
	progBar.Describe("Failed to Enroll")
	// uninstall doesn't need to be performed here the defer above will
	// catch the error and perform the uninstall
	return fmt.Errorf("enroll command failed for unknown reason: %w", err)
	}

[belimawr]

I'll remove this change once #3917 is merged. I kept it here so the integration tests will, hopefully, pass.

[belimawr]

Folks, I've resolved all comments, some I implemented what was asked, others I explained why it is implemented the way it is.

Once all tests are passing I'll ask for a re-review.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix-docker-2 upstream/fix-docker-2
git merge upstream/main
git push upstream fix-docker-2

[cmacknz]

How many times do you think we should retry?

In a situation where the control socket isn't available yet, most likely it will become available fairly quickly once the agent creates it. The problem is we previously only waited once, when really we probably needed to wait a few seconds.

I would say retrying every 1s is reasonable for 120 total retries over 2 minutes.

I don't know the details of the shutdown process from the Elastic-Agent so I'm really not sure what makes sense here. If there is any sort of communication with Fleet-Server or even waiting Beats finishing to flush some data, it might make sense to have longer wait times in case ES is overloaded.

Does this retry logic actually impact the shutdown process? This wasn't something I was expecting to have to consider.

[AndersonQ]

buildkite test this

[elastic-sonarqube]

Quality Gate failed

Failed conditions

35.1% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

[jlind23]

Sonarqube is failing due to code coverage below 40%, force merging it.