[Enhancement Request] Allow configuring a different install directory for Endpoint

[IanLee1521]

Hi there --

I was just trying to enable the Elastic Defend integration in my Elastic deployment, and found that currently, it appears to require being installed into /opt/Elastic:

# elastic-agent status
┌─ fleet
│  └─ status: (HEALTHY) Connected
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a failed state
   └─ endpoint-default
      ├─ status: (FAILED) failed install endpoint service: 2024-03-19 17:56:48: error: Internal.cpp:311 Unable to create directory /opt/Elastic: exit status 214
      ├─ endpoint-default
      │  └─ status: (FAILED) failed install endpoint service: 2024-03-19 17:56:48: error: Internal.cpp:311 Unable to create directory /opt/Elastic: exit status 214
      └─ endpoint-default-36297671-98bd-4b89-92b3-61d772686db4
         └─ status: (FAILED) failed install endpoint service: 2024-03-19 17:56:48: error: Internal.cpp:311 Unable to create directory /opt/Elastic: exit status 214

This is an issue for us in our environment as we have many hosts that are stateless, often without a harddrive in them, where /opt is almost always a RO mount from another host.

Ideally, we would be able to configure a different (local) path on those stateless nodes. It's very likely that this path might be a RAM filesystem which would disappear if the host rebooted, so ideally there would not be very much state in that directory, and it would be able to easily regenerate itself by re-enrolling / re-starting the elastic agent process.

I'd be happy to collaborate on how this might look and / or to do any early testing if that would be helpful. Cheers!

[IanLee1521]

Just to add some additional context that I received internally:

if this is for config files, FHS says they should be using "/etc/opt | Configuration files for add-on packages stored in /opt"

see also (from that same link):

Package files that are variable (change in normal operation) must be installed in /var/opt. See the section on /var/opt for more information.

Host-specific configuration files must be installed in /etc/opt. See the section on /etc for more information.

[nfritts]

Thanks for raising this @IanLee1521

I think we can at least investigate changing our install to something more compliant with FHS, but I can't give any kind of timeline on how long that might take us.

We've used a non-configurable install location thus far to avoid a lot of problematic edge cases around when customers change their minds about where they want software installed.

In the meantime, would you be able to work around this issue by having /opt/Elastic be a separate mount?

I will caution you though that Endpoint isn't designed to be stateless. There are cache files and temp files used to try and reduce multiple scans of the same file and to minimize the data loss if the endpoint upgrades/host reboots/crashes.

[IanLee1521]

@nfritts - Makes sense why you'd do it that way.

A separate mount is tricky for us, but I did find that using a symlink to the RAM Filesystem seems to be a workaround in this situation. So I can do this on the host that is serving /opt for now to work around this limitation:

ln -s /var/opt/Elastic /opt/Elastic

/var/opt/ seems to be a bit more compliant of a path, that still meets your needs to have stateful content in there.