fix(ssi): ensure found datadog-installer has necessary commands

Author: maattdd

pkg/fleet/installer/packages/apminject/systemd.go

@@ -13,7 +13,9 @@ import (
 	_ "embed"
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"time"
 
 	"github.com/DataDog/datadog-agent/pkg/fleet/installer/packages/service/systemd"
 	"github.com/DataDog/datadog-agent/pkg/fleet/installer/telemetry"
@@ -56,8 +58,17 @@ type SystemdServiceManager struct {
 //   - Regular OCI agent install: datadog-agent is installed before
 //     datadog-apm-inject, so the agent's embedded installer is in place.
 //   - Legacy deb/rpm: /usr/bin/datadog-installer ships with the package.
+//
+// Candidates are additionally verified to support the `apm instrument-start`/
+// `instrument-stop` subcommands the unit invokes. This matters on upgrade from
+// an older agent: a stale installer (e.g. the previous version's embedded
+// binary still pointed to by a `stable` symlink, or an old standalone installer
+// at a higher-priority candidate path) would otherwise be baked into ExecStart
+// and fail on every boot, silently breaking host injection. resolveInstallerPath
+// skips such binaries and falls through to a candidate that actually supports
+// the subcommands (e.g. the freshly-copied datadog-installer-ssi).
 func NewSystemdServiceManager() *SystemdServiceManager {
-	installerPath, err := resolveInstallerPath(installerPathCandidates)
+	installerPath, err := resolveInstallerPath(installerPathCandidates, supportsInstrumentSubcommands)
 	if err != nil {
 		log.Warnf("could not resolve datadog-installer path for APM inject service: %v; writeServiceFile will refuse to render the unit", err)
 	}
@@ -144,7 +155,30 @@ func (s *SystemdServiceManager) writeServiceFile() error {
 	return nil
 }
 
-func resolveInstallerPath(candidates []string) (string, error) {
+// installerVerifier reports whether the datadog-installer binary at path
+// supports the subcommands the apm-inject unit invokes. It is a parameter of
+// resolveInstallerPath so tests can exercise pure path resolution without an
+// executable installer on disk.
+type installerVerifier func(path string) bool
+
+// supportsInstrumentSubcommands reports whether the installer at path exposes
+// the `apm instrument-start` and `apm instrument-stop` subcommands. Installers
+// shipped before the systemd-managed preload feature have an `apm` command
+// without them, so `apm --help` lists neither. Inspecting the help output is
+// side-effect free, unlike actually running instrument-start.
+func supportsInstrumentSubcommands(path string) bool {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+	out, err := exec.CommandContext(ctx, path, "apm", "--help").CombinedOutput()
+	if err != nil {
+		log.Debugf("installer candidate %s does not support instrument subcommands: %v", path, err)
+		return false
+	}
+	return bytes.Contains(out, []byte("instrument-start")) && bytes.Contains(out, []byte("instrument-stop"))
+}
+
+func resolveInstallerPath(candidates []string, verify installerVerifier) (string, error) {
+	var skippedUnsupported []string
 	for _, p := range candidates {
 		info, err := os.Stat(p)
 		// Skip if doesn't exist.
@@ -155,7 +189,16 @@ func resolveInstallerPath(candidates []string) (string, error) {
 		if info.IsDir() || info.Mode()&0111 == 0 {
 			continue
 		}
+		// Skip binaries too old to support the subcommands the unit invokes,
+		// so we never bake a doomed ExecStart into the service file.
+		if verify != nil && !verify(p) {
+			skippedUnsupported = append(skippedUnsupported, p)
+			continue
+		}
 		return p, nil
 	}
+	if len(skippedUnsupported) > 0 {
+		return "", fmt.Errorf("found datadog-installer binaries but none support `apm instrument-start` (too old): %v", skippedUnsupported)
+	}
 	return "", fmt.Errorf("no datadog-installer binary found among %v", candidates)
 }

pkg/fleet/installer/packages/apminject/systemd_test.go

@@ -126,7 +126,7 @@ func TestResolveInstallerPath(t *testing.T) {
 	executable := filepath.Join(tmpDir, "executable")
 	require.NoError(t, os.WriteFile(executable, []byte("#!/bin/sh\n"), 0755))
 
-	got, err := resolveInstallerPath([]string{missing, nonExec, executable})
+	got, err := resolveInstallerPath([]string{missing, nonExec, executable}, alwaysSupported)
 	require.NoError(t, err)
 	assert.Equal(t, executable, got)
 }
@@ -136,7 +136,7 @@ func TestResolveInstallerPath_AllMissing(t *testing.T) {
 	_, err := resolveInstallerPath([]string{
 		filepath.Join(tmpDir, "a"),
 		filepath.Join(tmpDir, "b"),
-	})
+	}, alwaysSupported)
 	assert.Error(t, err)
 }
 
@@ -147,11 +147,41 @@ func TestResolveInstallerPath_SkipsDirectory(t *testing.T) {
 	exe := filepath.Join(tmpDir, "candidate-exe")
 	require.NoError(t, os.WriteFile(exe, []byte{}, 0755))
 
-	got, err := resolveInstallerPath([]string{dir, exe})
+	got, err := resolveInstallerPath([]string{dir, exe}, alwaysSupported)
 	require.NoError(t, err)
 	assert.Equal(t, exe, got)
 }
 
+// TestResolveInstallerPath_SkipsUnsupportedInstaller guards the upgrade case:
+// a higher-priority candidate that is on disk and executable but too old to
+// support `apm instrument-start` must be skipped in favor of a newer candidate.
+func TestResolveInstallerPath_SkipsUnsupportedInstaller(t *testing.T) {
+	tmpDir := t.TempDir()
+	stale := filepath.Join(tmpDir, "stale-installer")
+	require.NoError(t, os.WriteFile(stale, []byte{}, 0755))
+	fresh := filepath.Join(tmpDir, "fresh-installer")
+	require.NoError(t, os.WriteFile(fresh, []byte{}, 0755))
+
+	verify := func(p string) bool { return p == fresh }
+
+	got, err := resolveInstallerPath([]string{stale, fresh}, verify)
+	require.NoError(t, err)
+	assert.Equal(t, fresh, got, "stale installer (no instrument-start) must be skipped")
+}
+
+// TestResolveInstallerPath_AllUnsupported asserts we fail loudly rather than
+// return a stale installer that would produce a unit doomed to fail on boot.
+func TestResolveInstallerPath_AllUnsupported(t *testing.T) {
+	tmpDir := t.TempDir()
+	exe := filepath.Join(tmpDir, "old-installer")
+	require.NoError(t, os.WriteFile(exe, []byte{}, 0755))
+
+	_, err := resolveInstallerPath([]string{exe}, func(string) bool { return false })
+	assert.ErrorContains(t, err, "too old")
+}
+
+func alwaysSupported(string) bool { return true }
+
 func TestSystemdServiceManager_Uninstall(t *testing.T) {
 	tmpDir := t.TempDir()
 	testServicePath := filepath.Join(tmpDir, "test-service.service")

test/new-e2e/tests/installer/script/ssi_upgrade_script_test.go

@@ -0,0 +1,195 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2016-present Datadog, Inc.
+
+package installscript
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	e2eos "github.com/DataDog/datadog-agent/test/e2e-framework/components/os"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/scenarios/aws/ec2"
+	"github.com/DataDog/datadog-agent/test/e2e-framework/testing/e2e"
+	awshost "github.com/DataDog/datadog-agent/test/e2e-framework/testing/provisioners/aws/host"
+	installer "github.com/DataDog/datadog-agent/test/new-e2e/tests/installer/unix"
+)
+
+const (
+	// apmInjectServicePath is where the apminject package writes its systemd unit.
+	// Mirrors systemd.UserUnitsPath ("/etc/systemd/system") + the unit name.
+	apmInjectServicePath = "/etc/systemd/system/datadog-apm-inject.service"
+	apmInjectServiceName = "datadog-apm-inject.service"
+	// launcherPreloadPath is the line the apm-inject service must keep in
+	// /etc/ld.so.preload for host instrumentation to be effective.
+	launcherPreloadPath = "/opt/datadog-packages/datadog-apm-inject/stable/inject/launcher.preload.so"
+	// productionSSIScriptURL installs the current GA SSI stack. That stack predates
+	// the systemd-managed ld.so.preload feature and ships an installer whose
+	// `apm` command has no `instrument-start`/`instrument-stop` subcommands.
+	productionSSIScriptURL = "https://install.datadoghq.com/scripts/install-ssi.sh"
+)
+
+// execStartInstallerRe extracts the installer binary path baked into the unit's
+// ExecStart line, e.g. "ExecStart=/opt/.../installer apm instrument-start host".
+var execStartInstallerRe = regexp.MustCompile(`(?m)^ExecStart=(\S+) apm instrument-start`)
+
+// ssiUpgradeSuite verifies that upgrading a host that already has an older SSI
+// stack (whose datadog-installer lacks the `apm instrument-start`/`instrument-stop`
+// subcommands) to a build that enables systemd-managed ld.so.preload produces a
+// datadog-apm-inject.service that points at a *working* installer — and that host
+// instrumentation survives a reboot, when only the service (not the install-time
+// direct fallback) is responsible for populating /etc/ld.so.preload.
+type ssiUpgradeSuite struct {
+	installerScriptBaseSuite
+}
+
+// TestSSIUpgrade provisions a single host and runs the upgrade suite. The upgrade
+// target is the current pipeline build, so a pipeline id (or commit sha) is required.
+func TestSSIUpgrade(t *testing.T) {
+	requirePipeline(t)
+
+	flavor := e2eos.Ubuntu2404
+	flavor.Architecture = e2eos.AMD64Arch
+
+	suite := &ssiUpgradeSuite{
+		installerScriptBaseSuite: newInstallerScriptSuite(
+			"installer-ssi-upgrade", flavor, flavor.Architecture,
+			awshost.WithRunOptions(ec2.WithoutFakeIntake()),
+			awshost.WithRunOptions(ec2.WithoutAgent()),
+		),
+	}
+
+	opts := []awshost.ProvisionerOption{
+		awshost.WithRunOptions(
+			ec2.WithEC2InstanceOptions(ec2.WithOSArch(flavor, flavor.Architecture)),
+			ec2.WithoutAgent(),
+		),
+	}
+	opts = append(opts, suite.ProvisionerOptions()...)
+
+	e2e.Run(t, suite,
+		e2e.WithProvisioner(awshost.Provisioner(opts...)),
+		e2e.WithStackName(suite.Name()),
+	)
+}
+
+func (s *ssiUpgradeSuite) TestUpgradePreservesHostInjection() {
+	defer s.Purge()
+
+	// 1. Install the current GA SSI stack from production. This lands an older
+	//    datadog-installer on disk — one whose `apm` command has no
+	//    instrument-start/instrument-stop subcommands.
+	s.installProductionSSI()
+	s.host.AssertPackageInstalledByInstaller("datadog-apm-inject")
+	s.assertLDPreloadInstrumented("after fresh GA install")
+
+	// 2. Upgrade to the pipeline build and opt into systemd-managed preload.
+	s.RunInstallScript(
+		s.scriptURLPrefix+"install-ssi.sh",
+		"DD_SITE=datadoghq.com",
+		"DD_APM_INSTRUMENTATION_LIBRARIES=python:4",
+		"DD_APM_INSTRUMENTATION_ENABLED=host",
+		"DD_APM_INSTRUMENTATION_PRELOAD_MODE=systemd",
+		"DD_NO_AGENT_INSTALL=true",
+		"DD_INSTALLER_REGISTRY_URL_AGENT_PACKAGE=installtesting.datad0g.com.internal.dda-testing.com",
+	)
+
+	// 3. The unit must exist, be enabled, and — crucially — reference an installer
+	//    that actually supports the subcommand it invokes. A stale installer
+	//    resolved from a higher-priority candidate path would silently break SSI
+	//    on the next boot.
+	state := s.host.State()
+	state.AssertFileExists(apmInjectServicePath, 0644, "root", "root")
+	state.AssertUnitsLoaded(apmInjectServiceName)
+	state.AssertUnitsEnabled(apmInjectServiceName)
+
+	installerPath := s.execStartInstallerPath()
+	_, err := s.Env().RemoteHost.Execute(fmt.Sprintf("sudo %s apm instrument-start --help", installerPath))
+	require.NoErrorf(s.T(), err,
+		"datadog-apm-inject.service ExecStart references %q, which does not support `apm instrument-start`; "+
+			"the service would fail on every boot and host injection would silently break", installerPath)
+
+	// Right after the upgrade, ld.so.preload is correct regardless of the service
+	// because Instrument() also writes it directly. The reboot below is what proves
+	// the *service* (and thus the resolved installer) is healthy.
+	s.assertLDPreloadInstrumented("after upgrade, before reboot")
+
+	// 4. Reboot. Now only datadog-apm-inject.service's ExecStart can populate
+	//    /etc/ld.so.preload — the install-time direct write does not run again.
+	s.reboot()
+
+	require.EventuallyWithT(s.T(), func(c *assert.CollectT) {
+		out, err := s.Env().RemoteHost.Execute("systemctl is-active " + apmInjectServiceName)
+		assert.NoErrorf(c, err, "apm-inject service not active after reboot (status: %s)", strings.TrimSpace(out))
+	}, 2*time.Minute, 5*time.Second)
+	s.assertLDPreloadInstrumented("after reboot")
+}
+
+// installProductionSSI installs the GA SSI stack directly from production, without
+// any pipeline/testing registry overrides, so a genuinely older installer ends up
+// on disk.
+func (s *ssiUpgradeSuite) installProductionSSI() {
+	s.Env().RemoteHost.MustExecute(fmt.Sprintf("curl -L %s > install_ssi_prod", productionSSIScriptURL))
+	params := []string{
+		"DD_API_KEY=" + installer.GetAPIKey(),
+		"DD_SITE=datadoghq.com",
+		"DD_APM_INSTRUMENTATION_LIBRARIES=python:4",
+		"DD_APM_INSTRUMENTATION_ENABLED=host",
+		"DD_NO_AGENT_INSTALL=true",
+	}
+	_, err := s.Env().RemoteHost.Execute(strings.Join(params, " ") + " bash install_ssi_prod")
+	require.NoError(s.T(), err, "failed to install production SSI stack")
+}
+
+// execStartInstallerPath returns the installer binary path baked into the unit's
+// ExecStart line.
+func (s *ssiUpgradeSuite) execStartInstallerPath() string {
+	content, err := s.host.ReadFile(apmInjectServicePath)
+	require.NoError(s.T(), err)
+	m := execStartInstallerRe.FindStringSubmatch(string(content))
+	require.Lenf(s.T(), m, 2, "could not find ExecStart installer path in unit:\n%s", string(content))
+	return m[1]
+}
+
+// assertLDPreloadInstrumented asserts the injector launcher is present in
+// /etc/ld.so.preload.
+func (s *ssiUpgradeSuite) assertLDPreloadInstrumented(when string) {
+	out := s.Env().RemoteHost.MustExecute("cat /etc/ld.so.preload || true")
+	require.Containsf(s.T(), out, launcherPreloadPath,
+		"injector launcher missing from /etc/ld.so.preload (%s); contents:\n%s", when, out)
+}
+
+// reboot reboots the host and waits for it to come back with a new boot id.
+func (s *ssiUpgradeSuite) reboot() {
+	before := strings.TrimSpace(s.Env().RemoteHost.MustExecute("cat /proc/sys/kernel/random/boot_id"))
+	// The connection drops as the host goes down; ignore the error.
+	_, _ = s.Env().RemoteHost.Execute("sudo reboot")
+	require.EventuallyWithT(s.T(), func(c *assert.CollectT) {
+		if err := s.Env().RemoteHost.Reconnect(); err != nil {
+			assert.NoError(c, err)
+			return
+		}
+		out, err := s.Env().RemoteHost.Execute("cat /proc/sys/kernel/random/boot_id")
+		if !assert.NoError(c, err) {
+			return
+		}
+		assert.NotEqualf(c, before, strings.TrimSpace(out), "host has not rebooted yet")
+	}, 5*time.Minute, 10*time.Second)
+}
+
+func requirePipeline(t *testing.T) {
+	t.Helper()
+	_, hasPipeline := os.LookupEnv("E2E_PIPELINE_ID")
+	_, hasSHA := os.LookupEnv("CI_COMMIT_SHA")
+	if !hasPipeline && !hasSHA {
+		t.Skip("E2E_PIPELINE_ID / CI_COMMIT_SHA not set; this test upgrades to the current pipeline build")
+	}
+}