Osquerybeat: Strip osqueryd binary for linux

[aleksmaus]

Proposed commit message

Strip osqueryd binary for linux that is unstripped in the official osquery tar.gz distro.
Size reduction
ARM: 273,418,504 -> 78,956,480 bytes
x86: 270,282,072 -> 86,097,240 bytes

Changed dev-tools code for linux crossbuilds.
Noticed that the image docker.elastic.co/beats-dev/golang-crossbuild:1.21.9-arm currently exists for both ARM and x86 archs and is being used randomly, which causes a problem for strip tool when arch of binaries are mismatched with the arch of the tool. This affects only linux builds.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Ensure that everything builds as before. The size of osqueryd is 3x smaller than before on linux OS, currently is under 90M.

Related issues

• Closes Package stripped osqueryd executable with osquerybeat on all platforms #38890

Screenshots

Before:

After:

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[botelastic]

This pull request doesn't have a Team:<team> label.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @aleksmaus? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[cmacknz]

Thanks!

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 140 min 12 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[blakerouse]

I ask that this be changed to support agentbeat as well as osquerybeat. Agentbeat must also ship with osqueryd or the osquerybeat subcommand will not work.

See this PR for the changes to make it work with agentbeat - #38951

[aleksmaus]

Updated PR in order to address agentbeat build as well.

Couple of things worth mentioning:

1. Needed to have the "strip" called from within the container the arch of the binary and the "strip" tool have to match otherwise it fails complaining on the binary architecture, so kept the stripping in GolangCrossBuild still
2. Didn't see a good way to detect if the crossbuild was initiated from osquerybeat or agentbeat. The build/install directory where osqueryd is unpacked is different. So the script now searched in two locations for osqueryd binary: osquerybeat and if not found agentbeat.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feature/strip_linux_oquerybeat upstream/feature/strip_linux_oquerybeat
git merge upstream/main
git push upstream feature/strip_linux_oquerybeat

[blakerouse]

With agentbeat merged, lets get the conflicts resolved and then I can take a better look.

[aleksmaus]

Picked up the latest main, resolved conflicts, improved code slightly

[cmacknz]

Adding the backport-v8.14 label, IMO not stripping osqueryd is a bug.

[aleksmaus]

Adding the backport-v8.14 label, IMO not stripping osqueryd is a bug.

Or a feature upstream ;-)

[blakerouse]

Why is this still here? The code has changed to not need this specifically in osquerybeat.

[aleksmaus]

This a mistake on conflict resolution (context switching), the function is not used. Removed.

[blakerouse]

How does this work for agentbeat? Agentbeat doesn't import the magefile from osquerybeat.

[aleksmaus]

This works because agent beat calls out to osquerybeat to build the extension

beats/x-pack/agentbeat/magefile.go

Line 112 in 5e16f25

return callForBeat("crossBuildExt", "osquerybeat")

This path is also followed for stanalone osquerybeat crossbuild.

[blakerouse]

Okay. I forgot I did it that way. ;-)

[pkoutsovasilis]

As stripping the osqueryd binary goes this LGTM! but I am not familiar with AgentBeat and I can't guarantee that nothing erupts there but I trust @aleksmaus comment here

[amitkanfer]

Sweet!!