elastic · AndersonQ · Sep 8, 2025 · Sep 3, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -151,6 +151,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - The Elasticsearch output now correctly applies exponential backoff when being throttled by 429s ("too many requests") from Elasticsarch. {issue}36926[36926] {pull}45073[45073]
 - Fixed case where Beats would silently fail due to invalid input configuration, now the error is correctly reported. {issue}43118[43118] {pull}45733[45733]
 - Fix a race condition during metrics initialization which could cause a panic. {issue}45822[45822] {pull}46054[46054]
+- Fixed a panic when the beat restarts itself by adding 'eventfd2' to default seccomp policy {issue}46372[46372]
 - Update Go version to 1.24.7 {pull}46070[46070].
 
 *Auditbeat*

@@ -22,18 +22,16 @@ package instance
 import (
 	"fmt"
 	"os"
-	"path/filepath"
 
 	"golang.org/x/sys/unix"
 )
 
 func (b *Beat) doReexec() error {
-	pwd, err := os.Getwd()
+	binary, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("could not get working directory: %w", err)
 	}
 
-	binary := filepath.Join(pwd, os.Args[0])
 	if err := unix.Exec(binary, os.Args, os.Environ()); err != nil {
 		return fmt.Errorf("could not exec '%s', err: %w", binary, err)
 	}

@@ -46,6 +46,7 @@ func init() {
 					"epoll_create1",
 					"epoll_ctl",
 					"epoll_wait",
+					"eventfd2",
 					"execve",
 					"exit",
 					"exit_group",

@@ -51,6 +51,7 @@ func init() {
 					"epoll_ctl",
 					"epoll_pwait",
 					"epoll_wait",
+					"eventfd2",
 					"execve",
 					"exit",
 					"exit_group",

@@ -23,12 +23,16 @@
 	"context"
 	"fmt"
 	"net/url"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 	sdkmetric "go.opentelemetry.io/otel/sdk/metric"
 	"go.opentelemetry.io/otel/sdk/metric/metricdata"
+
+	"github.com/elastic/elastic-agent-libs/testing/certutil"
 )
 
 var esCfg = `
@@ -98,6 +102,60 @@
 	s.Close()
 }
 
+func TestReloadCA(t *testing.T) {
+	mockbeat := NewBeat(t, "mockbeat", "../../libbeat.test")
+
+	s, esAddr, _, _ := StartMockES(t, ":4242", 0, 0, 0, 0, 0)
+	defer s.Close()
+
+	_, _, pair, err := certutil.NewRootCA()
+	require.NoError(t, err, "could not generate root CA")
+	caPath := filepath.Join(os.TempDir(), "ca.pem")
+	err = os.WriteFile(caPath, pair.Cert, 0644)
+	require.NoError(t, err, "could not write CA")
+
+	mockbeat.WriteConfigFile(fmt.Sprintf(`
+output.elasticsearch:
+  allow_older_versions: true
+  hosts: ["%s"]
+  ssl:
+    certificate_authorities: "%s"
+    restart_on_cert_change.enabled: true
+    restart_on_cert_change.period: 1s
+logging.level: debug
+`, esAddr, caPath))
+
+	mockbeat.Start()
+
+	// 1. wait mockbeat to start
+	mockbeat.WaitLogsContains(
+		fmt.Sprint("mockbeat start running"),
+		10*time.Second,
+		"did not find 'mockbeat start running' log")
+
+	// 2. "rotate" the CA. Just write it again
+	err = os.WriteFile(caPath, pair.Cert, 0644)
+	require.NoError(t, err, "could not rotate CA")
+
+	// 3. Wait for cert change detection logs
+	mockbeat.WaitLogsContains(
+		fmt.Sprintf("some of the following files have been modified: [%s]", caPath),
+		10*time.Second,
+		"did not detect CA rotation")
+
+	// 4. Wait for CA load log
+	mockbeat.WaitLogsContains(
+		fmt.Sprintf("Successfully loaded CA certificate: %s", caPath),
+		10*time.Second,
+		"did not find 'Successfully loaded CA' log")
+
+	// 5. wait mockbeat to start again
+	mockbeat.WaitLogsContains(
+		fmt.Sprint("mockbeat start running"),
+		10*time.Second,
+		"did not find 'mockbeat start running' log again")
+}
+
 // waitForEventToBePublished waits for at least one event published
 // by inspecting the count for `bulk.create.total` in `mr`. Once
 // the counter is > 1, waitForEventToBePublished returns. If that
@@ -118,7 +176,7 @@
 			for _, m := range sm.Metrics {
 				if m.Name == "bulk.create.total" {
 					total := int64(0)
-					//nolint: errcheck // It's a test
+					//nolint:errcheck // It's a test
 					for _, dp := range m.Data.(metricdata.Sum[int64]).DataPoints {
 						total += dp.Value
 					}