elastic · mjwolf · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
@@ -12,5 +12,6 @@ source .buildkite/scripts/common.sh
 export SNAPSHOT="true"
 export EXTERNAL="true"
 export USE_PACKAGE_VERSION="true"
+export MAGEFILE_VERBOSE="true"
 
 mage package
diff --git a/changelog/fragments/1764188813-add-cloud-defend-packaging.yaml b/changelog/fragments/1764188813-add-cloud-defend-packaging.yaml
@@ -0,0 +1,45 @@
+# REQUIRED
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# REQUIRED for all kinds
+# Change summary; a 80ish characters long description of the change.
+summary: Add cloud-defend to container image agent packages
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# description:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# impact:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# action:
+
+# REQUIRED for all kinds
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# AUTOMATED
+# OPTIONAL to manually add other PR URLs
+# PR URL: A link the PR that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+# pr: https://github.com/owner/repo/1234
+
+# AUTOMATED
+# OPTIONAL to manually add other issue URLs
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+# issue: https://github.com/owner/repo/1234
@@ -95,6 +95,16 @@ components:
       - *linux-amd64
       - *linux-arm64
     packageTypes: *all-package-types
+  - &comp-cloud-defend
+    projectName: cloud-defend
+    packageName: cloud-defend-{{.Version}}-{{.Platform}}.{{.Ext}}
+    rootDir: cloud-defend-{{.Version}}-{{.Platform}}
+    binaryName: cloud-defend
+    fips: false
+    platforms:
+      - *linux-amd64
+    packageTypes:
+      - *pkg-type-docker
   - &comp-connectors
     projectName: connectors
     packageName: connectors-{{.Version}}.zip
@@ -241,6 +251,20 @@ shared:
 
   # components included in elastic-agent package specs defined before components support in this YAML
   - &elastic_agent_components
+    components:
+      - *comp-agentbeat
+      - *comp-apm_server
+      - *comp-cloudbeat
+      - *comp-cloud-defend
+      - *comp-connectors
+      - *comp-endpoint
+      - *comp-fleet-server
+      - *comp-pf-elastic-collector
+      - *comp-pf-elastic-symbolizer
+      - *comp-pf-host-agent
+
+  # components for cloud/service variants (excludes cloud-defend)
+  - &elastic_agent_cloud_components
     components:
       - *comp-agentbeat
       - *comp-apm_server
@@ -436,6 +460,14 @@ shared:
       <<: *linux_otel_files
       <<: *agent_unpacked_components_files
 
+  - &agent_cloud_binary_spec
+    <<: *common
+    <<: *elastic_agent_cloud_components
+    files:
+      <<: *agent_binary_files
+      <<: *linux_otel_files
+      <<: *agent_unpacked_components_files
+
   - &agent_binary_fips_spec
     <<: *common_fips
     <<: *elastic_agent_fips_components
@@ -538,6 +570,31 @@ shared:
         source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
         mode: 0755
 
+  - &agent_cloud_docker_spec
+    <<: *agent_cloud_binary_spec
+    extra_vars:
+      dockerfile: 'Dockerfile.elastic-agent.tmpl'
+      docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
+      user: '{{ .BeatName }}'
+      linux_capabilities: ''
+      beats_install_path: "install"
+    files:
+      'elastic-agent.yml':
+        source: 'elastic-agent.docker.yml'
+        mode: 0600
+        config: true
+      'otel.yml':
+        source: 'otel.yml'
+        mode: 0600
+        config: true
+      '.elastic-agent.active.commit':
+        content: >
+          {{ commit }}
+        mode: 0644
+      'hints.inputs.d':
+        source: '{{ repo.RootDir }}/deploy/kubernetes/elastic-agent-standalone/templates.d'
+        mode: 0755
+
   - &agent_docker_fips_spec
     <<: *agent_binary_fips_spec
     extra_vars:
@@ -1458,7 +1515,7 @@ specs:
       arch: amd64
       types: [docker]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The cloud image is always based on Wolfi
         <<: *docker_wolfi_spec
         <<: *docker_builder_spec
@@ -1471,7 +1528,7 @@ specs:
       arch: arm64
       types: [docker]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The cloud image is always based on Wolfi
         <<: *docker_wolfi_arm_spec
         <<: *docker_builder_arm_spec
@@ -1485,7 +1542,7 @@ specs:
       arch: amd64
       types: [ docker ]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The service image is always based on Wolfi
         <<: *docker_wolfi_spec
         <<: *docker_builder_spec
@@ -1499,7 +1556,7 @@ specs:
       arch: arm64
       types: [ docker ]
       spec:
-        <<: *agent_docker_spec
+        <<: *agent_cloud_docker_spec
         # The service image is always based on Wolfi
         <<: *docker_wolfi_arm_spec
         <<: *docker_builder_arm_spec

@@ -39,6 +39,7 @@ RUN true && \
     chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/*beat && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/osquery* || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/apm-server || true) && \
+    (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/cloud-defend || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/endpoint-security || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/fleet-server || true) && \
     (chmod 0755 {{ $beatHome }}/data/elastic-agent-*/components/pf-elastic-collector || true) && \

@@ -74,13 +74,14 @@ RUN find / -xdev -perm -4000 -exec chmod u-s {} +
 # Provide a non-root user to run the process.
 RUN groupadd --gid 1000 ${ELASTIC_PRODUCT} && useradd --uid 1000 --gid 1000 --groups 0 --home-dir /usr/share/${ELASTIC_PRODUCT} --no-create-home ${ELASTIC_PRODUCT}
 
-# Elastic Agent permissions
+# Elastic Agent permissions
 RUN find /usr/share//elastic-agent/data -type d -exec chmod 0777 {} \; && \
     find /usr/share//elastic-agent/data -type f -exec chmod 0666 {} \; && \
     chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/elastic-agent && \
     chmod 0755 /usr/share//elastic-agent/data/elastic-agent-*/components/*beat && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/osquery* || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/apm-server || true) && \
+    (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/cloud-defend || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/endpoint-security || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/fleet-server || true) && \
     (chmod 0755 /usr/share/elastic-agent/data/elastic-agent-*/components/pf-elastic-collector || true) && \