https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
s

Shawn Maddock

09/08/2022, 2:41 PM
Having an issue configuring Fleet with a YAML file. The password is specified in the file, but when I attempt to start it up using 
fleet serve --config /etc/fleet/fleet.yml
, I’m getting:
Copy code
mysql="could not connect to db: Error 1045: Access denied for user 'fleet'@'localhost' (using password: NO), sleeping 0s"
If instead I specify the password with a CLI flag, it works fine. The config file is fairly simple:
Copy code
apiVersion: v1
kind: config
spec:
  mysql:
    password: '<my password>'
  server:
    address: 0.0.0.0:443
    cert: '/etc/letsencrypt/live/<my domain>/fullchain.pem'
    key: '/etc/letsencrypt/live/<my domain>/privkey.pem'
Anyone know why fleet would seem to be ignoring my config file?
l

Lucas Rodriguez

09/08/2022, 2:47 PM
Hi @Shawn Maddock! Could you try with:
Copy code
mysql:
  password: '<my password>'
server:
  address: 0.0.0.0:443  
  cert: '/etc/letsencrypt/live/<my domain>/fullchain.pem'
  key: '/etc/letsencrypt/live/<my domain>/privkey.pem'
See https://fleetdm.com/docs/deploying/configuration#using-a-yaml-config-file
s

Shawn Maddock

09/08/2022, 2:51 PM
l

Lucas Rodriguez

09/08/2022, 2:52 PM
Yes, probably outdated docs. I'll open an issue and link this thread.
s

Shawn Maddock

09/08/2022, 2:53 PM
Yikes. I mean, thanks, but yikes. I hope that top level structure is the only thing outdated.
l

Lucas Rodriguez

09/08/2022, 2:54 PM
Oh seems we already have an issue for this: https://github.com/fleetdm/fleet/issues/7557
Oh and we have a PR to fix it 🙂 https://github.com/fleetdm/fleet/pull/7449/files
s

Shawn Maddock

09/08/2022, 2:57 PM
That “two different configs” is very confusing, and needs to be called out.
l

Lucas Rodriguez

09/08/2022, 3:03 PM
Indeed. Thanks for the feedback!
s

Shawn Maddock

09/08/2022, 3:11 PM
So since I’m still a little confused and a newb, can all 
config
type settings be specified in the one passed by 
fleet --config
, or are there some that can only be set via 
fleetctl apply
?
l

Lucas Rodriguez

09/08/2022, 3:30 PM
No, only some settings can be applied via 
fleetctl apply
, like queries, packs, osquery agent settings. These settings are defined here: https://fleetdm.com/docs/using-fleet/configuration-files
The 
fleet --config
ones are more operational settings (which cannot be changed by 
fleetctl apply
like MySQL connection settings, etc.)
s

Shawn Maddock

09/08/2022, 3:49 PM
I think that makes sense. I’ll keep playing around and reach back out if I run into other issues. Thanks!
Is there a way to export settings set in the web UI to YAML?
Also, in some docs, I’m seeing the yaml section defined as 
vulnerabilities
and other places 
vulnerability_settings
… same with other section names. Are these interchangeable?
I found 
fleet config_dump
but that only includes what I have in the 
--config
file, and 
fleetctl get config
which only includes what was set in the UI. It looks like 
vulnerability_settings
moved from the 
fleetctl
config to 
vulnerabilities
in the 
fleet
config, making it even more confusing.
Having one, API-style doc that lists all the config settings and all the ways they can be applied would be lovely. This mix of explanatory docs, tutorials, reference docs, and help text does not a happy developer make. If there’s any way i can contribute to making that happen, let me know.
k

Kathy Satterlee

09/09/2022, 1:48 PM
Hi @Shawn Maddock! You can pull the full config with 
fleetctl get config --include-server-config
. I'm sorry about the weirdness in the docs, I'll dig in to that and make sure everything is up to date.
s

Shawn Maddock

09/09/2022, 1:58 PM
That flag is not actually adding anything to the output on my instance
k

Kathy Satterlee

09/09/2022, 4:15 PM
That's really odd! Can you share that output with anything sensitive removed? I know there's been a lot of back and forth on this already, so I'd also be happy to jump on a quick Zoom call so you can do some show and tell to streamline things if you'd like.
7 Views
Powered by