Hi new friends! I just set up the fleetdm preview,...
# fleet
a
Hi new friends! I just set up the fleetdm preview, and I'm concerned that the log shows the Admin login coming from a public GitHub IP address.
Does the preview just load random fake data?
u
Let me take a look! I'm assuming you set this up through the website rather than running locally? If so, I'm betting that there's a job that does the initial setup step for you (and potentially adds you as a user... I haven't played with that too recently).
a
I set it up locally as a docker compose stack
Tried again with incognito window. Fleet is running on a separate device in my network. I'm logging in to the web UI from my local workstation. The activity log is reporting the login is coming from an IP address that WHOIS reports is owned by GitHub
u
There is an automated step there that creates the admin login. Looking at how that's accomplished.
I double-checked and everything that's happening automatically is done locally. I spun up a new instance and saw only my IP address. Did you do anything like set up a GitOps repository to manage configuration?
a
Nope. I just downloaded <https://fleetdm.com/resources/install-fleetctl.sh> and ran it, then ran `~/.fleetctl/fleetctl preview`. I signed in with the default login.
I'd also like to point out that the `fleetctl` CLI tool doesn't have an explicitly defined command to stop all the containers. Maybe `logout` does, but that's not what the word means. I stopped the docker stack, but it left all the preview devices running.
u
The command for that is `fleetctl preview stop`. If you spin that instance back up, can you grab a screenshot of the activity you're seeing?
I'm definitely concerned about that login, nothing I can see should be causing that.
a
stop isn't in the help output, FYI
u
That's also very odd.
I confirmed that I'm seeing it in the latest version.
Can you show me what output you're seeing?
I'm also testing preview with a completely fresh start just to make sure nothing odd there happens.
I'd be curious to see what IP was listed when you logged in as well.
a
I'm not sure what output you're referring to, other than this. And this is the IP being logged by my logins.
Any update from your local testing?
u
It sounds like there's something in your local configuration that's causing that IP address to be used. Fleet is just grabbing the address from the headers of requests. I'm much less concerned since those logins are yours. The output I was referring to was the output of `fleetctl preview --help`.