#general
Michael Barrientos

09/17/2020, 6:50 AM
Sorry if this is the wrong channel… can’t find a more specific one that looks appropriate. Is it just me, or is the Yum repo for osquery broken? Following the instructions on the website from a fresh VM, I get the snippet that I’m including in the thread:
6:51 AM
$ curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
...snip...
$ sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
adding repo from: https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
grabbing file https://pkg.osquery.io/rpm/osquery-s3-rpm.repo to /etc/yum.repos.d/osquery-s3-rpm.repo
repo saved to /etc/yum.repos.d/osquery-s3-rpm.repo
$ sudo yum-config-manager --enable osquery-s3-rpm
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
$ sudo yum install osquery
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
https://s3.amazonaws.com/osquery-packages/rpm/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
...snip...
failure: repodata/repomd.xml from osquery-s3-rpm-repo: [Errno 256] No more mirrors to try.
https://s3.amazonaws.com/osquery-packages/rpm/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
theopolis

09/17/2020, 11:26 AM
Ah, let me fix this
11:33 AM
It looks like I messed up permission on bucket objects. It will take me a few hours to fix since I have a few things to do before I can jump onto a laptop this morning.
2:02 PM
I just corrected the permissions, can you try again?
ryanw

09/17/2020, 4:36 PM
I am following this issue regarding rpm packages: https://github.com/osquery/osquery/issues/6653 We are seeing this yum error:
"Error: requested datatype primary not available"
4:39 PM
Full log output:
---- Begin output of yum -q -y makecache --disablerepo=* --enablerepo=osquery ----
       STDOUT: 
       STDERR: Error: requested datatype primary not available
       ---- End output of yum -q -y makecache --disablerepo=* --enablerepo=osquery ----
       Ran yum -q -y makecache --disablerepo=* --enablerepo=osquery returned 1
4:55 PM
a little bit more information on the error:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>PermanentRedirect</Code><Message>The bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint.</Message><Endpoint>osquery-packages.s3.amazonaws.com</Endpoint><Bucket>osquery-packages</Bucket><RequestId>8280D830C4E0E8E6</RequestId><HostId>JRa9l1M9/PlK//UZNt1Zq+Mnw2X63P+pNYEbaPH9QJQeAdlZr7uzXLXP7QfcDYnGJAgV9z7AdKQ=</HostId></Error>
Our yum config:
[osquery]
name=Yum Repository
baseurl=https://s3.amazonaws.com/osquery-packages/rpm/$basearch/
enabled=1
fastestmirror_enabled=0
gpgcheck=1
gpgkey=https://pkg.osquery.io/rpm/GPG
4:58 PM
Found that
https://osquery-packages.s3.amazonaws.com/rpm/$basearch/
works! https://stackoverflow.com/a/39889337 Looks like this will need to be updated: https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
theopolis

09/17/2020, 5:20 PM
I will move the bucket back to us-east-1 in a few hours. I moved it to another account that has all infra on east-2.
5:22 PM
But I’ll see if I can update that repo file
5:42 PM
If I update that repo file then it fixes it for new installs right? But not for those with the yum repo already added.
ryanw

09/17/2020, 7:39 PM
I believe so, it appears the migration worked and is working now
theopolis

09/17/2020, 8:06 PM
Yeap, I think the correct thing to do was to move the bucket back to us-east-1.
Michael Barrientos

09/17/2020, 8:23 PM
My teammate is having the following problem now:
+ sh -c apt-get update -qq >/dev/null
E: Failed to fetch https://osquery-packages.s3.amazonaws.com/deb/dists/deb/InRelease  301  Moved Permanently [IP: 52.219.100.196 443]
E: The repository 'https://osquery-packages.s3.amazonaws.com/deb deb InRelease' is no longer signed.
8:33 PM
(Obviously for a debian-based install on the most recent one)
theopolis

09/17/2020, 9:12 PM
I think this is an AWS/CloudFront caching bug. Let me know if it still occurs after a few retries.