Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
pvirani
04/26/2022, 4:01 PMtrying to enroll a container with osquery on it into Fleet but this error occurs when running
osquerydosqueryi# osqueryd --verbose --tls_dump
I0426 15:59:05.960875 265 init.cpp:357] osquery initialized [version=5.2.3]
I0426 15:59:05.960927 265 init.cpp:364] Using default flagfile: /etc/osquery/osquery.flags.default
I0426 15:59:05.979229 265 system.cpp:354] Found stale process for osqueryd (157)
I0426 15:59:05.979316 265 system.cpp:386] Writing osqueryd pid (265) to /var/run/osqueryd.pidfile
I0426 15:59:05.979460 265 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0426 15:59:05.979648 265 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55ba6f2c72d8) to thread: 140231381698112 (0x55ba6f2b4dc0) in process 265
I0426 15:59:05.980381 266 watcher.cpp:656] osqueryd watcher (265) executing worker (267)
I0426 15:59:05.986223 267 init.cpp:354] osquery worker initialized [watcher=265]
I0426 15:59:05.986275 267 init.cpp:364] Using default flagfile: /etc/osquery/osquery.flags.default
I0426 15:59:05.986357 267 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x5567575220d8) to thread: 140552803788352 (0x55675751a9d0) in process 267
I0426 15:59:05.986425 267 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0426 15:59:06.008972 267 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x5567575fef38) to thread: 140552259495488 (0x556757608310) in process 267
I0426 15:59:06.009070 267 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x5567575fed18) to thread: 140552267888192 (0x556757529ee0) in process 267
I0426 15:59:06.009122 366 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
E0426 15:59:06.009130 267 shutdown.cpp:79] Cannot activate tls && --enroll_secret_path=/etc/osquery/osquery.secret && --enroll_tls_endpoint=/api/v1/osquery/enroll&& --config_tls_endpoint=/api/v1/osquery/config && --tls_hostname=<http://fleetdm.segment.com|fleetdm.segment.com> && --config_refresh=300 && --config_tls_accelerated_refresh=300 && --config_tls_max_attempts=9999 && --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read && --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write && --carver_start_endpoint=/api/v1/osquery/carve/begin && --carver_continue_endpoint=/api/v1/osquery/carve/block config plugin: Unknown registry plugin: tls && --enroll_secret_path=/etc/osquery/osquery.secret && --enroll_tls_endpoint=/api/v1/osquery/enroll&& --config_tls_endpoint=/api/v1/osquery/config && --tls_hostname=<http://fleetdm.segment.com|fleetdm.segment.com> && --config_refresh=300 && --config_tls_accelerated_refresh=300 && --config_tls_max_attempts=9999 && --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read && --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write && --carver_start_endpoint=/api/v1/osquery/carve/begin && --carver_continue_endpoint=/api/v1/osquery/carve/block
I0426 15:59:06.009331 267 dispatcher.cpp:149] Thread: 140552803806784 requesting a stop
I0426 15:59:06.009389 267 dispatcher.cpp:156] Service: 0x5567575220d8 has been interrupted
I0426 15:59:06.009459 267 dispatcher.cpp:156] Service: 0x5567575fef38 has been interrupted
I0426 15:59:06.009536 267 dispatcher.cpp:156] Service: 0x5567575fed18 has been interrupted
I0426 15:59:06.009622 267 dispatcher.cpp:122] Thread: 140552803806784 requesting a join
I0426 15:59:06.010021 267 dispatcher.cpp:140] Service thread: 0x556757529ee0 has joined
I0426 15:59:06.010056 267 dispatcher.cpp:140] Service thread: 0x556757608310 has joined
I0426 15:59:06.010100 267 dispatcher.cpp:140] Service thread: 0x55675751a9d0 has joined
I0426 15:59:06.010123 267 dispatcher.cpp:144] Services and threads have been cleared
E0426 15:59:08.981992 266 shutdown.cpp:79] Worker returned exit status
I0426 15:59:08.983098 265 dispatcher.cpp:149] Thread: 140231381716544 requesting a stop
I0426 15:59:08.983296 265 dispatcher.cpp:122] Thread: 140231381716544 requesting a join
I0426 15:59:08.983441 265 dispatcher.cpp:140] Service thread: 0x55ba6f2b4dc0 has joined
I0426 15:59:08.983824 265 dispatcher.cpp:144] Services and threads have been clearedIt's an Ubuntu container and this is what the Dockerfile looks like
FROM ubuntu:22.04
RUN apt update && apt-get install --yes \
curl \
wget \
software-properties-common
# Add Osquery Binary
#Adding GPG settings
RUN gpg_key_url="<https://packagecloud.io/segment/infra/gpgkey>" \
&& gpg_keyring_path="/usr/share/keyrings/segment_infra-archive-keyring.gpg" \
&& echo -n "Importing packagecloud gpg key... " \
&& curl -fsSL "${gpg_key_url}" | gpg --dearmor > ${gpg_keyring_path} \
&& echo "done."
# Install Osquery
RUN apt-key adv --keyserver <http://keyserver.ubuntu.com|keyserver.ubuntu.com> --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B \
&& add-apt-repository "deb [arch=amd64] <https://osquery-packages.s3.amazonaws.com/deb> deb main" \
&& apt-get install osquery
RUN rm -f /etc/osquery/osquery.secret \
&& rm -f /etc/osquery/osquery.flags \
&& rm -f /etc/osquery/osquery.flags.default
RUN echo "28ZojsUf7zpOTQWAOrqSuadZCxWBEX14" > /etc/osquery/osquery.secret
# Fill osquery.flags.default with stuff
RUN echo "--config_plugin=tls \
&& --enroll_secret_path=/etc/osquery/osquery.secret \
&& --enroll_tls_endpoint=/api/v1/osquery/enroll\
&& --config_tls_endpoint=/api/v1/osquery/config \
&& --tls_hostname=<our_hostname> \
&& --config_refresh=300 \
&& --config_tls_accelerated_refresh=300 \
&& --config_tls_max_attempts=9999 \
&& --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
&& --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
&& --carver_start_endpoint=/api/v1/osquery/carve/begin \
&& --carver_continue_endpoint=/api/v1/osquery/carve/block" > /etc/osquery/osquery.flags.default
RUN ln -s /etc/osquery/osquery.flags.default /etc/osquery/osquery.flags
CMD ["bash"]z
zwass
04/26/2022, 4:23 PMAh, I think the issue is all the
&&p
pvirani
04/26/2022, 4:25 PMgeez good catch! Thanks Zach!
🍻 1
spoke too soon. Same error even after removing the `&&`s
will continue to debug with our SRE folks and report here once I find a solution
in case I haven't mentioned, this config works perfectly fine on our EC2 base images. It only fails on Docker for some reason.
z
zwass
04/26/2022, 6:33 PMCan you just copy the working flagfile into the container in your build?
p
pvirani
04/28/2022, 4:11 PMyeah .. Punted on it for now. I was gonna start with a clean default Ubuntu base image and run the commands manually but we mostly have the data we need so decided no point spending much time trying to get it to work just yet ... I'll keep doing it on the side in evenings if/when I have time
z
zwass
04/28/2022, 4:31 PMThe same flagfile will almost definitely work assuming the container has network connectivity. Happy to help when you get back to it.
:ty: 1
💯 1