# fleet
a
After exploring fleet with `fleetctl preview` I want to install `fleet` on a public node with `docker-compose` using `traefik` to provide the `HTTPS` cert via `letsencrypt`. Is there any example / guide available which I can use as a template?
b
Wild. I was just talking about this with @Kathy Satterlee
👍 1
😁 1
k
Hi, @Andreas Piening That's actually what I'm working on now! Should be out soon, just working on sorting out the HTTPS portion,
a
That’s great to hear! What is the current issue with the `HTTPS` portion if I may ask?
Providing `HTTPS` for the `HTTP` service port should be easy I guess, but I found something related to the `SSL` certificate that needs to be exported so that the clients can use it to check the authentication against the server. Maybe I completely misunderstood this.
k
@Andreas Piening Nothing wrong with the process, just the practitioner 🙂. Both Docker and SSL are things that I am relatively unfamiliar with setting up (which made me the obvious choice to put this together because I'm going to hit all of the pain points and learn a ton).
a
k
That's exactly what my next step was, thanks! Cleaning up my repo a little and I'll send that over shortly if you'd like to take a look.
👍 1
a
Using this example config I was able to spin up a `traefik` instance with working `SSL` via `letsencrypt` in under 15 minutes.
k
Brilliant.
a
Yes @Kathy Satterlee I would love to take a look at your repo. I could give it a try and provide feedback then.
Regarding `traefik` I use a `docker-compose` project dedicated to `traefik`. I then can have multiple `docker-compose` projects and expose them with just a few labels. You can use this as an example for an HTTP-based service based on a simple `docker` container: https://github.com/cbirkenbeul/docker-homelab/blob/master/compose-files/applications/yourls/docker-compose.yaml
The relevant part for `traefik` is the `labels` section and the `networks` section, because the container that needs to be exposed must be attached to the same network that `traefik` uses. In this case it is called `traefik_proxy`.
k
Here's the repo! You're more than welcome to contribute if that's something you'd enjoy. I'd also be happy to answer any questions here or hop on a Zoom meeting,
Your timing genuinely could not have been more perfect on this.
a
Did you paste the url? I can’t see it.
k
I did not
I'd tweaked some things when I realized my previous approach wasn't working for SSL, just pushed fixes to the paths I broke.
a
Ok I’ll give it a try
`docker-com config` says: ERROR: Service ‘fleet’ depends on service ‘certs’ which is undefined.
There is in fact an option `certs` under `depends_on` for the `fleet` container. But the service is not defined.
k
Odd that it didn't err for me.
Must not have cleaned things up as well as I thought before my last test.
a
I’ve just removed the dependency and now it is starting.
🙌 1
I added traefik to the docker-compose.yml but at the moment I get an error when I access the web interface: Client sent an HTTP request to an HTTPS server.
I think `fleet` needs to be configured to serve `HTTP` while `traefik` is doing the `HTTPS` encryption.
I’ll take a look at the docs. Maybe it is enough to remove the `FLEET_SERVER_CERT` from the env.
b
yeah you would set `FLEET_SERVER_TLS=false`
💯 1
👍 1
@Andreas Piening what is the Let's Encrypt default resolver? https://doc.traefik.io/traefik/https/acme/#the-different-acme-challenges Personally I have only ever used DNS Challenge
a
It works!
I’m using tlsChallenge at the moment, this works without any additional setup but does not support wild card DNS.
b
Ok cool. Where do you keep your acme credentials?
a
I’m using `dnsChallenge` on another system where I need wildcard-DNS and it works fine with my DNS-Provider (hetzner), but many DNS APIs are supported.
b
Yeah I've used DigitalOcean successfully too with dnsChallenge
a
I’ve set the `storage` parameter in the `traefik.toml` to an `acme.json` file.
b
Ok right on. And that file is mounted into the Traefik container?
a
Exactly.
I’ve mapped a config folder like this:
`- ./config:/etc/traefik`
b
Lol I wish I found this project when I was doing this a few years ago. Figuring it out from scratch was brutal. Traefik is amazing, but it has so many configuration options it's almost overwhelming
a
YES! It can be a nightmare to dive into traefik. Agree.
😅 1
💯 1
But once it works it is super easy 😉
b
I remember when Traefik 2 came out and I had to rewrite all the tag stuff…omg. Got through it but damn.
a
LOL same here. Borked my production system and had to go back to Traefik 1 and plan the migration.
😅 1
b
Traefik 1 > 2 migration was tough. Loving Traefik 2 though. Now that it's clicked for me.
I'm so glad I'm not the only one. It made me feel stupid haha
a
Doing a clean Traefik config, starting from scratch, turned out to be easier for me instead of converting everything to the new format and missing important things
💯 1
Wow I’ve just created a `.deb` package with the command provided by the `fleet` web-ui and installed it on another system and it worked right away.
I’m surprised how easy the deployment is. I have searched for a `docker-compose` example for hours and now it is working perfectly fine. Thank you very much @Kathy Satterlee
k
That's exactly what I was going for. I'm so glad you reached out!
If you'd like to DM me your shipping info, I'd love to send a "thanks for being my guinea pig" your way.
a
I had to change a few minor things, for example I had to remove the quotes from the `default.env` files.
`FLEET_MYSQL_ADDRESS="mysql:3306"` => `FLEET_MYSQL_ADDRESS=mysql:3306`
k
I feel like docker compose treats .env files with some kind of random selection of rules it'll choose to apply to any given build
a
On my first `docker-compose up` I get an error because the variable FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=\“FLEET_SOMETHING\” was not a valid value. After removing the quotes all was fine.
Can I assist you to get your setup up and running with traefik?
k
That would be amazing, I'll send over a scheduling link so you can have my full attention.