Jason

01/28/2022, 1:37 PM
Hm, I know I've done this before -- but I'm getting a 500 when trying to `fleetctl apply -f`
it lists `fleetctl get options > options.yaml` when it should be `fleetctl get config > <filename>`

Lucas Rodriguez

01/28/2022, 2:03 PM
Hi! Could you share with us the full output when running `fleetctl apply -f`?
Also this page - https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md needs a small fix
That's the old repository: https://github.com/kolide/fleet#fleet-is-retired This is the official fleet repository: https://github.com/fleetdm/fleet
Apart from the docs in GitHub, we have: https://fleetdm.com/docs

Jason

01/28/2022, 2:10 PM
oh ha - sorry about that. Google messed me up there 🙂
❯ ./fleetctl apply -f ./fleetconfig.yml
applying fleet config: apply config received status 500 forbidden: forbidden
Thanks @Lucas Rodriguez!

Lucas Rodriguez

01/28/2022, 2:11 PM
Also, please share `fleetctl`'s version. If you get a 500 you could check `fleet serve` logs.

Jason

01/28/2022, 2:12 PM
❯ ./fleetctl --version
fleetctl - version 4.9.0
  branch: 	HEAD
  revision: 	3018ad0fb45f7f6422b3d12e6a9f4e17d1079420
  build date: 	2022-01-22
  build user: 	runner
  go version: 	go1.17.2

Lucas Rodriguez

01/28/2022, 2:15 PM
OK, let us know if you can get `fleet serve` logs that correspond to the 500 (anything with `level=error`)

Jason

01/28/2022, 2:37 PM
Ok will do

Lucas Rodriguez

01/28/2022, 2:39 PM
`forbidden` generally means the user you are logged in as in `fleetctl` is not authorized to apply the config. But the server logs should tell us what's really going on.

Jason

01/28/2022, 2:58 PM
hi @Lucas Rodriguez - I've got this
{
  "component": "http",
  "err": "forbidden",
  "internal": "Missing authorization check",
  "level": "info",
  "path": "/api/v1/fleet/config",
  "ts": "2022-01-28T14:10:40.330143989Z"
}
my config for fleetctl is using an API token and not username/pw - if that helps

Lucas Rodriguez

01/28/2022, 3:02 PM
OK, by grabbing the token from the UI and editing `~/.fleet/config`?
Also, what's the `Role` of the account? (under "My Account")
Are you able to get config? `fleetctl get config`

Jason

01/28/2022, 3:08 PM
correct on the config file
My role is "Admin"
yes, I can `get config` - that's how I grabbed the config to edit, now trying to upload the revised version

Lucas Rodriguez

01/28/2022, 3:17 PM
OK, could you share the config you are trying to apply? (please do redact any sensitive information) We'll be trying to reproduce on our end.

Jason

01/28/2022, 3:20 PM
I can tell you exactly what I am doing (it's very simple)
I just want to change the host decorator
so I am dumping the config and changing one line
- SELECT hostname AS hostname FROM system_info;
to
- SELECT computer_name AS hostname FROM system_info;

Lucas Rodriguez

01/28/2022, 3:22 PM
OK, that makes sense. Will open a GitHub issue. One last thing, can you confirm the version of the fleet server is also 4.9.0?

Jason

01/28/2022, 3:22 PM
yes it is
I will try using a username/pw in a minute to see if that fixes it

Lucas Rodriguez

01/28/2022, 3:24 PM
{"component":"http","err":"forbidden","internal":"Missing authorization check","level":"info","path":"/api/v1/fleet/config","ts":"2022-01-28T14:10:40.330143989Z"}
Any other error logs around this? (to add to the GitHub issue.)
Also, you mentioned you were admin, are you a global admin? as in:

Jason

01/28/2022, 3:27 PM
checking now

Lucas Rodriguez

01/28/2022, 3:27 PM

Jason

01/28/2022, 3:27 PM
it seems I also cannot create a new user (probably same root cause)
oh nevermind - that one was because of a duplicate email address

Lucas Rodriguez

01/28/2022, 3:31 PM
Also, you mentioned you were admin, are you a global admin? as in:
Under "My Account"
(My mistake, you are probably running Fleet Free, which doesn't have Teams support 🙂)
Here it is: https://github.com/fleetdm/fleet/issues/3913, feel free to add any extra information there.

Jason

01/28/2022, 3:32 PM
thx

Lucas Rodriguez

01/28/2022, 3:33 PM
Like the error logs surrounding the "Missing authorization check" error.

Jason

01/28/2022, 3:33 PM
ok
also - I created that local user
(deleted my config file)
and I can `fleetctl login`
but when I get config - it wants me to log in again
❯ ./fleetctl get config
Invalid session. Please log in with: fleetctl login
running fleetctl on an m1 mac, btw

Lucas Rodriguez

01/28/2022, 3:34 PM
OK, does `fleetctl login` run successfully?

Jason

01/28/2022, 3:36 PM
[+] Fleet login successful and context configured!

Lucas Rodriguez

01/28/2022, 3:37 PM
Could this be a mixture of running a local `./fleetctl` vs a system installed `fleetctl` (without `./`)?

Jason

01/28/2022, 3:37 PM
oh, I'm running it with ./
./fleetctl xyz

Lucas Rodriguez

01/28/2022, 3:38 PM
Ack

Jason

01/28/2022, 3:38 PM
I should try it with linux maybe
m1 strangeness maybe? haven't run into it yet, but that's not to say it couldn't happen

Lucas Rodriguez

01/28/2022, 3:38 PM
Could be, added that to the issue.
You could inspect the `~/.fleet/config` file and check if the content makes sense. (that's what `fleetctl` uses/sets)
E.g. in my test case:
contexts:
  default:
    address: https://localhost:8080
    email: lucas@fleetdm.com
    token: [...]

Jason

01/28/2022, 3:51 PM
yeah, I checked that too - seems fine
rootca is blank, but it's a publicly trusted cert

Lucas Rodriguez

01/28/2022, 5:21 PM
OK, feel free to post any updates on the linked issue.

Noah Talerman

02/02/2022, 2:36 PM
Hey @Jason, were you able to resolve this issue?

Jason

02/02/2022, 10:07 PM
hi @Noah Talerman - I have not.... I've been stuck on another "on fire" thing and have not had a chance.

Lucas Rodriguez

02/04/2022, 6:05 PM
@Jason Whenever possible, please attach the `config.yml` you were trying to apply here or in https://github.com/fleetdm/fleet/issues/3913 (with sensitive fields redacted). We cannot seem to reproduce :/ /cc @Reed Haynes

Jason

02/04/2022, 6:30 PM
Thanks Lucas - I am going to try once more and get back to you. It's possible it was our WAF, I will investigate.