# fleet
j
Hm, I know I've done this before -- but I'm getting a 500 when trying to `fleetctl apply -f`
it lists
fleetctl get options > options.yaml
when it should be
fleetctl get config > <filename>
l
Hi! Could you share with us the full output when running `fleetctl apply -f`?
Also this page - https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md needs a small fix
That's the old repository: https://github.com/kolide/fleet#fleet-is-retired
This is the official fleet repository: https://github.com/fleetdm/fleet
Apart from the docs in GitHub, we have: https://fleetdm.com/docs
j
oh ha - sorry about that. Google messed me up there 🙂
❯ ./fleetctl apply -f ./fleetconfig.yml
applying fleet config: apply config received status 500 forbidden: forbidden
Thanks @Lucas Rodriguez!
l
Also, please share `fleetctl`'s version. If you get a 500 you could check `fleet serve` logs.
j
❯ ./fleetctl --version
fleetctl - version 4.9.0
  branch: 	HEAD
  revision: 	3018ad0fb45f7f6422b3d12e6a9f4e17d1079420
  build date: 	2022-01-22
  build user: 	runner
  go version: 	go1.17.2
l
OK, let us know if you can get `fleet serve` logs that correspond to the 500 (anything with `level=error`)
j
Ok will do
l
`forbidden` generally means the user you are logged in as in `fleetctl` is not authorized to apply the config. But the server logs should tell us what's really going on.
j
hi @Lucas Rodriguez - I've got this
{
  "component": "http",
  "err": "forbidden",
  "internal": "Missing authorization check",
  "level": "info",
  "path": "/api/v1/fleet/config",
  "ts": "2022-01-28T14:10:40.330143989Z"
}
my config for fleetctl is using an API token and not username/pw - if that helps
l
OK, by grabbing the token from the UI and editing `~/.fleet/config`?
Also, what's the `Role` of the account? (under "My Account")
Are you able to get config? `fleetctl get config`
j
correct on the config file
My role is "Admin"
yes, I can `get config` - that's how I grabbed the config to edit, now trying to upload the revised version
l
OK, could you share the config you are trying to apply? (please do redact any sensitive information) We'll be trying to reproduce on our end.
j
I can tell you exactly what I am doing (it's very simple)
I just want to change the host decorator
so I am dumping the config and changing one line
- SELECT hostname AS hostname FROM system_info;
to
- SELECT computer_name AS hostname FROM system_info;
l
OK, that makes sense. Will open a GitHub issue. One last thing, can you confirm the version of the fleet server is also 4.9.0?
j
yes it is
I will try using a username/pw in a minute to see if that fixes it
l
{"component":"http","err":"forbidden","internal":"Missing authorization check","level":"info","path":"/api/v1/fleet/config","ts":"2022-01-28T14:10:40.330143989Z"}
Any other error logs around this? (to add to the GitHub issue.)
j
checking now
it seems I also cannot create a new user (probably same root cause)
oh nevermind - that one was because of a duplicate email address
l
Also, you mentioned you were admin, are you a global admin? as in:
Under "My Account"
(My mistake, you are probably running Fleet Free, which doesn't have Teams support 🙂)
Here it is: https://github.com/fleetdm/fleet/issues/3913, feel free to add any extra information there.
j
thx
l
Like the error logs surrounding the "Missing authorization check" error.
j
ok
also - I created that local user
(deleted my config file)
and I can `fleetctl login`
but when I get config - it wants me to log in again
❯ ./fleetctl get config
Invalid session. Please log in with: fleetctl login
running fleetctl on an m1 mac, btw
l
OK, does `fleetctl login` run successfully?
j
[+] Fleet login successful and context configured!
l
Could this be a mixture of running a local `./fleetctl` vs a system installed `fleetctl` (without `./`)?
j
oh, I'm running it with ./
./fleetctl xyz
l
Ack
j
I should try it with linux maybe
m1 strangeness maybe? haven't run into it yet, but that's not to say it couldn't happen
l
Could be, added that to the issue.
You could inspect the `~/.fleet/config` file and check if the content makes sense. (that's what `fleetctl` uses/sets)
E.g. in my test case:
contexts:
  default:
    address: https://localhost:8080
    email: lucas@fleetdm.com
    token: [...]
j
yeah, I checked that too - seems fine
rootca is blank, but it's a publicly trusted cert
l
OK, feel free to post any updates on the linked issue.
n
Hey @Jason, were you able to resolve this issue?
j
hi @Noah Talerman - I have not.... I've been stuck on another "on fire" thing and have not had a chance.
l
@Jason Whenever possible, please attach the `config.yml` you were trying to apply here or in https://github.com/fleetdm/fleet/issues/3913 (with sensitive fields redacted). We cannot seem to reproduce :/ /cc @Reed Haynes
j
Thanks Lucas - I am going to try once more and get back to you. It's possible it was our WAF, I will investigate.