https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
j

jby

12/01/2021, 10:53 AM
So, if I’m running fleetctl preview and the preview is updated (don’t know if it ever is), can I somehow easily update it?
r

Rachel Perkins

12/01/2021, 3:40 PM
Hiya, you can check which version of fleet you're running on the bottom right of the My Account page or with 
npm view fleetctl version
We're on 4.6.1 but feel free to update if you're not!
j

jby

12/01/2021, 3:53 PM
So, how do I update then?
Feel free to point me to any documentation that I’ve neglected to read
Can I upgrade with the data in the system intact - including the enrollment secret?
r

Rachel Perkins

12/01/2021, 4:58 PM
Ok sweet, yeah, I just smoke tested by downgrading to 4.5.0, created a query, upgraded to 4.6.1 and it was still there
If you just run 
fleetctl preview
, it should automatically upgrade to 4.6.1
j

jby

12/01/2021, 5:00 PM
Great, I'll test tomorrow - it's 6pm here noe
r

Rachel Perkins

12/01/2021, 5:00 PM
Enjoy your evening!
I'm going to go ahead and file an issue to document this
Sorry, run 
fleetctl --version
instead of 
npm view fleetctl version
j

jby

12/01/2021, 5:12 PM
Do you really mean that I'm to run the preview command again in a running environment?
r

Rachel Perkins

12/01/2021, 5:42 PM
You can run 
fleetctl preview stop
first if you'd like, but it works without it
j

jby

12/01/2021, 5:45 PM
Ok, I’ll test tomorrow morning, and since I have a puppy that wants to go out early you might still be working when I start tomorrow… 😉
😅 1
🐶 1
So, I ran the 
fleetctl preview
and now I can’t login anymore… 😞
Ok, I got in with the 
<mailto:admin@example.com|admin@example.com>
user, but all my data from before the 
upgrade
seems to be gone… 😞
So, I ended up with an empty fleet instance with a new enroll secret and a new certificate… 😞
@Rachel Perkins?
r

Rachel Perkins

12/03/2021, 3:41 PM
So sorry this got buried!
That's weird because the most recent 
fleetctl preview
automatically logs you in
Let me loop in @Lucas Rodriguez a BE engineer and see if he knows what could've happened. We both smoked tested this
j

jby

12/03/2021, 4:13 PM
No users, no hosts, no data (not even any example data), new certificate and new enrollment secret was my result of running 
fleetctl preview
“on top” of the one I already had running…
l

Lucas Rodriguez

12/03/2021, 4:16 PM
Hi folks, will take a look at this soon and get back to you.
ty 1
j

jby

12/03/2021, 4:17 PM
👍
Oh, it's after 5pm Friday here so don't expect me to do anything else until Monday morning
BTW, these are the stdout-logs from when I ran 
fleetctl preview
to upgrade the existing, running preview that I had:
Copy code
Downloading dependencies from production into /root/.fleet/preview...
Pulling Docker dependencies...
Starting Docker containers...
Waiting for server to start up...
Initializing server...
Configured fleetctl in the 'preview' context to avoid overwriting existing config.
Loading standard query library...
Applying Policies...
Fleet will now enroll your device and log you into the UI automatically.
You can also open the UI at this URL: <http://localhost:1337/previewlogin>.
Email: <mailto:admin@example.com|admin@example.com>
Password: admin123#
Downloading Orbit and osqueryd...
Orbit is already running.
Waiting for current host to enroll...
wait for current host: checking host count: no hosts yet
l

Lucas Rodriguez

12/06/2021, 7:51 PM
@jby Can you look for the following docker volume: 
docker volume list | grep preview
In my case I get 
local     fleet-preview-server_data01
after running 
preview
j

jby

12/06/2021, 7:52 PM
Copy code
docker volume list
DRIVER    VOLUME NAME
local     34a78f9c63dc93fc533c362a5c00f04ffa2b43cfc555062ad2ca979a18fa4f4c
local     625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4
local     fleet-preview-server_data01
And:
Copy code
docker ps -a
CONTAINER ID   IMAGE                              COMMAND                  CREATED       STATUS       PORTS                                                  NAMES
88b39d78b8d7   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   4 days ago    Up 4 days    0.0.0.0:1337->1337/tcp, :::1337->1337/tcp              fleet-preview-server_fleet02_1
878d60386228   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   4 days ago    Up 4 days    0.0.0.0:8412->8412/tcp, :::8412->8412/tcp              fleet-preview-server_fleet01_1
b52496386962   mysql:5.7                          "docker-entrypoint.s…"   4 days ago    Up 4 days    33060/tcp, 0.0.0.0:3308->3306/tcp, :::3308->3306/tcp   fleet-preview-server_mysql01_1
d42f75ce59ee   redis:6                            "docker-entrypoint.s…"   4 days ago    Up 4 days    6379/tcp                                               fleet-preview-server_redis01_1
ac4363885609   dactiv/osquery:4.5.1-centos6       "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_centos6-osquery_1
393ee09aa659   dactiv/osquery:4.5.1-ubuntu18.04   "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_ubuntu18-osquery_1
b6e3aa740d4f   dactiv/osquery:4.5.1-centos7       "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_centos7-osquery_1
a2a4763bab36   dactiv/osquery:4.5.1-ubuntu16.04   "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_ubuntu16-osquery_1
bc112570d19b   dactiv/osquery:4.5.1-ubuntu14.04   "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_ubuntu14-osquery_1
9ee8c3357bb8   dactiv/osquery:4.5.1-centos8       "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_centos8-osquery_1
66b70a2e1d48   dactiv/osquery:4.5.1-ubuntu20.04   "osqueryd --flagfile…"   4 weeks ago   Up 4 weeks                                                          fleet-preview-devices_ubuntu20-osquery_1
From that output it would seem I have multiple previews running…
Or maybe I’m looking crooked here, sorry
l

Lucas Rodriguez

12/06/2021, 7:56 PM
That last output looks ok, 
preview
starts a set of simulated hosts so that people can start testing running queries etc with N > 1 hosts.
Regarding the volume command: It's possible 
fleet-preview-server_data01
is the new volume that started from scratch with no data (your current run) and one of the other two is the volume with the old data?
j

jby

12/06/2021, 7:58 PM
Ok, the simulated hosts have not provided any data into my new preview either though…
This is my dashboard 5 days after starting the updated preview:
The 
fleet-preview-server_data01
volume is since I started my first preview:
Copy code
# docker volume inspect fleet-preview-server_data01
[
    {
        "CreatedAt": "2021-11-04T05:59:38Z",
        "Driver": "local",
        "Labels": {
            "com.docker.compose.project": "fleet-preview-server",
            "com.docker.compose.version": "1.27.4",
            "com.docker.compose.volume": "data01"
        },
        "Mountpoint": "/var/lib/docker/volumes/fleet-preview-server_data01/_data",
        "Name": "fleet-preview-server_data01",
        "Options": null,
        "Scope": "local"
    }
]
The other two seems to have been created at login(from looking at the timestamp of 
CreatedAt
, my login after running 
fleetctl preview
last week:
Copy code
docker volume inspect 34a78f9c63dc93fc533c362a5c00f04ffa2b43cfc555062ad2ca979a18fa4f4c
[
    {
        "CreatedAt": "2021-12-02T06:44:22Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/34a78f9c63dc93fc533c362a5c00f04ffa2b43cfc555062ad2ca979a18fa4f4c/_data",
        "Name": "34a78f9c63dc93fc533c362a5c00f04ffa2b43cfc555062ad2ca979a18fa4f4c",
        "Options": null,
        "Scope": "local"
    }
]
And my login now:
Copy code
docker volume inspect 625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4
[
    {
        "CreatedAt": "2021-12-06T19:59:04Z",
        "Driver": "local",
        "Labels": null,
        "Mountpoint": "/var/lib/docker/volumes/625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4/_data",
        "Name": "625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4",
        "Options": null,
        "Scope": "local"
    }
]
l

Lucas Rodriguez

12/06/2021, 8:20 PM
OK, one option is running 1. 
preview stop
2. remove the new empty volume, 3. run 
preview
again and see if that uses the old volume.
j

jby

12/06/2021, 8:22 PM
Copy code
docker volume rm 625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4
Error response from daemon: remove 625e94d725d58ea087bcee640687433cb40f58daed0a3ae8714afd6aed4bbfc4: volume is in use - [d42f75ce59ee4d887c26097a4afa2939ee82aad99bf704fb2b10dd8b5bb47e9c]
l

Lucas Rodriguez

12/06/2021, 8:23 PM
Maybe that's not even a fleet volume.
j

jby

12/06/2021, 8:23 PM
I’m not running anything else in docker in that host
l

Lucas Rodriguez

12/06/2021, 8:23 PM
Also, any reason you are using preview instead of deploying fleet? (Mostly asking because preview is just made for demo purposes.) See https://fleetdm.com/docs/deploying#deployment
j

jby

12/06/2021, 8:24 PM
POC and testing
And the simplicity of docker
To see if it’s something we should put into production
And me not being comfortable to configure the relationships between docker containers (fleet, db, redis, persistent disk storage) myself
And also, I’m lazy busy doing other things - this sets everything up with one command… 😁
l

Lucas Rodriguez

12/06/2021, 9:05 PM
OK, one volume is probably one used by the fleet server. So we shouldn't delete it.
Can you provide fleet server logs?
docker logs $container_id_of_fleetdm/fleet
(
docker ps
).
j

jby

12/06/2021, 9:50 PM
Which one? The one running on port 8412 or the one running on port 1337?
Copy code
3dc39fc12db2   fleetdm/fleet:latest                "sh -c '/usr/bin/fle…"   About an hour ago   Up About an hour   0.0.0.0:8412->8412/tcp, :::8412->8412/tcp              fleet-preview-server_fleet01_1
dd454af52c6c   mysql:5.7                           "docker-entrypoint.s…"   About an hour ago   Up About an hour   33060/tcp, 0.0.0.0:3308->3306/tcp, :::3308->3306/tcp   fleet-preview-server_mysql01_1
75d2cc6a59ed   redis:6                             "docker-entrypoint.s…"   About an hour ago   Up About an hour   6379/tcp                                               fleet-preview-server_redis01_1
88b39d78b8d7   fleetdm/fleet:latest                "sh -c '/usr/bin/fle…"   4 days ago          Up About an hour   0.0.0.0:1337->1337/tcp, :::1337->1337/tcp              fleet-preview-server_fleet02_1
I’m off to bed now, it’s almost 11pm here
So, @Lucas Rodriguez - which fleetdm/fleet container do you wants logs from (see output from docker ps above)
l

Lucas Rodriguez

12/07/2021, 5:30 PM
Both, if possible.
j

jby

12/07/2021, 5:35 PM
Hmm, looking at multiple pages of logs I went to the dashboard and realised that the restart last night seem to have cleaned everything up and it found the persistent storage again. It’s back
I’m rebuilding my orbit-packages with the original enrollment secret now
l

Lucas Rodriguez

12/07/2021, 5:41 PM
OK, glad it's working again!, if you plan to continue using fleet we suggest a proper deployment 🙂 https://fleetdm.com/docs/deploying#deployment
j

jby

12/07/2021, 5:42 PM
Yes, I wont run this preview in production - it’s still eval
👍 1
I was wrong, it started with the new example data, not with the old data…
So, a recap: • I installed and ran 
fleetctl preview
and to an instance running, created a couple of users and created pkgs and installed on a couple of Macs and a couple of Linux clients. It worked great. • I thought I’d upgrade to newer versinos - asked here and got the info that re-running 
fleetctl preview
would upgrade what I had, and keep the data intact. • Re-ran the 
fleetctl preview
got a totally empty instance, no example data, and none of my old data in it, and no users. • Restarted (
fleetctl preview stop
followed by 
fleetctl preview
- this seems to have re-provisioned the instance with example data but still no sign of the data from my clients and my users are gone again…
Any further tips on this @Lucas Rodriguez or @Rachel Perkins?
Or am I at the end of the road with the preview and should setup a more permanent installation instead?
l

Lucas Rodriguez

12/08/2021, 4:27 PM
Hard to know what's going on. One last try would be (if containers are running), use mysql client to connect to the mysql container:
Copy code
mysql --host=127.0.0.1 --port=3308 --user=root --password

# password is toor
And check if your data is there running:
Copy code
select * from fleet.hosts;
Then check if the mysql container is using the one data volume in your system, if it is using it then it may have been overwritten accidentally or by 
fleetctl preview
. (We haven't gotten any reports about this yet.) @zwass Do you happen to know if 
fleetctl preview
could accidentally override a previous preview mysql volume? See https://osquery.slack.com/archives/C01DXJL16D8/p1638900269318900?thread_ts=1638356010.214300&amp;cid=C01DXJL16D8
z

zwass

12/08/2021, 4:30 PM
fleetctl preview reset
would clear out all the data -- additionally any change to the Docker installation could do this. If you find yourself creating multiple users and attaching multiple other hosts that you want to keep in there for an extended period of time I think you probably have outgrown preview and would want to set up a "real" environment (even if it's just on something like render.com: https://blog.fleetdm.com/deploying-fleet-on-render-2d743aed213f)
j

jby

12/08/2021, 4:31 PM
Yeah, my ITSec-guy is not too hot on sending this kind of data to the cloud…
I had created 2 users and added 5 real hosts just to be able to look att some real data and not just the example data that’s included
So, are you just going to leave me hanging here? @Rachel Perkins @Lucas Rodriguez
z

zwass

12/21/2021, 5:55 AM
Hi Jonas, I looked back through the last few messages in this thread and it's not clear what follow up you are asking for here. We always try to help community members get the most out of Fleet, but the team is also very busy with development work. If you have additional questions, please ask in this thread or a new one and our team and the community will provide assistance on a best-effort basis.
j

jby

12/21/2021, 6:27 AM
I initially asked how to upgrade the preview and was told it would upgrade “in-place” if I just re-ran the 
fleetctl preview
command. I specifically asked if that would affect the data in my running instance and was told it wouldn’t. I followed the given instructions and ended up without both my previous data and the example data. I found the docker container with my data and thought that I’d get help re-connecting that to the new preview instance - then just silence
I was just perplexed about, perhaps a misunderstanding from my side, that someone was actually looking into this and would get back to me with some help, and nothing but silence from your end. I understand that you’re busy with development, but I was led to believe that I would get more help
And - I’m pushing this to help you with similar situations in the future. If you now realise that a preview can’t be upgraded, then noone else would have to end up like me, especially not after asking about it explicitly…
29 Views
Powered by