jby

11/03/2021, 2:07 PM
I just tried to start over with `osquery-in-a-box`, but one of the docker containers just crashes immediately after start…
docker logs fleet-preview-server_fleet02_1
panic: unreachable
goroutine 1 [running]:
github.com/fleetdm/goose.(*Client).GetDBVersion(0xc00003c300, 0xc0005c81a0, 0x0, 0x0, 0x0)
        github.com/fleetdm/goose@v0.0.0-20210209032905-c3c01484bacb/migrate.go:208 +0x348
github.com/fleetdm/fleet/v4/server/datastore/mysql.(*Datastore).MigrationStatus(0xc0000d5680, 0x1b08370, 0xc0000bc068, 0xc, 0xc000040015, 0x5)
        github.com/fleetdm/fleet/v4/server/datastore/mysql/mysql.go:296 +0x8c
main.createPrepareCmd.func2(0xc0000de840, 0xc0004fbc10, 0x0, 0x1)
        github.com/fleetdm/fleet/v4/cmd/fleet/prepare.go:50 +0x1af
github.com/spf13/cobra.(*Command).execute(0xc0000de840, 0xc0004fbc00, 0x1, 0x1, 0xc0000de840, 0xc0004fbc00)
        github.com/spf13/cobra@v1.1.1/command.go:854 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000df340, 0xc00063ff58, 0x1, 0x1)
        github.com/spf13/cobra@v1.1.1/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.1.1/command.go:895
main.main()
        github.com/fleetdm/fleet/v4/cmd/fleet/main.go:29 +0x1d3

Luke Heath

11/03/2021, 3:36 PM
Hello! Happy to help you troubleshoot. It may be worth clearing out your docker environment to make sure you're getting a clean start: `docker-compose down` then `docker system prune --volumes` then `docker-compose up`.

jby

11/03/2021, 3:38 PM
I'm AFK at the moment. I've done all that during my tests during the day

Luke Heath

11/03/2021, 3:38 PM
You may also want to update to the latest version of `fleetctl`: https://fleetdm.com/get-started and use `fleetctl preview` for your build instead. It uses `osquery-in-a-box` under the hood, but provides more functionality and control.
Is there a reason you are choosing to use `osquery-in-a-box` directly?

jby

11/03/2021, 3:39 PM
I've tried it before

Luke Heath

11/03/2021, 3:40 PM
Were you running into the same issues with that?

jby

11/03/2021, 3:41 PM
It's convenient without having to set up DB and redis manually
No I didn't have the same issues then
I'll be back at my keyboard in about half an hour
I’m going to be AFK a bit longer, but I can tell you I’d love to try the setup from here instead: https://fleetdm.com/docs/deploying/installation - although it is a bit gruesome to set up MySQL and redis manually…
I'd have no problem with the hassle for a production setup, but for a demo/PoC for management and ITsec I'd rather not do it

Luke Heath

11/03/2021, 4:19 PM
Thanks for the feedback. I'll share with the team. Let me discuss with them and see if there are any tips to make this easier for you.
A couple of ideas...
1. If you need to deploy to AWS, we have an example Terraform repo that can help: https://github.com/fleetdm/fleet/tree/main/tools/terraform
2. If you're okay running the demo/PoC locally, you could stand up `fleetctl preview` on your machine and expose it via something like ngrok: https://ngrok.com/
3. Consider running Fleet on render.com. https://github.com/edwardsb/fleet-on-render/blob/main/render.yaml will stand up a completely working fleet instance on render in about 3-5 minutes.

jby

11/03/2021, 4:49 PM
I really have to set it up on-prem, so all cloud-solutions are out

Luke Heath

11/03/2021, 4:49 PM
Gotcha
That rules out 1 and 3
ngrok might be a viable option, except you may run into certificate issues...

jby

11/03/2021, 4:50 PM
But doesn’t `fleetctl preview` require MySQL and redis?

Luke Heath

11/03/2021, 4:50 PM
Yes, it does. You wouldn't be able to use your own instances, but you could modify the ones `fleetctl preview` provides.

jby

11/03/2021, 4:50 PM
Ngrok IS an issue:
So, does `fleetctl preview` set up MySQL and redis as well?

Benjamin Edwards

11/03/2021, 4:51 PM
Yes

jby

11/03/2021, 4:52 PM
So, kind of similar to osquery-in-a-box then?
So what are the requirements for me to run `fleetctl preview` then? npm? docker?

Luke Heath

11/03/2021, 4:56 PM
Yes, `fleetctl preview` runs `osquery-in-a-box` under the hood, and provides other helpful functionality
To run `fleetctl preview` you need to have Docker installed
This is what the default `fleetctl preview` docker instances will look like:
CONTAINER ID   IMAGE                              COMMAND                  CREATED          STATUS          PORTS                               NAMES
fd61d6341794   dactiv/osquery:4.5.1-ubuntu16.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu16-osquery-1
7935bfcb8871   dactiv/osquery:4.5.1-ubuntu14.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu14-osquery-1
efce9d727e87   dactiv/osquery:4.5.1-centos6       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos6-osquery-1
14dc3de0acdf   dactiv/osquery:4.5.1-ubuntu18.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu18-osquery-1
d4e9ce15eec5   dactiv/osquery:4.5.1-centos8       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos8-osquery-1
b7160c76bda0   dactiv/osquery:4.5.1-centos7       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos7-osquery-1
bdfe2961d612   dactiv/osquery:4.5.1-ubuntu20.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu20-osquery-1
01446d708fdd   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   8 seconds ago    Up 7 seconds    0.0.0.0:1337->1337/tcp              fleet-preview-server-fleet02-1
32e4d80634a4   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   34 seconds ago   Up 32 seconds   0.0.0.0:8412->8412/tcp              fleet-preview-server-fleet01-1
c69a15ae6517   mysql:5.7                          "docker-entrypoint.s…"   34 seconds ago   Up 33 seconds   33060/tcp, 0.0.0.0:3308->3306/tcp   fleet-preview-server-mysql01-1
4bf61565a4aa   redis:6                            "docker-entrypoint.s…"   7 days ago       Up 33 seconds   6379/tcp                            fleet-preview-server-redis01-1

jby

11/03/2021, 4:57 PM
Ok, and how do I get `fleetctl` on my Linux-server then?

Luke Heath

11/03/2021, 4:58 PM
Yes using `npm`

jby

11/03/2021, 4:59 PM
Ok, I’ll try that then. Would I be able to get osquery-data from actual clients into a preview-instance?

Benjamin Edwards

11/03/2021, 5:00 PM
You should only be using fleetctl preview. It mechanizes osquery-in-a-box and abstracts the complexity away.

jby

11/03/2021, 5:00 PM
Hmm, it fails…
npm install -g fleetctl
/usr/bin/fleetctl -> /usr/lib/node_modules/fleetctl/run.js
/usr/lib
└─┬ fleetctl@4.5.0
  ├─┬ axios@0.21.4
  │ └── follow-redirects@1.14.5
  ├─┬ rimraf@3.0.2
  │ └─┬ glob@7.2.0
  │   ├── fs.realpath@1.0.0
  │   ├─┬ inflight@1.0.6
  │   │ └── wrappy@1.0.2
  │   ├── inherits@2.0.4
  │   ├─┬ minimatch@3.0.4
  │   │ └─┬ brace-expansion@1.1.11
  │   │   ├── balanced-match@1.0.2
  │   │   └── concat-map@0.0.1
  │   ├── once@1.4.0
  │   └── path-is-absolute@1.0.1
  └─┬ tar@6.1.11
    ├── chownr@2.0.0
    ├── fs-minipass@2.1.0
    ├── minipass@3.1.5
    ├── minizlib@2.1.2
    ├── mkdirp@1.0.4
    └── yallist@4.0.0
fleetctl preview
/usr/lib/node_modules/fleetctl/run.js:43
const install = async () => {
                      ^

SyntaxError: Unexpected token (
    at createScript (vm.js:56:10)
    at Object.runInThisContext (vm.js:97:10)
    at Module._compile (module.js:549:28)
    at Object.Module._extensions..js (module.js:586:10)
    at Module.load (module.js:494:32)
    at tryModuleLoad (module.js:453:12)
    at Function.Module._load (module.js:445:3)
    at Module.runMain (module.js:611:10)
    at run (bootstrap_node.js:394:7)
    at startup (bootstrap_node.js:160:9)

Benjamin Edwards

11/03/2021, 5:01 PM
What version of nodejs do you have installed?

jby

11/03/2021, 5:02 PM
nodejs-6.17.1-1.el7.x86_64
What version is required - and why wouldn’t that version be mentioned in the documentation?
Ok, I updated to v12 of nodejs, but got another error:
fleetctl preview
Installing fleetctl v4.5.0...
Install completed.
Downloading dependencies from production into /root/.fleet/preview...
Pulling Docker dependencies...
The FLEET_LICENSE_KEY variable is not set. Defaulting to a blank string.
Pulling mysql01 ... error
Pulling redis01 ... done
Pulling fleet01 ... error
Pulling fleet02 ... error

ERROR: for fleet01  Impossible to perform platform-targeted pulls for API version < 1.35

ERROR: for mysql01  Impossible to perform platform-targeted pulls for API version < 1.35

ERROR: for fleet02  Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35

Failed to run docker-compose

Luke Heath

11/03/2021, 5:19 PM
Taking a look at this, will be with you shortly.

jby

11/03/2021, 5:19 PM
It appears that I have too old a docker version - upgrading now
Oh, how I love it when this happens… :meep_frustrated:
Loaded plugins: product-id, search-disabled-repos, subscription-manager, versionlock

This system is not registered with an entitlement server. You can use subscription-manager to register.

https://download.docker.com/linux/rhel/7Server/x86_64/stable/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.

https://download.docker.com/linux/rhel/7Server/x86_64/stable/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
Oh, well - I’ll try more tomorrow. It’s almost 6:30pm here now and I need to have dinner with the family

Luke Heath

11/03/2021, 5:32 PM
I'll keep looking into this and will add any thoughts to this thread.

jby

11/03/2021, 5:32 PM
👍

Luke Heath

11/03/2021, 5:33 PM
Although at this point it looks like it's just Redhat blocking the server.

jby

11/03/2021, 5:34 PM
Nope the directory that ought to contain the rpms at docker is empty...

Luke Heath

11/03/2021, 5:34 PM
D'oh!

jby

11/03/2021, 5:34 PM
Yeah

Luke Heath

11/03/2021, 5:35 PM
I'll see if I can find anything helpful.

jby

11/03/2021, 7:15 PM

Luke Heath

11/03/2021, 7:23 PM
Sounds like you're blocked by Docker for the time being. Please let me know how it goes, and if there's anything else I can assist with.

jby

11/03/2021, 8:01 PM
Will do
Ok, finally found this:
Adding the CentOS repo does solve it
l

Luke Heath

11/04/2021, 9:06 PM
Great, glad you got it solved!