I just tried to start over with `osquery-in-a-box`...
# fleet
j
I just tried to start over with `osquery-in-a-box`, but one of the docker containers just crashes immediately after start…
```
docker logs fleet-preview-server_fleet02_1
panic: unreachable
goroutine 1 [running]:
github.com/fleetdm/goose.(*Client).GetDBVersion(0xc00003c300, 0xc0005c81a0, 0x0, 0x0, 0x0)
        github.com/fleetdm/goose@v0.0.0-20210209032905-c3c01484bacb/migrate.go:208 +0x348
github.com/fleetdm/fleet/v4/server/datastore/mysql.(*Datastore).MigrationStatus(0xc0000d5680, 0x1b08370, 0xc0000bc068, 0xc, 0xc000040015, 0x5)
        github.com/fleetdm/fleet/v4/server/datastore/mysql/mysql.go:296 +0x8c
main.createPrepareCmd.func2(0xc0000de840, 0xc0004fbc10, 0x0, 0x1)
        github.com/fleetdm/fleet/v4/cmd/fleet/prepare.go:50 +0x1af
github.com/spf13/cobra.(*Command).execute(0xc0000de840, 0xc0004fbc00, 0x1, 0x1, 0xc0000de840, 0xc0004fbc00)
        github.com/spf13/cobra@v1.1.1/command.go:854 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0xc0000df340, 0xc00063ff58, 0x1, 0x1)
        github.com/spf13/cobra@v1.1.1/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        github.com/spf13/cobra@v1.1.1/command.go:895
main.main()
        github.com/fleetdm/fleet/v4/cmd/fleet/main.go:29 +0x1d3
```
l
Hello! Happy to help you troubleshoot. It may be worth clearing out your docker environment to make sure you're getting a clean start: `docker-compose down` then `docker system prune --volumes` then `docker-compose up`.
j
I'm AFK at the moment. I've done all that during my tests during the day
l
You may also want to update to the latest version of `fleetctl`: https://fleetdm.com/get-started and use `fleetctl preview` for your build instead. It uses `osquery-in-a-box` under the hood, but provides more functionality and control.
Is there a reason you are choosing to use `osquery-in-a-box` directly?
j
I've tried it before
l
Were you running into the same issues with that?
j
It's convenient without having to set up DB and redis manually
No I didn't have the same issues then
I'll be back at my keyboard in about half an hour
I’m going to be AFK a bit longer, but I can tell you I’d love to try the setup from here instead: https://fleetdm.com/docs/deploying/installation - although it is a bit gruesome to set up MySQL and redis manually…
I'd have no problem with the hassle for a production setup, but for a demo/PoC for management and ITsec I'd rather not do it
l
Thanks for the feedback. I'll share with the team. Let me discuss with them and see if there are any tips to make this easier for you.
A couple of ideas...
1. If you need to deploy to AWS, we have an example Terraform repo that can help: https://github.com/fleetdm/fleet/tree/main/tools/terraform
2. If you're okay running the demo/PoC locally, you could stand up `fleetctl preview` on your machine and expose it via something like ngrok: https://ngrok.com/
3. Consider running Fleet on render.com. https://github.com/edwardsb/fleet-on-render/blob/main/render.yaml will stand up a completely working fleet instance on render in about 3-5 minutes.
j
I really have to set it up on-prem, so all cloud-solutions are out
l
Gotcha
That rules out 1 and 3
ngrok might be a viable option, except you may run into certificate issues...
j
But doesn’t `fleetctl preview` require MySQL and redis?
l
Yes, it does. You wouldn't be able to use your own instances, but you could modify the ones `fleetctl preview` provides.
j
Ngrok IS an issue:
So, does `fleetctl preview` set up MySQL and redis as well?
b
Yes
j
So, kind of similar to osquery-in-a-box then?
So what are the requirements for me to run `fleetctl preview` then? npm? docker?
l
Yes, `fleetctl preview` runs `osquery-in-a-box` under the hood, and provides other helpful functionality
To run `fleetctl preview` you need to have Docker installed
This is what the default `fleetctl preview` docker instances will look like:
```
CONTAINER ID   IMAGE                              COMMAND                  CREATED          STATUS          PORTS                               NAMES
fd61d6341794   dactiv/osquery:4.5.1-ubuntu16.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu16-osquery-1
7935bfcb8871   dactiv/osquery:4.5.1-ubuntu14.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu14-osquery-1
efce9d727e87   dactiv/osquery:4.5.1-centos6       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos6-osquery-1
14dc3de0acdf   dactiv/osquery:4.5.1-ubuntu18.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu18-osquery-1
d4e9ce15eec5   dactiv/osquery:4.5.1-centos8       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos8-osquery-1
b7160c76bda0   dactiv/osquery:4.5.1-centos7       "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-centos7-osquery-1
bdfe2961d612   dactiv/osquery:4.5.1-ubuntu20.04   "osqueryd --flagfile…"   5 seconds ago    Up 3 seconds                                        fleet-preview-devices-ubuntu20-osquery-1
01446d708fdd   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   8 seconds ago    Up 7 seconds    0.0.0.0:1337->1337/tcp              fleet-preview-server-fleet02-1
32e4d80634a4   fleetdm/fleet:latest               "sh -c '/usr/bin/fle…"   34 seconds ago   Up 32 seconds   0.0.0.0:8412->8412/tcp              fleet-preview-server-fleet01-1
c69a15ae6517   mysql:5.7                          "docker-entrypoint.s…"   34 seconds ago   Up 33 seconds   33060/tcp, 0.0.0.0:3308->3306/tcp   fleet-preview-server-mysql01-1
4bf61565a4aa   redis:6                            "docker-entrypoint.s…"   7 days ago       Up 33 seconds   6379/tcp                            fleet-preview-server-redis01-1
```
j
Ok, and how do I get `fleetctl` on my Linux-server then?
l
Yes using `npm`
j
Ok, I’ll try that then. Would I be able to get osquery-data from actual clients in to a preview-instance?
b
You should only be using fleetctl preview. It mechanizes osquery-in-a-box and abstracts the complexity away.
j
Hmm, it fails…
```
npm install -g fleetctl
/usr/bin/fleetctl -> /usr/lib/node_modules/fleetctl/run.js
/usr/lib
└─┬ fleetctl@4.5.0
  ├─┬ axios@0.21.4
  │ └── follow-redirects@1.14.5
  ├─┬ rimraf@3.0.2
  │ └─┬ glob@7.2.0
  │   ├── fs.realpath@1.0.0
  │   ├─┬ inflight@1.0.6
  │   │ └── wrappy@1.0.2
  │   ├── inherits@2.0.4
  │   ├─┬ minimatch@3.0.4
  │   │ └─┬ brace-expansion@1.1.11
  │   │   ├── balanced-match@1.0.2
  │   │   └── concat-map@0.0.1
  │   ├── once@1.4.0
  │   └── path-is-absolute@1.0.1
  └─┬ tar@6.1.11
    ├── chownr@2.0.0
    ├── fs-minipass@2.1.0
    ├── minipass@3.1.5
    ├── minizlib@2.1.2
    ├── mkdirp@1.0.4
    └── yallist@4.0.0
```
```
fleetctl preview
/usr/lib/node_modules/fleetctl/run.js:43
const install = async () => {
                      ^

SyntaxError: Unexpected token (
    at createScript (vm.js:56:10)
    at Object.runInThisContext (vm.js:97:10)
    at Module._compile (module.js:549:28)
    at Object.Module._extensions..js (module.js:586:10)
    at Module.load (module.js:494:32)
    at tryModuleLoad (module.js:453:12)
    at Function.Module._load (module.js:445:3)
    at Module.runMain (module.js:611:10)
    at run (bootstrap_node.js:394:7)
    at startup (bootstrap_node.js:160:9)
```
b
What version of nodejs do you have installed?
j
nodejs-6.17.1-1.el7.x86_64
What version is required - and why wouldn’t that version be mentioned in the documentation?
Ok, I updated to v12 of nodejs, but got another error:
```
fleetctl preview
Installing fleetctl v4.5.0...
Install completed.
Downloading dependencies from production into /root/.fleet/preview...
Pulling Docker dependencies...
The FLEET_LICENSE_KEY variable is not set. Defaulting to a blank string.
Pulling mysql01 ... error
Pulling redis01 ... done
Pulling fleet01 ... error
Pulling fleet02 ... error

ERROR: for fleet01  Impossible to perform platform-targeted pulls for API version < 1.35

ERROR: for mysql01  Impossible to perform platform-targeted pulls for API version < 1.35

ERROR: for fleet02  Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35
Impossible to perform platform-targeted pulls for API version < 1.35

Failed to run docker-compose
```
l
Taking a look at this, will be with you shortly.
j
It appears that I have too old a docker version - upgrading now
Oh, how I love it when this happens… meep frustrated
```
Loaded plugins: product-id, search-disabled-repos, subscription-manager, versionlock

This system is not registered with an entitlement server. You can use subscription-manager to register.

https://download.docker.com/linux/rhel/7Server/x86_64/stable/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below knowledge base article

https://access.redhat.com/articles/1320623

If above article doesn't help to resolve this issue please open a ticket with Red Hat Support.

https://download.docker.com/linux/rhel/7Server/x86_64/stable/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
```
Oh, well - I’ll try more tomorrow. It’s almost 6:30pm here now and I need to have dinner with the family
l
I'll keep looking into this and will add any thoughts to this thread.
j
👍
l
Although at this point it looks like it's just Redhat blocking the server.
j
Nope the directory that ought to contain the rpms at docker is empty...
l
D'oh!
j
Yeah
l
I'll see if I can find anything helpful.
j
l
Sounds like you're blocked by Docker for the time being. Please let me know how it goes, and if there's anything else I can assist with.
j
Will do
Ok, finally found this:
Adding the CentOS repo does solve it
l
Great, glad you got it solved!