I have a few question about the Vulnerability proc...
# fleet
b
I have a few questions about the Vulnerability processing:
1. Will this work on a disconnected instance, with the exception of the two pinholes to the links in the docs?
2. Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environment variable)
   a. I have multiple instances and would like to have one dedicated to the processing and only have that one with access to the two URLs if possible.
3. Is there a way to either host those two URLs internally and have Fleet reference them?
4. Can those DBs be manually ingested/placed by an admin instead of providing internet access?
t
Hi!
Will this work on a disconnected instance, with exception of the two pinholes to the links in the docs?
When you say instance, do you mean Fleet server instance? If so, yes: once it downloads the different data sources, all the processing happens within the Fleet instance.
Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environmental variable)
You enable it in all the instances by applying a config; we added a way to configure software inventory through config as well: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md. And then only one instance does the work.
I have multiple instances and would like to have one dedicated to the processing and only have that one with access to the two URLs if possible.
The instance selected for the work is dynamic; at this time it's not possible to tag a specific instance for this. If you would like that functionality added, make sure to create a feature request: https://github.com/fleetdm/fleet/issues/new?assignees=&labels=idea&template=feature-request.md&title=
Is there a way to either host those two urls internally and have fleet reference them?
Not currently; the data feeds are updated almost daily, so we need to keep them up to date.
Can those DB’s be manually ingested/placed by an admin instead of providing internet access?
That could work, yes, but not in the current iteration. Please file a feature request and we can take it from there.
b
Sounds good. I have a single Fleet instance with 3 servers: 2 behind a load balancer and one that is an admin/reserved node. The idea is to have the admin/reserved node potentially have access to those two URLs only. Would this work with the current implementation?
I can go ahead and enable the vulnerability detection on all nodes, but only one would be able to reach out.
t
It's not always going to work, because the node that checks for vulnerabilities does so by obtaining a lock. If the instance that obtains the lock happens to be one of the two behind the LB, then it won't work.
b
Fair enough. How often will it try, and is it a round robin type of thing?
That is, if the node that tries fails, will another node try again later?
t
It gets or refreshes the lock once an hour; basically, whichever instance wins is the one that makes the vulnerability check at that point.
b
Fair enough. So in that instance, it would work on average every 3 hours, in a perfect world.
t
Not sure I follow, why every 3 hours?
b
2 are not internet-facing, and one would be. So 1/3. 🙂
t
Oh, right.
I suppose; it depends on the world and how your infra is set up. This is the first iteration, and we anticipated a lot of different use cases such as yours that we are not covering, so feature requests are very important here.
b
As the primary pre-processed DB is updated daily, the law of averages would indicate that it would work at least one to two times a day at a minimum, pulling the data in.
Fair enough; I do plan on opening feature requests.
t
The pre-processed DB is updated once a day, but the CVE data feeds might be updated more often.
b
That makes sense.