I have a few question about the Vulnerability processing; 1. Will this work on a disconnected instance, with exception of the two pinholes to the links in the docs? 2. Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environmental variable) a. I have multiple instances and would like to have one dedicated to the processing and only have that one with the access to the two urls if possible. 3. Is there a way to either host those two urls internally and have fleet reference them? 4. Can those DB’s be manually ingested/placed by an admin instead of providing internet access?

Hi!

Will this work on a disconnected instance, with exception of the two pinholes to the links in the docs?

when you say instance, do you mean fleet server instance? If so, yes, once it downloads the different data sources, all the processing happens within the fleet instance

Do you enable this on only one instance, or does it need to be enabled on all of them? (via the environmental variable)

You enable them in all the instances through applying a config, we added a way to configure software inventory through config as well: https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/13-Vulnerability-Processing.md And then only one instance does the work

I have multiple instances and would like to have one dedicated to the processing and only have that one with the access to the two urls if possible. 

The instance selected for the work is dynamic, at this time it's not possible to tag a specific instance for this. If you would like that functionality added, make sure to create a feature request: https://github.com/fleetdm/fleet/issues/new?assignees=&labels=idea&template=feature-request.md&title=

Is there a way to either host those two urls internally and have fleet reference them?

Not currently, the data feeds are updated almost daily. So we need to keep them up to date.

Can those DB’s be manually ingested/placed by an admin instead of providing internet access?

That could work, yes, but not in the current iteration. Please file a feature request and we can take it from there.

Sounds good. I have an single fleet instance with 3 servers - 2 behind a load balancer and one that is an admin/reserved node. The idea is to have the admin/reserve node potentially have the access to those two urls only. Would this work with the current implementation?

it's not going to always work, because the node that checks for vulnerabilities does it so by obtaining a lock. If the instance obtaining the lock happens to be one of the two behind the LB, then it won't work

Fair enough. How often will it try, and is it a round robin type of thing?

it gets or refreshes the lock once an hour, basically, whichever instance wins is the one to make the vulnerability check at that point

Fair enough. So in that instance, it would work on average every 3 hours - in a perfect world.

not sure I follow, why every 3 hours?

2 are not internet facing, and one would be. So 1/3. 🙂

oh, right

As the primary pre-processed DB is updated daily, the law of averages would indicate that it would work at least one to two times a day at a minimum, pulling the data in.

the preprocessed db is updated once a day, but the CVE data feeds might be updated more often

That makes sense.