I jumped a few fleet versions in upgrading to 3 8 0 so I hav

Question

I jumped a few fleet versions in upgrading to 3 8 0 so I have a question that might go back a few releases If clients attempt to enroll with the same host identifier they ll get rate limited enroll will fail I don t know how long but I think that s been going for a few releases My question is about what status 403 4xx 500 5xx etc codes are returned when those enrolls fail and if those status codes have changed over the last few releases

zwass · Answer

The status codes have not changed and the enrollment cooldown goes back to 3 5 0 Are you encountering some issues here

nyanshak · Answer

What is the status code for these enrollment issues

nyanshak · Answer

I wouldn t say I m having issues around this per se My understanding correct me if I m wrong is that before 3 5 0 there was still an issue with conflicts happening if there were multiple hosts with the same identifier enrolling but that 3 5 0+ made the issue visible Is that correct ^

zwass · Answer

That should return a 401

zwass · Answer

Before 3 5 0 if there were multiple hosts using the same identifier they were likely to be successfully enrolling each attempt but then overwriting each other s node keys since they appear to be the same host to Fleet yet the node key is invalidated due to a new successful enrollment After 3 5 0 they are rate limited in how often they can enroll which means that not every enroll request will succeed

zwass · Answer

Are you able to see Fleet server logs that indicate multiple hosts are using the same identifier

nyanshak · Answer

Yes I was aware from release notes that I would see this It s not a new problem just one that I m more aware of can quantify now

zwass · Answer

There was actually extensive discussion about this in osquery office hours yesterday if you re curious to dig deeper

nyanshak · Answer

Ah interesting I ll go find the notes recording