#fleet

nyanshak

03/03/2021, 4:11 PM
I jumped a few Fleet versions in upgrading to 3.8.0, so I have a question that might go back a few releases. If clients attempt to enroll with the same host identifier, they'll get rate limited / enroll will fail. I don't know how long but I think that's been going for a few releases. My question is about what status codes (403, 4xx, 500, 5xx, etc.) are returned when those enrolls fail, and if those status codes have changed over the last few releases.

zwass

03/03/2021, 4:28 PM
The status codes have not changed, and the enrollment cooldown goes back to 3.5.0. Are you encountering some issues here?

nyanshak

03/03/2021, 4:29 PM
What is the status code for these enrollment issues?
I wouldn't say I'm having issues around this per se. My understanding (correct me if I'm wrong) is that before 3.5.0 there was still an issue with conflicts happening if there were multiple hosts with the same identifier enrolling, but that 3.5.0+ made the issue visible. Is that correct? ^

zwass

03/03/2021, 4:35 PM
That should return a 401.
Before 3.5.0 if there were multiple hosts using the same identifier they were likely to be successfully enrolling each attempt but then overwriting each other's node keys (since they appear to be the same host to Fleet yet the node key is invalidated due to a new successful enrollment). After 3.5.0 they are rate limited in how often they can enroll which means that not every enroll request will succeed.
Are you able to see Fleet server logs that indicate multiple hosts are using the same identifier?

nyanshak

03/03/2021, 4:39 PM
Yes - I was aware from release notes that I would see this. It's not a new problem, just one that I'm more aware of / can quantify now.

zwass

03/03/2021, 4:42 PM
There was actually extensive discussion about this in osquery office hours yesterday if you're curious to dig deeper.

nyanshak

03/03/2021, 4:42 PM
Ah interesting, I'll go find the notes / recording