# kolide
c
Hey everyone, I've got an issue where some hosts are not calling the `enroll` endpoint so I don't see them in the Kolide UI, but those hosts read the config from Kolide just fine and also send logs without any issues. The installation is the same on many hosts and this behaviour only happens on some of them. I've tried using the `--tls_dump --verbose` flags to see if there was any pointer, but I didn't see any; there's no info about enrollment. Any ideas?
I used the flag `--enroll_always` on one of the machines and it was enrolled correctly, yay! The flag is not documented and I found it here: https://github.com/osquery/osquery/pull/2827/files Does anyone have any info about the implications of having that flag permanently?
t
I was not aware this flag existed either; this code seems to imply that each time the daemon is restarted it will enroll as a new device. This will likely result in a duplicate device every time osquery restarts.
c
@terracatta just tried and it doesn't duplicate hosts in Kolide. I haven't checked the code, but it could be checking the host_identifier as well and just updating the node_key on every enrollment.
t
very possible if your host identifier is stable
s
That seems like an interesting workaround to a real problem.
c
So, I've done more tests today and confirmed that there are no side effects to having the `--enroll_always` flag enabled if you have stable host identifiers, as @terracatta pointed out. If a host already exists on Kolide and there's a new enrollment request, Kolide just updates the node_key: https://github.com/kolide/fleet/blob/7494513400b1d15d3e770358350d227ffbe2e4ce/server/datastore/mysql/hosts.go#L231

For background context in case it helps someone: our problem is that some hosts are being built based on images where osquery was already installed and enrolled, so all of them had the same node_key, which means that the enrollment process was never executed.

And the last reference, because I didn't find an answer on the internet, this is how I read the node_key on a host:

```sh
# Find which RocksDB table file(s) in the osquery database contain the enrollment key
grep -l 'nodeKey' /var/osquery/osquery.db/*.sst
# Print the key name and the value stored on the following line ({FILE_NAME} is the file found above)
strings /var/osquery/osquery.db/{FILE_NAME}.sst | grep nodeKey -A 1
```
t
Ideally, before you cut your image you delete the osquery database, and then you won't need this special flag.
c
Yea, that would be the ideal solution! I'll check how standardised our image baking process is to propose that change 🙂
j
What do you exactly mean by a *stable* host identifier? We specify the host identifier to our own UUID on every host. Does that mean stable?
c
@Julian Scala I'd say yes; I understand a stable identifier to be something that is static per host and unique across your fleet.
j
Thanks!