Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jon O'Brien
03/07/2019, 4:59 PMHey folks - I raised this issue https://github.com/kolide/fleet/issues/2008 yesterday regarding
fleetctlfleetctl--debugz
zwass
03/07/2019, 5:43 PMAre you able to query via the Fleet UI?
j
Jon O'Brien
03/07/2019, 5:47 PMyes
z
zwass
03/07/2019, 5:51 PMWhen you do that, look in the network panel in the devtools and see whether it is using a websocket or XHR requests.
Is your Fleet server behind a load balancer?
j
Jon O'Brien
03/07/2019, 5:51 PMyes - I believe it is
z
zwass
03/07/2019, 5:51 PMAh yes I see that it is
Does your load balancer support websockets?
j
Jon O'Brien
03/07/2019, 5:52 PM...checking
z
zwass
03/07/2019, 5:52 PMI suspect that your load balancer doesn't support websockets... On the browser we have a good library for getting around this with XHR requests. In Go (where fleetctl is written) we don't.
r
ralph
03/07/2019, 10:32 PMZack, if we run fleetctl directly on 1 backend kolide server, would it help?
z
zwass
03/07/2019, 10:41 PMYeah if you connect fleetctl directly to one of the servers it ought to work fine.
r
ralph
03/07/2019, 10:41 PMone more thing, if I enable session persistence on the L7 LB , would that help too?
z
zwass
03/07/2019, 11:20 PMWhat matters is whether the LB supports websockets. It doesn't matter which Fleet server the client connects to as long as (1) Redis is working and (2) websockets are supported for communication with the client.
j
Jon O'Brien
03/08/2019, 12:31 PMIt does appear that websockets is supported in the LB - is there a configuration setting which is required to ensure fleetctl can communicate through them?
Also, how might I be able to see more debug information coming back from
fleetctlz
zwass
03/08/2019, 4:48 PMI did some testing and it does seem that fleetctl should print an error if it is unable to establish the websocket connection. It will also print any errors it encounters from the server, and errors reading from the websocket connection. Can you check a couple more things please? What version of fleetctl are you running (
fleetctl --versionj
Jon O'Brien
03/08/2019, 4:50 PMfleetctl - version 2.0.2
branch: master
revision: 8ca0358bf28173685815b79d8683a4239d629a14
build date: 2019-01-18T00:39:59Z
build user: zwass
go version: go1.11.3z
zwass
03/08/2019, 5:19 PMYeah, on the Fleet server. They are printed to stderr of the Fleet process.
Can you please clarify one more thing... In the examples in https://github.com/kolide/fleet/issues/2008 are both of those commands exiting immediately (or near immediately)?
j
Jon O'Brien
03/08/2019, 7:52 PMI will try and get the stderr output - in the meantime, yes, they exit immediately.
z
zwass
03/08/2019, 7:54 PMCan you show the output of
fleetctl get label 'All Hosts'j
Jon O'Brien
03/08/2019, 7:56 PM$ fleetctl get label 'All Hosts'
apiVersion: v1
kind: label
spec:
ID: 0
description: All hosts which have enrolled in Kolide
label_type: 1
name: All Hosts
query: select 1;
$z
zwass
03/09/2019, 8:57 PMI am still interested in the Fleet server logs. Also, are you able to create a label with a query like
select 1j
Jon O'Brien
03/11/2019, 11:57 AMOK - I can see that although the
fleetctl/var/log/kolide/status.logThe number of hosts online has greatly reduced now (not sure why)
...and now, queries are working as expected for 171 hosts online
6% responded (99% online) | 170/2680 targeted hosts (170/171 online)I created a label `test label`:
$ fleetctl get label --context my_context 'test label'
apiVersion: v1
kind: label
spec:
ID: 0
description: ""
label_type: 0
name: test label
query: select 1
$@zwass - any more thoughts on this please?
Current situation is that when hosting fleet on multiple servers through a load balancer,
fleetctl[----------]$ fleetctl query --timeout 25m --query 'select name,version from os_version' --labels 'All Hosts' --exit
⠋ [----------]$
[----------]$ fleetctl query --timeout 25m --query 'select name,version from os_version' --labels 'All Hosts'
0% responded (0% online) | 0/0 targeted hosts (0/0 online)
[----------]$/var/log/kolide/status.logfleetctlfleetctlz
zwass
03/13/2019, 6:52 PMAre you able to query that test label?
j
Jon O'Brien
03/14/2019, 10:38 AMYes - I can query against my 'test label' and 'All Hosts'.
fleetctlz
zwass
03/15/2019, 7:04 PMWhen you query the test label you get results? What about if you query individual hosts?
j
Jon O'Brien
03/18/2019, 10:19 AMI don't think the problem is to do with the label or individual host queries - it appears to be related to how load balanced fleet servers communicate back to
fleetctlfleetctlHi @zwass - I'm still having issues with this environment despite reducing the number of fleet servers to 1 through the load balancer.
I've managed to look in the fleet stderr log in docker and I get a few of the following errors occurring around the time that
fleetctl{"log":"{\"err\":\"sending: sockjs: session not in open state\",\"msg\":\"error writing to channel\",\"ts\":\"2019-03-24T04:08:13.081053265Z\"}\n","stream":"stderr","time":"2019-03-24T04:08:13.08115086Z"}
{"log":"{\"component\":\"service\",\"err\":null,\"ip_addr\":\"192.168.20.3:60635\",\"method\":\"SubmitDistributedQueryResults\",\"took\":\"8.070283ms\",\"ts\":\"2019-03-24T04:08:13.086910133Z\"}\n","stream":"stderr","time":"2019-03-24T04:08:13.087039196Z"}
{"log":"{\"err\":\"write status\",\"msg\":\"error updating status\",\"ts\":\"2019-03-24T04:08:13.322847484Z\"}\n","stream":"stderr","time":"2019-03-24T04:08:13.32299169Z"}z
zwass
03/25/2019, 11:19 PMHave you tried connecting directly to Fleet rather than through the LB? This seems like an LB issue.