Title
#kolide
a

andrew

11/14/2017, 8:17 PM
fleet works great in https mode behind an ALB, no problems
maxwhite

maxwhite

11/14/2017, 8:20 PM
Yes, but launcher cannot communicate with it because it uses gRPC, from what I understood
a

andrew

11/14/2017, 8:23 PM
this is true
g

groob

11/14/2017, 8:37 PM
grpc uses http2 which uses TLS by default
8:38 PM
outside of local development we don't use grpc without TLS
8:39 PM
launcher should be able to communicate to a TCP proxy, but I hear from andrew that it doesn't. I havent seen logs about what is failing though
a

andrew

11/14/2017, 8:39 PM
I'll stand back up the ELB and get some logs for you @groob
g

groob

11/14/2017, 8:39 PM
thanks that would be great
8:40 PM
I've been meaning to do that as well but it's not high on my priority list right now 😞
maxwhite

maxwhite

11/14/2017, 8:47 PM
Just to add a small precision: An ALB =/= ELB there are couple of differences: for instance, the ALB is only Layer7 and can manage "target groups", ELB can be set to TCP mode but points to specific instances. Thanks again everyone for all the help 😉
g

groob

11/14/2017, 8:48 PM
so which one are you using application or tcp?
8:48 PM
with grpc you cannot use an ALB, but with osquery tls you could
maxwhite

maxwhite

11/14/2017, 8:50 PM
I was using ALB because I wished to use ECS Containers, but I will be fine if it works with ELB I will just spin-up a normal instance 😉
g

groob

11/14/2017, 8:50 PM
you can't use ECS with ELB?
8:50 PM
heh
8:51 PM
anyway, the changes I'm making will allow you to use ALB for anything moving forward
maxwhite

maxwhite

11/14/2017, 8:51 PM
👍 🙂 🎉
8:53 PM
But to answer, ALB isn't completely compatible with ECS without some manual tweaking (because random port mappings assigned to services)
a

andrew

11/14/2017, 8:53 PM
$ ./build/launcher --debug \
--hostname=kolide.corp.domain.tld:443 \
--enroll_secret="hunter2"
{"allowed_level":"debug","caller":"log.go:24","component":"launcher","level":"info","msg":"allowed log level set","ts":"2017-11-14T20:51:53.203243Z"}
{"caller":"launcher.go:72","component":"launcher","level":"info","msg":"using default system root directory","path":"/var/folders/ld/78vsh4p55zz0j21h5ssr8qmr0000gn/T/launcher-root","ts":"2017-11-14T20:51:53.203527Z"}
{"build":"58e680750ea2ab159aea3493622da1b304aade5e","caller":"launcher.go:102","component":"launcher","level":"info","msg":"started kolide launcher","ts":"2017-11-14T20:51:53.203602Z","version":"0.3.0-10-g58e6807"}
{"caller":"launcher.go:292","component":"launcher","grpc_secure":true,"level":"info","msg":"dialing grpc server","server":"<http://kolide.corp.zenefits.com:443|kolide.corp.zenefits.com:443>","tls_secure":true,"ts":"2017-11-14T20:51:53.20501Z"}
{"caller":"logging.go:28","component":"launcher","enrollSecret":"hunter2","err":"rpc error: code = Unavailable desc = transport is closing","errcode":"","hostIdentifier":"fc179b0c-a1ee-4f37-b1bf-e0a81beea252","level":"debug","method":"RequestEnrollment","reauth":false,"took":"431.520478ms","ts":"2017-11-14T20:51:53.638556Z","uuid":"03fd3319-22ff-4156-b591-57dbd670cba3"}
{"caller":"launcher.go:144","component":"launcher","err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = transport is closing","level":"info","ts":"2017-11-14T20:51:53.638842Z"}
8:54 PM
I have an ALB and a Classic ELB, this is the response pointed at the ELB in layer4 mode
g

groob

11/14/2017, 8:54 PM
interesting
8:55 PM
looking
maxwhite

maxwhite

11/14/2017, 8:55 PM
@andrew I have exaclty the same, without ELB, directly on an instance on the VPN, with TLS disabled just for testing
g

groob

11/14/2017, 8:56 PM
i'll play with the ELB and get back to you guys
a

andrew

11/14/2017, 8:56 PM
ah i wonder, does fleet need to be told to serve grpc without tls explicitly if termination is happening on the LB?
g

groob

11/14/2017, 8:56 PM
it checks to see if traffic is grpc traffic
8:57 PM
it can't be insecure, it has to be TLS for that to work
a

andrew

11/14/2017, 8:57 PM
ah so I'd need to use tls between the LB and fleet anyway
g

groob

11/14/2017, 8:57 PM
you need fleet to terminate your TLS
8:57 PM
not the LB
8:57 PM
or yes, reterminate tls in fleet
a

andrew

11/14/2017, 8:59 PM
I'll try that soon
8:59 PM
I'm not married to ACM, but gosh it's convenient
g

groob

11/14/2017, 8:59 PM
i need to play with this and document it. I use LE for my certs because it's also convenient
9:00 PM
but yeah, fleet will only care about grpc if it's coming over tls
a

andrew

11/14/2017, 9:00 PM
I wouldn't be opposed to using LE/lego or something, just haven't messed with using it in the context of other containers
maxwhite

maxwhite

11/14/2017, 11:18 PM
I confirm, using Let's Encrypt and it's fullchain certificate fixes the issue 🎉