Channels
#kolide
Title
# kolide
a
andrew
11/14/2017, 8:17 PMfleet works great in https mode behind an ALB, no problems
m
maxwhite
11/14/2017, 8:20 PMYes, but launcher cannot communicate with it because it uses gRPC, from what I understood
a
andrew
11/14/2017, 8:23 PMthis is true
g
groob
11/14/2017, 8:37 PM
grpc uses http2 which uses TLS by default
outside of local development we don't use grpc without TLS
launcher should be able to communicate to a TCP proxy, but I hear from andrew that it doesn't. I havent seen logs about what is failing though
a
andrew
11/14/2017, 8:39 PMI'll stand back up the ELB and get some logs for you @groob
g
groob
11/14/2017, 8:39 PM
thanks that would be great
I've been meaning to do that as well but it's not high on my priority list right now 😞
m
maxwhite
11/14/2017, 8:47 PMJust to add a small precision: An ALB =/= ELB there are couple of differences: for instance, the ALB is only Layer7 and can manage "target groups", ELB can be set to TCP mode but points to specific instances.
Thanks again everyone for all the help 😉
g
groob
11/14/2017, 8:48 PM
so which one are you using application or tcp?
with grpc you cannot use an ALB, but with osquery tls you could
m
maxwhite
11/14/2017, 8:50 PMI was using ALB because I wished to use ECS Containers, but I will be fine if it works with ELB I will just spin-up a normal instance 😉
g
groob
11/14/2017, 8:50 PM
you can't use ECS with ELB?
heh
anyway, the changes I'm making will allow you to use ALB for anything moving forward
m
maxwhite
11/14/2017, 8:51 PM👍 🙂 🎉
But to answer, ALB isn't completely compatible with ECS without some manual tweaking (because random port mappings assigned to services)
a
andrew
11/14/2017, 8:53 PM Copy code
$ ./build/launcher --debug \
--hostname=kolide.corp.domain.tld:443 \
--enroll_secret="hunter2"
{"allowed_level":"debug","caller":"log.go:24","component":"launcher","level":"info","msg":"allowed log level set","ts":"2017-11-14T20:51:53.203243Z"}
{"caller":"launcher.go:72","component":"launcher","level":"info","msg":"using default system root directory","path":"/var/folders/ld/78vsh4p55zz0j21h5ssr8qmr0000gn/T/launcher-root","ts":"2017-11-14T20:51:53.203527Z"}
{"build":"58e680750ea2ab159aea3493622da1b304aade5e","caller":"launcher.go:102","component":"launcher","level":"info","msg":"started kolide launcher","ts":"2017-11-14T20:51:53.203602Z","version":"0.3.0-10-g58e6807"}
{"caller":"launcher.go:292","component":"launcher","grpc_secure":true,"level":"info","msg":"dialing grpc server","server":"<http://kolide.corp.zenefits.com:443|kolide.corp.zenefits.com:443>","tls_secure":true,"ts":"2017-11-14T20:51:53.20501Z"}
{"caller":"logging.go:28","component":"launcher","enrollSecret":"hunter2","err":"rpc error: code = Unavailable desc = transport is closing","errcode":"","hostIdentifier":"fc179b0c-a1ee-4f37-b1bf-e0a81beea252","level":"debug","method":"RequestEnrollment","reauth":false,"took":"431.520478ms","ts":"2017-11-14T20:51:53.638556Z","uuid":"03fd3319-22ff-4156-b591-57dbd670cba3"}
{"caller":"launcher.go:144","component":"launcher","err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = transport is closing","level":"info","ts":"2017-11-14T20:51:53.638842Z"}I have an ALB and a Classic ELB, this is the response pointed at the ELB in layer4 mode
g
groob
11/14/2017, 8:54 PM
interesting
looking
m
maxwhite
11/14/2017, 8:55 PM@andrew I have exaclty the same, without ELB, directly on an instance on the VPN, with TLS disabled just for testing
g
groob
11/14/2017, 8:56 PM
i'll play with the ELB and get back to you guys
a
andrew
11/14/2017, 8:56 PMah i wonder, does fleet need to be told to serve grpc without tls explicitly if termination is happening on the LB?
g
groob
11/14/2017, 8:56 PM
it checks to see if traffic is grpc traffic
it can't be insecure, it has to be TLS for that to work
a
andrew
11/14/2017, 8:57 PMah so I'd need to use tls between the LB and fleet anyway
g
groob
11/14/2017, 8:57 PM
you need fleet to terminate your TLS
not the LB
or yes, reterminate tls in fleet
👍 1
a
andrew
11/14/2017, 8:59 PMI'll try that soon
I'm not married to ACM, but gosh it's convenient
g
groob
11/14/2017, 8:59 PM
i need to play with this and document it. I use LE for my certs because it's also convenient
but yeah, fleet will only care about grpc if it's coming over tls
a
andrew
11/14/2017, 9:00 PMI wouldn't be opposed to using LE/lego or something, just haven't messed with using it in the context of other containers
m
maxwhite
11/14/2017, 11:18 PMI confirm, using Let's Encrypt and it's fullchain certificate fixes the issue 🎉