Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
andrew
11/14/2017, 8:17 PMfleet works great in https mode behind an ALB, no problems
m
maxwhite
11/14/2017, 8:20 PMYes, but launcher cannot communicate with it because it uses gRPC, from what I understood
a
andrew
11/14/2017, 8:23 PMthis is true
g
groob
11/14/2017, 8:37 PMgrpc uses http2 which uses TLS by default
outside of local development we don't use grpc without TLS
launcher should be able to communicate to a TCP proxy, but I hear from andrew that it doesn't. I havent seen logs about what is failing though
a
andrew
11/14/2017, 8:39 PMI'll stand back up the ELB and get some logs for you @groob
g
groob
11/14/2017, 8:39 PMthanks that would be great
I've been meaning to do that as well but it's not high on my priority list right now 😞
m
maxwhite
11/14/2017, 8:47 PMJust to add a small precision: An ALB =/= ELB there are couple of differences: for instance, the ALB is only Layer7 and can manage "target groups", ELB can be set to TCP mode but points to specific instances.
Thanks again everyone for all the help 😉
g
groob
11/14/2017, 8:48 PMso which one are you using application or tcp?
with grpc you cannot use an ALB, but with osquery tls you could
m
maxwhite
11/14/2017, 8:50 PMI was using ALB because I wished to use ECS Containers, but I will be fine if it works with ELB I will just spin-up a normal instance 😉
g
groob
11/14/2017, 8:50 PMyou can't use ECS with ELB?
heh
anyway, the changes I'm making will allow you to use ALB for anything moving forward
m
maxwhite
11/14/2017, 8:51 PM👍 🙂 🎉
But to answer, ALB isn't completely compatible with ECS without some manual tweaking (because random port mappings assigned to services)
a
andrew
11/14/2017, 8:53 PM$ ./build/launcher --debug \
--hostname=kolide.corp.domain.tld:443 \
--enroll_secret="hunter2"
{"allowed_level":"debug","caller":"log.go:24","component":"launcher","level":"info","msg":"allowed log level set","ts":"2017-11-14T20:51:53.203243Z"}
{"caller":"launcher.go:72","component":"launcher","level":"info","msg":"using default system root directory","path":"/var/folders/ld/78vsh4p55zz0j21h5ssr8qmr0000gn/T/launcher-root","ts":"2017-11-14T20:51:53.203527Z"}
{"build":"58e680750ea2ab159aea3493622da1b304aade5e","caller":"launcher.go:102","component":"launcher","level":"info","msg":"started kolide launcher","ts":"2017-11-14T20:51:53.203602Z","version":"0.3.0-10-g58e6807"}
{"caller":"launcher.go:292","component":"launcher","grpc_secure":true,"level":"info","msg":"dialing grpc server","server":"<http://kolide.corp.zenefits.com:443|kolide.corp.zenefits.com:443>","tls_secure":true,"ts":"2017-11-14T20:51:53.20501Z"}
{"caller":"logging.go:28","component":"launcher","enrollSecret":"hunter2","err":"rpc error: code = Unavailable desc = transport is closing","errcode":"","hostIdentifier":"fc179b0c-a1ee-4f37-b1bf-e0a81beea252","level":"debug","method":"RequestEnrollment","reauth":false,"took":"431.520478ms","ts":"2017-11-14T20:51:53.638556Z","uuid":"03fd3319-22ff-4156-b591-57dbd670cba3"}
{"caller":"launcher.go:144","component":"launcher","err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = transport is closing","level":"info","ts":"2017-11-14T20:51:53.638842Z"}I have an ALB and a Classic ELB, this is the response pointed at the ELB in layer4 mode
g
groob
11/14/2017, 8:54 PMinteresting
looking
m
maxwhite
11/14/2017, 8:55 PM@andrew I have exaclty the same, without ELB, directly on an instance on the VPN, with TLS disabled just for testing
g
groob
11/14/2017, 8:56 PMi'll play with the ELB and get back to you guys
a
andrew
11/14/2017, 8:56 PMah i wonder, does fleet need to be told to serve grpc without tls explicitly if termination is happening on the LB?
g
groob
11/14/2017, 8:56 PMit checks to see if traffic is grpc traffic
it can't be insecure, it has to be TLS for that to work
a
andrew
11/14/2017, 8:57 PMah so I'd need to use tls between the LB and fleet anyway
g
groob
11/14/2017, 8:57 PMyou need fleet to terminate your TLS
not the LB
or yes, reterminate tls in fleet
👍 1
a
andrew
11/14/2017, 8:59 PMI'll try that soon
I'm not married to ACM, but gosh it's convenient
g
groob
11/14/2017, 8:59 PMi need to play with this and document it. I use LE for my certs because it's also convenient
but yeah, fleet will only care about grpc if it's coming over tls
a
andrew
11/14/2017, 9:00 PMI wouldn't be opposed to using LE/lego or something, just haven't messed with using it in the context of other containers
m
maxwhite
11/14/2017, 11:18 PMI confirm, using Let's Encrypt and it's fullchain certificate fixes the issue 🎉