# kolide
a
fleet works great in https mode behind an ALB, no problems
m
Yes, but launcher cannot communicate with it because it uses gRPC, from what I understood
a
this is true
g
grpc uses http2 which uses TLS by default
outside of local development we don't use grpc without TLS
launcher should be able to communicate to a TCP proxy, but I hear from andrew that it doesn't. I haven't seen logs about what is failing though
a
I'll stand back up the ELB and get some logs for you @groob
g
thanks that would be great
I've been meaning to do that as well but it's not high on my priority list right now 😞
m
Just to add a small precision: an ALB =/= ELB, there are a couple of differences: for instance, the ALB is only Layer 7 and can manage "target groups", while an ELB can be set to TCP mode but points to specific instances. Thanks again everyone for all the help 😉
g
so which one are you using application or tcp?
with grpc you cannot use an ALB, but with osquery tls you could
m
I was using ALB because I wished to use ECS Containers, but I will be fine if it works with ELB, I will just spin up a normal instance 😉
g
you can't use ECS with ELB?
heh
anyway, the changes I'm making will allow you to use ALB for anything moving forward
m
👍 🙂 🎉
But to answer, ALB isn't completely compatible with ECS without some manual tweaking (because random port mappings assigned to services)
a
$ ./build/launcher --debug \
--hostname=kolide.corp.domain.tld:443 \
--enroll_secret="hunter2"
{"allowed_level":"debug","caller":"log.go:24","component":"launcher","level":"info","msg":"allowed log level set","ts":"2017-11-14T20:51:53.203243Z"}
{"caller":"launcher.go:72","component":"launcher","level":"info","msg":"using default system root directory","path":"/var/folders/ld/78vsh4p55zz0j21h5ssr8qmr0000gn/T/launcher-root","ts":"2017-11-14T20:51:53.203527Z"}
{"build":"58e680750ea2ab159aea3493622da1b304aade5e","caller":"launcher.go:102","component":"launcher","level":"info","msg":"started kolide launcher","ts":"2017-11-14T20:51:53.203602Z","version":"0.3.0-10-g58e6807"}
{"caller":"launcher.go:292","component":"launcher","grpc_secure":true,"level":"info","msg":"dialing grpc server","server":"kolide.corp.zenefits.com:443","tls_secure":true,"ts":"2017-11-14T20:51:53.20501Z"}
{"caller":"logging.go:28","component":"launcher","enrollSecret":"hunter2","err":"rpc error: code = Unavailable desc = transport is closing","errcode":"","hostIdentifier":"fc179b0c-a1ee-4f37-b1bf-e0a81beea252","level":"debug","method":"RequestEnrollment","reauth":false,"took":"431.520478ms","ts":"2017-11-14T20:51:53.638556Z","uuid":"03fd3319-22ff-4156-b591-57dbd670cba3"}
{"caller":"launcher.go:144","component":"launcher","err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = transport is closing","level":"info","ts":"2017-11-14T20:51:53.638842Z"}
I have an ALB and a Classic ELB, this is the response pointed at the ELB in layer4 mode
g
interesting
looking
m
@andrew I have exactly the same, without ELB, directly on an instance on the VPN, with TLS disabled just for testing
g
i'll play with the ELB and get back to you guys
a
ah i wonder, does fleet need to be told to serve grpc without tls explicitly if termination is happening on the LB?
g
it checks to see if traffic is grpc traffic
it can't be insecure, it has to be TLS for that to work
a
ah so I'd need to use tls between the LB and fleet anyway
g
you need fleet to terminate your TLS
not the LB
or yes, reterminate tls in fleet
a
I'll try that soon
I'm not married to ACM, but gosh it's convenient
g
i need to play with this and document it. I use LE for my certs because it's also convenient
but yeah, fleet will only care about grpc if it's coming over tls
a
I wouldn't be opposed to using LE/lego or something, just haven't messed with using it in the context of other containers
m
I confirm, using Let's Encrypt and its fullchain certificate fixes the issue 🎉