Hi team, do you know how long it takes Fleet to update the Software Inventory? Right now, it's been 7 days since the last update. And it seems it will update the inventory when I update the Fleet server to a new version.
Hi @Jincheng Yin What version of Fleet are you running? The default interval for vulnerability and software updates is 1 hour.
@Kathy Satterlee 4.25
Are your hosts otherwise checking in properly? Any errors in the Fleet logs?
Let me double check the logs. It seems it only updated the inventory when we restart the pods or update the Fleet server.
@Kathy Satterlee
Can you verify that the path set for
is present and that the fleet user has read and write privileges?
There is /tmp/ folder, but it's empty. Checking the privileges.
@Kathy Satterlee we have these settings in the fleet yaml file
@Kathy Satterlee We got debug logs. And it's showing
unable to acquire lock
Is the “unable to acquire lock” error showing up consistently, or was that a one-off? How many Fleet instances do you have running?
@Kathy Satterlee We have 3 fleet instances, it's showing up consistently. When it's not showing up, we can get the new Software Inventory update, last time is 3 days ago.
Another error we had is
syncing NVD CVE feed
when we pass the acquire lock. It should relate to our firewall rules.
Can you show me that exact error?
Got it. Fleet should continue processing even if the databases can't sync. Just to clarify:
When it's not showing up, we can get the new Software Inventory update, last time is 3 days ago.
Does that mean you last saw that error 3 days ago and software is currently updating, or that the error is still coming up and you haven't seen a software update in 3 days?
The error (unable to acquire lock) is still coming up and I haven't seen a software update in 3 days.
Thanks, just wanted to make sure. Do you have access to the Fleet database? I'd like to see what shows up in the `locks` table:
select * from locks where name = 'vulnerabilities';
And are you using the default value for current_instance_checks ?
Last question for now... how much memory do you have allocated to each Fleet instance?
We did not change the current_instance_checks. Only added the vul_path.
Can't access the MySQL database 🫠
Do you think restarting the DB can help?
This is the suggested resource allocation in Kubernetes from the documentation:
            memory: "64Mi"
            cpu: "250m"
            memory: "2048Mi" # vulnerability processing
            cpu: "500m"
That memory limit is likely the culprit.
Thanks! We will have a try.
Awesome! Let me know if that doesn't do the trick.
@Kathy Satterlee Sorry, last time I checked the wrong file. We have these settings in our deployment file, I think it should be OK
VulnAutomationEnabled: ""
This is the last log we saw in the container which is running the
Vuln check
5 mins later, it starts ticking again
Last time when it's working, the jobID is
Now the jobID is
Hi @Kathy Satterlee, do you have any suggestions? Basically the log shows the Vul check started, and then nothing happened. The last time it worked was 7 days ago; when it works, we have more logs about software things. (Error logs, as we don't have CVE files in the container)
Vulnerabilities processing requires a minimum of 4GB of memory (it looks like the recommendation in that example I shared is even too low, sorry about the oversight!). That’s still the most likely culprit.
@Kathy Satterlee Thanks. It's working now. It's a memory issue, caused by GKE Autopilot modifying the resource limit to match the resource request.