https://github.com/osquery/osquery logo
Join Slack
Powered by
Hi team, do you know how long does fleet update th...
# fleet
j
Hi team, do you know how long does fleet update the Software Inventory? Right now, it's been 7 days since last update. And it seems it will update the inventory when I update fleet server to a new version.
k
Hi @Jincheng YinWhat version of Fleet are you running? The default interval for vulnerability and software updates is 1 hour.
j
@Kathy Satterlee 4.25
k
Are your hosts otherwise checking in properly? Any errors in the Fleet logs?
j
Let me double check the logs. it seems it only updated the inventory when restarts the pods or update fleet server
@Kathy Satterlee
image.png
k
Can you verify that the path set for 
database_path
is present and that the fleet user has read and write privileges?
j
There is /tmp/ folder, but it's empty. Checking the privileges.
@Kathy Satterlee we have these settings in the fleet yaml file
@Kathy Satterlee We got debug logs. And it's showing 
unable to acquire lock
k
Is the “unable to acquire lock” error showing up consistently, or was that a one-off? How many Fleet instances do you have running?
j
@Kathy Satterlee We have 3 fleet instances, it's showing up consistently. When it's not showing up, we can get the new Software Inventory update, last time is 3 days ago.
We had another error is 
syncing NVD CVE feed
when we pass the acquire lock, it should relate to our Firewall rules.
k
Can you show me that exact error?
j
image.png,image.png
k
Got it. Fleet should continue processing even if the databases can't sync. Just to clarify:
When it's not showing up, we can get the new Software Inventory update, last time is 3 days ago.
Does that mean you last saw that error 3 days ago and software is currently updating, or that the error is still coming up and you haven't seen a software update in 3 days?
j
the error(unable to acquire lock) is still coming up and I haven't seen a software update in 3 days
k
Thanks. just wanted to make sure. Do you have access to the Fleet database? I'd like to see what shows up in the `locks`table:
Copy code
select * from locks where name = 'vulnerabilities';
And are you using the default value for current_instance_checks ?
Last question for now... how much memory do you have allocated to each Fleet instance?
j
We did not change the current_instance_checks Only add the vul_path
Can't access the MySQL database 🫠
Do you think restart DB can help?
k
This is the suggested resource allocation in Kubernetes from the documentation:
Copy code
resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "2048Mi" # vulnerability processing
            cpu: "500m"
That memory limit is likely the culprit.
j
Thanks! We will have a try.
k
Awesome! Let me know if that doesn't do the trick.
j
@Kathy Satterlee Sorry, last time check the wrong file. We have this settings in our deployment file, I think it should be OK
VulnAutomationEnabled: ""
This is the last log we seen in the container which running the 
Vuln check
5mins later, it start ticking again
Last time when it's working, the jobID is 
cron_sync_host_software
Now the jobID is 
cron_vulnerabilities
Hi @Kathy Satterlee , do you have any suggestion? Basically the log shows the Vul check started, and then nothing happened. Last time it works is 7 days ago, when it works, we have more logs about software things. (Error logs as we don't have CVE files in the container)
k
Vulnerabilities processing requires a minimum of 4GB of memory (it looks like the recommendation in that example I shared is even too low, sorry about the oversight!). That’s still the most likely culprit.
j
@Kathy Satterlee Thanks. It's working now. It's Memory issue and caused by the GKE autopilot modified resource limit to match resource request.
3 Views
Open in Slack
PreviousNext
Powered by