From f75a2fc7396490c56e4c83c90d8d3114e87a4a0e Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Mon, 7 Jun 2021 13:34:17 -0700
Subject: [PATCH] Fix up test osquery tooling (#996)

- Update certificate paths.
- Update documentation to point to the appropriate docs.
---
 docs/4-Contribution/2-Testing.md | 7 ++++++-
 tools/osquery/README.md | 25 +++++++++++++++----------
 tools/osquery/docker-compose.yml | 2 +-
 tools/osquery/example_osquery.flags | 2 +-
 4 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/docs/4-Contribution/2-Testing.md b/docs/4-Contribution/2-Testing.md
index 05eae914e..9f644df9b 100644
--- a/docs/4-Contribution/2-Testing.md
+++ b/docs/4-Contribution/2-Testing.md
@@ -3,6 +3,7 @@
 - [License key](#license-key)
 - [Test suite](#test-suite)
 - [End-to-end tests](#end-to-end-tests)
+- [Test hosts](#test-hosts)
 - [Email](#email)
 - [Database backup/restore](#database-backuprestore)
 - [Teams seed data](#teams-seed-data)
@@ -193,6 +194,10 @@ CYPRESS_FLEET_TIER=basic yarn cypress run
 Tests will run automatically and results are reported to the shell.
+## Test hosts
+
+The Fleet repo includes tools to start test osquery hosts. Please see the documentation in [/tools/osquery](../../tools/osquery) for more information.
+
 ## Email
 #### Manually testing email with MailHog
@@ -244,7 +249,7 @@ Next, set the `FLEET_ENV_PATH` to point to the `env` file. This will let the scr
 export FLEET_ENV_PATH=/Users/victor/fleet_env
 ```
-Finally run one of the bash scripts located in the [/tools/api](../../tools/api/README.md) directory. 
+Finally run one of the bash scripts located in the [/tools/api](../../tools/api/README.md) directory.
 The `fleet/create_core` script will generate an environment to roughly reflect an installation of Fleet Core. The script creates 3 users with different roles.
diff --git a/tools/osquery/README.md b/tools/osquery/README.md
index db870b5f0..7c05eed64 100644
--- a/tools/osquery/README.md
+++ b/tools/osquery/README.md
@@ -2,16 +2,15 @@
 The files in this directory are intended to assist with Fleet development.
-* `docker-compose.yml`: This docker-compose file helps with starting `osqueryd` instances for testing Fleet. More on this [below](#testing-with-containerized-osqueryd).
+- `docker-compose.yml`: This docker-compose file helps with starting `osqueryd` instances for testing Fleet. More on this [below](#testing-with-containerized-osqueryd).
-* `example_config.json`: An example config file with insecure default passwords. Useful for testing in a local dev environment, but should /never/ be used in production.
+- `example_config.json`: An example config file with insecure default passwords. Useful for testing in a local dev environment, but should /never/ be used in production.
-* `example_osquery.conf`: An example osquery config file that sets up basic configuration for distributed queries.
+- `example_osquery.conf`: An example osquery config file that sets up basic configuration for distributed queries.
-* `example_osquery.flags`: An example osquery flagfile setting the config options that must be loaded before the full JSON config.
-
-* `kolide.crt` & `kolide.key`: Self-signed SSL certificate & key useful for testing locally with `osqueryd`. Works with the domain `host.docker.internal` (exposed within docker containers as the host's IP). Should /never/ be used in production.
+- `example_osquery.flags`: An example osquery flagfile setting the config options that must be loaded before the full JSON config.
+- `fleet.crt` & `fleet.key`: Self-signed SSL certificate & key useful for testing locally with `osqueryd`. Works with the domain `host.docker.internal` (exposed within docker containers as the host's IP). Should **never** be used in production.
 ## Testing with containerized osqueryd
@@ -23,8 +22,6 @@ Docker and docker-compose are the only dependencies. The necessary container ima
 Set the environment variable `ENROLL_SECRET` to the value of your Fleet enroll secret (available on the manage hosts page, or via `fleetctl get enroll-secret`).
-(Optionally) Set `KOLIDE_OSQUERY_VERSION` if you want to run an osquery container besides `latest`.
-
 (Optionally) Set `FLEET_SERVER` if you want to connect to a fleet server besides `host.docker.internal:8080`.
@@ -57,7 +54,9 @@ If you want to only start one instance of `osqueryd`, use:
 ```
 docker-compose run ubuntu14-osquery
 ```
+
 or
+
 ```
 docker-compose run centos7-osquery
 ```
@@ -87,23 +86,29 @@ We have had no trouble running up to 100 containerized osqueryd instances on a s
 ### Generating a osqueryd core file
 The docker containers are configured to allow core files to be generated if osqueryd
-crashes for some reason. You can attach to the container hosting the errant osqueryd 
+crashes for some reason. You can attach to the container hosting the errant osqueryd
 instance, install gdb and use it to read the core file to find out where the crash occurred. The other scenario where you might find a core dump useful is if osqueryd
-stops responding. In this case you can generate a core dump using the following instructions. 
+stops responding. In this case you can generate a core dump using the following instructions.
 1. Open a shell session on a container
+
 ```
 docker exec -t -i /bin/bash
 ```
+
 2. Find the process ID of osqueryd
+
 ```
 ps aux
 ```
+
 There will be two osqueryd processes, you'll probably be interested in the child process (the one with the higher pid)
 3. Send a signal to the process to core dump
+
 ```
 kill -3 
 ```
+
 The core file should be in your current working directory on the container.
diff --git a/tools/osquery/docker-compose.yml b/tools/osquery/docker-compose.yml
index eb46b7070..ddc9e307b 100644
--- a/tools/osquery/docker-compose.yml
+++ b/tools/osquery/docker-compose.yml
@@ -3,7 +3,7 @@ version: '2'
 x-default-settings:
 volumes: &default-volumes
- - ./kolide.crt:/etc/osquery/kolide.crt
+ - ./fleet.crt:/etc/osquery/fleet.crt
 - ./example_osquery.flags:/etc/osquery/osquery.flags
 environment: &default-environment
 ENROLL_SECRET: "${ENROLL_SECRET:?ENROLL_SECRET must be set for server authentication}"
diff --git a/tools/osquery/example_osquery.flags b/tools/osquery/example_osquery.flags
index 427322aeb..fb2201121 100644
--- a/tools/osquery/example_osquery.flags
+++ b/tools/osquery/example_osquery.flags
@@ -4,7 +4,7 @@
 --debug
 --tls_dump=true
---tls_server_certs=/etc/osquery/kolide.crt
+--tls_server_certs=/etc/osquery/fleet.crt
 --enroll_secret_env=ENROLL_SECRET
 --enroll_tls_endpoint=/api/v1/osquery/enroll
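Review bot: The new bind mount `./fleet.crt:/etc/osquery/fleet.crt` points at a file this patch neither adds nor renames — the diffstat lists only the two docs files, docker-compose.yml and example_osquery.flags, with no `kolide.crt`/`kolide.key` → `fleet.crt`/`fleet.key` rename — so the mount, the `--tls_server_certs=/etc/osquery/fleet.crt` line in the example_osquery.flags hunk and the README's new `fleet.crt` & `fleet.key` entry all presumably depend on the certificate having been renamed in an earlier commit. The commit message should state that dependency, e.g. `- Update certificate paths (kolide.crt/kolide.key were renamed to fleet.crt/fleet.key in an earlier commit).` If the file is absent on the host, Docker would likely create an empty directory at `./fleet.crt` rather than fail at compose time, and osqueryd would then reject the server as unverifiable with no obvious cause; a one-line README note that `fleet.crt` must exist next to docker-compose.yml before running would save that debugging. The `x-default-settings` mapping may continue past the end of this hunk.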