allow enrolling docker hosts #5
Conversation
demo.sh
Outdated
| for i in $(seq 1 $total_hosts); do | ||
| docker run --rm -d \ | ||
| --add-host "${CN}:$kolide_container_ip" \ | ||
| --network "kolidedemo_default" \ |
There was a problem hiding this comment.
Docker compose uses a different network than docker does by default so we have to attach to that network.
There was a problem hiding this comment.
here instead of doing run, we could add a second compose file and use --scale=$total_hosts. We'd still have have to provide the same network name. I had trouble finding a flag under
docker-compose up --help
but maybe it's a param in the compose file yaml?
It doesn't make a big different but it would be more idempotent.
| function get_cn() { | ||
| docker run -v $(pwd):/certs kolide/openssl x509 -noout -subject -in /certs/server.crt | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-]*\).*$/\1/' | ||
| docker run --rm -v $(pwd):/certs kolide/openssl x509 -noout -subject -in /certs/server.crt | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-]*\).*$/\1/' |
There was a problem hiding this comment.
added the --rm flag here because otherwise every time get_cn() is called, we add a new dead container to the user's environment. rm ensures the container is cleaned up.
demo.sh
Outdated
| @@ -20,7 +78,7 @@ function wait_mysql() { | |||
|
|
|||
| function up() { | |||
| if [ ! -f server.key ]; then | |||
| DEFAULT_CN='localhost' | |||
| DEFAULT_CN='kolide' | |||
There was a problem hiding this comment.
I switched the default CN to kolide because there are too many edge cases with leaving it to localhost.
The user won't be able to enroll a remote host, or a container host if the cert is signed for localhost.
I think having kolide as the default is acceptable. This strategy is also used by other services, notably puppet, which uses puppet as the default hostname, and asks you to create a CNAME.
demo.sh
Outdated
| total_hosts=$1 | ||
| ENROLL_SECRET=$2 | ||
| if [ -z $ENROLL_SECRET ]; then | ||
| echo "Please provide an enroll secret to be used by osquery." |
There was a problem hiding this comment.
needs better text string
There was a problem hiding this comment.
Text from the mac package PR is good:
echo "You can find find out the enroll secret by going to https://${CN}:8412/hosts/manage"
echo "and clicking Add Hosts on the top right side of the page."
There was a problem hiding this comment.
Actually, it's "Add New Host" which we should probably change in the mac echos as well.
Adds the ability to enroll a number of osquery containers to kolide
Example: