Conversation
pointed out a few interesting bits.
demo.sh
Outdated
for i in $(seq 1 $total_hosts); do | ||
docker run --rm -d \ | ||
--add-host "${CN}:$kolide_container_ip" \ | ||
--network "kolidedemo_default" \ |
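Review bot: the network name on the --network line is hardcoded to kolidedemo_default, but Compose names its default network <project>_default with the project taken from the checkout directory name (or -p / COMPOSE_PROJECT_NAME), so as soon as the repo is cloned into a directory with another name docker run refuses to start the container because the network does not exist. Derive it instead, for example `--network "${COMPOSE_PROJECT_NAME:-$(basename "$PWD")}_default"` (Compose lowercases the project name and strips non-alphanumerics, so normalize the same way), or pin the network name in the compose file. The --add-host line also needs a guard: if $kolide_container_ip came back empty the argument becomes "kolide:" and docker run rejects it, which is easier to diagnose with an explicit check than from the docker error.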
Docker Compose uses a different network than Docker does by default, so we have to attach to that network.
Here, instead of doing run, we could add a second compose file and use --scale=$total_hosts. We'd still have to provide the same network name. I had trouble finding a flag under docker-compose up --help, but maybe it's a param in the compose file yaml? It doesn't make a big difference but it would be more idempotent.
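The compose route raised in the comment above, as an added example that is not part of the project's demo.sh: a script that writes a compose override file and prints the matching `docker-compose up --scale` command. It assumes, none of which the page states, that the compose project is named "kolidedemo" (so the default network is "kolidedemo_default", the name the --network flag above hardcodes), that the Kolide service in the base docker-compose.yml is called "kolide", and that the osquery image name is supplied by the caller. The network name is pinned with the `name:` key that compose file format 3.5 added under top-level `networks:`, and a network alias equal to the certificate CN on the kolide service replaces the --add-host flag, because Docker's embedded DNS resolves aliases for every container on the same network.

```shell
#!/bin/sh
# Added example, not demo.sh from the project. Generates a compose override
# so the osquery hosts come up with `docker-compose up --scale` instead of a
# `docker run` loop. Assumptions, none of which are stated on the page:
#   - the compose project is named "kolidedemo", so its default network is
#     "kolidedemo_default" (the name the page's --network flag hardcodes);
#   - the Kolide service in the base docker-compose.yml is named "kolide";
#   - the osquery image name is passed in by the caller.
set -eu

# Emit the override YAML on stdout.
#   $1  CN of server.crt; a network alias with that name on the kolide
#       service lets every osquery container resolve it without --add-host
#   $2  osquery image to run (hypothetical; the page never names one)
make_override() {
  cn="$1"
  image="$2"
  cat <<EOF
version: "3.5"
services:
  kolide:
    networks:
      default:
        aliases:
          - ${cn}
  osquery:
    # enrollment flags/secret for the agent are out of scope here
    image: ${image}
networks:
  default:
    # format 3.5+ lets the file pin the network name, so the override
    # works whatever directory name or -p the user runs it with
    name: kolidedemo_default
EOF
}

# Print the command that starts N osquery containers, after validating N
# (the page passes $1 straight to seq with no check).
up_command() {
  total_hosts="$1"
  case "$total_hosts" in
    ''|*[!0-9]*|0*)
      echo "total_hosts must be a positive integer, got '$total_hosts'" >&2
      return 1 ;;
  esac
  printf 'docker-compose -f docker-compose.yml -f docker-compose.hosts.yml up -d --scale osquery=%s\n' "$total_hosts"
}

# Usage: make_override "$(get_cn)" osquery-image > docker-compose.hosts.yml
#        sh -c "$(up_command 5)"
```

Re-running the generated command is idempotent: Compose reconciles the running osquery replicas to the requested count instead of adding a fresh set of containers each time.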
function get_cn() { | ||
docker run -v $(pwd):/certs kolide/openssl x509 -noout -subject -in /certs/server.crt | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-]*\).*$/\1/' | ||
docker run --rm -v $(pwd):/certs kolide/openssl x509 -noout -subject -in /certs/server.crt | sed -e 's/^subject.*CN=\([a-zA-Z0-9\.\-]*\).*$/\1/' |
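Review bot: the sed expression on both get_cn lines only matches the OpenSSL 1.0 subject format ("subject= /CN=kolide"); OpenSSL 1.1 prints "subject=CN = kolide" with spaces around the equals sign, the substitution never fires, and get_cn returns the whole line, which then ends up as the hostname in --add-host. Pass `-nameopt RFC2253` to x509 so the output is "subject=CN=kolide" on every version, and quote `"$(pwd)"` in the -v argument so a checkout path containing spaces does not split the bind mount.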
Added the --rm flag here because otherwise every time get_cn() is called, we add a new dead container to the user's environment. --rm ensures the container is cleaned up.
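Extracting the CN is where the demo's get_cn() is most fragile, so here is an added example, not the project's code, of the same function with the parsing split out so it can be checked on constructed subject lines. The sed expression in the hunk above expects OpenSSL 1.0 output ("subject= /O=Acme/CN=kolide"); OpenSSL 1.1 prints "subject=O = Acme, CN = kolide" by default, which that expression does not match. The version below asks openssl for RFC 2253 formatting, which is stable across versions, and still tolerates all three shapes. It assumes an openssl binary on PATH rather than the kolide/openssl image.

```shell
#!/bin/sh
# Added example, not the project's get_cn(). The demo's sed expression expects
# OpenSSL 1.0 output ("subject= /O=Acme/CN=kolide"); OpenSSL 1.1 prints
# "subject=O = Acme, CN = kolide" by default, which that expression does not
# match, so the unmodified line comes back as the "CN". This version asks
# openssl for RFC 2253 formatting, which is the same on every version, and
# keeps the parsing in a function that the tests exercise on constructed
# subject lines, so no certificate or openssl binary is needed to check it.
set -eu

# Pull the CN value out of one "subject=..." line. Accepts the three shapes
# OpenSSL emits: RFC 2253 ("subject=CN=kolide,O=Acme"), legacy oneline
# ("subject= /O=Acme/CN=kolide") and the 1.1 default ("subject=O = Acme, CN = kolide").
# Prints nothing if the subject has no CN.
parse_cn() {
  printf '%s\n' "$1" \
    | sed -e 's|^subject= */\{0,1\}||' \
    | sed -n -e 's|^\(.*[/,]\)\{0,1\}[[:space:]]*CN[[:space:]]*=[[:space:]]*\([^/,]*\).*$|\2|p' \
    | sed -e 's|[[:space:]]*$||'
}

# Only accept a CN that can serve as a hostname (what --add-host and the
# enrolling hosts need); anything else is reported instead of silently used.
is_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Read the CN from a PEM certificate on disk. Assumes an openssl binary on
# PATH (the page uses the kolide/openssl image instead). "$1" is quoted,
# which the page's unquoted $(pwd) mount argument is not.
cert_cn() {
  cn="$(parse_cn "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")")"
  if ! is_hostname "$cn"; then
    echo "certificate $1 has no usable CN (got '$cn')" >&2
    return 1
  fi
  printf '%s\n' "$cn"
}

# Usage: CN="$(cert_cn server.crt)" || exit 1
```

Failing loudly in cert_cn matters more than it looks: with the page's version a non-matching subject line is passed on unchanged, so the bad hostname only surfaces later as a TLS verification error inside each osquery container.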
demo.sh
Outdated
@@ -20,7 +78,7 @@ function wait_mysql() { | |||
|
|||
function up() { | |||
if [ ! -f server.key ]; then | |||
DEFAULT_CN='localhost' | |||
DEFAULT_CN='kolide' |
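Review bot: the guard `if [ ! -f server.key ]` only checks for the key, so a directory holding server.key but no server.crt skips generation and get_cn then fails on the missing certificate; test for both files, e.g. `if [ ! -f server.key ] || [ ! -f server.crt ]`. With DEFAULT_CN now 'kolide', the script should also tell the user that enrolling hosts must resolve the name kolide to the server (hosts entry or CNAME), since a host that cannot will fail TLS verification the same way remote hosts did with localhost.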
I switched the default CN to kolide because there are too many edge cases with leaving it to localhost.
The user won't be able to enroll a remote host, or a container host, if the cert is signed for localhost.
I think having kolide as the default is acceptable. This strategy is also used by other services, notably puppet, which uses puppet as the default hostname, and asks you to create a CNAME.
demo.sh
Outdated
total_hosts=$1 | ||
ENROLL_SECRET=$2 | ||
if [ -z $ENROLL_SECRET ]; then | ||
echo "Please provide an enroll secret to be used by osquery." |
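Review bot: $ENROLL_SECRET is unquoted in the `[ -z $ENROLL_SECRET ]` test. The empty case only works by accident, because `[ -z ]` with no operand tests the literal string "-z" and is true, while a secret containing whitespace expands to several words and the test aborts with "too many arguments". Use `[ -z "$ENROLL_SECRET" ]`, and validate $1 as well: total_hosts is handed straight to seq, so a missing or non-numeric value produces a seq error instead of a usage message.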
needs better text string
Text from the mac package PR is good:
echo "You can find out the enroll secret by going to https://${CN}:8412/hosts/manage"
echo "and clicking Add Hosts on the top right side of the page."
Actually, it's "Add New Host" which we should probably change in the mac echos as well.
I am happy with this.
Adds the ability to enroll a number of osquery containers to kolide
Example: