FS#72251 - [osquery] Wants to read server certificates from /opt/osquery/share/osquery/certs/certs.pem
Attached to Project:
Community Packages
Opened by Martin Pöhlmann (mpdeimos) - Monday, 27 September 2021, 10:56 GMT
Last edited by Anatol Pomozov (anatolik) - Monday, 04 October 2021, 20:24 GMT
Details
Description:
Getting the following error from the osqueryd systemd daemon:
W0927 12:14:29.831859 542989 tls.cpp:101] Cannot read TLS server certificate(s): /opt/osquery/share/osquery/certs/certs.pem

Additional info:
* package version(s): 5.0.1-1
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
* Upgrade the package to 5.0.1-1
* Be connected to a TLS encrypted control server (e.g. fleet)

I think this is due to the move of the osquery default install to /opt/osquery, which Arch did not follow. If we need to keep the files in /usr, the following location needs to be patched: https://github.com/osquery/osquery/blob/2cd5b42c8f8fa52c6d251c6537595c7c59c90f4c/osquery/utils/config/default_paths.h#L29
Closed by Anatol Pomozov (anatolik)
Monday, 04 October 2021, 20:24 GMT
Reason for closing: Fixed
Additional comments about closing: 5.0.1-3
I get another error now where I am unsure whether it's coming from the switch to 5.0, from removing some patches or just corruption of the DB on my side:
Okt 01 09:11:32 xps13 osqueryd[40300]: I1001 09:11:32.587299 40300 rocksdb.cpp:67] RocksDB: [WARN] [db/db_impl/db_impl_compaction_flush.cc:1217] [configurations] [JOB 0] Compaction error: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy
Okt 01 09:11:32 xps13 osqueryd[40300]: I1001 09:11:32.587396 40300 rocksdb.cpp:165] Cannot compact column family queries: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy
After the next restart I get the following:
Okt 01 09:16:03 xps13 osqueryd[40300]: W1001 09:16:03.990754 40300 rocksdb.cpp:249] Backing up RocksDB database: /var/osquery/osquery.db.backup
Okt 01 09:16:03 xps13 osqueryd[40300]: W1001 09:16:03.990839 40300 rocksdb.cpp:256] Destroying RocksDB database due to corruption
With this a new DB is created and yields new host identifiers => duplicated hosts in fleet.
I can also create a separate ticket for this, if you've an idea whether it's an upstream or packaging issue.
My suspicion is that previously with linked libraries we were using rocksdb 6.23 with enabled Snappy support (see https://github.com/facebook/rocksdb/blob/35d8e36ef1b8e3e0759ca81215f855226a0a54bd/CMakeLists.txt#L132) and now we're back at 6.14 that does not contain Snappy.
To get it fixed we'd need to add Snappy to the osquery deps. I'm wondering whether we could just enable WITH_SNAPPY and link to the arch provided library - although I know you want the package to be more based on the default osquery setting.
Another idea would be submitting a patch for the scenario to osquery. The rocksdb table holding the device identifier is not compressed with Snappy, hence the identifier could be recovered before trashing the DB.
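The two failure modes in this ticket (the unreadable TLS certificate bundle from the description, and the RocksDB/Snappy corruption that ends in the database being destroyed) both surface only as osqueryd log lines, so a host-side triage script is the practical way to catch them before a fleet fills up with duplicated hosts. The following is an added example, not code from the ticket or from the osquery project; it parses the glog-style lines quoted above (with or without the journald prefix) and flags a database destruction as a host-identity reset, which is the consequence described in the comment above. The benign `init.cpp` line in the sample is constructed; the others are the lines quoted in this ticket.

```python
import re
from collections import Counter
from dataclasses import dataclass

# osquery logs in glog format: <sev><MMDD> <HH:MM:SS.usec> <thread> <file:line>] <message>
# journald prepends "Mon DD HH:MM:SS host osqueryd[pid]: "; that prefix is optional here.
GLOG_RE = re.compile(
    r"(?:.*?osqueryd\[\d+\]:\s*)?"
    r"(?P<sev>[IWEF])(?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<tid>\d+) (?P<src>[\w./-]+:\d+)\] (?P<msg>.*)$"
)

# Message patterns taken from the lines quoted in this ticket.
SIGNATURES = {
    "tls_cert_unreadable": re.compile(r"Cannot read TLS server certificate\(s\): (?P<detail>\S+)"),
    "rocksdb_corruption": re.compile(r"Corruption: .*compressed block contents: (?P<detail>\w+)"),
    "rocksdb_backup": re.compile(r"Backing up RocksDB database: (?P<detail>\S+)"),
    "rocksdb_destroyed": re.compile(r"Destroying RocksDB database due to corruption"),
}

@dataclass
class Finding:
    kind: str
    severity: str
    source: str
    detail: str

def parse_glog(line):
    """Split one osquery log line into its glog fields, or return None if it is not glog-shaped."""
    m = GLOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return one Finding per log line that matches a known osquery failure signature."""
    findings = []
    for line in lines:
        rec = parse_glog(line)
        if rec is None:
            continue
        for kind, pat in SIGNATURES.items():
            sm = pat.search(rec["msg"])
            if sm:
                findings.append(Finding(kind, rec["sev"], rec["src"], sm.groupdict().get("detail", "")))
                break
    return findings

def summarize(findings):
    """Count findings per kind; a destroyed DB means osquery mints a new host identifier on restart."""
    counts = Counter(f.kind for f in findings)
    return {"counts": dict(counts), "host_identity_reset": counts["rocksdb_destroyed"] > 0}

# Sample input: lines quoted in this ticket plus one constructed benign line (init.cpp).
SAMPLE_LOG = [
    "W0927 12:14:29.831859 542989 tls.cpp:101] Cannot read TLS server certificate(s): /opt/osquery/share/osquery/certs/certs.pem",
    "Okt 01 09:11:30 xps13 osqueryd[40300]: I1001 09:11:30.000000 40300 init.cpp:1] constructed: osqueryd started",
    "Okt 01 09:11:32 xps13 osqueryd[40300]: I1001 09:11:32.587299 40300 rocksdb.cpp:67] RocksDB: [WARN] [db/db_impl/db_impl_compaction_flush.cc:1217] [configurations] [JOB 0] Compaction error: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy",
    "Okt 01 09:11:32 xps13 osqueryd[40300]: I1001 09:11:32.587396 40300 rocksdb.cpp:165] Cannot compact column family queries: Corruption: Unsupported compression method or corrupted compressed block contents: Snappy",
    "Okt 01 09:16:03 xps13 osqueryd[40300]: W1001 09:16:03.990754 40300 rocksdb.cpp:249] Backing up RocksDB database: /var/osquery/osquery.db.backup",
    "Okt 01 09:16:03 xps13 osqueryd[40300]: W1001 09:16:03.990839 40300 rocksdb.cpp:256] Destroying RocksDB database due to corruption",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it `journalctl -u osqueryd -o cat` output to run it over a real host's log; the `host_identity_reset` flag is the one worth alerting on, since the duplicate host only shows up in fleet after the fact.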
I do not see a simple way to enable rocksdb/snappy. osquery has its own version of the build CMake file here https://github.com/osquery/osquery/blob/master/libraries/cmake/source/rocksdb/CMakeLists.txt that differs from the upstream rocksdb.
Could you please file this snappy request to osquery upstream to track it there?
Please do, I am interested to look at this change.
Something else I'd like to tackle (but not for fixing 5.0.1) is getting support of the pacman_packages table back in. I took the same approach as with Snappy and included libalpm as a source dependency. So far I struggled with getting it compiled correctly, but I did not give up yet ;) I have to admit that I'm more confident with Java/C# than C/C++ and CMake. My goal would be to submit this patch directly upstream.
This sounds great!
I can help you with C/C++ part. I am not proficient in CMake though.
Please look at osquery-5.0.1-3 that includes these changes.
I'll follow-up regarding pacman_packages table on GitHub once I find time and have something working.