Elastic-agent install -f

Greetings
I'm trying to set up fleet. All along the doc I see:

elastic-agent install -f 

but the -f flag is not documented anywhere (and make the elastic-agent choke in the docker version). What is it for? My goal is to use the Docker version, but I don't know what to specify in the compose file to have the agent set up itself...

Thanks in advance

Regards

Removes the interactive prompts i believe

Makes sense! Thanks!
Do you know which parameters to pass to the elastic-agent to have it set up inside a container?

Regards

@Greg_R

Have you looked at the container command.

Yes but I keep having error messages:

2021-10-15T08:23:46.021Z        ERROR   status/reporter.go:236  Elastic Agent status changed to: 'error'
2021-10-15T08:23:46.022Z        ERROR   log/reporter.go:36      2021-10-15T08:23:46Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - EOF - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:23:46.278Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - EOF
2021-10-15T08:23:52.286Z        INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - EOF

It says EOF but does'nt say which file :frowning:

Can you share the steps and commands you are using ? is this for the Fleet Server or Agent ?

I'm trying to start the first element, which I think is the "server"?

  fleet-root:
    image: docker.elastic.co/beats/elastic-agent:7.15.0
    container_name: fleet-root
    user: root
    environment:
      - FLEET_SERVER_SERVICE_TOKEN=AAE....
      - FLEET_SERVER_POLICY_ID=5d...
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://172.20.0.2:9200
      - FLEET_SERVER_ENABLE=true
      - FLEET_SERVER_INSECURE_HTTP=true
      - FLEET_INSECURE=true
      - FLEET_ENROLL=1
      - FLEET_URL=https://10.10.11.42:8220
    expose:
      - 8220
    ports:
      - 0.0.0.0:8220:8220

I guess it has something to do with the server being accessible on https by IP. I don't know how to disable cert check (communications are already encrypted):

2021-10-15T08:53:54.133Z        ERROR   log/reporter.go:36      2021-10-15T08:53:54Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:53:54.785Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs
2021-10-15T08:54:00.792Z        INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs

If I try with the container name, I get:

2021-10-15T08:59:23.817Z        ERROR   log/reporter.go:36      2021-10-15T08:59:23Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - x509: certificate is not valid for any names, but wanted to match elasticsearch03 - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:59:23.932Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match elasticsearch03

Why not leave the server as https and connect the agent using the insecure flag.

Anyway, the ip addresses you are using dont match what are in your certificate.

What certificates are you using ?

Why not leave the server as https and connect the agent using the insecure flag.

how can I do that?

What certificates are you using ?

None, I didn't understand how to do that, furthermore I don't want encryption since the connection is encrypted already :slight_smile: (and in this case it's local)

set it to false or remove it so it is set to the default vale.

If you don't specify your own certificates, fleet will generates it owns which is why it runs over the https protocol. Either it uses its own or you provide them.

Yes I tried to add it because I couldn't make it work, but it's not working. Without this line, the error is:

x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs 

I wanted a way to prevent the agent from validating the certificate of ES (which I know nothing about).

It will work with the default setup, using the self-signed certificates, so you don't have to know anything about the certificates.

To ensure that communication with Fleet Server is encrypted, Fleet Server requires Elastic Agents to present a signed certificate. In a self-managed cluster, if you don’t specify certificates when you set up Fleet Server, self-signed certificates are generated automatically.

Great, so how can I make the magic happen? :smile: -D