Elastic-agent install -f

Greetings
I'm trying to set up fleet. All along the doc I see:

elastic-agent install -f 

but the -f flag is not documented anywhere (and makes the elastic-agent choke in the docker version). What is it for? My goal is to use the Docker version, but I don't know what to specify in the compose file to have the agent set up itself...

Thanks in advance

Regards

Removes the interactive prompts, I believe.

Makes sense! Thanks!
Do you know which parameters to pass to the elastic-agent to have it set up inside a container?

Regards

@Greg_R

Have you looked at the container command?

Yes but I keep having error messages:

2021-10-15T08:23:46.021Z        ERROR   status/reporter.go:236  Elastic Agent status changed to: 'error'
2021-10-15T08:23:46.022Z        ERROR   log/reporter.go:36      2021-10-15T08:23:46Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - EOF - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:23:46.278Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - EOF
2021-10-15T08:23:52.286Z        INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - EOF

It says EOF but doesn't say which file :frowning:

Can you share the steps and commands you are using? Is this for the Fleet Server or Agent?

I'm trying to start the first element, which I think is the "server"?

  fleet-root:
    image: docker.elastic.co/beats/elastic-agent:7.15.0
    container_name: fleet-root
    user: root
    environment:
      - FLEET_SERVER_SERVICE_TOKEN=AAE....
      - FLEET_SERVER_POLICY_ID=5d...
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://172.20.0.2:9200
      - FLEET_SERVER_ENABLE=true
      - FLEET_SERVER_INSECURE_HTTP=true
      - FLEET_INSECURE=true
      - FLEET_ENROLL=1
      - FLEET_URL=https://10.10.11.42:8220
    expose:
      - 8220
    ports:
      - 0.0.0.0:8220:8220

I guess it has something to do with the server being accessible on https by IP. I don't know how to disable cert check (communications are already encrypted):

2021-10-15T08:53:54.133Z        ERROR   log/reporter.go:36      2021-10-15T08:53:54Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:53:54.785Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs
2021-10-15T08:54:00.792Z        INFO    cmd/enroll_cmd.go:729   Fleet Server - Error - x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs

If I try with the container name, I get:

2021-10-15T08:59:23.817Z        ERROR   log/reporter.go:36      2021-10-15T08:59:23Z - message: Application: fleet-server--7.15.0[]: State changed to FAILED: Error - x509: certificate is not valid for any names, but wanted to match elasticsearch03 - type: 'ERROR' - sub_type: 'FAILED'
2021-10-15T08:59:23.932Z        INFO    cmd/enroll_cmd.go:724   Fleet Server - Error - x509: certificate is not valid for any names, but wanted to match elasticsearch03

Why not leave the server as https and connect the agent using the insecure flag.

Anyway, the IP addresses you are using don't match what is in your certificate.

What certificates are you using?

Why not leave the server as https and connect the agent using the insecure flag.

How can I do that?

What certificates are you using?

None, I didn't understand how to do that, furthermore I don't want encryption since the connection is encrypted already :slight_smile: (and in this case it's local)

Set it to false or remove it so it is set to the default value.

If you don't specify your own certificates, Fleet will generate its own, which is why it runs over the https protocol. Either it uses its own or you provide them.

Yes I tried to add it because I couldn't make it work, but it's not working. Without this line, the error is:

x509: cannot validate certificate for 172.20.0.2 because it doesn't contain any IP SANs 

I wanted a way to prevent the agent from validating the certificate of ES (which I know nothing about).

It will work with the default setup, using the self-signed certificates, so you don't have to know anything about the certificates.

To ensure that communication with Fleet Server is encrypted, Fleet Server requires Elastic Agents to present a signed certificate. In a self-managed cluster, if you don’t specify certificates when you set up Fleet Server, self-signed certificates are generated automatically.

Great, so how can I make the magic happen? :smile: -D
