CrowdStrike / aws-ssm-distributor


Install errors when running distributor on instances with the Sensor already installed #24

Closed clrosier closed 1 year ago

clrosier commented 1 year ago

Hello team! I am so excited that this finally exists as it's been difficult managing outlier instances in our AWS environment for some time now.

I am trying to run the distributor package against our entire infrastructure and it seems all of our Linux hosts are failing like so:

install errors: debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
dpkg-preconfigure: unable to re-open stdin:
CID is set, but -f was not specified
ERROR: failed to process the option --cid
Usage: falconctl -g GET_OPTIONS
falconctl -s [ -f ] SET_OPTIONS
falconctl -d [ -f ] DEL_OPTIONS
where GET_OPTIONS := { --cid for CustomerId |
--aid for AgentId |
--apd for App Proxy Disable |
--aph for App Proxy Host |
--app for App Proxy Port |
--trace for determining the configured trace level |
--pcpt preferred connection protocol type |
--feature to determine the configured sensor feature flags |
--metadata-query to determine the configured sensor cloud provider metadata query flags |
--version for version of sensor currently running |
--billing to configure the sensor billing type |
--tags for sensor grouping tags |
--provisioning-token for Provisioning Token |
--systags for system tags currently applied to a running sensor |
--backend for sensor backend |
--rfm-state for indicating whether the sensor is in Reduced Functionality Mode |
--rfm-reason to determine reason for sensor running in Reduced Functionality Mode |
--rfm-history to show history of sensor Reduced Functionality Mode reasons |
--message-log for logging messages to disk |
--logcounters for determining if Telemetry logging is enabled }
where SET_OPTIONS := { --cid="{<uuid string>}" |
--apd=true | --apd=false |
--aph=<app proxy host name> |
--app=<app proxy port> |
--trace=[none|err|warn|info|debug] |
--pcpt=[auto|ipv4|ipv6] |
--feature=[none,[enableLog[,disableLogBuffer[,disableOsfm[,emulateUpdate]]]]] |
--metadata-query=[[dis|en]able|[dis|en]ableAWS[,[dis|en]ableAzure[,[dis|en]ableGCP]]] |
--update SIGHUP the sensor for immediate trace/feature update |
--billing=[default|metered] |
--tags=<comma separated list of tags for sensor grouping> (allowed characters: all alphanumerics, '/', '-', '_', and ',') |
--provisioning-token=<provisioning token value> |
--backend=auto | --backend=bpf | --backend=kernel |
--message-log=true | --message-log=false |
--logcounters=true | --logcounters=false }
where DEL_OPTIONS := { --cid for CustomerId |
--aid for AgentId |
--apd for App Proxy Disable |
--aph for App Proxy Host |
--app for App Proxy Port |
--trace for determining the configured trace level |
--billing to configure the sensor billing type |
--tags for sensor grouping tags |
--provisioning-token for Provisioning Token |
--backend for sensor backend |
--logcounters for determining if Telemetry logging is enabled }
failed to run commands: exit status 255
Failed to install package; install status Failed

Our Linux hosts run Ubuntu 18.04 AWS EC2 instances.

It sort of seems like there may be a missing dependency on the hosts, but I am not sure. Any thoughts?

clrosier commented 1 year ago

Also, for further context, there is like a Falcon sensor already installed on 99% of our hosts through our base images being targeted.

ffalor commented 1 year ago

Hey @clrosier based on the error, it looks like this instance already has the sensor. Can you confirm this?

clrosier commented 1 year ago

Hi @ffalor that is right, this instance does have the sensor installed. Would it be possible to return success if the instance already has the sensor? It would be cool from an 'idempotence' standpoint. Also, if I were to report on failures, it would be hard to tell without digging that the installation failed just based on an already existing sensor.

ffalor commented 1 year ago

@clrosier thanks for confirming. This is exactly what I am planning to do - just need a little time to implement it.

clrosier commented 1 year ago

Perfect, really appreciate your work @ffalor , I am excited for all of the upgrades!

ffalor commented 1 year ago

Hey @clrosier this is now in place. The plan has always been for upgrades/downgrades of sensor versions to be handled by Sensor Update Policies. This integration is meant to bootstrap a version on instances. The most recent distributor package version v1.0.0 will now cleanly exit without error and print the following message:

Falcon Sensor already installed... if you want to update or downgrade, please use Sensor Update Policies in the CrowdStrike console. 
Please see: https://falcon.crowdstrike.com/documentation/66/sensor-update-policies for more information.
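The idempotent behaviour requested and confirmed in this thread, shown as an added shell example; it is not the distributor package's own script. The `/opt/CrowdStrike/falconctl` path, the `cid=` output format of `falconctl -g --cid`, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-install guard so a fleet-wide run reports success on
# hosts that already have a configured sensor, instead of exit status 255.

# Assumption: default Linux sensor location; override FALCONCTL to test.
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"

# Return 0 if falconctl exists and reports a CID, 1 otherwise.
sensor_already_configured() {
    [ -x "$FALCONCTL" ] || return 1
    # GET form from the usage text above; it never needs -f, so it cannot
    # trigger the "CID is set, but -f was not specified" error.
    out=$("$FALCONCTL" -g --cid 2>/dev/null) || return 1
    case "$out" in
        *cid=*) return 0 ;;   # assumed output shape: cid="<value>"
        *)      return 1 ;;   # binary present but no CID registered yet
    esac
}

# Print "skip" or "install" so callers and reports can see the decision.
bootstrap_action() {
    if sensor_already_configured; then
        echo "skip"
    else
        echo "install"
    fi
}

# Hypothetical placeholder for the real package install and CID registration.
install_sensor() {
    echo "installing and registering sensor (placeholder step)"
}

# Entry point: succeed without changes when the sensor is already present.
bootstrap() {
    if [ "$(bootstrap_action)" = "skip" ]; then
        echo "Falcon Sensor already installed; version changes belong to Sensor Update Policies."
        return 0
    fi
    install_sensor
}

# Run only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    bootstrap
fi
```
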