CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

falcon-container-sensor-pull: recurrent login failures #198

Closed hazcod closed 8 months ago

hazcod commented 1 year ago

Hi,

Trying to run this script. I created a clientid with permissions 'sensor download', 'image download', 'falcon container image download'. All read.

% ./falcon-container-sensor-pull.sh --region eu-1 --type falcon-sensor --list-tags --client-id REDACTED --client-secret REDACTED
Fatal error: ERROR: /usr/local/bin/docker login failed. Error message: Error response from daemon: Get "https://registry.crowdstrike.com/v2/": unknown: This request is blocked due to recurrent login failures, please try again in 40 seconds

carlosmmatos commented 1 year ago

@hazcod I would try running the script with verbosity on to see if you can get more information as to what is going on around running docker login.

bash -x falcon-container-sensor-pull.sh --region eu-1 --type falcon-sensor --list-tags --client-id REDACTED --client-secret REDACTED

I don't think this is an API key scope issue. This issue is with your ability to use docker to log into a registry. Are you able to log in to any registries? For example, for dockerhub you can just type in docker login, enter your creds, and see what happens.

hazcod commented 1 year ago

@carlosmmatos I was wondering, because .docker/config.json only lists:

{
    "auths": {},
    "credsStore": "desktop",
....
}

hazcod commented 1 year ago

Really odd, we're getting cases where sometimes it works and sometimes it just fails to fetch the tags...

% bash -x ./falcon-container-sensor-pull.sh --client-id d07c93fa7df9448bb21da64ad4cXXXX --client-secret REDACTDED  --cid FE7DF61336C64D108D4CXXXXXX-EA  --region eu-1 --type falcon-sensor --platform x86_64 --runtime docker --copy foo.dkr.ecr.eu-west-1.amazonaws.com/falcon-sensor/falcon:latest

...

+ case "${CONTAINER_TOOL}" in
++ echo '-u fc-XXX:XXX'
++ curl -s -L 'https://registry.crowdstrike.com/v2/token?=fc-XXX&scope=repository:falcon-sensor/eu-1/release/falcon-sensor:pull&service=registry.crowdstrike.com' -K-
++ json_value token
++ KEY=token
++ num=
++ sed 's/ *$//g'
++ awk '-F[,:}]' '{for(i=1;i<=NF;i++){if($i~/token\042/){print $(i+1)}}}'
++ sed 's/^ *//g'
++ tr -d '"'
++ sed -n p
+ REGISTRYBEARER=
++ curl_command '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ local token=
++ set -- '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ '[' 1 -eq 0 ']'
++ awk -v 'RS= ' '{print}'
++ echo 'Authorization: Bearer '
++ grep ''
++ curl -s -L -H @- '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ grep x86_64
++ grep -o '[0-9a-zA-Z_\.\-]*'
++ tail -1
+ LATESTSENSOR=
+ '[' '' ']'
+ FULLIMAGEPATH=registry.crowdstrike.com/falcon-sensor/eu-1/release/falcon-sensor:
+ grep -qw skopeo /usr/local/bin/docker
+ /usr/local/bin/docker pull registry.crowdstrike.com/falcon-sensor/eu-1/release/falcon-sensor:
invalid reference format
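
Added example (not part of the thread or of falcon-scripts): the trace above keeps going after the token request returns nothing, so the empty bearer and empty tag only surface at `docker pull`. These guards stop at the first empty value and read the wait time out of the lockout message from the first post; the function names are hypothetical, the `{"token": "..."}` response shape is assumed from the `json_value token` call in the trace, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example: fail-fast guards for the steps seen in the trace.
# Function names are hypothetical, not taken from falcon-container-sensor-pull.sh.

# Print the value of "token" from a registry token response body.
# Returns 1 when the field is missing or empty, so the caller can stop
# instead of sending "Authorization: Bearer " with nothing after it.
json_token() {
    tok=$(printf '%s' "$1" |
        sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$tok" ] || return 1
    printf '%s\n' "$tok"
}

# Print the wait time from a lockout message such as
# "... please try again in 40 seconds". Returns 1 if the text does not match.
lockout_seconds() {
    secs=$(printf '%s' "$1" |
        sed -n 's/.*try again in \([0-9][0-9]*\) seconds.*/\1/p')
    [ -n "$secs" ] || return 1
    printf '%s\n' "$secs"
}

# Build "<repo>:<tag>", refusing an empty tag or one with characters outside
# the set the script greps for. Without this check the pull is attempted as
# "<repo>:" and fails with "invalid reference format".
image_ref() {
    case "$2" in
        ''|*[!0-9a-zA-Z_.-]*) return 1 ;;
    esac
    printf '%s:%s\n' "$1" "$2"
}

# Chain the checks in the order the script performs the steps.
# $1 = token response body, $2 = repository, $3 = tag picked from tags/list
# Exit status: 0 and the image reference on success, 2 = no token, 3 = no tag.
plan_pull() {
    json_token "$1" >/dev/null ||
        { echo "no bearer token in response" >&2; return 2; }
    image_ref "$2" "$3" ||
        { echo "no usable tag for $2" >&2; return 3; }
}
```

A distinct exit status per step tells a CI job whether the token request or the tag lookup failed, which the bare `invalid reference format` message does not.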

carlosmmatos commented 12 months ago

@hazcod you still seeing this issue? It does look weird from the output as to why it would be a blank tag... even stranger if it works sometimes but not all the time. I've seen strange glitches with API calls sometimes, but usually not for long.

hazcod commented 12 months ago

We've not tried again because it was so unpredictable while debugging that it got frustrating.

carlosmmatos commented 8 months ago

Closing due to inactivity. If you are still facing an issue please reopen the issue or create a new one. Thanks.