fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
3.01k stars 418 forks

Bootstrap package and fleetd are not sent if the server has a DB replica configured #11604

Closed roperzh closed 1 year ago

roperzh commented 1 year ago

Fleet version: 4.31.0

🧑‍💻  Expected behavior

All DEP enrolled devices receive a bootstrap package (if uploaded) and the fleetd agent on unboxing

💥  Actual behavior

Machines are correctly enrolled in MDM but we never send the commands to install both packages if a database replica is configured in the Fleet server.

👣 Reproduction steps

  1. Configure a cloud instance with a database replica for reads
  2. Assign a DEP device to this Fleet instance in ABM
  3. Enroll the machine

More info

On Authenticate, we store information about the device using the database writer:

https://github.com/fleetdm/fleet/blob/c460e70e94c855ee18917f811bb5e09bf775b3a6/server/service/apple_mdm.go#L2187-L2189

On TokenUpdate we try to read information about the device using the replica:

https://github.com/fleetdm/fleet/blob/c460e70e94c855ee18917f811bb5e09bf775b3a6/server/service/apple_mdm.go#L2218-L2221

There's a race condition where we try to read the information before it has propagated to the replica. From the logs:

level=info ts=2023-05-04T20:45:04.224859044Z component=http-mdm-apple-mdm id=<redacted> type=Device sub_service=1 err=": MDM <redacted> was not found in the datastore"
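
The read-after-write race described above, as an added example that is not Fleet's own code: a constructed in-memory model of a primary plus an asynchronous read replica, with Authenticate writing the device row and TokenUpdate reading it back before replication has caught up. The `RequirePrimary` context helper is an assumption standing in for whatever mechanism routes a specific read to the writer connection; it is not Fleet's API, and the UDID and serial values are constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
)

// ErrNotFound mirrors the "was not found in the datastore" failure seen in the logs.
var ErrNotFound = errors.New("MDM device was not found in the datastore")

// device is a minimal stand-in for the host row that Authenticate persists.
type device struct {
	UDID   string
	Serial string
}

// replicatedStore is a constructed model of a primary plus an asynchronous
// read replica: writes land on the primary immediately and reach the replica
// only when Replicate is called. It is not Fleet's datastore.
type replicatedStore struct {
	mu      sync.Mutex
	primary map[string]device
	replica map[string]device
	pending []device // writes the replica has not applied yet
}

func newReplicatedStore() *replicatedStore {
	return &replicatedStore{
		primary: map[string]device{},
		replica: map[string]device{},
	}
}

// Write persists on the primary and queues the row for replication.
func (s *replicatedStore) Write(d device) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.primary[d.UDID] = d
	s.pending = append(s.pending, d)
}

// Replicate applies all queued writes to the replica, standing in for the
// replication lag that a real replica closes on its own schedule.
func (s *replicatedStore) Replicate() {
	s.mu.Lock()
	defer s.mu.Unlock()
	for _, d := range s.pending {
		s.replica[d.UDID] = d
	}
	s.pending = nil
}

// primaryKey marks a context whose reads must be served by the primary.
type primaryKey struct{}

// RequirePrimary is an assumed helper (not Fleet's API) that tags a context so
// read-after-write paths skip the replica.
func RequirePrimary(ctx context.Context) context.Context {
	return context.WithValue(ctx, primaryKey{}, true)
}

// Read consults the replica unless the context requires the primary.
func (s *replicatedStore) Read(ctx context.Context, udid string) (device, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	table := s.replica
	if v, _ := ctx.Value(primaryKey{}).(bool); v {
		table = s.primary
	}
	d, ok := table[udid]
	if !ok {
		return device{}, fmt.Errorf("udid %s: %w", udid, ErrNotFound)
	}
	return d, nil
}

// enroll replays the two MDM check-in steps from the issue back to back:
// Authenticate writes the device, then TokenUpdate reads it again before any
// replication has happened. readFromPrimary selects the mitigation.
func enroll(s *replicatedStore, readFromPrimary bool) error {
	udid := "UDID-EXAMPLE-0001"                        // constructed sample value
	s.Write(device{UDID: udid, Serial: "SERIAL-EXAMPLE"}) // Authenticate
	ctx := context.Background()
	if readFromPrimary {
		ctx = RequirePrimary(ctx)
	}
	_, err := s.Read(ctx, udid) // TokenUpdate
	return err
}

func main() {
	fmt.Println("replica read:", enroll(newReplicatedStore(), false))
	fmt.Println("primary read:", enroll(newReplicatedStore(), true))
}
```

Running it prints the wrapped not-found error for the replica path and `<nil>` for the primary path. The point for a defender reviewing this class of bug: any handler that reads a row the immediately preceding request wrote must either pin that read to the primary or tolerate (retry on) a stale replica, and a log line like the one above with `was not found in the datastore` shortly after an enrollment write is the signal to look for.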

fleet-release commented 1 year ago

Database replica fix, Fleet unboxing seamless, Nature's harmony.