orb
Agents: when an agent is provisioned through a config file without auto_provision, with agent tags that match existing groups, the agent fails to subscribe to the groups
Steps to reproduce:
- Create an agent on orb without any orb tags
- Create a group on orb (in this example the group has tag `test:policy`)
- Provision the agent using a config file using agent tags that match the group:

Your config file must be like this and you must save it as agent.yaml on orb root path (you can change it, but you will need to make the necessary adaptations):

**important:** put your network on `iface: eth0` if you are not using eth0.
```yaml
orb:
  backends:
    pktvisor:
      api_port: '46545'
      binary: /usr/local/sbin/pktvisord
      config_file: /usr/local/orb/agent.yaml
  cloud:
    api:
      address: https://stg.orb.live
    mqtt:
      address: tls://stg.orb.live:8883
      id: "f2ff2f13-0bce-4364-b66b-a45dbd25b5ca"
      key: "7e0fd8c3-95dc-4c71-8bb4-67efd6ed43f5"
      channel_id: "4154c5bc-725e-4ce1-9ea4-95f2230f45aa"
  tags:
    test: policy
  tls:
    verify: true
version: '1.0'
visor:
  taps:
    default_pcap:
      config:
        iface: eth0
      input_type: pcap
```
Use this command to provision your agent:

```sh
docker run -d -v /<path_to_orb>/orb:/usr/local/orb --net=host ns1labs/orb-agent:develop run -c /usr/local/orb/agent.yaml
```
Expected behavior:
- Agent must be online and subscribed to the group created previously
- Check thread and fix suggestion: -- https://ns1labs.slack.com/archives/C01UNG6UK37/p1662573661293519?thread_ts=1662573347.256709&cid=C01UNG6UK37
Current behavior:
- Agent fails to connect to subscribe to groups
Full logs:
https://app.zenhub.com/files/340174841/574dc21d-7bb2-494a-8cba-640997828636/download
Please unmute these scenarios when the issue is solved:
- agent with only agent tags subscription to a group with policies created before provision the agent (config file - auto_provision=false)
- agent with mixed tags subscription to a group with policies created before provision the agent (config file - auto_provision=false)
@manrodrigues In the comment above, add the files and lines like this "something.feature:232", so it is more accurate.
@mclcavalcante I think this has the higher priority
This is probably because of the way we handle the agent tags in Orb. This needs investigating, the root cause is in the fleet, somewhere when the fleet receives the capabilities of the agent, something fails. I would start there.
The issue is around the channel connection. The agent receives back which topic it has to subscribe to but fails because it isn't connected to the group channel. https://netdev-community.slack.com/archives/C041B9204CF/p1671126785235799
@weyrick hey, so we found the issue and we have a trade-off here
We want to connect the agent with the group using agent-tags, from config-file. To be able to connect the group, we use the mainflux-sdk Connect method, which requires a token, generated by the login of the user, usually.
So, my thoughts, we generate a 2 step, we include an action that the user can "accept" or "deny" the group membership, for the agents with that tag. With that approve/deny, we make it easier for the user, and we can use the session's token to connect with mainflux.
how is making the mainflux sdk call to do this any different from the way we do it for orb tags?
because the mainflux-sdk Connect method `Connect(conns ConnectionIDs, token string) errors.SDKError` needs a token, which is why we can't call it while handling capabilities or any other internal action only triggered by the agent. Managing orb tags always starts with the user on UI or API calls, both issuing a token.
And by orb-tags we always pass this token down to mfsdk in all scenarios of the group membership. when we edit/create agent changing tags, when we edit/create group changing tags.
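
The two-step approve/deny flow proposed in this thread, sketched as an added example (not code from the Orb project or from any participant): the agent-triggered path only queues the membership, and `Connect` runs only when a user decision supplies the session token. `Fleet`, `Pending`, `OnCapabilities`, `Decide`, `ConnectFunc`, the `ConnectionIDs` field names and the plain `error` return are assumptions; the IDs and token are constructed.

```go
package main

import "fmt"

// ConnectionIDs and ConnectFunc mirror the Connect signature quoted in the thread;
// the field names and the plain error return are assumptions of this sketch.
type ConnectionIDs struct{ ChannelIDs, ThingIDs []string }
type ConnectFunc func(conns ConnectionIDs, token string) error

// Pending is a membership requested through agent tags, not yet authorized by a user.
type Pending struct{ AgentThingID, GroupChannelID string }

type Fleet struct {
	Connect ConnectFunc
	Queue   map[Pending]bool
}

// OnCapabilities handles an agent-triggered event. No user token exists here,
// so matching groups are only queued; Connect is never called.
func (f *Fleet) OnCapabilities(agentThingID string, groupChannels []string) {
	for _, ch := range groupChannels {
		f.Queue[Pending{agentThingID, ch}] = true
	}
}

// Decide handles a user-initiated UI/API call, which carries the session token.
func (f *Fleet) Decide(p Pending, approve bool, userToken string) error {
	if !f.Queue[p] {
		return fmt.Errorf("no pending membership for %+v", p)
	}
	if userToken == "" {
		return fmt.Errorf("user token required")
	}
	if approve {
		conns := ConnectionIDs{ChannelIDs: []string{p.GroupChannelID}, ThingIDs: []string{p.AgentThingID}}
		if err := f.Connect(conns, userToken); err != nil {
			return fmt.Errorf("connect: %w", err) // request stays queued for a retry
		}
	}
	delete(f.Queue, p)
	return nil
}

func main() {
	f := &Fleet{Queue: map[Pending]bool{}, Connect: func(ConnectionIDs, string) error { return nil }}
	f.OnCapabilities("agent-thing-1", []string{"group-channel-1"}) // constructed IDs
	fmt.Println("approve:", f.Decide(Pending{"agent-thing-1", "group-channel-1"}, true, "session-token"))
}
```

A denied request is removed from the queue without any `Connect` call, and a second decision on the same request is rejected because it is no longer pending.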