Forseti Issues, Not able to create module. Inventory is also showing zero count. Forseti Broken #3766
Comments
Thank you for opening an issue. Our team's interrupts engineer will review your issue shortly. Issue Resolution:
Hi @agupta-1, thanks for creating an issue. I recommend upgrading to the latest Forseti patch v2.25.1. There was an issue fixed with the version you are on; it might not resolve the issue, but I don't want you to run into another issue. You can upgrade with Terraform by setting the version in the Forseti configuration to I don't see any errors in the log that you sent that indicate why the inventory didn't get created. It doesn't look like you have configured the Service Account to use Domain wide delegation, which is required for scanning G Suite resources. If you do not want to scan those resources, then I recommend you also set the following variables in the Terraform config:
Please try those changes and then let me know if you are still running into issues. Instead of sharing the log file, if there are issues, you can search Stackdriver Logging for any errors coming from the VM during inventory, and include those error messages; just in case you accidentally share sensitive information.
Currently reinstalling one more time and will check. Will upload the logs as requested.
After re-installation, same issue. Inventory is not getting collected even after 14 hours.

`@forseti-server-vm-4e3a596a:~# forseti inventory list`

Forseti model list is not listing any model.

Forseti.log:

```
2020-07-02 13:06:39,767 INFO [forseti-security][2.25.0] google.cloud.forseti.services.inventory.inventory(purge): retention_days is:
```
Hi Team, can you please check and confirm. The same version which I deployed was somehow working; however, after re-deployment it is again not collecting inventory and is not able to create a module. I am already on the latest version (2.25).
I did install 2.25.1, i.e. the latest version; however, I am still facing the same issue. It is still not creating inventory and unable to create a model. Please assist.
Can you give more clarity on "Update model creation to ignore the case of the permission."? How to achieve this task?
I will be providing a fix. I might have something available today from the main branch, if not then next week; and we will provide a patch release as well.
@gkowalski-google Waiting for your update. Thanks
Hi @agupta-1, the fix has been merged into the master branch. You can deploy this version with Terraform by setting I am working on a patch release that will be out next week.
@gkowalski-google Hi, as I can see it was merged in the master branch, I went for a clean installation again. And guess what: the issue remains the same. Not sure how to resolve this now. It's almost a month.
@agupta-1 Can you provide your terraform configuration? And can you also provide the error that you are seeing?
@gkowalski-google Do you want me to provide the main.tf file?
@agupta-1 Yes, the main.tf would be helpful (please remove any sensitive info). To be sure, can you please filter the Stackdriver VM logs for errors? Some errors can be ignored, I am interested to know if you see anything like that contains
I tried with both the 5.2.0 and 5.2.1 version. Here is the main.tf file:

```hcl
module "forseti" {
  # Configure the Cloud Security Command Centre
  cscc_source_id = var.cscc_source_id
  # enabled config validator
  config_validator_enabled = var.config_validator_enabled
  # enable policy library
  # commented out as tcp/22 is not available via nat gateway
  # policy_library_sync_enabled = var.policy_library_sync_enabled
  # policy_library_repository_url = var.policy_library_repository_url
  # Enter the type of instance that you want to create. Defaults to n1-standard-2 if left empty
  server_type = var.server_type
  # Enter the locations where resources are to be created
  storage_bucket_location = "#####"
  # Tell forseti to run every 30 mins
  forseti_run_frequency = "0 */1 * * *"
  # This stops the client and server instance from getting a public ip
  client_private = "true"
  # Enter the Network details if you want the Forseti cluster to be created in a specific location. If not Forseti will create its own network environment
  network = var.network
  # Enter the tags for the instances created.
  server_tags = ["removed"]
  # Enter an IP range in CIDR notation if you want to allow ssh access to the box. OPTIONAL
  server_ssh_allow_ranges = []
  manage_rules_enabled = false

module "rules" {
  bucket_id = module.forseti.forseti-cai-storage-bucket
```

Also as per Stackdriver logs:

Error 1:

```
[forseti-security][2.25.1] google.cloud.forseti.services.inventory.crawler(visit): (pymysql.err.OperationalError) (2013, 'Lost connection to MySQL server during query') (Background on this error at: http://sqlalche.me/e/e3q8)
Traceback (most recent call last):
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 2228, in _wrap_pool_connect
    return fn()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 425, in connect
    return _ConnectionFairy._checkout(self)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 822, in _checkout
    fairy = _ConnectionRecord.checkout(pool)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 559, in checkout
    rec._checkin_failed(err)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/langhelpers.py", line 67, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/compat.py", line 277, in reraise
    raise value
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 556, in checkout
    dbapi_connection = rec.get_connection()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 683, in get_connection
    self.__connect()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 701, in __connect
    connection = pool._invoke_creator(self)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/strategies.py", line 114, in connect
    return dialect.connect(*cargs, **cparams)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/default.py", line 437, in connect
    return self.dbapi.connect(*cargs, **cparams)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/__init__.py", line 94, in Connect
    return Connection(*args, **kwargs)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 325, in __init__
    self.connect()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 599, in connect
    self._request_authentication()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 861, in _request_authentication
    auth_packet = self._read_packet()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 657, in _read_packet
    packet_header = self._read_bytes(4)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 707, in _read_bytes
    CR.CR_SERVER_LOST, "Lost connection to MySQL server during query")
pymysql.err.OperationalError: (2013, 'Lost connection to MySQL server during query')

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.1-py3.6.egg/google/cloud/forseti/services/inventory/crawler.py", line 126, in visit
    self.write(resource)
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.1-py3.6.egg/google/cloud/forseti/services/inventory/crawler.py", line 148, in write
    self.config.storage.write(resource)
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.25.1-py3.6.egg/google/cloud/forseti/services/inventory/storage.py", line 995, in write
    result = self.engine.execute(Inventory.table.insert(), resource_row)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 2143, in execute
    connection = self.contextual_connect(close_with_result=True)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 2192, in contextual_connect
    self._wrap_pool_connect(self.pool.connect, None),
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 2232, in _wrap_pool_connect
    e, dialect, self
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 1528, in _handle_dbapi_exception_noconnection
    util.raise_from_cause(sqlalchemy_exception, exc_info)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/compat.py", line 296, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb, cause=cause)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/compat.py", line 276, in reraise
    raise value.with_traceback(tb)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/base.py", line 2228, in _wrap_pool_connect
    return fn()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 425, in connect
    return _ConnectionFairy._checkout(self)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 822, in _checkout
    fairy = _ConnectionRecord.checkout(pool)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 559, in checkout
    rec._checkin_failed(err)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/langhelpers.py", line 67, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/util/compat.py", line 277, in reraise
    raise value
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 556, in checkout
    dbapi_connection = rec.get_connection()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 683, in get_connection
    self.__connect()
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/pool.py", line 701, in __connect
    connection = pool._invoke_creator(self)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/strategies.py", line 114, in connect
    return dialect.connect(*cargs, **cparams)
  File "/home/ubuntu/forseti-security/.eggs/SQLAlchemy-1.2.18-py3.6-linux-x86_64.egg/sqlalchemy/engine/default.py", line 437, in connect
    return self.dbapi.connect(*cargs, **cparams)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/__init__.py", line 94, in Connect
    return Connection(*args, **kwargs)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 325, in __init__
    self.connect()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 599, in connect
    self._request_authentication()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 861, in _request_authentication
    auth_packet = self._read_packet()
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 657, in _read_packet
    packet_header = self._read_bytes(4)
  File "/home/ubuntu/forseti-security/.eggs/PyMySQL-0.9.3-py3.6.egg/pymysql/connections.py", line 707, in _read_bytes
    CR.CR_SERVER_LOST, "Lost connection to MySQL server during query")
sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError) (2013, 'Lost connection to MySQL server during query') (Background on this error at: http://sqlalche.me/e/e3q8)
```

Error 2:
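The maintainer asked above for the VM's Stackdriver errors during inventory rather than the whole log file. As an added example (not code from this thread or from Forseti), the following parses Forseti log lines of the shape quoted in this thread, counts them per component, and tallies the root causes that would explain an empty inventory; the sample lines and the two non-MySQL patterns are constructed assumptions.

```python
import re
from collections import Counter

# Line shape taken from the Forseti log lines quoted in this thread:
#   2020-07-02 13:06:39,767 INFO [forseti-security][2.25.1] google.cloud.forseti.<module>(<func>): <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[forseti-security\]\[(?P<version>[^\]]+)\] "
    r"(?P<module>[\w.]+)\((?P<func>\w+)\): (?P<msg>.*)$"
)

# Messages that explain an inventory run writing zero resources: the MySQL
# pattern is the error quoted in this thread; the other two are assumed.
ROOT_CAUSE_PATTERNS = {
    "mysql_lost_connection": re.compile(r"Lost connection to MySQL server"),
    "permission_denied": re.compile(r"\b403\b|PERMISSION_DENIED", re.I),
    "gsuite_delegation": re.compile(r"unauthorized_client|domain.?wide delegation", re.I),
}

def parse_line(line):
    """Parse one Forseti log line; None for traceback continuation lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Count lines per (level, component) and tally root causes in WARNING-or-worse lines."""
    by_component = Counter()
    causes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # traceback frames belong to the preceding ERROR line
        component = rec["module"].rsplit(".", 1)[-1]
        by_component[(rec["level"], component)] += 1
        if rec["level"] in ("WARNING", "ERROR", "CRITICAL"):
            for name, pattern in ROOT_CAUSE_PATTERNS.items():
                if pattern.search(rec["msg"]):
                    causes[name] += 1
    return by_component, causes

# Constructed sample lines, modelled on the ones quoted in this thread.
SAMPLE_LINES = [
    "2020-07-02 13:06:39,767 INFO [forseti-security][2.25.1] google.cloud.forseti.services.inventory.inventory(purge): retention_days is: -1",
    "2020-07-02 13:07:02,101 INFO [forseti-security][2.25.1] google.cloud.forseti.services.inventory.crawler(visit): crawling organizations/000000000000",
    "2020-07-02 13:09:15,412 ERROR [forseti-security][2.25.1] google.cloud.forseti.services.inventory.crawler(visit): (pymysql.err.OperationalError) (2013, 'Lost connection to MySQL server during query')",
    "Traceback (most recent call last):",
    "2020-07-02 13:09:16,003 WARNING [forseti-security][2.25.1] google.cloud.forseti.services.inventory.crawler(visit): 403 PERMISSION_DENIED on projects/sample-project, skipping",
]
```

Feed it the output of a Stackdriver query filtered to the server VM and the `causes` counter tells you whether the crawl died on the database connection or on missing permissions before you share anything from the log.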
@agupta-1 The
@gkowalski-google I am fine to re-deploy. Hence will wait for your patch. `module "forseti" {` As you can see, version is already set to 5.2.1. Do I need to remove this one while entering `forseti_version = "master"`?
@agupta-1 Sorry for the confusion. Once the patch is released then you can just set
@agupta-1 The latest Forseti release is out to fix the model creation issue. Please upgrade at your convenience and let me know if your issue is resolved. You can upgrade with Terraform by setting the Forseti module version to
@gkowalski-google Did update; however, same issue. Apologies, however I am sure that something is wrong in the code itself which is not allowing it to create the model. If you want I can re-deploy complete Forseti once again. But I have a strong feeling it will produce the same results.
Hi @agupta-1, can you please send any errors that you are seeing in the Stackdriver logs? Can you also please schedule a meeting with me so that we can troubleshoot? My email is gkowalski at google.com. I am available now if you are.
@gkowalski-google Hi, sure, let me do a fresh install one more time with version 5.2.2 (by changing the version in main.tf) so that it will be easier for you to troubleshoot. Let me drop you a direct email to connect with the schedule.
@gkowalski-google Please find the update as of now:
`$ forseti model list`

I am not sure if the above model is completed or not, because we are still not receiving any notification in GCP Security Center (CSCC) even though it is enabled. Note: I increased the Forseti security resources to n1-standard-8 as you mentioned earlier. Let me know.
Hi @agupta-1, sorry I missed your update. Can you run
@agupta-1 Were you able to see what the model issues were? A partial success for model creation is fairly typical. There are some warnings that get reported when Forseti is trying to process the roles, and these do not break anything. If you are still not seeing any CSCC findings, can you please check the server VM logs for any errors and confirm you followed all steps to set up CSCC integration?
Hi team,
We are facing issues after deploying Forseti server.
## Forseti Version:

```python
"""Google Cloud Forseti."""
version = '2.25.0'
package_name = 'forseti-security'
```
- We are having an issue with the Inventory and Model module. Also scanner/violation is not working. Inventory is not getting collected, showing as zero. Also not able to create a Model. Even when I list, it says no model found. When I try to create a module manually, it shows as broken.
- We also applied a policy; however, it is not being scanned and not showing any violations in Security Command Center.

forseti service

- It is running.
- We deployed Forseti through Terraform code.
- Server is deployed successfully; however, when we log in to the server and run the inventory command it is not working. CSCC id was provided with correct service credentials.

Logs

- Attached are the logs:

a) forseti.log

The syslog file it is not allowing to upload as it is very big; please provide FTP.

Please assist asap.
[forseti.log](https://github.com/forseti-security/forseti-security/files/48463