CI: Add shell cmd for windows runner and add some debug logs to help troubleshoot (#13592)

After @rfairburn made the DNS change the clouldflared tunnel started
working again (after months of being broken).

#13547

Run: https://github.com/fleetdm/fleet/actions/runs/6025182774

This PR adds some fixes to the two workflows that make use of
cloudflared.
There are still some issues to fix but these are some changes needed to
continue/help troubleshooting.

.github/workflows/fleet-and-orbit.yml

@@ -29,7 +29,7 @@ defaults:
     shell: bash
 
 env:
-  OSQUERY_VERSION: 5.5.1
+  OSQUERY_VERSION: 5.9.1
 
 permissions:
   contents: read
@@ -74,13 +74,20 @@ jobs:
       env:
         CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
       run: |
+        # Increase maximum receive buffer size to roughly 2.5 MB.
+        # Cloudflared uses quic-go. This buffer holds packets that have been received by the kernel,
+        # but not yet read by the application (quic-go in this case). Once this buffer fills up, the
+        # kernel will drop any new incoming packet.
+        # See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size.
+        sudo sysctl -w net.core.rmem_max=2500000
+
         # Install cloudflared
         wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
         sudo dpkg -i cloudflared-linux-amd64.deb
         # Add secret
         echo "$CERT_PEM" | base64 -d > cert.pem
         # Start tunnel
-        cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} &
+        cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} --logfile cloudflared.log &
         until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
           echo "Awaiting tunnel ready..."
           sleep 5
@@ -124,6 +131,7 @@ jobs:
           sleep 30
         done
         ./build/fleetctl get hosts
+        ./build/fleetctl get hosts --json
         echo "Success! $EXPECTED hosts enrolled."
 
     - name: Cleanup tunnel
@@ -138,6 +146,13 @@ jobs:
         path: |
           fleet_log
 
+    - name: Upload cloudflared logs
+      if: always()
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      with:
+        name: cloudflared.log
+        path: cloudflared.log
+
   # Sets the enroll secret of the Fleet server.
   #
   # This job also makes sure the Fleet server is up and running.
@@ -393,7 +408,7 @@ jobs:
 
   orbit-windows:
     timeout-minutes: 60
-    needs: [run-tuf-and-gen-pkgs]
+    needs: [gen, run-tuf-and-gen-pkgs]
     runs-on: windows-latest
     steps:
 

.github/workflows/integration.yml

@@ -45,13 +45,20 @@ jobs:
       env:
         CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
       run: |
+        # Increase maximum receive buffer size to roughly 2.5 MB.
+        # Cloudflared uses quic-go. This buffer holds packets that have been received by the kernel,
+        # but not yet read by the application (quic-go in this case). Once this buffer fills up, the
+        # kernel will drop any new incoming packet.
+        # See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size.
+        sudo sysctl -w net.core.rmem_max=2500000
+
         # Install cloudflared
         wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
         sudo dpkg -i cloudflared-linux-amd64.deb
         # Add secret
         echo "$CERT_PEM" | base64 -d > cert.pem
         # Start tunnel
-        cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} &
+        cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} --logfile cloudflared.log &
         until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
           echo "Awaiting tunnel ready..."
           sleep 5
@@ -86,7 +93,7 @@ jobs:
           echo " / $EXPECTED"
           sleep 10
         done
-        ./build/fleetctl get hosts
+        ./build/fleetctl get hosts --json
         echo "Success! $EXPECTED hosts enrolled."
 
     - name: Slack Notification
@@ -114,6 +121,13 @@ jobs:
       if: always()
       run: cloudflared tunnel --origincert cert.pem delete --force ${{ needs.gen.outputs.subdomain }}
 
+    - name: Upload cloudflared logs
+      if: always()
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      with:
+        name: cloudflared.log
+        path: cloudflared.log
+
   login:
    runs-on: ubuntu-latest
    needs: gen
@@ -146,7 +160,7 @@ jobs:
         echo "token=$TOKEN" >> $GITHUB_OUTPUT
 
   orbit-macos:
-    timeout-minutes: 15
+    timeout-minutes: 10
     strategy:
       matrix:
         orbit-channel: [ 'stable', 'edge' ]
@@ -197,7 +211,7 @@ jobs:
         ./orbit/tools/cleanup/cleanup_macos.sh
 
   orbit-ubuntu:
-    timeout-minutes: 15
+    timeout-minutes: 10
     strategy:
       matrix:
         orbit-channel: [ 'stable', 'edge' ]
@@ -257,7 +271,7 @@ jobs:
         sudo apt remove fleet-osquery -y
 
   orbit-windows-build:
-    timeout-minutes: 15
+    timeout-minutes: 10
     strategy:
       matrix:
         orbit-channel: [ 'stable', 'edge' ]
@@ -288,7 +302,7 @@ jobs:
         path: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
 
   orbit-windows:
-    timeout-minutes: 15
+    timeout-minutes: 10
     strategy:
       matrix:
         orbit-channel: [ 'stable', 'edge' ]
@@ -308,8 +322,8 @@ jobs:
       with:
         name: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
 
-
     - name: Install Orbit
+      shell: cmd
       run: |
         msiexec /i ${{steps.download.outputs.download-path}}\orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi /quiet /passive /lv log.txt
         sleep 30
@@ -318,6 +332,13 @@ jobs:
     # overlap and we can't control the hostnames. Instead we just return and have the run-server job
     # wait until the expected number of hosts enroll.
 
+    - name: Upload orbit install log
+      if: always()
+      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
+      with:
+        name: msiexec-install-log
+        path: log.txt
+
     - name: Upload Orbit logs
       if: always()
       uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2

tools/tuf/test/create_repository.sh

@@ -29,7 +29,7 @@ SWIFT_DIALOG_MACOS_APP_VERSION=2.1.0
 SWIFT_DIALOG_MACOS_APP_BUILD_VERSION=4148
 
 if [[ -z "$OSQUERY_VERSION" ]]; then
-    OSQUERY_VERSION=5.8.1
+    OSQUERY_VERSION=5.9.1
 fi
 
 mkdir -p $TUF_PATH/tmp