Hi everyone, does anyone else has issues when registering an extension when restarting osquery? On a subset of our hosts, we see this log

"Refusing to register duplicate extension "

in osqueryd syslogs. It comes from ExtensionManagerInterface::registerExtension. The issue usually solves itself after a few retries, but not always.

That sounds a bit like https://github.com/osquery/osquery/issues/7118 which has been fixed in HEAD.

thanks, I don't think it is though, the problem is the reverse: a new extension process cannot come up after the previous one died. Let me dig up and scrap some log sequence (apologies for wall of text):

extensions.cpp:] Found autoloadable extension: 
watcher.cpp:] Created and monitoring extension child (18659): 
interface.cpp:] Extension manager service starting: /var/osquery/osquery.em
our extension logs it's starting with pid 18659
 interface.cpp:] Registering extension (ais_audit_client, 36068, version=, sdk=)
our extension logs it dies
watcher.cpp:] Created and monitoring extension child (18840): 
interface.cpp:] Refusing to register duplicate extension
our extension, through osquery-go shows the error status 1 registering extension: Duplicate extension registered

I think the issue comes from the following sequence of events: 1. osqueryd starts an extension and a watcher that will ping the extension regularly to see if it's still alive 2. the extension name is added to osqueryd's register (the uuid is not relevant here) 3. for "reason" the extension dies and shuts down properly 4. the extension is restarted and tries to register its name and be granted a uuid 5. the watcher hasn't had time to try to ping and remove the old extension from the register 6. the error shows up.

Note that the URL is internal to your Corp

I assume you pinged me because a lot of that `git blame`s to me? 😉 I don't think there's a specific reason it's missing... IIRC we modeled much of osquery-go off of osquery-python and I see that while osquery-python does include the method there's no automatic call to it there either.

I suggested you get pinged since you wrote most of it :)

Apologies for the internal link, it should be https://github.com/osquery/osquery/blob/master/osquery/extensions/interface.h#L65-L78 @zwass for the ping: @seph is right, it because you're famous in that part of osquery land. I'll send a PR this way soon.

Haha! Please feel free to tag me in that PR for review.

Pasting the deleted message above with one with the correct links to keep context: Though for the most part osquery-go works great, this duplicate problem is very annoying in parts of our deployment. In tests, I can fix it if I implement the

deregisterExtension

endpoint mentioned in the osquery specs https://github.com/osquery/osquery/blob/master/osquery/extensions/interface.h#L65-L78, but missing from the osquery-go library https://github.com/osquery/osquery-go/blob/master/client.go#L14-L23. I'd be happy to share what I have done, but also wondering if there is a good reason it is missing in the first place

No I don't think there's a good reason.