Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143
fleet/orbit/pkg/packaging/packaging.go

323 lines
12 KiB
Go
Raw Normal View History

added package command from orbit as fleetctl command (#1802) * added package command from orbit as fleetctl command * update deployment docs * add changes file * added tests for package command, run go mod tidy & go mod verify * validate that package files exist * comment out msi packaging test until we can investigate github runner permission issues
2021-09-09 05:34:12 +00:00
// Package packaging provides tools for building Orbit installation packages.
update documentation of orbit/pkg/packaging (#6819) This updates the documentation of orbit/pkg/packaging mainly to note that the exported functions are not safe for concurrent usage (subject to change.)
2022-07-25 23:14:20 +00:00
//
// The functions exported by this package are not safe for concurrent use at
// the moment.
Refactor Deb functionality into packaging package
2021-02-08 23:55:36 +00:00
package packaging
macOS packaging works with launchd
2021-02-17 02:05:18 +00:00
import (
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
_ "embed"
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
"encoding/json"
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
"fmt"
macOS packaging works with launchd
2021-02-17 02:05:18 +00:00
"os"
"path/filepath"
Make Orbit update interval configurable (#5032) * Make Orbit update interval configurable - Also increase default interval from 10s to 15m * Add update-interval configuration to fleetctl package (#5050) Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2022-04-11 20:42:36 +00:00
"time"
macOS packaging works with launchd
2021-02-17 02:05:18 +00:00
Make creating dirs and files more secure by checking permissions (#1566) * Add safe mkdirall and open * Use secure as much as possible and merge gomodules for orbit to fleet * Improve openfile and mkdirall to check for permissiveness instead of equality * Don't shift * Fix links * Address review comments
2021-08-11 14:02:22 +00:00
"github.com/fleetdm/fleet/v4/orbit/pkg/constant"
"github.com/fleetdm/fleet/v4/orbit/pkg/update"
"github.com/fleetdm/fleet/v4/orbit/pkg/update/filestore"
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
"github.com/fleetdm/fleet/v4/pkg/file"
Add fleetctl debug connection command (#1706) Adds the `fleetctl debug connection` command to investigate connection issues to the fleet server. Closes #1579 .
2021-08-24 12:50:03 +00:00
"github.com/fleetdm/fleet/v4/pkg/secure"
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
"github.com/rs/zerolog/log"
macOS packaging works with launchd
2021-02-17 02:05:18 +00:00
)
Refactor Deb functionality into packaging package
2021-02-08 23:55:36 +00:00
// Options are the configurable options provided for the package.
type Options struct {
// FleetURL is the URL to the Fleet server.
FleetURL string
// EnrollSecret is the enroll secret used to authenticate to the Fleet
// server.
EnrollSecret string
Partial progress on macOS packaging
2021-02-09 03:23:50 +00:00
// Version is the version number for this package.
Version string
// Identifier is the identifier (eg. com.fleetdm.orbit) for the package product.
Identifier string
Refactor Deb functionality into packaging package
2021-02-08 23:55:36 +00:00
// StartService is a boolean indicating whether to start a system-specific
// background service.
StartService bool
// Insecure enables insecure TLS connections for the generated package.
Insecure bool
Code signing and Notarization for macOS
2021-02-17 21:25:56 +00:00
// SignIdentity is the codesigning identity to use (only macOS at this time)
SignIdentity string
Make macOS notarization optional for packaging
2021-02-18 00:22:03 +00:00
// Notarize sets whether macOS packages should be Notarized.
Notarize bool
Add mTLS support to fleetd (#11319) #7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 11:44:39 +00:00
// FleetCertificate is a file path to a Fleet server certificate to include in the package.
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
FleetCertificate string
Add mTLS support to fleetd (#11319) #7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 11:44:39 +00:00
// FleetTLSClientCertificate is a file path to a client certificate to use when
// connecting to the Fleet server.
//
// If set, then FleetTLSClientKey must be set too.
FleetTLSClientCertificate string
// FleetTLSClientKey is a file path to a client private key to use when
// connecting to the Fleet server.
//
// If set, then FleetTLSClientCertificate must be set too.
FleetTLSClientKey string
// FleetDesktopAlternativeBrowserHost is an alternative host:port to use for Fleet Desktop in the browser.
//
// This may be required when using TLS client authentication for connecting to Fleet via a proxy.
// Otherwise users would need to configure client certificates on their browsers.
//
// If not set, then FleetURL is used instead.
FleetDesktopAlternativeBrowserHost string
Allow disabling auto updates in `fleetctl package` and `orbit` (#4296) * Add disable-updates flag to fleetctl and orbit * Fix ruleguard execution error on make lint-go * Introduce dev-mode for ease of development of orbit * Add changes file
2022-02-18 18:42:39 +00:00
// DisableUpdates disables auto updates on the generated package.
DisableUpdates bool
Use symlink for current orbit binary
2021-03-02 19:24:32 +00:00
// OrbitChannel is the update channel to use for Orbit.
OrbitChannel string
Add support for configuring update channels in packaging
2021-03-10 00:27:35 +00:00
// OsquerydChannel is the update channel to use for Osquery (osqueryd).
OsquerydChannel string
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
// DesktopChannel is the update channel to use for the Fleet Desktop application.
DesktopChannel string
Make update server URL configurable Configurable in both packaging and orbit invocations
2021-03-10 22:42:02 +00:00
// UpdateURL is the base URL of the update server (TUF repository).
UpdateURL string
Take update root keys as a packaging flag (#8) This allows specifying the root key metadata which was the remaining requirement to allow working with a self-hosted update server.
2021-03-23 00:38:32 +00:00
// UpdateRoots is the root JSON metadata for update server (TUF repository).
UpdateRoots string
Add mTLS support to fleetd (#11319) #7970 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-04-27 11:44:39 +00:00
// UpdateTLSServerCertificate is a file path to an update server certificate to include in the package.
UpdateTLSServerCertificate string
// UpdateTLSClientCertificate is a file path to a client certificate to use when
// connecting to the update server.
//
// If set, then UpdateTLSClientKey must be set too.
UpdateTLSClientCertificate string
// UpdateTLSClientKey is a file path to a client private key to use when
// connecting to the update server.
//
// If set, then UpdateTLSClientCertificate must be set too.
UpdateTLSClientKey string
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
// OsqueryFlagfile is the (optional) path to a flagfile to provide to osquery.
OsqueryFlagfile string
Add debug flag support for packaging
2021-03-09 23:22:17 +00:00
// Debug determines whether to enable debug logging for the agent.
Debug bool
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
// Desktop determines whether to package the Fleet Desktop application.
Desktop bool
Make Orbit update interval configurable (#5032) * Make Orbit update interval configurable - Also increase default interval from 10s to 15m * Add update-interval configuration to fleetctl package (#5050) Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2022-04-11 20:42:36 +00:00
// OrbitUpdateInterval is the interval that Orbit will use to check for updates.
OrbitUpdateInterval time.Duration
Amend `fleetctl package` to support `/var/lib` legacy orbit (legacy would mean <= 0.0.11) (#5532) * Add logs to troubleshoot orbit * Run journalctl on a different step * Add legacy orbit support to opt version of fleetctl * Fix macos logs permission error * Checkout repository * Compile fleetctl from branch
2022-05-03 19:46:02 +00:00
// LegacyVarLibSymlink indicates whether Orbit is legacy (< 0.0.11),
// which assumes it is installed under /var/lib.
LegacyVarLibSymlink bool
implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`.
2022-07-11 12:49:13 +00:00
// Native tooling is used to determine if the package should be built
// natively instead of via Docker images.
NativeTooling bool
add support for notarization in fleetdm/fleetctl images (#6818) #6674
2022-07-25 23:06:10 +00:00
// MacOSDevIDCertificateContent is a string containing a PEM keypair used to
// sign a macOS package via NativeTooling
MacOSDevIDCertificateContent string
// AppStoreConnectAPIKeyID is the Appstore Connect API key provided by Apple
AppStoreConnectAPIKeyID string
// AppStoreConnectAPIKeyIssuer is the issuer of App Store API Key
AppStoreConnectAPIKeyIssuer string
// AppStoreConnectAPIKeyContent is the content of the App Store API Key
AppStoreConnectAPIKeyContent string
explicitly enable orbit to read config from the system (#10980) in #10134 we added a silent mechanism to try to read configuration values from macOS configuration profiles if --fleet-url and --enroll-secret weren't present. while using this logic to test #9459 I have found that there's a race condition where sometimes `fleetd` is installed before the configuration profile with the values delivered by Fleet, causing orbit to get stuck forever. I added logic to loop every 30 seconds and try to fetch the values again if none are found, but I didn't felt comfortable adding this logic without also adding an extra flag to explicitly enable this behavior.
2023-04-05 18:02:18 +00:00
// UseSystemConfiguration tells fleetd to try to read FleetURL and
// EnrollSecret from a system configuration that's present on the host.
// Currently only macOS profiles are supported.
UseSystemConfiguration bool
Allow to configure `fleetd` for script execution (#13564) Related to #13310 and #13304 this adds two ways to enable script execution in `fleetd` (the orbit component) - By building a package with `--enable-scripts` - By providing a setting via a configuration profile (macOS only) Due to how the profile assignment works, this change automatically updates the `com.fleetdm.fleetd.config` for hosts that already have the profile installed. > [!NOTE] > Documentation is in [#13577](https://github.com/fleetdm/fleet/pull/13577) to decouple reviews.
2023-08-30 13:18:34 +00:00
// EnableScripts enables script execution on the agent.
EnableScripts bool
Add ability for `fleetctl package` to use local WiX v3 binaries when generating installer .msi (#14033)
2023-09-22 15:49:01 +00:00
// LocalWixDir uses a Windows machine's local WiX installation instead of a containerized
// emulation to build an MSI fleetd installer
LocalWixDir string
Allow enrolling fleetd using osquery's `instance` identifier (#15570) #14879 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2023-12-15 18:26:32 +00:00
// HostIdentifier is the host identifier to use in osquery.
HostIdentifier string
Fix backward compatibility bug with Windows MSI END_USER_EMAIL (#20116) #19219 Fix unreleased backward compatibility bug with Windows MSI END_USER_EMAIL # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Manual QA for all new/changed functionality
2024-07-01 15:49:59 +00:00
// EnableHostIdentifierProperty is a boolean indicating whether to enable END_USER_EMAIL property in Windows MSI package.
EnableEndUserEmailProperty bool
Custom email device-mapping: implement the CLI (fleetd + fleetctl) changes (#15763) Co-authored-by: Sarah Gillespie <73313222+gillespi314@users.noreply.github.com>
2023-12-21 17:22:59 +00:00
// EndUserEmail is the email address of the end user that uses the host on
// which the agent is going to be installed.
EndUserEmail string
Enroll secret in macOS keychain and Windows Credential Manager (#16068) #13832 For macOS hosts, fleetd now stores and retrieves enroll secret from macOS keychain. - this feature must use the official signed and notarized version of fleetd - for contributors, this feature can disabled with either: - fleetctl package flag: --disable-keystore - fleetd runtime flag: --disable-keystore This feature does not cover the MDM usecase where enroll secret is stored in the MDM profile. This usecase will hopefully be worked on next sprint with the MDM team. For Windows hosts, fleetd now stores and retrieves enroll secret from Windows Credential Manager. # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Added/updated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-01-16 12:51:37 +00:00
// DisableKeystore disables the use of the keychain on macOS and Credentials Manager on Windows
DisableKeystore bool
Allow custom osquery database on fleetd (#16554) #16014 - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-02-05 12:41:06 +00:00
// OsqueryDB is the directory to use for the osquery database.
// If not set, then the default is `$ORBIT_ROOT_DIR/osquery.db`.
OsqueryDB string
Add support for Linux ARM64 (#19931) #1845 Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com>
2024-07-17 20:07:59 +00:00
// Architecture that the package is being built for. (amd64, arm64)
Architecture string
Orbit for Windows ARM64 (#27882) #27275 and #27274 - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)). - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). --------- Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2025-04-11 14:18:28 +00:00
// TUF platform name. windows, windows-arm64, linux, linux-arm64, darwin
NativePlatform string
Adding optional parameter outfile to fleetctl package (#29579) Fixes #29581 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [ ] If database migrations are included, checked table schema to confirm autoupdate - For new Fleet configuration settings - [ ] Verified that the setting can be managed via GitOps, or confirmed that the setting is explicitly being excluded from GitOps. If managing via Gitops: - [ ] Verified that the setting is exported via `fleetctl generate-gitops` - [ ] Added the setting to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [ ] Verified that any relevant UI is disabled when GitOps mode is enabled - For database migrations: - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [ ] Added/updated automated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). - [ ] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2025-06-12 15:25:40 +00:00
// CustomOutfile is the custom output file name for the package.
CustomOutfile string
Rename flags and types for TPM work (#31176) Victor suggested the following renames on previous PRs: - Consider updating TEE terminology to SecureHW or TPM. - https://fleetdm.slack.com/archives/C084F4MKYSJ/p1752834365688019?thread_ts=1752600813.175889&cid=C084F4MKYSJ
2025-07-23 17:30:44 +00:00
// FleetManagedHostIdentityCertificate configures fleetd to use TPM-backed key to sign HTTP requests.
FleetManagedHostIdentityCertificate bool
Refactor Deb functionality into packaging package
2021-02-08 23:55:36 +00:00
}
macOS packaging works with launchd
2021-02-17 02:05:18 +00:00
Add support for Linux ARM64 (#19931) #1845 Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com> Co-authored-by: Roberto Dip <rroperzh@gmail.com>
2024-07-17 20:07:59 +00:00
const (
ArchAmd64 string = "amd64"
ArchArm64 string = "arm64"
)
Updates and fixes for packaging (#2682) - Fix Windows MSI generation by changing permissions (#2655). - Refactor temp directory initialization. - Use root user for Wine in WiX Docker container. - Support .pkg packaging on Linux without dependencies (besides Docker)
2021-10-27 23:17:41 +00:00
func initializeTempDir() (string, error) {
// Initialize directories
chore: remove refs to deprecated io/ioutil (#14485) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes (docs/Using Fleet/manage-access.md) - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-10-27 18:28:54 +00:00
tmpDir, err := os.MkdirTemp("", "orbit-package")
Updates and fixes for packaging (#2682) - Fix Windows MSI generation by changing permissions (#2655). - Refactor temp directory initialization. - Use root user for Wine in WiX Docker container. - Support .pkg packaging on Linux without dependencies (besides Docker)
2021-10-27 23:17:41 +00:00
if err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return "", fmt.Errorf("failed to create temp dir: %w", err)
Updates and fixes for packaging (#2682) - Fix Windows MSI generation by changing permissions (#2655). - Refactor temp directory initialization. - Use root user for Wine in WiX Docker container. - Support .pkg packaging on Linux without dependencies (besides Docker)
2021-10-27 23:17:41 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
if err := os.Chmod(tmpDir, 0o755); err != nil {
Updates and fixes for packaging (#2682) - Fix Windows MSI generation by changing permissions (#2655). - Refactor temp directory initialization. - Use root user for Wine in WiX Docker container. - Support .pkg packaging on Linux without dependencies (besides Docker)
2021-10-27 23:17:41 +00:00
_ = os.RemoveAll(tmpDir)
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return "", fmt.Errorf("change temp directory permissions: %w", err)
Updates and fixes for packaging (#2682) - Fix Windows MSI generation by changing permissions (#2655). - Refactor temp directory initialization. - Use root user for Wine in WiX Docker container. - Support .pkg packaging on Linux without dependencies (besides Docker)
2021-10-27 23:17:41 +00:00
}
log.Debug().Str("path", tmpDir).Msg("created temp directory")
return tmpDir, nil
}
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
type UpdatesData struct {
OrbitPath string
OrbitVersion string
OsquerydPath string
OsquerydVersion string
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
DesktopPath string
DesktopVersion string
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}
func (u UpdatesData) String() string {
return fmt.Sprintf(
"orbit={%s,%s}, osqueryd={%s,%s}",
u.OrbitPath, u.OrbitVersion,
u.OsquerydPath, u.OsquerydVersion,
)
}
func InitializeUpdates(updateOpt update.Options) (*UpdatesData, error) {
Changes to migrate to new TUF repository (#23588) # Changes - orbit >= 1.38.0, when configured to connect to https://tuf.fleetctl.com (existing fleetd deployments) will now connect to https://updates.fleetdm.com and start using the metadata in path `/opt/orbit/updates-metadata.json`. - orbit >= 1.38.0, when configured to connect to some custom TUF (not Fleet's TUFs) will copy `/opt/orbit/tuf-metadata.json` to `/opt/orbit/updates-metadata.json` (if it doesn't exist) and start using the latter. - fleetctl `4.63.0` will now generate artifacts using https://updates.fleetdm.com by default (or a custom TUF if `--update-url` is set) and generate two (same file) metadata files `/opt/orbit/updates-metadata.json` and the legacy one to support downgrades `/opt/orbit/tuf-metadata.json`. - fleetctl `4.62.0` when configured to use custom TUF (not Fleet's TUF) will generate just the legacy metadata file `/opt/orbit/tuf-metadata.json`. ## User stories See "User stories" in https://github.com/fleetdm/confidential/issues/8488. - [x] Update `update.defaultRootMetadata` and `update.DefaultURL` when the new repository is ready. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2025-01-10 17:27:30 +00:00
localStore, err := filestore.New(filepath.Join(updateOpt.RootDirectory, update.MetadataFileName))
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
if err != nil {
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
return nil, fmt.Errorf("failed to create local metadata store: %w", err)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
updateOpt.LocalStore = localStore
Orbit: Add early update checks before starting sub-systems (#5885) * Make orbit do a early check of updates * Support orbit dev-mode * Add test for NewRunner and Runner.UpdateAction * Remove unnecessary parallel test
2022-06-01 17:47:04 +00:00
updater, err := update.NewUpdater(updateOpt)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
if err != nil {
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
return nil, fmt.Errorf("failed to init updater: %w", err)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
if err := updater.UpdateMetadata(); err != nil {
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
return nil, fmt.Errorf("failed to update metadata: %w", err)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
osquerydLocalTarget, err := updater.Get(constant.OsqueryTUFTargetName)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s: %w", constant.OsqueryTUFTargetName, err)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
osquerydPath := osquerydLocalTarget.ExecPath
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
osquerydMeta, err := updater.Lookup(constant.OsqueryTUFTargetName)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s metadata: %w", constant.OsqueryTUFTargetName, err)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}
type custom struct {
Version string `json:"version"`
}
var osquerydCustom custom
if err := json.Unmarshal(*osquerydMeta.Custom, &osquerydCustom); err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s version: %w", constant.OsqueryTUFTargetName, err)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
orbitLocalTarget, err := updater.Get(constant.OrbitTUFTargetName)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s: %w", constant.OrbitTUFTargetName, err)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
orbitPath := orbitLocalTarget.ExecPath
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
orbitMeta, err := updater.Lookup(constant.OrbitTUFTargetName)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s metadata: %w", constant.OrbitTUFTargetName, err)
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}
var orbitCustom custom
if err := json.Unmarshal(*orbitMeta.Custom, &orbitCustom); err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s version: %w", constant.OrbitTUFTargetName, err)
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
var (
desktopPath string
desktopCustom custom
)
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
if _, ok := updateOpt.Targets[constant.DesktopTUFTargetName]; ok {
desktopLocalTarget, err := updater.Get(constant.DesktopTUFTargetName)
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s: %w", constant.DesktopTUFTargetName, err)
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
}
desktopPath = desktopLocalTarget.ExecPath
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
desktopMeta, err := updater.Lookup(constant.DesktopTUFTargetName)
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
if err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s metadata: %w", constant.DesktopTUFTargetName, err)
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
}
if err := json.Unmarshal(*desktopMeta.Custom, &desktopCustom); err != nil {
fleetd to start up when TUF signatures are expired (#23102) #22740 Full QA is still a WIP but this is ready for review. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [x] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [x] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [x] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2024-10-28 23:40:19 +00:00
return nil, fmt.Errorf("failed to get %s version: %w", constant.DesktopTUFTargetName, err)
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
}
}
Changes to migrate to new TUF repository (#23588) # Changes - orbit >= 1.38.0, when configured to connect to https://tuf.fleetctl.com (existing fleetd deployments) will now connect to https://updates.fleetdm.com and start using the metadata in path `/opt/orbit/updates-metadata.json`. - orbit >= 1.38.0, when configured to connect to some custom TUF (not Fleet's TUFs) will copy `/opt/orbit/tuf-metadata.json` to `/opt/orbit/updates-metadata.json` (if it doesn't exist) and start using the latter. - fleetctl `4.63.0` will now generate artifacts using https://updates.fleetdm.com by default (or a custom TUF if `--update-url` is set) and generate two (same file) metadata files `/opt/orbit/updates-metadata.json` and the legacy one to support downgrades `/opt/orbit/tuf-metadata.json`. - fleetctl `4.62.0` when configured to use custom TUF (not Fleet's TUF) will generate just the legacy metadata file `/opt/orbit/tuf-metadata.json`. ## User stories See "User stories" in https://github.com/fleetdm/confidential/issues/8488. - [x] Update `update.defaultRootMetadata` and `update.DefaultURL` when the new repository is ready. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [X] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
2025-01-10 17:27:30 +00:00
// Copy the new metadata file to the old location (pre-migration) to
// support orbit downgrades to 1.37.0 or lower.
//
// Once https://tuf.fleetctl.com is brought down (which means downgrades to 1.37.0 or
// lower won't be possible), we can remove this copy.
oldMetadataPath := filepath.Join(updateOpt.RootDirectory, update.OldMetadataFileName)
newMetadataPath := filepath.Join(updateOpt.RootDirectory, update.MetadataFileName)
if err := file.Copy(newMetadataPath, oldMetadataPath, constant.DefaultFileMode); err != nil {
return nil, fmt.Errorf("failed to create %s copy: %w", oldMetadataPath, err)
}
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
return &UpdatesData{
OrbitPath: orbitPath,
OrbitVersion: orbitCustom.Version,
OsquerydPath: osquerydPath,
OsquerydVersion: osquerydCustom.Version,
Fleet Desktop MVP (#4530) * WIP * WIP2 * Fix orbit and fleetctl tests * Amend macos-app default * Add some fixes * Use fleetctl updates roots command * Add more fixes to Updater * Fixes to app publishing and downloading * Add more changes to support fleetctl cross generation * Amend comment * Add pkg generation to ease testing * Make more fixes * Add changes entry * Add legacy targets (until our TUF system exposes the new app) * Fix fleetctl preview * Fix bool flag * Fix orbit logic for disabled-updates and dev-mode * Fix TestPreview * Remove constant and fix zip-slip attack (codeql) * Return unknown error * Fix updater's checkExec * Add support for executable signing in init_tuf.sh * Try only signing orbit * Fix init_tuf.sh targets, macos-app only for osqueryd * Specify GOARCH to support M1s * Add workflow to generate osqueryd.app.tar.gz * Use 5.2.2 on init_tuf.sh * Add unit test for tar.gz target * Use artifacts instead of releases * Remove copy paste residue * Fleet Desktop Packaging WIP * Ignore gosec warning * Trigger on PR too * Install Go in workflow * Pass url parameter to desktop app * Fix fleetctl package * Final set of changes for v1 of Fleet Desktop * Add changes * PR fixes * Fix CI build * add larger menu bar icon * Add transparency item * Delete host_device_auth entry on host deletion * Add SetTargetChannel * Update white logo and add desktop to update runner * Add fleet-desktop monitoring to orbit * Define fleet-desktop app exec name * Fix update runner creation * Add API test before enabling the My device menu item Co-authored-by: Zach Wasserman <zach@fleetdm.com>
2022-03-21 17:53:53 +00:00
DesktopPath: desktopPath,
DesktopVersion: desktopCustom.Version,
Amend `fleetctl package` tests to not hardcode orbit version (#3898) * Amend fleetctl package tests to not hardcode orbit version * Readd Version, it is indeed used * Fix bool logic * Readd opt.Version usage
2022-01-31 13:41:11 +00:00
}, nil
Add support for packaging certificates - Refactor update initialization
2021-02-25 20:38:21 +00:00
}
Add support for Windows MSI packaging (#13) - Support building Windows MSIs. - Refactor some of the general update/packaging code. - Update documentation. Windows codesigning support still to come.
2021-04-17 18:52:37 +00:00
Write an enroll secret to osquery when it's read from config profile (#11066) #11065 Since `secret.txt` is written when the installer is built, but installers using `--use-system-config` don't have an enroll secret at build time, this file was empty and causing osquery to have trouble enrolling. This PR writes the file when the values are read from a configuration profile.
2023-04-07 22:34:16 +00:00
// writeSecret writes the orbit enroll secret to the designated file.
//
// This implementation is very similar to the one in orbit/cmd/orbit but
// intentionally kept separate to prevent issues since the writes happen at two
// completely different circumstances.
Add support for Windows MSI packaging (#13) - Support building Windows MSIs. - Refactor some of the general update/packaging code. - Update documentation. Windows codesigning support still to come.
2021-04-17 18:52:37 +00:00
func writeSecret(opt Options, orbitRoot string) error {
Write an enroll secret to osquery when it's read from config profile (#11066) #11065 Since `secret.txt` is written when the installer is built, but installers using `--use-system-config` don't have an enroll secret at build time, this file was empty and causing osquery to have trouble enrolling. This PR writes the file when the values are read from a configuration profile.
2023-04-07 22:34:16 +00:00
path := filepath.Join(orbitRoot, constant.OsqueryEnrollSecretFileName)
Make creating dirs and files more secure by checking permissions (#1566) * Add safe mkdirall and open * Use secure as much as possible and merge gomodules for orbit to fleet * Improve openfile and mkdirall to check for permissiveness instead of equality * Don't shift * Fix links * Address review comments
2021-08-11 14:02:22 +00:00
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return fmt.Errorf("mkdir: %w", err)
Add support for Windows MSI packaging (#13) - Support building Windows MSIs. - Refactor some of the general update/packaging code. - Update documentation. Windows codesigning support still to come.
2021-04-17 18:52:37 +00:00
}
fix SELinux issue (#5335) Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2022-05-02 18:18:59 +00:00
if err := os.WriteFile(path, []byte(opt.EnrollSecret), constant.DefaultFileMode); err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return fmt.Errorf("write file: %w", err)
Add support for Windows MSI packaging (#13) - Support building Windows MSIs. - Refactor some of the general update/packaging code. - Update documentation. Windows codesigning support still to come.
2021-04-17 18:52:37 +00:00
}
return nil
}
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
func writeOsqueryFlagfile(opt Options, orbitRoot string) error {
fix SELinux issue (#5335) Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2022-05-02 18:18:59 +00:00
path := filepath.Join(orbitRoot, "osquery.flags")
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
if opt.OsqueryFlagfile == "" {
// Write empty flagfile
fix SELinux issue (#5335) Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2022-05-02 18:18:59 +00:00
if err := os.WriteFile(path, []byte(""), constant.DefaultFileMode); err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return fmt.Errorf("write empty flagfile: %w", err)
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
}
return nil
}
fix SELinux issue (#5335) Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2022-05-02 18:18:59 +00:00
if err := file.Copy(opt.OsqueryFlagfile, path, constant.DefaultFileMode); err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return fmt.Errorf("copy flagfile: %w", err)
Add osquery flagfile support in Orbit (#3006) - Orbit automatically loads the flagfile when it exists in the orbit root. - Add packaging support to include flagfile with package. - Fix a panic when osquery fails to start up.
2021-11-18 23:06:33 +00:00
}
return nil
}
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
// Embed the certs file that osquery uses so that we can drop it into our installation packages.
Fixes to fleetctl debug connection and TLS certs documentation (#20166) #6085 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-07-09 17:04:23 +00:00
// This file is generated and updated by .github/workflows/update-certs.yml.
Bump go to 1.19.1 (#7690) * Bump go to 1.19.1 * Bump remaining go-version to the 1.19.1 * Add extra paths for test-go * Oops, putting the right path in the right place * gofmt file * gofmt ALL THE THINGS * Moar changes * Actually, go.mod doesn't like minor versions
2022-09-12 23:32:43 +00:00
//
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
//go:embed certs.pem
Fixes to fleetctl debug connection and TLS certs documentation (#20166) #6085 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-07-09 17:04:23 +00:00
var OsqueryCerts []byte
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
func writeOsqueryCertPEM(opt Options, orbitRoot string) error {
fix SELinux issue (#5335) Install orbit to /opt instead of /var/lib. When installing to /var/lib, the default selinux context of var_lib_t gets applied, which results in an AVC error when running via systemd. Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
2022-05-02 18:18:59 +00:00
path := filepath.Join(orbitRoot, "certs.pem")
if err := secure.MkdirAll(filepath.Dir(path), constant.DefaultDirMode); err != nil {
return fmt.Errorf("mkdir: %w", err)
}
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
Fixes to fleetctl debug connection and TLS certs documentation (#20166) #6085 - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Added/updated tests - [x] Manual QA for all new/changed functionality
2024-07-09 17:04:23 +00:00
if err := os.WriteFile(path, OsqueryCerts, 0o644); err != nil {
Use new error handling approach in other packages (#2954)
2021-11-22 14:13:26 +00:00
return fmt.Errorf("write file: %w", err)
Package osquery certificate bundle with orbit (#3033) - Include the osquery certs.pem with Orbit installers. - Use the certs.pem if available and no other certificate specified.
2021-11-19 01:17:05 +00:00
}
return nil
}
Reference in a new issue Copy permalink