fleet/tools/fleetctl-docker/Dockerfile

FROM rust:latest@sha256:563b33de55d0add224b2e301182660b59bf3cf7219e9dc0fda68f8500e5fe14a AS builder

ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin

RUN cargo install --locked --version 0.28.0 apple-codesign \
  && curl -sSf $transporter_url -o transporter_install.sh \
  && sh transporter_install.sh --target transporter --accept --noexec

FROM debian:stable-slim@sha256:e5365b94db65754594422a8a101c873728711c6a4df029677f4a7f7200d6e1c3

ARG binpath=build/binary-bundle/linux/fleetctl

RUN apt-get update \
  && dpkg --add-architecture i386 \
  && apt update \
  && apt upgrade -y \
  && apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \
  && rm -rf /var/lib/apt/lists/* 

# copy macOS dependencies
COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/
COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/
COPY --from=builder /transporter/itms /usr/local/
COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin

# copy Windows dependencies
COPY --from=fleetdm/wix:latest /home/wine /home/wine

# copy fleetctl
COPY ${binpath} /usr/bin/fleetctl

ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all

ENTRYPOINT ["fleetctl"]
Update Rust in `fleetctl-docker` image (#27907) The merged changed in https://github.com/fleetdm/fleet/pull/23843 requires updating Rust in the builder image. 2025-04-04 21:09:30 +00:00			`FROM rust:latest@sha256:563b33de55d0add224b2e301182660b59bf3cf7219e9dc0fda68f8500e5fe14a AS builder`
add support for notarization in fleetdm/fleetctl images (#6818) #6674 2022-07-25 23:06:10 +00:00
			`ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin`

Fix notarization after latest Apple changes (#23843) Notarization from the fleetctl-docker image is broken actually: ``` fleetctl package --type=pkg --fleet-url=myurl --enroll-secret=mysecret --macos-devid-pem-content=XYZ --notarize --app-store-connect-api-key-id=XYZ --app-store-connect-api-key-issuer=XYZ --app-store-connect-api-key-content=XYZ [..] transporter error> Package Summary: transporter error> transporter error> 1 package(s) were not uploaded because they had problems: transporter error> /tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp - Error Messages: transporter error> Notarization of MacOS applications using altool has been decommissioned. Please use notarytool. See: https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool (4200) transporter error> [2024-11-15 13:35:47 UTC] <main> DBG-X: Returning 1 Error: I/O error: command ["/usr/local/bin/iTMSTransporter", "-m", "upload", "-apiIssuer", "XYZ", "-apiKey", "XYZ", "-f", "/tmp/apple-codesign-QAsKT8/17081d03-fdc8-46cd-873a-2970f7be9c7c.itmsp", "-vp", "json"] exited with code 1 Error: rcodesign notarize: exit status 1 ``` Luckily, bumping `rcodesign` version is enough to make it work again. # Checklist for submitter - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes - [ ] If database migrations are included, checked table schema to confirm autoupdate - For database migrations: - [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration. - [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects. - [ ] Ensured the correct collation is explicitly set for character columns (`COLLATE utf8mb4_unicode_ci`). - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2025-04-04 19:53:39 +00:00			`RUN cargo install --locked --version 0.28.0 apple-codesign \`
add support for notarization in fleetdm/fleetctl images (#6818) #6674 2022-07-25 23:06:10 +00:00			`&& curl -sSf $transporter_url -o transporter_install.sh \`
			`&& sh transporter_install.sh --target transporter --accept --noexec`

Update `fleetdm/fleetctl`, `fleetdm/wix` and `fleetdm/bomutils` docker images (#21063) #20571 ## Summary of changes We have a few moving parts in fleetctl land (`fleetdm/wix` is used to build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and `fleetdm/fleetctl` can be used to build packages using docker, no need for fleetctl executable): ```mermaid graph LR fleetctl_exec[fleetctl<br>executable]; wix_image[fleetdm/wix<br>docker image]; bomutils_image[fleetdm/bomutils<br>docker image]; fleetctl_image[fleetdm/fleetctl<br>docker image]; fleetctl_exec -- uses --> wix_image; fleetctl_image -- COPY dependencies<br>FROM --> wix_image; fleetctl_exec -- uses --> bomutils_image; fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image; ``` So, we'll need to update the three images: `fleetdm/bomutils`, `fleetdm/wix` & `fleetdm/fleetctl`. - `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and `tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the CRITICAL vulnerabilities. - Modified existing+unused `.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run every day to check for CRITICAL vulnerabilities in `fleetdm/wix`, `fleetdm/bomutils` and `fleetdm/fleetctl`. - `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`: `fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years ago (most likely by Zach), so I've added a new action to release them when we have changes to release (like now). It will basically release `fleetctl/bomutils` and `fleetdm/wix` when pushing a tag of the form `fleetctl-docker-deps-*` (we'll need to protect such tag prefix). - Changes in `.github/workflows/test-native-tooling-packaging.yml` to build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use them instead of the ones in docker hub. -- Build before upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837 ![Screenshot 2024-08-05 at 5 24 25 PM](https://github.com/user-attachments/assets/8a7d3576-3eb6-474f-989a-079873fca4fa) Build after upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255550034 - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality 2024-08-20 17:07:59 +00:00			`FROM debian:stable-slim@sha256:e5365b94db65754594422a8a101c873728711c6a4df029677f4a7f7200d6e1c3`
implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`. 2022-07-11 12:49:13 +00:00
use image containing installer deps for fleetdm/fleetctl (#7040) 2022-08-24 12:10:16 +00:00			`ARG binpath=build/binary-bundle/linux/fleetctl`

implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`. 2022-07-11 12:49:13 +00:00			`RUN apt-get update \`
			`&& dpkg --add-architecture i386 \`
			`&& apt update \`
Testing a fix for fleet ci packaging (#12610) 2023-07-27 23:00:51 +00:00			`&& apt upgrade -y \`
implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`. 2022-07-11 12:49:13 +00:00			`&& apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# copy macOS dependencies`
			`COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/`
			`COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/`
add support for notarization in fleetdm/fleetctl images (#6818) #6674 2022-07-25 23:06:10 +00:00			`COPY --from=builder /transporter/itms /usr/local/`
			`COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin`
implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`. 2022-07-11 12:49:13 +00:00
			`# copy Windows dependencies`
			`COPY --from=fleetdm/wix:latest /home/wine /home/wine`

			`# copy fleetctl`
use image containing installer deps for fleetdm/fleetctl (#7040) 2022-08-24 12:10:16 +00:00			`COPY ${binpath} /usr/bin/fleetctl`
implement a docker image to package orbit natively in Linux (#6504) Related to #6364 and #6363, this: - Adds a new Docker image, `fleetdm/fleetctl` equipped with all necessary dependencies to build Fleet-osquery binaries for all platforms - Modifies the package generation logic to special case this scenario via an environment variable `FLEETCTL_NATIVE_TOOLING` - Adds a new GitHub workflow to test this There are more details in the README, but part of the special-casing logic is in place to output the binaries to a folder named `build` when they are run with `FLEETCTL_NATIVE_TOOLING`, this is so we can persist the binary generated by the docker container via a bind mount: ```bash docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi ``` To test this changeset, I have generated packages for all platforms, both via the new Docker image and via the classic `fleetctl package`. 2022-07-11 12:49:13 +00:00
			`ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all`

			`ENTRYPOINT ["fleetctl"]`