mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
18f010f228
#20571 ## Summary of changes We have a few moving parts in fleetctl land (`fleetdm/wix` is used to build `msi`s and `fleetdm/bomutils` is used to build `pkg`s, and `fleetdm/fleetctl` can be used to build packages using docker, no need for fleetctl executable): ```mermaid graph LR fleetctl_exec[fleetctl<br>executable]; wix_image[fleetdm/wix<br>docker image]; bomutils_image[fleetdm/bomutils<br>docker image]; fleetctl_image[fleetdm/fleetctl<br>docker image]; fleetctl_exec -- uses --> wix_image; fleetctl_image -- COPY dependencies<br>FROM --> wix_image; fleetctl_exec -- uses --> bomutils_image; fleetctl_image -- COPY dependencies<br>FROM --> bomutils_image; ``` So, we'll need to update the three images: `fleetdm/bomutils`, `fleetdm/wix` & `fleetdm/fleetctl`. - `tools/bomutils-docker/Dockerfile`, `tools/wix-docker/Dockerfile` and `tools/fleetctl-docker/Dockerfile`: Updating the base image to fix the CRITICAL vulnerabilities. - Modified existing+unused `.github/workflows/build-and-check-fleetctl-docker-and-deps.yml` to run every day to check for CRITICAL vulnerabilities in `fleetdm/wix`, `fleetdm/bomutils` and `fleetdm/fleetctl`. - `.github/workflows/goreleaser-fleetctl-docker-deps.yaml`: `fleetdm/bomutils` and `fleetdm/wix` were pushed manually a few years ago (most likely by Zach), so I've added a new action to release them when we have changes to release (like now). It will basically release `fleetctl/bomutils` and `fleetdm/wix` when pushing a tag of the form `fleetctl-docker-deps-*` (we'll need to protect such tag prefix). - Changes in `.github/workflows/test-native-tooling-packaging.yml` to build `fleetdm/bomutils` and `fleetdm/wix` for `fleetdm/fleetctl` to use them instead of the ones in docker hub. -- Build before upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255391418/job/28372231837  Build after upgrading `debian:stable-slim`: https://github.com/fleetdm/fleet/actions/runs/10255550034 - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Manual QA for all new/changed functionality
34 lines
1.3 KiB
Docker
34 lines
1.3 KiB
Docker
FROM rust:latest@sha256:56418f03475cf7b107f87d7fabe99ce9a4a9f9904daafa99be7c50d9e7b8f84d AS builder
|
|
|
|
ARG transporter_url=https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/resources/download/public/Transporter__Linux/bin
|
|
|
|
RUN cargo install --version 0.16.0 apple-codesign \
|
|
&& curl -sSf $transporter_url -o transporter_install.sh \
|
|
&& sh transporter_install.sh --target transporter --accept --noexec
|
|
|
|
FROM debian:stable-slim@sha256:e5365b94db65754594422a8a101c873728711c6a4df029677f4a7f7200d6e1c3
|
|
|
|
ARG binpath=build/binary-bundle/linux/fleetctl
|
|
|
|
RUN apt-get update \
|
|
&& dpkg --add-architecture i386 \
|
|
&& apt update \
|
|
&& apt upgrade -y \
|
|
&& apt install -y --no-install-recommends ca-certificates cpio libxml2 wine wine32 libgtk-3-0 \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# copy macOS dependencies
|
|
COPY --from=fleetdm/bomutils:latest /usr/bin/mkbom /usr/local/bin/xar /usr/bin/
|
|
COPY --from=fleetdm/bomutils:latest /usr/local/lib /usr/local/lib/
|
|
COPY --from=builder /transporter/itms /usr/local/
|
|
COPY --from=builder /usr/local/cargo/bin/rcodesign /usr/local/bin
|
|
|
|
# copy Windows dependencies
|
|
COPY --from=fleetdm/wix:latest /home/wine /home/wine
|
|
|
|
# copy fleetctl
|
|
COPY ${binpath} /usr/bin/fleetctl
|
|
|
|
ENV FLEETCTL_NATIVE_TOOLING=1 WINEPREFIX=/home/wine/.wine WINEARCH=win32 PATH="/home/wine/bin:$PATH" WINEDEBUG=-all
|
|
|
|
ENTRYPOINT ["fleetctl"]
|