fleet/orbit
Bash Bandicoot 4fcbb57d23
Fix orbit crash loop on incorrect file permissions (#40887)
## Summary

- `checkPermFile` in `pkg/secure/secure.go` now self-heals incorrect
file permissions via `os.Chmod` instead of returning a fatal error
- Fixes orbit crash-looping indefinitely when
`/opt/orbit/updates-metadata.json` has mode 755 instead of the expected
600

## Problem

Orbit refuses to start when `updates-metadata.json` has wrong
permissions (e.g. 755 instead of 600), entering an infinite restart loop
(`systemd` restart counter observed at 3447+). The manual workaround is
`chmod 600 /opt/orbit/updates-metadata.json`, but the root cause — an
external process changing file permissions — is intermittent and hard to
track.

The `checkPermFile` function in `pkg/secure/secure.go` was designed as a
security check, but its behavior of fatally erroring on any permission
mismatch causes a denial-of-service on the legitimate user. For
comparison, `checkPermPath` (the directory equivalent) already tolerates
permissions that are less permissive than expected.

## Fix

When `checkPermFile` detects a permission mismatch, it now attempts
`os.Chmod` to correct the permissions before proceeding. It only returns
an error if the chmod itself fails (e.g. insufficient privileges). This
preserves the security intent — files end up with correct permissions —
while making orbit resilient to external permission drift.

## Test plan

- [ ] `go test ./pkg/secure/ -v -run TestOpenFile` — verifies
self-healing behavior
- [ ] `go test ./pkg/secure/ -v -run TestMkdirAll` — unchanged, verifies
directory checks still work
- [ ] Manual: create `/opt/orbit/updates-metadata.json` with mode 755,
start orbit, confirm it self-heals and starts normally

---------

Co-authored-by: Bash Bandicoot <bash-bandicoot@users.noreply.github.com>
2026-03-06 17:41:31 -03:00
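As an added illustration of the self-healing check the commit message describes (this is not fleet's `checkPermFile` or `checkPermPath`; the names `ensureFileMode`, `ensureDirMode` and `demo` are hypothetical), the following Go program stats a file, corrects drifted permission bits with `os.Chmod`, and only errors when the chmod itself fails. It also shows the directory variant that tolerates a mode stricter than expected. It assumes a POSIX filesystem; on Windows `os.Chmod` only toggles the read-only attribute, so a mode comparison like this is not meaningful there.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ensureFileMode is a hypothetical, illustrative check (not fleet's code).
// If path's permission bits differ from want, it chmods the file to want
// and fails only if the chmod itself fails (e.g. insufficient privileges).
// It returns the mode observed before any correction so a caller can log
// the drift, which is the only evidence of the external process changing it.
func ensureFileMode(path string, want os.FileMode) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	got := info.Mode().Perm()
	if got == want {
		return got, nil
	}
	// Permission drift: tighten instead of refusing to start.
	if err := os.Chmod(path, want); err != nil {
		return got, fmt.Errorf("%s has mode %o, want %o, and chmod failed: %w", path, got, want, err)
	}
	return got, nil
}

// ensureDirMode mirrors the tolerance the commit message attributes to the
// directory check: a directory that is at least as restrictive as want is
// accepted as-is; one with extra bits set is tightened to want.
func ensureDirMode(path string, want os.FileMode) (os.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if !info.IsDir() {
		return 0, fmt.Errorf("%s is not a directory", path)
	}
	got := info.Mode().Perm()
	// got&^want == 0 means no bit is set that want does not also allow.
	if got&^want == 0 {
		return got, nil
	}
	if err := os.Chmod(path, want); err != nil {
		return got, fmt.Errorf("%s has mode %o, want at most %o, and chmod failed: %w", path, got, want, err)
	}
	return got, nil
}

// demo reproduces the scenario from the commit message on constructed
// input: a scratch updates-metadata.json that some other process has
// loosened to 0755 is healed back to 0600. It returns the before/after modes.
func demo() (before, after os.FileMode, err error) {
	dir, err := os.MkdirTemp("", "permdemo")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "updates-metadata.json")
	if err := os.WriteFile(p, []byte("{}"), 0o600); err != nil {
		return 0, 0, err
	}
	// Simulate the external permission drift.
	if err := os.Chmod(p, 0o755); err != nil {
		return 0, 0, err
	}
	before, err = ensureFileMode(p, 0o600)
	if err != nil {
		return 0, 0, err
	}
	info, err := os.Stat(p)
	if err != nil {
		return 0, 0, err
	}
	return before, info.Mode().Perm(), nil
}

func main() {
	before, after, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("mode before %o, after %o\n", before, after)
}
```

Returning the pre-correction mode is deliberate: self-healing removes the crash loop, but the file was already world-readable for some window before the agent ran, so the logged drift is the signal that something else on the host is touching the file and should be tracked down rather than silently tolerated.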
| Name | Last commit | Date |
|---|---|---|
| changes | Fix orbit crash loop on incorrect file permissions (#40887) | 2026-03-06 17:41:31 -03:00 |
| cmd | Icon mis sized on KDE envs (#40259) | 2026-02-24 11:59:35 -04:00 |
| pkg | Additions and fixes for app_sso_platform table (#41048) | 2026-03-06 08:07:20 -08:00 |
| tools | Improve Fleet Desktop tray description in Windows (#37500) | 2026-01-06 13:04:50 -03:00 |
| .gitattributes | Add 'orbit/' from commit 'ab3047bb39f1e2be331d1ff18b4eb768619033c4' | 2021-08-04 16:58:25 -03:00 |
| .gitignore | Add 'orbit/' from commit 'ab3047bb39f1e2be331d1ff18b4eb768619033c4' | 2021-08-04 16:58:25 -03:00 |
| .gon.hcl | Build universal macOS binaries for Orbit (#6208) | 2022-06-13 19:43:47 -03:00 |
| CHANGELOG.md | Update changelog for fleetd 1.53.0 release (#40882) | 2026-03-05 12:07:04 -03:00 |
| goreleaser-linux-arm64.yml | Use goreleaser v2 in CI (#23748) | 2024-12-03 16:15:31 -06:00 |
| goreleaser-linux.yml | Update changelog for fleetd 1.42.0 release (#29186) | 2025-05-19 08:22:30 -03:00 |
| goreleaser-macos.yml | Use goreleaser v2 in CI (#23748) | 2024-12-03 16:15:31 -06:00 |
| goreleaser-windows-arm64.yml | Orbit for Windows ARM64 (#27882) | 2025-04-11 10:18:28 -04:00 |
| goreleaser-windows.yml | Use goreleaser v2 in CI (#23748) | 2024-12-03 16:15:31 -06:00 |
| LICENSE | Add 'orbit/' from commit 'ab3047bb39f1e2be331d1ff18b4eb768619033c4' | 2021-08-04 16:58:25 -03:00 |
| old-TUF.md | Update tools/tuf-status for windows-arm64 (#28232) | 2025-04-15 19:04:46 -03:00 |
| README.md | Clean up "click here" and "here" link anchors - part 1 (#29731) | 2025-06-04 13:54:34 -06:00 |
| TUF.md | Update versions of fleetd components in Fleet's TUF [automated] (#41043) | 2026-03-05 11:58:04 -03:00 |


Orbit is a lightweight osquery installer and autoupdater. With Orbit, it's easy to deploy osquery, manage configurations, and keep things up-to-date. Orbit eases the deployment of osquery connected with a Fleet server, and is a (near) drop-in replacement for osquery in a variety of deployment scenarios.

Orbit is the recommended agent for Fleet. But Orbit can be used with or without Fleet, and Fleet can be used with or without Orbit.

How to build from source

To build orbit we use goreleaser.

For reference, the build configuration files are the goreleaser-*.yml files at the root of this directory: goreleaser-macos.yml, goreleaser-linux.yml, goreleaser-linux-arm64.yml, goreleaser-windows.yml and goreleaser-windows-arm64.yml.

Following are the commands to build in case you can't use goreleaser.

IMPORTANT: We recommend you build orbit natively and not cross compile to avoid any build or runtime errors.

macOS

CGO_ENABLED=1 \
CODESIGN_IDENTITY=$CODESIGN_IDENTITY \
ORBIT_VERSION=$VERSION \
ORBIT_BINARY_PATH=./orbit-macos \
go run ./orbit/tools/build/build.go

Windows

CGO_ENABLED=0 \
GOOS=windows \
GOARCH=amd64 \
go build \
-trimpath \
-ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=$VERSION \
-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit=$COMMIT \
-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$DATE" \
-o ./orbit.exe ./orbit/cmd/orbit

Linux

CGO_ENABLED=1 \
GOOS=linux \
GOARCH=amd64 \
go build \
-trimpath \
-ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=$VERSION \
-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit=$COMMIT \
-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$DATE" \
-o ./orbit-linux ./orbit/cmd/orbit

Bugs

To report a bug or request a feature, create an issue in the fleet GitHub repository.

Orbit Development

Run Orbit From Source

To execute orbit from source, use the following commands:

Connect to a Fleet server

Modify --fleet-url and --enroll-secret as appropriate. Note that --insecure disables TLS certificate verification and is only meant for a local development server:

go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
    --dev-mode \
    --disable-updates \
    --root-dir /tmp/orbit \
    --fleet-url https://localhost:8080 \
    --insecure \
    --enroll-secret Pz3zC0NMDdZfb3FtqiLgwoexItojrYh/ \
    -- --verbose

Using a custom flagfile

With a flagfile.txt for osqueryd:

go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
    --dev-mode \
    --disable-updates \
    --root-dir /tmp/orbit \
    -- --flagfile=flagfile.txt --verbose

Open an interactive shell to run SQL

This can be useful for building/testing extension tables:

go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
    --dev-mode \
    --disable-updates \
    --root-dir /tmp/orbit \
    shell

Generate Installer Packages from Orbit Source

The fleetctl package command generates installers by fetching the targets/executables from a TUF repository. To generate an installer that contains an Orbit built from source, you need to set up a local TUF repository. The document in tools/tuf/test explains how to generate a TUF repository, and installers that use it.

FAQs

How does Orbit compare with Kolide Launcher?

Orbit is inspired by the success of Kolide Launcher, and approaches a similar problem domain with new strategies informed by the challenges encountered in real world deployments. Orbit does not share any code with Launcher.

  • Both Orbit and Launcher use The Update Framework specification for managing updates. Orbit utilizes the official go-tuf library, while Launcher has its own implementation of the specification.
  • Orbit can be deployed as a (near) drop-in replacement for osquery, supporting full customization of the osquery flags. Launcher heavily manages the osquery flags making deployment outside of Fleet or Kolide's SaaS difficult.
  • Orbit prefers the battle-tested plugins of osquery. Orbit uses the built-in logging, configuration, and live query plugins, while Launcher uses custom implementations.
  • Orbit prefers the built-in osquery remote APIs. Launcher utilizes a custom gRPC API that has led to issues with character encoding, load balancers/proxies, and request size limits.
  • Orbit encourages use of the osquery performance Watchdog, while Launcher disables the Watchdog.

Additionally, Orbit aims to tackle problems out of scope for Launcher:

  • Configure updates via release channels, providing more granular control over agent versioning.
  • Manage osquery startup flags from a remote (Fleet) server.
  • Support for deploying and updating osquery extensions.
  • Manage osquery versions from a remote (Fleet) server.

Is Orbit Free?

Yes! Orbit is licensed under an MIT license and all uses are encouraged.

How does orbit update osquery? And how do the stable and edge channels get triggered to update osquery on a self hosted Fleet instance?

Orbit uses a configurable update server. We expect that many folks will just use the update server we manage (similar to what Kolide does with Launcher's update server). We are also offering tooling for self-managing an update server as part of Fleet Premium (the subscription offering).

Community

Chat

Please join us in the #fleet channel on osquery Slack.
