The macOS runners installing Docker are having problems initializing the new Docker version (4.11.0), which effectively blocks PRs that touch Go code. This locks the Docker version we install to 4.10.0, which works, until we figure out a solution or a new Docker version goes out.
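---
name: Test Fleetctl Package, Orbit & Fleet

# This workflow tests orbit code changes (compiles orbit from source).
# It uses a fleet instance also built and executed from source.
#
# It tests that orbit osquery agents enroll successfully to Fleet.
#
# Job graph:
#   gen                  -> per-run tunnel hostname and enroll secret
#   run-server           -> fleet built from source, exposed through a Cloudflare
#                           tunnel; blocks until EXPECTED hosts have enrolled
#   set-enroll-secret    -> applies the enroll secret to that server
#   run-tuf-and-gen-pkgs -> builds the PKG/DEB/RPM/MSI installers
#   orbit-*              -> install a package and wait for run-server to finish
#                           (the tunnel going away is the "enrolled" signal)

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - patch-*
    paths:
      - 'orbit/**.go'
  pull_request:
    paths:
      - 'orbit/**.go'
  workflow_dispatch: # Manual

permissions:
  contents: read

jobs:
  # Generates the identifiers shared by the other jobs. Both values come from
  # uuidgen, so they are random per run and never derived from event data
  # (which is why interpolating them with ${{ }} into `run:` scripts below is
  # not a script-injection concern). The enroll secret is passed as a plain
  # job output: it only authorizes enrollment to this throwaway server, and
  # masked values are not propagated as job outputs.
  gen:
    runs-on: ubuntu-latest
    outputs:
      subdomain: ${{ steps.gen.outputs.subdomain }}
      domain: ${{ steps.gen.outputs.domain }}
      address: ${{ steps.gen.outputs.address }}
      enroll_secret: ${{ steps.gen.outputs.enroll_secret }}
    steps:
      - id: gen
        # `::set-output` is deprecated; outputs are written to $GITHUB_OUTPUT.
        run: |
          UUID=$(uuidgen)
          ENROLL=$(uuidgen)
          {
            echo "subdomain=fleet-test-$UUID"
            echo "domain=fleet-test-$UUID.fleetuem.com"
            echo "address=https://fleet-test-$UUID.fleetuem.com"
            echo "enroll_secret=$ENROLL"
          } >> "$GITHUB_OUTPUT"

  # Builds fleet from source, exposes it on the tunnel hostname and blocks until
  # EXPECTED orbit hosts have enrolled (one per orbit-* job).
  run-server:
    timeout-minutes: 60
    strategy:
      matrix:
        go-version: ['^1.17.0']
        mysql: ['mysql:5.7']
    runs-on: ubuntu-latest
    needs: gen
    steps:

      - name: Install Go
        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2
        with:
          go-version: ${{ matrix.go-version }}

      - name: Checkout Code
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      - name: Start tunnel
        env:
          CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
        run: |
          # Install cloudflared
          # NOTE(review): this fetches the unpinned "latest" release and installs
          # it as root; pinning a release version (and verifying its published
          # checksum) would stop the job from depending on whatever is published
          # at run time.
          wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
          sudo dpkg -i cloudflared-linux-amd64.deb
          # Add secret (written to the workspace only; no artifact step uploads it)
          echo "$CERT_PEM" | base64 -d > cert.pem
          # Start tunnel
          cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} &
          # A missing connection reports null, not false, so this keeps waiting
          # until the tunnel has an established connection.
          until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
            echo "Awaiting tunnel ready..."
            sleep 5
          done

      - name: Start Infra Dependencies
        run: FLEET_MYSQL_IMAGE=${{ matrix.mysql }} docker-compose up -d mysql redis &

      - name: Install JS Dependencies
        run: make deps-js

      - name: Generate and bundle go & js code
        run: make generate

      - name: Build fleet and fleetctl
        # fleet-dev builds fleet with "race" enabled.
        run: make fleet-dev fleetctl

      - name: Run Fleet server
        env:
          FLEET_OSQUERY_HOST_IDENTIFIER: instance  # use instance identifier to allow for duplicate UUIDs
          FLEET_SERVER_ADDRESS: 0.0.0.0:1337
          # Quoted on purpose: env values are strings, and quoting keeps YAML
          # tooling from retyping them as booleans.
          FLEET_SERVER_TLS: "false"
          FLEET_LOGGING_DEBUG: "true"
        run: |
          mkdir ./fleet_log
          make db-reset
          ./build/fleet serve --dev --dev_license 1>./fleet_log/stdout.log 2>./fleet_log/stderr.log &
          ./build/fleetctl config set --address http://localhost:1337 --tls-skip-verify
          # NOTE(review): the admin credentials are hard-coded in the repository
          # while the server is reachable on the tunnel hostname for the whole
          # job; generating them per run in `gen` (as enroll_secret is) would
          # limit the exposure to a single run.
          # Retried because the server and the database are still starting.
          until ./build/fleetctl setup --email admin@example.com --name Admin --password preview1337# --org-name Example
          do
            echo "Retrying setup in 5s..."
            sleep 5
          done
          # Wait for all of the hosts to be enrolled
          EXPECTED=3
          until [ $(./build/fleetctl get hosts --json | grep "hostname" | wc -l | tee hostcount) -ge $EXPECTED ]; do
            echo -n "Waiting for hosts to enroll: "
            cat hostcount | xargs echo -n
            echo " / $EXPECTED"
            sleep 30
          done
          ./build/fleetctl get hosts
          echo "Success! $EXPECTED hosts enrolled."

      - name: Cleanup tunnel
        if: always()
        run: cloudflared tunnel --origincert cert.pem delete --force ${{ needs.gen.outputs.subdomain }}

      - name: Upload fleet logs
        if: always()
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: fleet-logs
          path: |
            fleet_log

  # Sets the enroll secret of the Fleet server.
  #
  # This job also makes sure the Fleet server is up and running.
  set-enroll-secret:
    timeout-minutes: 60
    strategy:
      matrix:
        go-version: ['^1.17.0']
    runs-on: ubuntu-latest
    needs: gen
    steps:

      - name: Install Go
        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2
        with:
          go-version: ${{ matrix.go-version }}

      - name: Checkout Code
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      - name: Build Fleetctl
        run: make fleetctl

      - id: enroll
        name: Set enroll secret
        run: |
          ./build/fleetctl config set --address ${{ needs.gen.outputs.address }}
          # The login is retried until run-server has set the admin user up.
          until ./build/fleetctl login --email admin@example.com --password preview1337#
          do
            echo "Retrying in 30s..."
            sleep 30
          done
          echo '---
          apiVersion: v1
          kind: enroll_secret
          spec:
            secrets:
            - secret: ${{ needs.gen.outputs.enroll_secret }}
          ' > secrets.yml
          ./build/fleetctl apply -f secrets.yml

  # TODO(lucas): Currently, to simplify the workflow we do all in one job:
  # 1. Generate TUF repository (compile Orbit from source).
  # 2. Run TUF server on localhost.
  # 3. Generate packages using localhost TUF server.
  #
  # When installing the generated packages, Orbit will log "update errors"
  # because the TUF URL is set to http://localhost:8081.
  #
  # TODO(lucas): Test the generated RPM package on a CentOS docker image.
  run-tuf-and-gen-pkgs:
    timeout-minutes: 60
    strategy:
      matrix:
        go-version: ['^1.17.0']
    # We can only generate all (PKG, MSI, DEB, RPM) packages from a macOS host.
    runs-on: macos-latest
    needs: gen
    steps:

      - name: Install Go
        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a # v2
        with:
          go-version: ${{ matrix.go-version }}

      - name: Checkout Code
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      # Docker needs to be installed manually on macOS.
      # From https://github.com/docker/for-mac/issues/2359#issuecomment-943131345
      - name: Install Docker
        run: |
          # fixme: lock Docker version to 4.10.0 as newer versions fail to initialize
          # (the cask is fetched from a pinned homebrew-cask commit for that reason)
          curl -L https://raw.githubusercontent.com/Homebrew/homebrew-cask/c65030146a5cf2070c2499b6c68e2c3495c99731/Casks/docker.rb > docker.rb && brew install docker.rb
          sudo /Applications/Docker.app/Contents/MacOS/Docker --unattended --install-privileged-components
          open -a /Applications/Docker.app --args --unattended --accept-license
          echo "Waiting for Docker to start up..."
          while ! /Applications/Docker.app/Contents/Resources/bin/docker info &>/dev/null; do sleep 1; done
          echo "Docker is ready."

      - name: Build Repository and run TUF server
        env:
          SYSTEMS: "macos windows linux"
          PKG_FLEET_URL: ${{ needs.gen.outputs.address }}
          PKG_TUF_URL: http://localhost:8081
          DEB_FLEET_URL: ${{ needs.gen.outputs.address }}
          DEB_TUF_URL: http://localhost:8081
          RPM_FLEET_URL: ${{ needs.gen.outputs.address }}
          RPM_TUF_URL: http://localhost:8081
          MSI_FLEET_URL: ${{ needs.gen.outputs.address }}
          MSI_TUF_URL: http://localhost:8081
          ENROLL_SECRET: ${{ needs.gen.outputs.enroll_secret }}
          # Flags read by tools/tuf/test/main.sh; quoted so they stay strings.
          GENERATE_PKG: "1"
          GENERATE_DEB: "1"
          GENERATE_RPM: "1"
          GENERATE_MSI: "1"
          FLEET_DESKTOP: "1"
        run: |
          ./tools/tuf/test/main.sh

      - name: Upload PKG installer
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: fleet-osquery.pkg
          path: |
            fleet-osquery.pkg

      - name: Upload DEB installer
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: fleet-osquery_42.0.0_amd64.deb
          path: |
            fleet-osquery_42.0.0_amd64.deb

      - name: Upload MSI installer
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: fleet-osquery.msi
          path: |
            fleet-osquery.msi

  orbit-macos:
    timeout-minutes: 60
    runs-on: macos-latest
    needs: [gen, run-tuf-and-gen-pkgs]
    steps:

      - name: Checkout Code
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2

      - name: Download pkg
        id: download
        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
        with:
          name: fleet-osquery.pkg

      - name: Install pkg
        run: |
          sudo hostname orbit-macos
          sudo installer -pkg ${{ steps.download.outputs.download-path }}/fleet-osquery.pkg -target /

      - name: Wait enroll
        run: |
          # Wait until fleet server goes down.
          while curl --fail ${{ needs.gen.outputs.address }};
          do
            echo "Retrying in 10s..."
            sleep 10
          done

      - name: Run orbit shell
        run: >-
          sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'

      - name: Collect orbit logs
        if: always()
        run: |
          mkdir orbit-logs
          sudo cp /var/log/orbit/* orbit-logs/

      - name: Upload orbit logs
        if: always()
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: orbit-logs
          path: |
            orbit-logs

      - name: Uninstall pkg
        run: |
          ./orbit/tools/cleanup/cleanup_macos.sh

  orbit-ubuntu:
    timeout-minutes: 60
    runs-on: ubuntu-latest
    needs: [gen, run-tuf-and-gen-pkgs]
    steps:

      - name: Download deb
        id: download
        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
        with:
          name: fleet-osquery_42.0.0_amd64.deb

      - name: Install deb
        run: |
          sudo hostname orbit-ubuntu
          sudo dpkg --install ${{ steps.download.outputs.download-path }}/fleet-osquery_42.0.0_amd64.deb

      - name: Wait enroll
        run: |
          # Wait until fleet server goes down.
          while curl --fail ${{ needs.gen.outputs.address }};
          do
            echo "Retrying in 10s..."
            sleep 10
          done

      - name: Run orbit shell
        run: >-
          sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'

      - name: Collect orbit logs
        if: always()
        run: |
          mkdir orbit-logs
          sudo journalctl -u orbit.service > orbit-logs/orbit_service.log

      - name: Upload orbit logs
        if: always()
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: orbit-logs
          path: |
            orbit-logs

      - name: Uninstall deb
        run: |
          sudo apt remove fleet-osquery -y

  orbit-windows:
    timeout-minutes: 60
    # `gen` is listed explicitly, as in orbit-macos and orbit-ubuntu: the
    # "Wait enroll" step reads needs.gen.outputs.address, and the needs context
    # only exposes the outputs of jobs named here.
    needs: [gen, run-tuf-and-gen-pkgs]
    runs-on: windows-latest
    steps:

      - name: Download msi
        id: download
        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
        with:
          name: fleet-osquery.msi

      - name: Install msi
        run: |
          msiexec /i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv log.txt

      - name: Wait enroll
        shell: bash
        run: |
          # Wait until fleet server goes down.
          while curl --fail ${{ needs.gen.outputs.address }};
          do
            echo "Retrying in 10s..."
            sleep 10
          done

      - name: Run orbit shell
        shell: cmd
        run: |
          "C:\Program Files\Orbit\bin\orbit\orbit.exe" shell -- --json "select * from osquery_info;" | jq -e "if (.[0]) then true else false end"

      - name: Upload Orbit logs
        if: always()
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v2
        with:
          name: orbit-logs-windows
          path: C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log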