**Related issue:** Resolves #32126

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.

## Testing

- [ ] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

Steps:

- Have fleetd installed on the host.
- `make build` and re-run the server.
- Generate a new fleetd package: `./build/fleetctl package --type=pkg --enable-scripts --fleet-desktop --fleet-url=<URL> --enroll-secret=<SECRET>`
- Upload the newly-generated `fleet-osquery.pkg` to Host details > Software > Library.
- Click `Install`.
- When the install finishes, verify that the UI says `Installed`.
- Verified logs: `/var/log/orbit/orbit.stderr.log` logs after successful upgrade.

---------

Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Orbit is a lightweight osquery installer and autoupdater. With Orbit, it's easy to deploy osquery, manage configurations, and keep things up-to-date. Orbit eases the deployment of osquery connected with a Fleet server, and is a (near) drop-in replacement for osquery in a variety of deployment scenarios.
Orbit is the recommended agent for Fleet. But Orbit can be used with or without Fleet, and Fleet can be used with or without Orbit.
How to build from source
To build orbit we use goreleaser.
For reference, here are the build configuration files:
- Goreleaser GitHub workflow
- Goreleaser configuration file for each platform:
The following commands build orbit in case you can't use goreleaser.
IMPORTANT: We recommend building orbit natively rather than cross-compiling, to avoid build or runtime errors.
macOS
```sh
# CODESIGN_IDENTITY and VERSION must already be set in the environment.
CGO_ENABLED=1 \
CODESIGN_IDENTITY=$CODESIGN_IDENTITY \
ORBIT_VERSION=$VERSION \
ORBIT_BINARY_PATH=./orbit-macos \
go run ./orbit/tools/build/build.go
```
Windows
```sh
# VERSION, COMMIT and DATE must already be set; -X embeds them in the binary.
CGO_ENABLED=0 \
GOOS=windows \
GOARCH=amd64 \
go build \
  -trimpath \
  -ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=$VERSION \
  -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit=$COMMIT \
  -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$DATE" \
  -o ./orbit.exe ./orbit/cmd/orbit
```
Linux
```sh
# VERSION, COMMIT and DATE must already be set; -X embeds them in the binary.
CGO_ENABLED=1 \
GOOS=linux \
GOARCH=amd64 \
go build \
  -trimpath \
  -ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=$VERSION \
  -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit=$COMMIT \
  -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$DATE" \
  -o ./orbit-linux ./orbit/cmd/orbit
```
Bugs
To report a bug or request a feature, create an issue in the fleet GitHub repository.
Orbit Development
Run Orbit From Source
To execute orbit from source, use the following commands:
Connect to a Fleet server
Modify the `--fleet-url` and `--enroll-secret` values as appropriate:

```sh
# Arguments after the bare "--" are passed through to osqueryd.
go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
  --dev-mode \
  --disable-updates \
  --root-dir /tmp/orbit \
  --fleet-url https://localhost:8080 \
  --insecure \
  --enroll-secret Pz3zC0NMDdZfb3FtqiLgwoexItojrYh/ \
  -- --verbose
```
Using a custom flagfile
With a `flagfile.txt` for osqueryd:

```sh
go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
  --dev-mode \
  --disable-updates \
  --root-dir /tmp/orbit \
  -- --flagfile=flagfile.txt --verbose
```
Open an interactive shell to run SQL
This can be useful for building/testing extension tables:

```sh
go run github.com/fleetdm/fleet/v4/orbit/cmd/orbit \
  --dev-mode \
  --disable-updates \
  --root-dir /tmp/orbit \
  shell
```
Generate Installer Packages from Orbit Source
The `fleetctl package` command generates installers by fetching the targets/executables from a TUF repository.
To generate an installer that contains an Orbit built from source, you need to set up a local TUF repository.
The following document explains how you can generate a TUF repository and installers that use it: tools/tuf/test.
FAQs
How does Orbit compare with Kolide Launcher?
Orbit is inspired by the success of Kolide Launcher, and approaches a similar problem domain with new strategies informed by the challenges encountered in real-world deployments. Orbit does not share any code with Launcher.
- Both Orbit and Launcher use The Update Framework specification for managing updates. Orbit utilizes the official go-tuf library, while Launcher has its own implementation of the specification.
- Orbit can be deployed as a (near) drop-in replacement for osquery, supporting full customization of the osquery flags. Launcher heavily manages the osquery flags, making deployment outside of Fleet or Kolide's SaaS difficult.
- Orbit prefers the battle-tested plugins of osquery. Orbit uses the built-in logging, configuration, and live report plugins, while Launcher uses custom implementations.
- Orbit prefers the built-in osquery remote APIs. Launcher utilizes a custom gRPC API that has led to issues with character encoding, load balancers/proxies, and request size limits.
- Orbit encourages use of the osquery performance Watchdog, while Launcher disables the Watchdog.
Additionally, Orbit aims to tackle problems out of scope for Launcher:
- Configure updates via release channels, providing more granular control over agent versioning.
- Manage osquery startup flags from a remote (Fleet) server.
- Support for deploying and updating osquery extensions.
- Manage osquery versions from a remote (Fleet) server.
Is Orbit Free?
Yes! Orbit is licensed under an MIT license and all uses are encouraged.
How does Orbit update osquery? And how do the stable and edge channels get triggered to update osquery on a self-hosted Fleet instance?
Orbit uses a configurable update server. We expect that many folks will just use the update server we manage (similar to what Kolide does with Launcher's update server). We are also offering tooling for self-managing an update server as part of Fleet Premium (the subscription offering).
Community
Chat
Please join us in the #fleet channel on osquery Slack.
