Merge branch 'fleetdm:main' into main

IvanM 2024-04-03 14:24:44 +03:00 committed by GitHub
commit 8bcf9b6f83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4733 changed files with 521353 additions and 148309 deletions


@ -5,7 +5,6 @@ module.exports = {
"plugin:jest/recommended",
"plugin:react-hooks/recommended",
"plugin:@typescript-eslint/recommended",
"plugin:cypress/recommended",
"plugin:prettier/recommended",
"plugin:storybook/recommended",
],
@ -83,13 +82,6 @@ module.exports = {
"jsx-a11y/anchor-has-content": "off",
},
overrides: [
{
files: ["cypress/**/*.ts"],
// Set to turn off jest linting error on cypress library
rules: {
"jest/valid-expect": "off",
},
},
],
settings: {
"import/resolver": {
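Review bot: removing the `files: ["cypress/**/*.ts"]` override here, together with `"plugin:cypress/recommended"` being dropped from `extends` in the hunk above, only works if the `cypress/` directory and the `eslint-plugin-cypress` devDependency leave the repository in the same change; otherwise any remaining `cypress/**/*.ts` spec files are now linted under the jest rules and fail on `jest/valid-expect`, and `package.json` carries a plugin nothing references. Check that both are deleted alongside this config edit.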


@ -1,32 +1,33 @@
---
name: 🦟  Bug report
name: 🦟 Bug report
about: Report a bug to help us improve.
title: ''
labels: 'bug,:reproduce'
labels: 'bug,:reproduce,:incoming'
assignees: ''
---
**Fleet version**: _(head to the "My account" page in the Fleet UI or run `fleetctl --version`)_
**Fleet version**: <!-- Copy this from the "My account" page in the Fleet UI, or run `fleetctl --version` -->
**Operating system**: _(e.g. macOS 11.2.3)_
**Web browser**: _(e.g. Chrome 88.0.4324)_
**Web browser and operating system**: <!-- e.g. Chrome 88.0.4324 running on macOS -->
<hr/>
### 🧑‍💻  Expected behavior
<!-- What did you do? What did you expect to see? -->
### 💥  Actual behavior
<!-- What did you see instead? -->
<!-- What did you see? Paste a screenshot, include a 30s video, or write 1-2 sentences describing the issue you observed. -->
TODO
### 👣 Reproduction steps
<!-- What step-by-step actions did you take? -->
### 🧑‍💻  Steps to reproduce
<!-- Provide step-by-step actions of how to recreate this bug in a clean install of Fleet. (This helps others understand and fix it more quickly.) -->
1. TODO
2. TODO
3.
### 🕯️ More info _(optional)_
<!-- Add any additional details you think could be relevant to solving or reproducing the bug (e.g., "this does not reproduce when...") -->
N/A
### More info
<!-- Any ideas? -->
<!-- If this is a performance issue, follow these steps to generate and attach a debug archive: https://fleetdm.com/docs/using-fleet/monitoring-fleet#debugging-performance-issues -->
<!-- If this is a performance issue: Please [follow these steps](https://fleetdm.com/docs/using-fleet/monitoring-fleet#debugging-performance-issues) to generate and attach a debug archive. -->
<!-- ### 🛠️ To fix -->
<!-- If this bug requires additional product design work, uncomment the heading above and add instructions to fix, Figma link, etc. here once design changes are settled. -->
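Review bot: the merged `**Web browser and operating system**` prompt loses the OS version that the old `**Operating system**: _(e.g. macOS 11.2.3)_` line asked for; the example `Chrome 88.0.4324 running on macOS` should carry an OS version the way the old example did, since Fleet Desktop, MDM and disk-encryption bugs are frequently OS-version specific. Separately, the performance-issue hint now uses a markdown link `[follow these steps](https://...)` inside an HTML comment, which is never rendered and is read only in the raw template; the previous plain URL was easier to copy.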


@ -1,7 +1,7 @@
blank_issues_enabled: false
contact_links:
- name: Chat with other developers
url: https://osquery.slack.com/join/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw#/
- name: Chat with other users
url: https://fleetdm.com/support
about: Please ask and answer questions here.
- name: Documentation
url: https://fleetdm.com/documentation
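Review bot: the removed osquery Slack URL was a shared-invite link carrying an invite token (`zt-h29zm0gk-...`), and those tokens expire and have to be re-issued; replacing it with the stable `https://fleetdm.com/support` page avoids shipping a link that silently dies. Worth applying the same rule to any other invite URLs in the templates.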


@ -2,30 +2,24 @@
name: 💡  Feature request
about: Propose a new feature or enhancement in Fleet.
title: ''
labels: '~customer request'
labels: '~feature fest,:product'
assignees: ''
---
## Goal
TODO
<!-- Describe the desired outcome -->
## Context
TODO
<!--
Please provide as much context as you can about your use case and motivations.
- How might this have a positive affect on your organization?
- What is the current situation? Why does the current situation hurt?
Thanks for filing an issue! Please use the prompts below to provide as much context as you can about your use case and motivations.
- How might this have a positive effect on your organization?
- What is the current situation? Why does the current situation hurt?
- What are you doing right now to work around this issue? What's non-ideal about it?
-->
## Problem
TODO
<!-- Describe the problem you're trying to solve. -->
## Potential solutions
<!-- You can leave this blank, or propose a solution. You can also attach any screenshots or other visuals that might help convey your meaning. -->
1.
2.
3.


@ -1,8 +1,8 @@
---
name: 📰 Release Article
name: 📰 Release article
about: Propose a new feature or enhancement in Fleet.
title: 'Release Article: vXXX.YYY.ZZZ'
labels: ':improve documentation'
title: 'Release article: vXXX.YYY.ZZZ'
labels: '#g-demand,:improve documentation'
assignees: 'spokanemac'
---
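Review bot: `about: Propose a new feature or enhancement in Fleet.` is left untouched and still describes the feature request template, not a release article; since this hunk already edits the surrounding `name`, `title` and `labels` lines, fix the description here as well (something like `about: Prepare and publish the article for a Fleet release.`).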
@ -10,14 +10,16 @@ assignees: 'spokanemac'
Fleet vXXX.YYY.ZZZ is scheduled for release on YYYY-MM-DD (afternoon PST)
## Goal
Prepare and publish the release article so that folks in the Fleet/osquery community can understand the latest features.
Prepare and publish the release article so the Fleet/osquery community can understand the latest features.
## Features
**Tier 1**
**Echelon 1**
- FILL IN HERE, if any
**Tier 2**
**Echelon 2**
- FILL IN HERE
## TODO
- [ ] Generate and proofread [changelog](https://github.com/fleetdm/fleet/blob/main/CHANGELOG.md) language
## [Working Document](https://drive.google.com/drive/folders/1DAzKvfO5zo9ftbuB56MrZDtmw4NESZEG)

219
.github/ISSUE_TEMPLATE/release-qa.md vendored Normal file

@ -0,0 +1,219 @@
---
name: Release QA
about: Checklist of required tests prior to release
title: 'Release QA:'
labels: '#g-mdm,#g-endpoint-ops,:release'
assignees: 'xpkoala,sabrinabuckets'
---
# Goal: easy-to-follow test steps for checking a release manually
# Important reference data
1. [fleetctl preview setup](https://fleetdm.com/fleetctl-preview)
2. [permissions documentation](https://fleetdm.com/docs/using-fleet/permissions)
3. premium tests require license key (needs renewal) `fleetctl preview --license-key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCBJbmMuIiwiZXhwIjoxNjQwOTk1MjAwLCJzdWIiOiJkZXZlbG9wbWVudCIsImRldmljZXMiOjEwMCwibm90ZSI6ImZvciBkZXZlbG9wbWVudCBvbmx5IiwidGllciI6ImJhc2ljIiwiaWF0IjoxNjIyNDI2NTg2fQ.WmZ0kG4seW3IrNvULCHUPBSfFdqj38A_eiXdV_DFunMHechjHbkwtfkf1J6JQJoDyqn8raXpgbdhafDwv3rmDw`
4. premium tests require license key (active - Expires Sunday, January 1, 2023 12:00:00 AM) `fleetctl preview --license-key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCBJbmMuIiwiZXhwIjoxNjcyNTMxMjAwLCJzdWIiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCIsImRldmljZXMiOjEwMCwibm90ZSI6ImZvciBkZXZlbG9wbWVudCBvbmx5IiwidGllciI6InByZW1pdW0iLCJpYXQiOjE2NDI1MjIxODF9.EGHQjIzM73YyMbnCruswzg360DEYCsDi9uz48YcDwQHq90BabGT5PIXRiculw79emGj5sk2aKgccTd2hU5J7Jw`
# Smoke Tests
Smoke tests are limited to core functionality and serve as a pre-release final review. If smoke tests are failing, a release cannot proceed.
## Fleet core:
**Fleet version** (Head to the "My account" page in the Fleet UI or run `fleetctl version`):
**Web browser** _(e.g. Chrome 88.0.4324)_:
### Prerequisites
1. `fleetctl preview` is set up and running the desired test version using [`--tag` parameters.](https://github.com/fleetdm/fleet/blob/main/handbook/product.md#manual-qa )
2. Unless you are explicitly testing older browser versions, browser is up to date.
3. Certificate & flagfile are in place to create new host.
4. In your browser, clear local storage using devtools.
<table>
<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
<tr><td>Update flow</td><td>
1. remove all fleet processes/agents/etc using `fleetctl preview reset` for a clean slate
2. run `fleetctl preview` with no tag for latest stable
3. create a host/query to later confirm upgrade with
4. STOP fleet-preview-server instances in containers/apps on Docker
5. run `fleetctl preview` with appropriate testing tag </td><td>All previously created hosts/queries are verified to still exist</td><td>pass/fail</td></tr>
<tr><td>Login flow</td><td>
1. navigate to the login page and attempt to login with both valid and invalid credentials to verify some combination of expected results.
2. navigate to the login page and attempt to login with both valid and invalid sso credentials to verify expected results.
</td><td>
1. text fields prompt when blank
2. correct error message is "authentication failed"
3. forget password link prompts for email
4. valid credentials result in a successful login.
5. valid sso credentials result in a successful login</td><td>pass/fail</td></tr>
<tr><td>Query flow</td><td>Create, edit, run, and delete queries. </td><td>
1. permissions regarding creating/editing/deleting queries are up to date with documentation
2. syntax errors result in error messaging
3. queries can be run manually
</td><td>pass/fail</td></tr>
<tr><td>Host Flow</td><td>Verify a new host can be added and removed following modal instructions using your own device.</td><td>
1. Host is added via command line
2. Host serial number and date added are accurate
3. Host is not visible after it is deleted
4. Warning and informational modals show when expected and make sense
</td><td>pass/fail</td></tr>
<tr><td>Packs flow</td><td>Verify management, operation, and logging of ["2017 packs"](https://fleetdm.com/handbook/company/why-this-way#why-does-fleet-support-query-packs).</td><td>
1. Packs successfully run on host machines after migrations
2. New Packs can be created
3. Packs can be edited and deleted
4. Packs results information is logged
</td><td>pass/fail</td></tr>
<tr><td>Log destination flow</td><td>Verify log destination for software, query, policy, and packs.</td><td>
1. Software, query, policy, and packs logs are successfully sent to external log destinations
2. Software, query, policy, and packs logs are successfully sent to Filesystem log destinations
</td><td>pass/fail</td></tr>
<tr><td>My device page</td><td>Verify the end user's my device page loads successfully.</td><td>
1. Clicking the Fleet desktop item, then "My device" successfully loads the my device page.
2. The "My device" page is populated correctly and as expected.
3. Styling and padding appears correct.
</td><td>pass/fail</td></tr>
<tr><td>MDM enrollment flow</td><td>Verify MDM enrollments, run MDM commands</td><td>
1. Erase an ADE-eligible macOS host and verify able to complete auomated enrollment flow.
2. With Windows MDM turned On, enroll a Windows host and verify MDM is turned On for the host.
3. Verify able to run MDM commands on both macOS and Windows hosts from the CLI.
</td><td>pass/fail</td></tr>
<tr><td>Scripts</td><td>Verify script library and execution</td><td>
1. Verify able to run a script on all host types from CLI.
2. Verify scripts library upload/download/delete.
3. From Host details (Windows and macOS) run a script that should PASS, verify.
4. From Host details (Windows and macOS) run a script that should FAIL, verify.
5. Verify UI loading state and statuses for scripts.
6. Disable scripts globally and verify unable to run.
7. Verify scripts display correctly in Activity feed.
</td><td>pass/fail</td></tr>
<tr><td>OS settings</td><td>Verify OS settings functionality</td><td>
1. Verify able to configure Disk encryption.
2. Verify host enrolled with Disk encryption enforced successfully encrypts.
3. Verify Profiles upload/download/delete (macOS & Windows).
4. Verify profiles are delivered to host and applied.
</td><td>pass/fail</td></tr>
<tr><td>Setup experience</td><td>Verify macOS Setup experience</td><td>
1. Configure End user authentication.
2. Upload a Boostrap package.
3. Enroll an ADE-eligible macOS host and verify successful authentication.
4. Verify Boostrap package is delivered.
</td><td>pass/fail</td></tr>
<tr><td>OS updates</td><td>Verify OS updates flow</td><td>
1. Configure OS updates (macOS & Windows).
2. Verify on-device that Nudge prompt appears (macOS).
</td><td>pass/fail</td></tr>
<tr><td>Migration Test</td><td>Verify Fleet can migrate to the next version with no issues.</td><td>
Using the migration scripts located in fleet/test/upgrade/
1. Run the upgrade_test.go script using the most recent stable version of Fleet and `main`.
2. Upgrade test returns an 'OK' response.
</td><td>pass/fail</td></tr>
<tr><td>Migration Test with Percona XtraDB MySQL Server</td><td>Verify Fleet can migrate to the next version without issues when using a specific version of Percona XtraDB Server.</td><td>
Run the instructions in [tools/percona/test/README.md](../../tools/percona/test/README.md)
</td><td>pass/fail</td></tr>
<tr><td>Release blockers</td><td>Verify there are no outstanding release blocking tickets.</td><td>
1. Check [this](https://github.com/fleetdm/fleet/labels/~release%20blocker) filter to view all open `~release blocker` tickets.
2. If any are found raise an alarm in the `#help-engineering` and `#help-product-design` channels.
</td><td>pass/fail</td></tr>
</table>
### Notes
Issues found new to this version:
Issues found that reproduce in last stable version:
What has not been tested:
Include any notes on whether issues should block release or not as needed:
## `fleetd` agent:
Includes updates to:
- Orbit: True / False
- Desktop: True / False
- Chrome extension: True / False
List versions changes for any component updates below:
<!-- Remove items without updates -->
- Orbit `v1.xx.x` > `v1.xx.x`
- Desktop `v1.xx.x` > `v1.xx.x`
- Chrome extension `v1.xx.x` > `v1.xx.x`
### Prerequisites
1. Build a new `fleetd` from the release candidate branch as neded for Orbit, Desktop, and Chrome Extension.
<table>
<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
<tr><td>`fleetd` tests</td>
<td>
1. Create binaries for Mac, Windows, and Ubuntu running against the `edge` channels and install (--orbit-channel edge, --desktop-channel edge).<br>
2. Work with engineer leading the release to push changes to the `edge` channel.
</td>
<td>
1. Confirm the hosts running on the edge channel receive the update and are working correctly.<br>
2. Confirm any new features and/or bug fixes associated with this release are working as intended.
</td>
<td>pass/fail</td></tr>
<td>`fleetd` auto-update tests</td>
<td>
1. Conduct the [`fleetd` auto-update n+1 test]([url](https://github.com/fleetdm/fleet/blob/main/tools/tuf/test/Fleetd-auto-update-test-guide.md))<br>
2. QA certifies new release by commenting in issue.<br>
3. Engineer waits at least 1 business day, then promotes update to `stable`.
</td>
<td>
1. Agent successfully auto-updates.<br>
2. Issue is certified by QA.<br>
3. Agent is promoted to `stable`.<br>
4. Confirms agents running on `stable` receive the new update.
</td>
<td>pass/fail</td></tr>
</table>
# Notes
Issues found new to this version:
Issues found that reproduce in last stable version:
What has not been tested:
Include any notes on whether issues should block release or not as needed:
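Review bot: the two `fleetctl preview --license-key=eyJ...` lines under "Important reference data" commit license JWTs to a public issue template. Decoding the payloads, the first has `"exp":1640995200` (2022-01-01) and the second `"exp":1672531200` (2023-01-01), matching the "Expires Sunday, January 1, 2023" note, so both were expired well before this commit date and the "active" label on item 4 is wrong; replace both with a pointer to where QA obtains a current development key instead of pasting tokens into the repository, even dev-only ones. Markup in the same file needs attention: the `fleetd` auto-update row starts with `<td>` with no opening `<tr>` after the preceding `</tr>`, both table headers close `<th>pass/fail` with `</td>`, and the link `[`fleetd` auto-update n+1 test]([url](https://github.com/...))` nests a link inside a link and will render broken. Minor: "auomated", "Boostrap" (twice), "neded", and `fleetctl version` here versus `fleetctl --version` in the bug report template.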


@ -1,93 +0,0 @@
---
name: Release QA
about: Checklist of required tests prior to release
title: ''
labels: ''
assignees: ''
---
# Goal: easy-to-follow test steps for sanity checking a release manually
**Fleet version** (Head to the "My account" page in the Fleet UI or run `fleetctl version`):
**Web browser** _(e.g. Chrome 88.0.4324)_:
# Important reference data
1. [fleetctl preview setup](https://fleetdm.com/fleetctl-preview)
2. [permissions documentation](https://fleetdm.com/docs/using-fleet/permissions)
3. premium tests require license key (needs renewal) `fleetctl preview --license-key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCBJbmMuIiwiZXhwIjoxNjQwOTk1MjAwLCJzdWIiOiJkZXZlbG9wbWVudCIsImRldmljZXMiOjEwMCwibm90ZSI6ImZvciBkZXZlbG9wbWVudCBvbmx5IiwidGllciI6ImJhc2ljIiwiaWF0IjoxNjIyNDI2NTg2fQ.WmZ0kG4seW3IrNvULCHUPBSfFdqj38A_eiXdV_DFunMHechjHbkwtfkf1J6JQJoDyqn8raXpgbdhafDwv3rmDw`
4. premium tests require license key (active - Expires Sunday, January 1, 2023 12:00:00 AM) `fleetctl preview --license-key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCBJbmMuIiwiZXhwIjoxNjcyNTMxMjAwLCJzdWIiOiJGbGVldCBEZXZpY2UgTWFuYWdlbWVudCIsImRldmljZXMiOjEwMCwibm90ZSI6ImZvciBkZXZlbG9wbWVudCBvbmx5IiwidGllciI6InByZW1pdW0iLCJpYXQiOjE2NDI1MjIxODF9.EGHQjIzM73YyMbnCruswzg360DEYCsDi9uz48YcDwQHq90BabGT5PIXRiculw79emGj5sk2aKgccTd2hU5J7Jw`
# Smoke Tests
Smoke tests are limited to core functionality and serve as a sanity test. If smoke tests are failing, a release cannot proceed.
## Prerequisites
1. `fleetctl preview` is set up and running the desired test version using [`--tag` parameters.](https://github.com/fleetdm/fleet/blob/main/handbook/product.md#manual-qa )
2. Unless you are explicitly testing older browser versions, browser is up to date.
3. Certificate & flagfile are in place to create new host.
4. In your browser, clear local storage using devtools.
## Instructions
<table>
<tr><th>Test name</th><th>Step instructions</th><th>Expected result</th><th>pass/fail</td></tr>
<tr><td>$Name</td><td>{what a tester should do}</td><td>{what a tester should see when they do that}</td><td>pass/fail</td></tr>
<tr><td>Update flow</td><td>
1. remove all fleet processes/agents/etc using `fleetctl preview reset` for a clean slate
1. run `fleetctl preview` with no tag for latest stable
1. create a host/query to later confirm upgrade with
1. STOP fleet-preview-server instances in containers/apps on Docker
1. run `fleetctl preview` with appropriate testing tag </td><td>All previously created hosts/queries are verified to still exist</td><td>pass/fail</td></tr>
<tr><td>Login flow</td><td>
1. navigate to the login page and attempt to login with both valid and invalid credentials to verify some combination of expected results.
2. navigate to the login page and attempt to login with both valid and invalid sso credentials to verify expected results.
</td><td>
1. text fields prompt when blank
2. correct error message is "authentication failed"
3. forget password link prompts for email
4. valid credentials result in a successful login.
5. valid sso credentials result in a successful login</td><td>pass/fail</td></tr>
<tr><td>Query flow</td><td>Create, edit, run, and delete queries. </td><td>
1. permissions regarding creating/editing/deleting queries are up to date with documentation
2. syntax errors result in error messaging
3. queries can be run manually
</td><td>pass/fail</td></tr>
<tr><td>Host Flow</td><td>Verify a new host can be added and removed following modal instructions using your own device.</td><td>
1. Host is added via command line
2. Host serial number and date added are accurate
3. Host is not visible after it is deleted
4. Warning and informational modals show when expected and make sense
</td><td>pass/fail</td></tr>
<tr><td>Migration Test</td><td>Verify Fleet can migrate to the next version with no issues.</td><td>
Using the migration scripts located in fleet/test/upgrade/
1. Run the upgrade_test.go script using the most recent stable version of Fleet and `main`.
2. Upgrade test returns an 'OK' response.
</td><td>pass/fail</td></tr>
<tr><td>Release blockers</td><td>Verify there are no outstanding release blocking tickets.</td><td>
1. Check [this](https://github.com/fleetdm/fleet/labels/~release%20blocker) filter to view all open `~release blocker` tickets.
2. If any are found raise an alarm in the `#help-engineering` and `#help-product` channels.
</td><td>pass/fail</td></tr>
</table>
# Notes
Issues found new to this version:
Issues found that reproduce in last stable version:
What has not been tested:
Include any notes on whether issues should block release or not as needed


@ -7,9 +7,9 @@ assignees: ''
---
> **This issue's remaining effort can be completed in ≤1 sprint. It will be valuable even if nothing else ships.**
>
> It is [planned and ready](https://fleetdm.com/handbook/company/development-groups#making-changes) to implement. It is on the proper kanban board.
<!-- **This issue's remaining effort can be completed in ≤1 sprint. It will be valuable even if nothing else ships.**
It is [planned and ready](https://fleetdm.com/handbook/company/development-groups#making-changes) to implement. It is on the proper kanban board. -->
## Goal
@ -19,47 +19,39 @@ assignees: ''
| I want to _________________________________________
| so that I can _________________________________________.
## Changes
This issue's estimation includes completing:
- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma file describing all relevant changes. Remove this checkbox if there are no changes to the user interface. -->
- [ ] CLI usage changes: TODO <!-- Specify what changes to the CLI usage are required. Remove this checkbox if there are no changes to the CLI. -->
- [ ] REST API changes: TODO <!-- Specify what changes to the API are required. Remove this checkbox if there are no changes necessary. -->
- [ ] Permissions changes: TODO <!-- Specify what changes to the permissions are required. Remove this checkbox if there are no changes necessary. -->
- [ ] Database schema migrations: TODO <!-- Specify what changes to the database schema are required. (This willl be used to change migration scripts accordingly.) Remove this checkbox if there are no changes necessary. -->
- [ ] Outdated documentation changes: TODO <!-- Specify what changes to the documentation are required. Remove this checkbox if there are no changes necessary. -->
- [ ] Scope transparency changes? TODO <!-- Remove this checkbox if there are no changes necessary. -->
- [ ] Breaking changes requiring major version bump? TODO <!-- Breaking changes to the CLI or REST API require a major version bump, which is rarely a good idea. Remove this checkbox if there are no changes necessary. -->
- [ ] Changes to paid features or tiers? TODO <!-- List changes to paid features or tiers required. Implementation of paid features should live in the `ee/` directory. Remove this checkbox if there are no changes necessary. -->
- [ ] QA complete?
- [ ] ... <!-- If there are any other notable requirements to draw extra attention to, add them as checkboxes here. Otherwise, remove this checkbox. -->
>  Please read this issue carefully and understand it. Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
## Context
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their github usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
- Requestor(s): _________________________ <!-- Who are the non-customer requestor(s) for this story, if any? Put their GitHub usernames here. They should be notified if the story gets de-prioritized. For customer requestors, use the `customer-xyz` label instead. -->
- Product designer: _________________________ <!-- Who is the product designer to contact if folks have questions about the UI, CLI, or API changes? -->
<!--
What else should contributors [keep in mind](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) when working on this change? (Optional.)
1.
2.
-->
## Changes
### Product
- [ ] UI changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the user interface. -->
- [ ] CLI usage changes: TODO <!-- Insert the link to the relevant Figma cover page. Remove this checkbox if there are no changes to the CLI. -->
- [ ] REST API changes: TODO <!-- Specify changes as a draft PR to the REST API doc page. Remove this checkbox if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes. -->
- [ ] Permissions changes: TODO <!-- Specify changes as a draft PR to the Manage access doc page. If doc changes aren't necessary, explicitly mention no changes to the doc page. Remove this checkbox if there are no permissions changes. -->
- [ ] Outdated documentation changes: TODO <!-- Specify required documentation changes (public-facing fleetdm.com/docs or contributors) & redirects to add to /website/config/routes.js. -->
- [ ] Changes to paid features or tiers: TODO <!-- Specify "Fleet Free" or "Fleet Premium". If only certain parts of the user story involve paid features, specify which parts. Implementation of paid features should live in the `ee/` directory. -->
### Engineering
- [ ] Database schema migrations: TODO <!-- Specify what changes to the database schema are required. (This will be used to change migration scripts accordingly.) Remove this checkbox if there are no changes necessary. -->
- [ ] Load testing: TODO <!-- List any required scalability testing to be conducted. Remove this checkbox if there is no scalability testing required. -->
>  Please read this issue carefully and understand it. Pay [special attention](https://fleetdm.com/handbook/company/development-groups#developing-from-wireframes) to UI wireframes, especially "dev notes".
## QA
### Risk assessment
- [ ] Requires load testing TODO <!-- User story has performance implications that require load testing. Otherwise, remove this checkbox. -->
Risk level: Low / High TODO <!-- Choose one. -->
Risk description: TODO <!-- If risk level is high, explain why. If low, remove. -->
#### Automated:
- Fleet: Cover / Will not cover <!-- Choose one. -->
- QAWolf: Cover / Will not cover <!-- Choose one. -->
- Requires load testing: TODO <!-- User story has performance implications that require load testing. Otherwise, remove this item. -->
- Risk level: Low / High TODO <!-- Choose one. Consider: Does this change come with performance risks? Any risk of accidental log spew? Any particular regressions to watch out for? Any potential compatibility issues, even if it's not technically a breaking change? -->
- Risk description: TODO <!-- If the risk level is high, explain why. If low, remove. -->
### Manual testing steps
<!--
@ -79,5 +71,5 @@ Add detailed manual testing steps for all affected user roles.
### Confirmation
<!-- The engineer responsible for implementing this user story completes the test plan before moving to the "Ready for QA" column. -->
1. [ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming succesful completion of QA.
1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
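Review bot: load testing is now recorded twice, as `- [ ] Load testing: TODO` under `### Engineering` and as `- Requires load testing: TODO` under `### Risk assessment`; keep one so the two answers cannot drift (the risk assessment is the natural place for the yes/no, the engineering list for the plan). The removed `- [ ] QA complete?` checkbox is covered by the `### Confirmation` items that remain, so that part is fine.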

23
.github/ISSUE_TEMPLATE/sub-task.md vendored Normal file

@ -0,0 +1,23 @@
---
name: 🧩 Sub-task
about: "Specify a sub-task. (Avoid comments. Use only as prescribed.)"
title: ''
labels: '~sub-task'
assignees: ''
---
## Related user story
TODO
<!-- A sub-task always belongs to exactly one story. The parent user story for this technical sub-task is linked here. Comment on the parent story, not on this sub-task. -->
## Task
TODO
<!-- What needs to be done. -->
## Condition of satisfaction
TODO
<!-- Describe the conditions of satisfaction that will resolve this issue. The "definition of done". It is always up to contributors to check their own work. But especially keep in mind there is no external quality assurance check for sub-tasks. (Only user stories get automatic external QA. With sub-tasks, it's up to you.) -->

22
.github/ISSUE_TEMPLATE/timebox.md vendored Normal file

@ -0,0 +1,22 @@
---
name: ⏳ Timebox
about: Specify an effort that will be completed within a pre-defined amount of time.
title: ''
labels: 'timebox'
assignees: ''
---
## Related user story
TODO
## Task
TODO
<!-- What needs to be learned. -->
## Condition of satisfaction
TODO
<!-- Describe the conditions of satisfaction that will resolve this issue. The "definition of done". It is always up to contributors to check their own work. -->


@ -1,24 +0,0 @@
---
name: 🧩  Unestimated sub-task
about: "Specify an unestimated sub-task. (Avoid comments. Use only as prescribed.)"
title: ''
labels: '~sub-task'
assignees: ''
---
## Related user story
TODO
<!-- An unestimated sub-task always belongs to exactly one story. The parent user story for this technical sub-task is linked here. Comment on the parent story, not on this sub-task. -->
## Task
TODO
<!-- What needs to be done. -->
## Condition of satisfaction
TODO
<!-- Describe the conditions of satisfaction that will resolve this issue. The "definition of done". It is always up to contributors to check their own work. But especially keep in mind there is no external quality assurance check for sub-tasks. (Only user stories get automatic external QA. With unestimated sub-tasks, it's up to you.) -->


@ -1,19 +1,19 @@
---
name: 🕸️ Website request
name: 🌐 Website request
about: Propose a new feature or enhancement to fleetdm.com.
title: 'Request: __________________________'
labels: '#g-website'
labels: '#g-digital-experience'
assignees: ''
---
> **This request is expected to be doable in ≤1 sprint. It would be valuable even if nothing else ships.**
> **This request is expected to be doable in ≤1 sprint. It would be valuable even if nothing else ships.**
>
> It will be reviewed by the acting PM for the #g-website product group, and then hopefully [prioritized, drafted, and implemented](https://fleetdm.com/handbook/company/development-groups#making-changes).
## Goal
<!-- Describe the desired outcome -->
<!-- Describe the desired outcome.-->
| User story |
|:---------------------------------------------------------------------------|
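Review bot: `labels` changes from `#g-website` to `#g-digital-experience`, but the blockquote a few lines later still says the request "will be reviewed by the acting PM for the #g-website product group"; update the group name there too so the template text does not point at a label it no longer applies.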
@ -21,17 +21,17 @@ assignees: ''
| I want to _________________________________________
| so that I can _________________________________________.
>For help creating a user story, see ["Writing a good user story"](https://fleetdm.com/handbook/company/development-groups#writing-a-good-user-story) in the website handbook.
## Changes
This issue's estimation includes completing:
This issue's estimation includes completing the following:
- [ ] UI changes: TODO
- [ ] QA complete?
## QA
<!--
Make sure that someone verified each step outlined below before the associated PR is merged.
-->
>The testing steps outlined below must be verified before the associated PR is merged. See ["Quality"](https://fleetdm.com/handbook/marketing/website-handbook#quality) in the website handbook for help.
### Manual testing steps
<!--
@ -42,6 +42,8 @@ Add detailed manual testing steps for all affected user flows.
2. Step 2
3. Step 3
>In addition to the steps above, ensure changes have been checked at all breakpoints, and a [browser compatibility](https://fleetdm.com/handbook/marketing/website-handbook#browser-compatibility) test has been carried out on [supported browsers](https://fleetdm.com/docs/using-fleet/supported-browsers).
### Testing notes
<!-- Any additional testing notes relevant to this story or tools required for testing. -->


@ -1,5 +1,94 @@
# Basic set up for Actions and Docker. Security updates enabled via GitHub settings for other ecosystems.
version: 2
# updates intentionally left empty, as we were seeing too much volume of PRs, and breakages
# introduced by dependency version updates. Dependabot will continue to open security-related PRs,
# but non-security dependency updates must be done manually.
updates: []
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
# Disable version updates for github-actions dependencies
open-pull-requests-limit: 0
pull-request-branch-name:
# Default is "/" which makes "docker tag" fail with
# "not a valid repository/tag: invalid reference format".
separator: "-"
# Add assignees
assignees:
- "lukeheath"
# Maintain dependencies for Dockerfiles
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "daily"
# Disable version updates for docker dependencies
open-pull-requests-limit: 0
reviewers:
- "fleetdm/go"
- "fleetdm/infra"
pull-request-branch-name:
# Default is "/" which makes "docker tag" fail with
# "not a valid repository/tag: invalid reference format".
separator: "-"
# Add assignees
assignees:
- "fleetdm/go"
- "fleetdm/infra"
# Maintain dependencies for website NPM
- package-ecosystem: "npm"
directory: "/website"
labels:
- "website"
schedule:
interval: "daily"
# Disable version updates
open-pull-requests-limit: 0
allow:
- dependency-type: "production"
reviewers:
- "eashaw"
pull-request-branch-name:
# Default is "/" which makes "docker tag" fail with
# "not a valid repository/tag: invalid reference format".
separator: "-"
assignees:
- "eashaw"
# Maintain dependencies for Go
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "daily"
# Disable version updates
open-pull-requests-limit: 0
reviewers:
- lucasmrod
pull-request-branch-name:
# Default is "/" which makes "docker tag" fail with
# "not a valid repository/tag: invalid reference format".
separator: "-"
# Add assignees
assignees:
- lucasmrod
# Maintain dependencies for npm
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
# Disable version updates
open-pull-requests-limit: 0
reviewers:
- lukeheath
allow:
- dependency-type: "production"
pull-request-branch-name:
# Default is "/" which makes "docker tag" fail with
# "not a valid repository/tag: invalid reference format".
separator: "-"
# Add assignees
assignees:
- lukeheath
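Review bot: the header comment (`# Basic set up for Actions and Docker. Security updates enabled via GitHub settings for other ecosystems.`) and the per-entry comments (`# Maintain dependencies for Go`, `# Maintain dependencies for website NPM`, and so on) no longer describe what this file does. Every entry sets `open-pull-requests-limit: 0`, which disables version updates for that ecosystem, so these entries only attach reviewers, assignees, labels and the branch-name separator to the security-update PRs Dependabot still opens. Suggest rewording the header to say the file covers github-actions, docker, npm (root and `/website`) and gomod, and that version updates are intentionally disabled. Two smaller points: the `# Default is "/" which makes "docker tag" fail` comment is copied into the npm and gomod entries where it does not apply, and the gomod entry uses unquoted `lucasmrod` for `reviewers`/`assignees` while the other entries quote their values.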


@ -2,13 +2,17 @@
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the product design team. -->
- [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`.
See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)
- [ ] Documented any permissions changes
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)
- [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.
- [ ] Added/updated tests
- [ ] If database migrations are included, checked table schema to confirm autoupdate
- For database migrations:
- [ ] Checked schema for all modified table for columns that will auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
- [ ] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
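Review bot: the item `Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)` folds three separately verifiable checks into one checkbox, so a reviewer cannot record that two of them were done and one was not; suggest splitting it into three items. Also, in `Manual QA must be performed in the three main OSs, macOS, Windows and Linux.` a colon after `OSs` reads better than the comma.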


@ -29,8 +29,13 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
@ -39,9 +44,9 @@ jobs:
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.19.10
go-version: ${{ vars.GO_VERSION }}
- name: Install Go Dependencies
run: make deps-go
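Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections, it does not restrict them, so the step adds visibility but no enforcement to a job that holds `contents: write` and Docker Hub credentials. Suggest a one-line comment saying this is a baselining phase and that the policy is meant to move to `block` with an `allowed-endpoints` list once the audit output has been reviewed. The `docker/login-action@f4ef78c...` pin is also the only pinned action in this hunk without a trailing version comment.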


@ -3,7 +3,7 @@ name: Build binaries
on:
push:
branches:
- main
- main
pull_request:
workflow_dispatch:
@ -24,61 +24,72 @@ jobs:
build-binaries:
runs-on: ubuntu-latest
steps:
- name: Install Go
uses: actions/setup-go@v2.1.3
with:
go-version: 1.19.10
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
# Use a separate cache for this from other JS jobs since we run the
# webpack steps and will have more to cache.
key: ${{ runner.os }}-node_modules-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node_modules-
# Set the Node.js version
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Go Cache
id: go-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
# In order:
# * Module download cache
# * Build cache (Linux)
# * Build cache (Mac)
# * Build cache (Windows)
path: |
~/go/pkg/mod
~/.cache/go-build
~/Library/Caches/go-build
%LocalAppData%\go-build
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
# Use a separate cache for this from other JS jobs since we run the
# webpack steps and will have more to cache.
key: ${{ runner.os }}-node_modules-${{ hashFiles('**/yarn.lock') }}-node_version-${{ vars.NODE_VERSION }}
restore-keys: |
${{ runner.os }}-node_modules-
- name: Install Go Dependencies
if: steps.go-cache.outputs.cache-hit != 'true'
run: make deps-go
- name: Go Cache
id: go-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
# In order:
# * Module download cache
# * Build cache (Linux)
# * Build cache (Mac)
# * Build cache (Windows)
path: |
~/go/pkg/mod
~/.cache/go-build
~/Library/Caches/go-build
%LocalAppData%\go-build
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Generate static files
run: |
export PATH=$PATH:~/go/bin
make generate
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: Build binaries
run: make
- name: Install Go Dependencies
if: steps.go-cache.outputs.cache-hit != 'true'
run: make deps-go
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: build
path: build/
- name: Generate static files
run: |
export PATH=$PATH:~/go/bin
make generate
- name: Build binaries
run: make
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: build
path: build/
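Review bot: the JS cache key now ends in `-node_version-${{ vars.NODE_VERSION }}`, but the Go cache key (`${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}`) does not include `vars.GO_VERSION`, so a Go toolchain bump restores a build cache produced by the previous compiler; suggest adding the Go version to the key for the same reason the Node version was added. `actions/cache@69d9d44... # v2` and `actions/upload-artifact@0b7f8ab... # v2` also stay on their old pins while checkout and setup-go were moved forward, which is fine to defer but worth tracking.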


@ -1,9 +1,20 @@
name: Build, Sign and Notarize Orbit
name: Build, Sign and Notarize Orbit for macOS
on:
workflow_dispatch: # allow manual action
push:
paths:
# The workflow can be triggered by modifying ORBIT_VERSION env.
- '.github/workflows/build-orbit.yaml'
pull_request:
paths:
- 'orbit/**.go'
# The workflow can be triggered by modifying ORBIT_VERSION env.
- '.github/workflows/build-orbit.yaml'
env:
ORBIT_VERSION: 1.20.0
CGO_ENABLED: 1
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
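Review bot: the new `pull_request` trigger on `orbit/**.go` makes this workflow run for pull requests, but the `Import signing keys` step and the notarization credentials further down depend on repository secrets, which are not exposed to `pull_request` runs from forks; those runs will fail at the key import rather than skip. Consider gating the signing and notarization steps on `github.event.pull_request.head.repo.full_name == github.repository`, or running fork PRs as build-only.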
@ -22,8 +33,13 @@ jobs:
build:
runs-on: macos-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Import signing keys
env:
@ -41,9 +57,9 @@ jobs:
rm certificate.p12
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.19.10
go-version: ${{ vars.GO_VERSION }}
- name: Build, codesign and notarize orbit
run: go run ./orbit/tools/build/build.go
@ -53,6 +69,8 @@ jobs:
AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237
ORBIT_VERSION: ${{ env.ORBIT_VERSION }}
ORBIT_COMMIT: ${{ github.sha }}
- name: Upload orbit
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
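Review bot: `ORBIT_VERSION: ${{ env.ORBIT_VERSION }}` in the step-level `env` re-exports a workflow-level variable that every step already inherits; it can be dropped unless `build.go` expects it under a different name. `ORBIT_COMMIT: ${{ github.sha }}` is a genuine addition and reads fine.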


@ -0,0 +1,70 @@
name: Check TUF timestamps
on:
pull_request:
paths:
- '.github/workflows/check-tuf-timestamps.yml'
workflow_dispatch: # Manual
schedule:
- cron: '0 10 * * *'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
test-go:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Check remote timestamp.json file
run: |
expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 2 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
exit 1
else
exit 0
fi
- name: Slack Notification
if: failure()
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF timestamp.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
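Review bot: `curl -s http://tuf.fleetctl.com/timestamp.json` fetches the metadata over plain HTTP and without `-f`, so an error body or a tampered response is parsed as if it were the real `timestamp.json`; since this job exists to alert before the TUF timestamp expires, the check itself should not be trivially spoofable. Suggest `curl -fsS https://tuf.fleetctl.com/timestamp.json` and an explicit `[ -n "$expires" ] || exit 1` before the date arithmetic, so an empty or malformed value is reported as a failure instead of being fed to `date -d`. The job id `test-go` also does not describe a metadata-expiry check; `check-timestamp` or similar would make the run list easier to scan.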


@ -45,15 +45,25 @@ jobs:
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5
uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38
with:
languages: ${{ matrix.language }}
config-file: .github/workflows/config/codeql.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5
uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38
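Review bot: the new `github/codeql-action/init@f6e388e...` and `github/codeql-action/analyze@f6e388e...` pins have no trailing `# vX.Y.Z` comment, unlike the `actions/checkout` and `actions/setup-go` pins in the same hunk; the version comment is what lets reviewers (and Dependabot's `github-actions` updates) see which release a SHA corresponds to, so suggest adding it. Placing `Set up Go` before `Initialize CodeQL` is right for the Go extractor; if `matrix.language` includes languages other than Go, consider conditioning that step on `matrix.language == 'go'`.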

.github/workflows/dependency-review.yml vendored Normal file

@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
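Review bot: `actions/checkout@f43a0e5... # v3.6.0` differs from the `c85c95e... # v3.5.3` pin used by every other workflow touched in this commit; pick one so Dependabot opens a single bump. The `Dependency Review` step relies on the action defaults, so (as the header comment says) a PR is only blocked if the workflow is marked required; consider setting `fail-on-severity` explicitly so the threshold is visible in the file rather than implied.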


@ -31,10 +31,15 @@ jobs:
strategy:
matrix:
node-version: [14.x]
node-version: [16.x]
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Configure our access credentials for the Heroku CLI
- uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8
@ -45,18 +50,24 @@ jobs:
justlogin: true
- run: heroku auth:whoami
# Install the heroku-repo plugin in the Heroku CLI
- run: heroku plugins:install heroku-repo
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ matrix.node-version }}
# Install the right version of Go for the Golang child process that we are currently using for CSR signing
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.19
go-version: ${{ vars.GO_VERSION }}
# Download top-level dependencies and build Storybook in the website's assets/ folder
- run: npm install --legacy-peer-deps && npm run build-storybook -- -o ./website/assets/storybook --loglevel verbose
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
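Review bot: `heroku plugins:install heroku-repo` installs an unpinned plugin from the network at deploy time, in a job that holds `HEROKU_API_TOKEN_FOR_BOT_USER` plus Go and Node toolchains; this is exactly the kind of fetch the new Harden Runner step will log in `audit` mode but not block. Consider pinning the plugin to a known version or installing it from a vetted copy, and record the endpoint it needs so it can be allow-listed once the egress policy moves to `block`.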
@ -81,11 +92,14 @@ jobs:
- run: cd website/ && npm test
# Compile browser assets & markdown content into generated collateral
- run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_RELEASE_GITHUB_PAT }}" npm run build-for-prod
- run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_GITHUB_TOKEN_FOR_WEBSITE_TEST }}" npm run build-for-prod
# Build the go binary we use to sign APNS certificates in the website/.tools/ folder.
- run: cd ee/tools/mdm/ && GOOS=linux GOARCH=amd64 go build -o ../../../website/.tools/mdm-gen-cert .
# Reset the Heroku app's git repo to prevent errors when pushing to the repo. (See https://github.com/fleetdm/fleet/issues/14162 for more details)
- run: heroku repo:reset -a production-fleetdm-website
# Commit newly-generated collateral locally so we can push them to Heroku below.
# (This commit will never be pushed to GitHub- only to Heroku.)
# > The local config flags make this work in GitHub's environment.
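Review bot: the production build now passes `secrets.FLEET_GITHUB_TOKEN_FOR_WEBSITE_TEST` as `--githubAccessToken`; the secret's name says "test" while the step is the production `build-for-prod`, so either the name or the use is misleading. Confirm the token is scoped to the reads `build-for-prod` needs and rename it to reflect that it is used for production deploys. The `heroku repo:reset -a production-fleetdm-website` step is destructive to the Heroku remote; the comment linking issue 14162 explains why, which is good.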


@ -0,0 +1,89 @@
name: Deploy app to vulnerability dashboard pipeline on Heroku.
on:
push:
branches: [ main ]
paths:
- 'ee/vulnerability-dashboard/**'
permissions:
contents: read
jobs:
build:
permissions:
contents: write # for Git to git push
if: ${{ github.repository == 'fleetdm/fleet' }}
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Configure our access credentials for the Heroku CLI
- uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8
with:
heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}}
heroku_app_name: "" # this has to be blank or it doesn't work
heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}}
justlogin: true
- run: heroku auth:whoami
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ matrix.node-version }}
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
# > i.e. the one used by the Fleet server. This is because require() in node will go
# > hunting in ancestral directories for missing dependencies, and since some of the
# > bundled transpiler tasks sniff for package availability using require(), this trips
# > up when it encounters another Node universe in the parent directory.
- run: rm -rf package.json package-lock.json node_modules/
# > Turns out there's a similar issue with how eslint plugins are looked up, so we
# > delete the top level .eslintrc file too.
- run: rm -f .eslintrc.js
# > And, as a change to the top-level fleetdm/fleet .gitignore on May 2, 2022 revealed,
# > we also need to delete the top level .gitignore file too, so that its rules don't
# > interfere with the committing and force-pushing we're doing as part of our deploy
# > script here. For more info, see: https://github.com/fleetdm/fleet/pull/5549
- run: rm -f .gitignore
# Get dependencies (including dev deps)
- run: cd ee/vulnerability-dashboard/ && npm install
# Run sanity checks
- run: cd ee/vulnerability-dashboard/ && npm test
# Compile assets
- run: cd ee/vulnerability-dashboard/ && npm run build-for-prod
# Commit newly-built assets locally so we can push them to Heroku below.
# (This commit will never be pushed to GitHub- only to Heroku.)
# > The local config flags make this work in GitHub's environment.
- run: git add ee/vulnerability-dashboard/.www
- run: git -c "user.name=GitHub" -c "user.email=github@example.com" commit -am 'AUTOMATED COMMIT - Deployed the latest, including modified HTML layouts and .sailsrc file that reference minified assets.'
# Configure the Heroku app we'll be deploying to
- run: heroku git:remote -a vulnerability-dashboard
- run: git remote -v
# Deploy to Heroku (by pushing)
# > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
- run: echo "Unshallowing local repository…"
- run: git fetch --prune --unshallow
- run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
- run: git push heroku +${GITHUB_REF##*/}:master
- name: 🌐 The dashboard has been deployed
run: echo '' && echo '--' && echo 'OK, done. It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)'
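Review bot: `node-version: [14.x]` pins the new dashboard deploy to Node 14, which reached end of life in April 2023, while the website workflow in this same commit moved to 16.x; suggest aligning them. `permissions: contents: write # for Git to git push` grants the GITHUB_TOKEN write access, but the push goes to the Heroku remote using `HEROKU_API_TOKEN_FOR_BOT_USER` and the local commit needs no GitHub permission, so unless something else relies on it `contents: read` is the least-privilege choice. Finally, `git push heroku +${GITHUB_REF##*/}:master` force-pushes whatever ref triggered the run; the `branches: [ main ]` filter makes that main only, but an explicit `main:master` would state the intent more plainly than the parameter expansion.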


@ -28,8 +28,13 @@ jobs:
contents: read # to read files to check dead links
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # master
- uses: gaurav-nelson/github-action-markdown-link-check@58f84fd654812d0d8da4e4d4a559eda087daf8ce # v1.0.13
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
with:
use-quiet-mode: 'yes'
config-file: .github/workflows/config/markdown-link-check-config.json


@ -30,6 +30,7 @@ env:
TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}
permissions:
id-token: write
@ -40,6 +41,11 @@ jobs:
name: Deploy Fleet Dogfood Environment
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- id: fail-on-main
run: "false"
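Review bot: Harden Runner was added, but `actions/checkout@2541b12...` remains the old v2 pin with no version comment, while every other workflow in this commit moved checkout to `c85c95e... # v3.5.3`. This job assumes an AWS role via OIDC (`id-token: write`) and applies Terraform, so it deserves the same update rather than being the one left behind.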
@ -48,9 +54,13 @@ jobs:
with:
role-to-assume: ${{env.AWS_IAM_ROLE}}
aws-region: ${{ env.AWS_REGION }}
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.3.8
terraform_version: 1.6.3
terraform_wrapper: false
- name: Terraform Init
id: init

.github/workflows/dogfood-gitops.yml vendored Normal file

@ -0,0 +1,66 @@
name: 'Apply latest configuration to dogfood with gitops'
on:
push:
branches:
- main
paths:
- 'it-and-security/**'
- '.github/workflows/dogfood-gitops.yml'
workflow_dispatch: # allows manual triggering
defaults:
run:
shell: bash
# Limit permissions of GITHUB_TOKEN.
permissions:
contents: read
jobs:
fleet-gitops:
timeout-minutes: 10
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout our repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Checkout GitOps repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: fleetdm/fleet-gitops
ref: main
path: fleet-gitops
- name: Apply env vars to profiles
env:
MANAGED_CHROME_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
run: |
envsubst < ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig > ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig
mv ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.confidential.mobileconfig ./it-and-security/lib/configuration-profiles/macos-chrome-enrollment.mobileconfig
- name: Apply latest configuration to Fleet
uses: ./fleet-gitops/.github/gitops-action
with:
working-directory: ${{ github.workspace }}/fleet-gitops
env:
FLEET_GITOPS_DIR: ${{ github.workspace }}/it-and-security
FLEET_URL: https://dogfood.fleetdm.com
FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
DOGFOOD_APPLE_BM_DEFAULT_TEAM: "💻Workstations"
DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL: ${{ secrets.DOGFOOD_MACOS_MIGRATION_WEBHOOK_URL }}
DOGFOOD_GLOBAL_ENROLL_SECRET: ${{ secrets.DOGFOOD_GLOBAL_ENROLL_SECRET }}
DOGFOOD_SSO_ISSUER_URI: ${{ secrets.DOGFOOD_SSO_ISSUER_URI }}
DOGFOOD_SSO_METADATA: ${{ secrets.DOGFOOD_SSO_METADATA }}
DOGFOOD_FAILING_POLICIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_FAILING_POLICIES_WEBHOOK_URL }}
DOGFOOD_VULNERABILITIES_WEBHOOK_URL: ${{ secrets.DOGFOOD_VULNERABILITIES_WEBHOOK_URL }}
DOGFOOD_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_ENROLL_SECRET }}
DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET }}
DOGFOOD_SERVERS_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_ENROLL_SECRET }}
DOGFOOD_SERVERS_CANARY_ENROLL_SECRET: ${{ secrets.DOGFOOD_SERVERS_CANARY_ENROLL_SECRET }}
DOGFOOD_EXPLORE_DATA_ENROLL_SECRET: ${{ secrets.DOGFOOD_EXPLORE_DATA_ENROLL_SECRET }}
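Review bot: `uses: ./fleet-gitops/.github/gitops-action` runs an action checked out from `fleetdm/fleet-gitops` at `ref: main`, so the code that receives `DOGFOOD_API_TOKEN` and every enroll secret listed under `env` is whatever is on that branch at run time, unlike the SHA-pinned actions elsewhere in this file. Suggest pinning `ref` to a commit SHA (with a version comment) and bumping it deliberately. Also, the `Apply env vars to profiles` step writes `CLOUD_MANAGEMENT_ENROLLMENT_TOKEN` into `macos-chrome-enrollment.mobileconfig` in the workspace; that is expected for the profile, but make sure no later step uploads or prints the `it-and-security/` tree, since the substituted file now contains the token.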


@ -1,44 +0,0 @@
# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the provided team.
name: Apply latest configuration profiles (example)
on:
push:
branches:
- main
paths:
- "path/to/**.mobileconfig"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
env:
FLEET_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
FLEET_URL: ${{ secrets.DOGFOOD_URL }}
TOKEN_USED_BY_PROFILE: ${{ secrets.TOKEN_USED_BY_PROFILE }}
jobs:
apply-profiles:
timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- name: Apply configuration profiles and updates
uses: fleetdm/fleet-mdm-gitops@026ee84a69cb89c869fedbe27c969bf89def418b
with:
FLEET_API_TOKEN: $FLEET_API_TOKEN
FLEET_URL: $FLEET_URL
FLEET_TEAM_NAME: 💻🐣 Workstations (canary)
MDM_CONFIG_REPO: fleetdm/fleet
MDM_CONFIG_DIRECTORY: mdm_profiles
MAC_OS_MIN_VERSION: 13.3.2
MAC_OS_VERSION_DEADLINE: 2023-06-15
MAC_OS_ENABLE_DISK_ENCRYPTION: true


@ -9,13 +9,14 @@ on:
branches:
- main
- patch-*
- prepare-*
paths:
- 'orbit/**.go'
- '.github/workflows/fleet-and-orbit.yml'
- "orbit/**.go"
- ".github/workflows/fleet-and-orbit.yml"
pull_request:
paths:
- 'orbit/**.go'
- '.github/workflows/fleet-and-orbit.yml'
- "orbit/**.go"
- ".github/workflows/fleet-and-orbit.yml"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
@ -29,7 +30,7 @@ defaults:
shell: bash
env:
OSQUERY_VERSION: 5.5.1
OSQUERY_VERSION: 5.9.1
permissions:
contents: read
@ -43,100 +44,131 @@ jobs:
address: ${{ steps.gen.outputs.address }}
enroll_secret: ${{ steps.gen.outputs.enroll_secret }}
steps:
- id: gen
run: |
UUID=$(uuidgen)
echo "subdomain=fleet-test-$UUID" >> $GITHUB_OUTPUT
echo "domain=fleet-test-$UUID.fleetuem.com" >> $GITHUB_OUTPUT
echo "address=https://fleet-test-$UUID.fleetuem.com" >> $GITHUB_OUTPUT
ENROLL=$(uuidgen)
echo "enroll_secret=$ENROLL" >> $GITHUB_OUTPUT
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- id: gen
run: |
UUID=$(uuidgen)
echo "subdomain=fleet-test-$UUID" >> $GITHUB_OUTPUT
echo "domain=fleet-test-$UUID.fleetuem.com" >> $GITHUB_OUTPUT
echo "address=https://fleet-test-$UUID.fleetuem.com" >> $GITHUB_OUTPUT
ENROLL=$(uuidgen)
echo "enroll_secret=$ENROLL" >> $GITHUB_OUTPUT
run-server:
timeout-minutes: 60
strategy:
matrix:
go-version: ['^1.19.10']
mysql: ['mysql:5.7']
go-version: ["${{ vars.GO_VERSION }}"]
mysql: ["mysql:5.7"]
runs-on: ubuntu-latest
needs: gen
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
with:
go-version: ${{ matrix.go-version }}
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
# Set the Node.js version
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Start tunnel
env:
CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
run: |
# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
# Add secret
echo "$CERT_PEM" | base64 -d > cert.pem
# Start tunnel
cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} &
until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
echo "Awaiting tunnel ready..."
sleep 5
done
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Start Infra Dependencies
run: FLEET_MYSQL_IMAGE=${{ matrix.mysql }} docker-compose up -d mysql redis &
- name: Start tunnel
env:
CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
run: |
#!/bin/bash
# Increase maximum receive buffer size to roughly 2.5 MB.
# Cloudflared uses quic-go. This buffer holds packets that have been received by the kernel,
# but not yet read by the application (quic-go in this case). Once this buffer fills up, the
# kernel will drop any new incoming packet.
# See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size.
sudo sysctl -w net.core.rmem_max=2500000
- name: Install JS Dependencies
run: make deps-js
# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
# Add secret
echo "$CERT_PEM" | base64 -d > cert.pem
# Start tunnel
cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} --logfile cloudflared.log &
until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
echo "Awaiting tunnel ready..."
sleep 5
done
- name: Generate and bundle go & js code
run: make generate
- name: Start Infra Dependencies
run: FLEET_MYSQL_IMAGE=${{ matrix.mysql }} docker-compose up -d mysql redis &
- name: Build fleet and fleetctl
# fleet-dev builds fleet with "race" enabled.
run: make fleet-dev fleetctl
- name: Install JS Dependencies
run: make deps-js
- name: Run Fleet server
env:
FLEET_OSQUERY_HOST_IDENTIFIER: instance # use instance identifier to allow for duplicate UUIDs
FLEET_SERVER_ADDRESS: 0.0.0.0:1337
FLEET_SERVER_TLS: false
FLEET_LOGGING_DEBUG: true
run: |
mkdir ./fleet_log
make db-reset
./build/fleet serve --dev --dev_license 1>./fleet_log/stdout.log 2>./fleet_log/stderr.log &
./build/fleetctl config set --address http://localhost:1337 --tls-skip-verify
until ./build/fleetctl setup --email admin@example.com --name Admin --password preview1337# --org-name Example
do
echo "Retrying setup in 5s..."
sleep 5
done
# Wait for all of the hosts to be enrolled
EXPECTED=3
until [ $(./build/fleetctl get hosts --json | grep "hostname" | wc -l | tee hostcount) -ge $EXPECTED ]; do
echo -n "Waiting for hosts to enroll: "
cat hostcount | xargs echo -n
echo " / $EXPECTED"
sleep 30
done
./build/fleetctl get hosts
echo "Success! $EXPECTED hosts enrolled."
- name: Generate and bundle go & js code
run: make generate
- name: Cleanup tunnel
if: always()
run: cloudflared tunnel --origincert cert.pem delete --force ${{ needs.gen.outputs.subdomain }}
- name: Build fleet and fleetctl
# fleet-dev builds fleet with "race" enabled.
run: make fleet-dev fleetctl
- name: Upload fleet logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-logs
path: |
fleet_log
- name: Run Fleet server
env:
FLEET_OSQUERY_HOST_IDENTIFIER: instance # use instance identifier to allow for duplicate UUIDs
FLEET_SERVER_ADDRESS: 0.0.0.0:1337
FLEET_SERVER_TLS: false
FLEET_LOGGING_DEBUG: true
run: |
mkdir ./fleet_log
make db-reset
./build/fleet serve --dev --dev_license 1>./fleet_log/stdout.log 2>./fleet_log/stderr.log &
./build/fleetctl config set --address http://localhost:1337 --tls-skip-verify
until ./build/fleetctl setup --email admin@example.com --name Admin --password preview1337# --org-name Example
do
echo "Retrying setup in 5s..."
sleep 5
done
# Wait for all of the hosts to be enrolled
EXPECTED=3
until [ $(./build/fleetctl get hosts --json | grep "hostname" | wc -l | tee hostcount) -ge $EXPECTED ]; do
echo -n "Waiting for hosts to enroll: "
cat hostcount | xargs echo -n
echo " / $EXPECTED"
sleep 30
done
./build/fleetctl get hosts
./build/fleetctl get hosts --json
echo "Success! $EXPECTED hosts enrolled."
- name: Cleanup tunnel
if: always()
run: cloudflared tunnel --origincert cert.pem delete --force ${{ needs.gen.outputs.subdomain }}
- name: Upload fleet logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-logs
path: |
fleet_log
- name: Upload cloudflared logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: cloudflared.log
path: cloudflared.log
# Sets the enroll secret of the Fleet server.
#
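Review bot: the `Start tunnel` step still installs `cloudflared` via `wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb` and `sudo dpkg -i`, with no version pin and no checksum or signature verification, so the integration test's network path depends on whatever the latest release is at run time; pin a release tag and verify the package before installing. The `#!/bin/bash` line inside the `run:` block is not a shebang in that position (the script already runs under the `bash` default shell) and can be removed. The `net.core.rmem_max` comment explaining the quic-go receive buffer is a good addition.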
@ -145,71 +177,83 @@ jobs:
timeout-minutes: 60
strategy:
matrix:
go-version: ['^1.19.10']
go-version: ["${{ vars.GO_VERSION }}"]
runs-on: ubuntu-latest
needs: gen
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
with:
go-version: ${{ matrix.go-version }}
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Build Fleetctl
run: make fleetctl
- id: enroll
name: Set enroll secret
run: |
./build/fleetctl config set --address ${{ needs.gen.outputs.address }}
until ./build/fleetctl login --email admin@example.com --password preview1337#
do
echo "Retrying in 30s..."
sleep 30
done
echo '---
apiVersion: v1
kind: enroll_secret
spec:
secrets:
- secret: ${{ needs.gen.outputs.enroll_secret }}
' > secrets.yml
./build/fleetctl apply -f secrets.yml
- name: Build Fleetctl
run: make fleetctl
- id: enroll
name: Set enroll secret
run: |
./build/fleetctl config set --address ${{ needs.gen.outputs.address }}
until ./build/fleetctl login --email admin@example.com --password preview1337#
do
echo "Retrying in 30s..."
sleep 30
done
echo '---
apiVersion: v1
kind: enroll_secret
spec:
secrets:
- secret: ${{ needs.gen.outputs.enroll_secret }}
' > secrets.yml
./build/fleetctl apply -f secrets.yml
# Here we generate the Fleet Desktop and osqueryd targets for
# macOS which can only be generated from a macOS host.
build-macos-targets:
strategy:
matrix:
go-version: ['^1.19.10']
runs-on: macos-latest
go-version: ["${{ vars.GO_VERSION }}"]
# Set macOS version to '12' (current equivalent to macos-latest) for
# building the binary. This ensures compatibility with macOS version 13 and
# later, avoiding runtime errors on systems using macOS 13 or newer.
#
# Note: Update this version to '13' once GitHub marks macOS 13 as stable
# or if we revise our minimum supported macOS version.
runs-on: macos-12
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
with:
go-version: ${{ matrix.go-version }}
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Build desktop.app.tar.gz and osqueryd.app.tar.gz
run: |
make desktop-app-tar-gz
make osqueryd-app-tar-gz version=$OSQUERY_VERSION out-path=.
- name: Upload desktop.app.tar.gz and osqueryd.app.tar.gz
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: macos-pre-built-apps
path: |
desktop.app.tar.gz
osqueryd.app.tar.gz
- name: Build desktop.app.tar.gz and osqueryd.app.tar.gz
run: |
make desktop-app-tar-gz
make osqueryd-app-tar-gz version=$OSQUERY_VERSION out-path=.
- name: Upload desktop.app.tar.gz and osqueryd.app.tar.gz
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: macos-pre-built-apps
path: |
desktop.app.tar.gz
osqueryd.app.tar.gz
# TODO(lucas): Currently, to simplify the workflow we do all in one job:
# 1. Generate TUF repository (compile Orbit from source).
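Review bot: `egress-policy: audit` in the new Harden Runner steps only records outbound connections, it does not stop them; once a few runs have produced the endpoint list, switch to `egress-policy: block` with `allowed-endpoints` so an unexpected download during `make fleetctl` or `make desktop-app-tar-gz` fails instead of being logged. The pin upgrade is also uneven in this hunk: `setup-go` and `checkout` move to the `v4.1.0` and `v3.5.3` commits while `actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2` stays on the old pin; bring it to the same level so the pins can be audited in one pass.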
@ -227,276 +271,287 @@ jobs:
timeout-minutes: 60
strategy:
matrix:
go-version: ['^1.19.10']
go-version: ["${{ vars.GO_VERSION }}"]
runs-on: ubuntu-latest
needs: [gen, build-macos-targets]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
with:
go-version: ${{ matrix.go-version }}
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download macos pre-built apps
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: macos-pre-built-apps
- name: Download macos pre-built apps
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: macos-pre-built-apps
- name: Build Repository and run TUF server
env:
SYSTEMS: "macos windows linux"
PKG_FLEET_URL: ${{ needs.gen.outputs.address }}
PKG_TUF_URL: http://localhost:8081
DEB_FLEET_URL: ${{ needs.gen.outputs.address }}
DEB_TUF_URL: http://localhost:8081
RPM_FLEET_URL: ${{ needs.gen.outputs.address }}
RPM_TUF_URL: http://localhost:8081
MSI_FLEET_URL: ${{ needs.gen.outputs.address }}
MSI_TUF_URL: http://localhost:8081
ENROLL_SECRET: ${{ needs.gen.outputs.enroll_secret }}
MACOS_USE_PREBUILT_DESKTOP_APP_TAR_GZ: 1
MACOS_USE_PREBUILT_OSQUERYD_APP_TAR_GZ: 1
GENERATE_PKG: 1
GENERATE_DEB: 1
GENERATE_RPM: 1
GENERATE_MSI: 1
FLEET_DESKTOP: 1
run: |
./tools/tuf/test/main.sh
- name: Build Repository and run TUF server
env:
SYSTEMS: "macos windows linux"
PKG_FLEET_URL: ${{ needs.gen.outputs.address }}
PKG_TUF_URL: http://localhost:8081
DEB_FLEET_URL: ${{ needs.gen.outputs.address }}
DEB_TUF_URL: http://localhost:8081
RPM_FLEET_URL: ${{ needs.gen.outputs.address }}
RPM_TUF_URL: http://localhost:8081
MSI_FLEET_URL: ${{ needs.gen.outputs.address }}
MSI_TUF_URL: http://localhost:8081
ENROLL_SECRET: ${{ needs.gen.outputs.enroll_secret }}
MACOS_USE_PREBUILT_DESKTOP_APP_TAR_GZ: 1
MACOS_USE_PREBUILT_OSQUERYD_APP_TAR_GZ: 1
GENERATE_PKG: 1
GENERATE_DEB: 1
GENERATE_RPM: 1
GENERATE_MSI: 1
FLEET_DESKTOP: 1
run: |
./tools/tuf/test/main.sh
- name: Upload PKG installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery.pkg
path: |
fleet-osquery.pkg
- name: Upload PKG installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery.pkg
path: |
fleet-osquery.pkg
- name: Upload DEB installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery_42.0.0_amd64.deb
path: |
fleet-osquery_42.0.0_amd64.deb
- name: Upload MSI installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery.msi
path: |
fleet-osquery.msi
- name: Upload DEB installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery_42.0.0_amd64.deb
path: |
fleet-osquery_42.0.0_amd64.deb
- name: Upload MSI installer
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: fleet-osquery.msi
path: |
fleet-osquery.msi
orbit-macos:
timeout-minutes: 60
runs-on: macos-latest
needs: [gen, run-tuf-and-gen-pkgs]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download pkg
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery.pkg
- name: Download pkg
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery.pkg
- name: Install pkg
run: |
sudo hostname orbit-macos
sudo installer -pkg ${{ steps.download.outputs.download-path }}/fleet-osquery.pkg -target /
- name: Install pkg
run: |
sudo hostname orbit-macos
sudo installer -pkg ${{ steps.download.outputs.download-path }}/fleet-osquery.pkg -target /
- name: Wait enroll
run: |
# Wait until fleet server goes down.
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Wait enroll
run: |
# Wait until fleet server goes down.
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Run orbit shell
run:
sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'
- name: Run orbit shell
run: sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'
- name: Collect orbit logs
if: always()
run: |
mkdir orbit-logs
sudo cp /var/log/orbit/* orbit-logs/
- name: Collect orbit logs
if: always()
run: |
mkdir orbit-logs
sudo cp /var/log/orbit/* orbit-logs/
- name: Upload orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs
path: |
orbit-logs
- name: Uninstall pkg
run: |
./orbit/tools/cleanup/cleanup_macos.sh
- name: Upload orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs
path: |
orbit-logs
- name: Uninstall pkg
run: |
./orbit/tools/cleanup/cleanup_macos.sh
orbit-ubuntu:
timeout-minutes: 60
runs-on: ubuntu-latest
needs: [gen, run-tuf-and-gen-pkgs]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Download deb
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery_42.0.0_amd64.deb
- name: Download deb
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery_42.0.0_amd64.deb
- name: Install deb
run: |
sudo hostname orbit-ubuntu
sudo dpkg --install ${{ steps.download.outputs.download-path }}/fleet-osquery_42.0.0_amd64.deb
- name: Install deb
run: |
sudo hostname orbit-ubuntu
sudo dpkg --install ${{ steps.download.outputs.download-path }}/fleet-osquery_42.0.0_amd64.deb
- name: Wait enroll
run: |
# Wait until fleet server goes down.
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Wait enroll
run: |
# Wait until fleet server goes down.
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Run orbit shell
run:
sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'
- name: Run orbit shell
run: sudo orbit shell -- --json "select * from osquery_info;" | jq -e 'if (.[0]) then true else false end'
- name: Collect orbit logs
if: always()
run: |
mkdir orbit-logs
sudo journalctl -u orbit.service > orbit-logs/orbit_service.log
- name: Collect orbit logs
if: always()
run: |
mkdir orbit-logs
sudo journalctl -u orbit.service > orbit-logs/orbit_service.log
- name: Upload orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs
path: |
orbit-logs
- name: Uninstall deb
run: |
sudo apt remove fleet-osquery -y
- name: Upload orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs
path: |
orbit-logs
- name: Uninstall deb
run: |
sudo apt remove fleet-osquery -y
orbit-windows:
timeout-minutes: 60
needs: [run-tuf-and-gen-pkgs]
needs: [gen, run-tuf-and-gen-pkgs]
runs-on: windows-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Download msi
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery.msi
- name: Download msi
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: fleet-osquery.msi
- name: Install msi
shell: pwsh
run: |
Start-Process msiexec -ArgumentList "/i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv log.txt" -Wait
- name: Install msi
shell: pwsh
run: |
Start-Process msiexec -ArgumentList "/i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv log.txt" -Wait
- name: Wait enroll
run: |
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Wait enroll
run: |
while curl --fail ${{ needs.gen.outputs.address }};
do
echo "Retrying in 10s..."
sleep 10
done
- name: Run orbit shell
shell: cmd
run: |
"C:\Program Files\Orbit\bin\orbit\orbit.exe" shell -- --json "select * from osquery_info;" | jq -e "if (.[0]) then true else false end"
- name: Run orbit shell
shell: cmd
run: |
"C:\Program Files\Orbit\bin\orbit\orbit.exe" shell -- --json "select * from osquery_info;" | jq -e "if (.[0]) then true else false end"
- name: Fleet Service Tests
shell: pwsh
run: |
# Tests setup
$serviceName = "Fleet osquery"
$orbitMaxTimeToStartAndTeardown = 15
- name: Fleet Service Tests
shell: pwsh
run: |
# Tests setup
$serviceName = "Fleet osquery"
$orbitMaxTimeToStartAndTeardown = 15
# Test 1 - Check that the service starts without issues
Stop-Service -Name $serviceName
Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
Start-Service -Name $serviceName
Get-Service -Name $serviceName | %{ if ($_.Status -ne "Running") { throw "Fleet Service test #1 failed" } }
# Test 1 - Check that the service starts without issues
Stop-Service -Name $serviceName
Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
Start-Service -Name $serviceName
Get-Service -Name $serviceName | %{ if ($_.Status -ne "Running") { throw "Fleet Service test #1 failed" } }
# Test 2 - Check that the service stops without issues
Stop-Service -Name $serviceName
Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
Get-Service -Name $serviceName | %{ if ($_.Status -ne "Stopped") { throw "Fleet Service test #2 failed" } }
# Test 2 - Check that the service stops without issues
Stop-Service -Name $serviceName
Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
Get-Service -Name $serviceName | %{ if ($_.Status -ne "Stopped") { throw "Fleet Service test #2 failed" } }
# Test 3 - Check that no orbit.exe is running after service stop (updated after graceful shutdown)
#Start-Service -Name $serviceName
#Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
#Stop-Service -Name $serviceName
#Start-Sleep -Seconds ($orbitMaxTimeToStartAndTeardown * 10) # there is an issue with osqueryd runner intertupt that needs to be tracked down
#Get-Process | %{ if ($_.Name -eq "orbit") { throw "Fleet Service test #3 failed" } }
# Test 3 - Check that no orbit.exe is running after service stop (updated after graceful shutdown)
#Start-Service -Name $serviceName
#Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
#Stop-Service -Name $serviceName
#Start-Sleep -Seconds ($orbitMaxTimeToStartAndTeardown * 10) # there is an issue with osqueryd runner intertupt that needs to be tracked down
#Get-Process | %{ if ($_.Name -eq "orbit") { throw "Fleet Service test #3 failed" } }
# Test 4 - Check that service starts in less than 3 secs
#Start-Job { Start-Service -Name $args[0] } -ArgumentList $serviceName | Out-Null #async operation
#Start-Sleep -Seconds 3
#Get-Service -Name $serviceName | %{ if ($_.Status -ne "Running") { throw "Fleet Service test #4 failed" } }
# Test 4 - Check that service starts in less than 3 secs
#Start-Job { Start-Service -Name $args[0] } -ArgumentList $serviceName | Out-Null #async operation
#Start-Sleep -Seconds 3
#Get-Service -Name $serviceName | %{ if ($_.Status -ne "Running") { throw "Fleet Service test #4 failed" } }
# Test 5 - Check that service stops in less than $orbitMaxTimeToStartAndTeardown secs
#Start-Job { Stop-Service -Name $args[0] } -ArgumentList $serviceName | Out-Null #async operation
#Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
#Get-Service -Name $serviceName | %{ if ($_.Status -ne "Stopped") { throw "Fleet Service test #5 failed" } }
# There is an sporadic issue with --insecure flag being used and osqueryd which causes long shutdown time, not testing this scenario until issue this scenario is sorted out
# Test 5 - Check that service stops in less than $orbitMaxTimeToStartAndTeardown secs
#Start-Job { Stop-Service -Name $args[0] } -ArgumentList $serviceName | Out-Null #async operation
#Start-Sleep -Seconds $orbitMaxTimeToStartAndTeardown
#Get-Service -Name $serviceName | %{ if ($_.Status -ne "Stopped") { throw "Fleet Service test #5 failed" } }
- name: MSI Installer Tests
shell: pwsh
run: |
# Tests setup
$serviceName = "Fleet osquery"
$registryPath = "HKLM:\SOFTWARE\FleetDM\"
$installerExecTime = 15
# There is an sporadic issue with --insecure flag being used and osqueryd which causes long shutdown time, not testing this scenario until issue this scenario is sorted out
# Commenting test, being looked at as part of https://github.com/fleetdm/fleet/issues/8057
# Test 1 - Check that there is not Orbit installation folder in programfiles and no registry entries after MSI uninstallation
# msiexec /x ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest1.txt
# Start-Sleep -Seconds $installerExecTime
# if (Test-Path -Path $Env:Programfiles\Orbit) { throw "MSI Installer test #1 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Name) { throw "MSI Installer test #1 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -gt 0) { throw "MSI Installer test #1 failed" }
- name: MSI Installer Tests
shell: pwsh
run: |
# Tests setup
$serviceName = "Fleet osquery"
$registryPath = "HKLM:\SOFTWARE\FleetDM\"
$installerExecTime = 15
# Test 2 - Check that Orbit service, installation folder and registry entry are present after installing MSI again
# msiexec /i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest2.txt
# Start-Sleep -Seconds $installerExecTime
# if (-not (Test-Path -Path $Env:Programfiles\Orbit)) { throw "MSI Installer test #2 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Status -ne "Running") { throw "MSI Installer test #2 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -eq 0) { throw "MSI Installer test #2 failed" }
# Commenting test, being looked at as part of https://github.com/fleetdm/fleet/issues/8057
# Test 3 - Check that there is not Orbit folder in programfiles, no fleet service entry and no registry entries after uninstalling MSI again
# msiexec /x ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest3.txt
# Start-Sleep -Seconds $installerExecTime
# if (Test-Path -Path $Env:Programfiles\Orbit) { throw "MSI Installer test #3 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Name) { throw "MSI Installer test #3 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -gt 0) { throw "MSI Installer test #3 failed" }
# Test 1 - Check that there is not Orbit installation folder in programfiles and no registry entries after MSI uninstallation
# msiexec /x ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest1.txt
# Start-Sleep -Seconds $installerExecTime
# if (Test-Path -Path $Env:Programfiles\Orbit) { throw "MSI Installer test #1 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Name) { throw "MSI Installer test #1 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -gt 0) { throw "MSI Installer test #1 failed" }
# Test 4 - Check that osquery manifest is present and that it points to the expected osqueryd.exe file
# msiexec /i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest4.txt
# Start-Sleep -Seconds $installerExecTime
# Get-Content "$Env:Programfiles\Orbit\osquery.man" | % { if($_ -match 'resourceFileName=\"(.*?)\"') { if (-not (Test-Path -Path ([System.Environment]::ExpandEnvironmentVariables($Matches[1])))) { throw "MSI Installer test #4 failed" } } }
# Test 2 - Check that Orbit service, installation folder and registry entry are present after installing MSI again
# msiexec /i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest2.txt
# Start-Sleep -Seconds $installerExecTime
# if (-not (Test-Path -Path $Env:Programfiles\Orbit)) { throw "MSI Installer test #2 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Status -ne "Running") { throw "MSI Installer test #2 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -eq 0) { throw "MSI Installer test #2 failed" }
- name: Upload Orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs-windows
path: C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log
# Test 3 - Check that there is not Orbit folder in programfiles, no fleet service entry and no registry entries after uninstalling MSI again
# msiexec /x ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest3.txt
# Start-Sleep -Seconds $installerExecTime
# if (Test-Path -Path $Env:Programfiles\Orbit) { throw "MSI Installer test #3 failed" }
# Get-Service -Name $serviceName -ErrorAction SilentlyContinue | %{ if ($_.Name) { throw "MSI Installer test #3 failed" } }
# if (((Get-ChildItem -Path $registryPath -ErrorAction SilentlyContinue | Measure-Object).Count) -gt 0) { throw "MSI Installer test #3 failed" }
# Test 4 - Check that osquery manifest is present and that it points to the expected osqueryd.exe file
# msiexec /i ${{ steps.download.outputs.download-path }}\fleet-osquery.msi /quiet /passive /lv logtest4.txt
# Start-Sleep -Seconds $installerExecTime
# Get-Content "$Env:Programfiles\Orbit\osquery.man" | % { if($_ -match 'resourceFileName=\"(.*?)\"') { if (-not (Test-Path -Path ([System.Environment]::ExpandEnvironmentVariables($Matches[1])))) { throw "MSI Installer test #4 failed" } } }
- name: Upload Orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-logs-windows
path: C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log
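Review bot: the three `Wait enroll` loops (`while curl --fail ${{ needs.gen.outputs.address }}`) only exit when the Fleet server stops answering, so if the server job keeps running the step spins until the 60-minute job timeout with no diagnostic; add an iteration counter and fail with a message after a bounded number of retries. The `needs: [gen, run-tuf-and-gen-pkgs]` change for `orbit-windows` is correct, since that job reads `needs.gen.outputs.address` in its own `Wait enroll` step. Fleet Service Tests #3 to #5 and the whole body of `MSI Installer Tests` are now comments, so the `MSI Installer Tests` step runs a `pwsh` block that only assigns three variables; either drop the step, guard it with `if: false`, or attach the tracking issue (https://github.com/fleetdm/fleet/issues/8057 is cited for the MSI tests, nothing is cited for service tests #3 to #5) to each disabled test so they are not forgotten.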

View File

@ -8,6 +8,7 @@ on:
branches:
- main
- patch-*
- prepare-*
paths:
- 'cmd/fleetctl/**.go'
- 'pkg/**.go'
@ -16,6 +17,7 @@ on:
- 'orbit/**.go'
- 'ee/fleetctl/**.go'
- 'docs/01-Using-Fleet/standard-query-library/standard-query-library.yml'
- 'tools/osquery/in-a-box'
pull_request:
paths:
- 'cmd/fleetctl/**.go'
@ -25,6 +27,7 @@ on:
- 'orbit/**.go'
- 'ee/fleetctl/**.go'
- 'docs/01-Using-Fleet/standard-query-library/standard-query-library.yml'
- 'tools/osquery/in-a-box'
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
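Review bot: the new `'tools/osquery/in-a-box'` entry in both `push.paths` and `pull_request.paths` has no glob, and GitHub path filters match against the full file path, so a change to a file inside that directory will not trigger the workflow; use `'tools/osquery/in-a-box/**'`, in the style of the `**.go` patterns above it.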
@ -50,33 +53,44 @@ jobs:
# - Unattended installation of Docker on macOS fails. (see
# https://github.com/docker/for-mac/issues/6450)
os: [ubuntu-latest]
go-version: ['1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Build Fleetctl
run: make fleetctl
- name: Run fleetctl preview
run: |
./build/fleetctl preview --std-query-lib-file-path $(pwd)/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
./build/fleetctl preview \
--preview-config-path ./tools/osquery/in-a-box \
--std-query-lib-file-path $(pwd)/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml
sleep 10
./build/fleetctl get hosts | tee hosts.txt
[ $( cat hosts.txt | grep online | wc -l) -eq 8 ]
[ $( cat hosts.txt | grep online | wc -l) -eq 9 ]
- name: Get fleet logs
if: always()
run: |
FLEET_LICENSE_KEY=foo docker compose -f ~/.fleet/preview/docker-compose.yml logs fleet01 fleet02 > fleet-logs.txt
# Copying logs, otherwise the upload-artifact action uploads the logs in a hidden folder (.fleet)
cp ~/.fleet/preview/orbit.log orbit.log
# Old location of orbit logs before v4.43.0
cp ~/.fleet/preview/orbit.log orbit.log || true
# New location of orbit logs since v4.43.0
cp ~/.fleet/preview/orbit/orbit.log orbit.log || true
cp -r ~/.fleet/preview/logs osquery_result_status_logs
- name: Upload logs
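Review bot: the two `cp ... || true` lines in `Get fleet logs` succeed silently when neither the old nor the new orbit log path exists, so a missing log is only noticed when the uploaded artifact turns out to be empty; since the step already has `if: always()`, copy with one guarded chain such as `cp ~/.fleet/preview/orbit/orbit.log orbit.log 2>/dev/null || cp ~/.fleet/preview/orbit.log orbit.log || echo "orbit.log not found"` so the run log says which case occurred. The expected online-host count moving from 8 to 9 has no comment explaining which host `--preview-config-path ./tools/osquery/in-a-box` adds; the same bare number is asserted in the `Test fleetctl preview` step of the other preview workflow in this commit, so a one-line comment at both sites would keep them from drifting apart.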

View File

@ -27,11 +27,10 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Start tunnel
run: |
npm install -g localtunnel
lt --port 1337 &
sleep 5
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Test fleetctl preview
run: |
@ -39,7 +38,7 @@ jobs:
fleetctl preview
sleep 10
fleetctl get hosts | tee hosts.txt
[ $( cat hosts.txt | grep online | wc -l) -eq 8 ]
[ $( cat hosts.txt | grep online | wc -l) -eq 9 ]
shell: bash
- name: Get fleet logs
@ -47,7 +46,10 @@ jobs:
run: |
FLEET_LICENSE_KEY=foo docker compose -f ~/.fleet/preview/docker-compose.yml logs fleet01 fleet02 > fleet-logs.txt
# Copying logs, otherwise the upload-artifact action uploads the logs in a hidden folder (.fleet)
cp ~/.fleet/preview/orbit.log orbit.log
# Old location of orbit logs before v4.43.0
cp ~/.fleet/preview/orbit.log orbit.log || true
# New location of orbit logs since v4.43.0
cp ~/.fleet/preview/orbit/orbit.log orbit.log || true
cp -r ~/.fleet/preview/logs osquery_result_status_logs
shell: bash

View File

@ -1,49 +0,0 @@
# This workflow applies the latest MDM profiles to the workstations team.
# It uses a fleet instance also built and executed from source.
#
# It runs automatically when a file is changed in /mdm_profiles.
name: Apply latest MDM profiles (Canary)
on:
push:
branches:
- main
paths:
- "mdm_profiles/**.mobileconfig"
- ".github/workflows/fleetctl-workstations-canary.yml"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
env:
DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }}
CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
jobs:
apply-profiles:
timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- name: Apply configuration profiles and updates
uses: fleetdm/fleet-mdm-gitops@026ee84a69cb89c869fedbe27c969bf89def418b
with:
FLEET_API_TOKEN: $DOGFOOD_API_TOKEN
FLEET_URL: $DOGFOOD_URL
FLEET_TEAM_NAME: 💻🐣 Workstations (canary)
MDM_CONFIG_REPO: fleetdm/fleet
MDM_CONFIG_DIRECTORY: mdm_profiles
MAC_OS_MIN_VERSION: "13.4.0"
MAC_OS_VERSION_DEADLINE: 2023-06-01
MAC_OS_ENABLE_DISK_ENCRYPTION: true

View File

@ -1,49 +0,0 @@
# This workflow applies the latest configuration profiles (macOS settings) and macOS updates minimum version and deadline to the workstations team.
# It uses a Fleet instance also built and executed from source.
#
# It runs when the GitHub action is triggered manually
name: Apply latest configuration profiles and macOS updates
on:
push:
branches:
- main
paths:
- "mdm_profiles/**.mobileconfig"
- ".github/workflows/fleetctl-workstations.yml"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
env:
DOGFOOD_API_TOKEN: ${{ secrets.DOGFOOD_API_TOKEN }}
DOGFOOD_URL: ${{ secrets.DOGFOOD_URL }}
CLOUD_MANAGEMENT_ENROLLMENT_TOKEN: ${{ secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN }}
jobs:
apply-profiles:
timeout-minutes: 5
runs-on: ubuntu-latest
steps:
- name: Apply configuration profiles and updates
uses: fleetdm/fleet-mdm-gitops@026ee84a69cb89c869fedbe27c969bf89def418b
with:
FLEET_API_TOKEN: $DOGFOOD_API_TOKEN
FLEET_URL: $DOGFOOD_URL
FLEET_TEAM_NAME: 💻 Workstations
MDM_CONFIG_REPO: fleetdm/fleet
MDM_CONFIG_DIRECTORY: mdm_profiles
MAC_OS_MIN_VERSION: 13.4.0
MAC_OS_VERSION_DEADLINE: "2023-06-02"
MAC_OS_ENABLE_DISK_ENCRYPTION: true
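Review bot: with both `Apply latest MDM profiles (Canary)` and `Apply latest configuration profiles and macOS updates` deleted, nothing left in this commit references `secrets.DOGFOOD_API_TOKEN`, `secrets.DOGFOOD_URL` or `secrets.CLOUD_MANAGEMENT_ENROLLMENT_TOKEN`; if no other workflow uses them, remove the repository secrets and rotate the API token, since both files exported it into a top-level `env` that every job inherited. It would also help to record in the commit message where the `mdm_profiles/**.mobileconfig` sync now lives, so nobody assumes that path trigger is still active.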

60
.github/workflows/fleetd-tuf.yml vendored Normal file
View File

@ -0,0 +1,60 @@
name: Update documentation of current versions of TUF fleetd components
on:
workflow_dispatch: # Manual
schedule:
- cron: '0 3 * * *' # Nightly 3AM UTC
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
update-fleetd-tuf:
permissions:
contents: write # for peter-evans/create-pull-request to create branch
pull-requests: write # for peter-evans/create-pull-request to create a PR
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Checkout Code
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
with:
fetch-depth: 0
- name: Update orbit/TUF.md
run: |
make fleetd-tuf
- name: PR changes
uses: peter-evans/create-pull-request@f22a7da129c901513876a2380e2dae9f8e145330 # v3.12.1
with:
base: main
branch: update-versions-of-fleetd-components-tuf
delete-branch: true
title: Update versions of fleetd components in Fleet's TUF [automated]
commit-message: |
Update versions of fleetd components in Fleet's TUF [automated]
Generated automatically with tools/tuf/status.
body: Automated change from [GitHub action](https://github.com/fleetdm/fleet/actions/workflows/fleetd-tuf.yml).
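Review bot: `actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2` in the new `fleetd-tuf.yml` pins a different commit from the `c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3` used in every other workflow touched by this commit, and `peter-evans/create-pull-request@f22a7da129c901513876a2380e2dae9f8e145330 # v3.12.1` is an old major for an action that is granted `contents: write` and `pull-requests: write`; align both pins with the rest of the repository so one dependency-update pass covers every workflow. Scoping those write permissions to the job rather than the workflow is the right choice; keep it that way when the file is next edited.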

View File

@ -24,23 +24,34 @@ defaults:
shell: bash
env:
FLEET_DESKTOP_VERSION: 1.10.0
FLEET_DESKTOP_VERSION: 1.22.0
permissions:
contents: read
jobs:
desktop-macos:
runs-on: macos-latest
# Set macOS version to '12' (current equivalent to macos-latest) for
# building the binary. This ensures compatibility with macOS version 13 and
# later, avoiding runtime errors on systems using macOS 13 or newer.
#
# Note: Update this version to '13' once GitHub marks macOS 13 as stable
# or if we revise our minimum supported macOS version.
runs-on: macos-12
steps:
- name: Install Go
uses: actions/setup-go@v2.1.3
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
go-version: '^1.19.10'
egress-policy: audit
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Import signing keys
env:
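Review bot: this is the job that runs `Import signing keys`, so `egress-policy: audit` is the weakest setting to pick here; a Harden Runner policy that only logs outbound traffic will not stop key material leaving the runner if a build dependency is compromised. Use `audit` to collect the endpoint list if that is still needed, then move this job to `egress-policy: block` with `allowed-endpoints` before the next release build. Separately, the new `macos-12` comment asserts it is the current equivalent of `macos-latest`, which will silently stop being true; point at the runner-images release notes instead of stating equivalence.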
@ -82,13 +93,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install Go
uses: actions/setup-go@v2.1.3
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
go-version: '^1.19.10'
egress-policy: audit
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Generate fleet-desktop.exe
run: |
@ -105,13 +121,18 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Install Go
uses: actions/setup-go@v2.1.3
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
go-version: '^1.19.10'
egress-policy: audit
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Generate desktop.tar.gz
run: |

View File

@ -33,8 +33,13 @@ jobs:
generate-macos:
runs-on: macos-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Generate nudge.app.tar.gz
run: make nudge-app-tar-gz version=$NUDGE_VERSION out-path=.

View File

@ -24,7 +24,7 @@ defaults:
shell: bash
env:
OSQUERY_VERSION: 5.8.2
OSQUERY_VERSION: 5.12.0
permissions:
contents: read
@ -33,8 +33,13 @@ jobs:
generate-macos:
runs-on: macos-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Generate osqueryd.app.tar.gz
run: |
@ -49,8 +54,13 @@ jobs:
generate-linux:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download and extract osqueryd for linux
run: |
@ -69,8 +79,13 @@ jobs:
generate-windows:
runs-on: windows-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Download osquery msi for Windows
run: |

View File

@ -5,6 +5,7 @@ on:
branches:
- main
- patch-*
- prepare-*
paths:
- '**.go'
pull_request:
@ -37,14 +38,19 @@ jobs:
matrix:
# See #9943, we just need to add windows-latest here once all issues are fixed.
os: [ubuntu-latest, macos-latest]
go-version: ['1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
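Review bot: moving the Go version into `vars.GO_VERSION` takes the toolchain choice out of version control, so a CI run can no longer be reproduced from the commit alone and the variable's value does not show up in this diff. Prefer `go-version-file: go.mod` on setup-go (supported by the pinned v4.1.0) so the version is reviewed with the code, or at minimum document where `GO_VERSION` is set and who can change it. Also note the matrix entry is quoted as `'${{ vars.GO_VERSION }}'`; if the variable is unset this expands to an empty string rather than failing fast.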
@ -59,5 +65,9 @@ jobs:
# Don't forget to update
# docs/Contributing/Testing-and-local-development.md when this
# version changes
go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.1
go install github.com/golangci/golangci-lint/cmd/golangci-lint@411e0bbbd3096aa0ee2b924160629bdf2bc81d40 # v1.54.2
make lint-go
- name: Run cloner-check tool
run: |
go run ./tools/cloner-check/main.go -check
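Review bot: the comment above the golangci-lint pin says to update `docs/Contributing/Testing-and-local-development.md` when the version changes, and the version changes here (v1.51.1 to v1.54.2); make sure that doc is updated in the same change. Pinning `go install` to a commit SHA with a `# v1.54.2` comment is the right pattern and matches the action pins elsewhere in this diff.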

View File

@ -3,7 +3,7 @@ name: goreleaser
on:
push:
tags:
- 'fleet-*'
- "fleet-*"
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
@ -25,8 +25,13 @@ jobs:
permissions:
contents: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0 # Needed for goreleaser
@ -37,10 +42,16 @@ jobs:
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
# Set the Node.js version
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Install JS Dependencies
run: make deps-js

View File

@ -24,8 +24,13 @@ jobs:
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
@ -49,12 +54,12 @@ jobs:
rm certificate.p12
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser@v1.9.2 release --debug --rm-dist --skip-publish -f orbit/goreleaser-macos.yml
run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-macos.yml # v1.20.0
env:
GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
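Review bot: the goreleaser jump from v1.9.2 to v1.20.0 keeps the exact same flags (`--debug --rm-dist --skip-publish`); check the run log of the new pin for deprecation warnings on those flags before relying on the release artifacts, since a renamed flag across that many minor versions would only surface at release time. Pinning `go run github.com/goreleaser/goreleaser@<sha>` with the version in a trailing comment is consistent with the rest of the change.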
@ -66,15 +71,20 @@ jobs:
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-macos
path: dist
path: dist/orbit-macos_darwin_all/orbit
goreleaser-linux:
runs-on: ubuntu-20.04
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
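Review bot: narrowing the upload `path` from `dist` to `dist/orbit-macos_darwin_all/orbit` ties the step to goreleaser's build-id and target naming, and upload-artifact v2 defaults to `if-no-files-found: warn`, so a renamed output directory would produce a green job with no artifact. Add `if-no-files-found: error` to this upload step; the same applies to the `dist/orbit_linux_amd64_v1/orbit` and `dist/orbit_windows_amd64_v1/orbit.exe` paths in the two jobs below.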
@ -83,26 +93,31 @@ jobs:
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser@v1.9.2 release --debug --rm-dist --skip-publish -f orbit/goreleaser-linux.yml
run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-linux.yml # v1.20.0
- name: Upload
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-linux
path: dist
path: dist/orbit_linux_amd64_v1/orbit
goreleaser-windows:
runs-on: windows-2022
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
@ -111,15 +126,15 @@ jobs:
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser@v1.9.2 release --debug --rm-dist --skip-publish -f orbit/goreleaser-windows.yml
run: go run github.com/goreleaser/goreleaser@56c9d09a1b925e2549631c6d180b0a1c2ebfac82 release --debug --rm-dist --skip-publish -f orbit/goreleaser-windows.yml # v1.20.0
- name: Upload
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-windows
path: dist
path: dist/orbit_windows_amd64_v1/orbit.exe

View File

@ -2,15 +2,20 @@ name: Docker publish
on:
push:
branches:
- "main"
- "prepare-*"
- "patch-*"
paths-ignore:
- 'handbook/**'
- 'website/**'
- 'mdm-profiles/**'
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
pull_request:
paths-ignore:
- 'handbook/**'
- 'website/**'
- 'mdm-profiles/**'
- "handbook/**"
- "website/**"
- "mdm-profiles/**"
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
@ -35,8 +40,13 @@ jobs:
runs-on: ubuntu-20.04
environment: Docker Hub
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
@ -45,9 +55,15 @@ jobs:
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
- name: Set up Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.19.10
go-version: ${{ vars.GO_VERSION }}
# Set the Node.js version
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Install Dependencies
run: make deps

View File

@ -31,6 +31,11 @@ jobs:
subdomain: ${{ steps.gen.outputs.subdomain }}
address: ${{ steps.gen.outputs.address }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- id: gen
run: |
UUID=$(uuidgen)
@ -41,17 +46,29 @@ jobs:
runs-on: ubuntu-latest
needs: gen
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Start tunnel
env:
CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }}
run: |
# Increase maximum receive buffer size to roughly 2.5 MB.
# Cloudflared uses quic-go. This buffer holds packets that have been received by the kernel,
# but not yet read by the application (quic-go in this case). Once this buffer fills up, the
# kernel will drop any new incoming packet.
# See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size.
sudo sysctl -w net.core.rmem_max=2500000
# Install cloudflared
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo dpkg -i cloudflared-linux-amd64.deb
# Add secret
echo "$CERT_PEM" | base64 -d > cert.pem
# Start tunnel
cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} &
cloudflared tunnel --origincert cert.pem --hostname ${{ needs.gen.outputs.subdomain }} --url http://localhost:1337 --name ${{ needs.gen.outputs.subdomain }} --logfile cloudflared.log &
until [[ $(cloudflared tunnel --origincert cert.pem info -o json ${{ needs.gen.outputs.subdomain }} | jq '.conns[0].conns[0].is_pending_reconnect') = false ]]; do
echo "Awaiting tunnel ready..."
sleep 5
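Review bot: `wget .../releases/latest/download/cloudflared-linux-amd64.deb` followed by `sudo dpkg -i` installs an unpinned, unverified binary as root, which is at odds with every other dependency in this change being pinned to a commit SHA. Pin a specific cloudflared release and verify its checksum before installing. Two smaller points in the same hunk: the `until` loop waiting on `is_pending_reconnect` has no iteration bound other than the job timeout, and the new `--logfile cloudflared.log` is uploaded as an artifact later in this workflow, so confirm the log does not echo anything derived from `cert.pem`.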
@ -68,10 +85,7 @@ jobs:
check_artifacts: true
- name: Run Fleet server
timeout-minutes: 15
env:
# Use instance identifier to allow for duplicate UUIDs
FLEET_OSQUERY_HOST_IDENTIFIER: instance
timeout-minutes: 10
run: |
chmod +x ./build/fleetctl
./build/fleetctl preview --no-hosts
@ -79,19 +93,23 @@ jobs:
./build/fleetctl get enroll-secret
docker compose -f ~/.fleet/preview/docker-compose.yml logs --follow fleet01 fleet02 &
# Wait for all of the hosts to be enrolled
EXPECTED=12
EXPECTED=3
until [ $(./build/fleetctl get hosts --json | wc -l | tee hostcount) -ge $EXPECTED ]; do
echo -n "Waiting for hosts to enroll: "
cat hostcount | xargs echo -n
echo " / $EXPECTED"
sleep 10
sleep 20
done
./build/fleetctl get hosts
echo "Success! $EXPECTED hosts enrolled."
- name: Show enrolled hosts
if: always()
run: |
./build/fleetctl get hosts --json
- name: Slack Notification
if: failure()
uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
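Review bot: `EXPECTED=3` is consistent with three OS jobs each running a single `stable` matrix entry, but the count comes from `fleetctl get hosts --json | wc -l`, which assumes exactly one JSON line per host; if the output format ever changes the loop either exits early or never. Consider counting with `jq` over the parsed objects. The new "Show enrolled hosts" step with `if: always()` is a good addition for debugging a timed-out wait.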
@ -114,6 +132,13 @@ jobs:
if: always()
run: cloudflared tunnel --origincert cert.pem delete --force ${{ needs.gen.outputs.subdomain }}
- name: Upload cloudflared logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: cloudflared.log
path: cloudflared.log
login:
runs-on: ubuntu-latest
needs: gen
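Review bot: the `cloudflared.log` artifact is downloadable by anyone with read access to the repository, and the tunnel is started with `--origincert cert.pem` decoded from a secret; check a sample log before merging to confirm it contains only connection metadata and no certificate material. Uploading with `if: always()` is right, since the log is most useful when the tunnel wait fails.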
@ -121,6 +146,11 @@ jobs:
token: ${{ steps.login.outputs.token }}
steps:
# Download fleet and fleetctl binaries from last successful build on main
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Download binaries
uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67
with:
@ -146,16 +176,30 @@ jobs:
echo "token=$TOKEN" >> $GITHUB_OUTPUT
orbit-macos:
timeout-minutes: 15
timeout-minutes: 10
strategy:
matrix:
orbit-channel: [ 'stable', 'edge' ]
osqueryd-channel: ['stable', 'edge' ]
# To run multiple VMs that have the same UUID we need to implement
# https://github.com/fleetdm/fleet/issues/8021 (otherwise orbit and osqueryd
# in the same host are enrolled as two hosts in Fleet).
# Until then we will just test the `stable` channel in all components.
#
# Alternatively, we can bring back the `edge` channel when we decide to upgrade
# our worker to macOS 13 in the future, as they changed the virtualization
# layer for 13 and now it has random UUIDs (https://github.com/actions/runner-images/issues/7591).
orbit-channel: [ 'stable' ]
osqueryd-channel: [ 'stable' ]
desktop-channel: [ 'stable' ]
runs-on: macos-latest
needs: [gen, login]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Install dependencies
run: |
@ -170,7 +214,7 @@ jobs:
SECRET=$(echo $SECRET_JSON | jq -r '.spec.secrets[0].secret')
echo "Secret: $SECRET"
echo "Hostname: $(hostname -s)"
fleetctl package --type pkg --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }} --fleet-desktop
fleetctl package --type pkg --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }} --desktop-channel=${{ matrix.desktop-channel }} --fleet-desktop --debug
sudo installer -pkg fleet-osquery.pkg -target /
until fleetctl get hosts | grep -iF $(hostname -s);
do
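Review bot: `echo "Secret: $SECRET"` two lines above the changed `fleetctl package` line prints the enroll secret into the public job log, and the new `--debug` flag increases what fleetctl itself logs. Either drop the echo or mask the value first with `echo "::add-mask::$SECRET"` so both the echo and any debug output that repeats it are redacted. The `--desktop-channel` and `--fleet-desktop` additions match the new matrix dimension.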
@ -188,7 +232,7 @@ jobs:
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-macos-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-logs
name: orbit-macos-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-${{ matrix.desktop-channel }}-logs
path: |
orbit-logs
@ -197,26 +241,36 @@ jobs:
./orbit/tools/cleanup/cleanup_macos.sh
orbit-ubuntu:
timeout-minutes: 15
timeout-minutes: 10
strategy:
matrix:
orbit-channel: [ 'stable', 'edge' ]
osqueryd-channel: ['stable', 'edge' ]
# To run multiple VMs that have the same UUID we need to implement
# https://github.com/fleetdm/fleet/issues/8021 (otherwise orbit and osqueryd
# in the same host are enrolled as two hosts in Fleet).
# Until then we will just test the `stable` channel in all components.
orbit-channel: [ 'stable' ]
osqueryd-channel: [ 'stable' ]
desktop-channel: [ 'stable' ]
runs-on: ubuntu-latest
needs: [gen, login]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install dependencies
run: |
npm install -g fleetctl
fleetctl config set --address ${{ needs.gen.outputs.address }} --token ${{ needs.login.outputs.token }}
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '^1.19.10'
go-version: ${{ vars.GO_VERSION }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Build Fleetctl
run: make fleetctl
@ -230,7 +284,7 @@ jobs:
SECRET=$(echo $SECRET_JSON | jq -r '.spec.secrets[0].secret')
echo "Secret: $SECRET"
echo "Hostname: $(hostname -s)"
./build/fleetctl package --type deb --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }}
./build/fleetctl package --type deb --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }} --desktop-channel=${{ matrix.desktop-channel }} --fleet-desktop --debug
sudo dpkg -i fleet-osquery*
until fleetctl get hosts | grep -iF $(hostname -s);
do
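Review bot: the deb build line now adds `--fleet-desktop` where the previous version did not, so this job starts exercising Fleet Desktop on a headless `ubuntu-latest` runner for the first time; confirm that is intended and that a missing display does not make orbit restart-loop and mask a real enrollment failure. Same remark as the macOS job about `echo "Secret: $SECRET"` and `--debug` leaking the enroll secret into the log.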
@ -248,7 +302,7 @@ jobs:
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-ubuntu-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-logs
name: orbit-ubuntu-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-${{ matrix.desktop-channel }}-logs
path: |
orbit-logs
@ -257,14 +311,24 @@ jobs:
sudo apt remove fleet-osquery -y
orbit-windows-build:
timeout-minutes: 15
timeout-minutes: 10
strategy:
matrix:
orbit-channel: [ 'stable', 'edge' ]
osqueryd-channel: ['stable', 'edge' ]
# To run multiple VMs that have the same UUID we need to implement
# https://github.com/fleetdm/fleet/issues/8021 (otherwise orbit and osqueryd
# in the same host are enrolled as two hosts in Fleet).
# Until then we will just test the `stable` channel in all components.
orbit-channel: [ 'stable' ]
osqueryd-channel: [ 'stable' ]
desktop-channel: [ 'stable' ]
runs-on: ubuntu-latest
needs: [gen, login]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install dependencies
run: |
docker pull fleetdm/wix:latest &
@ -278,24 +342,34 @@ jobs:
SECRET=$(echo $SECRET_JSON | jq -r '.spec.secrets[0].secret')
echo "Secret: $SECRET"
echo "Hostname: $(hostname -s)"
fleetctl package --type msi --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }} --fleet-desktop
mv fleet-osquery.msi orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
fleetctl package --type msi --fleet-url=${{ needs.gen.outputs.address }} --enroll-secret=$SECRET --orbit-channel=${{ matrix.orbit-channel }} --osqueryd-channel=${{ matrix.osqueryd-channel }} --desktop-channel=${{ matrix.desktop-channel }} --fleet-desktop --debug
mv fleet-osquery.msi orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}-desktop-${{ matrix.desktop-channel }}.msi
- name: Upload MSI
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
path: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
name: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}-desktop-${{ matrix.desktop-channel }}.msi
path: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}-desktop-${{ matrix.desktop-channel }}.msi
orbit-windows:
timeout-minutes: 15
timeout-minutes: 10
strategy:
matrix:
orbit-channel: [ 'stable', 'edge' ]
osqueryd-channel: ['stable', 'edge' ]
# To run multiple VMs that have the same UUID we need to implement
# https://github.com/fleetdm/fleet/issues/8021 (otherwise orbit and osqueryd
# in the same host are enrolled as two hosts in Fleet).
# Until then we will just test the `stable` channel in all components.
orbit-channel: [ 'stable' ]
osqueryd-channel: [ 'stable' ]
desktop-channel: [ 'stable' ]
needs: [gen, login, orbit-windows-build]
runs-on: windows-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install dependencies
shell: bash
run: |
@ -306,21 +380,28 @@ jobs:
id: download
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2
with:
name: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi
name: orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}-desktop-${{ matrix.desktop-channel }}.msi
- name: Install Orbit
shell: cmd
run: |
msiexec /i ${{steps.download.outputs.download-path}}\orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}.msi /quiet /passive /lv log.txt
msiexec /i ${{steps.download.outputs.download-path}}\orbit-${{ matrix.orbit-channel }}-osqueryd-${{ matrix.osqueryd-channel }}-desktop-${{ matrix.desktop-channel }}.msi /quiet /passive /lv log.txt
sleep 30
# We can't very accurately check the install on these Windows hosts since the hostnames tend to
# overlap and we can't control the hostnames. Instead we just return and have the run-server job
# wait until the expected number of hosts enroll.
- name: Upload orbit install log
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: msiexec-install-log
path: log.txt
- name: Upload Orbit logs
if: always()
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
with:
name: orbit-windows-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-logs
name: orbit-windows-${{ matrix.orbit-channel }}-${{ matrix.osqueryd-channel }}-${{ matrix.desktop-channel }}-logs
path: C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log
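Review bot: the new `msiexec-install-log` artifact uploads the `/lv log.txt` verbose install log, and the MSI being installed has the enroll secret baked into it; inspect one of these logs before merging to make sure the secret does not appear in it. Also, unlike the `orbit-windows-*-logs` artifact right below, this artifact name carries no matrix suffix, so it will collide as soon as a second channel combination is added back.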

View File

@ -28,8 +28,13 @@ jobs:
kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26
runs-on: ubuntu-20.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: create temp dir
run: mkdir -p helm-temp
- name: helm template -- default values

View File

@ -35,8 +35,13 @@ jobs:
build-docker:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # v1

View File

@ -0,0 +1,72 @@
name: Release fleetd-chrome beta
on:
push:
tags:
- 'fleetd-chrome-**-beta'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
release-fleetd-chrome-beta:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Run test
working-directory: ./ee/fleetd-chrome
run: |
npm install && npm run test
- name: Build & sign extension
working-directory: ./ee/fleetd-chrome
env:
CHROME_SIGNING_KEY: ${{ secrets.FLEETD_CHROME_SIGNING_KEY_BETA }}
run: |
echo -e 'FLEET_URL=""\nFLEET_ENROLL_SECRET=""' > .env
npm install && npm run build
echo "$CHROME_SIGNING_KEY" > chrome.pem
/usr/bin/google-chrome --pack-extension=./dist --pack-extension-key=chrome.pem
- name: Upload extension
working-directory: ./ee/fleetd-chrome
env:
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_CHROME_BETA_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_ID }}
R2_CHROME_BETA_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_BETA_ACCESS_KEY_SECRET }}
run: |
sudo apt-get install rclone
mkdir -p ~/.config/rclone
echo "[r2]
type = s3
provider = Cloudflare
region = auto
no_check_bucket = true
access_key_id = $R2_CHROME_BETA_ACCESS_KEY_ID
secret_access_key = $R2_CHROME_BETA_ACCESS_KEY_SECRET
endpoint = $R2_ENDPOINT
" > ~/.config/rclone/rclone.conf
mv dist.crx fleetd.crx
rclone copy fleetd.crx r2:chrome-beta/
mv updates-beta.xml updates.xml
rclone copy updates.xml r2:chrome-beta/
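Review bot: `sudo apt-get install rclone` in the upload step lacks `-y`, so it can abort on a confirmation prompt in a non-interactive job; use `apt-get install -y rclone`. In the build step, `npm install` is used for a signed release build; `npm ci` installs exactly what the lockfile pins and fails on drift, which is what you want for an artifact that ships to users. The signing key is written to `chrome.pem` and the R2 credentials to `~/.config/rclone/rclone.conf`; the runner is ephemeral, but removing both files at the end of the step costs one line. Finally, this workflow and the non-beta one below differ only in secret names, the tag filter and the bucket path, so a single reusable workflow with inputs would avoid the two copies diverging.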

View File

@ -0,0 +1,72 @@
name: Release fleetd-chrome
on:
push:
tags:
- 'fleetd-chrome-**'
- '!fleetd-chrome-**-beta'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
release-fleetd-chrome:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Run test
working-directory: ./ee/fleetd-chrome
run: |
npm install && npm run test
- name: Build & sign extension
working-directory: ./ee/fleetd-chrome
env:
CHROME_SIGNING_KEY: ${{ secrets.FLEETD_CHROME_SIGNING_KEY }}
run: |
echo -e 'FLEET_URL=""\nFLEET_ENROLL_SECRET=""' > .env
npm install && npm run build
echo "$CHROME_SIGNING_KEY" > chrome.pem
/usr/bin/google-chrome --pack-extension=./dist --pack-extension-key=chrome.pem
- name: Upload extension
working-directory: ./ee/fleetd-chrome
env:
R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
R2_CHROME_ACCESS_KEY_ID: ${{ secrets.R2_CHROME_ACCESS_KEY_ID }}
R2_CHROME_ACCESS_KEY_SECRET: ${{ secrets.R2_CHROME_ACCESS_KEY_SECRET }}
run: |
sudo apt-get install rclone
mkdir -p ~/.config/rclone
echo "[r2]
type = s3
provider = Cloudflare
region = auto
no_check_bucket = true
access_key_id = $R2_CHROME_ACCESS_KEY_ID
secret_access_key = $R2_CHROME_ACCESS_KEY_SECRET
endpoint = $R2_ENDPOINT
" > ~/.config/rclone/rclone.conf
mv dist.crx fleetd.crx
rclone copy fleetd.crx r2:chrome/
rclone copy updates.xml r2:chrome/
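Review bot: same three points as the beta workflow above apply here unchanged: `apt-get install` without `-y`, `npm install` instead of `npm ci` for a release build, and `chrome.pem` plus `rclone.conf` left on disk after use. The tag filter (`'fleetd-chrome-**'` with `'!fleetd-chrome-**-beta'`) correctly keeps beta tags out of the stable bucket.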

View File

@ -24,10 +24,15 @@ jobs:
contents: write # to push helm charts
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260
with:
token: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
token: ${{ secrets.GITHUB_TOKEN }}
charts_dir: charts
target_dir: charts
linting: off
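Review bot: switching the helm-gh-pages token from `FLEET_RELEASE_GITHUB_PAT` to the job-scoped `secrets.GITHUB_TOKEN` is a good least-privilege change, and the `contents: write` permission already declared for this job is exactly what the push needs. One consistency point: `stefanprodan/helm-gh-pages@0ad2bb37...` is SHA-pinned but has no trailing `# vX.Y.Z` comment like every other pin in this change, so add one.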

View File

@ -24,13 +24,18 @@ jobs:
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: "Checkout code"
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
@ -47,6 +52,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1
with:
sarif_file: results.sarif

View File

@ -5,6 +5,7 @@ on:
branches:
- main
- patch-*
- prepare-*
pull_request:
paths:
- '**.go'
@ -29,10 +30,15 @@ jobs:
test-db-changes:
runs-on: ubuntu-latest
steps:
- name: Install Go
uses: actions/setup-go@v2.1.3
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
go-version: '^1.19.10'
egress-policy: audit
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ vars.GO_VERSION }}
- name: Checkout Code
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
with:
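Review bot: this job still uses `actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2` while every other workflow in the change moves to `c85c95e3...# v3.5.3`; either upgrade it here as well or note why it is kept (the `with:` block is cut off in this hunk, so if a v2-only option is the reason, say so).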
@ -81,3 +87,16 @@ jobs:
fi
index=$((index+1))
done
- name: Prevent hosts foreign keys
run: |
# grep exits with an error code if it doesn't find a match, so this condition
# is only true if it a) finds a matching migrations file in the diff, and b)
# finds an FK to hosts in one of the migrations files.
#
# grep prints the matches, which will help figure out where those references are.
if git diff --name-only origin/main | grep "migrations/" | xargs grep -i -E 'references\s*hosts\s*\(\s*id\s*\)' ; then
echo "❌ fail: hosts foreign keys are not allowed"
echo "Ref: https://github.com/fleetdm/fleet/blob/main/handbook/engineering/scaling-fleet.md#foreign-keys-and-locking"
exit 1
fi
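Review bot: the pipeline in the new "Prevent hosts foreign keys" step can pass silently in two ways. If a migration file was deleted or renamed, `grep` on the missing path exits 2, the `if` is false and the check passes; add `--diff-filter=AM` to `git diff` and `-r` to `xargs` so an empty list does not run `grep` against stdin. The regex `references\s*hosts\s*\(\s*id\s*\)` also misses the common backtick-quoted form, so allow optional backticks around `hosts` and `id` (e.g. `references\s*\`?hosts\`?\s*\(\s*\`?id\`?\s*\)`). The explanatory comment block is clear; it would be worth extending it to say the check is a heuristic and a reviewer is still the last line.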

View File

@ -0,0 +1,72 @@
name: Run fleetd-chrome tests
on:
push:
branches:
- main
- patch-*
- prepare-*
pull_request:
paths:
- ee/fleetd-chrome/**
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
test-fleetd-chrome:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
key: ${{ runner.os }}-modules-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-modules-
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
working-directory: ./ee/fleetd-chrome
run: npm install
- name: Build JS
working-directory: ./ee/fleetd-chrome
run: |
echo -e 'FLEET_URL="url"\nFLEET_ENROLL_SECRET="secret"' > .env
npm run build
- name: Run JS Tests
working-directory: ./ee/fleetd-chrome
run: |
npm test
- name: Upload to Codecov
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
with:
directory: ./ee/fleetd-chrome/coverage
flags: fleetd-chrome
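Review bot: the 'Install JS Dependencies' step runs `npm install`, which can resolve versions newer than package-lock.json records and rewrite the lockfile, while the cache key is keyed on that same lockfile; use `npm ci` so CI installs exactly what is locked and fails when the lockfile is out of sync. Also note that `egress-policy: audit` only logs outbound connections and blocks nothing, so once the endpoint list is known consider `egress-policy: block` with `allowed-endpoints`.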

View File

@ -5,12 +5,14 @@ on:
branches:
- main
- patch-*
- prepare-*
paths:
- '**.go'
- 'go.mod'
- 'go.sum'
- '.github/workflows/test-go.yaml'
- 'server/authz/policy.rego'
- 'docker-compose.yml'
pull_request:
paths:
- '**.go'
@ -18,6 +20,7 @@ on:
- 'go.sum'
- '.github/workflows/test-go.yaml'
- 'server/authz/policy.rego'
- 'docker-compose.yml'
workflow_dispatch: # Manual
schedule:
- cron: '0 4 * * *'
@ -40,27 +43,37 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest]
go-version: ['^1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
mysql: ["mysql:5.7.21", "mysql:8.0.28"]
runs-on: ${{ matrix.os }}
env:
RACE_ENABLED: false
GO_TEST_TIMEOUT: 15m
GO_TEST_TIMEOUT: 20m
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Pre-starting dependencies here means they are ready to go when we need them.
- name: Start Infra Dependencies
# Use & to background this
run: FLEET_MYSQL_IMAGE=${{ matrix.mysql }} docker-compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup minio saml_idp mailhog mailpit &
run: FLEET_MYSQL_IMAGE=${{ matrix.mysql }} docker-compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup minio saml_idp mailhog mailpit smtp4dev_test &
- name: Add TLS certificate for SMTP Tests
run: |
sudo cp tools/smtp4dev/fleet.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# It seems faster not to cache Go dependencies
- name: Install Go Dependencies
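Review bot: `go-version: ['${{ vars.GO_VERSION }}']` expands to an empty string if the repository variable is unset, and setup-go then falls back to whatever Go the runner ships rather than failing; add `go-version-file: go.mod` as a fallback or a step that fails when `vars.GO_VERSION` is empty. The 'Add TLS certificate for SMTP Tests' step also installs a repository-committed certificate into the runner's system trust store via `update-ca-certificates`; acceptable on an ephemeral runner, but a comment stating it is a test-only certificate for the `smtp4dev_test` container would help the next reader.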
@ -86,6 +99,7 @@ jobs:
done
echo "mysql is ready"
- name: Run Go Tests
run: |
GO_TEST_EXTRA_FLAGS="-v -race=$RACE_ENABLED -timeout=$GO_TEST_TIMEOUT" \
@ -107,7 +121,7 @@ jobs:
- name: Slack Notification
if: github.event.schedule == '0 4 * * *' && failure()
uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{

117
.github/workflows/test-js.yml vendored Normal file
View File

@ -0,0 +1,117 @@
name: JavaScript Tests
on:
push:
branches:
- main
- patch-*
- prepare-*
pull_request:
paths:
- assets/**
- frontend/**
- package.json
- yarn.lock
- webpack.config.js
- tsconfig.json
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
test-js:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
# Set the Node.js version
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-modules-
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: Run JS Tests
run: |
yarn test:ci
- name: Upload to Codecov
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with:
flags: frontend
lint-js:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
# Set the Node.js version
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Set up Node.js ${{ vars.NODE_VERSION }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ vars.NODE_VERSION }}
- name: Checkout Code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-modules-
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: Run JS Linting
run: |
make lint-js
- name: Run prettier formatting check
run: |
yarn prettier:check
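Review bot: the `# Set the Node.js version` comment at the top of the steps list in both `test-js` and `lint-js` sits above the Harden Runner step instead of the `Set up Node.js` step it describes; move it. The codecov pin `codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70` is also the only pinned action here without the `# vX.Y.Z` annotation the other `uses:` lines carry.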

View File

@ -7,6 +7,7 @@ on:
branches:
- main
- patch-*
- prepare-*
pull_request:
paths:
- 'cmd/fleetctl/**.go'
@ -40,17 +41,22 @@ jobs:
fail-fast: false
matrix:
os: [ubuntu-latest]
go-version: ['^1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Install Go Dependencies
run: make deps-go

View File

@ -9,6 +9,7 @@ on:
branches:
- main
- patch-*
- prepare-*
pull_request:
paths:
- 'cmd/fleetctl/**.go'
@ -42,7 +43,7 @@ jobs:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
go-version: ['^1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
runs-on: ${{ matrix.os }}
steps:
@ -50,6 +51,11 @@ jobs:
# Docker needs to be installed manually on macOS.
# From https://github.com/docker/for-mac/issues/2359#issuecomment-943131345
# FIXME: lock Docker version to 4.10.0 as newer versions fail to initialize
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Docker
timeout-minutes: 20
if: matrix.os == 'macos-latest'
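Review bot: the new Harden Runner step is inserted between the three comment lines explaining manual Docker installation on macOS (`# Docker needs to be installed manually on macOS.` through `# FIXME: lock Docker version to 4.10.0`) and the 'Install Docker' step they describe, so the comments now read as documentation for Harden Runner; move the step above the comment block. Also confirm the action is supported on `macos-latest`, which this job's matrix includes.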
@ -69,14 +75,24 @@ jobs:
run: docker pull fleetdm/wix:latest &
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# It seems faster not to cache Go dependencies
- name: Install wine and wix
if: matrix.os == 'macos-latest'
run: |
./scripts/macos-install-wine.sh
wget https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip -nv -O wix.zip
mkdir wix
unzip wix.zip -d wix
rm -f wix.zip
echo wix installed at $(pwd)/wix
# It seems faster not to cache Go dependencies
- name: Install Go Dependencies
run: make deps-go
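Review bot: the 'Install wine and wix' step downloads wix311-binaries.zip from GitHub releases and unzips it straight into the build with no integrity check, and that toolset then produces the MSI installer shipped to hosts; record the archive's SHA-256 in the workflow and verify it before `unzip` (e.g. `echo "<expected-sha256>  wix.zip" | shasum -a 256 -c`), failing the job on mismatch. Minor: the `# It seems faster not to cache Go dependencies` comment now appears twice, once above the wine/wix step and again above 'Install Go Dependencies'.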
@ -106,3 +122,7 @@ jobs:
- name: Build PKG with Fleet Desktop
run: ./build/fleetctl package --type pkg --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop
- name: Build MSI (using local Wix)
if: matrix.os == 'macos-latest'
run: ./build/fleetctl package --type msi --enroll-secret=foo --fleet-url=https://localhost:8080 --fleet-desktop --local-wix-dir ./wix

59
.github/workflows/test-puppet.yml vendored Normal file
View File

@ -0,0 +1,59 @@
name: Test Puppet
on:
push:
branches:
- main
- patch-*
pull_request:
paths:
- 'ee/tools/puppet/fleetdm/**'
- '.github/workflows/test-puppet.yml'
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
test-puppet:
runs-on: macos-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Puppet Development Kit
run: brew install --cask puppetlabs/puppet/pdk
- name: Checkout Code
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
with:
fetch-depth: 0
- name: Install Ruby Gems
working-directory: ./ee/tools/puppet/fleetdm/
run: /opt/puppetlabs/pdk/bin/pdk bundle install
- name: Run Tests
working-directory: ./ee/tools/puppet/fleetdm/
run: /opt/puppetlabs/pdk/bin/pdk test unit
- name: Run Rubocop
working-directory: ./ee/tools/puppet/fleetdm/
run: /opt/puppetlabs/pdk/bin/pdk bundle exec rubocop
- name: Run Linter
working-directory: ./ee/tools/puppet/fleetdm/
run: /opt/puppetlabs/pdk/bin/pdk bundle exec puppet-lint .
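Review bot: 'Checkout Code' pins `actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2`, a v2 commit that differs from the v3.5.3 pin (`c85c95e3d7251135ab7dc9ce3241c5835cc595a9`) every other workflow in this change moves to; align it. `brew install --cask puppetlabs/puppet/pdk` is unpinned, so the test toolchain changes whenever the cask updates; pin a version if the tap offers one, or at least print `pdk --version` for traceability. The `push` trigger also omits `prepare-*`, which the other workflows add here.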

View File

@ -0,0 +1,58 @@
on:
pull_request:
paths:
- 'ee/vulnerability-dashboard/**'
- '.github/workflows/test-vulnerability-dashboard-changes.yml'
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
permissions:
contents: read
jobs:
build:
permissions:
contents: read
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [16.x]
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ matrix.node-version }}
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
# > i.e. the one used by the Fleet server. This is because require() in node will go
# > hunting in ancestral directories for missing dependencies, and since some of the
# > bundled transpiler tasks sniff for package availability using require(), this trips
# > up when it encounters another Node universe in the parent directory.
- run: rm -rf package.json package-lock.json node_modules/
# > Turns out there's a similar issue with how eslint plugins are looked up, so we
# > delete the top level .eslintrc file too.
- run: rm -f .eslintrc.js
# Get dependencies (including dev deps)
- run: cd ee/vulnerability-dashboard/ && npm install
# Run sanity checks
- run: cd ee/vulnerability-dashboard/ && npm test
# Compile assets
- run: cd ee/vulnerability-dashboard/ && npm run build-for-prod
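Review bot: this workflow has no top-level `name:` (the file starts at `on:`), so it will appear in the Actions UI and in any required-status-check configuration under its file path; add a name consistent with the other workflows. `node-version: [16.x]` also selects a Node.js line that reached end-of-life in September 2023; 18.x or 20.x avoids testing the dashboard on an unsupported runtime.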

View File

@ -3,11 +3,12 @@ name: Test Fleet website
on:
pull_request:
paths:
- 'website/**'
- 'docs/**'
- 'handbook/**'
- 'schema/**'
- 'articles/**'
- "website/**"
- "docs/**"
- "handbook/**"
- "schema/**"
- "articles/**"
- ".github/workflows/test-website.yml"
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
@ -28,33 +29,41 @@ jobs:
strategy:
matrix:
node-version: [14.x]
node-version: [16.x]
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1
with:
node-version: ${{ matrix.node-version }}
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
# > i.e. the one used by the Fleet server. This is because require() in node will go
# > hunting in ancestral directories for missing dependencies, and since some of the
# > bundled transpiler tasks sniff for package availability using require(), this trips
# > up when it encounters another Node universe in the parent directory.
- run: rm -rf package.json package-lock.json node_modules/
# > Turns out there's a similar issue with how eslint plugins are looked up, so we
# > delete the top level .eslintrc file too.
- run: rm -f .eslintrc.js
# Set the Node.js version
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
with:
node-version: ${{ matrix.node-version }}
# Get dependencies (including dev deps)
- run: cd website/ && npm install
# Download top-level dependencies and build Storybook in the website's assets/ folder.
- run: npm install --legacy-peer-deps && npm run build-storybook -- -o ./website/assets/storybook --loglevel verbose
# Run sanity checks
- run: cd website/ && npm test
# Now start building!
# > …but first, get a little crazy for a sec and delete the top-level package.json file
# > i.e. the one used by the Fleet server. This is because require() in node will go
# > hunting in ancestral directories for missing dependencies, and since some of the
# > bundled transpiler tasks sniff for package availability using require(), this trips
# > up when it encounters another Node universe in the parent directory.
- run: rm -rf package.json package-lock.json node_modules/
# > Turns out there's a similar issue with how eslint plugins are looked up, so we
# > delete the top level .eslintrc file too.
- run: rm -f .eslintrc.js
# Compile assets
- run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_RELEASE_GITHUB_PAT }}" npm run build-for-prod
# Get dependencies (including dev deps)
- run: cd website/ && npm install
# Run sanity checks
- run: cd website/ && npm test
# Compile assets
- run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_GITHUB_TOKEN_FOR_WEBSITE_TEST }}" npm run build-for-prod
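Review bot: in the final step the GitHub token is interpolated into the command line (`BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_GITHUB_TOKEN_FOR_WEBSITE_TEST }}"`), so it is visible in the process argument list on the runner even though GitHub masks it in logs; pass it through an `env:` entry and have the build script read it from the environment. This workflow also runs on `pull_request`, where PRs from forks receive no secrets, so the build script must tolerate an empty token rather than fail.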

View File

@ -5,6 +5,7 @@ on:
branches:
- main
- patch-*
- prepare-*
paths:
- 'ee/cis/**.yml'
- '.github/workflows/test-yml-specs.yml'
@ -32,17 +33,22 @@ jobs:
strategy:
matrix:
os: [ubuntu-latest]
go-version: ['^1.19.10']
go-version: ['${{ vars.GO_VERSION }}']
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Install Go
uses: actions/setup-go@v2.1.3
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Run apply spec tests
run: |

View File

@ -1,96 +0,0 @@
name: Run Tests
on:
push:
branches:
- main
- patch-*
pull_request:
paths:
- assets/**
- frontend/**
- package.json
- yarn.lock
- webpack.config.js
- tsconfig.json
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
test-js:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
~/.cache/Cypress
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-modules-
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: Run JS Tests
run: |
yarn test:ci
- name: Upload to Codecov
uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70
with:
flags: frontend
lint-js:
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout Code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
- name: JS Dependency Cache
id: js-cache
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
with:
path: |
**/node_modules
~/.cache/Cypress
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-modules-
- name: Install JS Dependencies
if: steps.js-cache.outputs.cache-hit != 'true'
run: make deps-js
- name: Run JS Linting
run: |
make lint-js
- name: Run prettier formatting check
run: |
yarn prettier:check
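Review bot: the deleted workflow was named `Run Tests`, and its replacement test-js.yml is named `JavaScript Tests` with the same `test-js` and `lint-js` job ids; if branch protection lists required checks by workflow name rather than job name, update those rules in the same change, otherwise merges block on a check that no longer exists.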

View File

@ -1,48 +0,0 @@
name: tfsec
on:
push:
branches:
- main
paths:
- '**.tf'
pull_request:
paths:
- '**.tf'
workflow_dispatch: # Manual dispatch
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
tfsec:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: tfsec sarif report
runs-on: ubuntu-latest
steps:
- name: Clone repo
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: tfsec
uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
with:
sarif_file: tfsec.sarif
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5
with:
# Path to SARIF file relative to the root of the repository
sarif_file: tfsec.sarif

View File

@ -30,11 +30,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Clone repo
uses: actions/checkout@v3
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Install terraform
uses: hashicorp/setup-terraform@v2
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.3.0

58
.github/workflows/trivy-scan.yml vendored Normal file
View File

@ -0,0 +1,58 @@
name: Trivy vulnerability scan
on:
push:
branches:
- main
paths:
- "**.tf"
pull_request:
paths:
- "**.tf"
workflow_dispatch:
schedule:
- cron: "0 4 * * *" # Nightly 4AM UTC
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
cancel-in-progress: true
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Trivy sarif report
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
with:
scan-type: "fs"
ignore-unfixed: false
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM,LOW"
trivyignores: ".trivyignore"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
with:
sarif_file: "trivy-results.sarif"
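Review bot: the new fs scan won't evaluate the Terraform files that trigger it: the job is keyed on `**.tf` but sets no `scanners` input, and Trivy's filesystem scan only runs vulnerability and secret detection by default, so the Terraform misconfiguration checks the removed tfsec workflow provided are not executed unless `scanners: "vuln,misconfig"` is set. Separately, dropping `ignore-unfixed: true`, the `skip-dirs` list and the CRITICAL-only severity from the removed trivy.yml means every unfixed LOW finding under website/, tools/ and test/ now lands in the Security tab; state that widening as intended in the PR description or restore the filters.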

View File

@ -1,29 +0,0 @@
name: Trivy vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: '0 4 * * *' # Nightly 4AM UTC
jobs:
build:
name: Trivy
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/'
trivyignores: '.trivyignore'
security-checks: 'vuln'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
with:
sarif_file: 'trivy-results.sarif'

View File

@ -25,6 +25,11 @@ jobs:
pull-requests: write # for peter-evans/create-pull-request to create a PR
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v.24.0
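Review bot: the `# v.24.0` annotation on `actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b` is wrong: that same commit is labelled `# v2` elsewhere in this change, and this is the one workflow here that keeps the v2 pin while the rest move to v3.5.3 (`c85c95e3d7251135ab7dc9ce3241c5835cc595a9`); fix the comment or, better, update the pin to match.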

20
.gitignore vendored
View File

@ -37,15 +37,11 @@ mysqldata/
# test helm charts
helm-temp
charts/fleet/charts
#editors
.idea
# Cypress e2e testing
cypress/screenshots
cypress/videos
cypress/downloads
# Fleet local development DB backups
backup.sql.gz
@ -94,3 +90,17 @@ orbit/cmd/desktop/manifest.xml
orbit/cmd/desktop/resource.syso
orbit/cmd/orbit/manifest.xml
orbit/cmd/orbit/resource.syso
# Residual files from osqueryd loadtests.
osquery_worker_*.jpg
# Residual files when building fleetd_tables extension.
fleetd_tables_*
# Location of test extensions executables
tools/test_extensions/hello_world/macos
tools/test_extensions/hello_world/windows
tools/test_extensions/hello_world/linux
# Residual files when building fleet_tables extension.
fleet_tables_*.ext

View File

@ -17,10 +17,11 @@ linters:
linters-settings:
depguard:
list-type: denylist
include-go-stdlib: false
packages-with-error-message:
- github.com/pkg/errors: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
rules:
main:
deny:
- pkg: github.com/pkg/errors
desc: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
errcheck:
check-type-assertions: false

View File

@ -27,12 +27,12 @@ builds:
- -trimpath
ldflags:
- -extldflags "-static"
- -X github.com/kolide/kit/version.appName={{ .ArtifactName }}
- -X github.com/kolide/kit/version.version={{ .Version }}
- -X github.com/kolide/kit/version.branch={{ .Branch }}
- -X github.com/kolide/kit/version.revision={{ .FullCommit }}
- -X github.com/kolide/kit/version.buildDate={{ time "2006-01-02" }}
- -X github.com/kolide/kit/version.buildUser={{ .Env.USER }}
- -X github.com/fleetdm/fleet/v4/server/version.appName={{ .ArtifactName }}
- -X github.com/fleetdm/fleet/v4/server/version.version={{ .Version }}
- -X github.com/fleetdm/fleet/v4/server/version.branch={{ .Branch }}
- -X github.com/fleetdm/fleet/v4/server/version.revision={{ .FullCommit }}
- -X github.com/fleetdm/fleet/v4/server/version.buildDate={{ time "2006-01-02" }}
- -X github.com/fleetdm/fleet/v4/server/version.buildUser={{ .Env.USER }}
- id: fleetctl
dir: ./cmd/fleetctl/
@ -46,12 +46,12 @@ builds:
flags:
- -trimpath
ldflags:
- -X github.com/kolide/kit/version.appName={{ .ArtifactName }}
- -X github.com/kolide/kit/version.version={{ .Version }}
- -X github.com/kolide/kit/version.branch={{ .Branch }}
- -X github.com/kolide/kit/version.revision={{ .FullCommit }}
- -X github.com/kolide/kit/version.buildDate={{ time "2006-01-02" }}
- -X github.com/kolide/kit/version.buildUser={{ .Env.USER }}
- -X github.com/fleetdm/fleet/v4/server/version.appName={{ .ArtifactName }}
- -X github.com/fleetdm/fleet/v4/server/version.version={{ .Version }}
- -X github.com/fleetdm/fleet/v4/server/version.branch={{ .Branch }}
- -X github.com/fleetdm/fleet/v4/server/version.revision={{ .FullCommit }}
- -X github.com/fleetdm/fleet/v4/server/version.buildDate={{ time "2006-01-02" }}
- -X github.com/fleetdm/fleet/v4/server/version.buildUser={{ .Env.USER }}
dockers:

View File

@ -27,12 +27,12 @@ builds:
- -trimpath
ldflags:
- -extldflags "-static"
- -X github.com/kolide/kit/version.appName={{ .ArtifactName }}
- -X github.com/kolide/kit/version.version={{ .Version }}
- -X github.com/kolide/kit/version.branch={{ .Branch }}
- -X github.com/kolide/kit/version.revision={{ .FullCommit }}
- -X github.com/kolide/kit/version.buildDate={{ time "2006-01-02" }}
- -X github.com/kolide/kit/version.buildUser={{ .Env.USER }}
- -X github.com/fleetdm/fleet/v4/server/version.appName={{ .ArtifactName }}
- -X github.com/fleetdm/fleet/v4/server/version.version={{ .Version }}
- -X github.com/fleetdm/fleet/v4/server/version.branch={{ .Branch }}
- -X github.com/fleetdm/fleet/v4/server/version.revision={{ .FullCommit }}
- -X github.com/fleetdm/fleet/v4/server/version.buildDate={{ time "2006-01-02" }}
- -X github.com/fleetdm/fleet/v4/server/version.buildUser={{ .Env.USER }}
- id: fleetctl
dir: ./cmd/fleetctl/
@ -40,7 +40,6 @@ builds:
env:
- CGO_ENABLED=0
goos:
- darwin
- linux
- windows
goarch:
@ -48,20 +47,44 @@ builds:
flags:
- -trimpath
ldflags:
- -X github.com/kolide/kit/version.appName={{ .ArtifactName }}
- -X github.com/kolide/kit/version.version={{ .Version }}
- -X github.com/kolide/kit/version.branch={{ .Branch }}
- -X github.com/kolide/kit/version.revision={{ .FullCommit }}
- -X github.com/kolide/kit/version.buildDate={{ time "2006-01-02" }}
- -X github.com/kolide/kit/version.buildUser={{ .Env.USER }}
- -X github.com/fleetdm/fleet/v4/server/version.appName={{ .ArtifactName }}
- -X github.com/fleetdm/fleet/v4/server/version.version={{ .Version }}
- -X github.com/fleetdm/fleet/v4/server/version.branch={{ .Branch }}
- -X github.com/fleetdm/fleet/v4/server/version.revision={{ .FullCommit }}
- -X github.com/fleetdm/fleet/v4/server/version.buildDate={{ time "2006-01-02" }}
- -X github.com/fleetdm/fleet/v4/server/version.buildUser={{ .Env.USER }}
- id: fleetctl-macos
dir: ./cmd/fleetctl/
binary: fleetctl
env:
- CGO_ENABLED=0
goos:
- darwin
goarch:
- amd64
- arm64
flags:
- -trimpath
ldflags:
- -X github.com/fleetdm/fleet/v4/server/version.appName={{ .ArtifactName }}
- -X github.com/fleetdm/fleet/v4/server/version.version={{ .Version }}
- -X github.com/fleetdm/fleet/v4/server/version.branch={{ .Branch }}
- -X github.com/fleetdm/fleet/v4/server/version.revision={{ .FullCommit }}
- -X github.com/fleetdm/fleet/v4/server/version.buildDate={{ time "2006-01-02" }}
- -X github.com/fleetdm/fleet/v4/server/version.buildUser={{ .Env.USER }}
universal_binaries:
- id: fleetctl # resulting binary id
ids: [fleetctl-macos] # source binaries
replace: true
name_template: fleetctl # resulting binary name
archives:
- id: fleet
builds:
- fleet
name_template: fleet_v{{.Version}}_{{.Os}}
replacements:
darwin: macos
name_template: fleet_v{{.Version}}_{{- if eq .Os "darwin" }}macos{{- else }}{{ .Os }}{{ end }}
format_overrides:
- goos: windows
format: zip
@ -70,18 +93,14 @@ archives:
- id: fleetctl
builds:
- fleetctl
name_template: fleetctl_v{{.Version}}_{{.Os}}
replacements:
darwin: macos
name_template: fleetctl_v{{.Version}}_{{- if eq .Os "darwin" }}macos{{- else }}{{ .Os }}{{ end }}
wrap_in_directory: true
- id: fleetctl-zip
builds:
- fleetctl
name_template: fleetctl_v{{.Version}}_{{.Os}}
name_template: fleetctl_v{{.Version}}_{{- if eq .Os "darwin" }}macos{{- else }}{{ .Os }}{{ end }}
format: zip
replacements:
darwin: macos
wrap_in_directory: true
dockers:

35
.pre-commit-config.yaml Normal file
View File

@ -0,0 +1,35 @@
repos:
- repo: https://github.com/digitalpulp/pre-commit-php
rev: 1.4.0
hooks:
- id: php-lint-all
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/golangci/golangci-lint
rev: v1.52.2
hooks:
- id: golangci-lint
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: RuboCop
- id: shellcheck
- repo: https://github.com/pocc/pre-commit-hooks
rev: v1.3.5
hooks:
- id: cpplint
- repo: https://github.com/pre-commit/mirrors-eslint
rev: v8.38.0
hooks:
- id: eslint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/pylint-dev/pylint
rev: v2.17.2
hooks:
- id: pylint
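Review bot: every `rev:` here is a tag (`v8.16.3`, `v1.52.2`, `1.4.0`, ...), and tags are mutable, so this config does not get the supply-chain protection the SHA-pinned `uses:` lines elsewhere in this change provide; pre-commit accepts a full commit SHA in `rev`, so pin at least the hooks that read the whole checkout (gitleaks, golangci-lint, eslint) to SHAs with a `# vX.Y.Z` comment. A one-line comment on why PHP, C++ and Python linters (`php-lint-all`, `cpplint`, `pylint`) are included in this repository would also help.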

View File

@ -28,11 +28,6 @@ tmp/
.vscode
.idea
# Cypress e2e testing
cypress/screenshots
cypress/videos
cypress/downloads
# fleetdm.com website (uses its own formatting conventions)
website/

View File

@ -52,7 +52,7 @@ const config: StorybookConfig = {
"@storybook/addon-mdx-gfm",
"@storybook/addon-a11y",
"@storybook/test-runner",
"storybook-addon-designs",
"@storybook/addon-designs",
],
typescript: {
check: false,

1
.yarnrc Normal file
View File

@ -0,0 +1 @@
save-prefix ""

View File

@ -0,0 +1,2 @@
- Fix a bug where the manage query automations modal would lose its state when the user clicks
"Preview data"

File diff suppressed because it is too large

View File

@ -1,95 +1,161 @@
# Go engineers are automatically added as reviewers when changes are made to go
# files or related backend files.
##############################################################################################
# ██████╗ ██████╗ ██████╗ ███████╗ ██████╗ ██╗ ██╗███╗ ██╗███████╗██████╗ ███████╗
# ██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔═══██╗██║ ██║████╗ ██║██╔════╝██╔══██╗██╔════╝
# ██║ ██║ ██║██║ ██║█████╗ ██║ ██║██║ █╗ ██║██╔██╗ ██║█████╗ ██████╔╝███████╗
# ██║ ██║ ██║██║ ██║██╔══╝ ██║ ██║██║███╗██║██║╚██╗██║██╔══╝ ██╔══██╗╚════██║
# ╚██████╗╚██████╔╝██████╔╝███████╗╚██████╔╝╚███╔███╔╝██║ ╚████║███████╗██║ ██║███████║
# ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚══╝╚══╝ ╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝╚══════╝
##############################################################################################
# ⛔ This file indicates REQUIRED reviewers for changes to certain file paths in this repo.
#
# > How? This "requiredness" is provided natively by GitHub. If a team is specified, then
# > the logic behaves slightly differently. See GitHub's latest documentation on CODEOWNERS
# > for more information. CODEOWNERS is especially useful for paths that usually end up
# > in PRs with lots of other reviewers.)
#
# ⚠️ For file paths not listed, the DRI is instead indicated in website/config/custom.js.
# Regardless of whether a path's DRI is configured in CODEOWNERS or custom.js, the DRI is
# automatically requested for review when changes are proposed.
# [!] But beware: No path should ever be configured as a DRI in both CODEOWNERS _and_
# the website config.
# [!] In addition, no path should ever be configured in CODEOWNERS if there is ALSO one
# of its ancestral paths configured in website/config/custom.js.
#
# ✅ Some paths also have multiple individuals who are allowed to make changes without review,
# even though they are not the DRI. These are called "maintainers".
#
# For more information on how this works, see:
# - What is a DRI and how is this configured? https://fleetdm.com/handbook/company/why-this-way#why-direct-responsibility
# - Historical context: https://github.com/fleetdm/fleet/pull/12786
##############################################################################################
##############################################################################################
# 🚀 Golang files and other files related to the core product backend.
# (1 or more Golang-literate engineers is required to review changes.)
# FUTURE: Look for a way to not have this notify every single person in this "github team".
##############################################################################################
*.go @fleetdm/go
go.sum @fleetdm/go
go.mod @fleetdm/go
/server/ @fleetdm/go
/cmd/ @fleetdm/go
# Compliance
/ee/cis/ @sharon-fdm @lucasmrod @marcosd4h @rachelElysia
# MDM
/ee/tools/puppet @roperzh @gillespi314 @mna @georgekarrv
# React engineers are automatically added as reviewers when changes are made to react files
##############################################################################################
# 🚀 React files and other files related to the core product frontend.
# (1 or more React-literate engineers is required to review changes.)
# FUTURE: Look for a way to not have this notify every single person in this "github team".
##############################################################################################
/frontend/ @fleetdm/frontend
# Infra/terraform
*.tf @edwardsb @zwinnerman-fleetdm @rfairburn
/infrastructure/ @zwinnerman-fleetdm @edwardsb @rfairburn
/charts/ @zwinnerman-fleetdm @edwardsb @rfairburn
/terraform @zwinnerman-fleetdm @edwardsb @rfairburn
##############################################################################################
# 🚀 Config as code for infrastructure, internal security and IT use cases, and more.
# (1 or more infra-literate engineers is required to review changes.)
# FUTURE: Look for a way to not have this notify every single person in this "github team".
##############################################################################################
# GitHub issue templates
/.github/ISSUE_TEMPLATE @mikermcneil
# Codeowners file
/CODEOWNERS @mikermcneil
# Changelog
/CHANGELOG.md @noahtalerman
# Fleet documentation (who is auto-requested as reviewer for changes to docs?)
/docs/ @rachaelshaw
# REST API reference documentation
/docs/Using-Fleet/REST-API.md @rachaelshaw
/docs/Contributing/API-for-contributors.md @rachaelshaw
# Standard query library YAML
/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml @zwass
# Expanded table documentation
/schema @eashaw
# Articles
/articles @jarodreyes
# Website
/website/ @eashaw
/website/views/ @eashaw
/website/assets/ @eashaw
# Features table
# - CEO is DRI for pricing
# - Mo is DRI for features table
# - Eric is DRI for website frontend code
/website/views/pages/pricing.ejs @mikermcneil
/handbook/product/pricing-features-table.yml @mikermcneil
# Website redirects and URLs
/website/config/routes.js @mikermcneil @eashaw
# Website backend, scripts, deps
/website/api/ @mikermcneil @eashaw
/website/config/ @mikermcneil @eashaw
/website/scripts/ @mikermcneil @eashaw
/website/package.json @mikermcneil @eashaw
# GitHub brandfront
/README.md @mikermcneil
# NPM brandfront (npmjs.com/package/fleetctl)
/tools/fleetctl-npm/README.md @mikermcneil
# Handbook
/handbook/company @mikermcneil
/handbook/company/* @mikermcneil
/handbook/business-operations @mikermcneil
/handbook/business-operations/* @mikermcneil
/handbook/engineering @lukeheath
/handbook/engineering/* @lukeheath
/handbook/product @zhumo
/handbook/product/* @zhumo
/handbook/customers @alexmitchelliii
/handbook/customers/* @alexmitchelliii
/handbook/marketing @jarodreyes
/handbook/marketing/* @jarodreyes
/handbook/README.md @mikermcneil # « This is the "Table of contents"
/infrastructure/ @rfairburn @ksatter @lukeheath @edwardsb
/charts/ @rfairburn @ksatter @lukeheath @edwardsb
/terraform/ @rfairburn @ksatter @lukeheath @edwardsb
/it-and-security/ @noahtalerman
##############################################################################################
# ⚗️ Reference, config surface, built-in queries, API, and other documentation.
#
# For configuration that determines auto-approval + auto-unfreezing, so that contributors
# can merge their own PRs without additional approval, please see the latest version of:
# https://github.com/fleetdm/fleet/blob/74f65447b718663bd04df31ea1da28915d98792c/website/config/custom.js#L88-L128
# (see website/config/custom.js for DRIs of other paths not listed here)
##############################################################################################
/docs @rachaelshaw
/docs/Using-Fleet/REST-API.md @rachaelshaw # « REST API reference documentation
/docs/Contributing/API-for-contributors.md @rachaelshaw # « Advanced / contributors-only API reference documentation
/schema @eashaw # « Data tables (osquery/fleetd schema) documentation
/docs/Deploy/_kubernetes/ @dherder # « Kubernetes best practice
##############################################################################################
# 🫧 Pricing and features
#
# (see website/config/custom.js for DRIs of other paths not listed here)
##############################################################################################
/handbook/company/pricing-features-table.yml @mikermcneil # « CEO is current DRI for features table
##############################################################################################
# 🦿 Repo automation and change control settings
##############################################################################################
# /CODEOWNERS @mikermcneil # Covered in DRIs
##############################################################################################
# 🦿 Handbook
#
# (see website/config/custom.js for DRIs of other paths not listed here)
##############################################################################################
/handbook/company/README.md @mikermcneil
/handbook/company/communications.md @mikermcneil
/handbook/company/leadership.md @mikermcneil
/handbook/company/why-this-way.md @mikermcneil
/handbook/README.md @mikermcneil
/handbook/company/open-positions.yml @sampfluger88
/handbook/company/product-groups.md @mikermcneil @sampfluger88 @lukeheath
/handbook/business-operations @sampfluger88
/handbook/digital-experience @sampfluger88
/handbook/customer-success @sampfluger88
/handbook/demand @sampfluger88
/handbook/engineering @sampfluger88 @lukeheath
/handbook/sales @sampfluger88
/handbook/product-design @sampfluger88
##############################################################################################
# 🦿 GitHub issue templates
##############################################################################################
/.github/ISSUE_TEMPLATE @mikermcneil @sampfluger88 @lukeheath # See https://github.com/fleetdm/fleet/pull/16203
##############################################################################################
# 🌐 GitHub workflows
##############################################################################################
/.github/workflows/markdown-link-check-config.json @eashaw
/.github/workflows/deploy-vulnerability-dashboard.yml @eashaw
/.github/workflows/test-website.yml @eashaw
/.github/workflows/test-vulnerability-dashboard-changes.yml @eashaw
/.github/workflows/docs.yml @eashaw
/.github/workflows/deploy-fleet-website.yml @eashaw
##############################################################################################
# 🚀 GitHub workflows
##############################################################################################
/.github/workflows/README.md @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/goreleaser-fleet.yaml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/update-certs.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/codeql-analysis.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/codeql.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/scorecards-analysis.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/integration.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/fleetctl-preview.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/fleetctl-preview-latest.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/goreleaser-orbit.yaml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/trivy-scan.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/goreleaser-snapshot-fleet.yaml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/build-and-push-fleetctl-docker.yml @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/fleetd-tuf.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/generate-desktop-targets.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-yml-specs.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/build-binaries.yaml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/fleet-and-orbit.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/build-orbit.yaml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/generate-osqueryd-targets.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-packaging.yml @lucasmrod @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/release-helm.yaml @rfairburn @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/pr-helm.yaml @rfairburn @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/tfvalidate.yml @rfairburn @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/dogfood-deploy.yml @rfairburn @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-db-changes.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-go.yaml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/golangci-lint.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-native-tooling-packaging.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/check-tuf-timestamps.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-puppet.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/generate-nudge-targets.yml @roperzh @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-js.yml @ghernandez345 @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/dogfood-gitops.yml @getvictor @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/test-fleetd-chrome.yml @getvictor @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/release-fleetd-chrome.yml @getvictor @lukeheath @georgekarrv @sharon-fdm
/.github/workflows/release-fleetd-chrome-beta.yml @getvictor @lukeheath @georgekarrv @sharon-fdm
# But wait, there's more!
# See the comments up top to learn where else DRIs and maintainers are configured.
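Review bot: several patterns are declared twice with different owner sets, and GitHub evaluates CODEOWNERS last-match-wins, so the earlier declarations are dead: the "Infra/terraform" lines `/infrastructure/ @zwinnerman-fleetdm @edwardsb @rfairburn`, `/charts/` and `/terraform` are overridden by the later `/infrastructure/ @rfairburn @ksatter @lukeheath @edwardsb` block, `/docs/ @rachaelshaw` by `/docs @rachaelshaw`, and `/.github/ISSUE_TEMPLATE @mikermcneil` by the later entry that adds @sampfluger88 and @lukeheath. The features table is also listed under two different paths (`/handbook/product/pricing-features-table.yml` and `/handbook/company/pricing-features-table.yml`), so one of them is stale. Finally, `/CODEOWNERS @mikermcneil` is still active in the first block while the "Repo automation and change control settings" section comments it out as "Covered in DRIs", which is exactly the double configuration the header says must never happen; keep a single entry per path, delete the shadowed lines, and drop the stray `)` that closes the "How?" paragraph.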

View File

@ -1,4 +1,4 @@
FROM alpine:3.17.3@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126
FROM alpine:3.18.2@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
LABEL maintainer="Fleet Developers"
RUN apk --update add ca-certificates
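Review bot: `RUN apk --update add ca-certificates` leaves the fetched package index in `/var/cache/apk` inside the final layer; `apk add --no-cache ca-certificates` installs the same package without persisting the cache. Bumping the base to `alpine:3.18.2` while keeping the `@sha256:` digest pin is the right way to do this.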

View File

@ -1,12 +1,6 @@
FROM --platform=linux/amd64 golang:1.20.3-bullseye@sha256:0c4028f241827951ee41df718abdb75769b63610f3b0e2350cf6fede68e24d6f
FROM --platform=linux/amd64 golang:1.21.7-bullseye@sha256:447afe790df28e0bc19d782a9f776a105ce3b8417cdd21f33affc4ed6d38f9d5
LABEL maintainer="Fleet Developers"
RUN apt-get update && apt-get install -y \
gcc \
libgtk-3-dev \
libayatana-appindicator3-dev \
&& rm -rf /var/lib/apt/lists/*
RUN mkdir -p /usr/src/fleet
RUN mkdir -p /output
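Review bot: the `apt-get install -y gcc libgtk-3-dev libayatana-appindicator3-dev` line pulls in recommended packages as well; adding `--no-install-recommends` keeps the builder image smaller and its dependency set explicit, and the two `RUN mkdir -p` lines can be folded into one `RUN mkdir -p /usr/src/fleet /output` to avoid two extra layers.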

View File

@ -1,4 +1,4 @@
FROM golang:1.20.3-alpine@sha256:08e9c086194875334d606765bd60aa064abd3c215abfbcf5737619110d48d114
FROM golang:1.20.5-alpine@sha256:b036c52b3bcc8e4e31be19a7a902bb9897b2bf18028f40fd306a9778bab5771c
ARG ENROLL_SECRET
ARG HOST_COUNT
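Review bot: this image moves to `golang:1.20.5-alpine` while the bullseye builder in the previous file moves to `golang:1.21.7-bullseye`, so the two Dockerfiles now build with different Go minor versions. Both should track the toolchain declared in `go.mod`; pin them to the same version so behaviour does not differ between the two images.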

100
Makefile
View File

@ -1,4 +1,4 @@
.PHONY: build clean clean-assets e2e-reset-db e2e-serve e2e-setup changelog db-reset db-backup db-restore
.PHONY: build clean clean-assets e2e-reset-db e2e-serve e2e-setup changelog db-reset db-backup db-restore check-go-cloner update-go-cloner
export GO111MODULE=on
@ -54,14 +54,14 @@ ifdef CIRCLE_TAG
DOCKER_IMAGE_TAG = ${CIRCLE_TAG}
endif
KIT_VERSION = "\
-X github.com/kolide/kit/version.appName=${APP_NAME} \
-X github.com/kolide/kit/version.version=${VERSION} \
-X github.com/kolide/kit/version.branch=${BRANCH} \
-X github.com/kolide/kit/version.revision=${REVISION} \
-X github.com/kolide/kit/version.buildDate=${NOW} \
-X github.com/kolide/kit/version.buildUser=${USER} \
-X github.com/kolide/kit/version.goVersion=${GOVERSION}"
LDFLAGS_VERSION = "\
-X github.com/fleetdm/fleet/v4/server/version.appName=${APP_NAME} \
-X github.com/fleetdm/fleet/v4/server/version.version=${VERSION} \
-X github.com/fleetdm/fleet/v4/server/version.branch=${BRANCH} \
-X github.com/fleetdm/fleet/v4/server/version.revision=${REVISION} \
-X github.com/fleetdm/fleet/v4/server/version.buildDate=${NOW} \
-X github.com/fleetdm/fleet/v4/server/version.buildUser=${USER} \
-X github.com/fleetdm/fleet/v4/server/version.goVersion=${GOVERSION}"
all: build
@ -113,7 +113,7 @@ help:
build: fleet fleetctl
fleet: .prefix .pre-build .pre-fleet
CGO_ENABLED=1 go build -race=${GO_BUILD_RACE_ENABLED_VAR} -tags full,fts5,netgo -o build/${OUTPUT} -ldflags ${KIT_VERSION} ./cmd/fleet
CGO_ENABLED=1 go build -race=${GO_BUILD_RACE_ENABLED_VAR} -tags full,fts5,netgo -o build/${OUTPUT} -ldflags ${LDFLAGS_VERSION} ./cmd/fleet
fleet-dev: GO_BUILD_RACE_ENABLED_VAR=true
fleet-dev: fleet
@ -121,7 +121,7 @@ fleet-dev: fleet
fleetctl: .prefix .pre-build .pre-fleetctl
# Race requires cgo
$(eval CGO_ENABLED := $(shell [[ "${GO_BUILD_RACE_ENABLED_VAR}" = "true" ]] && echo 1 || echo 0))
CGO_ENABLED=${CGO_ENABLED} go build -race=${GO_BUILD_RACE_ENABLED_VAR} -o build/fleetctl -ldflags ${KIT_VERSION} ./cmd/fleetctl
CGO_ENABLED=${CGO_ENABLED} go build -race=${GO_BUILD_RACE_ENABLED_VAR} -o build/fleetctl -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
fleetctl-dev: GO_BUILD_RACE_ENABLED_VAR=true
fleetctl-dev: fleetctl
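Review bot: `$(eval CGO_ENABLED := $(shell [[ "${GO_BUILD_RACE_ENABLED_VAR}" = "true" ]] && echo 1 || echo 0))` relies on the bash-only `[[` test, but `$(shell ...)` runs under `/bin/sh` unless `SHELL := /bin/bash` is set; on a dash-based `/bin/sh` the test fails as a missing command, `CGO_ENABLED` silently becomes 0, and `fleetctl-dev` then fails with `-race requires cgo`. Use the POSIX form `[ "${GO_BUILD_RACE_ENABLED_VAR}" = "true" ]`.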
@ -130,7 +130,7 @@ lint-js:
yarn lint
lint-go:
golangci-lint run --skip-dirs ./node_modules --timeout 10m
golangci-lint run --skip-dirs ./node_modules --timeout 15m
lint: lint-go lint-js
@ -138,13 +138,13 @@ dump-test-schema:
go run ./tools/dbutils ./server/datastore/mysql/schema.sql
test-go: dump-test-schema generate-mock
go test -tags full,fts5,netgo ${GO_TEST_EXTRA_FLAGS_VAR} -parallel 8 -coverprofile=coverage.txt -covermode=atomic ./cmd/... ./ee/... ./orbit/pkg/... ./orbit/cmd/orbit ./pkg/... ./server/... ./tools/...
go test -tags full,fts5,netgo ${GO_TEST_EXTRA_FLAGS_VAR} -parallel 8 -coverprofile=coverage.txt -covermode=atomic -coverpkg=github.com/fleetdm/fleet/v4/... ./cmd/... ./ee/... ./orbit/pkg/... ./orbit/cmd/orbit ./pkg/... ./server/... ./tools/...
analyze-go:
go test -tags full,fts5,netgo -race -cover ./...
test-js:
npm test
yarn test
test: lint test-go test-js
@ -173,7 +173,6 @@ generate-dev: .prefix
NODE_ENV=development yarn run webpack --progress --watch
generate-mock: .prefix
go install github.com/fleetdm/mockimpl@ecbb3041eabfc9e046a3f2e414e32c28254b75b2
go generate github.com/fleetdm/fleet/v4/server/mock github.com/fleetdm/fleet/v4/server/mock/mockresult github.com/fleetdm/fleet/v4/server/service/mock
generate-doc: .prefix
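Review bot: dropping `go install github.com/fleetdm/mockimpl@ecbb3041eabfc9e046a3f2e414e32c28254b75b2` from `generate-mock` makes the target depend on whatever `mockimpl` happens to be on `PATH`, and the pinned commit was what kept generated mocks reproducible across machines. If the install moved elsewhere, reference it here (for example as a prerequisite target) so a fresh checkout and CI still get the pinned version.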
@ -188,8 +187,18 @@ deps-js:
deps-go:
go mod download
# check that the generated files in tools/cloner-check/generated_files match
# the current version of the cloneable structures.
check-go-cloner:
go run ./tools/cloner-check/main.go --check
# update the files in tools/cloner-check/generated_files with the current
# version of the cloneable structures.
update-go-cloner:
go run ./tools/cloner-check/main.go --update
migration:
go run github.com/fleetdm/goose/cmd/goose -dir server/datastore/mysql/migrations/tables create $(name)
go run ./server/goose/cmd/goose -dir server/datastore/mysql/migrations/tables create $(name)
gofmt -w server/datastore/mysql/migrations/tables/*_$(name)*.go
clean: clean-assets
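Review bot: the `migration` target does not check that `name` is set; with it empty, `goose ... create` runs with no name and `gofmt -w server/datastore/mysql/migrations/tables/*_$(name)*.go` expands to `*_*.go` and rewrites every migration file. Guard it the same way `.pre-binary-arch` guards `GOOS` (`ifndef name` / `@echo` / `@exit 1`).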
@ -218,14 +227,14 @@ fleetctl-docker: xp-fleetctl
mkdir -p build/binary-bundle/darwin
xp-fleet: .pre-binary-bundle .pre-fleet generate
CGO_ENABLED=1 GOOS=linux go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/linux/fleet -ldflags ${KIT_VERSION} ./cmd/fleet
CGO_ENABLED=1 GOOS=darwin go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/darwin/fleet -ldflags ${KIT_VERSION} ./cmd/fleet
CGO_ENABLED=1 GOOS=windows go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/windows/fleet.exe -ldflags ${KIT_VERSION} ./cmd/fleet
CGO_ENABLED=1 GOOS=linux go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/linux/fleet -ldflags ${LDFLAGS_VERSION} ./cmd/fleet
CGO_ENABLED=1 GOOS=darwin go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/darwin/fleet -ldflags ${LDFLAGS_VERSION} ./cmd/fleet
CGO_ENABLED=1 GOOS=windows go build -tags full,fts5,netgo -trimpath -o build/binary-bundle/windows/fleet.exe -ldflags ${LDFLAGS_VERSION} ./cmd/fleet
xp-fleetctl: .pre-binary-bundle .pre-fleetctl generate-go
CGO_ENABLED=0 GOOS=linux go build -trimpath -o build/binary-bundle/linux/fleetctl -ldflags ${KIT_VERSION} ./cmd/fleetctl
CGO_ENABLED=0 GOOS=darwin go build -trimpath -o build/binary-bundle/darwin/fleetctl -ldflags ${KIT_VERSION} ./cmd/fleetctl
CGO_ENABLED=0 GOOS=windows go build -trimpath -o build/binary-bundle/windows/fleetctl.exe -ldflags ${KIT_VERSION} ./cmd/fleetctl
CGO_ENABLED=0 GOOS=linux go build -trimpath -o build/binary-bundle/linux/fleetctl -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
CGO_ENABLED=0 GOOS=darwin go build -trimpath -o build/binary-bundle/darwin/fleetctl -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
CGO_ENABLED=0 GOOS=windows go build -trimpath -o build/binary-bundle/windows/fleetctl.exe -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
binary-bundle: xp-fleet xp-fleetctl
cd build/binary-bundle && zip -r fleet.zip darwin/ linux/ windows/
@ -243,12 +252,12 @@ fleetd-tables-linux:
fleetd-tables-darwin:
GOOS=darwin GOARCH=amd64 go build -o fleetd_tables_darwin.ext ./orbit/cmd/fleetd_tables
fleetd-tables-darwin_arm:
GOOS=darwin GOARCH=arm64 go build -o fleetd_tables_darwin_arm.ext ./orbit/cmd/fleetd_tables
fleetd-tables-darwin-universal:
$(MAKE) fleetd-tables-darwin fleetd-tables-darwin_arm
GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build -o fleetd_tables_darwin_arm.ext ./orbit/cmd/fleetd_tables
fleetd-tables-darwin-universal: fleetd-tables-darwin fleetd-tables-darwin_arm
lipo -create fleetd_tables_darwin.ext fleetd_tables_darwin_arm.ext -output fleetd_tables_darwin_universal.ext
fleetd-tables-all:
$(MAKE) fleetd-tables-windows fleetd-tables-linux fleetd-tables-darwin-universal
fleetd-tables-all: fleetd-tables-windows fleetd-tables-linux fleetd-tables-darwin-universal
fleetd-tables-clean:
rm -f fleetd_tables_windows.exe fleetd_tables_linux.ext fleetd_tables_darwin.ext fleetd_tables_darwin_arm.ext fleetd_tables_darwin_universal.ext
.pre-binary-arch:
ifndef GOOS
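Review bot: `CGO_ENABLED=1` is added only to the arm64 build (`GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build -o fleetd_tables_darwin_arm.ext`), while the amd64 build on the line above still inherits the environment's setting, so `lipo -create` may combine a cgo and a non-cgo binary. Set it explicitly on both darwin builds (or document why only arm64 needs it).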
@ -263,8 +272,8 @@ endif
binary-arch: .pre-binary-arch .pre-binary-bundle .pre-fleet
mkdir -p build/binary-bundle/${GOARCH}-${GOOS}
CGO_ENABLED=1 GOARCH=${GOARCH} GOOS=${GOOS} go build -tags full,fts5,netgo -o build/binary-bundle/${GOARCH}-${GOOS}/fleet -ldflags ${KIT_VERSION} ./cmd/fleet
CGO_ENABLED=0 GOARCH=${GOARCH} GOOS=${GOOS} go build -tags full,fts5,netgo -o build/binary-bundle/${GOARCH}-${GOOS}/fleetctl -ldflags ${KIT_VERSION} ./cmd/fleetctl
CGO_ENABLED=1 GOARCH=${GOARCH} GOOS=${GOOS} go build -tags full,fts5,netgo -o build/binary-bundle/${GOARCH}-${GOOS}/fleet -ldflags ${LDFLAGS_VERSION} ./cmd/fleet
CGO_ENABLED=0 GOARCH=${GOARCH} GOOS=${GOOS} go build -tags full,fts5,netgo -o build/binary-bundle/${GOARCH}-${GOOS}/fleetctl -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
cd build/binary-bundle/${GOARCH}-${GOOS} && tar -czf fleetctl-${GOARCH}-${GOOS}.tar.gz fleetctl fleet
@ -313,6 +322,14 @@ changelog-orbit:
sh -c "cat new-CHANGELOG.md orbit/CHANGELOG.md > tmp-CHANGELOG.md && rm new-CHANGELOG.md && mv tmp-CHANGELOG.md orbit/CHANGELOG.md"
sh -c "git rm orbit/changes/*"
# Updates the documentation for the currently released versions of fleetd components in Fleet's TUF.
fleetd-tuf:
sh -c 'echo "<!-- DO NOT EDIT. This document is automatically generated by running \`make fleetd-tuf\`. -->\n# tuf.fleetctl.com\n\nFollowing are the currently deployed versions of fleetd components on the \`stable\` and \`edge\` channel.\n" > orbit/TUF.md'
sh -c 'echo "## \`stable\`\n" >> orbit/TUF.md'
sh -c 'go run tools/tuf/status/tuf-status.go channel-version -channel stable -format markdown >> orbit/TUF.md'
sh -c 'echo "\n## \`edge\`\n" >> orbit/TUF.md'
sh -c 'go run tools/tuf/status/tuf-status.go channel-version -channel edge -format markdown >> orbit/TUF.md'
###
# Development DB commands
###
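Review bot: the new `fleetd-tuf` target writes its markdown with `sh -c 'echo "...\n..."'`, but whether `echo` expands `\n` is implementation-defined (dash does, bash does not unless `xpg_echo` is set), so `orbit/TUF.md` will contain literal `\n` on some hosts. Use `printf '%s\n' ...` for the header lines, or a single heredoc, so the output is the same everywhere the target runs.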
@ -370,17 +387,28 @@ endif
# Generate swiftDialog.app.tar.gz bundle from the swiftDialog repo.
#
# Usage:
# make swift-dialog-app-tar-gz version=2.1.0 build=4148 out-path=.
# make swift-dialog-app-tar-gz version=2.2.1 build=4591 out-path=.
swift-dialog-app-tar-gz:
ifneq ($(shell uname), Darwin)
@echo "Makefile target swift-dialog-app-tar-gz is only supported on macOS"
@exit 1
endif
# locking the version of swiftDialog to 2.2.1-4591 as newer versions
# migth have layout issues.
ifneq ($(version), 2.2.1)
@echo "Version is locked at 2.1.0, see comments in Makefile target for details"
@exit 1
endif
ifneq ($(build), 4591)
@echo "Build version is locked at 4591, see comments in Makefile target for details"
@exit 1
endif
$(eval TMP_DIR := $(shell mktemp -d))
curl -L https://github.com/bartreardon/swiftDialog/releases/download/v$(version)/dialog-$(version)-$(build).pkg --output $(TMP_DIR)/swiftDialog-$(version).pkg
curl -L https://github.com/swiftDialog/swiftDialog/releases/download/v$(version)/dialog-$(version)-$(build).pkg --output $(TMP_DIR)/swiftDialog-$(version).pkg
pkgutil --expand $(TMP_DIR)/swiftDialog-$(version).pkg $(TMP_DIR)/swiftDialog_pkg_expanded
mkdir -p $(TMP_DIR)/swiftDialog_pkg_payload_expanded
tar xvf $(TMP_DIR)/swiftDialog_pkg_expanded/Payload --directory $(TMP_DIR)/swiftDialog_pkg_payload_expanded
tar xvf $(TMP_DIR)/swiftDialog_pkg_expanded/tmp-package.pkg/Payload --directory $(TMP_DIR)/swiftDialog_pkg_payload_expanded
$(TMP_DIR)/swiftDialog_pkg_payload_expanded/Library/Application\ Support/Dialog/Dialog.app/Contents/MacOS/Dialog --version
tar czf $(out-path)/swiftDialog.app.tar.gz -C $(TMP_DIR)/swiftDialog_pkg_payload_expanded/Library/Application\ Support/Dialog/ Dialog.app
rm -rf $(TMP_DIR)
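Review bot: the version guard's message is out of sync with its check: `ifneq ($(version), 2.2.1)` prints "Version is locked at 2.1.0", and the comment above it has a typo ("migth"). More importantly, the pkg fetched with `curl -L https://github.com/swiftDialog/swiftDialog/releases/download/v$(version)/dialog-$(version)-$(build).pkg` is expanded and repackaged into `swiftDialog.app.tar.gz` without any integrity check; since both `version` and `build` are pinned, pin the expected SHA-256 of the pkg too and verify it (`shasum -a 256 -c`) before `pkgutil --expand`, so a tampered or substituted download cannot end up in the shipped bundle.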
@ -424,13 +452,7 @@ desktop-linux:
docker run --rm -v $(shell pwd):/output desktop-linux-builder /bin/bash -c "\
mkdir /output/fleet-desktop && \
go build -o /output/fleet-desktop/fleet-desktop -ldflags "-X=main.version=$(FLEET_DESKTOP_VERSION)" /usr/src/fleet/orbit/cmd/desktop && \
cp /usr/lib/x86_64-linux-gnu/libayatana-appindicator3.so.1 \
/usr/lib/x86_64-linux-gnu/libayatana-ido3-0.4.so.0 \
/usr/lib/x86_64-linux-gnu/libayatana-indicator3.so.7 \
/lib/x86_64-linux-gnu/libm.so.6 \
/usr/lib/x86_64-linux-gnu/libdbusmenu-gtk3.so.4 \
/usr/lib/x86_64-linux-gnu/libdbusmenu-glib.so.4 \
/output/fleet-desktop && cd /output && \
cd /output && \
tar czf desktop.tar.gz fleet-desktop && \
rm -r fleet-desktop"
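Review bot: removing the `cp` of `libayatana-appindicator3.so.1`, `libayatana-ido3-0.4.so.0`, `libayatana-indicator3.so.7`, `libm.so.6` and the two `libdbusmenu` libraries means `desktop.tar.gz` no longer bundles those shared objects, while the builder image still installs `libayatana-appindicator3-dev`. Confirm the `fleet-desktop` binary is now built without those runtime dependencies, or document which distro packages a host must have installed for it to start.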

View File

@ -4,7 +4,7 @@
Open-source platform for IT and security teams with thousands of computers. Designed for APIs, GitOps, webhooks, YAML, and humans.
<a href="https://fleetdm.com/logos"><img alt="Wallpaper featuring a futuristic cloud city with the Fleet logo" src="https://github.com/fleetdm/fleet/assets/618009/f705c7ee-6efe-448e-b5ee-f5535d7cd101"/></a>
<a href="https://fleetdm.com/logos"><img src="https://github.com/fleetdm/fleet/assets/618009/f705c7ee-6efe-448e-b5ee-f5535d7cd101" alt="A glass city in the clouds"/></a>
## What's it for?
@ -14,7 +14,7 @@ Organizations like Fastly and Gusto use Fleet for vulnerability reporting, detec
To see what kind of data you can use Fleet to gather, check out the [table reference documentation](https://fleetdm.com/tables).
#### Out-of-the-box policies
Fleet includes out-of-the box support for all [CIS benchmarks for macOS and Windows](https://fleetdm.com/pricing), as well as many [simpler queries](https://fleetdm.com/queries).
Fleet includes out-of-the box support for all [CIS benchmarks for macOS and Windows](https://fleetdm.com/docs/using-fleet/cis-benchmarks), as well as many [simpler queries](https://fleetdm.com/queries).
Take as much or as little as you need for your organization.
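Review bot: while this line is being touched, "out-of-the box" should be "out-of-the-box" in `Fleet includes out-of-the box support for all [CIS benchmarks for macOS and Windows](https://fleetdm.com/docs/using-fleet/cis-benchmarks)`; the link retarget from the pricing page to the docs page is otherwise correct.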
@ -71,7 +71,7 @@ The Fleet community is full of [kind and helpful people](https://fleetdm.com/han
The landscape of cybersecurity and IT is too complex. Let's open it up.
Contributions are welcome, whether you answer questions on [Slack](#chat) / [GitHub](https://github.com/fleetdm/fleet/issues) / [StackOverflow](https://stackoverflow.com/search?q=osquery) / [LinkedIn](https://linkedin.com/company/fleetdm) / [Twitter](https://twitter.com/fleetctl), improve the documentation or [website](./website), write a tutorial, give a talk at a conference or local meetup, give an [interview on a podcast](https://fleetdm.com/podcasts), troubleshoot reported issues, or [submit a patch](https://fleetdm.com/docs/contributing/contributing). The Fleet code of conduct is [on GitHub](https://github.com/fleetdm/fleet/blob/main/CODE_OF_CONDUCT.md).
Contributions are welcome, whether you answer questions on [Slack](https://fleetdm.com/slack) / [GitHub](https://github.com/fleetdm/fleet/issues) / [StackOverflow](https://stackoverflow.com/search?q=osquery) / [LinkedIn](https://linkedin.com/company/fleetdm) / [Twitter](https://twitter.com/fleetctl), improve the documentation or [website](./website), write a tutorial, give a talk at a conference or local meetup, give an [interview on a podcast](https://fleetdm.com/podcasts), troubleshoot reported issues, or [submit a patch](https://fleetdm.com/docs/contributing/contributing). The Fleet code of conduct is [on GitHub](https://github.com/fleetdm/fleet/blob/main/CODE_OF_CONDUCT.md).
<!-- - Great contributions are motivated by real-world use cases or learning.
- Some of the most valuable contributions might not touch any code at all.
@ -81,7 +81,7 @@ Contributions are welcome, whether you answer questions on [Slack](#chat) / [Git
To see what Fleet can do, head over to [fleetdm.com](https://fleetdm.com) and try it out for yourself, grab time with one of the maintainers to discuss, or visit the docs and roll it out to your organization.
#### Production deployment
Fleet is simple enough to [spin up for yourself](https://fleetdm.com/docs/using-fleet/learn-how-to-use-fleet). Or you can have us [host it for you](https://fleetdm.com/pricing). Premium features are [available](https://fleetdm.com/pricing) either way.
Fleet is simple enough to [spin up for yourself](https://fleetdm.com/docs/get-started/tutorials-and-guides). Or you can have us [host it for you](https://fleetdm.com/pricing). Premium features are [available](https://fleetdm.com/pricing) either way.
#### Documentation
Complete documentation for Fleet can be found at [https://fleetdm.com/docs](https://fleetdm.com/docs).
@ -90,4 +90,4 @@ Complete documentation for Fleet can be found at [https://fleetdm.com/docs](http
## License
The free version of Fleet is available under the MIT license. The commercial license is also designed to allow contributions to paid features for users whose employment agreements allow them to contribute to open source projects. (See LICENSE.md for details.)
> Fleet is built on osquery, nanoMDM, and Nudge.
> Fleet is built on [osquery](https://github.com/osquery/osquery), [nanoMDM](https://github.com/micromdm/nanomdm), [Nudge](https://github.com/macadmins/nudge), and [swiftDialog](https://github.com/swiftDialog/swiftDialog).

View File

@ -38,7 +38,7 @@ Thank you to Jason Meller and Mike Arpaia for the vision to release our work on
I have thoroughly enjoyed working with Fleet and the community since the inception of the project in 2017. Heres to years more progress!
Zach Wasserman — CTO, Fleet
Zach Wasserman — Cofounder, Fleet
<meta name="category" value="announcements">
<meta name="authorGitHubUsername" value="zwass">

View File

@ -0,0 +1,163 @@
# Apple developer certificates on Linux for configuration profile signing
![Apple developer certificates on Linux for configuration profile signing](../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing-1600x900@2x.png)
Streamlining development processes across different operating systems is more crucial than ever. Ensuring the integrity and security of your software and, in this example, configuration profiles is paramount whether for iOS, macOS, watchOS, tvOS, or visionOS. This is where signing assets with an Apple Developer identity comes into play. By leveraging Apple Developer certificates, developers can sign code, applications, and configuration profiles, thereby asserting their authenticity and safeguarding them against tampering.
But what if your development environment or continuous integration/continuous deployment (CI/CD) workflows are based on Linux? The reality is that many development teams prefer Linux for its flexibility, power, openness, and containerization, particularly in server environments, automated testing, and cloud-based development workflows. Whether you're using Linux as part of an automated CI/CD workflow in AWS, GitHub Actions, or another system, the need to sign assets with an Apple Developer identity on a Linux platform is a common scenario that can pose unique challenges.
This guide is designed to bridge that gap. It walks you through the process of installing Apple Developer certificates on a Linux system, enabling you to sign assets and configuration profiles seamlessly, even outside the Apple ecosystem. By following these steps, you can integrate Apple's security practices into your Linux-based development workflows, ensuring that your applications maintain their integrity and security, no matter where they are developed or deployed.
## Create a certificate signing request (CSR)
Before we generate the CSR and deal with private keys, we must understand the importance of securing them. Private keys (`application.key` in this context) are the backbone of your application's security and authenticity. If compromised, they could allow malicious actors to sign applications or code as if they were you, potentially leading to severe security breaches. Taking steps to restrict access, encrypt with strong passwords, and securely backup you can significantly reduce the risk of handling private keys and ensure the security of your development workflow.
1. On your Linux host, do updates or upgrades as needed, then navigate to the `/tmp` directory:
```
sudo apt get update
sudo apt get upgrade
sudo apt install p11-kit
sudo apt-get install -y ca-certificates
cd /tmp
```
2. Create a 2048-bit key pair, and a certificate signing request with the following command:
```
openssl req -nodes -newkey rsa:2048 -keyout application.key -out application.csr
````
3. The `.csr` can be viewed with the following command (which will show the password used to create these files in plain text):
```
openssl req -in installer.csr -noout -text
```
## Create a developer certificate
For the next part of the process, you'll need access to the Apple Developer portal, which requires a web browser. Because of this, we need to move the CSR file created on your Linux server to a computer with browser access. This transfer ensures you can upload the file to Apple's Developer website in a subsequent step.
To securely transfer the file from your Linux system to another computer, use the `scp` (Secure Copy Protocol) command. This command encrypts the file as it's transferred over the network, protecting your sensitive information.
1. Execute the following command in your Linux system's terminal, replacing `admin@<FQDN or IP>` with your user name and the fully qualified domain name or IP address of your target computer:
```
scp admin@<FQDN or IP>:/tmp/application.csr /Users/Shared/
```
This command prompts you to authenticate with the target computer's credentials. Once authenticated, it will copy the `application.csr` file to the specified directory, readying it for the next steps in the Apple Developer portal.
2. Log into [developer.apple.com](http://developer.apple.com) with your Apple Developer credentials.
3. Navigate to Account > Certificates, IDs & Profiles > Certificates.
4. Click the **+** button next to Certificates:
![Click the **+** button next to Certificates](../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing4-567x126@2x.png "Click the **+** button next to Certificates")
5. Scroll to the bottom of the page and download all current Apple intermediate certificates (expired certificates may still be listed; you want the current ones):
![download all current Apple Intermediate Certificates](../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing3-717x236@2x.png "download all current Apple Intermediate Certificates")
6. Once you've downloaded the intermediate certificates, scroll up to the "Software" section and select "Developer ID Application," then click "Continue".
![Select Developer ID Application, then click Continue](../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing1-732x181@2x.png "select Developer ID Application, then click Continue")
7. Select the "G2 Sub-CA" profile type (or whatever Profile Type is NOT listed as "Previous Sub-CA").
8. Click **Choose File** to upload the `application.csr` file created and copied from your Linux host.
9. After completing the upload, click "Continue" to download the certificate.
![After completing the upload, click Continue to download the
certificate](../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing2-734x383@2x.png
"After completing the upload, click Continue to download the certificate")
10. From the Mac, move all downloaded certificates and the `.mobileconfig` file you want to sign to your Linux host with a command like:
```
scp ~/Downloads/{AppleWWDRCAG3.cer,AppleWWDRCAG4.cer,DeveloperIDG2CA.cer,developerID_application.cer,profile.mobileconfig} admin@<FQDN or IP>:/tmp
```
11. The `/tmp` directory on your Linux host should now contain the following files: `application.key`, `application.csr`, `AppleWWDRCAG3.cer`, `AppleWWDRCAG4.cer`, `DeveloperIDG2CA.cer`, `developerID_application.cer` and `profile.mobileconfig`.
12. Convert the Apple `.cer` files (DER-encoded) to PEM, then rename them with the `.crt` extension that `update-ca-certificates` expects:
```
openssl x509 -inform der -in AppleWWDRCAG3.cer -out AppleWWDRCAG3.pem
openssl x509 -inform der -in AppleWWDRCAG4.cer -out AppleWWDRCAG4.pem
openssl x509 -inform der -in DeveloperIDG2CA.cer -out DeveloperIDG2CA.pem
for file in *.pem; do mv -- "$file" "${file%.pem}.crt"; done
```
13. Add the Apple intermediate certificates to the Linux trust store. OpenSSL only accepts a chain that ends in a self-signed certificate it trusts, so if a later verification step reports an incomplete chain, download the Apple Root CA as well and add it the same way:
```
sudo mv /tmp/{AppleWWDRCAG3.crt,AppleWWDRCAG4.crt,DeveloperIDG2CA.crt} /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
14. Convert the signing certificate from `.cer` to `.pem` then change the file extension to `.crt`:
```
openssl x509 -inform der -in developerID_application.cer -out developerID_application.pem
mv developerID_application.pem developerID_application.crt
```
## Sign the profile using the signing certificate
1. Sign the profile. The output is a DER-encoded PKCS#7 (CMS) signed-data blob with the profile embedded in it (`-nodetach`), which is the form macOS expects. Add `-certfile DeveloperIDG2CA.crt` if you want the intermediate embedded so that verifiers which do not already hold it can build the chain:
```
openssl smime -sign -in profile.mobileconfig -out signed.mobileconfig -inkey application.key -signer developerID_application.crt -outform der -nodetach
```
2. To verify the signature and see which certificate produced it, run the following commands (`-noverify` checks the signature itself but skips validation of the signer's chain, which needs the Apple root in the trust store):
```
openssl cms -verify -in signed.mobileconfig -inform der -noverify -out /dev/null
openssl pkcs7 -inform der -in signed.mobileconfig -print_certs -noout
```
3. To verify file integrity, strip the profile signature, and compare the original profile against the unsigned profile:
```
openssl cms -in signed.mobileconfig -inform der -verify -nosigs -noverify -out unsigned.mobileconfig; diff -sy profile.mobileconfig unsigned.mobileconfig
```
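As an added example that is not part of the original guide, the following Go program reproduces the key/CSR, issuance, DER-to-PEM and trust-store steps with `crypto/x509` so they can be checked offline. A constructed, self-signed throwaway CA stands in for Apple's Developer ID intermediate (Apple's CA key is of course not available, and the subject names are made up); it issues a code-signing certificate from the CSR the way the portal does. PKCS#7 signing of the `.mobileconfig` is not in Go's standard library and stays with `openssl smime` as shown above.

```go
package main

// Added example, not from the article: the key/CSR, issuance, DER-to-PEM and
// trust-store steps done with Go's crypto/x509 so they can be exercised offline.
// A constructed throwaway CA stands in for Apple's Developer ID intermediate.

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewKeyAndCSR mirrors `openssl req -nodes -newkey rsa:2048` (step 2): an
// unencrypted 2048-bit RSA key and a DER CSR for it. Only the CSR leaves the host.
func NewKeyAndCSR(cn string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csr, err
}

// StandInCA builds a self-signed CA playing the role of Apple's intermediate
// (hypothetical subject; Apple's real CA key is not available to us).
func StandInCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Developer ID Certification Authority"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueFromCSR is what the portal does with the uploaded CSR: confirm the requester
// holds the private key (the CSR's self-signature), then issue a code-signing leaf.
// The result is DER, like the .cer you download.
func IssueFromCSR(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// DERToPEM is `openssl x509 -inform der -in X.cer -out X.pem` (steps 12 and 14).
func DERToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// ChainsTo is the property step 13 establishes: the leaf verifies against a trust
// store holding the issuing CA and fails against one that does not.
func ChainsTo(leafDER []byte, trusted ...*x509.Certificate) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	ca, caKey, err := StandInCA()
	check(err)
	_, csr, err := NewKeyAndCSR("Developer ID Application: Example Org (TEAMID)")
	check(err)
	leaf, err := IssueFromCSR(csr, ca, caKey)
	check(err)
	fmt.Print(string(DERToPEM(leaf)))
	fmt.Println("CA in trust store:", ChainsTo(leaf, ca))
	fmt.Println("empty trust store:", ChainsTo(leaf))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

The last two lines of output are the point of step 13: the same leaf verifies when its issuer is in the pool and fails with an unknown-authority error when it is not. OpenSSL is stricter than Go here: by default it requires the chain to end at a self-signed root present in the store, which is why the Linux host may need the Apple Root CA alongside the intermediates.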
## Streamlining your CI/CD workflow
This guide should help integrate the Apple Developer security practices into your Linux-based development environment. Signing `.mobileconfig` files on Linux allows you to automate the signing and deployment of MDM configuration profiles, ensuring that your device management workflows are secure and efficient.
Incorporating these steps into your CI/CD pipeline can streamline your deployment process. Automated signing eliminates manual intervention, reducing the potential for human error and freeing up time for other tasks. Consider exploring further automation opportunities within your CI/CD workflow. The goal is to create a seamless pipeline that enhances security and increases your team's productivity and deployment reliability.
<meta name="articleTitle" value="Apple developer certificates on Linux for configuration profile signing">
<meta name="authorFullName" value="Brock Walters">
<meta name="authorGitHubUsername" value="nonpunctual">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-03-06">
<meta name="articleImageUrl" value="../website/assets/images/articles/apple-developer-certificates-on-linux-for-configuration-profile-signing-1600x900@2x.png">
<meta name="description" value="This guide walks through the process of adding an Apple signing certificate to a Linux host.">

@ -0,0 +1,45 @@
# Catch missed authorization checks during software development
<div class="video-container" style="position: relative; width: 100%; padding-bottom: 56.25%; margin-top: 24px; margin-bottom: 40px;">
<iframe class="video" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border: 0;" src="https://www.youtube.com/embed/jbkPLQpzPtc?si=k1BUb98QWRT1V8fZ" allowfullscreen></iframe>
</div>
Authorization is deciding whether a user is permitted to perform a given action on the server. As developers, we must ensure that users are only allowed to do what they are authorized to do.
One way to ensure that authorization has happened is to loudly flag when it hasn't. This is how we do it at [Fleet Device Management](https://www.linkedin.com/company/fleetdm/?lipi=urn%3Ali%3Apage%3Ad_flagship3_pulse_read%3BCaXkx0wxSNeQ8WfF5SZ17g%3D%3D).
In our code base, we use the [go-kit library](https://github.com/go-kit/kit). Most of the general endpoints are created in the handler.go file. For example:
```
// user-authenticated endpoints
ue := newUserAuthenticatedEndpointer(svc, opts, r, apiVersions...)
ue.POST("/api/_version_/fleet/trigger", triggerEndpoint, triggerRequest{})
```
Every endpoint calls **kithttp.NewServer** and wraps the endpoint with our **AuthzCheck**. From [handler.go](https://github.com/fleetdm/fleet/blob/36421bd5055d37a4c39a04e0f9bd96ad47951131/server/service/handler.go#L729):
```
e = authzcheck.NewMiddleware().AuthzCheck()(e)
return kithttp.NewServer(e, decodeFn, encodeResponse, opts...)
```
![Example check](../website/assets/images/articles/catch-missed-authorization-checks-during-software-development-720x179@2x.jpg
"Example check")
This means that AuthzCheck runs after the business logic and confirms that an authorization check was actually performed during the request. If it was not, the endpoint's response is discarded, a generic error is returned to the client, and the miss is logged. From [authzcheck.go](https://github.com/fleetdm/fleet/blob/36421bd5055d37a4c39a04e0f9bd96ad47951131/server/service/middleware/authzcheck/authzcheck.go#L51):
```
// If authorization was not checked, return a response that will
// marshal to a generic error and log that the check was missed.
if !authzctx.Checked() {
// Getting to here means there is an authorization-related bug in our code.
return nil, authz.CheckMissingWithResponse(response)
}
```
This additional check is useful during our development and QA process, to ensure that authorization always happens in our business logic.
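Here is an added example (mine, not Fleet's code) of the same fail-closed pattern written against a go-kit-shaped `Endpoint` type; go-kit itself is not imported, and `AuthorizationContext`, `AuthzCheck` and the request types are illustrative names rather than Fleet's identifiers. Two versions of a delete endpoint show the difference between a check that ran and denied (the client gets a forbidden error) and a check that never ran (the client gets a generic error and the miss is logged server-side).

```go
package main

// Added example, not Fleet's code: a fail-closed "did the business logic check
// authorization?" middleware in the go-kit endpoint style. Endpoint, Middleware
// and the authorization context are defined here so this runs without go-kit.

import (
	"context"
	"errors"
	"fmt"
)

// Endpoint matches go-kit's endpoint.Endpoint signature.
type Endpoint func(ctx context.Context, request interface{}) (interface{}, error)

// Middleware wraps one Endpoint in another.
type Middleware func(Endpoint) Endpoint

// AuthorizationContext is created per request by the middleware and flipped by
// the business logic once it has evaluated a policy for that request.
type AuthorizationContext struct{ checked bool }

func (a *AuthorizationContext) SetChecked() { a.checked = true }
func (a *AuthorizationContext) Checked() bool { return a.checked }

type authzKey struct{}

// AuthzFromContext returns the request's AuthorizationContext, if the middleware set one.
func AuthzFromContext(ctx context.Context) (*AuthorizationContext, bool) {
	a, ok := ctx.Value(authzKey{}).(*AuthorizationContext)
	return a, ok
}

var (
	// ErrCheckMissing is deliberately generic: the real reason (a bug) belongs in
	// the server log, not in the response.
	ErrCheckMissing = errors.New("internal error")
	ErrForbidden    = errors.New("forbidden")
)

// AuthzCheck runs the endpoint, then refuses to hand back its response unless the
// endpoint recorded an authorization check. It stays fail-closed even when the
// endpoint returned an error: a skipped check is a bug regardless of what else went wrong.
func AuthzCheck() Middleware {
	return func(next Endpoint) Endpoint {
		return func(ctx context.Context, req interface{}) (interface{}, error) {
			authz := &AuthorizationContext{}
			ctx = context.WithValue(ctx, authzKey{}, authz)
			resp, err := next(ctx, req)
			if !authz.Checked() {
				fmt.Printf("authz check missed (response %T, err %v)\n", resp, err)
				return nil, ErrCheckMissing
			}
			return resp, err
		}
	}
}

// hostRequest is a constructed request type carrying the caller's role.
type hostRequest struct {
	Role   string
	HostID int
}

// authorize is the policy call every endpoint must make. It marks the context as
// checked whether it allows or denies, so "checked and denied" (ErrForbidden) is
// distinguishable from "never checked" (ErrCheckMissing).
func authorize(ctx context.Context, role, action string) error {
	if a, ok := AuthzFromContext(ctx); ok {
		a.SetChecked()
	}
	if action == "delete" && role != "admin" {
		return ErrForbidden
	}
	return nil
}

// listHosts does it right: policy first, then work.
func listHosts(ctx context.Context, req interface{}) (interface{}, error) {
	r := req.(hostRequest)
	if err := authorize(ctx, r.Role, "read"); err != nil {
		return nil, err
	}
	return []int{1, 2, 3}, nil
}

// deleteHostBuggy has the defect the article guards against: it never calls authorize.
func deleteHostBuggy(ctx context.Context, req interface{}) (interface{}, error) {
	r := req.(hostRequest)
	return fmt.Sprintf("deleted host %d", r.HostID), nil
}

// deleteHost is the fixed version.
func deleteHost(ctx context.Context, req interface{}) (interface{}, error) {
	r := req.(hostRequest)
	if err := authorize(ctx, r.Role, "delete"); err != nil {
		return nil, err
	}
	return fmt.Sprintf("deleted host %d", r.HostID), nil
}

func main() {
	check := AuthzCheck()
	for _, c := range []struct {
		name string
		ep   Endpoint
		req  hostRequest
	}{
		{"listHosts as observer", listHosts, hostRequest{Role: "observer"}},
		{"deleteHostBuggy as admin", deleteHostBuggy, hostRequest{Role: "admin", HostID: 7}},
		{"deleteHost as observer", deleteHost, hostRequest{Role: "observer", HostID: 7}},
		{"deleteHost as admin", deleteHost, hostRequest{Role: "admin", HostID: 7}},
	} {
		resp, err := check(c.ep)(context.Background(), c.req)
		fmt.Printf("%-26s resp=%v err=%v\n", c.name, resp, err)
	}
}
```

Note that `deleteHostBuggy` is refused even for an admin who would have been allowed: the middleware cannot know what the policy would have said, so the only safe answer is to fail closed and surface the bug in the log.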
<meta name="articleTitle" value="Catch missed authorization checks during software development">
<meta name="authorFullName" value="Victor Lyuboslavsky">
<meta name="authorGitHubUsername" value="getvictor">
<meta name="category" value="guides">
<meta name="publishedOn" value="2023-12-04">
<meta name="description" value="How to perform authorization checks in a golang codebase for cybersecurity">

@ -0,0 +1,51 @@
# A comparative look at VMware Workspace ONE and Fleet Device Management
![A comparative look at VMware Workspace ONE and Fleet Device Management](../website/assets/images/articles/comparative-look-at-ws1-and-fleet-1600x900@2x.png)
IT administrators and security professionals are constantly looking for robust, scalable device management solutions that can accommodate the dynamic needs of their organizations. The recent acquisition of VMware by Broadcom, with its potential implications for VMware Workspace ONE users, has added a layer of uncertainty to this search. Amidst these industry shifts, Fleet Device Management emerges as a compelling alternative, distinguished by its open-core, cross-platform approach and strong community support. This blog post delves into a comparative analysis of VMware Workspace ONE and Fleet Device Management, offering insights to help navigate the complex terrain of device management solutions.
### Understanding VMware Workspace ONE
VMware Workspace ONE (formerly known as AirWatch) is a comprehensive digital workspace platform, often called unified endpoint management (UEM), offering a range of features designed to simplify device and application management across diverse environments. However, the [acquisition of VMware by Broadcom](https://investors.broadcom.com/news-releases/news-release-details/broadcom-completes-acquisition-vmware) introduces a degree of uncertainty, particularly regarding the future direction and support for Workspace ONE. While there may be potential benefits, such as greater integration with Broadcom's security and networking solutions and possibly increased resources for development, concerns loom large. These include potential disruptions to existing workflows, shifts in product focus away from smaller businesses, and significant price increases upon contract renewal—a stark reflection of the broader industry trend towards prioritizing corporate profitability at the expense of customer value.
### Introducing Fleet Device Management
Fleet, with its open-core model, offers a refreshing contrast. Designed for real-time insights using osquery and GitOps-driven management, Fleet caters to a wide range of devices, including Mac, Windows, Linux, and ChromeOS. Its strength lies in its adaptability to organizations of various sizes, facilitated by a robust community-driven development model. Fleet's emphasis on flexibility, scalability, and community engagement positions it as a desirable option for organizations seeking stability and transparency in their device management solutions.
### Comparative analysis
When comparing the two solutions, several key differences emerge. VMware Workspace ONE offers a broad feature set with deep integration into the VMware ecosystem, potentially appealing to organizations heavily invested in VMware products. However, the recent acquisition raises questions about long-term stability and cost-effectiveness.
In contrast, Fleet's open-source nature and community-driven approach provide a level of transparency and control not typically found in proprietary solutions. This aspect particularly appeals to organizations wary of vendor lock-in and those valuing the agility and innovation spurred by community contributions.
Centralized management capabilities are crucial for larger organizations; both solutions offer robust tools. However, Fleet's open-source model may provide more flexibility and customization options with a [robust API](https://fleetdm.com/docs/rest-api/rest-api), allowing organizations to tailor the solution to their specific needs without facing unexpected cost hikes or unilateral changes to the service.
### The value of open source in device management
The open-source model underpinning Fleet Device Management exemplifies the benefits of community collaboration and innovation. Unlike proprietary models, which can be subject to corporate decisions that may not align with user needs, open-source projects like Fleet thrive on user feedback and contributions. This model fosters a vibrant ecosystem where stability, security, and functionality continuously evolve, driven by its users' collective expertise and insights.
### Navigating uncertainties in the tech landscape
The tech industry's landscape is fraught with uncertainties, particularly with frequent mergers and acquisitions. The stability and predictability offered by open-source solutions like Fleet can be a safe harbor for IT decision-makers. Fleet's transparent development process and community-driven roadmap provide assurance that is hard to find in proprietary solutions, which may be subject to abrupt changes in direction or pricing in the wake of corporate acquisitions.
### Conclusion
The choice between VMware Workspace ONE and Fleet Device Management hinges on various factors, including organizational size, existing infrastructure, and long-term strategic priorities. As the industry continues to evolve, the value of open-source solutions like Fleet—marked by their flexibility, community support, and transparency—becomes increasingly apparent. For organizations navigating the complexities of device management, Fleet offers a compelling alternative that aligns with the needs of a diverse and dynamic IT landscape.
We invite readers to explore Fleet Device Management further, considering how its open-core, community-driven approach can meet the evolving needs of your organization. Check out our [migration guide](https://fleetdm.com/docs/using-fleet/mdm-migration-guide#migration-guide) to move from VMware Workspace ONE to Fleet. Your feedback and questions are invaluable as we continue to navigate the future of device management together. [Join the conversation](https://fleetdm.com/support) and let us know your thoughts on this critical topic.
<meta name="category" value="announcements">
<meta name="authorFullName" value="JD Strong">
<meta name="authorGitHubUsername" value="spokanemac">
<meta name="publishedOn" value="2024-02-01">
<meta name="articleTitle" value="A comparative look at VMware Workspace ONE and Fleet Device Management">
<meta name="articleImageUrl" value="../website/assets/images/articles/comparative-look-at-ws1-and-fleet-1600x900@2x.png">

@ -0,0 +1,88 @@
# Config-less `fleetd` agent deployment
![Config-less `fleetd` agent deployment](../website/assets/images/articles/config-less-fleetd-agent-deployment-1600x900@2x.png)
Deploying Fleet's agent across a diverse range of devices often involves the crucial step of enrolling each device. Traditionally, this involves [packaging](https://fleetdm.com/docs/using-fleet/fleetd#packaging) `fleetd` with configuration including the enroll secret and server URL. While effective, an alternative offers more flexibility in your deployment process. This guide introduces a different approach for deploying Fleet's agent without embedding configuration settings directly into `fleetd`. Ideal for IT administrators who prefer to generate a single package and maintain greater control over the distribution of enrollment secrets and server URLs, this method simplifies the enrollment process across macOS and Windows hosts.
Emphasizing adaptability and convenience, this approach allows for a more efficient way to manage device enrollments. Let's dive into how to deploy Fleet's agent using this alternative method, ensuring a more open and flexible deployment process.
## For macOS:
1. First, you need to build an installer that will read the configs from an enrollment profile using:
```
fleetctl package --type=pkg --use-system-configuration --fleet-desktop
```
> [Download the latest version of fleetctl.](https://github.com/fleetdm/fleet/releases/latest)
2. With your MDM, send an enrollment configuration profile like the example provided here (be sure to replace `YOUR_ENROLL_SECRET_HERE` and `YOUR_FLEET_URL_HERE` with proper values.):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>EnrollSecret</key>
<string>YOUR_ENROLL_SECRET_HERE</string>
<key>FleetURL</key>
<string>YOUR_FLEET_URL_HERE</string>
<key>PayloadDisplayName</key>
<string>Fleetd configuration</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.fleetd.config</string>
<key>PayloadType</key>
<string>com.fleetdm.fleetd.config</string>
<key>PayloadUUID</key>
<string>476F5334-D501-4768-9A31-1A18A4E1E807</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Fleetd configuration</string>
<key>PayloadIdentifier</key>
<string>com.fleetdm.fleetd.config</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0C6AFB45-01B6-4E19-944A-123CD16381C7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadDescription</key>
<string>Default configuration for the fleetd agent.</string>
</dict>
</plist>
```
## For Windows:
1. Download the base MSI installer from [https://download.fleetdm.com/fleetd-base.msi](https://download.fleetdm.com/fleetd-base.msi) (once installed, `fleetd` and `fleet-desktop` will be upgraded to the latest version)
2. Install `fleetd` on Windows hosts by passing the `FLEET_URL` and `FLEET_SECRET` properties to the MSI installer:
```
msiexec /i fleetd-base.msi FLEET_URL="<target_url>" FLEET_SECRET="<secret_to_use>"
```
These steps are a flexible alternative to deploying Fleet's agent across macOS and Windows platforms. This method, focused on separating the configuration from the `fleetd` package, empowers you with more control and simplifies the management of your device enrollments.
This approach complements the original packaging method, allowing you to choose the best fit for your organization's needs. Whether you prioritize streamlined package generation or prefer granular control over configuration distribution, these methods foster an open, flexible environment for deploying Fleet.
We encourage you to explore this alternative method in your environment and see how it aligns with your operational workflows. If you have any questions, insights, or experiences to share, feel free to join our community [Fleet Slack channels](https://fleetdm.com/support). Your feedback helps us improve and fosters a collaborative space where ideas and solutions can flourish.
<meta name="articleTitle" value="Config-less fleetd agent deployment">
<meta name="authorFullName" value="Noah Talerman">
<meta name="authorGitHubUsername" value="noahtalerman">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-01-31">
<meta name="articleImageUrl" value="../website/assets/images/articles/config-less-fleetd-agent-deployment-1600x900@2x.png">
<meta name="description" value="Config-less `fleetd` agent deployment">

@ -1,715 +0,0 @@
# Deploy Fleet on Hetzner Cloud with cloud-init and Docker
![Fleet + Hetzner](../website/assets/images/articles/deploying-fleet-on-hetzner-1600x900@2x.jpg)
[Hetzner](https://hetzner.com) is a great price-performance provider for “root” (dedicated) and Virtual Private Servers (VPS) with high performance and generous bandwidth.
While other providers may charge large amounts for computing and storage, Hetzner is cost-effective _and_ scalable, with great managed options (such as [Nextcloud](https://www.hetzner.com/storage/storage-share)).
Let's explore how you might deploy Fleet on [Hetzner Cloud](https://hetzner.com/cloud) as quickly as possible so you can use Fleet to orchestrate osquery on your endpoints.
## The 2 minute setup
For those who want to get started quickly, copy and paste the following two scripts into cloud-init User-Data. Alternatively, the more adventurous can follow the [full deployment guide](#the-full-deployment-guide).
### Fleet
Copy and paste the following script into cloud-init User-Data for the Fleet controller machine, replacing `FLEET_DOMAIN` with your Fleet machine TLD:
```bash
#!/usr/bin/bash
# DON'T FORGET: Replace the line below with your fleet machine TLD
export FLEET_DOMAIN=fleet.domain.tld
#######
# DNS #
#######
# Set up DNS resolution
sed -i 's/^#DNS=$/DNS=1.1.1.1 9.9.9.9 8.8.8.8/' /etc/systemd/resolved.conf
systemctl restart systemd-resolved
#######
# APT #
#######
# Update Apt
sudo apt update
sudo apt install -y ca-certificates curl gnupg lsb-release
############
# Firewall #
############
apt install -y ufw
ufw default deny incoming
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable
############
# Fail2Ban #
############
apt install -y fail2ban
##########
# Docker #
##########
apt install -y ca-certificates curl gnupg lsb-release # these should already be installed
# Set up package repositories for docker
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install docker
apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
docker pull mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67 # mysql:5.7.38 as of 2022/05/19
######################
# MySQL (dockerized) #
######################
# mysql:5.7.38 as of 2022/05/19
docker pull mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67
# Create the Fleet MySQL data folder
mkdir -p /etc/fleet
# Create ENV that will be used by the docker container
touch /etc/fleet/mysql.env
chmod 600 /etc/fleet/mysql.env
echo "MYSQL_HOST=127.0.0.1" >> /etc/fleet/mysql.env
echo "MYSQL_USER=fleet" >> /etc/fleet/mysql.env
echo "MYSQL_DATABASE=fleet" >> /etc/fleet/mysql.env
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | sed -e 's/^/MYSQL_PASSWORD=/' >> /etc/fleet/mysql.env
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | sed -e 's/^/MYSQL_ROOT_PASSWORD=/' >> /etc/fleet/mysql.env
cat <<EOF > /etc/systemd/system/fleet-mysql.service
[Unit]
Description=Fleet MySQL instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67
ExecStart=/usr/bin/docker run --rm \
--name %n \
-p 127.0.0.1:3306:3306 \
-v /etc/fleet/mysql:/var/lib/mysql \
--env-file /etc/fleet/mysql.env \
mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67
ExecStop=/usr/bin/docker stop %n
[Install]
WantedBy=default.target
EOF
systemctl daemon-reload
systemctl enable fleet-mysql
systemctl start fleet-mysql
######################
# Redis (Dockerized) #
######################
docker pull eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726
cat <<EOF > /etc/systemd/system/fleet-redis.service
[Unit]
Description=Fleet Redis instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
# eqalpha/keydb:x86_64_v6.3.0 as of 2022-05-19
ExecStartPre=-/usr/bin/docker pull eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726
ExecStart=/usr/bin/docker run --rm \
--name %n \
-p 127.0.0.1:6379:6379 \
-v /etc/fleet/redis:/var/lib/redis \
eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726
ExecStop=/usr/bin/docker stop %n
[Install]
WantedBy=default.target
EOF
systemctl daemon-reload
systemctl enable fleet-redis
systemctl start fleet-redis
######################
# Fleet (Dockerized) #
######################
docker pull fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b
mkdir -p /etc/fleet/fleet
# MySQL fleet ENV
bash -c 'source /etc/fleet/mysql.env && echo -e "FLEET_MYSQL_USERNAME=$MYSQL_USER" >> /etc/fleet/fleet.env';
bash -c 'source /etc/fleet/mysql.env && echo -e "FLEET_MYSQL_PASSWORD=$MYSQL_PASSWORD" >> /etc/fleet/fleet.env';
echo 'FLEET_MYSQL_DATABASE=fleet' >> /etc/fleet/fleet.env
# Other fleet ENV vars
echo 'FLEET_SERVER_ADDRESS=127.0.0.1:8080' >> /etc/fleet/fleet.env
echo 'FLEET_MYSQL_ADDRESS=localhost:3306' >> /etc/fleet/fleet.env
echo 'FLEET_REDIS_ADDRESS=localhost:6379' >> /etc/fleet/fleet.env
echo 'FLEET_SERVER_TLS=false' >> /etc/fleet/fleet.env
cat <<EOF > /etc/systemd/system/fleet.service
[Unit]
Description=Fleet
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b
ExecStartPre=/usr/bin/docker run --rm \
--name fleet-prepare-db \
--net=host \
--env-file=/etc/fleet/fleet.env \
fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b \
/usr/bin/fleet prepare db --no-prompt --logging_debug
ExecStart=/usr/bin/docker run --rm \
--name %n \
--net=host \
--env-file=/etc/fleet/fleet.env \
fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b \
/usr/bin/fleet serve
[Install]
WantedBy=default.target
EOF
systemctl daemon-reload
systemctl enable fleet
systemctl start fleet
######################
# Caddy (Dockerized) #
######################
mkdir -p /etc/fleet/caddy;
touch /etc/fleet/caddy.env;
chmod 600 /etc/fleet/caddy.env;
echo -e "FLEET_DOMAIN=${FLEET_DOMAIN}" >> /etc/fleet/caddy.env; # Replace this with your domain!
cat <<EOF > /etc/fleet/caddy/Caddyfile
{\$FLEET_DOMAIN}
reverse_proxy 127.0.0.1:8080
EOF
docker pull caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c
cat <<EOF > /etc/systemd/system/fleet-caddy.service
[Unit]
Description=Fleet Caddy instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
EnvironmentFile=/etc/fleet/caddy.env
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
# caddy:2.5.1-alpine as of 2022-05-20
ExecStartPre=-/usr/bin/docker pull caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c
ExecStart=/usr/bin/docker run --rm \
--name %n \
--env-file=/etc/fleet/caddy.env \
--net=host \
-v /etc/fleet/caddy/Caddyfile:/etc/caddy/Caddyfile \
-v /etc/fleet/caddy/data:/data \
-v /etc/fleet/caddy/config:/config \
caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c
[Install]
WantedBy=default.target
EOF
systemctl daemon-reload
systemctl enable fleet-caddy
systemctl start fleet-caddy
```
### Host
Copy and paste the script below into cloud-init User-Data for your hosts (which run `osqueryd` and workloads).
> The Fleet version number in the script can be swapped for the latest.
```bash
#!/usr/bin/bash
#######
# DNS #
#######
# Set up DNS resolution
sed -i 's/^#DNS=$/DNS=1.1.1.1 9.9.9.9 8.8.8.8/' /etc/systemd/resolved.conf
systemctl restart systemd-resolved
#######
# APT #
#######
# Update Apt
sudo apt update
sudo apt install -y ca-certificates curl gnupg lsb-release
############
# Firewall #
############
apt install -y ufw
ufw default deny incoming
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable
############
# Fail2Ban #
############
apt install -y fail2ban
############
# fleetctl #
############
wget https://github.com/fleetdm/fleet/releases/download/fleet-v4.15.0/fleetctl_v4.15.0_linux.tar.gz
echo "cd50f058724cdde07edcc3cf89c83e9c5cd91ca41974ea470ae660cb50dd04a1 fleetctl_v4.15.0_linux.tar.gz" | sha256sum -c
tar --extract --file=fleetctl_v4.15.0_linux.tar.gz fleetctl_v4.15.0_linux/fleetctl
mv fleetctl_v4.15.0_linux/fleetctl /usr/bin/fleetctl
##########################
# Machine Workload Setup #
##########################
### Your normal node setup goes here
### (after the Fleet instance is running, you'll get a command like the one below to run on hosts)
### $ fleetctl package --type=deb --fleet-url=https://fleet.vadosware.io --enroll-secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
### (Running the command above produces a .DEB package you can install like the example below)
### $ apt install /root/fleet-osquery_0.0.13_amd64.deb
### (After this, you should be able to see your new machine on the fleet instance! 🎉)
```
---
## The full deployment guide
For the more adventurous, here are the complete instructions for deploying Fleet on Hetzner with cloud-init and Docker from scratch.
## Prerequisites
To follow this guide, you'll need:
- An [account with Hetzner](https://accounts.hetzner.com/signUp)
- A practical understanding of [Cloud-init](https://cloudinit.readthedocs.io/), the multi-distribution method for cross platform cloud instance initialization.
- A practical understanding of cloud-init [User-Data](https://cloudinit.readthedocs.io/en/latest/topics/format.html)
- A practical understanding of [Docker](https://docs.docker.com/) (or any other container runtime of your choice)
## Get a machine from Hetzner
First, purchase a machine (for example, a [Hetzner Cloud](https://hetzner.com/cloud) instance):
![Hetzner cloud purchase machine screen](../website/assets/images/articles/deploy-fleet-on-hetzner-cloud-1-932x388%402x.png)
_Hetzner cloud purchase machine screen_
After purchasing, you should know the IP address of your machine (and make sure you set up things like SSH [securely](https://community.hetzner.com/tutorials/securing-ssh)!)
---
## DNS
### For your domain
This would be a great time to set up `A`/`AAAA` records for your Fleet controller instance; something like `fleet.domain.tld` should work (ex. `fleet.yoursite.com`).
### On the machine
Now that we have our machine, we'll want to allow DNS queries to resolvers other than Hetzner's:
```
sed -i 's/^#DNS=$/DNS=1.1.1.1 9.9.9.9 8.8.8.8/' /etc/systemd/resolved.conf
systemctl restart systemd-resolved
```
This will ensure that external DNS can be reached through a means _other_ than by Hetzner default DNS nameservers.
### Set up APT
Let's get our machine up to date and install some packages we'll need later:
```
# Update Apt
sudo apt update
sudo apt install -y ca-certificates curl gnupg lsb-release
```
### Set up a firewall
To ensure we do not expose services accidentally, we'll install [UncomplicatedFirewall](https://wiki.ubuntu.com/UncomplicatedFirewall), also known as ufw, set its default policy to block all inbound traffic, and then allow only the protocols we need. `--force` skips the interactive confirmation, which would otherwise stall a cloud-init run:
```
apt install -y ufw
ufw default deny incoming
ufw allow ssh
ufw allow http
ufw allow https
ufw --force enable
```
---
## Docker
Before we can get started, let's install [Docker](https://docs.docker.com/) to manage our workloads. Other container runtimes would work, but Docker is pretty well known, robust, and uses [Containerd](https://containerd.io) underneath anyway, so let's use that:
```
sudo apt install -y ca-certificates curl gnupg lsb-release # these should already be installed
# Set up package repositories for docker
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install docker
$ sudo apt update
$ sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
```
>NOTE: This is a UserData script, so we don't have to worry about removing previously existing versions!
>See the [official Docker Ubuntu install documentation](https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository) for more details.
---
## MySQL
Fleet uses [MySQL](https://www.mysql.com/) as its primary data store, so first, we'll have to set up MySQL.
To run MySQL, we'll have to do the following:
### Pull the MySQL container
We can pull the [official MySQL docker image](https://hub.docker.com/_/mysql) like so:
```
$ docker pull mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67 # mysql:5.7.38 as of 2022/05/19
```
### Create & enable a systemd unit for MySQL
[systemd](https://systemd.io) has become the de facto service manager for most distros, and as such, we'll be setting up a [systemd unit](https://www.freedesktop.org/software/systemd/man/systemd.unit.html) to ensure MySQL is started automatically.
First we'll set up our credentials:
```
# Create the Fleet MySQL data folder
mkdir -p /etc/fleet
# Create ENV that will be used by the docker container
touch /etc/fleet/mysql.env
chmod 600 /etc/fleet/mysql.env
echo "MYSQL_HOST=127.0.0.1" >> /etc/fleet/mysql.env
echo "MYSQL_USER=fleet" >> /etc/fleet/mysql.env
echo "MYSQL_DATABASE=fleet" >> /etc/fleet/mysql.env
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | sed -e 's/^/MYSQL_PASSWORD=/' >> /etc/fleet/mysql.env
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | sed -e 's/^/MYSQL_ROOT_PASSWORD=/' >> /etc/fleet/mysql.env
```
And then we'll create the actual unit that reads this config:
```
[Unit]
Description=Fleet MySQL instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67
ExecStart=/usr/bin/docker run --rm \
--name %n \
-p 127.0.0.1:3306:3306 \
-v /etc/fleet/mysql:/var/lib/mysql \
--env-file /etc/fleet/mysql.env \
mysql@sha256:16e159331007eccc069822f7b731272043ed572a79a196a05ffa2ea127caaf67
ExecStop=/usr/bin/docker stop %n
[Install]
WantedBy=default.target
```
We'll save this content to `/etc/systemd/system/fleet-mysql.service` (the unit name becomes the container name via `%n`), and refresh `systemd`:
```
$ systemctl daemon-reload
$ systemctl enable fleet-mysql
```
>NOTE: `systemctl enable` only arranges for the unit to start at boot. If you want it running right away (for example when walking through these steps by hand instead of from cloud-init), use `systemctl enable --now fleet-mysql`.
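Every unit in this guide pins its image by digest (`name@sha256:…`) rather than by a mutable tag, so a retagged or tampered upstream image cannot silently change what `docker run` starts. Here is an added check, written for this page and not part of the article or of Fleet, that scans unit files for `docker pull` lines and flags any image reference that is not a well-formed `name@sha256:<64 hex>` pin. It catches a tag such as `mysql:5.7` as well as a mistyped digest. The sample unit text and the all-zero digest are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: check that every image a unit file
# pulls is pinned by digest (name@sha256:<64 hex>), so a retagged or tampered
# upstream tag cannot silently change what `docker run` starts.
set -eu
export LC_ALL=C

# check_pinned_images reads systemd unit text on stdin, extracts the image
# argument of each `docker pull` line and prints every reference that is not
# a well-formed digest pin. Returns 1 if any was found, 0 otherwise.
check_pinned_images() {
  bad=0
  imgs=$(grep -oE 'docker pull[[:space:]]+[^[:space:]]+' | awk '{print $3}') || true
  for img in $imgs; do
    if printf '%s' "$img" | grep -Eq '^[a-z0-9][a-z0-9._/-]*@sha256:[0-9a-f]{64}$'; then
      continue
    fi
    echo "NOT PINNED BY DIGEST: $img"
    bad=1
  done
  return "$bad"
}

# Constructed sample units. The digest is a placeholder, not a real image.
GOOD_DIGEST='0000000000000000000000000000000000000000000000000000000000000000'
UNIT_GOOD="ExecStartPre=-/usr/bin/docker pull mysql@sha256:${GOOD_DIGEST}
ExecStart=/usr/bin/docker run --rm --name %n mysql@sha256:${GOOD_DIGEST}"
# One mutable tag and one mistyped digest reference; both must be flagged.
UNIT_BAD="ExecStartPre=-/usr/bin/docker pull mysql:5.7
ExecStartPre=-/usr/bin/docker pull caddysha@256:${GOOD_DIGEST}"

# Usage on the host:  ./check_pins.sh --check < /etc/systemd/system/fleet-mysql.service
if [ "${1:-}" = "--check" ]; then
  check_pinned_images
fi
```

Run it over each of the four unit files after writing them; a non-zero exit means at least one image would be resolved by tag at start time.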
---
## Redis
Fleet uses [Redis](https://redis.io/) as its primary caching solution, so we'll need to set up Redis as well. While "vanilla" Redis is a great choice, a more recent entrant to the space is [KeyDB](https://keydb.dev/), an alternative multi-threaded implementation of Redis.
### Pull the ~~Redis~~ KeyDB Docker container
We can pull the [KeyDB docker image](https://hub.docker.com/r/eqalpha/keydb) like so:
```
$ docker pull eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726 # x86_64_v6.3.0 as of 2022/05/19
```
### Create and enable a Redis systemd service
Similarly to MySQL, a systemd service can be created for our redis-equivalent service as well.
```
[Unit]
Description=Fleet Redis instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726 # eqalpha/keydb:x86_64_v6.3.0 as of 2022-05-19
ExecStart=/usr/bin/docker run --rm \
--name %n \
-p 127.0.0.1:6379:6379 \
-v /etc/fleet/redis:/var/lib/redis \
eqalpha/keydb@sha256:18a00f69577105650d829ef44a9716eb4feaa7a5a2bfacd115f0a1e7a97a8726
ExecStop=/usr/bin/docker stop %n
[Install]
WantedBy=default.target
```
We'll save this content to `/etc/systemd/system/fleet-redis.service`. Before relying on the `/var/lib/redis` mount for persistence, check the image's documented data directory: the official `redis` image, for instance, keeps its data under `/data`, and a volume mounted at the wrong path persists nothing. Then, just like MySQL, we'll `daemon-reload` and `enable`:
```
systemctl daemon-reload
systemctl enable fleet-redis
```
---
## Fleet
We're finally at the main course: time to install Fleet!
### Pull the Fleet docker container
We can pull the [Fleet docker image](https://hub.docker.com/r/fleetdm/fleet) like so:
```
$ docker pull fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b
```
The [Fleet v4.15.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0) release can be found [in DockerHub](https://hub.docker.com/r/fleetdm/fleet/tags?page=1&name=v4.15.0).
### Create and enable the Fleet systemd service
First, we'll get our Fleet ENV vars in place. This file carries the MySQL password, so it gets the same `chmod 600` treatment as `mysql.env`:
```
mkdir -p /etc/fleet
touch /etc/fleet/fleet.env
chmod 600 /etc/fleet/fleet.env
# MySQL fleet ENV (reuse the credentials generated for the MySQL container)
bash -c 'source /etc/fleet/mysql.env && echo -e "FLEET_MYSQL_USERNAME=$MYSQL_USER" >> /etc/fleet/fleet.env';
bash -c 'source /etc/fleet/mysql.env && echo -e "FLEET_MYSQL_PASSWORD=$MYSQL_PASSWORD" >> /etc/fleet/fleet.env';
echo 'FLEET_MYSQL_DATABASE=fleet' >> /etc/fleet/fleet.env
# Other fleet ENV vars
echo 'FLEET_SERVER_ADDRESS=127.0.0.1:8080' >> /etc/fleet/fleet.env
echo 'FLEET_MYSQL_ADDRESS=localhost:3306' >> /etc/fleet/fleet.env
echo 'FLEET_REDIS_ADDRESS=localhost:6379' >> /etc/fleet/fleet.env
echo 'FLEET_SERVER_TLS=false' >> /etc/fleet/fleet.env
```
Fleet itself runs without TLS here (`FLEET_SERVER_TLS=false`) because it binds only to `127.0.0.1:8080`; TLS is terminated by Caddy in the next section, so plaintext traffic never leaves the host. We can set up Fleet to run like so:
```
[Unit]
Description=Fleet
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b
ExecStartPre=/usr/bin/docker run --rm \
--name fleet-prepare-db \
--net=host \
--env-file=/etc/fleet/fleet.env \
fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b \
/usr/bin/fleet prepare db --no-prompt --logging_debug
ExecStart=/usr/bin/docker run --rm \
--name %n \
--net=host \
--env-file=/etc/fleet/fleet.env \
fleetdm/fleet@sha256:332744f3503dc15fdb65c7b672a09349b2c30fb59a08f9ab4b1bbab94e3ddb5b \
/usr/bin/fleet serve
[Install]
WantedBy=default.target
```
Save this unit under `/etc/systemd/system/` like the others (its file name becomes the container name through `%n`), then `daemon-reload` and `enable` it the same way.
---
## (Optional) Caddy for automatic HTTPS
To reach your Fleet instance from elsewhere, we'll set up a TLS-terminating reverse proxy like [Caddy](https://caddyserver.com/docs) to do the heavy lifting for us.
Luckily, Caddy supports automatic HTTPS certificate retrieval via [Let's Encrypt](https://letsencrypt.org/), which makes things easier.
First, let's write our domain as a configuration that systemd can use at `/etc/fleet/caddy.env`:
```
mkdir -p /etc/fleet/caddy;
touch /etc/fleet/caddy.env;
chmod 600 /etc/fleet/caddy.env;
echo "FLEET_DOMAIN=fleet.domain.tld" >> /etc/fleet/caddy.env; # Replace this with your domain!
```
Assuming you already own a domain like `fleet.domain.tld` and have pointed it at this server, we can make Fleet reachable externally with Caddy by first writing a `Caddyfile`:
```
{$FLEET_DOMAIN}
reverse_proxy 127.0.0.1:8080
```
After saving that simple `Caddyfile` at `/etc/fleet/caddy/Caddyfile`, we can do our usual `docker pull`:
```
$ docker pull caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c
```
Here's a systemd service:
```
[Unit]
Description=Fleet Caddy instance
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=0
Restart=always
EnvironmentFile=/etc/fleet/caddy.env
ExecStartPre=-/usr/bin/docker stop %n
ExecStartPre=-/usr/bin/docker rm %n
ExecStartPre=-/usr/bin/docker pull caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c # caddy:2.5.1-alpine as of 2022-05-20
ExecStart=/usr/bin/docker run --rm \
--name %n \
--env-file=/etc/fleet/caddy.env \
-p 80:80 \
-p 443:443 \
-v /etc/fleet/caddy/Caddyfile:/etc/caddy/Caddyfile \
-v /etc/fleet/caddy/data:/data \
-v /etc/fleet/caddy/config:/config \
caddy@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c
[Install]
WantedBy=default.target
```
>NOTE: if you choose not to use Caddy, you'll have to generate your own certificates (self-signed or otherwise) and enable TLS in Fleet, or terminate TLS some other way. Do not expose the plain-HTTP Fleet port to the internet.
At this point you should be able to go to your domain (ex. `https://fleet.domain.tld`) and access Fleet 🎉!
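Whether or not you add Caddy, it is worth confirming that only the TLS terminator is reachable from outside. The following added check (written for this page, not code from the article or from Fleet) parses `ss -ltn` style output and reports any listener on 3306, 6379 or 8080 that is bound to something other than loopback; with the units above, only Caddy's 80 and 443 should appear on `0.0.0.0` or `[::]`. The sample lines are constructed; on the host itself run the script with `--live`.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: confirm that only the TLS terminator
# is reachable from outside. MySQL (3306), KeyDB (6379) and Fleet (8080) must
# be bound to loopback; Caddy alone should listen on 0.0.0.0:80 and :443.
set -eu

# Ports that must never be bound to a non-loopback address.
PRIVATE_PORTS="3306 6379 8080"

# check_listeners reads `ss -Hltn` lines on stdin (Local Address:Port is the
# 4th column) and prints every private-port listener whose address is not
# loopback. Returns 1 if at least one was found, 0 otherwise.
check_listeners() {
  bad=0
  while read -r line; do
    [ -z "$line" ] && continue
    addr=$(printf '%s\n' "$line" | awk '{print $4}')
    port=${addr##*:}
    host=${addr%:*}
    for p in $PRIVATE_PORTS; do
      [ "$port" = "$p" ] || continue
      case "$host" in
        127.*|'[::1]') ;;                      # loopback only: fine
        *) echo "EXPOSED: $addr"; bad=1 ;;     # 0.0.0.0, *, [::] or a real IP
      esac
    done
  done
  return "$bad"
}

# Constructed `ss -Hltn` output for the finished host (not captured from a real system).
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'
# Same host, but MySQL was published without the 127.0.0.1 prefix (-p 3306:3306).
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*'

# Usage on the Hetzner host:  ./check_exposure.sh --live
if [ "${1:-}" = "--live" ]; then
  ss -Hltn | check_listeners
fi
```

A single dropped `127.0.0.1:` prefix in a `-p` flag is enough to put MySQL on the public interface, and Docker's published ports bypass host firewall rules managed with plain `iptables` INPUT chains, so this check is cheaper than trusting the firewall.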
---
## How long does it take?
The User Data script takes around 100 seconds to run:
```
Cloud-init v. 22.1-14-g2e17a0d6-0ubuntu1~20.04.3 running 'modules:final' at Thu, 02 Jun 2022 07:22:35 +0000. Up 12.99 seconds.
Cloud-init v. 22.1-14-g2e17a0d6-0ubuntu1~20.04.3 finished at Thu, 02 Jun 2022 07:23:58 +0000. Datasource DataSourceHetzner. Up 94.87 seconds
```
---
## Set up Fleet and enroll hosts
Now that Fleet is running, visit your Fleet dashboard (i.e., `https://fleet.domain.tld`) and enter your name, email and password. You should now see the empty hosts page. To start enrolling hosts into Fleet, check out [Adding hosts](https://fleetdm.com/docs/using-fleet/adding-hosts).
---
## What's next?
Now that you're ready to use Fleet and have a host enrolled, here are some next steps:
- Take some time to get acclimatized to Fleet. [Learn how to use Fleet](https://fleetdm.com/docs/using-fleet/learn-how-to-use-fleet) and [Fleet UI](https://fleetdm.com/docs/using-fleet/fleet-ui) are both great places to start.
- Import Fleet's [standard query library](https://fleetdm.com/docs/using-fleet/standard-query-library) to start asking questions about your hosts.
- To run a more secure setup, consider creating a dedicated `fleet` user with Docker's support for user [namespaces](https://docs.docker.com/engine/security/userns-remap/).
<meta name="category" value="deploy">
<meta name="authorGitHubUsername" value="ksatter">
<meta name="authorFullName" value="Kathy Satterlee">
<meta name="publishedOn" value="2022-06-27">
<meta name="articleTitle" value="Deploy Fleet on Hetzner Cloud with cloud-init and Docker">
<meta name="articleImageUrl" value="../website/assets/images/articles/deploying-fleet-on-hetzner-1600x900@2x.jpg">

# Deploy Fleet on AWS with Terraform
There are many ways to deploy Fleet. Last time, we looked at deploying [Fleet on Render](https://fleetdm.com/deploy/deploying-fleet-on-render). This time, we're going to deploy Fleet on AWS with Terraform IaC (infrastructure as code).
Deploying on AWS with Fleets reference architecture is an easy way to get a fully functional Fleet instance that can scale to your needs.
> Updated May 2023 to reflect Fleet's current Terraform Module setup.
## Prerequisites:
- AWS CLI installed and configured.
- Terraform installed (version `1.3.9` or greater)
- AWS Account and IAM user capable of creating resources
- About 30 minutes
## Introduction
### Remote State
Terraform state can be kept locally (simple) or remotely with S3, state locking and so on (more involved). To keep this guide straightforward we are
going to leave remote state out of the equation. For more information on how to manage Terraform remote state see https://developer.hashicorp.com/terraform/language/state/remote
### Modules
[Fleet terraform](https://github.com/fleetdm/fleet/tree/main/terraform) is made up of multiple modules. These modules can be used independently, or as a group to stand up an opinionated
set of infrastructure that we have found success with.
Each module defines the required resource and consumes the next nested module. The root module creates the VPC and then pulls in the `byo-vpc` module
configuring it as necessary. The `byo-vpc` module creates the database and cache instances that get passed into the `byo-db` module. And finally the `byo-db` module
creates the ECS cluster and load balancer to be consumed by the `byo-ecs` module.
The modules are made to be flexible, allowing you to bring your own infrastructure. For example, if you already have an existing VPC
you'd like to deploy Fleet into, you could opt to use the `byo-vpc` module, supplying the necessary configuration like the VPC ID and subnets (the database, cache, and application need to communicate).
#### Examples
##### Bring your own nothing
```hcl
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
}
```
This configuration utilizes all the modules Fleet defines with the default configurations. In essence this would provision:
1. VPC
2. DB & Cache
3. ECS for compute
##### Bring your own VPC
```hcl
module "fleet_vpcless" {
  source = "github.com/fleetdm/fleet//terraform/byo-vpc?ref=main"
  alb_config = {
    subnets         = ["public-subnet-789"]
    certificate_arn = "acm_cert_arn"
  }
  vpc_config = {
    vpc_id = "vpc123"
    networking = {
      subnets = ["private-subnet-123", "private-subnet-456"]
    }
  }
}
```
This configuration allows you to bring your own VPC, public & private subnets, and ACM certificate. All of these are required
to configure the remainder of the infrastructure, like the Database and ECS.
##### Bring only Fleet
```hcl
module "fleet_ecs" {
  source      = "github.com/fleetdm/fleet//terraform/byo-vpc/byo-db/byo-ecs?ref=main"
  ecs_cluster = "my_ecs_cluster"
  vpc_id      = "vpc123"
  fleet_config = {
    image = "fleetdm/fleet:latest"
    database = {
      address             = "rds_cluster_endpoint"
      rr_address          = "rds_cluster_readonly_endpoint"
      database            = "fleet"
      user                = "fleet"
      password_secret_arn = "secrets-manager-arn" # ARN to the database password
    }
    redis = {
      address = "redis_cluster_endpoint"
    }
    networking = {
      subnets = ["private_subnet-123"]
    }
    loadbalancer = {
      arn = "alb_arn"
    }
  }
}
```
This configuration assumes you have brought all the required dependencies of Fleet, the VPC, MySQL, Redis, and ALB/networking.
## Infrastructure
https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws
![Architecture Diagram](../website/assets/images/articles/fleet-aws-reference-arch-diagram.png)
The infrastructure used in this deployment is available in all regions. The following resources will be created:
- VPC
- Subnets
- Public
- Private
- ACLs
- Security Groups
- Application Load Balancer
- ECS as the container orchestrator
- Fargate for underlying compute
- Task roles via IAM
- RDS Aurora (MySQL 8.X)
- Elasticache (Redis 6.X)
### Encryption
By default, both RDS & Elasticache are encrypted at rest and encrypted in transit. The S3 buckets are also server-side encrypted using AWS managed KMS keys.
### Networking
For more details on the networking configuration take a look at https://github.com/terraform-aws-modules/terraform-aws-vpc. In the configuration Fleet provides
we are creating public and private subnets in addition to separate data layer for RDS and Elasticache. The configuration also defaults
to using a single NAT Gateway.
### Backups
RDS daily snapshots are enabled by default and retention is set to 30 days. A snapshot identifier can be supplied via terraform variable (`rds_initial_snapshot`)
in order to create the database from a previous snapshot.
## Deployment
We're going to deploy Fleet using the module system with a few configurations. First start off by creating `fleet.tf` or naming it whatever you like.
```hcl
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
fleet_config = {
image = "fleetdm/fleet:v4.31.1" # override default to deploy the image you desire
}
}
```
Run `terraform get` to have Terraform pull down the module. After this completes you should get a validation error saying that a required property, `certificate_arn`, is not defined.
To fix this, let's define the ACM certificate and the Route53 resources it depends on:
```hcl
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "4.3.1"

  domain_name         = "fleet.<your_domain>.com"
  zone_id             = aws_route53_zone.main.id
  wait_for_validation = true
}

resource "aws_route53_zone" "main" {
  name = "fleet.<your_domain>.com"
}

resource "aws_route53_record" "main" {
  zone_id = aws_route53_zone.main.id
  name    = "fleet.<your_domain>.com"
  type    = "A"
  alias {
    name                   = module.fleet.byo-vpc.byo-db.alb.lb_dns_name
    zone_id                = module.fleet.byo-vpc.byo-db.alb.lb_zone_id
    evaluate_target_health = true
  }
}
```
Now we can edit the module declaration:
```hcl
module "fleet" {
source = "github.com/fleetdm/fleet//terraform?ref=main"
certificate_arn = module.acm.acm_certificate_arn
fleet_config = {
image = "fleetdm/fleet:v4.31.1" # override default to deploy the image you desire
}
}
```
We're also going to pull in the auto-migration addon that will ensure Fleet migrations run:
```hcl
module "migrations" {
  source                   = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=main"
  ecs_cluster              = module.fleet.byo-vpc.byo-db.byo-ecs.service.cluster
  task_definition          = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.family
  task_definition_revision = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.revision
  subnets                  = module.fleet.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].subnets
  security_groups          = module.fleet.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].security_groups
}
```
All together this looks like:
```hcl
module "fleet" {
  source          = "github.com/fleetdm/fleet//terraform?ref=main"
  certificate_arn = module.acm.acm_certificate_arn
  fleet_config = {
    image = "fleetdm/fleet:v4.31.1" # override default to deploy the image you desire
  }
}

module "migrations" {
  source                   = "github.com/fleetdm/fleet//terraform/addons/migrations?ref=main"
  ecs_cluster              = module.fleet.byo-vpc.byo-db.byo-ecs.service.cluster
  task_definition          = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.family
  task_definition_revision = module.fleet.byo-vpc.byo-db.byo-ecs.task_definition.revision
  subnets                  = module.fleet.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].subnets
  security_groups          = module.fleet.byo-vpc.byo-db.byo-ecs.service.network_configuration[0].security_groups
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "4.3.1"

  domain_name         = "fleet.<your_domain>.com"
  zone_id             = aws_route53_zone.main.id
  wait_for_validation = true
}

resource "aws_route53_zone" "main" {
  name = "fleet.<your_domain>.com"
}

resource "aws_route53_record" "main" {
  zone_id = aws_route53_zone.main.id
  name    = "fleet.<your_domain>.com"
  type    = "A"
  alias {
    name                   = module.fleet.byo-vpc.byo-db.alb.lb_dns_name
    zone_id                = module.fleet.byo-vpc.byo-db.alb.lb_zone_id
    evaluate_target_health = true
  }
}
```
Now we can start to provision the infrastructure. In order to do this we'll need to run `terraform apply` in stages to layer up the infrastructure.
First run:
```shell
terraform apply -target module.fleet.module.vpc
```
This will provision the VPC and the subnets required to deploy the rest of the Fleet dependencies (database and cache).
Next run:
```shell
terraform apply
```
You should see the planned output, and you will need to confirm the creation. Review this output, and type `yes` when you are ready. Note this will take up to 30 minutes to apply.
During this process, terraform will create a `hosted zone` with an `NS` record for your domain and request a certificate from [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/). While the process is running, you'll need to add the `NS` records to your domain as well.
Let's say we own `queryops.com` and want to host Fleet at `fleet.queryops.com`. ACM validates the certificate via DNS, so the `fleet.queryops.com` hosted zone that Terraform created must be authoritative before the certificate can be issued. To make this work, we create an `NS` record for `fleet.queryops.com` in the `queryops.com` zone and copy into it the `NS` values Terraform created for the `fleet.queryops.com` hosted zone.
![Route 53 QueryOps Hosted Zone](../website/assets/images/articles/deploying-fleet-on-aws-with-terraform-1-622x250@2x.png)
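The delegation step above and troubleshooting item 2 below come down to one question: do the NS records the parent zone serves for `fleet.<your_domain>.com` match the hosted zone Terraform created? The following added example, written for this page and not part of Fleet's Terraform modules, normalizes both lists (case, trailing dots, order) and compares them as sets. The nameserver names are constructed placeholders; on a real deployment feed it the zone's NS records from the Route53 console or `terraform output` together with the answer a public resolver returns.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or of Fleet's terraform modules:
# compare the NS set a hosted zone expects with the NS set the world can see.
set -eu
export LC_ALL=C

# normalize_ns: one name per line on stdin -> lowercase, no trailing dot,
# no blank lines, sorted and de-duplicated. DNS names are case-insensitive
# and `dig` prints them with a trailing dot, so a raw string compare fails.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_matches EXPECTED OBSERVED: both are newline-separated NS lists.
# Returns 0 when the sets are identical, 1 otherwise (and prints both).
delegation_matches() {
  expected=$(printf '%s\n' "$1" | normalize_ns)
  observed=$(printf '%s\n' "$2" | normalize_ns)
  if [ "$expected" = "$observed" ]; then
    return 0
  fi
  printf 'delegation mismatch\nexpected:\n%s\nobserved:\n%s\n' "$expected" "$observed"
  return 1
}

# Constructed placeholders, not real AWS nameservers.
EXPECTED_NS='ns-123.awsdns-15.com.
ns-456.awsdns-50.net.
ns-789.awsdns-36.org.
ns-1011.awsdns-24.co.uk.'
# What a resolver returns once the parent NS record is in place (same set,
# different order, mixed case, inconsistent trailing dots).
OBSERVED_OK='NS-456.awsdns-50.net
ns-789.awsdns-36.org.
ns-1011.awsdns-24.co.uk
ns-123.awsdns-15.com.'
# What a resolver returns while the registrar's default nameservers still answer.
OBSERVED_STALE='ns1.registrar-default.example.
ns2.registrar-default.example.'

# Live usage (needs dig and the real NS list, e.g. saved from the Route53 console):
#   delegation_matches "$(cat expected_ns.txt)" "$(dig +short NS fleet.example.com @1.1.1.1)"
```

Run the live form from a machine outside your VPC; until it returns 0, ACM's DNS validation will keep waiting and `terraform apply` will keep timing out.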
### Modifying the Fleet configuration
To modify Fleet, you can override any of the exposed keys in `fleet_config`. Here is an example:
```hcl
module "fleet" {
  source          = "github.com/fleetdm/fleet//terraform?ref=main"
  certificate_arn = module.acm.acm_certificate_arn
  fleet_config = {
    image = "fleetdm/fleet:v4.31.1"
    # Fleet runs on ECS Fargate by default, so cpu/mem must be one of the supported Fargate combinations:
    # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#:~:text=Amazon%20ECS.-,Task%20CPU%20and%20memory,-Amazon%20ECS%20task
    cpu = 500
    mem = 1024
    # You can also supply additional IAM policy ARNs for the Fleet task role to assume; this is useful
    # when you want to add custom logging destinations for osquery logs.
    extra_iam_policies = ["iam_arn"]
  }
}
```
## Conclusion
Setting up all the required infrastructure to run a dedicated web service in AWS can be a daunting task. Our goal is to provide a solid base to build from. As most AWS environments have their own specific needs and requirements, this base is intended to be modified and tailored to your specific needs.
## Troubleshooting
1. AWS CLI gives the error "cannot find ECS cluster" when trying to run the migration task
- double-check your AWS CLI default region and make sure it is the same region you deployed the ECS cluster in
- the `--cluster <arg>` might be incorrect, verify the name of your ECS cluster that was created
2. AWS ACM fails to validate and issue certificates
- verify that the NS records created in the new hosted zone are propagated to your nameserver authority
- this might require multiple terraform apply runs
3. ECS fails to deploy Fleet container image (docker pull request limit exceeded/429 errors)
- if the migration task has not run successfully before the Fleet backend attempts to start it will cause the container to repeatedly fail and this can exceed docker pull request rate limits
- scale down the fleet backend to zero tasks and let the pull request limit reset, this can take from 15 minutes to an hour
- attempt to run migrations and then scale the Fleet backend back up
4. If Fleet is running, but you are getting a poor experience or feel like something is wrong
- check application logs emitted to AWS Cloudwatch
- check performance metrics (CPU & Memory utilization) in AWS Cloudwatch
- RDS
- Elasticache
- ECS
### Scaling Limitations
It is possible to run into multiple AWS scaling limitations depending on the size of the Fleet deployment, frequency of queries, and amount of data returned.
The Fleet backend is designed to scale horizontally (this is also enabled by default using target-tracking autoscaling policies out-of-the-box).
However, it is still possible to run into AWS scaling limitations such as:
#### Firehose write throughput provision exceeded errors
This particular issue would only be encountered by the largest Fleet deployments and can occur because of a high volume of data and/or number of hosts. If you notice these errors in the application logs or in the AWS Firehose console, try the following:
1. Check the service limits https://docs.aws.amazon.com/firehose/latest/dev/limits.html
2. evaluate the amount of data returned using Fleet's live query feature
3. reduce the frequency of scheduled queries
4. reduce the amount of data returned for scheduled queries (Snapshot vs Differential queries https://osquery.readthedocs.io/en/stable/deployment/logging/)
More troubleshooting tips can be found here https://fleetdm.com/docs/deploying/faq
<meta name="category" value="deploy">
<meta name="authorGitHubUsername" value="edwardsb">
<meta name="authorFullName" value="Ben Edwards">
<meta name="publishedOn" value="2021-11-30">
<meta name="articleTitle" value="Deploy Fleet on AWS with Terraform">
<meta name="articleImageUrl" value="../website/assets/images/articles/deploying-fleet-on-aws-with-terraform-cover-1600x900@2x.jpg">

# Deploy Fleet on Render
[Render](https://render.com/) is a cloud hosting service that makes it dead simple to get things up and running fast, without the typical headache of larger enterprise hosting providers. Hosting Fleet on Render is a cost effective and scalable cloud environment with a lower barrier to entry, making it a great place to get some experience with [Fleet](https://fleetdm.com/) and [osquery](https://osquery.io/).
---
Below we'll look at how to deploy Fleet on Render using Render Web Service and Private Service components. To complete this you'll need an account on Render, and about 30 minutes.
Fleet only has two external dependencies:
- MySQL 5.7
- Redis 6
First let's get these dependencies up and running on Render.
---
## MySQL
Fleet uses MySQL as the datastore to organize host enrollment and other metadata around serving Fleet. Start by forking [https://github.com/edwardsb/render-mysql](https://github.com/edwardsb/render-mysql), then create a new private service within Render. When prompted for the repository, enter your fork's URL here.
![Private Service component in Render](../website/assets/images/articles/deploying-fleet-on-render-2-216x163@2x.png)
*Private Service component in Render*
This private service will run MySQL, our database, so let's give it a fitting name, something like "fleet-mysql".
We're also going to need to set up some environment variables and a disk to mount. Expand "Advanced" and enter the following (the password values are placeholders; generate your own strong values and never reuse them elsewhere):
### Environment Variables
- `MYSQL_DATABASE=fleet`
- `MYSQL_PASSWORD=supersecurepw`
- `MYSQL_ROOT_PASSWORD=supersecurerootpw`
- `MYSQL_USER=fleet`
### Disks
- Name: `mysql`
- Mount Path: `/var/lib/mysql`
- Size: `50GB`
---
## Redis
The next dependency we'll configure is Redis. Fleet uses Redis to ingest and queue the results of distributed queries, cache data, etc. Luckily for us the folks over at Render have a ready-to-deploy Redis template that makes deploying Redis as a private service a single mouse click. Check out [https://render.com/docs/deploy-redis](https://render.com/docs/deploy-redis).
After it's deployed, you should see a unique Redis host/port combination. We'll need that for Fleet, so make sure to copy it for later.
---
## Fleet
Now that we have the dependencies up and running, on to Fleet!
Start by forking or using [https://github.com/edwardsb/fleet-on-render](https://github.com/edwardsb/fleet-on-render) directly. This Dockerfile is based on Fleet, but overrides the default command to include the migration step, which prepares the database by running all required migrations. Normally it's best to do this as a separate task or job that runs before a new deployment, but for simplicity we can have it run every time the task starts.
Back in Render, create a new web service and give it a unique name. Since this will be resolvable on the internet, it actually has to be unique on Render's platform.
![Web Service component in Render](../website/assets/images/articles/deploying-fleet-on-render-2-216x163@2x.png)
*Web Service component in Render*
Next we will supply the environment variables Fleet needs to connect to the database and redis. We are also going to disable TLS on the Fleet server, since Render is going to handle SSL termination for us.
Give it the following environment variables:
- `FLEET_MYSQL_ADDRESS=fleet-mysql:3306`(your unique service address)
- `FLEET_MYSQL_DATABASE=fleet`
- `FLEET_MYSQL_PASSWORD=supersecurepw`
- `FLEET_MYSQL_USERNAME=fleet`
- `FLEET_REDIS_ADDRESS=fleet-redis:10000` (your unique Redis host:port from earlier)
- `FLEET_SERVER_TLS=false` (Render takes care of SSL termination)
Additionally we'll configure the following so Render knows how to build our app and make sure it's healthy:
![Additional component details](../website/assets/images/articles/deploying-fleet-on-render-3-512x213@2x.png)
- Health Check Path: `/healthz`
- Docker Build Context Directory: `.`
- Dockerfile Path: `./Dockerfile`
Click Create and watch Render deploy Fleet! You should see something like this in the event logs:
```
Migrations completed.
ts=20210915T02:09:07.06528012Z transport=http address=0.0.0.0:8080 msg=listening
```
Fleet is up and running, head to your public URL.
![Fleet deployed on Render](../website/assets/images/articles/deploying-fleet-on-render-4-216x163@2x.png)
*Fleet deployed on Render*
---
## Setup Fleet and enroll hosts
You should be prompted with a setup page, where you can enter your name, email, and password. Run through those steps and you should have an empty hosts page waiting for you.
You'll find the enroll secret after clicking "Add New Hosts". This is a special secret a host needs in order to register with your Fleet instance, so treat it like a credential (note that passing it on the command line below leaves it in your shell history). Once you have the enroll secret you can use `fleetctl` to create Orbit installers, which makes installing and updating osquery super simple. [Download fleetctl](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.3.0) and try the following command (Docker required) in your terminal:
```
fleetctl package --type=msi --enroll-secret <secret> --fleet-url https://<your-unique-service-name>.onrender.com
```
This command creates an `msi` installer pointed at your Fleet instance.
Now we need some awesome queries to run against the hosts we enroll, check out the collection [here](https://github.com/fleetdm/fleet/tree/main/docs/01-Using-Fleet/standard-query-library).
To get them into Fleet we can use `fleetctl` again. Run the following on your terminal:
```
curl https://raw.githubusercontent.com/fleetdm/fleet/main/docs/01-Using-Fleet/standard-query-library/standard-query-library.yml -o standard-query-library.yaml
```
Now that we've downloaded the standard query library, we'll apply it using `fleetctl`. First we'll configure `fleetctl` to use the instance we just built.
Try running:
```
fleetctl config set --address https://<your-unique-service-name>.onrender.com
```
Next, login with your credentials from when you set up the Fleet instance by running `fleetctl login`:
```
fleetctl login
Log in using the standard Fleet credentials.
Email: <enter user you just setup>
Password:
Fleet login successful and context configured!
```
Applying the query library is simple. Just run:
```
fleetctl apply -f standard-query-library.yaml
```
`fleetctl` makes configuring Fleet really easy, directly from your terminal. You can even create API credentials so you can script `fleetctl` commands, and really unlock the power of Fleet.
That's it! We have successfully deployed and configured a Fleet instance. Render makes this process super easy, and you can even enable auto-scaling and let the app grow with your needs.
<meta name="category" value="deploy">
<meta name="authorGitHubUsername" value="edwardsb">
<meta name="authorFullName" value="Ben Edwards">
<meta name="publishedOn" value="2021-11-21">
<meta name="articleTitle" value="Deploy Fleet on Render">
<meta name="articleImageUrl" value="../website/assets/images/articles/deploying-fleet-on-render-cover-1600x900@2x.jpg">

# Embracing the future: Declarative Device Management
![Embracing the future: Declarative Device Management](../website/assets/images/articles/embracing-the-future-declarative-device-management@2x.png)
As a Mac administrator, managing a fleet of Apple devices across your organization requires consistency and airtight security. With a variety of system services and background tasks to oversee, the challenge is not only to maintain uniform configurations but also to keep the organization's data secure. Recognizing these challenges, Apple has advanced a powerful new approach - Declarative Device Management (DDM).
DDM is a paradigm shift in device management, enabling a more efficient and secure administration of macOS devices. It allows for tamper-resistant configurations and ensures simplified monitoring of system services and background tasks.
In this blog post, we dive into Apple's forthcoming DDM in macOS Sonoma. Specifically, we'll explore how it will alter the way you manage system services, certificates and identities, and how it transitions you from traditional Mobile Device Management (MDM) systems. Whether you're an experienced Mac admin or just getting started, hopefully, this guide will provide some insights into DDM for you and your organization. Let's dive in!
## Declarative device management for system services
DDM paves the way for a secure and reliable mechanism to manage system services. Using tamper-resistant system configuration files for different system services ensures uniform and secure configurations across all devices. Declarative Device Management provides an added layer of protection against accidental changes by users.
For instance, system services like sshd, sudo, PAM, CUPS, Apache httpd, bash and zsh will be able to adopt managed service configuration files to ensure consistency and compliance. The configuration files reference a data asset that provides a ZIP archive of SSH keys that is downloaded and expanded into a tamper-resistant, service-specific location when required conditions are met (for example, FileVault is enabled), and these managed files always take priority over any default or overridden system configuration.
## Monitoring and compliance rules for background tasks
DDM provides an excellent way of keeping track of background tasks. A new status item in this coming release reports the list of installed background tasks, making it easier to verify that required tasks are running and unwanted tasks aren't.
In addition, the FileVault enabled state of the macOS boot volume is reported, allowing you to install sensitive configurations only when it is safe to proceed. With these features, you can ensure compliance and consistency across all macOS devices in your organization.
## Secure access with certificates and identities
Certificates and identities play a crucial role in ensuring secure access to organizational resources. In this context, DDM provides a more efficient mechanism for managing certificates and identities using its declaration data model.
Certificates and identities are defined as asset declarations, which various configurations can reference. This eliminates the need for duplicating certificates and identities across multiple profiles, thereby reducing management overhead.
## A new paradigm: software updates
Apple's DDM introduces a redefined software update process, which marks another significant step forward in device management.
Traditionally, administrators have faced considerable challenges in managing software updates. However, with DDM, this process has been dramatically simplified. The Declarative model handles scheduling and applying updates, allowing administrators to specify the desired state for instance, maintaining the latest software version and leave the rest to DDM.
To improve upon this functionality, Fleet, with its osquery integration, allows admins to monitor the status of these updates in real time. It provides critical insights about the update process, such as software versions, pending updates, and the update history. These features make the software update process significantly more manageable and transparent.
DDM represents an important advancement in how we manage and understand software updates. It not only will streamline administrative tasks but also elevates the overall security, performance, and integrity of the devices Mac admins manage.
## Seamless transition from MDM to DDM
Transitioning from traditional MDM to DDM will be a challenge. However, DDM provides a smooth transition without causing disruption or leaving a management gap. This is achieved by allowing DDM to take over the management of already installed MDM profiles without the need to remove them.
## Fleet + osquery + DDM = 💗
The innovations introduced with DDM, including the new software update process, represent a paradigm shift in device management. Fleet's MDM solution, powered by osquery, complements these changes and offers a GitOps-driven management platform for Mac admins.
As we continue to navigate this evolving landscape, we have tools that equip us better than ever to handle the challenges and complexities of modern device management. This new era presents opportunities for enhanced security, control, and efficiency in managing our devices.
Fleet is transforming how we manage and secure devices. Offering an open-core, cross-platform solution, Fleet is committed to empowering Mac admins with the tools they need to meet the challenges of today's and tomorrow's device management. Through its powerful and versatile platform, Fleet is illuminating the path forward in device management.
<meta name="category" value="announcements">
<meta name="authorGitHubUsername" value="spokanemac">
<meta name="authorFullName" value="JD Strong">
<meta name="publishedOn" value="2023-07-06">
<meta name="articleTitle" value="Embracing the future: Declarative Device Management">
<meta name="articleImageUrl" value="../website/assets/images/articles/embracing-the-future-declarative-device-management@2x.png">
<meta name="description" value="Explore the transformative impact of Declarative Device Management (DDM), Fleet, and osquery for MacAdmins.">
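Review bot: L5919 is internally inconsistent: the paragraph lists sshd, sudo, PAM, CUPS, httpd and the shells as consumers of managed configuration files, then says the referenced data asset "provides a ZIP archive of SSH keys". Unless the example is meant to be sshd-only, describe the asset as the service's configuration files, and say which services get it. Two smaller points: L5932 opens with "Transitioning from traditional MDM to DDM will be a challenge" and immediately follows with "DDM provides a smooth transition", which reads as a contradiction; keep one claim. L5928 needs punctuation around the parenthetical, e.g. "specify the desired state (for instance, maintaining the latest software version) and leave the rest to DDM".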


@ -110,7 +110,7 @@ Theres no one-size-fits-all approach for successful end user self-remediation
The benefits of self-remediation go beyond security. By making computer problems more approachable, youll empower employees to be more confident end users. So, they might be more inclined to troubleshoot issues before making a request.
See how easy implementing end user self-remediation can be. [Sign up for Sandbox](https://fleetdm.com/try-fleet/register) to try Fleet on your device for free.
See how easy implementing end user self-remediation can be. [Try `fleetctl preview`](https://fleetdm.com/try-fleet/register) to test Fleet on your device for free.
<meta name="category" value="security">
<meta name="authorFullName" value="Chris McGillicuddy">
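Review bot: L5950 changes the link text from "Sign up for Sandbox" to "Try `fleetctl preview`" but keeps the Sandbox sign-up URL `https://fleetdm.com/try-fleet/register` from L5949, so the text and the destination no longer match. If Sandbox is being retired, point the link at the `fleetctl preview` documentation instead; otherwise leave the original wording.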


@ -0,0 +1,33 @@
# ExpedITioners Podcast
## Bradley Chambers: The bright future and golden era of MacOS
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/bradley-chambers-the-bright-future-and-golden-era-of-macos/id1641183838?i=1000621184125"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/bradley-chambers-the-bright-future-and-golden-era-of-macos/id1641183838?i=1000621184125), [Spotify](https://open.spotify.com/episode/02Sah2dTmPEeGqxFcunIUm?si=4vj2BRaIRbiQJ1-ra-lKng), or [PodBean](https://www.podbean.com/ew/pb-derbt-1457407).
### Show notes: 
In todays episode of the ExpedITioners Podcast, we are joined by Bradley Chambers, who covers enterprise technology for 9 to 5 Mac and the Apple @ work podcast. They also have a day job at Cribl running content marketing, helping companies understand how to best manage observability data.
### Topics discussed:
- How Bradley got into the world of MacOS
- Quality of life improvements for Apple Admins
- How Apple puts people first, even in enterprise deployments
- The factors leading industry experts from K-12 to large enterprises
- Recommendations for those looking to make sense of all the data coming from Macs
- The importance of proving security through compliance
- The future of enterprise Apple management
### Where to get in touch:
- [Find Bradley on LinkedIn](https://www.linkedin.com/in/chambersbradley/)
- [Listen to Apple @ Work Podcast](https://9to5mac.com/guides/apple-work-podcast/)
- [Find 9 to 5 Mac](https://9to5mac.com/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-07-20">
<meta name="articleTitle" value="ExpedITioners podcast with Bradley Chambers">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep1-1600x900@2x.png">
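Review bot: the embed at L5959 grants `allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write"`, and the `*` delegates each of those features to every origin loaded inside the frame, not just `embed.podcasts.apple.com`. Drop the `*` (`allow="autoplay; encrypted-media; fullscreen; clipboard-write"`) so the grant defaults to the frame's `src` origin; the same snippet is reused verbatim on the other episode pages in this commit. Also, Apple's brand is "macOS", not "MacOS" (L5958, L5964), and L5962 "They also have a day job at Cribl" leaves the pronoun ambiguous after "Bradley Chambers".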


@ -0,0 +1,38 @@
# ExpedITioners Podcast
## Charles Edge: The past, present, and future of all things computing and device management.
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/charles-edge-the-past-present-and-future-of/id1641183838?i=1000632334146"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/charles-edge-the-past-present-and-future-of/id1641183838?i=1000632334146), [Spotify](https://open.spotify.com/episode/1hrR28oZBl2qg11ewrlZQC?si=S2nnbfdBSFyRsTAivA7fjg), or [PodBean](https://expeditioners.podbean.com/e/charles-edge-the-past-present-and-future-of-all-things-computing-and-device-management/).
### Show notes: 
On this episode, we have Charles Edge, also known as the "Old School Mac Guy," who not only hosts the MacAdmins Podcast but also serves as the Chief Technology Officer at Boostrappers.mn. He is dedicated to pioneering innovative approaches in the realms of Apple technology, security, and IT management software. Join us as Charles shares insights into the future of MDM and device management
### Topics discussed:
- Charles start in the MacAdmin world.
- Wingdings.
- Building an MDM.
- Enjoying the business, financial, and technical sides of IT management.
- Secret Chest and DND spells
- Writing a 2,000-page textbook on the history of computing.
- What the biggest changes for IT and MacAdmins will be.
- The future of MDM.
### Resources mentioned:
- [Secret Chest](https://www.secret-chest.com/)
- [Mac Admins Podcast](https://podcast.macadmins.org/)
### Where to get in touch:
- [LinkedIn](https://www.linkedin.com/in/charlesedge/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-10-23">
<meta name="articleTitle" value="ExpedITioners podcast with Charles Edge">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep5-1600x900@2x.jpg">
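Review bot: L5990 spells the company "Boostrappers.mn", which looks like a typo for "Bootstrappers" (missing "t"); confirm against the company's own site before publishing. The same sentence is missing its final period, L5992 needs the possessive ("Charles' start"), and L5996 is the only topic bullet without a trailing period.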


@ -0,0 +1,42 @@
# ExpedITioners Podcast
## Huxley Barbee: The modern divergence of environments and security methodologies
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/huxley-barbee-the-modern-divergence-of/id1641183838?i=1000643562582"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/huxley-barbee-the-modern-divergence-of/id1641183838?i=1000643562582), [Spotify](https://open.spotify.com/episode/39gnqKiVnG0iU62qSAAcmW?si=1LsNsJEuQwuoo7W5OqBIsA), or [PodBean](https://expeditioners.podbean.com/e/huxley-barbee-the-modern-divergence-of-environments-and-security-methodologies/).
### Show notes: 
Today, were joined by Huxley Barbee, a security evangelist at RunZero and organizer of Bsides NYC. In this episode, Zach and Huxley discuss the modern divergence of environments and security methodologies.
### Topics discussed:
- Huxleys start within the security industry.
- Making the industry a better place for newcomers.
- Chasm solutions.
- Comprehensive security visibility.
- Methodologies of collecting data (on the network).
- How “network” terminology has evolved.
- “Deperimeterization”.
- Modern divergence of security environments and efforts of discovery.
- The top 3 important components that help round out a security program.
- Agent-based collection compared to network-based collection.
- The organization of Bsides NYC.
### Where to get in touch:
- [Linkedin](https://www.linkedin.com/in/jhbarbee/)
- [Twitter](https://twitter.com/huxley_barbee)
- [Mastadon](https://infosec.exchange/@huxley)
- [BsidesNYC](https://bsidesnyc.org/)
- [Runzero](https://www.runzero.com/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2024-01-30">
<meta name="articleTitle" value="ExpedITioners podcast with Huxley Barbee">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep8-1600x900@2x.jpg">
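Review bot: L6036 "Mastadon" should be "Mastodon", and L6020 "were joined" is missing its apostrophe ("we're"). Naming is inconsistent between the show notes and the links: "RunZero" (L6020) vs "Runzero" (L6038) and "Bsides NYC" (L6020) vs "BsidesNYC" (L6037); pick one spelling for each.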


@ -0,0 +1,34 @@
# ExpedITioners Podcast
## Jeff Chao: Configuration as code for efficiency and automation.
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/jeff-chao-configuration-as-code-for-efficiency-and/id1641183838?i=1000634957170"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/jeff-chao-configuration-as-code-for-efficiency-and/id1641183838?i=1000634957170), [Spotify](https://open.spotify.com/episode/1qpPdOxQBlT0BMVpmu242o?si=BmE_XbJQQ5ep9N8aBAUAFw), or [PodBean](https://www.podbean.com/ew/pb-qpwzz-14fccce).
### Show notes: 
As the Co-Founder and Chief Technology Officer at Abbey Labs, Jeff Chao advocates for the implementation of configuration as code, emphasizing its pivotal role in streamlining processes and enhancing efficiency. Actively contributing to fostering trust and prioritizing outcomes over tasks, Jeff recognizes the importance of achieving tangible results through automation. 
### Topics discussed:
- Jeff's introduction to tech?
- Enabling people to build things instead of just protecting them.
- Attending DEFCON as a teenager.
- Configuration as code for efficiency and automation.
- The creation of Abbey Labs.
- Easing into the adoption of configuration as code.
### Resources mentioned:
- [Abbey Labs](https://www.abbey.io/)
### Where to get in touch:
- [LinkedIn](https://www.linkedin.com/in/thejeffchao/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-11-15">
<meta name="articleTitle" value="ExpedITioners podcast with Jeff Chao">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep6-1600x900@2x.jpg">
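Review bot: L6056 "Jeff's introduction to tech?" ends with a stray question mark while the other topic bullets are statements ending in periods. L6053 and L6054 also carry trailing non-breaking spaces; strip them so the rendered heading and paragraph do not pick up odd whitespace.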


@ -0,0 +1,33 @@
# ExpedITioners Podcast
## John Reynolds: Rehumanizing interactions between IT and end users
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/john-reynolds-rehumanizing-interactions-between-it/id1641183838?i=1000628749885"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/john-reynolds-rehumanizing-interactions-between-it/id1641183838?i=1000628749885), [Spotify](https://open.spotify.com/episode/7AHJinyvizmoHdfVTINu9y?si=sYhKqJXzQhetv8KyNMTxdA), or [PodBean](https://expeditioners.podbean.com/e/john-reynolds-rehumanizing-interactions-between-it-and-end-users/).
### Show notes: 
John Reynolds navigates a unique approach to modern IT as the Head of IT at Pleo. Culture and interactions with humans come first in order to truly enable users to do their work. Join us on this episode as John talks about how their team works to put people first.
### Topics discussed:
- How John Reynolds got into their professional career
- Creating an IT team from scratch for growth
- Emotional healing with IT teams
- Allowing IT to enable users to get their work done
- “Invisible when we can be, and unmissable when we should be”
- Reducing escalation friction
- Letting people talk to IT like they talk to everyone else
- Standardizing processes for IT logistics in hybrid workforces
- The future of IT
### Where to get in touch:
- [LinkedIn](https://www.linkedin.com/in/john-reynolds-74511660/ )
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-09-21">
<meta name="articleTitle" value="ExpedITioners podcast with John Reynolds">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep4-1600x900@2x.jpg">
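Review bot: L6093 has a space inside the link destination before the closing parenthesis (`.../john-reynolds-74511660/ )`); most renderers tolerate it, but remove it so the URL is unambiguous. L6083 "How John Reynolds got into their professional career" also reads awkwardly; "his" or simply "a professional career" is cleaner.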


@ -0,0 +1,41 @@
# ExpedITioners Podcast
## Niels Hofmans: Threat modeling, open-source collaboration, and bug bounties.
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/niels-hofmans-threat-modeling-open-source-collaboration/id1641183838?i=1000624915742"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/niels-hofmans-threat-modeling-open-source-collaboration/id1641183838?i=1000624915742), [Spotify](https://open.spotify.com/episode/4pZj6mfLvTVJavIVkLULF1?si=wHxOTZVnS3-gsFcoIs4WUw), or [PodBean](https://expeditioners.podbean.com/e/niels-hofmans-threat-modeling-open-source-collaboration-and-bug-bounties/).
### Show notes: 
Niels is the Head of Security at Intigriti, Europe's largest bug bounty platform, which connects 90,000+ security researchers to their customers' assets.
He manages cloud security, SoC, threat intelligence, application security, compliance, detection & response, infrastructure, incident response & more.
When not with his head in the trenches, he spends time writing experimental security tooling or executing various projects for customers.
### Topics discussed:
- How Niels got their start in Cybersecurity.
- Developing proof of concepts for malware and workarounds.
- Making the transition from “amateur hacker” to “professional hacker”.
- What the bug bounty scene is all about.
- Convincing customers and larger names to trust a company like Integriti with confidential information.
- What a procurement process for a bug bounty company looks like.
- Tips for building out security programs and how to prioritize work.
- Returning to the fundamentals of a security threat model.
- Creating win-win situations between community and customers with open-source collaboration.
- The value of open-source.
- Where the security industry should be looking over the next five years.
### Where to get in touch:
- [Find Niels on LinkedIn](https://www.linkedin.com/in/nielshofmans/)
- [Find Niels on GitHub](https://github.com/hazcod/)
- [Intigriti](https://www.intigriti.com/ )
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-08-22">
<meta name="articleTitle" value="ExpedITioners podcast with Niels Hofmans">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep2-1600x900@2x.jpg">
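Review bot: L6110 "SoC" reads as "system on chip"; a security operations center is "SOC". L6117 spells the company "Integriti" while L6109 and L6127 use "Intigriti"; correct the typo. L6127 also has a trailing space inside the link destination (`https://www.intigriti.com/ )`).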


@ -0,0 +1,41 @@
# ExpedITioners Podcast
## Marcus Ransom: The positive future of collaboration between vendors and Apple for enterprise
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/marcus-ransom-the-positive-future-of/id1641183838?i=1000638225150"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/marcus-ransom-the-positive-future-of/id1641183838?i=1000638225150), [Spotify](https://open.spotify.com/episode/1DcqQhWvrrBTgGVJINvm0T?si=c0tw9fzCTxywp-6WpbZHJA), or [PodBean](https://expeditioners.podbean.com/e/marcus-ransom-the-positive-future-of-collaboration-between-vendors-and-apple-for-enterprise/).
### Show notes: 
We're joined by Marcus Ransom Sales Engineer at Jamf and one of the hosts of the Mac Admins podcast. In this episode, Zach and Marcus talk about the exciting future of Apple for enterprise and the MacAdmin community that supports it.
### Topics discussed:
- Marcus introduction to the Mac admin/IT world.
- Opportunities with the future of Apple products
- Changes throughout the history of the MacAdmin community.
- Integrating MacOS devices across every ecosystem.
- Frequent challenges and opportunities seen across the industry.
- Enabling developers to build the tools your company needs for its customers.
- Thoughts on the future of Mac IT.
- Apple instituting actionable and useful feedback from vendors.
- The importance of sharing information across the industry and community.
### Resources mentioned:
- [Xworld Australia ](https://auc.edu.au/xworld/about/)
- [MacAdmins Slack](https://www.macadmins.org/)
- [MacAdmins podcast](https://podcast.macadmins.org/)
- [MacAdmins Foundation](https://www.macadmins.org/about-the-mac-admins-foundation)
### Where to get in touch:
- [LinkedIn](https://www.linkedin.com/in/marcusransom/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-12-11">
<meta name="articleTitle" value="ExpedITioners podcast with Marcus Ransom">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep7-1600x900@2x.jpg">
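Review bot: L6143 needs a comma after the name ("Marcus Ransom, Sales Engineer at Jamf"), L6145 needs the possessive ("Marcus' introduction"), and L6148 "MacOS" should be "macOS". L6155 has a trailing space inside the link text (`[Xworld Australia ]`), which renders as a visible gap before the link ends.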


@ -0,0 +1,40 @@
# ExpedITioners Podcast
## Rich Trouton: Declarative Device Management and a promising future for Mac Admins
<iframe allow="autoplay *; encrypted-media *; fullscreen *; clipboard-write" frameborder="0" height="175" style="width:100%;max-width:660px;overflow:hidden;background:transparent;" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation-by-user-activation" src="https://embed.podcasts.apple.com/us/podcast/rich-trouton-declarative-device-management-and/id1641183838?i=1000626388077"></iframe>
Listen to the episode on [Apple](https://podcasts.apple.com/us/podcast/rich-trouton-declarative-device-management-and/id1641183838?i=1000626388077), [Spotify](https://open.spotify.com/episode/7AHJinyvizmoHdfVTINu9y?si=sYhKqJXzQhetv8KyNMTxdA), or [PodBean](https://www.podbean.com/ew/pb-w65bb-1494d01).
### Show notes: 
Were joined by Rich Trouton, an IT Technology Services Expert at SAP with over twenty years of experience. Outside of work, Rich also publishes the Der Flounder MacOS blog and is Treasurer for the Mac Admins Foundation.
### Topics discussed:
- How Rich got into Mac Administration and IT
- IT allowing for more enticing opportunities than traditional roles
- Biggest changes that have taken place for MacAdmins over the past twenty years
- Introduction of MDM and Declarative Device Management (DDM)
- What people want in MDM
- How much of a difference will DDM make for other MacAdmins
- Genesis of the Mac Admins Foundation and involvement
- The next five years of the Mac Admin world
### Resources mentioned:
- [MacAdmins Foundation](https://www.macadmins.org/about-the-mac-admins-foundation)
- [Declarative Device Management](https://fleetdm.com/announcements/embracing-the-future-declarative-device-management)
- [Richs talk on DDM](https://www.youtube.com/watch?v=ttKcFGOw7oo)
- [Der flounder blog](https://derflounder.wordpress.com/)
### Where to get in touch:
- [MacAdmins Slack](https://join.slack.com/t/macadmins/shared_invite/zt-20clw2xpd-fi_TB~i8n_H_i7CWxbCchw)
- [LinkedIn](https://www.linkedin.com/in/rtrouton/)
<meta name="category" value="podcasts">
<meta name="authorGitHubUsername" value="zwass">
<meta name="authorFullName" value="Zach Wasserman">
<meta name="publishedOn" value="2023-08-31">
<meta name="articleTitle" value="ExpedITioners podcast with Rich Trouton">
<meta name="articleImageUrl" value="../website/assets/images/articles/expeditioners-podcast-ep3-1600x900@2x.jpg">
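Review bot: the Spotify URL at L6174 (`open.spotify.com/episode/7AHJinyvizmoHdfVTINu9y?si=sYhKqJXzQhetv8KyNMTxdA`) is byte-for-byte the same as the one on the John Reynolds page at L6079, while the Apple and PodBean links are episode-specific, so this page almost certainly sends Spotify listeners to the wrong episode; replace it with the Rich Trouton episode ID. Also, L6192 links the Slack community via a `shared_invite` URL, which is time-limited and will eventually 404; the Marcus Ransom page (L6156) links `https://www.macadmins.org/` for the same purpose, and that is the more durable target. Minor: L6176 "Were joined" needs its apostrophe, and "MacOS" should be "macOS".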


@ -14,7 +14,7 @@ For the complete summary of changes and release binaries check out the [release
Fleet is utilized by organizations with up to hundreds of thousands of endpoints. As a result, were constantly looking for areas to improve performance. Changes introduced in Fleet 3.11.0 reduce the MySQL CPU usage by ~ 33%.
These performance improvements are the result of batching the updates of the last time a host has connected to the server. For more details on these changes, check out the [pull request](https://github.com/fleetdm/fleet/pull/633) from our CTO, [Zach Wasserman](https://medium.com/u/b0291119b263?source=post_page-----25d5a1efe19c--------------------------------).
These performance improvements are the result of batching the updates of the last time a host has connected to the server. For more details on these changes, check out the [pull request](https://github.com/fleetdm/fleet/pull/633) from our Cofounder, [Zach Wasserman](https://medium.com/u/b0291119b263?source=post_page-----25d5a1efe19c--------------------------------).
## Software inventory
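Review bot: the Medium profile link kept in L6206 still carries the `?source=post_page-----25d5a1efe19c--------------------------------` tracking query; since the surrounding line is being edited anyway, strip it to `https://medium.com/u/b0291119b263` so the article does not propagate a referral token. "Cofounder" is also usually written "co-founder"; match whatever the rest of the site uses.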


@ -9,7 +9,10 @@ For update instructions, see our [upgrade guide](https://fleetdm.com/docs/deploy
## Highlights
- Jira integration
- Improved live query experience
<!-- Note: For the sake of efficiency, in Nov 2023, Fleet decided for now to focus all API reference documentation efforts instead on the API docs located at https://fleetdm.com/docs/rest-api/rest-api.
- Postman Collection
-->
## Jira integration
**Available in Fleet Free & Fleet Premium**
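Review bot: the explanatory comment inserted at L6215 is repeated verbatim at L6222 in the next hunk; one copy is enough. More generally, commenting the "Postman Collection" bullet out of the Highlights list rather than deleting it leaves hidden content in a published article with no benefit, since git history already preserves the original; delete the bullet and keep a one-line comment at most.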
@ -34,12 +37,14 @@ Follow the steps below to configure Jira as a ticket destination:
We added a “Show query” option to the live query results view. You can now double-check the syntax you used and compare that to your results without leaving the current view.
<!-- Note: For the sake of efficiency, in Nov 2023, Fleet decided for now to focus all API reference documentation efforts instead on the API docs located at https://fleetdm.com/docs/rest-api/rest-api.
## Postman Collection
**Available in Fleet Free & Fleet Premium**
![Postman Collection](../website/assets/images/articles/fleet-4.14.0-3-1600x900@2x.png)
Fleet users can easily interact with Fleet's API routes using the new Postman Collection. Build and test integrations for running live queries, carving files, managing policies, and more!
-->
## More new features, improvements, and bug fixes
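Review bot: the block commented out in L6222 to L6227 still contains a live image reference (`../website/assets/images/articles/fleet-4.14.0-3-1600x900@2x.png`, L6225) and an "Available in Fleet Free & Fleet Premium" banner; if the asset is later removed nothing will flag the dangling reference because the markdown is hidden. Prefer deleting the section outright (history keeps it) over leaving commented-out markup in the article.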


@ -46,7 +46,7 @@ You'll see how many hosts, assigned to a team, have passed or failed global poli
* Added a '/api/v1/fleet/device/{token}/desktop' API route that returns only the number of failing policies for a specific host.
* Added support for [kubequery](https://github.com/Uptycs/kubequery).
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers).
* Added support for an `AC_TEAM_ID` environment variable when creating [signed installers for macOS hosts](https://fleetdm.com/docs/using-fleet/adding-hosts#signing-fleetd-installers).
* Made cards on the Home page clickable.
* Added es_process_file_events, password_policy, and windows_update_history to osquery tables.
* Added activity items to capture when, and by who, agent options are edited.
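Review bot: the anchor change in L6236 (`#signing-installers` to `#signing-fleetd-installers`) should be checked against the current heading ID on the adding-hosts page; an anchor that does not exist fails silently and just drops the reader at the top of the page. While editing this list, L6239 "by who" should read "by whom", and the route in L6233 should be in backticks rather than single quotes to match the other list items.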


@ -48,8 +48,6 @@ You already have a lot of raw data to sift through in your data lake, especially
Fleet 4.26.0 reduces the number of calls you have to make to pull software data with the REST API. Each time a host has software added, updated, or deleted, a `host_software_updated_at` timestamp gets updated for that host. The `host_software_updated_at` timestamp is exposed through the API. This lets you send the latest software data to your data lake, so you can avoid drowning in outdated information.
<call-to-action preset="mdm-beta"></call-to-action>
## Fleet MDM
**MDM features are not ready for production and are currently in development. These features are disabled by default.**
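Review bot: this hunk removes the bold "MDM features are not ready for production and are currently in development" warning (L6247) together with the `mdm-beta` call-to-action (L6245) but adds nothing in their place. The article is a dated release note, so readers landing on it still see 4.26.0-era MDM content; if MDM has since become production-ready, a one-line note saying so (and pointing to current docs) keeps the historical article accurate, whereas silently deleting the warning rewrites what 4.26.0 actually shipped.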
