mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
9191f4ce66
* WIP * Adding DEP functionality to Fleet * Better organize additional MDM code * Add cmdr.py and amend API paths * Fix lint * Add demo file * Fix demo.md * go mod tidy * Add munki setup to Fleet * Add diagram to demo.md * Add fixes * Update TODOs and demo.md * Fix cmdr.py and add TODO * Add endpoints to demo.md * Add more Munki PoC/demo stuff * WIP * Remove proposals from PoC * Replace prepare commands with fleetctl commands * Update demo.md with current state * Remove config field * Amend demo * Remove Munki setup from MVP-Dogfood * Update demo.md * Add apple mdm commands (#7769) * fleetctl enqueue mdm command * fix deps * Fix build Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com> * Add command to upload installers * go mod tidy * fix subcommands help There is a bug in urfave/cli where help text is not generated properly when subcommands are nested too deep. * Add support for installing apps * Add a way to list enrolled devices * Add dep listing * Rearrange endpoints * Move DEP routine to schedule * Define paths globally * Add a way to list enrollments and installers * Parse device-ids as comma-separated string * Remove unused types * Add simple commands and nest under enqueue-command * Fix simple commands * Add help to enqueue-command * merge apple_mdm database * Fix commands * update nanomdm * Split nanomdm and nanodep schemas * Set 512 MB in memory for upload * Remove empty file * Amend profile * Add sample commands * Add delete installers and fix bug in DEP profile assigning * Add dogfood.md deployment guide * Update schema.sql * Dump schema with MySQL 5 * Set default value for authenticate_at * add tokens to enrollment profiles When a device downloads an MDM enrollment profile, verify the token passed as a query parameter. This ensures untrusted devices don't enroll with our MDM server. - Rename enrollments to enrollment profiles. Enrollments is used by nano to refer to devices that are enrolled with MDM - Rename endpoint /api/<version>/fleet/mdm/apple/enrollments to ../enrollmentprofiles - Generate a token for authentication when creating an enrollment profile - Return unauthorized if token is invalid when downloading an enrollment profile from /api/mdm/apple/enroll?token= * remove mdm apple server url * update docs * make dump-test-schema * Update nanomdm with missing prefix table * Add docs and simplify changes * Add changes file * Add method docs * Fix compile and revert prepare.go changes * Revert migration status check change * Amend comments * Add more docs * Clarify storage of installers * Remove TODO * Remove unused * update dogfood.md * remove cmdr.py * Add authorization tests * Add TODO comment * use kitlog for nano logging * Add yaml tags * Remove unused flag * Remove changes file * Only run DEP routine if MDM is enabled * Add docs to all new exported types * Add docs * more nano logging changes * Fix unintentional removal * more nano logging changes * Fix compile test * Use string for configs and fix config test * Add docs and amend changes * revert changes to basicAuthHandler * remove exported BasicAuthHandler * rename rego authz type * Add more information to dep list * add db tag * update deps * Fix schema * Remove unimplemented Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <michal@fleetdm.com>
212 lines
5.7 KiB
YAML
212 lines
5.7 KiB
YAML
---
|
|
version: "2"
|
|
services:
|
|
# To test with MariaDB, set FLEET_MYSQL_IMAGE to mariadb:10.6 or the like (note MariaDB is not
|
|
# officially supported).
|
|
# To run in macOS M1, set FLEET_MYSQL_IMAGE=arm64v8/mysql:oracle FLEET_MYSQL_PLATFORM=linux/arm64/v8
|
|
mysql:
|
|
image: ${FLEET_MYSQL_IMAGE:-mysql:5.7}
|
|
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
|
|
volumes:
|
|
- mysql-persistent-volume:/tmp
|
|
command:
|
|
[
|
|
"mysqld",
|
|
"--datadir=/tmp/mysqldata",
|
|
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
|
|
"--enforce-gtid-consistency=ON",
|
|
"--log-bin=bin.log",
|
|
"--server-id=master-01",
|
|
# Required for storage of Apple MDM installers.
|
|
"--max_allowed_packet=536870912"
|
|
]
|
|
environment:
|
|
&mysql-default-environment
|
|
MYSQL_ROOT_PASSWORD: toor
|
|
MYSQL_DATABASE: fleet
|
|
MYSQL_USER: fleet
|
|
MYSQL_PASSWORD: insecure
|
|
ports:
|
|
- "3306:3306"
|
|
|
|
mysql_test:
|
|
image: ${FLEET_MYSQL_IMAGE:-mysql:5.7}
|
|
platform: ${FLEET_MYSQL_PLATFORM:-linux/x86_64}
|
|
# innodb-file-per-table=OFF gives ~20% speedup for test runs.
|
|
command:
|
|
[
|
|
"mysqld",
|
|
"--datadir=/tmpfs",
|
|
"--slow_query_log=1",
|
|
"--log_output=TABLE",
|
|
"--log-queries-not-using-indexes",
|
|
"--innodb-file-per-table=OFF",
|
|
# These 3 keys run MySQL with GTID consistency enforced to avoid issues with production deployments that use it.
|
|
"--enforce-gtid-consistency=ON",
|
|
"--log-bin=bin.log",
|
|
"--server-id=master-01",
|
|
# Required for storage of Apple MDM installers.
|
|
"--max_allowed_packet=536870912"
|
|
]
|
|
environment: *mysql-default-environment
|
|
ports:
|
|
- "3307:3306"
|
|
tmpfs:
|
|
- /var/lib/mysql:rw,noexec,nosuid
|
|
- /tmpfs
|
|
|
|
mailhog:
|
|
image: mailhog/mailhog:latest
|
|
ports:
|
|
- "8025:8025"
|
|
- "1025:1025"
|
|
|
|
redis:
|
|
image: redis:5
|
|
ports:
|
|
- "6379:6379"
|
|
|
|
redis-cluster-setup:
|
|
image: redis:5
|
|
command: redis-cli --cluster create 172.20.0.31:7001 172.20.0.32:7002 172.20.0.33:7003 172.20.0.34:7004 172.20.0.35:7005 172.20.0.36:7006 --cluster-yes --cluster-replicas 1
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.30
|
|
depends_on:
|
|
- redis-cluster-1
|
|
- redis-cluster-2
|
|
- redis-cluster-3
|
|
- redis-cluster-4
|
|
- redis-cluster-5
|
|
- redis-cluster-6
|
|
|
|
redis-cluster-1:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7001:7001"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-1.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.31
|
|
|
|
redis-cluster-2:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7002:7002"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-2.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.32
|
|
|
|
redis-cluster-3:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7003:7003"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-3.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.33
|
|
|
|
redis-cluster-4:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7004:7004"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-4.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.34
|
|
|
|
redis-cluster-5:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7005:7005"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-5.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.35
|
|
|
|
redis-cluster-6:
|
|
image: redis:5
|
|
command: redis-server /usr/local/etc/redis/redis.conf
|
|
ports:
|
|
- "7006:7006"
|
|
volumes:
|
|
- ./tools/redis-tests/redis-cluster-6.conf:/usr/local/etc/redis/redis.conf
|
|
networks:
|
|
cluster_network:
|
|
ipv4_address: 172.20.0.36
|
|
|
|
saml_idp:
|
|
image: fleetdm/docker-idp:latest
|
|
environment:
|
|
SIMPLESAMLPHP_SP_ENTITY_ID: "https://localhost:8080"
|
|
SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE: "https://localhost:8080/api/v1/fleet/sso/callback"
|
|
volumes:
|
|
- ./tools/saml/users.php:/var/www/simplesamlphp/config/authsources.php
|
|
ports:
|
|
- "9080:8080"
|
|
- "9443:8443"
|
|
|
|
# CAdvisor container allows monitoring other containers. Useful for
|
|
# development.
|
|
cadvisor:
|
|
image: google/cadvisor:latest
|
|
ports:
|
|
- "5678:8080"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- /sys:/sys:ro
|
|
- /var/lib/docker/:/var/lib/docker:ro
|
|
|
|
prometheus:
|
|
image: prom/prometheus:latest
|
|
ports:
|
|
- "9090:9090"
|
|
volumes:
|
|
- ./tools/app/prometheus.yml:/etc/prometheus/prometheus.yml
|
|
|
|
# localstack to simulate AWS integrations like firehose & kinesis
|
|
# use http://localhost:4566 as the `--endpoint-url` argument in awscli
|
|
localstack:
|
|
image: localstack/localstack
|
|
ports:
|
|
- "4566:4566"
|
|
- "4571:4571"
|
|
environment:
|
|
- SERVICES=firehose,kinesis
|
|
|
|
# s3 compatible object storage (file carving backend)
|
|
minio:
|
|
image: quay.io/minio/minio
|
|
command: server /data --console-address ":9001"
|
|
ports:
|
|
- "9000:9000"
|
|
- "9001:9001"
|
|
environment:
|
|
MINIO_ROOT_USER: minio
|
|
MINIO_ROOT_PASSWORD: minio123!
|
|
volumes:
|
|
- data-minio:/data
|
|
|
|
volumes:
|
|
mysql-persistent-volume:
|
|
data-minio:
|
|
|
|
|
|
networks:
|
|
cluster_network:
|
|
driver: bridge
|
|
ipam:
|
|
config:
|
|
- subnet: 172.20.0.0/24
|