fleet Add support for executing zsh scripts

Screenshot 2024-03-01 at 5 22 09 PM

Problem

Many customers would like to be able to run the installomator script for macOS application installation: https://github.com/Installomator/Installomator

The installomator script uses zsh-specific code. Fleet can not currently execute it natively without workarounds, (eg, below is an sh script delivering a zsh script in a here doc which is then set to be executable and called with zsh command.)

#!/bin/sh

scptpth='/private/tmp/zshtest.sh'

/bin/cat << "EOF" > "$scptpth"
#!/bin/zsh

autoload is-at-least

for ((i=0;i<=10;i++))
{
    if is-at-least 10.4.1 10.5.9
    then
        echo 'yay'
    else
        echo 'boo'
    fi
}
EOF

/bin/chmod 755 "$scptpth"
/usr/bin/xattr -c "$scptpth"
/usr/sbin/chown 0:0 "$scptpth"
/bin/zsh -i -c "$scptpth"

screenshot_2024-02-12_at_1 48 59___pm_720

Potential solutions

Add support for executing zsh scripts by:

Modifying Fleet to natively handle zsh script execution.
Using method similar to the above test script in Fleet, ie, deliver shell code that must be executed with command line interpreters other than sh in a "wrapper" or here doc for execution on device (this would have to be done in a way to ensure execution in the correct user context (ie, as "root" or on behalf of a user) without any potential for scary arbitrary code execution (ie, ensure scripts are delivered to ephemeral temp dirs, etc.)
Add support for all available runtimes as well like python, ruby, etc.

See:

Increase character limit for saved scripts https://github.com/fleetdm/fleet/issues/16668 Script execution: Run a script via CLI https://github.com/fleetdm/fleet/issues/9583 Script library for macOS https://github.com/fleetdm/fleet/issues/9537

for additional context. Thanks!

Mar 01 '24 23:03 nonpunctual

@nonpunctual thanks for tracking this! Bringing this to be weighed at feature fest.

Mar 04 '24 15:03 noahtalerman

Noah: Potential solution: Add support for IT admin specifying #!/bin/zsh and update validation to error if some other interpreter is specified (ex. python)

Mar 04 '24 18:03 noahtalerman

Hey @nonpunctual heads up, this story was prioritized during feature fest.

Aiming to ship an improvement in the next 6 weeks.

Mar 08 '24 15:03 noahtalerman

@nonpunctual heads up, I updated the issue description to user story format and moved your original issue description here:

Problem

Many customers would like to be able to run the installomator script for macOS application installation: https://github.com/Installomator/Installomator

The installomator script uses zsh-specific code. Fleet can not currently execute it natively without workarounds, (eg, below is an sh script delivering a zsh script in a here doc which is then set to be executable and called with zsh command.)

#!/bin/sh

scptpth='/private/tmp/zshtest.sh'

/bin/cat << "EOF" > "$scptpth"
#!/bin/zsh

autoload is-at-least

for ((i=0;i<=10;i++))
{
    if is-at-least 10.4.1 10.5.9
    then
        echo 'yay'
    else
        echo 'boo'
    fi
}
EOF

/bin/chmod 755 "$scptpth"
/usr/bin/xattr -c "$scptpth"
/usr/sbin/chown 0:0 "$scptpth"
/bin/zsh -i -c "$scptpth"

screenshot_2024-02-12_at_1 48 59___pm_720

Potential solutions

Add support for executing zsh scripts by:

Modifying Fleet to natively handle zsh script execution.
Using method similar to the above test script in Fleet, ie, deliver shell code that must be executed with command line interpreters other than sh in a "wrapper" or here doc for execution on device (this would have to be done in a way to ensure execution in the correct user context (ie, as "root" or on behalf of a user) without any potential for scary arbitrary code execution (ie, ensure scripts are delivered to ephemeral temp dirs, etc.)
Add support for all available runtimes as well like python, ruby, etc.

See:

Increase character limit for saved scripts https://github.com/fleetdm/fleet/issues/16668 Script execution: Run a script via CLI https://github.com/fleetdm/fleet/issues/9583 Script library for macOS https://github.com/fleetdm/fleet/issues/9537

for additional context. Thanks!

Mar 11 '24 22:03 noahtalerman

Hey @marko-lisica, the UI changes look good!

Do we also need to update/add an error message for when the user runs a custom script via CLI/API that includes a unsupported interpreter?

@nonpunctual please let us know if you have any feedback on the changes. UI changes are in Figma here: https://www.figma.com/file/nYJ5MlWy3E4gIbM9ee1shl/%2317321-Run-zsh-scripts?type=design&node-id=21%3A22&mode=design&t=1SuVYcvpYhTN3q7R-1

Mar 13 '24 22:03 noahtalerman

Looks good to me as long as the text in the middle of the screen will be changed to say something about zsh as an option?

Mar 13 '24 22:03 nonpunctual

Looks good to me as long as the text in the middle of the screen will be changed to say something about zsh as an option?

Thanks for the feedback @nonpunctual!

@marko-lisica maybe we could add a 3rd file icon for .zsh?

And, update the copy to the following (remove ".sh" and ".ps1"): Shell for macOS and Linux or PowerShell for Windows. I can already tell what's supported by the icons.

Mar 13 '24 22:03 noahtalerman

Can there be another little "flag" on the icon on the left that says .zsh instead of 3rd icon? For text maybe

Mar 13 '24 22:03 nonpunctual

@marko-lisica maybe we could add a 3rd file icon for .zsh?

And, update the copy to the following (remove ".sh" and ".ps1"): Shell for macOS and Linux or PowerShell for Windows. I can already tell what's supported by the icons.

@noahtalerman I remember we had this discussion before. I can't remember if the .zsh file type doesn't exist or is not used often, so I'm thinking what if we just update copy and mention that Bash scripts can run in “#!/bin/sh” and “#!/bin/zsh”. See the screenshot below.

cc @nonpunctual

Mar 14 '24 11:03 marko-lisica

If I run the script above in the description either .sh or .zsh works. Whatever you guys like the best is probably going to be fine. But, you are right to say that you can have a #!/bin/zsh command line interpreter with a .sh file extension & that will execute in a zsh shell.

% sudo zsh /Users/brock/Desktop/untitled.zsh 
yay
% sudo zsh /Users/brock/Desktop/untitled.sh  
yay

Mar 14 '24 13:03 nonpunctual

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @ghernandez345 @gillespi314 @mna @roperzh

Mar 20 '24 16:03 georgekarrv

Change to the agent, We should add the executable bit to the script (chmod +x) and then execute the script instead of passing it to /bin/sh.

Mar 20 '24 16:03 georgekarrv

Scripts in zsh glide, Fleet UI, an open tide, Ease for IT's stride.

May 01 '24 15:05 fleet-release

QA Approved!

UI Changes:

Copy has been updated according to Figma
Error message displays when criteria not met (as expected)
Activity page shows successful results

API:

Calls ran successfully with zshSample.sh (#!/bin/zsh)

Fleetctl:

Errors display correctly when trying to run unsupported interpreters or file types.
Successfully ran a zsh script using fleetctl run-script --script-path=/path/to/script --host=hostname

Documentation:

@noahtalerman @georgekarrv This page has not been updated but I noticed it’s marked as TO DO. If I move this ticket to Ready for Release how do we track this open task?

May 14 '24 07:05 PezHub

Heads up @nonpunctual, this was shipped in Fleet 4.50

TODOs from C&C:

documentation changes: @marko-lisica

May 30 '24 15:05 noahtalerman

Zsh scripts now run, In a glass cloud city bright, Ease for IT's night.

May 30 '24 15:05 fleet-release

@noahtalerman @marko-lisica Please see @spokanemac 's internal help-engineering thread regarding documentation issues. cc-ing you both in the thread now. Thanks.

May 30 '24 15:05 nonpunctual

Docs PR: https://github.com/fleetdm/fleet/pull/19419

May 31 '24 16:05 marko-lisica

fleet fleet copied to clipboard

Add support for executing zsh scripts

Problem

Potential solutions

Problem

Potential solutions

fleet
fleet copied to clipboard