
Upgrade `nfpm` in `fleetctl` from `v2.10.0` to `v2.35.3`

Open lucasmrod opened this issue 1 year ago • 2 comments

#17359

  • The new version of nfpm changed the package, so we had to perform modifications (they removed a method we were using, `files.ExpandContentGlobs`)
  • Using umask = 022 to prevent world writable files on the resulting package.

Sample of the installed package on CentOS 7 which shows that w is not allowed for group or other:

```
[luk@localhost test]$ ls -al /opt/orbit
total 364
drwxr-xr-x  8 root root    283 Mar 28 06:44 .
drwxr-xr-x. 4 root root     29 Mar 28 06:44 ..
drwxr-xr-x  5 root root     50 Mar 28 06:44 bin
-rw-r--r--  1 root root 229654 Mar 28 06:41 certs.pem
-rw-r--r--  1 root root     36 Mar 28 06:44 identifier
drwxr-xr-x  2 root root   8192 Mar 28 06:44 lenses
srwxr-xr-x  1 root root      0 Mar 28 06:44 orbit-osquery.em
srwxr-xr-x  1 root root      0 Mar 28 06:44 orbit-osquery.em.26113
drwx------  2 root root    152 Mar 28 06:44 osquery.db
-rw-------  1 root root      0 Mar 28 06:41 osquery.flags
drwxr-xr-x  2 root root     98 Mar 28 06:44 osquery_log
-rw-------  1 root root      5 Mar 28 06:44 osquery.pid
drwxr-xr-x  2 root root     23 Mar 28 06:44 proxy
-rw-------  1 root root     32 Mar 28 06:44 secret-orbit-node-key.txt
drwxr-xr-x  2 root root      6 Mar 28 06:41 staging
-rw-------  1 root root 112018 Mar 28 06:41 tuf-metadata.json

ls -al /etc/default/orbit
-rw------- 1 root root 356 Mar 28 06:41 /etc/default/orbit

$ ls -al /usr/lib/systemd/system/orbit.service
-rw-r--r-- 1 root root 317 Mar 28 06:41 /usr/lib/systemd/system/orbit.service
```

  • [X] Changes file added for user-visible changes in changes/ or orbit/changes/. See Changes files for more information.
  • [X] Manual QA for all new/changed functionality
    • For Orbit and Fleet Desktop changes:
      • [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
      • [X] Auto-update manual QA, from released version of component to new version (see tools/tuf/test).

lucasmrod, Mar 28 '24 14:03
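
The property the listing above demonstrates (no `w` for group or other under the install path) can be re-checked after every package build. The following is an added example, not part of this PR or of Fleet's code: `FindWritable` and `ApplyUmask` are hypothetical names, and the default root `/opt/orbit` is taken from the listing.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

const groupOtherWrite fs.FileMode = 0o022 // write bits that umask 022 clears

// ApplyUmask returns mode with the umask bits cleared (hypothetical helper).
func ApplyUmask(mode, umask fs.FileMode) fs.FileMode {
	return mode &^ umask
}

// FindWritable walks root and lists entries writable by group or other.
// Symlinks are skipped: their own mode bits are not enforced on Linux.
func FindWritable(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err // e.g. an unreadable 0700 directory when not run as root
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink == 0 && info.Mode().Perm()&groupOtherWrite != 0 {
			hits = append(hits, fmt.Sprintf("%s %s", info.Mode(), path))
		}
		return nil
	})
	return hits, err
}

func main() {
	root := "/opt/orbit" // install path from the listing above
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := FindWritable(root)
	for _, h := range hits {
		fmt.Println(h)
	}
	if err != nil || len(hits) > 0 {
		fmt.Fprintln(os.Stderr, "group/other-writable entries or walk error:", err)
		os.Exit(1)
	}
}
```

Run it as root against the installed tree, since directories such as `osquery.db` are mode 0700 and stop the walk for other users.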

Re: failing go test CI:

We cannot merge yet because for some reason, when updating nfpm via go get it forces us to also update viper, which is breaking some functionality and may have undesired changes in fleet. Looking into it.

lucasmrod, Apr 03 '24 16:04

@lukeheath @getvictor Converting PR to draft until we decide to upgrade support of YAML 1.1 and 1.2 (see https://github.com/fleetdm/fleet/issues/18057)

lucasmrod, Apr 09 '24 19:04

Closing to reduce PR clutter. Will re-open as soon as we decide to move forward with upgrading dependencies (yaml v1.1 support).

lucasmrod, Jun 26 '24 19:06