Add fleetctl package option for adding a preinstall or postinstall script into the fleet enroll package
Problem
fleetctl package does not have an option for including a preinstall or postinstall script created by an admin in an enrollment package.
Fleet currently has premade base installer packages but these would have to be modified for this use case: https://github.com/fleetdm/fleet/blob/main/orbit/pkg/packaging/linux_shared.go#L119 https://github.com/fleetdm/fleet/blob/main/orbit/pkg/packaging/linux_shared.go#L351-L364
e.g., A customer has a PAM authorization product installed which uses a customized sudo (dzdo). Because of this, fleetctl was unable to get privilege to correctly install the Fleet Desktop app. The solution was to modify the $PATH variable, i.e., customer had to add a line to /etc/default/orbit: PATH="/sbin:/usr/sbin:/bin:/usr/bin"
This customer asked if fleetctl could inject that change into the package dynamically because .deb packages have the option of adding pre & post install scripts: https://canonical-ubuntu-packaging-guide.readthedocs-hosted.com/en/latest/
What have you tried?
N/A - this capability does not exist today.
Potential solutions
Add a --script option to fleetctl package that would wrap a script file into the fleetctl package from a specified file path (the file path could be the value of the option: --script /some/file/path/here). The option should be available for .deb, .rpm, .pkg, .msi etc.
What is the expected workflow as a result of your proposal?
fleetctl enrollment packages could be deployed with pre & post install actions.
Hey @nonpunctual this makes sense!
Sounds like the customer is most focused on .deb packages here.
My guess is this isn't a problem today for macOS (.pkg) and Windows (.msi) because the customer has an MDM that lets them supply pre and post-install scripts to macOS and Windows package installs (like Fleet today).
Please let me know if that's wrong.
I'm curious if you know, are there any .deb packaging tools out there today that could make the following workflow feasible?
- Run fleetctl package to create .deb fleetd.
- Use third-party packaging tool to re-package fleetd w/ a pre and post-install script.
@noahtalerman I don't think what you've described would require 3rd party tools on any platform. There are CLI options for wrapping a package in another package, e.g., on macOS you can use productbuild to wrap a distribution package around a component package. I assume it is possible to create a "metapackage" like this in Ubuntu, etc.
But, all of these workflows require multiple additional steps. Creating the Fleet enrollment package is already non-trivial.
This is the spec for future fleetctl package capabilities. I think an intermediary step would be to add this feature request to the future options:
https://github.com/fleetdm/fleet/blob/182823753c215d35b7406b46147458c09d00b029/proposals/Fleet-Installers.md?plain=1#L296
I believe this is the script that creates the fleetctl package: https://github.com/fleetdm/fleet/blob/182823753c215d35b7406b46147458c09d00b029/tools/tuf/test/gen_pkgs.sh#L161
Looking at it, it doesn't seem like it would be much lift to pick up a script file & drop it in the correct directory structure in the final package output. This would be a time saver & a large reduction in complexity for admins.
> There are CLI options for wrapping a package in another package, e.g., on macOS you can use productbuild to wrap a distribution package around a component package. I assume it is possible to create a "metapackage" like this in Ubuntu, etc.
@nonpunctual Ah, cool! Good to know that an IT admin on a Mac doesn't need to install a third-party tool to add a pre-install script to fleetd.
> Creating the Fleet enrollment package is already non-trivial.
Totally agree.
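
The two-step workflow discussed in this thread (build the .deb with fleetctl package, then re-package it with a post-install step) can be done with dpkg-deb alone. The following is an added example, not part of the issue and not Fleet's code. Assumptions: dpkg-deb supports --root-owner-group (dpkg 1.19 or later), the first line of any existing DEBIAN/postinst is its shebang, and the function names, the ORBIT_ENV variable and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Fleet code: function names and ORBIT_ENV are hypothetical.

# Print a post-install fragment that pins PATH in the orbit environment file.
# It runs in a subshell so its variables do not leak into the rest of postinst.
postinst_snippet() {
cat <<'EOF'
( # admin-supplied addition: set PATH for orbit (line taken from the issue)
  env_file="${ORBIT_ENV:-/etc/default/orbit}"   # ORBIT_ENV: test override only
  want='PATH="/sbin:/usr/sbin:/bin:/usr/bin"'
  touch "$env_file"
  tmp="$(mktemp)"
  grep -v '^PATH=' "$env_file" > "$tmp" || true  # drop any older PATH= line
  printf '%s\n' "$want" >> "$tmp"
  cat "$tmp" > "$env_file"                       # keeps owner and mode
  rm -f "$tmp"
)
EOF
}

# Re-package IN_DEB as OUT_DEB with the fragment inserted right after the
# shebang of DEBIAN/postinst, so it runs even if the script later calls exit.
repackage_deb() {
    in_deb="$1"; out_deb="$2"
    work="$(mktemp -d)" || return 1
    dpkg-deb -R "$in_deb" "$work/pkg" || { rm -rf "$work"; return 1; }
    postinst="$work/pkg/DEBIAN/postinst"
    [ -f "$postinst" ] || printf '#!/bin/sh\nset -e\n' > "$postinst"
    { head -n 1 "$postinst"; postinst_snippet; tail -n +2 "$postinst"; } \
        > "$postinst.new"
    mv "$postinst.new" "$postinst"
    chmod 0755 "$postinst"
    # Assumption: every file in the package is owned by root:root.
    dpkg-deb --root-owner-group -b "$work/pkg" "$out_deb"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# Usage (placeholder file names): sh repackage.sh fleetd.deb fleetd-custom.deb
if [ "$#" -eq 2 ]; then repackage_deb "$1" "$2"; fi
```

Install scripts run as root, so extract the rebuilt control scripts with dpkg-deb -e and review them before distributing the package.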