#fleet

Tilman Bender

03/23/2022, 4:08 PM
Regarding orbit: I understand it uses TUF which sounds good. However until we've looked at the update process in detail, I'd like to remove one upstream dependency by not having it auto-update (we might run our own update server later). How would I go about disabling the auto-update? Is passing --disable-updates sufficient? Will that still allow me to push things like changes to the flags using fleet?
Lucas Rodriguez

03/23/2022, 4:18 PM
Hi Tilman. After some requests from the community we added the --disable-updates option. With that flag set during the package generation, Orbit won't run any auto-update routines (so it won't reach out to a TUF at all).
Will that still allow me to push things like changes to the flags using fleet?
Yes, that continues to be the same. --disable-updates just disables auto-updates of Orbit+osquery via a TUF server.
Tilman Bender

03/23/2022, 4:22 PM
Ah so I must pass it to fleetctl package? Or could I also pass that parameter to the orbit binary itself? e.g. by deploying a modified systemd file on linux?
Lucas Rodriguez

03/23/2022, 4:24 PM
Ah yes, you can pass the same flag to Orbit itself too.
Tilman Bender

03/23/2022, 4:27 PM
Perfect. That'd be sufficient to reduce some of the backlash I might be getting
4:28 PM
currently looking into ansible task to deploy internally
4:29 PM
Tell a bunch of security folk you want to install a service that's running as root and auto-updating from an external source and you can expect some serious backlash 😄
Lucas Rodriguez

03/23/2022, 4:38 PM
Indeed. The other alternative is using the Premium feature in Fleet to set up and have fleetctl/orbit point to a user-owned TUF server.
Tilman Bender

03/23/2022, 5:25 PM
Yup. We already bought a license to have teams, but I simply don't have the time to roll my own update server now
5:26 PM
Also we'll first have a look at TUF, maybe it passes muster with an external update server