https://github.com/osquery/osquery logo
Join Slack
Powered by
I'm guessing it's because the Go library is using ...
# fleet
s
I'm guessing it's because the Go library is using the equivalent of 
pkgbuild --ownership preserve
instead of 
pkgbuild --ownership recommended
... a simple flag to switch
I can rebuild the installer with the correct permissions, but it would be nice to fix it at the source
k
Looks like this is a new one, @Shawn Maddock! I'll loop the team in. The installer package should be generated in the same location where the command was run, though I suspect I may not have quite understood what you were looking for, so just let me know if that's the case.
s
Yeah it's generating fine, but the metadata in the installer package are incorrect
k
Gotcha. I wasn't sure if you were also looking for the installer locally, so I wanted to be sure.
Did you run 
fleetctl package
as 
root
or as a standard user?
s
I tried both. 
root
resulted in permissions that were more correct, but still not right. lol
k
That's fun. I'll hopefully have an update (or more questions) shortly!
s
Happy to provide more info!
k
Was the package also generated on MacOS?
s
It was
k
What are you using to scan for these conflicts? And is everything running properly?
s
There are a number of tools, the screenshot is from a Mac application called "Suspicious Package". And no, the reason I brought it up is when we attempt to deploy the installer via our software management tool, it does not install correctly (the files are placed on the endpoints but the devices never check into fleet, even after a reboot)
k
I don't believe that anything has changed with permissions recently and the consensus seems to be that this likely wouldn't cause that behavior, so it may be unrelated. What software management tool are you using? Anything interesting in the Orbit logs on your hosts? You can find those at 
/private/var/log/orbit/orbit.std{out|err}.log
.
s
Well, we just deployed a rebuilt package which is working on all devices. Let me see if any of them still have the old logs.
The only stderr.log entries are from our repackaged installer. There are no stdout.log entries.
We are using Munki for macOS software management.
k
Good deal. Did you change the permissions on the new package, or was it the same build process?
s
No I extracted the payload from the 
fleetctl
-built installer and used 
pkgbuild
to create a new installer.
k
If you'd be down for testing out that original installer again on a host or two to see what shows up in the logs, that would be awesome. That way, we can (hopefully) see whether the issue was related. We haven't seen other reports of issues yet, but we've got the permissions conflicts on our radar and are keeping an eye out.
s
Lemme spin up a VM
k
We're testing it with Munki as well, but it's always helpful to get data straight from the source :)
Here's the ticket in case you'd like to follow it!
s
Thanks! Just wrapping up my VM testing
Okay. Looks like two separate issues.
The permissions are one
The second is that 
fleetctl
is building a "distribution" style Mac installer package, but there's no valid Distribution or PackageInfo file imbedded in it
So when Munki goes to import it, it does not accurately see the receipts that Installer.app will generate
This is getting in the weeds of macOS package creation though, I can create a separate ticket
Found the bug
The project readme has a link to "submit a patch" but it goes to https://fleetdm.com/docs/contributing/contributing which only talks about contributing to documentation. I can submit a PR for my issue but didn't know if there's protocol around which branch to submit to
k
Go ahead and Submit your PR for the main branch and tag me (@ksatter) and I'll take it from there 🙂 I'll also get that documentation updated.
s
And done!
k
Fantastic, thanks so much!
Send over a DM with your: Shirt size Shipping info Email address (work if you don't mind sharing) And I'll get you hooked up with some Fleet swag!
2 Views
Open in Slack
PreviousNext
Powered by