Title
#fleet
s

Shawn Maddock

09/20/2022, 1:47 PM
I'm guessing it's because the Go library is using the equivalent of
pkgbuild --ownership preserve
instead of
pkgbuild --ownership recommended
... a simple flag to switch
1:58 PM
I can rebuild the installer with the correct permissions, but it would be nice to fix it at the source
Kathy Satterlee

Kathy Satterlee

09/20/2022, 2:19 PM
Looks like this is a new one, @Shawn Maddock! I'll loop the team in. The installer package should be generated in the same location where the command was run, though I suspect I may not have quite understood what you were looking for, so just let me know if that's the case.
s

Shawn Maddock

09/20/2022, 2:20 PM
Yeah it's generating fine, but the metadata in the installer package are incorrect
Kathy Satterlee

Kathy Satterlee

09/20/2022, 2:23 PM
Gotcha. I wasn't sure if you were also looking for the installer locally, so I wanted to be sure.
2:31 PM
Did you run
fleetctl package
as
root
or as a standard user?
s

Shawn Maddock

09/20/2022, 2:32 PM
I tried both.
root
resulted in permissions that were more correct, but still not right. lol
Kathy Satterlee

Kathy Satterlee

09/20/2022, 2:34 PM
That's fun. I'll hopefully have an update (or more questions) shortly!
s

Shawn Maddock

09/20/2022, 2:34 PM
Happy to provide more info!
Kathy Satterlee

Kathy Satterlee

09/20/2022, 2:37 PM
Was the package also generated on MacOS?
s

Shawn Maddock

09/20/2022, 2:37 PM
It was
Kathy Satterlee

Kathy Satterlee

09/20/2022, 2:51 PM
What are you using to scan for these conflicts? And is everything running properly?
s

Shawn Maddock

09/20/2022, 2:52 PM
There are a number of tools, the screenshot is from a Mac application called "Suspicious Package". And no, the reason I brought it up is when we attempt to deploy the installer via our software management tool, it does not install correctly (the files are placed on the endpoints but the devices never check into fleet, even after a reboot)
Kathy Satterlee

Kathy Satterlee

09/20/2022, 3:09 PM
I don't believe that anything has changed with permissions recently and the consensus seems to be that this likely wouldn't cause that behavior, so it may be unrelated. What software management tool are you using? Anything interesting in the Orbit logs on your hosts? You can find those at
/private/var/log/orbit/orbit.std{out|err}.log
.
s

Shawn Maddock

09/20/2022, 3:32 PM
Well, we just deployed a rebuilt package which is working on all devices. Let me see if any of them still have the old logs.
3:36 PM
The only stderr.log entries are from our repackaged installer. There are no stdout.log entries.
3:36 PM
We are using Munki for macOS software management.
Kathy Satterlee

Kathy Satterlee

09/20/2022, 3:47 PM
Good deal. Did you change the permissions on the new package, or was it the same build process?
s

Shawn Maddock

09/20/2022, 3:48 PM
No I extracted the payload from the
fleetctl
-built installer and used
pkgbuild
to create a new installer.
Kathy Satterlee

Kathy Satterlee

09/20/2022, 3:54 PM
If you'd be down for testing out that original installer again on a host or two to see what shows up in the logs, that would be awesome. That way, we can (hopefully) see whether the issue was related. We haven't seen other reports of issues yet, but we've got the permissions conflicts on our radar and are keeping an eye out.
s

Shawn Maddock

09/20/2022, 3:56 PM
Lemme spin up a VM
Kathy Satterlee

Kathy Satterlee

09/20/2022, 3:57 PM
We're testing it with Munki as well, but it's always helpful to get data straight from the source 😃
4:37 PM
Here's the ticket in case you'd like to follow it!
s

Shawn Maddock

09/20/2022, 4:37 PM
Thanks! Just wrapping up my VM testing
4:52 PM
Okay. Looks like two separate issues.
4:52 PM
The permissions are one
4:53 PM
The second is that
fleetctl
is building a "distribution" style Mac installer package, but there's no valid Distribution or PackageInfo file imbedded in it
4:54 PM
So when Munki goes to import it, it does not accurately see the receipts that Installer.app will generate
4:55 PM
This is getting in the weeds of macOS package creation though, I can create a separate ticket
6:22 PM
Found the bug
6:35 PM
The project readme has a link to "submit a patch" but it goes to https://fleetdm.com/docs/contributing/contributing which only talks about contributing to documentation. I can submit a PR for my issue but didn't know if there's protocol around which branch to submit to
Kathy Satterlee

Kathy Satterlee

09/20/2022, 6:59 PM
Go ahead and Submit your PR for the main branch and tag me (@ksatter) and I'll take it from there 🙂 I'll also get that documentation updated.
s

Shawn Maddock

09/20/2022, 7:00 PM
And done!
Kathy Satterlee

Kathy Satterlee

09/20/2022, 7:01 PM
Fantastic, thanks so much!
7:15 PM
Send over a DM with your: Shirt size Shipping info Email address (work if you don't mind sharing) And I'll get you hooked up with some Fleet swag!