-rw-r--r-- | .SRCINFO | 22 | ||||
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .gitlab-ci.yml | 68 | ||||
-rw-r--r-- | LICENSE | 19 | ||||
-rw-r--r-- | PKGBUILD | 57 | ||||
-rw-r--r-- | PKGBUILD.jinja | 57 | ||||
-rwxr-xr-x | fleet-orbit | 8 | ||||
-rw-r--r-- | fleet-orbit-cleanup.hook | 8 | ||||
-rw-r--r-- | fleet-orbit-config | 29 | ||||
-rw-r--r-- | fleet-orbit.service | 15 | ||||
-rw-r--r-- | metadata.json | 9 | ||||
-rwxr-xr-x | render_pkgbuild.py | 90 | ||||
-rw-r--r-- | requirements.txt | 3 |
13 files changed, 386 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..319f35ce97ac
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,22 @@
+pkgbase = fleet-orbit
+ pkgdesc = Eases the deployment of osquery connected with a Fleet server.
+ pkgver = 0.0.11
+ pkgrel = 1
+ url = https://github.com/fleetdm/fleet/tree/main/orbit
+ arch = x86_64
+ license = MIT
+ makedepends = go
+ depends = osquery
+ backup = etc/default/orbit
+ source = https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v0.0.11.tar.gz
+ source = fleet-orbit
+ source = fleet-orbit-cleanup.hook
+ source = fleet-orbit-config
+ source = fleet-orbit.service
+ sha512sums = ad6891bd5deed9111759f14e478334d966275d98a42b13a02e69c80735567f017baa78c542159e5f55417fa8704a22bcfc556ef395e52c303468134c2084b075
+ sha512sums = 449f29d82564b3a0e56d529e0550bf83b22cfd672b960e20441015ef5c106f4d7508f4f0bb47631fe399e477e31b05c4a223549a36d23dc89ba9571d6468a75e
+ sha512sums = c4d4fdf980a891f5e56ca82173c57b60d0e157ef4af769fc5d9ecd7b9c70124402d694f35d48101e6633d0134ade9ab33cff3c129e2f603a6b7df1ee560eab5a
+ sha512sums = 781ba7743f8f176aeeef702cce67478af70981596029677e1e50f1a57b479c66832436e39d66b5e7f879477733b661326d306064050968acfb246adddfddf30a
+ sha512sums = 87aca00b0c053c194a36d583f474f34f22207c4e1e5319ed3722769f796599e8f69b920063daca95644f9ea11454cefdb4109011370c70ce27db90720d5f12e8
+
+pkgname = fleet-orbit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..fe22837fdb20
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/*.pkg.tar.zst
\ No newline at end of file
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 000000000000..8f9485f82479
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,68 @@
+stages:
+ - package
+ - deploy
+
+update_pkgbuild:
+ stage: package
+ image: python:latest
+ script:
+ - pip install -r requirements.txt
+ - ./render_pkgbuild.py
+ artifacts:
+ paths:
+ - ./metadata.json
+ - ./PKGBUILD
+ expire_in: 1 day
+
+build_package:
+ stage: package
+ needs: [update_pkgbuild]
+ image: archlinux:latest
+ script:
+ - pacman -Syu --noconfirm base-devel sudo
+ - useradd --create-home builder
+ - echo 'builder ALL=(ALL) ALL' >> /etc/sudoers.d/builder
+ - echo 'Defaults:builder !authenticate' >> /etc/sudoers.d/builder
+ - sudo -Hu builder makepkg --printsrcinfo > .SRCINFO
+ - sudo -Hu builder makepkg --noconfirm --syncdeps --clean
+ artifacts:
+ paths:
+ - ./.SRCINFO
+ - ./fleet-orbit-*.pkg.tar.zst
+ expire_in: 1 day
+
+test_package:
+ stage: package
+ needs: [build_package]
+ image: archlinux:latest
+ script:
+ - pacman -Syu --noconfirm
+ - pacman -U --noconfirm fleet-orbit-*.pkg.tar.zst
+ - fleet-orbit version
+
+push_package:
+ stage: deploy
+ image: alpine:latest
+ rules:
+ - if: $PUSH_PACKAGE == "true"
+ script:
+ - apk add git openssh-client
+ - eval $(ssh-agent -s)
+ - mkdir -p ~/.ssh
+ - chmod 700 ~/.ssh
+ - ssh-keyscan gitlab.com aur.archlinux.com >> ~/.ssh/known_hosts
+ - echo "${SSH_PRIVATE_KEY}" | tr -d '\r' | ssh-add -
+ - git clone git@gitlab.com:nlr/fleet-orbit-aur.git
+ - git remote add aur ssh://aur@aur.archlinux.org/fleet-orbit.git
+ - cp PKGBUILD .SRCINFO metadata.json fleet-orbit-aur/
+ - cd fleet-orbit-aur/
+ - git config user.name "[BOT] Gilbert Gilb's"
+ - git config user.email "gilbsgilbert@gmail.com"
+ - git add .
+ - |
+ if ! git diff --cached --exit-code; then
+ pkgver="$(grep -E '^pkgver=' PKGBUILD | cut -d'=' -f2)"
+ git commit -m "Update to ${pkgver}."
+ fi
+ - git push origin HEAD:main
+ - git push aur HEAD:master
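Review bot: In push_package, `ssh-keyscan gitlab.com aur.archlinux.com` scans a host the job never talks to, while the `aur` remote added two lines later points at `aur.archlinux.org`; with no known_hosts entry and no TTY, the final `git push aur HEAD:master` fails on host-key verification. Beyond the typo, filling known_hosts from ssh-keyscan at run time means the key loaded from `SSH_PRIVATE_KEY` is offered to whatever answers for those names during the job, so the published host keys for gitlab.com and aur.archlinux.org should be pinned in a protected CI variable and written with `- echo "${SSH_KNOWN_HOSTS}" >> ~/.ssh/known_hosts` (variable name illustrative). Since this job publishes whatever update_pkgbuild rendered, the protected-branch and protected-variable settings of the project are the only gate on what reaches AUR and deserve a comment above `push_package:`.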
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 000000000000..533b021a76fc
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2022 Gilbert Gilb's
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..d0c80a4d22a4
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,57 @@
+# Maintainer: Gilbert Gilb's <gilbsgilbert@gmail.com>
+
+pkgname=fleet-orbit
+pkgver=0.0.10
+pkgrel=1
+pkgdesc='Eases the deployment of osquery connected with a Fleet server.'
+arch=(x86_64)
+url='https://github.com/fleetdm/fleet/tree/main/orbit'
+license=(MIT)
+depends=(osquery)
+makedepends=(go)
+backup=(etc/default/orbit)
+optdepends=()
+source=(
+ "https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v$pkgver.tar.gz"
+ 'fleet-orbit'
+ 'fleet-orbit-cleanup.hook'
+ 'fleet-orbit-config'
+ 'fleet-orbit.service'
+)
+sha512sums=(
+ 'cd1323204a25978fde48de7b24726ff99b252561c0506f0c9c06f2ff2e08950a7fc7c299819d0edf55defe423527b09389ba0c4ade505739f02483b3bf18be2c'
+ '449f29d82564b3a0e56d529e0550bf83b22cfd672b960e20441015ef5c106f4d7508f4f0bb47631fe399e477e31b05c4a223549a36d23dc89ba9571d6468a75e'
+ 'c4d4fdf980a891f5e56ca82173c57b60d0e157ef4af769fc5d9ecd7b9c70124402d694f35d48101e6633d0134ade9ab33cff3c129e2f603a6b7df1ee560eab5a'
+ '781ba7743f8f176aeeef702cce67478af70981596029677e1e50f1a57b479c66832436e39d66b5e7f879477733b661326d306064050968acfb246adddfddf30a'
+ '87aca00b0c053c194a36d583f474f34f22207c4e1e5319ed3722769f796599e8f69b920063daca95644f9ea11454cefdb4109011370c70ce27db90720d5f12e8'
+)
+
+build() {
+ cd "$pkgname-v$pkgver"
+
+ mkdir -p build
+ go mod download
+ isodate=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
+ CGO_ENABLED=0 go build \
+ -o build/ \
+ -trimpath \
+ -buildvcs=false \
+ -ldflags "-s -w -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=v$pkgver -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit=7372777c56248aa10a7a15de971c63328e6d6b69 -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$isodate" \
+ ./orbit/cmd/orbit/
+}
+
+package() {
+ install -Dm644 'fleet-orbit-config' "$pkgdir/etc/default/fleet-orbit"
+ install -Dm644 'fleet-orbit.service' "$pkgdir/usr/lib/systemd/system/fleet-orbit.service"
+ install -Dm644 'fleet-orbit-cleanup.hook' "$pkgdir/usr/share/libalpm/hooks/fleet-orbit-cleanup.hook"
+
+ install -Dm644 
"$pkgname-v$pkgver/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+
+ install -Dm755 "$pkgname-v$pkgver/build/orbit" "$pkgdir/opt/fleet-orbit/bin/orbit/linux/stable/orbit"
+ ln -s "./linux/stable/orbit" "$pkgdir/opt/fleet-orbit/bin/orbit/orbit"
+
+ install -Dm755 "fleet-orbit" "$pkgdir/usr/bin/fleet-orbit"
+
+ mkdir -p "$pkgdir/opt/fleet-orbit/bin/osqueryd/linux/stable/"
+ ln -s /usr/bin/osqueryd "$pkgdir/opt/fleet-orbit/bin/osqueryd/linux/stable/osqueryd"
+}
\ No newline at end of file
diff --git a/PKGBUILD.jinja b/PKGBUILD.jinja
new file mode 100644
index 000000000000..b5544ee93e85
--- /dev/null
+++ b/PKGBUILD.jinja
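Review bot: `backup=(etc/default/orbit)` names a file this package never installs; package() writes the config to `$pkgdir/etc/default/fleet-orbit`, so local edits to /etc/default/fleet-orbit (which is where ORBIT_ENROLL_SECRET would be set) are overwritten on every upgrade instead of being kept as a .pacnew, and the line should read `backup=(etc/default/fleet-orbit)`. PKGBUILD.jinja in this commit carries the same line, and the committed .SRCINFO repeats it while also disagreeing with this PKGBUILD on pkgver (0.0.11 against 0.0.10) and on the release checksum, so the three committed artefacts do not describe one package. Because that config file is expected to hold an enroll secret, installing it with `install -Dm600 'fleet-orbit-config' "$pkgdir/etc/default/fleet-orbit"` rather than 0644, or documenting ORBIT_ENROLL_SECRET_PATH pointing at a root-only file as the preferred option, would keep the secret from being world-readable.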
@@ -0,0 +1,57 @@
+# Maintainer: Gilbert Gilb's <gilbsgilbert@gmail.com>
+
+pkgname=fleet-orbit
+pkgver={{ metadata.tag_info.pkgver }}
+pkgrel=1
+pkgdesc='Eases the deployment of osquery connected with a Fleet server.'
+arch=(x86_64)
+url='https://github.com/fleetdm/fleet/tree/main/orbit'
+license=(MIT)
+depends=(osquery)
+makedepends=(go)
+backup=(etc/default/orbit)
+optdepends=()
+source=(
+ "https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v$pkgver.tar.gz"
+ 'fleet-orbit'
+ 'fleet-orbit-cleanup.hook'
+ 'fleet-orbit-config'
+ 'fleet-orbit.service'
+)
+sha512sums=(
+ '{{ metadata.release_sha512sum }}'
+ '{{ sha512sum("fleet-orbit") }}'
+ '{{ sha512sum("fleet-orbit-cleanup.hook") }}'
+ '{{ sha512sum("fleet-orbit-config") }}'
+ '{{ sha512sum("fleet-orbit.service") }}'
+)
+
+build() {
+ cd "$pkgname-v$pkgver"
+
+ mkdir -p build
+ go mod download
+ isodate=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
+ CGO_ENABLED=0 go build \
+ -o build/ \
+ -trimpath \
+ -buildvcs=false \
+ -ldflags "-s -w -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=v$pkgver -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Commit={{ metadata.tag_info.commit_sha }} -X github.com/fleetdm/fleet/v4/orbit/pkg/build.Date=$isodate" \
+ ./orbit/cmd/orbit/
+}
+
+package() {
+ install -Dm644 'fleet-orbit-config' "$pkgdir/etc/default/fleet-orbit"
+ install -Dm644 'fleet-orbit.service' "$pkgdir/usr/lib/systemd/system/fleet-orbit.service"
+ install -Dm644 'fleet-orbit-cleanup.hook' "$pkgdir/usr/share/libalpm/hooks/fleet-orbit-cleanup.hook"
+
+ install -Dm644 "$pkgname-v$pkgver/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+
+ install -Dm755 "$pkgname-v$pkgver/build/orbit" "$pkgdir/opt/fleet-orbit/bin/orbit/linux/stable/orbit"
+ ln -s "./linux/stable/orbit" "$pkgdir/opt/fleet-orbit/bin/orbit/orbit"
+
+ install -Dm755 "fleet-orbit" "$pkgdir/usr/bin/fleet-orbit"
+
+ mkdir -p "$pkgdir/opt/fleet-orbit/bin/osqueryd/linux/stable/"
+ ln -s /usr/bin/osqueryd 
"$pkgdir/opt/fleet-orbit/bin/osqueryd/linux/stable/osqueryd"
+}
diff --git a/fleet-orbit b/fleet-orbit
new file mode 100755
index 000000000000..94ae6949fe42
--- /dev/null
+++ b/fleet-orbit
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+. /etc/default/fleet-orbit
+
+export ORBIT_ROOT_DIR="${ORBIT_ROOT_DIR:-/opt/fleet-orbit}"
+export ORBIT_DISABLE_UPDATES="${ORBIT_DISABLE_UPDATES:-true}"
+
+exec /opt/fleet-orbit/bin/orbit/orbit "$@"
diff --git a/fleet-orbit-cleanup.hook b/fleet-orbit-cleanup.hook
new file mode 100644
index 000000000000..a3b4151b5306
--- /dev/null
+++ b/fleet-orbit-cleanup.hook
@@ -0,0 +1,8 @@
+[Trigger]
+Operation = Remove
+Type = Package
+Target = fleet-orbit
+
+[Action]
+When = PreTransaction
+Exec = /usr/bin/rm -Rf /opt/fleet-orbit/
diff --git a/fleet-orbit-config b/fleet-orbit-config
new file mode 100644
index 000000000000..390937cd2de2
--- /dev/null
+++ b/fleet-orbit-config
@@ -0,0 +1,29 @@
+# Root directory for Orbit state
+#ORBIT_ROOT_DIR=/opt/fleet-orbit
+
+# Disable TLS certificate verification
+#ORBIT_INSECURE=false
+
+# URL (host:port) of Fleet server
+#ORBIT_FLEET_URL=
+
+# Path to server certificate chain
+#ORBIT_FLEET_CERTIFICATE=
+
+# URL for update server
+#ORBIT_UPDATE_URL=https://tuf.fleetctl.com
+
+# Enroll secret for authenticating to Fleet server
+#ORBIT_ENROLL_SECRET=
+
+# Disables auto updates
+#ORBIT_DISABLE_UPDATES=false
+
+# Path to file containing enroll secret
+#ORBIT_ENROLL_SECRET_PATH=
+
+# Runs in development mode
+#ORBIT_DEV_MODE=false
+
+# Enable debug logging
+#ORBIT_DEBUG=false
diff --git a/fleet-orbit.service b/fleet-orbit.service
new file mode 100644
index 000000000000..e6cce5731e21
--- /dev/null
+++ b/fleet-orbit.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Orbit osquery
+After=network.service syslog.service
+
+[Service]
+TimeoutStartSec=0
+ExecStart=/usr/bin/fleet-orbit
+Restart=always
+RestartSec=60
+KillMode=control-group
+KillSignal=SIGTERM
+CPUQuota=5%
+
+[Install]
+WantedBy=multi-user.target
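Review bot: The commented default `#ORBIT_DISABLE_UPDATES=false` in fleet-orbit-config does not describe what this package ships: the /usr/bin/fleet-orbit wrapper sets `ORBIT_DISABLE_UPDATES="${ORBIT_DISABLE_UPDATES:-true}"`, so Orbit's self-update is off unless this file explicitly turns it on. Change the line to `#ORBIT_DISABLE_UPDATES=true` and extend the comment to say the packaged wrapper defaults this to true (presumably so the binary stays the one pacman installed — worth confirming with the maintainer). The ORBIT_ENROLL_SECRET comment could also point readers to ORBIT_ENROLL_SECRET_PATH as the option that keeps the secret out of a 0644 file under /etc/default.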
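Review bot: `After=network.service syslog.service` in fleet-orbit.service orders against unit names that systemd itself does not provide (they exist only if some other package supplies them), so on a stock install the ordering is silently ignored and orbit can start before the network is up and then cycle through the `Restart=always` / `RestartSec=60` loop. The documented form for a service that must reach a server at start-up is `Wants=network-online.target` together with `After=network-online.target`. No `User=` is set, so the unit runs as root; that is expected for an osquery wrapper, but a one-line comment stating it is intentional would stop a reader from assuming it was overlooked.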
diff --git a/metadata.json b/metadata.json
new file mode 100644
index 000000000000..5b9b41ddfbd9
--- /dev/null
+++ b/metadata.json
@@ -0,0 +1,9 @@
+{
+ "release_sha512sum": "cd1323204a25978fde48de7b24726ff99b252561c0506f0c9c06f2ff2e08950a7fc7c299819d0edf55defe423527b09389ba0c4ade505739f02483b3bf18be2c",
+ "tag_info": {
+ "commit_sha": "7372777c56248aa10a7a15de971c63328e6d6b69",
+ "name": "orbit-v0.0.10",
+ "pkgver": "0.0.10",
+ "tarball_url": "https://github.com/fleetdm/fleet/archive/refs/tags/orbit-v0.0.10.tar.gz"
+ }
+}
\ No newline at end of file
diff --git a/render_pkgbuild.py b/render_pkgbuild.py
new file mode 100755
index 000000000000..cd10e8f3093b
--- /dev/null
+++ b/render_pkgbuild.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+import hashlib
+import json
+import pathlib
+import re
+import sys
+import typing
+
+import jinja2
+import requests
+from github import Github
+
+
+REPO_NAME = "fleetdm/fleet"
+VERSION_PATTERN = re.compile(r"orbit-v([0-9]+\.[0-9]+\.[0-9]+)")
+
+REPO = Github().get_repo(REPO_NAME)
+METADATA_PATH = pathlib.Path("./metadata.json")
+
+
+class TagInfo(typing.TypedDict):
+ name: str
+ pkgver: str
+ commit_sha: str
+ tarball_url: str
+
+
+class Metadata(typing.TypedDict):
+ tag_info: TagInfo
+ release_sha512sum: str
+
+
+def query_latest_tag_info() -> TagInfo:
+ for tag in REPO.get_tags():
+ match = VERSION_PATTERN.match(tag.name)
+ if match is not None:
+ return {
+ "name": tag.name,
+ "pkgver": match.group(1),
+ "commit_sha": tag.commit.sha,
+ "tarball_url": f"https://github.com/{REPO_NAME}/archive/refs/tags/{tag.name}.tar.gz",
+ }
+
+ raise RuntimeError("No tag matching pattern found.")
+
+
+def refresh_metadata(tag_info: TagInfo) -> Metadata:
+ release_sha512sum: typing.Optional[str] = None
+ if METADATA_PATH.exists():
+ old_metadata: Metadata = json.loads(METADATA_PATH.read_text())
+ if tag_info == old_metadata["tag_info"]:
+ release_sha512sum = old_metadata["release_sha512sum"]
+
+ metadata: Metadata = {
+ "tag_info": tag_info,
+ "release_sha512sum": release_sha512sum
+ or compute_remote_checksum(tag_info["tarball_url"]),
+ }
+
+ METADATA_PATH.write_text(json.dumps(metadata, sort_keys=True, indent=2))
+ return metadata
+
+
+def compute_remote_checksum(url: str, sumfunc=hashlib.sha512, chunk_size=1024) -> str:
+ s = sumfunc()
+ with requests.get(url, stream=True) as resp:
+ for content in resp.iter_content(chunk_size=chunk_size):
+ s.update(content)
+ return s.hexdigest()
+
+
+def render_pkgbuild(metadata: Metadata) -> None:
+ env = jinja2.Environment(loader=jinja2.FileSystemLoader("."))
+ env.globals["sha512sum"] = lambda path: hashlib.sha512(
+ pathlib.Path(path).read_bytes()
+ ).hexdigest()
+ template = 
env.get_template("./PKGBUILD.jinja")
+ result = template.render(metadata=metadata)
+ pathlib.Path("./PKGBUILD").write_text(result)
+
+
+def main() -> bool:
+ tag_info = query_latest_tag_info()
+ metadata = refresh_metadata(tag_info)
+ render_pkgbuild(metadata)
+ return True
+
+
+if __name__ == "__main__":
+ sys.exit(not bool(main()))
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 000000000000..0b26c7487dc3
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+jinja2
+pygithub
+requests
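Review bot: compute_remote_checksum hashes whatever `requests.get(url, stream=True)` returns without looking at the status, so a 404, a 5xx or a redirect to an HTML page is digested just as happily and that digest is then written into metadata.json and the rendered PKGBUILD; add `resp.raise_for_status()` as the first statement inside the `with`, and give the call a `timeout=` argument so a stalled download cannot hang the job indefinitely. The digest is also computed from the very download it later vouches for, so it pins reproducibility of that one fetch rather than the authenticity of the upstream release; a one-line comment at the top of the function saying so would stop readers from over-trusting the sha512sums line. `REPO = Github().get_repo(REPO_NAME)` at module level makes an unauthenticated API call on import; moving the lookup into query_latest_tag_info() keeps the module importable for tests and avoids spending the anonymous rate limit on every import.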
\ No newline at end of file |
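Review bot: The three entries are unpinned, so the update_pkgbuild job installs whatever versions of jinja2, pygithub and requests PyPI serves on the day it runs, and that code decides the contents of the PKGBUILD that push_package sends to AUR. Pin each line with `==<version>` and add `--hash=sha256:<digest>` lines so pip runs in hash-checking mode (placeholders shown; generate the real values with a lock tool such as pip-compile and refresh them deliberately).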