Merge branch 'main' into feat-fleet-app-library

fleetdm · Oct 2, 2024 · d8fda9f · d8fda9f
2 parents aa887d3 + 570d184
commit d8fda9f
Show file tree

Hide file tree

Showing 115 changed files with 1,765 additions and 1,210 deletions.
diff --git a/.github/workflows/build-binaries.yaml b/.github/workflows/build-binaries.yaml
@@ -37,11 +37,10 @@ jobs:
         with:
           go-version-file: 'go.mod'
 
-      # Set the Node.js version
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
+      - name: Set up Node.js
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: ${{ vars.NODE_VERSION }}
+          node-version-file: package.json
 
       - name: JS Dependency Cache
         id: js-cache
@@ -51,7 +50,7 @@ jobs:
             **/node_modules
           # Use a separate cache for this from other JS jobs since we run the
           # webpack steps and will have more to cache.
-          key: ${{ runner.os }}-node_modules-${{ hashFiles('**/yarn.lock') }}-node_version-${{ vars.NODE_VERSION }}
+          key: ${{ runner.os }}-node_modules-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-node_modules-
 

diff --git a/.github/workflows/fleet-and-orbit.yml b/.github/workflows/fleet-and-orbit.yml
@@ -79,11 +79,10 @@ jobs:
         with:
           go-version-file: 'go.mod'
 
-      # Set the Node.js version
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
+      - name: Set up Node.js
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: ${{ vars.NODE_VERSION }}
+          node-version-file: package.json
 
       - name: Start tunnel
         env:

diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
@@ -46,11 +46,10 @@ jobs:
         with:
           go-version-file: 'go.mod'
 
-      # Set the Node.js version
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
+      - name: Set up Node.js
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: ${{ vars.NODE_VERSION }}
+          node-version-file: package.json
 
       - name: Install JS Dependencies
         run: make deps-js

diff --git a/.github/workflows/goreleaser-snapshot-fleet.yaml b/.github/workflows/goreleaser-snapshot-fleet.yaml
@@ -60,10 +60,10 @@ jobs:
           go-version-file: 'go.mod'
 
       # Set the Node.js version
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
+      - name: Set up Node.js
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: ${{ vars.NODE_VERSION }}
+          node-version-file: package.json
 
       - name: Install Dependencies
         run: make deps

diff --git a/.github/workflows/test-db-changes.yml b/.github/workflows/test-db-changes.yml
@@ -40,33 +40,6 @@ jobs:
       with:
         fetch-depth: 0
 
-    - name: Install Go
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-      with:
-        go-version-file: 'go.mod'
-
-    - name: Start Infra Dependencies
-      # Use & to background this
-      run: docker compose up -d mysql_test &
-
-    - name: Wait for mysql
-      run: |
-        echo "waiting for mysql..."
-        until docker compose exec -T mysql_test sh -c "mysql -uroot -p\"\${MYSQL_ROOT_PASSWORD}\" -e \"SELECT 1=1\" fleet" &> /dev/null; do
-            echo "."
-            sleep 1
-        done
-        echo "mysql is ready"
-
-    - name: Verify test schema changes
-      run: |
-        make dump-test-schema
-        if [[ $(git diff server/datastore/mysql/schema.sql) ]]; then
-          echo "❌ fail: uncommited changes in schema.sql"
-          echo "please run `make dump-test-schema` and commit the changes"
-          exit 1
-        fi
-
     # TODO: This doesn't cover all scenarios since other PRs might
     # be merged into `main` after this check has passed.
     #
@@ -84,8 +57,8 @@ jobs:
           base_ref=$(git tag --list "fleet-v*" --sort=-creatordate | head -n 1)
         fi
 
-        all_migrations=($(ls server/datastore/mysql/migrations/tables/20*_*.go | sort -r))
-        new_migrations=($(git diff --find-renames --name-only --diff-filter=A $base_ref -- server/datastore/mysql/migrations/tables/20\*_\*.go | sort -r))
+        all_migrations=($(ls server/datastore/mysql/migrations/tables/20*_*.go | sort -r | grep -v '_test.go'))
+        new_migrations=($(git diff --find-renames --name-only --diff-filter=A $base_ref -- server/datastore/mysql/migrations/tables/20\*_\*.go ':(exclude,glob)server/datastore/mysql/migrations/tables/20*_*_test.go' | sort -r))
 
         index=0
         for migration in "${new_migrations[@]}"; do
@@ -110,3 +83,31 @@ jobs:
         	echo "Ref: https://github.com/fleetdm/fleet/blob/main/handbook/engineering/scaling-fleet.md#foreign-keys-and-locking"
         	exit 1
         fi
+
+
+    - name: Install Go
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+      with:
+        go-version-file: 'go.mod'
+
+    - name: Start Infra Dependencies
+      # Use & to background this
+      run: docker compose up -d mysql_test &
+
+    - name: Wait for mysql
+      run: |
+        echo "waiting for mysql..."
+        until docker compose exec -T mysql_test sh -c "mysql -uroot -p\"\${MYSQL_ROOT_PASSWORD}\" -e \"SELECT 1=1\" fleet" &> /dev/null; do
+            echo "."
+            sleep 1
+        done
+        echo "mysql is ready"
+
+    - name: Verify test schema changes
+      run: |
+        make dump-test-schema
+        if [[ $(git diff server/datastore/mysql/schema.sql) ]]; then
+          echo "❌ fail: uncommited changes in schema.sql"
+          echo "please run `make dump-test-schema` and commit the changes"
+          exit 1
+        fi
diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml
@@ -42,14 +42,14 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          node-version: ${{ vars.NODE_VERSION }}
-
       - name: Checkout Code
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
+      - name: Set up Node.js
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version-file: package.json
+
       - name: JS Dependency Cache
         id: js-cache
         uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2
@@ -87,14 +87,14 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Node.js ${{ vars.NODE_VERSION }}
-        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
-        with:
-          node-version: ${{ vars.NODE_VERSION }}
-
       - name: Checkout Code
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
+      - name: Set up Node.js
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
+        with:
+          node-version-file: package.json
+
       - name: JS Dependency Cache
         id: js-cache
         uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v2

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## Fleet 4.57.1 (Oct 01, 2024)
+
+### Bug fixes
+
+* Improved performance of SQL queries used to determine MDM profile status for Apple hosts.
+* Ensured request timeouts for software installer edits were just as high as for initial software installer uploads.
+* Fixed an issue with the migration that added support for multiple VPP tokens, which would happen if a token was removed prior to upgrading Fleet.
+* Fixed a "no rows" error when adding a software installer that matched an existing title's name and source but not its bundle ID.
+
 ## Fleet 4.57.0 (Sep 23, 2024)
 
 **Endpoint Operations**

diff --git a/articles/config-less-fleetd-agent-deployment.md b/articles/config-less-fleetd-agent-deployment.md
@@ -4,7 +4,7 @@
 
 Deploying Fleet's agent across a diverse range of devices often involves the crucial step of enrolling each device. Traditionally, this involves [packaging](https://fleetdm.com/docs/using-fleet/fleetd#packaging)  `fleetd` with configuration including the enroll secret and server URL. While effective, an alternative offers more flexibility in your deployment process. This guide introduces a different approach for deploying Fleet's agent without embedding configuration settings directly into `fleetd`. Ideal for IT administrators who prefer to generate a single package and maintain greater control over the distribution of enrollment secrets and server URLs, this method simplifies the enrollment process across macOS and Windows hosts.
 
-Emphasizing adaptability and convenience, this approach allows for a more efficient way to manage device enrollments. Let’s dive into how to deploy Fleet's agent using this alternative method, ensuring a more open and flexible deployment process.
+This approach emphasizes adaptability and convenience and allows for a more efficient way to manage device enrollments. Let’s explore how to deploy Fleet's agent using this alternative method, ensuring a more open and flexible deployment process.
 
 
 ## For macOS:
@@ -44,6 +44,18 @@ fleetctl package --type=pkg --use-system-configuration --fleet-desktop
         <key>PayloadVersion</key>
         <integer>1</integer>
       </dict>
+      <dict>
+        <key>EndUserEmail</key>
+        <string>END_USER_EMAIL_HERE</string>
+        <key>PayloadIdentifier</key>
+        <string>com.fleetdm.fleet.mdm.apple.mdm</string>
+        <key>PayloadType</key>
+	  <string>com.apple.mdm</string>
+	  <key>PayloadUUID</key>
+	  <string>29713130-1602-4D27-90C9-B822A295E44E</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+      </dict>
     </array>
     <key>PayloadDisplayName</key>
     <string>Fleetd configuration</string>
@@ -56,11 +68,38 @@ fleetctl package --type=pkg --use-system-configuration --fleet-desktop
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>PayloadDescription</key>
-    <string>Default configuration for the fleetd agent.</string>
+    <string>Configuration for the fleetd agent.</string>
   </dict>
 </plist>
 ```
 
+You can optionally specify the `END_USER_EMAIL` that will be added to the host's [human-device mapping](https://fleetdm.com/docs/rest-api/rest-api#get-human-device-mapping):
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>PayloadContent</key>
+    <array>
+      ...
+      <dict>
+        <key>EndUserEmail</key>
+        <string>END_USER_EMAIL</string>
+        <key>PayloadIdentifier</key>
+        <string>com.fleetdm.fleet.mdm.apple.mdm</string>
+        <key>PayloadType</key>
+	  <string>com.apple.mdm</string>
+	  <key>PayloadUUID</key>
+	  <string>29713130-1602-4D27-90C9-B822A295E44E</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+      </dict>
+    </array>
+    ...
+  </dict>
+</plist>
+```
 
 ## For Windows:
 

diff --git a/articles/enroll-hosts.md b/articles/enroll-hosts.md
@@ -320,7 +320,7 @@ Fleetd will send stdout/stderr logs to the following directories:
 
   - macOS: `/private/var/log/orbit/orbit.std{out|err}.log`.
   - Windows: `C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.log` (the log file is rotated).
-  - Linux: Orbit and osqueryd stdout/stderr output is sent to syslog (`/var/log/syslog` on Debian systems and `/var/log/messages` on CentOS).
+  - Linux: Orbit and osqueryd stdout/stderr output is sent to syslog (`/var/log/syslog` on Debian systems, `/var/log/messages` on CentOS, and `journalctl -u orbit` on Fedora).
 
 If the `logger_path` agent configuration is set to `filesystem`, fleetd will send osquery's "result" and "status" logs to the following directories:
   - Windows: C:\Program Files\Orbit\osquery_log

diff --git a/articles/macos-mdm-setup.md b/articles/macos-mdm-setup.md
@@ -58,17 +58,17 @@ If no default team is set for a host platform (macOS, iOS, or iPadOS), then newl
 
 To connect Fleet to Apple's VPP, head to the guide [here](https://fleetdm.com/guides/install-vpp-apps-on-macos-using-fleet).
 
-### Best practice
+## Best practice
 
-Most organizations need only one ABM token and one VPP token to manage their macOS, iOS, and iPadOS hosts.
+Most organizations only need one ABM token and one VPP token to manage their macOS, iOS, and iPadOS hosts.
 
-Some organizations need multiple ABM and VPP tokens:
+These organizations may need multiple ABM and VPP tokens:
 
 - Managed Service Providers (MSPs)
 - Enterprises that acquire new businesses and as a result inherit new hosts
 - Umbrella organizations that preside over entities with separated purchasing authority (i.e. a hospital or university) 
 
-For MSPs, the best practice is to have one ABM and VPP connection per client. 
+For **MSPs**, the best practice is to have one ABM and VPP connection per client. 
 
 The default teams in Fleet for each client's ABM token in Fleet will look like this:
 - macOS: 💻 Client A - Workstations
@@ -77,7 +77,7 @@ The default teams in Fleet for each client's ABM token in Fleet will look like t
 
 Client A's VPP token will be assigned to the above teams.
 
-For enterprises that acquire, the best practice is to add a new ABM and VPP connection for each acquisition.
+For **enterprises that acquire**, the best practice is to add a new ABM and VPP connection for each acquisition.
 
 These will default teams in Fleet:
 

diff --git a/changes/19619-win-battery b/changes/19619-win-battery
@@ -0,0 +1 @@
+- Windows host details now include battery status
diff --git a/changes/20537-add-rpm-support b/changes/20537-add-rpm-support
@@ -0,0 +1 @@
+* Added support for uploading RPM packages.
diff --git a/changes/21409-fedora-label b/changes/21409-fedora-label
@@ -0,0 +1 @@
+- added builtin label for Fedora Linux.  Warning: migrations will fail if a pre-existing 'Fedora Linux' label exists.  To resolve, delete the existing 'Fedora Linux' label.
diff --git a/changes/21923-switch-exact-search-focus-bug b/changes/21923-switch-exact-search-focus-bug
@@ -0,0 +1 @@
+- UI fix: Switching vulnerability search types does not cause page re-render
diff --git a/changes/22094-cleanup-queries b/changes/22094-cleanup-queries
@@ -0,0 +1 @@
+- updated activity cleanup job to remove all expired live queries to improve API performance in environment using large volumes of live queries.  To note, the cleanup cron may take longer on the first run after upgrade.
diff --git a/changes/22094-query-optimization b/changes/22094-query-optimization
@@ -0,0 +1 @@
+- Increased performance for Host details and Fleet Desktop, particularly in environments using high volumes of live queries
diff --git a/changes/22198-defaults b/changes/22198-defaults
@@ -0,0 +1,2 @@
+- Fixes a bug where removing a VPP or ABM token from a GitOps YAML file would leave the team
+  assignments unchanged.
diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
@@ -8,7 +8,7 @@ version: v6.2.0
 home: https://github.com/fleetdm/fleet
 sources:
   - https://github.com/fleetdm/fleet.git
-appVersion: v4.57.0
+appVersion: v4.57.1
 dependencies:
   - name: mysql
     condition: mysql.enabled

diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
@@ -3,7 +3,7 @@
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageRepository: fleetdm/fleet
-imageTag: v4.57.0 # Version of Fleet to deploy
+imageTag: v4.57.1 # Version of Fleet to deploy
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources: