Reconcile MDM profiles by updating installed profiles in place

[gillespi314]

Issues #10775 & #10678

Revise ReconcileProfiles cron job so that whenever a profile to be installed shares the same profile identifier as an already installed profile, the profile is updated in place (i.e. do not send a RemoveProfile command first).

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/ or orbit/changes/.
  See Changes files for more information.
• Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)
• Documented any permissions changes
• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)
• Added support on fleet's osquery simulator cmd/osquery-perf for new osquery data ingestion features.
• Added/updated tests
• Manual QA for all new/changed functionality
  • For Orbit and Fleet Desktop changes:
    • Manual QA must be performed in the three main OSs, macOS, Windows and Linux.
    • Auto-update manual QA, from released version of component to new version (see tools/tuf/test).

[mna]

I think this is an awesome approach that could very well work (while being simpler than what I had in mind)! It assumes the queue is reliable and runs commands in sequence for a given host - if we can rely on that, great. AIUI, it uses the fact that profiles are unique per team and profile identifier to detect when a Remove+Install is needed vs a Replace, without having to do that logic when saving the profiles for the team/no team (i.e. we still do a delete+insert at that place, meaning that an update to the contents of the profile results in a new internal profile ID at the DB level).

The other points I mention in the review are, I think, all solvable. I think the way to identify if the operation should be a replace needs to be done per "host UUID+profile identifier" tuple, and not just profile identifier.

[mna]

I think this should be done only once the Install of the replaced profile is successfully done, otherwise we remove a profile from our table for a host, but it may still have the old one "to-be-replaced".

[gillespi314]

My thinking here was that if the install fails, there would be an entry for the install failure, which would tie back to the profile identifier of the to-be-replaced profile. I think that is consistent with what the UI wants to display, but do you think we need more than that entry for our own table hygiene?

[mna]

Ah yeah, you're right, the profile to be removed would be deleted from the table, but the one to be inserted as replacement would also be inserted and with a status NULL so that enqueuing the Install command is retried on the next run. It would be reported in stats/UI/etc. as "pending install" which is exactly what we want.

[mna]

This assumes that when a ProfileIdentifier is seen in toInstall, then it is necessarily being replaced for all hosts if it is also seen in toRemove. I'm not sure this is right, e.g.

• Add profile with Identifier Custom1 to team 1
• Add profile with Identifier Custom1 to team 2
• ReconcileProfiles deploys the profile to hosts in team 1 and 2
• Update profile Custom1 for team 1 (must be replaced for hosts in team 1)
• Remove profile Custom1 for team 2 (must be deleted for hosts in team 2)
• ReconcileProfiles would see that Custom1 needs to be installed (because it needs to, but just for hosts in team 1)
• ReconcileProfiles sees that all hosts in teams 1 and 2 have Custom1 to be removed
• Thus it does not send a Remove for all hosts in teams 1 and 2, expecting them to have the profile replaced (which is true only for hosts in team 1)
• Result would be (I think) that hosts in team 2 still have the profile installed, but it is deleted from our host profiles table

[gillespi314]

Thanks! I've modified the map to use the combined key (HostUUID,ProfileIdentifier) and I'll add some tests to cover these scenarios.

[mna]

I don't think the query is quite right - it will delete rows where the host uuid is in the list of uuids whenever it is part of the profile identifiers or ids, but maybe it shouldn't be deleted for some particular combinations.

E.g. if I call this with [{hostA, profID1}, {hostB, profID2}], it would delete the row if hostA happens to have profile profID2.

[gillespi314]

Thanks again! I've modified query and I'll add some tests that cover this too.

[codecov]

Codecov Report

Patch coverage: 40.00% and project coverage change: -0.02 ⚠️

Comparison is base (337d61c) 60.41% compared to head (005d501) 60.40%.

❗ Current head 005d501 differs from pull request most recent head c0d5b29. Consider uploading reports for the commit c0d5b29 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10998      +/-   ##
==========================================
- Coverage   60.41%   60.40%   -0.02%     
==========================================
  Files         522      524       +2     
  Lines       54200    54392     +192     
==========================================
+ Hits        32747    32855     +108     
- Misses      18468    18542      +74     
- Partials     2985     2995      +10     

Impacted Files	Coverage Δ
server/fleet/apple_mdm.go	40.38% <ø> (+1.49%)	⬆️
server/fleet/datastore.go	0.00% <ø> (ø)
server/datastore/mysql/apple_mdm.go	70.62% <3.57%> (-0.26%)	⬇️
server/service/apple_mdm.go	58.50% <100.00%> (+1.71%)	⬆️

... and 13 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[gillespi314]

Closed in favor of #11084