-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Autoupdate osquery #34
Conversation
The upstream package was refactored and doesn't exist anymore. The functionality is actually being implemented in #34 so the correct dependencies will be added there. Because the updater package is missing, the dependency manager is corrupting the dependency cache for various pull requests. Closes #39
|
||
// bootstraps local TUF metadata from bindata assets. | ||
func (u *Updater) createLocalTufRepo() error { | ||
if err := os.MkdirAll(u.settings.LocalRepoPath, 0755); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function doesn't take the creation of the directory structure for delegate roles into account.
├── root.json
├── snapshot.json
├── targets
│ ├── bar.json
│ ├── role
│ │ └── foo.json
│ └── role.json
├── targets.json
└── timestamp.json
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to move this to an issue
Makefile
Outdated
INSECURE ?= false | ||
PLATFORM ?= darwin | ||
generate: | ||
go run $(shell pwd)/autoupdate/generate_tuf.go \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can't this be go run ./autoupdate/generate_tuf.go
or even using GOPATH
instead of pwd
?
Should we consider merging this before too many merge conflicts arise? It looks like the debug logging changes maybe have caused some merge conflicts in |
No, I'm in the process of rebasing this locally. Started yesterday. |
autoupdate/autoupdate.go
Outdated
|
||
func (u *Updater) binary() string { | ||
bin := filepath.Base(string(u.destination)) | ||
if bin == "osqueryd" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marpaia right now we have the binary named osqueryd
but the download url uses osquery
for the binary/url path.
Would you rather have this conditional in the code, or use osqueryd
in the url on the mirror?
Let's 🚲 🏠
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure that I follow. I think the binary should be called osqueryd
in GCS.
cmd/launcher/launcher.go
Outdated
@@ -59,6 +66,11 @@ func parseOptions() (*options, error) { | |||
false, | |||
"print launcher version and exit", | |||
) | |||
flTLS = flag.Bool( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's rename this to something like flInsecureTLS
as right now false
indicates "use TLS" and that's a bit confusing.
Makefile
Outdated
|
||
|
||
test: generate | ||
go test -cover -v $(shell go list ./... | grep -v /vendor/) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-race
also?
autoupdate/autoupdate.go
Outdated
) (*Updater, error) { | ||
gun, err := d.gun() | ||
if err != nil { | ||
return nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to be consistent with the use of errors.Wrap
(as in line 78). I'd prefer using it everywhere, but I'm open to argument.
autoupdate/autoupdate.go
Outdated
localRepo := filepath.Base(u.settings.LocalRepoPath) | ||
roles := []string{"root.json", "snapshot.json", "timestamp.json", "targets.json"} | ||
for _, role := range roles { | ||
asset, err := Asset(path.Join("autoupdate/assets", localRepo, role)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
split "autoupdate/assets" into two strings so path.Join
can use the appropriate separator
autoupdate/autoupdate.go
Outdated
func (u *Updater) Run(opts ...tuf.Option) (stop func(), err error) { | ||
updaterOpts := []tuf.Option{ | ||
tuf.WithHTTPClient(u.client), | ||
tuf.WithFrequency(10 * time.Second), //TODO leave default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a TODO for this PR or later?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good question. I might just up this to every 5 minutes an issue for now while we're working out the details.
or i could expose it in a flag..
The default interval is 1 hour, which is ok for a customer's environment, but a hell of a time to wait while testing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When you refer to "testing" are you talking about manual testing, or automated tests? If it's manual testing then I think I agree with the idea of putting it behind a flag.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, manual testing with the launcher running and actually updating the artifact in the remote mirror.
I'll add the flag.
autoupdate/generate_tuf.go
Outdated
flag.Parse() | ||
|
||
gun := fmt.Sprintf("kolide/%s", *flBinary) | ||
localRepo := filepath.Join("./autoupdate/assets/", fmt.Sprintf("%s-tuf", *flBinary)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
split "./autoupdate/assets/"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you clarify what you mean by split?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nvm, I see
autoupdate/generate_tuf.go
Outdated
) | ||
flag.Parse() | ||
|
||
gun := fmt.Sprintf("kolide/%s", *flBinary) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a path being created? Should it use filepath.Join
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's a URL path.
I suppose path.Join can work.
|
||
// call this method to restart the launcher when autoupdate completes. | ||
launcherFinalizer := func() error { | ||
if err := syscall.Exec(os.Args[0], os.Args, os.Environ()); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool!
cmd/launcher/launcher.go
Outdated
logFatal(logger, errors.Wrap(err, "launching osquery instance")) | ||
} | ||
|
||
// TODO delete this block and use docker compose |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO for this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, this was just a shim so I can test with a local mirror
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great!
Makefile
Outdated
go run ./autoupdate/generate_tuf.go \ | ||
-binary=osqueryd -notary=${NOTARY_URL} -insecure=${INSECURE} | ||
# go run ./autoupdate/generate_tuf.go \ | ||
# -binary=launcher -notary=${NOTARY_URL} -insecure=${INSECURE} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these be uncommented?
updater.bootstrapFn = updater.createLocalTufRepo | ||
|
||
for _, opt := range opts { | ||
opt(&updater) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤘
cmd/launcher/launcher.go
Outdated
launcherUpdaterOpts..., | ||
) | ||
if err != nil { | ||
logFatal(logger, "err", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that enableAutoUpdate
should return (func(), err)
and func main
should be the one doing the logFatal
ing.
Adds the autoupdate package which wraps github.com/kolide/updater/tuf to provide secure autoupdates from a remote mirror. If enabled, both osquery and launcher itself are updated when new versions are released.
This PR is mostly complete. Needs some work adding tests and using docker compose instead of some hacky code to run a local test mirror.