MacOS Ventura - Not starting meshagent on boot (Maybe Solved)

spiffyguy commented 2 years ago

Hi there,

I upgraded a lot of the machines I manage to MacOS Ventura yesterday. Upgrade went fine on the machines but after installing and then restarting the new update, I noticed the machines were "offline" in my MeshCentral interface.

I got onto the machines another way and re-installed the meshagent which worked perfectly and allowed me to see it in MeshCentral again.

Then I restarted the client machine and noticed that the machine was "offline" again when it booted back up.

So I looked into the launchd console log to see why it didn't start automatically and saw these 2 lines:

> (system/meshagent) <Error>: Caller tried to import service with same label as an existing service: path = /Library/LaunchDaemons/meshagent.plist, caller = smd[95] > (system) <Notice>: Bootstrap by smd[95] for /Library/LaunchDaemons/meshagent.plist failed (17: File exists)

When I googled this message, random notes online said to check /Library/LaunchAgents/ folder and see if there is a duplicate service .plist file and there was! So I had the same meshcentral.plist file in both "LaunchAgents" and "LaunchDaemons" folders.

I deleted the /Library/LaunchAgents/meshcentral.plist file. Then restarted the client machine. And it came back "online" through my MeshCentral interface!

Further reading online says that the /Library/LaunchAgents/ folder is usually for USER services and /Library/LaunchDaemons/ is usually for ROOT/SYSTEM services.

Is there a reason why the meshcentral.plist file gets installed into both folders? I noticed that it's in both folders on all my macOS Monterey machines as well but is still able to launch where as macOS Ventura seems to stop the service if it's tried to be called from both places.

If it helps I installed the meshagent using the "Linux / BSD / MacOS Binary Installer" so my command I run on the client terminal to install meshagent is something like this: curl -k "https://SERVER.DOMAIN.COM/meshagents?id=JiiIjBvqSfC5vncaxwUNIQUEIDfhdsjghdfjg3434343&installflags=2&meshinstall=10005" -o ./meshagent && chmod +x ./meshagent && sudo ./meshagent -install which just asks for the user password and installs meshagent in the proper group I want.

After discovering this... BEFORE I upgrade to macOS Ventura and to make sure meshagent continues to run on boot... I run this first: sudo rm -rf /Library/LaunchAgents/meshcentral.plist on the client machine and THEN upgrade the machine to Ventura. Then everything is fine and meshagent auto starts when the machine boots up.

Can anyone else confirm they see the same issue? And let me know if removing the "LaunchAgents" plist file fixes the meshagent starting at boot for them as well?

If that is the fix, then I recommend we make sure the meshagent installer uses the "LaunchDaemons" folder and not the "LaunchAgents" folder in the future for startup services on Mac.

r4yzs commented 2 years ago

Hello, same problem with the mpkg. Need to delete meshcentral.plist on LaunchAgents. Can you take control before log in ?

krayon007 commented 2 years ago

I'll have to take a look and retool how the agent uses the LaunchAgent, because the agent requires both a launch agent and a launch daemon, otherwise a couple components won't work, such as remote desktop, or dialog boxes, etc. The agent uses a launch agent to IPC to an interactive desktop session.

r4yzs commented 2 years ago

I'll have to take a look and retool how the agent uses the LaunchAgent, because the agent requires both a launch agent and a launch daemon, otherwise a couple components won't work, such as remote desktop, or dialog boxes, etc. The agent uses a launch agent to IPC to an interactive desktop session.

Is there a solution to have remote desktop before login ? I know that some other remote software can do it.

Thanks you

spiffyguy commented 2 years ago

Gotcha, well it may be something as simple as labelling them different. I know you can customize the name of the service using the config on the server but maybe for the "LaunchAgent" side it does something like "meshagent-user.plist" and then the "LaunchDaemons" side it does "meshagent-system.plist." So if someone does use the "agentCustomization" settings in the config.json to change the name it would be something like "${agentCustomization->filename}-user.plist" so no matter what the LaunchDaemon/LaunchAgents will both exist and be named differently so they don't conflict. Need to do some testing to see if that works.

spiffyguy commented 2 years ago

Is there a solution to have remote desktop before login ? I know that some other remote software can do it.

Thanks you

I think this is a different concern, I don't mean to change the subject of this issue but I do have access to my mac's BEFORE they login with MeshCentral. So I see the main login screen when no one has signed in. There could be something else going on... What does it look like on your side when you try to Remote Desktop before login? I would open a separate ticket @r4yzs to discuss this further.

r4yzs commented 2 years ago

Is there a solution to have remote desktop before login ? I know that some other remote software can do it. Thanks you

I think this is a different concern, I don't mean to change the subject of this issue but I do have access to my mac's BEFORE they login with MeshCentral. So I see the main login screen when no one has signed in. There could be something else going on... What does it look like on your side when you try to Remote Desktop before login? I would open a separate ticket @r4yzs to discuss this further.

Hello @spiffyguy , I will open a ticket.

I see that my Mac is online but I can't see the screen (black screen) but I can use the terminal.

I tested with 2 mac with Ventura.

Thanks you

spiffyguy commented 2 years ago

Hello @spiffyguy , I will open a ticket.

I see that my Mac is online but I can't see the screen (black screen) but I can use the terminal.

I tested with 2 mac with Ventura.

Thanks you

That's a different issue, not a permissions thing, I think I know the problem, doing testing right now. Make a ticket and I will comment on what to try to see if you can get in...!

NiceGuyIT commented 1 year ago

@krayon007

the agent requires both a launch agent and a launch daemon

Even though the LaunchAgent is needed, removing it allowed most functionality (desktop, terminal, files) to work. I'm assuming the functionality that requires the agent includes things that interact with the user such as chat and messaging. Renaming the Label allowed the daemon to start on boot. I don't know if it's required but I also renamed the agent meshagent.plist to differentiate it from the system meshagent.plist.

However, the user services still didn't work. Since the agent and daemon share the same install location, I had to give my user access to the directory and files using the command below. The permissions on the directory did not allow my user to view the contents. The executable already had o+x so all I had to do was give access to the installation directory. Note: +X gives traversal (a.k.a. cd) permissions to directories and does not affect files.

sudo chmod o+rX /opt/tacticalmesh/

Those 3 changes (rename the service, plist and change permissions on the install directory) makes MeshCentral work on macOS Ventura.

rosch100 commented 1 year ago

It works with both Agent and Daemon if I change the name and label of the Daemon to e.g. meshdaemon. This script takes care of a working installation:

curl -k "https://SERVER.DOMAIN.COM/meshagents?id=fL198sFnWekXXR1KBJwhbO5vvuqvIKrF6QmdmjPURJKDsTdQgcZGHxEud6ZKDKxM&installflags=0&meshinstall=10005" -o ./meshagent
chmod +x ./meshagent
sudo ./meshagent -install
sudo sed -i '' '/<key>Label<\/key>/,/<\/string>/s/meshagent/meshdaemon/'  /Library/LaunchDaemons/meshagent.plist
sudo mv /Library/LaunchDaemons/meshagent.plist /Library/LaunchDaemons/meshdaemon.plist