Agent subtask: Run script

[georgekarrv]

Only if script execution is enabled (via build or profile)

• [x] Create a subdirectory that matches the execution uuid.
• [x] Create a file with contents of the script.
• [x] Give the file execute permissions. (should not be necessary given that we run sh <script-file>, maybe on Windows? To test...)
• [x] Execute the script capturing stdout and stderr
• [x] Store the last 10000 characters of stdout and stderr combined
• [x] Store the runtime in seconds as an integer
• [x] Kill the process after 30s if it has not exited
• [x] remove directory and contents. (for debugging it would be useful to have a flag to NOT delete these contents)
• [x] The host should locked to use only 1 script at a time.
• [x] The lock should be accessible via the api.

If script execution is not enabled we need an error state for the run that indicates to the user that script execution is not available for this host.

Communication between fleet server and agent was implemented as part of https://github.com/fleetdm/fleet/issues/13305:

• Use the notifications struct returned as part of the "get orbit config" request to get the list of pending scripts' execution_id to run on the host (PendingScriptExecutionIDs)
• Get the scripts to run, one at a time, using POST /api/fleet/orbit/scripts/request (it will already be implemented as a method on OrbitClient.GetHostScript as part of #13305 ) to get the script's contents
• Save the script's result using POST /api/fleet/orbit/scripts/result (it will already be implemented as a method on OrbitClient.SaveHostScriptResult as part of #13305 ) to save the script's results

[georgekarrv]

Hey team! Please add your planning poker estimate with Zenhub @gillespi314 @mna @roperzh

[mna]

@georgekarrv and note to the person that will address this ticket:

I think the agent should send a result (call OrbitClient.SaveHostScriptResult even if script execution is disabled for the agent (in which case, of course, it wouldn't execute the script, just send a stock result, e.g. output: "script execution disabled", exit_code: -1) so that Fleet knows that the script is not pending anymore and stops sending useless notifications to the host.

This is because the server cannot know for sure if script execution is available or not on that host (if the deployed agent was compiled with or without the script execution enabled). Another option is to track that somehow (e.g. via a query ingestion of the capabilities of the orbit agent) and prevent sending script execution requests to those hosts, but that's more complex and not something readily available AFAIK.

[mna]

@georgekarrv I'm wondering what the environment variables provided to the script should be? By default, it would get the same as orbit's, but maybe there are some things in there that shouldn't be passed. On another hand, clearing the env vars altogether might prevent some scripts from working as expected, e.g. if it expects at least a reasonable $PATH and such.

For now I'll leave it as the default (it will inherit orbit's env vars), but just wanted to raise this point so we can think about it and see if there's any potential security risk (cc @lucasmrod who knows orbit quite well).

[fleet-release]

Script takes its flight, Fleet's wisdom in each byte, Securing the night.

Through clouds it will race, In its unique storage space, Leaving no trace.

For the scripts we yearn, Only one at a time will turn, In the lock, they learn.