fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Download Fleet installers from a separate AWS container #8793

Open eashaw opened 1 year ago

eashaw commented 1 year ago

Problem

As a Fleet user, I want the option to download an installer for my Fleet instance instead of creating one with fleetctl package.

Users who click the "Add hosts" button in Fleet are given instructions for generating installers for their Fleet instance using the fleetctl package command. Users who are unfamiliar with the terminal may not be able to easily generate an installer.

Requirements

Allow users to download a package for their Fleet instance directly from fleetdm.com.

  1. The Fleet core product's "Add hosts" modal presents users with the option to download an installer.
  2. The core product directs users who want to download a Fleet installer to a page on fleetdm.com, and sends the information required to generate an installer to fleetdm.com.
  3. An API on fleetdm.com that runs the fleetctl package command.
  4. A page on fleetdm.com where users can download their generated Fleet installer.
  5. pkg comes signed so that no warning appears to the end user.

eashaw commented 1 year ago

From Slack:

eashaw: I tested running fleetctl package from a child process in a Heroku app. It looks like the child process doesn't have sufficient permissions to create directories with the correct mode. Here is the error that it fails with: image

Zach Wasserman: Thank you for the update, Eric. I have another idea for how we might be able to make this work on Heroku. Essentially it would be taking the fleetdm/fleetctl Docker container and then adding whatever components are necessary to serve the Sails app on top of that. Because that container includes all of the dependencies necessary for running fleetctl package, I think that we might have better luck that way. I'll follow up with more about this after we sort out the MDM CSR work.

mike-j-thomas commented 1 year ago

@zwass, did you get a chance to try out your idea, above?

zwass commented 1 year ago

I have not yet been able to try out the idea of installing the rest of the dependencies.

zayhanlon commented 1 year ago

@zwass This may have dropped in priority, but if we're still interested in completing this, let us know! We will wait on your feedback on the above ^ before prioritizing.

zayhanlon commented 1 year ago

https://github.com/fleetdm/fleet/issues/9000

zhumo commented 1 year ago

@zayhanlon I added a requirement above: "pkg comes signed so that no warning appears to the end user." LMK if that is hard to do.

zhumo commented 1 year ago

@zayhanlon I'd like to move this up in priority.

zayhanlon commented 1 year ago

@zhumo Eric can't complete this without information from Zach. I have a call with Zach to discuss today! Stand by for an update

zayhanlon commented 1 year ago

@zhumo notes from call with Zach:

It was going to be nice to not do this with additional infrastructure by putting it on fleetdm.com, but it's probably less pain to stand up a server in AWS for doing this. There's a container already available with dependencies configured.

Next steps: Zay to design UI

@zhumo What do we want the user experience to look like? I can take on design with some input from you. Are we thinking of it looking like the sandbox experience, while also allowing the current process?

1) Lucas or Zach Wass to address backend work (needs estimation)
2) What's the method to deploy, maintain, and monitor this ongoing (infra team)?

@eashaw This is going to be pulled off your plate.

zhumo commented 1 year ago

@zayhanlon I think the outcome here is that users don't have to run a fleetctl command, you just click a button and an installer gets generated. I think if customers need to host the AWS image, that's fine too... I would hope that deployment is painless and it "just works." Let's talk through this at our next 1/1.

zayhanlon commented 1 year ago

@lucasmrod to estimate before next sprint