Keep a long term storage of all binaries and artifacts created by Fleet #19182
Comments
From the estimation call the following need to be addressed:
Idea: Use a directory with version name to keep historical data (because R2 does not have versioning).
@getvictor as discussed in Slack, here is (high level) what we would need on the MDM side:
over-communicating: I have marked this as a blocker for #19176
#19182 and #19111

- Upload and keep all fleetd-base and fleetd-chrome artifacts
- Code sign fleetd-base.msi
- Verify checksums and try installing fleetd-base packages

These changes will apply the fleet-base workflow to download-testing.fleetdm.com, and another PR will change to the production endpoint (download.fleetdm.com) after QA.

## fleetd-base

Successful fleetd-base workflow run: https://github.com/fleetdm/fleet/actions/runs/9522282299

New meta files will be in the `stable` directory:
- https://download-testing.fleetdm.com/stable/meta.json
- https://download-testing.fleetdm.com/stable/tuf-meta.json

The files in the root directory will no longer be updated for backward compatibility.

## fleetd-chrome

Successful fleetd-chrome beta run: https://github.com/fleetdm/fleet/actions/runs/9552391075/job/26328861033
@roperzh The updated workflow #19749 will be updating files at https://download-testing.fleetdm.com. Once this workflow is QAd, I will do another PR to switch it to https://download.fleetdm.com
@xpkoala I used https://download-testing.fleetdm.com/ for the work at #20078 and can confirm that's working great. Any way I can help you get this through ready to release?
@roperzh Nope! I was working on this with Victor yesterday and I just failed to move it over. I appreciate the extra eyes!
Thanks! @getvictor as soon as you update https://download.fleetdm.com I will merge #20078
@roperzh Please approve #20093. I already ran the flow, so you can see the files at: https://download.fleetdm.com/stable/meta.json
#19182 Releasing new fleetd-base flow
- The flow has been QA'd
- The flow puts the generated files into new directories (`stable` and `archive`), so risk is low

#19182 Updated docs to point to https://download.fleetdm.com/stable

The files at the root (https://download.fleetdm.com/fleetd-base.pkg and https://download.fleetdm.com/fleetd-base.msi) will no longer be updated.
Binaries stored, like seeds,
Goal
Context
Unlike code that could be tagged and retracted with specific exact versions, binaries could not be recompiled to have the exact same file with the same signature for many reasons (e.g. using different compilers).
For the reason described below and many others, any binary needs to be stored long term with its version.
Reason: In an incident documented here we used an existing binary with a specific SHA256 signature to remediate a problem. Similar usage may be needed in the future.
Changes
Create a mechanism that will follow our releases and store all binaries in an organized manner.
TODO: The exact organization should be discussed. (Need all files with all their versions.)
Product
QA
Make sure the new mechanism works on all our binaries. The new fleetd-base release mechanism stores files in new directories (stable and archive), so we do not need to worry about being backward compatible with current/old Fleet server.
Risk assessment
Manual testing steps
Testing notes
Confirmation
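
The storage idea from this issue (a directory per version, because the bucket keeps no object history, plus a recorded SHA256 so a specific binary can be identified later), sketched as an added example that is not Fleet's workflow code. The `archive/<version>/` layout, the `sha256.json` manifest name, the function names and the local directory standing in for the R2 bucket are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_artifact(root: Path, version: str, artifact: Path) -> str:
    """Store artifact under root/archive/<version>/ and record its SHA256.

    Write-once: the same bytes again are a no-op; different bytes under an
    already archived version raise instead of silently replacing history.
    """
    dest_dir = root / "archive" / version  # assumed layout
    manifest_path = dest_dir / "sha256.json"  # hypothetical manifest name
    new_hash = sha256_file(artifact)
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    old_hash = manifest.get(artifact.name)
    if old_hash == new_hash:
        return new_hash
    if old_hash is not None:
        raise FileExistsError(f"{artifact.name} {version} already archived with another hash")
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(artifact, dest_dir / artifact.name)
    manifest[artifact.name] = new_hash
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return new_hash


def verify_archived(root: Path, version: str, name: str) -> bool:
    """Re-hash the stored file and compare it with the recorded checksum."""
    dest_dir = root / "archive" / version
    manifest = json.loads((dest_dir / "sha256.json").read_text())
    return sha256_file(dest_dir / name) == manifest[name]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample data
        pkg = Path(tmp) / "fleetd-base.pkg"
        pkg.write_bytes(b"constructed sample bytes")
        bucket = Path(tmp) / "bucket"
        print(archive_artifact(bucket, "1.0.0", pkg), verify_archived(bucket, "1.0.0", pkg.name))
```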