fleet icon indicating copy to clipboard operation
fleet copied to clipboard
verified publisher icon fleetdm

Ability to deploy python scripts through Fleet

Open harrisonravazzolo opened this issue 1 year ago • 5 comments

  • prospect-olympus: Gong snippet: https://us-65885.app.gong.io/call?id=3634815565109127519&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1345%2C%22to%22%3A1414%7D%5D && https://us-65885.app.gong.io/call?id=6230952129081950044&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A1876%2C%22to%22%3A1925%7D%5D
  • customer-sarahwu: Gong snippet
  • @noahtalerman: olympus requested this because they run some python scripts that include JSON/XML parsing and it's inconvenient for them to re-write these in shell/bash. For all other scripts they use shell/bash.
    • @nonpunctual: JSON parsing is native in Python. Something like jsonlib.
    • @allenhouchins: In addition to JSON/XML parsing, there are other features that are python only.
    • @noahtalerman: In the interim the user can re-write their scripts in shell/bash (yikes).
    • @noahtalerman: Eventually Fleet will allow users to upload Python scripts. And let them execute Python scripts.
  • @noahtalerman: sarahwu requested this because all their scripts are written in Python.
  • @nonpunctual: sarahwu requested this because they write scripts that have an objective C bridge to make it easier to interact with macOS APIs.
  • @nonpunctual: Python isn't included by default in macOS. To run Python scripts you have to deploy Python. Most Mac Admins use this to deploy Python: https://github.com/gregneagle/relocatable-python
  • @nonpunctual: If you try to run a Python script and there's no Python the default error message isn't good: zsh: command not found: somebin
    • @noahtalerman: Fleet could make this friendlier. Can we know that there's no Python?
    • @nonpunctual: Most Mac admins will understand this error message (they know Python isn't there by default). Windows admins running scripts on Macs won't.
  • @nonpunctual: Windows admins run Python scripts on Windows. Most have a preference for PowerShell.

harrisonravazzolo avatar Jan 07 '25 21:01 harrisonravazzolo

@Patagonia121 can you add the snippet from today's call with customer-sarahwu where they said they needed python support? Probably around the 15 minute mark.

allenhouchins avatar Jan 14 '25 18:01 allenhouchins

If we validate the shebang here against an allowlist (which we can expand as needed on successive releases) this shouldn't be too difficult to do.

One major assumption here is that scripts being deployed are self-contained, rather than requiring additional packages. Does this assumption hold for the customers'/prospects' script libraries, or does this need to support package management ([insert Python package manager holy war here]) to be an effective solution?

Other question: given that executing Python scripts would be in scope for script automation as part of this, do we want to try to run Python scripts on Windows (which would require a little more research to ensure they work there) or is *nix support sufficient for an initial iteration?

iansltx avatar Jan 15 '25 13:01 iansltx

All set, @allenhouchins. Thanks!

Patagonia121 avatar Jan 15 '25 15:01 Patagonia121

Most Mac admins that are deploying python for scripting & Munki will be using this: https://github.com/gregneagle/relocatable-python

nonpunctual avatar Jan 15 '25 15:01 nonpunctual

Problem

We often deploy scripts to our endpoints with structured languages like JSON or XML and we don't want to do that in bash because it's not as friendly. My CPE team is most experienced writing in this language.

What have you tried?

I tried uploading a .py script to the script repo in Fleet and it failed.

Potential solutions

Allow Fleet to intake .py files and support the #!/usr/bin/env python3 type interpreter.

What is the expected workflow as a result of your proposal?

When in the controls tab, allow the admin to upload Python scripts.

noahtalerman avatar Jan 15 '25 19:01 noahtalerman