I’m writing some KBs on deploying software with BigFix, and I’m running into an issue with a deployment that requires multiple commands to install.
The software is for macOS, and there are multiple files, so I’m using the Software Distribution dashboard to upload the folder as a .bftemp. When it comes time to enter the Installation Command, I can only enter one line:
No problem, I thought, I’ll just use semicolons.
if [[ "$(uname -s)" = Darwin && "$(uname -v)" = *ARM64* ]]; then installer -pkg rapid7-insight-agent-*version*.arm64.pkg -target /; else installer -pkg rapid7-insight-agent-*version*.x86_64.pkg -target /;fi;/opt/rapid7/ir_agent/components/insight_agent/$(ls /opt/rapid7/ir_agent/components/insight_agent | grep "[0-9][^/]*$" | sort -Vr | head -n1)/configure_agent.sh --attributes="ENTER-TAG-HERE" --start --certificate_package_installation="$PWD/"
This command works, but the fixlet fails because BigFix first tries to echo it, and then fails at the first semicolon (thinking there’s a new command starting with then)
The user building this fixlet will need to replace the “ENTER-TAG-HERE” string with their department’s tag, so it needs to be easily editable (ruling out providing them with a base64 encoded command — I want them to just be able to copy-paste the command in after making their edits).
I am personally comfortable with editing the action script and adding multiple commands to run.sh, but I’m trying to make the process as easy as possible for our new BigFix operators.
Does anyone have any ideas or workarounds?
Some things I’m currently ruling out as too difficult for the target audience:
- Packaging everything up as a single .pkg to deploy
- Removing the first
echo
- Editing the Action Script to enter the multiple commands manually
- Building the command, and then base64 encoding it
Thanks
Well, it’s working, but gross:
echo "placeholder"; if [[ -z $run ]]; then if [[ "$(uname -s)" = Darwin && "$(uname -v)" = *ARM64* ]]; then installer -pkg rapid7-insight-agent-*version*.arm64.pkg -target /; else installer -pkg rapid7-insight-agent-*version*.x86_64.pkg -target /;fi;/opt/rapid7/ir_agent/components/insight_agent/$(ls /opt/rapid7/ir_agent/components/insight_agent | grep "[0-9][^/]*$" | sort -Vr | head -n1)/configure_agent.sh --attributes="ENTER-TAG-HERE" --start --certificate_package_installation="$PWD"; run="ran"; fi
Instead of echo’ing the whole command, I just give it echo "placeholder";, and then run the actual command after the semicolon in the same line.
Then to make sure it doesn’t run twice, I check for the existence of a run variable, which gets set after the first run.
Not sure how I feel about this, but it does enable inexperienced users to just copy paste the command after editing what they need.
If you’re already bundling multiple installers in a package, maybe you could also bundle a custom script like ‘install.sh’ with it?
Your install.sh could take that user tag as a parameter and then run all the other commands relative to the directory and tag.
1 Like
Not a bad idea, but unfortunately it’s another team sharing out the installers. I could instruct operators to create a .sh and include it in their uploads, but that’s backfired on us in the past — since some operators have file extensions hidden, we end up with install.sh.txt files.
I’ll think about hosting a template file somewhere for them to download… that might be the solution. Thanks!
Yeah I think you could use one install.sh for everyone, and you could create that; the instructions then are “copy the installers from path X, copy my install.sh from path Y, put them together in one directory on your machine, and upload that folder using the SWD dashboard”.
The install.sh that you create would take the TAG as a command-line option, and then run all of the other installers that it needs; so for your end users it’s a one-line command /bin/sh -c "./install.sh YOUR-TAG-HERE"
1 Like