
New Role install_agent #25

Merged
merged 15 commits into from
Mar 27, 2024

mwester117
Collaborator

@mwester117 mwester117 commented Mar 14, 2024

This PR contains the new install_agent role, which uses the recently introduced sentinelone_download_agent module, and adds a new release v1.1.0 to the sva.sentinelone collection.

With this role you can download and install the SentinelAgent on Windows and Linux hosts. Just provide the API URL, API token and site.

For more details, see: README.md

Fixes: #1 and #13

- Added Linux installation part
- Added Windows installation part
- Removed unnecessary string conversion in modules
- Increased collection version
- Optimized Code in download agent module to be better compatible with the role
 - Refactored SentinelOne modules examples to use the new namespace 'sva.sentinelone' instead of 'sentinelone'
 - Updated the 'install_agent' role to use the new modules
 - Added functionality to get the registration token from the API
 - Included tasks based on the OS family
 - Added a check to verify if the new client appears in the management console
 - Removed the local agent install package after installation
- Updated error message for unsupported OS in preflight check.
- Replaced `ansible_facts.os_family` with `os_family` for OS type determination.
- Modified Authorization header to include "APIToken" prefix.
- Adjusted conditions for successful API calls.
- Changed `reg_token_uri` to use explicit group and site IDs.
- Split task execution into separate Linux and Windows tasks.
- Added `os_family` variable to determine OS based on package format.
- Updated README.md with new license information from Apache License, Version 2.0 to GNU General Public License v3.0+.
- Updated galaxy.yml with new license file location and added a new tag 'install_agent'.
- Expanded the install_agent role README.md with detailed information about supported operating systems, requirements, role variables, dependencies, and author information.
- Updated install_agent role default variables including enabling signed packages and added new variables 'hide_sensitive' and 'lx_force_new_token'.
- Enhanced install_agent role metadata in meta/main.yml, including author details, issue tracker URL, minimum ansible version, supported platforms, and tags.
- Included new tasks in Linux.yml for the install_agent role to handle function tracing issues, import GPG keys, install signed/unsigned packages, and conditionally register agents.
- Included new tasks in Windows.yml for the install_agent role to remove Windows Defender on servers, manage the SentinelOne service, and handle system reboots.
- Updated main.yml for the install_agent role to handle registration tokens, site and group IDs, and added conditional no_log for sensitive tasks.
- Added variables to vars/main.yml to determine package formats, architectures, and set the API base URL.
- General improvements to install_agent role tasks for better readability, reliability, and security.
…thon versions

- Removed support for Ansible stable-2.13 from the GitHub Actions CI workflow.
- Updated the ansible-test matrix to match the currently supported Ansible versions
- Bumped the minimum required Ansible version from 2.13 to 2.14 in README.
- Increased the minimum Python version requirement from 3.6 to 3.9 in README.
- Added galaxy dependencies.
- Expanded the supported operating systems list in `roles/install_agent/README.md`.
- Added new role variables `hide_sensitive` and `lx_force_new_token` to `roles/install_agent/README.md`.
- Set default value of `lx_force_new_token` to false in `roles/install_agent/defaults/main.yml`.
- Corrected quoting of `min_ansible_version` in `roles/install_agent/meta/main.yml`.
- Added new platforms and updated versions in `roles/install_agent/meta/main.yml`.
- Changed task name to include quotes for consistency in `roles/install_agent/tasks/Linux.yml`.
- Fixed the module name typo from `ansible.windos.win_service` to `ansible.windows.win_service` in `roles/install_agent/tasks/Windows.yml`.
- Removed the `tests/sanity/ignore-2.13.txt` file as support for Ansible stable-2.13 is dropped.
- signed packages option is not necessary since all packages are now signed
- Added `ansible.windows` dependency to `galaxy.yml`.
- Updated `install_agent` role to support flexibility in GPG key handling for RPM package verification.
- Replaced static console URL with a placeholder in `install_agent` README.
- Reorganized supported operating systems list in `install_agent` README for better readability.
- Added and fixed logic to enable gpg_key signature checks for packages
- Streamlined the `install_agent` meta info, fixing tag consistency and trimming unnecessary comments.
- Added pre-installation checks to ensure the agent is not already installed.
- Adjusted `install_agent` main task to skip download if the agent is already installed.
- Added `no_log` directive to sensitive tasks to prevent logging of secure information.
- Fixed some statements in tasks: Windows.yml and vars/Windows.yml
  - Modified reboot condition to check for changes rather than relying on `reboot_required`
  - Implemented a pause after installation before checking service status
  - Included a conditional task to install Python bindings for package managers on Linux
  - Gather package facts conditionally based on OS family.
  - Implemented a check for SentinelOne agent installation on Windows
  - Set `agent_installed` fact based on package facts or service information (os_dependant)
- Adjusted agent architecture mapping
- Set `run_once` directive for the block that gets the registration token to prevent unnecessary repeated tasks
- Defined `exe_parameters` and `msi_parameters` for Windows package installation.
- Refined `pkg_arch` and `os_family` variable definitions using regex and conditional logic.
- Update collection and role Readme.md
- renamed variable win_download_exe to win_use_exe
- Updated CHANGELOG.rst

github-actions bot commented Mar 14, 2024

Docs Build 📝

Thank you for contribution!✨

This PR has been merged and the docs are now incorporated into main:
https://svalabs.github.io/sva.sentinelone/branch/main

@mwester117 mwester117 marked this pull request as ready for review March 14, 2024 15:14
@mwester117 mwester117 requested a review from nwerker March 14, 2024 15:15
@mwester117 mwester117 added the enhancement New feature or request label Mar 14, 2024
@codecov-commenter

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️

@mwester117 mwester117 assigned stdevel and unassigned nwerker Mar 26, 2024
@mwester117 mwester117 requested review from stdevel and removed request for nwerker March 26, 2024 14:05
Member

@nwerker nwerker left a comment


Looks very good!

Besides the nitpicking comment:

I checked the Docs Site that was built for this PR and sadly couldn't find the documentation for the role. Maybe we have to tweak the pipeline or see if antsibull docs is even capable of rendering documentation for the role.

when: pkg_format == "msi" or pkg_format == "exe"

- name: "Windows: Wait for 15 seconds"
ansible.builtin.pause:
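
Review bot: The `when:` on the first line compares `pkg_format` twice; `pkg_format in ["msi", "exe"]` states the same condition once and extends cleanly if another Windows package format is added. The task name "Windows: Wait for 15 seconds" also bakes the duration into the name, so if the wait is ever made configurable the name will no longer match what the task does; a name without the number avoids that.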
Member

@nwerker nwerker Mar 27, 2024


This could lead to problems depending on the Windows System to be configured.

2 ideas to improve this:
a. set time duration to wait not fixed but variable (leave 15 sec as default)
b. Would be ideal, but I'm not sure regarding implementability: Use win_wait_for or win_service_info module to check if desired sentinel one service is running after installation

Member


I've seen that you are checking with "win_service_info" for the availability of the Service shortly after.

Maybe instead of having a fixed wait it would be better to just work with "retries / until" the service is available and maybe timeout after a given period of time.

Member


Compromise with @mwester117: Fix this in a follow up release
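
The "retries / until" approach suggested in this thread, sketched as an added example; it is not code from this PR or from the sva.sentinelone collection. The variables `s1_service_name`, `s1_service_retries` and `s1_service_delay` are hypothetical names chosen for illustration, and the service name itself has to be supplied because it does not appear on this page.

```yaml
# Added example: poll for the agent service instead of pausing for a fixed time.
# All s1_* variables are hypothetical and not part of the install_agent role.
- name: "Windows: Wait until the agent service is running"
  ansible.windows.win_service_info:
    name: "{{ s1_service_name }}"          # set to the agent's Windows service name
  register: s1_service
  # Succeeds as soon as the service exists and reports state "started".
  until: >-
    s1_service.exists and
    (s1_service.services | selectattr('state', 'equalto', 'started') | list | length > 0)
  retries: "{{ s1_service_retries | default(12) }}"   # 12 x 5 s = 60 s upper bound
  delay: "{{ s1_service_delay | default(5) }}"
  when: pkg_format in ["msi", "exe"]
```

If the condition is still false after the last retry, the task fails, which surfaces a stalled installation instead of letting the play continue against a host without a running agent.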


@nwerker nwerker self-requested a review March 27, 2024 13:01
@mwester117 mwester117 merged commit 68082a3 into main Mar 27, 2024
22 checks passed
@mwester117 mwester117 deleted the feature_install_agent_role branch March 27, 2024 13:05
@mwester117 mwester117 removed the request for review from stdevel March 27, 2024 13:06
Successfully merging this pull request may close these issues.

Add client/agent management role/modules
4 participants