AutoPkg with FileWave

The AutoPkg chapter of our Knowledge Base provides comprehensive guidance on using AutoPkg and AutoPkgr with FileWave to streamline software deployment. It includes articles on the new integrated AutoPkg feature in FileWave 15.5 for easy package creation, as well as detailed instructions on leveraging the full AutoPkg and AutoPkgr tools for advanced package management and customization.

Using AutoPkgr with FileWave for Advanced macOS Software Deployment
Autopkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO

Using AutoPkgr with FileWave for Advanced macOS Software Deployment

Description

AutoPkg is an automation framework for macOS software packaging and distribution, oriented toward the tasks one would normally perform manually to prepare third-party software for mass deployment to managed clients. An important use in conjunction with FileWave is to provide a way to turn 3rd party software updates into Filesets on an automated basis.

AutoPkg is an automation framework for macOS software packaging and distribution, designed to automate the tasks one would normally perform manually to prepare third-party software for mass deployment to managed clients. While FileWave version 15.5 and later introduces an integrated AutoPkg feature for simplified package creation (as detailed in our new article “Integrated AutoPkg (v15.5+)”), power users seeking advanced functionality may prefer using the full AutoPkg and AutoPkgr tools. This article focuses on leveraging AutoPkgr with FileWave to automate the process of turning third-party software updates into Filesets on an automated basis, providing greater control and customization options for sophisticated deployment scenarios.

Ingredients

FW Admin
AutoPkgr Installer
An 'always on' computer

Directions

Complementing the below setup, there is also a Foundry presentation about this and, additional configuration and typical stumbling blocks: FileWave and AutoPkg

Setup FileWave

Go to FileWave Admin -> Assistants -> Manage Administrators

Click on the + button to add a new Administrator
Select Local Account, (for example autopkg and the password autopkg as well)
Go to Permissions tab and click on Select None
Allow the autopkg user to 'Modify Filesets' and 'Set Permissions' as per the above screenshot.
Click Apply
Confirm with OK

Setup AutoPkgr

Go to https://github.com/lindegroup/autopkgr/releases/latest
Download, install and launch AutoPkgr
Launch AutoPkgr, Click on "Install AutoPkg" , and "Install Git"

Go to Folders & Integration and click on Install FileWaveImporter:

Click on Configure FileWaveImporter:

Enter your FileWave Server Hostname

- FileWave Server Port is already set to 20016
- Username is e.g. autopkg
- Password is e.g. autopkg
- Click on Verify to validate the setup
Click on Save and Close
Go to Repos & Recipes and verify that https://github.com/autopkg/recipes.git and https://github.com/autopkg/filewave/git are checked
Make sure that 'Active recipe list' has added com.github.autopkg.filewave:

Now You can run a Recipe for example Java8. To find it quickly enter filewave on search bar and check the Java8 recipe:

Security and Trust Relationship
Running recipes directly from a cloned repo will bypass AutoPkg's security mechanism. As such an Override recipe should always be created and run. This builds a local recipe with a trust relationship between this and any linked 'parent' recipes, see below. For additional information on Override recipes and more, please view the Foundry video: FileWave and AutoPkg

Congratulations ! Your AutoPkgr setup is now complete. Choose the recipes you would like to run on a regular basis , and then schedule AutoPkgr to run every 24 hours.

Recipe Updates
On occasion recipes that were working will fail to run. Typically this is because something has changed regarding the 3rd party's website or download. This will require the author of the relevant recipe to update their recipe to implement this change. In this instance of failed recipes, check for recipe updates 'Update Recipes Now'. For any updated recipe, changes should be observed and then the trust relationship will need to be updated too; see below.
Override recipes can additionally customise the Fileset, Fileset groups, etc.

Override Recipes & Trust Relationship

For security, a trust relationship was added between recipes. The idea is the child recipe is made to trust it's parent recipes. If an updated version of a parent recipe is pulled from a repository, then this parent will no longer be trusted by that child, until the trust relationship is manually updated. AutoPkgr does not offer the ability to change trust and so this must be done via the command line.

With no trust, when a recipe is run that relies on parent recipes you will see an error similar when running the recipe from Terminal:

$ autopkg run -v OracleJava8.filewave.local
Processing OracleJava8.filewave.local...
Failed local trust verification.
Receipt written to /tmp/receipts/OracleJava8.filewave-receipt-20180409-141621.plist
 
The following recipes failed:
    OracleJava8.filewave.local
        No trust information present.
 
Nothing downloaded, packaged or imported.

In this example, Creating a Recipe Override will create a recipe that has trust added for us. Using the above Java8 example, first make an Override recipe. The Override recipe and initial trust can be created in either AutoPkgr or using the command line. The Java 8 override recipe will be called "Java8.filewave.override". The last entry is reference to the parent recipe to be overridden (this can be either be recipe name or it's identifier, recipe name used in this example):

$ autopkg make-override -n Java8.filewave.override Java8.filewave

By making the override file in this way, the trust relationship has been added automatically to the Override recipe. Now there is a trust relationship, the override file can be used to run the recipe (either through Terminal or AutoPkgr):

$ autopkg run -v OracleJava8.filewave.override
Processing OracleJava8.filewave.override...
 
 
[lines removed]
 
 
The following fileset was imported:
    Fw Fileset Id  Fw Fileset Group  Fw Fileset Name   
 
    -------------  ----------------  ---------------   
    194266         Root              Java - 1.8.161.12 
 
The following packages were copied:
    Pkg Path                                                                            
 
    --------                                                                            
    /Users/Shared/Autopkg/Cache/local.override.filewave.OracleJava8/Java-1.8.161.12.pkg 
 
The following new items were downloaded:
    Download Path                                                                      
 
    -------------                                                                      
    /Users/Shared/Autopkg/Cache/local.override.filewave.OracleJava8/downloads/Java.dmg

If after updating repos, the trust relationship error is flagged against any recipes, this indicates that a parent has been updated and trust is no longer in place. At this point, the parent should be reviewed to observe the changes made. Changes to a recipe can easily be viewed by navigating to the relevant recipe on GitHub and viewing the 'History'.

Once confirmation has been made that the changes are acceptable, a new trust relationship should be created. As an override file already exits, the trust will need to be updated for the Java 8 override recipe; as such re-trusting all parents:

$ autopkg update-trust-info Java8.filewave.override

Although it is possible to disable trust relationship, this should not be recommended for security reasons. Current status can be seen by running the following and checking the value of 'FAIL_RECIPES_WITHOUT_TRUST_INFO':

$ autopkg info

It is possible to temporarily override the trust relationship, such that it is ignored:

$ autopkg run --ignore-parent-trust-verification-errors [name of recipe]

Important

FOR SECURITY REASONS, IT IS ALWAYS RECOMMENDED THAT RECIPES ARE CHECKED BEFORE INGESTING INTO YOUR FILEWAVE SERVER AND CREATED FILESETS ARE SUBSEQUENTLY CHECKED ON TEST MACHINES BEFORE DEPLOYING TO LARGER GROUPS OF MACHINES

Integrated AutoPkg (v15.5+)
Autopkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO
FileWave & AutoPkg Instructions - https://github.com/autopkg/filewave
The primary site for AutoPkg - http://autopkg.github.io/autopkg
Github Site for AutoPkg - https://github.com/autopkg/autopkg
AutoPkgr website - http://www.lindegroup.com/autopkgr
AutoPkg Trust - https://github.com/autopkg/autopkg/wiki/AutoPkg-and-recipe-parent-trust-info

Autopkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO

AutoPkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO

Description

Autopkg provides security through trust relationship. Each recipe is set to trust any parents. If those parents change, the trust will be broken until the recipe is informed to trust these updated parent recipes. Message may read as follows with no exit status error:

WARNING: com.github.autopkg.filewave.OracleJava8 is missing trust info and FAIL_RECIPES_WITHOUT_TRUST_INFO is not set.  
Proceeding...

This is a generic Autopkg(r) message and details on Trust Info configuration to address this may be found at AutoPkg and recipe parent trust info

Typical parent updates are due to URL changes in a download recipe.

FileWave 13

After to upgrading to FileWave 13, the following errors may be experienced:

Exit Status 108:

WARNING: com.github.autopkg.filewave.OracleJava8 is missing trust info and FAIL_RECIPES_WITHOUT_TRUST_INFO is not set. Proceeding...
 
Command '['/Applications/FileWave/FileWave Admin.app/Contents/MacOS/FileWave Admin', '-u', u'autopkg', '-p', u'autopkg', '-H', u'filewave.server.com', '-P', '20016', '--listFilesets']' returned non-zero exit status 108

Exit Status 109:

WARNING: com.github.autopkg.filewave.Evernote is missing trust info and FAIL_RECIPES_WITHOUT_TRUST_INFO is not set. Proceeding...
 
Error in com.github.autopkg.filewave.Evernote: Processor: com.github.autopkg.filewave.FWTool/FileWaveImporter: Error: Error importing the folder '/Users/username/Library/AutoPkg/Cache/com.github.autopkg.filewave.Evernote/Evernote/Evernote.app' into FileWave as a fileset called 'Evernote - 7.7'.  Reason: Command '['/Applications/FileWave/FileWave Admin.app/Contents/MacOS/FileWave Admin', '-u', u'autopkg', '-p', u'autopkg', '-H', u'filewave.server.com', '-P', '20016', '--importFolder', u'/Users/username/Library/AutoPkg/Cache/com.github.autopkg.filewave.Evernote/Evernote/Evernote.app', '--name', u'Evernote - 7.7', '--root', u'/Applications/Evernote.app']' returned non-zero exit status 109

FileWave 13 has increased security and the server certificate is part of this security. There are also changes and additional options for FileWave Administrator Preferences. As such, some configuration changes will be necessary.

FileWave Admin
Additionally, if using a self-signed certificate, please observe the necessary steps for FileWave Admin in the following article to ensure you have a local copy of the certificate: Self-Signed SSL Certificates Going Forward

Directions

Exit Status 108

This is likely to be one of the following:

Server Certificate
Autopkg(r) setting - Server Name
Autopkg(r) setting - User/Password
An old expired certificate is in the Keychain

Server Certificate

Confirm that your server meets necessary requirements. For example:

Server Common Name matches Server Name
Certificate has not expired

Further details on certificates can be seen at: Root Trusted SSL Certificate (Using and Renewing)

Server Name

The following preference for server name, configured for Autopkg(r), needs to match the server address/common name and may not be, for example, IP or "localhost".

The following command may be use to confirm the current server settings of Autopkg(r). This should be run as the user and not root:

defaults read com.github.autopkg FW_SERVER_HOST

If the response of the server does not match the server's address/common name, then the value will need to be amended to match. Using the example above, server address/common name "filewave.server.com", the command should be:

defaults write com.github.autopkg FW_SERVER_HOST filewave.server.com

User settings

Prior to FileWave 13, the settings for the user, e.g password, could be left blank and the default password would be used. They must now be filled in.

The following command may be used to set the user and password (example username and password of autopkg): This should be run as the user and not root:

defaults write com.github.autopkg FW_ADMIN_USER autopkg
defaults write com.github.autopkg FW_ADMIN_PASSWORD autopkg

Note, both the above may be observed and set through Autopkgr: 'Folders & Integration' > 'Configure FileWaveImporter'

Expired Certificate

Remove old expired certificates from the keychain. Check to ensure they are removed from both:

Exit Status 109

Manage Administrators

FileWave 13 has additional options and amended default settings for Administrator Preferences. If exit status 109 is seen, this may indicate that the settings for the 'autopkg' Administrator account need addressing.

Ensure the 'autopkg' user has permissions to modify Filesets:

Test

Once any of the above have been amended, re-run the recipes.

AutoPkg with FileWave

Using AutoPkgr with FileWave for Advanced macOS Software Deployment

Description

Ingredients

Directions

Setup FileWave

Setup AutoPkgr

Override Recipes & Trust Relationship

Important

Related Content

Autopkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO

AutoPkg(r) FAIL_RECIPES_WITHOUT_TRUST_INFO

Description

FileWave 13

Exit Status 108:

Exit Status 109:

Directions

Exit Status 108

Server Certificate

Server Name

User settings

Expired Certificate

Exit Status 109

Manage Administrators

Test