
Integrate Fleet MDM services #1590

Merged
brianmcgillion merged 1 commit into tiiuae:main from vadika:fleetmdm-integration on Jan 7, 2026

Conversation

@vadika
Contributor

@vadika vadika commented Nov 26, 2025

  • Add fleet module to modules/common/security/fleet
  • Register fleet module in modules/common/security
  • Enable fleet services (Orbit) in guivm

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

From gui-vm:

```shell
sudo mkdir -p /etc/common/ghaf/fleet
sudo install -m 600 /dev/stdin /etc/common/ghaf/fleet/enroll
```

Paste the enroll secret, then Ctrl-D.

```shell
sudo systemctl restart orbit
sudo journalctl -u orbit -n 50 --no-pager
```
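A pre-flight script for the manual enrollment steps above, added here as an example and not part of the PR. It assumes the two paths the PR uses (/etc/common/ghaf/fleet/enroll and /etc/common/ghaf/hostname) and checks that the secret carries the 600 mode the install step sets and that the hostname file the orbit unit's ConditionPathExists waits on is present before the service is restarted.

```shell
#!/bin/sh
# Added example, not part of the PR: pre-flight checks for the manual Orbit
# enrollment. Assumed paths (from the PR): /etc/common/ghaf/fleet/enroll
# (enroll secret, installed with mode 600) and /etc/common/ghaf/hostname
# (dynamic hostname shared from the host, which the orbit unit waits on).

# check_secret_file FILE
# Returns 0 when FILE is a non-empty regular file with mode exactly 0600, so
# the enroll secret is readable only by its owner; otherwise prints the reason
# and returns 1.
check_secret_file() {
  f=$1
  [ -f "$f" ] || { echo "missing secret file: $f"; return 1; }
  [ -s "$f" ] || { echo "empty secret file: $f"; return 1; }
  # GNU stat first, BSD stat as fallback; both print the octal mode bits
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = 600 ] || { echo "mode $mode on $f, expected 600"; return 1; }
  return 0
}

# check_hostname_file FILE
# The orbit unit has ConditionPathExists on this file, so a missing file means
# the service quietly stays inactive rather than failing. Prints the hostname
# and returns 0 when the file holds one plausible hostname token, else 1.
check_hostname_file() {
  f=$1
  [ -f "$f" ] || { echo "hostname file not present: $f (orbit stays inactive)"; return 1; }
  name=$(head -n 1 "$f" | tr -d '[:space:]')
  [ -n "$name" ] || { echo "hostname file is empty: $f"; return 1; }
  case $name in
    *[!A-Za-z0-9.-]*) echo "unexpected characters in hostname: $name"; return 1 ;;
  esac
  printf '%s\n' "$name"
}

# preflight SECRET_FILE HOSTNAME_FILE: run both checks, 0 only if both pass.
preflight() {
  rc=0
  check_secret_file "$1" || rc=1
  check_hostname_file "$2" >/dev/null || rc=1
  return $rc
}

# Usage on gui-vm, after the install step from the testing instructions:
#   preflight /etc/common/ghaf/fleet/enroll /etc/common/ghaf/hostname \
#     && sudo systemctl restart orbit
```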

@vadika vadika marked this pull request as draft November 26, 2025 21:05
@vadika vadika force-pushed the fleetmdm-integration branch from 859846d to ec3412c Compare November 28, 2025 11:40
@vadika vadika force-pushed the fleetmdm-integration branch from ec3412c to 26d9ee9 Compare November 28, 2025 11:58
@vadika vadika force-pushed the fleetmdm-integration branch from 26d9ee9 to a5cec98 Compare November 28, 2025 12:00
@vadika vadika force-pushed the fleetmdm-integration branch from a5cec98 to 8bc1d68 Compare November 28, 2025 12:52
@vadika vadika force-pushed the fleetmdm-integration branch from 8bc1d68 to 3d1c03d Compare November 28, 2025 12:55
@Bitumiju

Bitumiju commented Dec 1, 2025

@vadika vadika force-pushed the fleetmdm-integration branch from 3d1c03d to d20d9fe Compare December 9, 2025 10:54
@vadika vadika marked this pull request as ready for review December 9, 2025 10:54
@vadika vadika requested a review from brianmcgillion December 9, 2025 11:11
@brianmcgillion
Collaborator

Overall looking good. Regarding the patches: are these patches that we plan to push upstream?

@vadika
Contributor Author

vadika commented Dec 9, 2025

> Overall looking good. Regarding the patches: are these patches that we plan to push upstream?

Well, I opened a PR for the upstream, but nobody noticed it in a couple of months ... (

@milva-unikie

Tested quickly on Darter Pro (new image, rebased to mainline).

[screenshot]
  • The status does not update to the taskbar applet (also a typo?)
    [screenshot: Screenshot_2025-12-15_13-45-01]
  • Clicking "Connecting..." opens a Chrome window that shows an error.
    [screenshot: Screenshot_2025-12-15_13-55-13]
  • Also please update the testing instructions; this feedback is based only on what I noticed right away.

@clayhill66 clayhill66 added Needs Testing CI Team to pre-verify and removed Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon labels Jan 5, 2026
@brianmcgillion
Collaborator

needs a rebase.

@milva-unikie

waypipe-ssh-keygen.service is failing in gui-vm on all laptops:

```
Jan 05 12:24:42 gui-vm systemd[1]: Starting Generate SSH keys for Waypipe...
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + mkdir -p /run/waypipe-ssh
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[688]: + echo -en '\n\n\n'
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: + /nix/store/hpvsf3db2q0ij33aw31n953gdkhlmwrg-openssh-10.2p1/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C ''
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Enter passphrase for "/run/waypipe-ssh/id_ed25519" (empty for no passphrase): Enter same passphrase again: Generating public/private ed25519 key pair.
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Your identification has been saved in /run/waypipe-ssh/id_ed25519
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Your public key has been saved in /run/waypipe-ssh/id_ed25519.pub
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: The key fingerprint is:
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: <removed>
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: The key's randomart image is:
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: +--[ED25519 256]--+
<removed>
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: +----[SHA256]-----+
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + chown 901:users /run/waypipe-ssh/id_ed25519 /run/waypipe-ssh/id_ed25519.pub
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub
Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[712]: cp: cannot create regular file '/run/waypipe-ssh-public-key/id_ed25519.pub': No such file or directory
Jan 05 12:24:42 gui-vm systemd[1]: waypipe-ssh-keygen.service: Main process exited, code=exited, status=1/FAILURE
Jan 05 12:24:42 gui-vm systemd[1]: waypipe-ssh-keygen.service: Failed with result 'exit-code'.
Jan 05 12:24:42 gui-vm systemd[1]: Failed to start Generate SSH keys for Waypipe.
```

@vadika
Contributor Author

vadika commented Jan 5, 2026

> waypipe-ssh-keygen.service is failing in gui-vm on all laptops:
>
> ```
> Jan 05 12:24:42 gui-vm systemd[1]: Starting Generate SSH keys for Waypipe...
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + mkdir -p /run/waypipe-ssh
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[688]: + echo -en '\n\n\n'
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: + /nix/store/hpvsf3db2q0ij33aw31n953gdkhlmwrg-openssh-10.2p1/bin/ssh-keygen -t ed25519 -f /run/waypipe-ssh/id_ed25519 -C ''
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Enter passphrase for "/run/waypipe-ssh/id_ed25519" (empty for no passphrase): Enter same passphrase again: Generating public/private ed25519 key pair.
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Your identification has been saved in /run/waypipe-ssh/id_ed25519
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: Your public key has been saved in /run/waypipe-ssh/id_ed25519.pub
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: The key fingerprint is:
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: <removed>
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: The key's randomart image is:
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: +--[ED25519 256]--+
> <removed>
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[689]: +----[SHA256]-----+
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + chown 901:users /run/waypipe-ssh/id_ed25519 /run/waypipe-ssh/id_ed25519.pub
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[665]: + cp /run/waypipe-ssh/id_ed25519.pub /run/waypipe-ssh-public-key/id_ed25519.pub
> Jan 05 12:24:42 gui-vm waypipe-ssh-keygen[712]: cp: cannot create regular file '/run/waypipe-ssh-public-key/id_ed25519.pub': No such file or directory
> Jan 05 12:24:42 gui-vm systemd[1]: waypipe-ssh-keygen.service: Main process exited, code=exited, status=1/FAILURE
> Jan 05 12:24:42 gui-vm systemd[1]: waypipe-ssh-keygen.service: Failed with result 'exit-code'.
> Jan 05 12:24:42 gui-vm systemd[1]: Failed to start Generate SSH keys for Waypipe.
> ```

That was an unfortunate side effect of merging main, now fixed.

Add Fleet MDM client (Orbit) integration for device management:

- Add fleet module with Orbit and Fleet Desktop packages (v1.46.0)
- Patch orbit to support --hostname-file flag for dynamic hostname
  identification from external file instead of system hostname
- Add NixOS-specific patches for script execution and path handling
- Enable Orbit service in guivm with dynamic hostname from
  /etc/common/ghaf/hostname (shared via virtiofs from host)
- Add systemd ConditionPathExists to wait for hostname file

This allows Fleet server to identify devices using the hardware-derived
dynamic hostname generated by ghaf-dynamic-hostname service on the host.

Signed-off-by: vadik likholetov <vadikas@gmail.com>
@leivos-unikie
Contributor

Tested on lenovo-x1 that the manual steps for enrolling the secret in gui-vm work. Then the device gets enrolled to https://fleetdm.vedenemo.dev/ and shows there correctly across boots. If the device is deleted from https://fleetdm.vedenemo.dev/, it appears again if it has an internet connection.

@leivos-unikie leivos-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Jan 7, 2026
@brianmcgillion brianmcgillion merged commit 644514d into tiiuae:main Jan 7, 2026
32 checks passed