3 Replies Latest reply on Dec 19, 2013 3:37 PM by jking

    ext.install Command

    timothyt

      I have questions and comments about the ext.install command. This command installs an extension or package of extensions.

       

      The core.help command appears to list all available commands; however, it does NOT include the ext.install command. Execution of core.help?prefix=ext outputs "Error 0 : No commands with prefix 'ext' were found". Nonetheless, execution of core.help?command=ext.install DOES produce output providing usage help for the ext.install command:

       

      1. Is this an officially supported command? Can it be added to the documentation?

       

      Despite the lack of documentation, I have noticed that people have discovered this command and have attempted to use it; but most seem to be having trouble. I believe this is due to the fact that this command requires that multipart/form-data encoding be used when uploading the file; and this cannot be done by simply adding the extension parameter to a URL in a web browser. I was able to successfully install an extension using the -F argument and @ with curl. The working command looks like this with curl:

       

      curl.exe -k -u username:password "https://hostname:portnumber/remote/ext.install?deleteIfExists=True" -F extension=@EPOAGENTMETA.zip

       

      Unfortunately, I have been advised that installing an extension using this ext.install command causes a loss of all existing client tasks and assignments. Installing an extension using the web interface does not appear to exhibit this same behavior. As a workaround, I would simply export all client tasks into an XML file using the clienttask.export command beforehand and re-import the client tasks afterwards using the clienttask.importClientTask command; however, all assignments are also lost, and I do not see a command to export, import, or create assignments via the API.

       

      2. Is there any way to prevent the loss of client tasks and assignments when installing an extension using the ext.install command?

        • 1. Re: ext.install Command
          jking

          1. There are internal commands that are available via the web API but that aren't in the "public" API.  The web API actually long predates our exposing it to customers (we've been using it since 4.0); there are many commands that we will probably never document and expose, and there are others that if an argument is made we certainly could document.  The ext.install/ext.uninstall commands are used extremely heavily internally (all of our continuous integration & testing automation for example) as well as in the field (that's the command that the installer uses to install extensions for example, once the application server is laid down and started).  You're absolutely right that that command (and a few others, although the python client handles it automatically) uses form data.

           

          In general using an undocumented command is "at your risk."  There's a greater chance that we'll modify a command that is only (believed to be) used internally. 

           

          Installing an extension like that does *not* automatically delete client tasks and assignments.  The installation (and upgrade) of extensions call a reentrant function that does not remove tasks, policies or assignments. 

           

          However, UN-installing an extension does result in the deletion of the software entry, which does a cascade delete through other portions of the actual db schema (we rely heavily on referential integrity), resulting in a loss of policies, policy assignments, tasks, and task assignments.  Same as if you'd uninstalled the extension from the user interface.  Please don't do that without a good backup.

           

          2. That's incorrect.

           

          As a general comment on the ext.install/uninstall command -- installing & uninstalling of extensions is not expected to be a continuous or automated process for a customer; the expected use case is via the download site or (ideally) the software manager.  I'm sure our product manager (Ulli Tanurhan) would love to hear from you about what your use cases are.

           

          Jon

          • 2. Re: ext.install Command
            timothyt

            Thanks for the explanation about public versus unexposed API commands.

             

            I understand that the ext.install command is an unexposed API command, and using such a command carries a risk that the command will be modified in the future. I am asking if this particular command can be exposed as public, and documented. McAfee Security Bulletins, such as SB10043, sometimes require an extension to be upgraded; and rather than providing all of our customers with a manual process, we would like to automate the process. In order to do so, I believe we need an API command.

             

            I just attempted installation of the EPOAGENTMETA.zip file referenced in the Security Bulletin above, using the following command:

            curl.exe -k -u username:password "https://hostname:portnum/remote/ext.install?deleteIfExists=true" -F extension=@EPOAGENTMETA.zip

             

            I lost all client tasks under Menu > Policy > Client Task Catalog > Client Task Types > McAfee Agent > Product Deployment. Is this because the command above contains the deleteIfExists=true parameter? The command won't work without this parameter, as the previous extension has the same name and the new one replaces it. Installing the same extension from the web interface does not exhibit the same behavior. It replaces the extension, and I do not lose these client tasks.

             

            I would love the opportunity to speak with Ulli regarding our use cases. I can tell you that it involves thousands of customers using mission-critical land mobile radio systems, including public safety and first responders throughout the world, as well as governments and agencies for which security is of paramount importance. I'm located at Motorola Solutions corporate headquarters in Schaumburg, Illinois. I think you guys are in Santa Clara, California. Perhaps we could set up a conference call?

             

            We run test cases and vet all updates for our customers before they install them, to ensure that no functionality is broken (That could cost lives in our scenario.) We provide software that delivers these vetted updates to our customers for use on air gapped (network isolated) systems with hundreds of computers, with no manual intervention required. We do not want to tell customers that for McAfee products, a manual process is required in order to mitigate vulnerabilities; nor do we want our customers to keep asking us why McAfee products keep showing up as vulnerable during vulnerability scans. I am trying to find solutions so that we do not have to go back to developers in engineering and say that future releases of our systems should not include ePO because it is too difficult to patch.

            • 3. Re: ext.install Command
              jking

              That's exactly because the deleteIfExists=true, yes.  I believe that does an uninstall of the extension first.  I thought ext.install would automatically do an upgrade if the extension already exists, but I must be mistaken.

               

              I'll forward a link to this thread to Ulli.

               

              Jon
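
Added example, not part of the thread and not McAfee's code: a guarded wrapper around the curl call discussed above. It refuses deleteIfExists=true (which, per the replies, uninstalls first and cascade-deletes tasks, policies and assignments) unless a backup has been acknowledged, and it uses curl's --cacert and --netrc-file in place of -k and -u so the server certificate is verified and the password stays off the command line. The function name ext_install and the EPO_URL, EPO_CACERT, EPO_NETRC, EPO_BACKUP_CONFIRMED and EPO_DRY_RUN variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: guarded ext.install upload. All EPO_* names are assumed.
#   EPO_URL     base URL, e.g. https://hostname:portnumber
#   EPO_CACERT  PEM file with the CA that signed the server certificate
#   EPO_NETRC   netrc file holding the API account (chmod 600)
#
# usage: ext_install <package.zip> [true|false]
#   second argument "true" sends deleteIfExists=true
ext_install() {
    zip=$1
    delete=${2:-false}
    query=""
    case $delete in
        true)
            # Per the thread, this uninstalls the existing extension first,
            # which removes its client tasks, policies and assignments.
            if [ "${EPO_BACKUP_CONFIRMED:-no}" != yes ]; then
                echo "refusing deleteIfExists=true without EPO_BACKUP_CONFIRMED=yes" >&2
                return 2
            fi
            query="?deleteIfExists=true" ;;
        false) ;;
        *) echo "second argument must be true or false" >&2; return 64 ;;
    esac
    [ -f "$zip" ] || { echo "extension package not found: $zip" >&2; return 66; }

    # -F sends the file as multipart/form-data, which the command requires.
    set -- curl --fail --silent --show-error \
        --cacert "$EPO_CACERT" --netrc-file "$EPO_NETRC" \
        -F "extension=@$zip" "$EPO_URL/remote/ext.install$query"

    if [ "${EPO_DRY_RUN:-no}" = yes ]; then
        printf '%s\n' "$*"      # show the command instead of running it
    else
        "$@"
    fi
}
```

Setting EPO_DRY_RUN=yes prints the command that would be sent, which is useful for review before running it against a production server.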