Portable health checks

[adfoster-r7]

Description

The current implementation of the omnibus health check requires that either linked files match the project's root dir.

For our project we wish to produce builds that work relatively by making use @executable_path, which unfortunately fails the current implementation of the omnibus health check.

Detail

For instance, as an example of a happy path lib, there is a reference directly to /opt/metasploit-framework - the project install dir:

/opt/metasploit-framework/embedded/bin/ruby:
	/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.9)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1259.32.0)
--->	/opt/metasploit-framework/embedded/lib/libruby.2.6.dylib (compatibility version 2.6.0, current version 2.6.6)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0

Unfortunately the current check does not correctly handle the scenario of @executable_path being present in linked files:

/opt/metasploit-framework/embedded/bin/ruby:
	/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 57337.60.9)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1259.32.0)
--->	@executable_path/../lib/libruby.2.6.dylib (compatibility version 2.6.0, current version 2.6.6)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
--->	@executable_path/../lib/libjemalloc.2.dylib (compatibility version 0.0.0, current version 0.0.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

In this scenario the healthcheck fails:

    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libruby.2.6.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libruby.2.6.dylib
      FAILED BECAUSE: Unsafe dependency
    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libjemalloc.2.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libjemalloc.2.dylib
      FAILED BECAUSE: Unsafe dependency

As we're wanting to use Omnibus to produce builds that can work from any location. It would be great to configure the Omnibus installer to consider any absolute paths to the project's install dir to now considered a failing health check.

Example code

This implementation wouldn't be suitable for landing to chef/omnibus - but it's a good starting point for discussion:

rapid7#1

Omnibus Version

7.0.12

Platform Version

OSX

Build Output

Without being able to configure the health check to support whitelisting links:

    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libruby.2.6.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libruby.2.6.dylib
      FAILED BECAUSE: Unsafe dependency
    --> /opt/metasploit-framework//embedded/lib/libruby.2.6.dylib
    DEPENDS ON: libjemalloc.2.dylib
      COUNT: 1
      PROVIDED BY: @executable_path/../lib/libjemalloc.2.dylib
      FAILED BECAUSE: Unsafe dependency

Example requirement: rapid7#1