Just a note for those folks with well-worn bookmarks to this post on Ed Marczak’s blog, Radiotope.com, for authenticating VPN connections with Mac OS X Server’s Open Directory, which is still valid today. When trying to use the System Preferences VPN client/network adapter with the built-in L2TP server in Sonicwall, though, I was curious why OD auth wasn’t working for me, but users that were local to the Sonicwall were. Having been a while since the last time I’d set it up, I went on a search engine spelunking and found a link that did the trick.
In particular, a comment by Ted Dively brought to my attention the fact you need to change the order(in the VPN sidebar item, L2TP Server, when the Configure button pop-up is clicked, it’s under the PPP tab) that the L2TP service is configured to use for authentication type, PAP instead of the more standard MSCHAPv2.
We hope that is of help to current and future generations.
For the first year I’ll be speaking at the newly-rebranded League of Extraordinary Gentlemen League of Professional System Administrators conference in New Brunswick, New Jersey! It’s May 3rd and 4th, and should be a change from the Mac-heavy conferences we’ve been associated with as of late. I’ll be giving a training class, Intro to Mac and iOS Lifecycle Management, and a talk on Principled Patch Management with Munki. Registration is open now! Jersey is lovely that time of year, please consider attending!
For the third year, I’ll be presenting at PSU MacAdmins Conference! This year I’m lucky enough to be able to present two talks, “Backup, Front to Back” and “Enough Networking to be Dangerous”. But I’m really looking forward to what I can learn from those speaking for the first time, like Pepijn Bruienne and Graham Gilbert among others. The setting and venue is top-notch. It’s taking place May 22nd through the 24th, with a Boot Camp for more foundational topics May 21st. Hope you can join us!
We routinely need to change our administrative passwords on multiple computers as part of our security policy. Since we already have remote access to many of our Mac OS X computers through Apple Remote Desktop (ARD), changing that administrator password is quick and simple.
if [ $? = 0 ] ; then
echo "Password reset."
else
echo "Password not reset."
fi
In ARD, click the Send UNIX Command button and paste the script into the top field. Choose to run this command as a specific user and specify root.
From the Template drop down menu in the upper right corner select Save as Template… and save these settings with a descriptive name such as Spin ladmin password.
To use and reuse this template, select the workstations with the old account password and click the Send UNIX Command button in ARD’s toolbar. Choose the Spin ladmin password template from the Template drop down menu. Adjust the account name and password accordingly in the script and then click the Send button.
ARD can spin dozens or hundreds of account passwords in just a few seconds without having to know the original.
False-positive errors muddy our view, so just as many strive to quiet noisy syslogs, we can easily overcome a common complaint we see Retrospect make when doing differential SQL backups: ‘the master DB can’t be DIFF’d’.
Complicating matters is Retro’s SQL connector doesn’t seem to allow you to exclude that one as a source. Simply make an exclusion for ‘file or folder name matches: master’ and you’ll see it get to the master in the log and decide no files necessary to backup, keeping the result of that script error-free.
IT needs to have a way to access FileVault 2(just called FV2 from here on) encrypted volumes in the case of a forgotten password or just getting control over a machine we’re asked to support. Usually an institution will employ a key escrow system to manage FDE(Full Disk Encryption) when working at scale. One technique, employed by Google’s previously mentioned Cauliflower Vest, is based on the ‘personal’ recovery key(a format I’ll refer to as the ‘license plate’, since it looks like this: RZ89-A79X-PZ6M-LTW5-EEHL-45BY.) The other involves putting a certificate in place, and is documented in Apple’s white paper on the topic. That paper only goes into the technical details later in the appendix, and I thought I’d review some of the salient points briefly.
There are three layers to the FV2 cake, divided by the keys interacted with when unlocking the drive:
Derived Encryption Keys(plural), the Key Encrypting Key(from the department of redundancy department) and the Volume Encrypting Key. Let’s use a (well-worn) abstraction so your eyes don’t glaze over. There’s the guest list and party promoter(DEKs), the bouncer(KEK), and the key to the FV2 VIP lounge(VEK). User accounts on the system can get on the (DEK) guest list for eventual entry to the VIP, and the promoter may remove those folks with skinny jeans, ironic nerd glasses without lenses, or Ugg boots with those silly salt-stained, crumpled-looking heels from the guest list, since they have that authority.
The club owner has his name on the lease(the ‘license plate’ key or cert-based recovery), and the bouncer’s paycheck. Until drama pop off, and the cops raid the joint, and they call the ambulance and they burn the club down… and there’s a new lease and ownership and staff, the bouncer knows which side of his bread is buttered.
The bouncer is a simple lad. He gets the message when folks are removed from the guest list, but if you tell him there’s a new owner(cert or license plate), he’s still going to allow the old owner to sneak anybody into the VIP for bottle service like it’s your birthday, shorty. Sorry about the strained analogy, but I hope you get the spirit of the issue at hand.
The moral of the story is, there’s an expiration method(re-wrapping the KEK based on added/modified/removed DEKs) for the(in this case, user…) passphrase-based unlock. ONLY. The FilevaultMaster.keychain cert has a password you can change, but if access has been granted to a previous version with a known password, that combination will continue to work until the drive is decrypted and re-encrypted. And the license plate version can’t be regenerated or invalidated after initial encryption.
So the two institutional-scale methods previously mentioned still get through the bouncer unlock the drive until you tear the roof of the mofotear the club up de- and re-encrypt the volume.
But here’s an interesting point, there’s another type of DEK/passphrase-based unlock that can be expired/rotated besides per-user: a disk-based passphrase. I’ll get to describing that in Part Deux…
“One change happens and I need to redo the whole thing”
“I copy-paste the newest catalogs I see posted on the web, the formatting breaks, and I continually have to go back and check to make sure it’s the newest one”
These are the issues commonly experienced with those who want to take advantage of InstaDMG, and to some, it may be enough to prevent them from being rid of their Golden Master ways. Of course there are a few options to address each of these, in turn, but you may have noticed a theme on blog posts I’ve penned recently, and that is:
BETTER LIVING THROUGH AUTOMATION!
(We’ll get to how automation takes over shortly.) First, to review, a customized InstaDMG build commonly consists of a few parts: the user account, a function to answer the setup assistant steps, and the bootstrap parts for your patch and/or configuration management system. To take advantage of the(hopefully) well-QA’d vanilla catalogs, you can nest it in your custom catalog via an include-file line, and you only update your custom software parts listed above in one place. (And preferably you keep those projects and catalog under version control as well.)
All the concerns paraphrased at the start of this post just happen to be discussed recently on The Graham Gilbert Dot Com. Go there now, and hear what he has to say about it. Check out his other posts, I can wait.
Back? Cool. Now you may think those are all the answers you need. You’re mostly right, you smarty you! SSDs are not so out-of-reach for normal folk, and they really do help to speed the I/O bound process up, so there’s less cost to create and repeat builds in general. But then there’s the other manual interaction and regular repetition parts – how can we limit it to as little as possible? Yes, the InstaDMG robot’s going to do the heavy lifting for us by speedily building an image, and using version control on our catalogs help us track change over time, but what if Integrating the changes from the vanilla catalogs was Continuous? (Answers within!) (more…)
At 318, we write a pretty good amount of content. We have 5 or so authors on staff, write tons of technical documentation for customers and develop a fair amount of courseware. These days, I edit almost as much as I write. And in doing so, I’ve picked up on some interesting trends in how people write, prompting me to write up some tips for the blossoming technical writer out there:
Define the goal. What do you want to say? The text on the back jacket of most of my books was written before I ever wrote an outline. Sometimes I update the text when I’m done with a book because the message can change slightly with technical writing as you realize some things you’d hoped to accomplish aren’t technically possible (or maybe not in the amount of time you need to use).
Make an outline. Before you sit down to write a single word, you should know a goal and have an outline that matches to that goal. The outline should be broken down in much the same way you’d lay out chapters and then sections within the chapter.
Keep your topics separate. A common trap is to point at other chapters too frequently. Technical writing does have a little bit of the find your own adventure aspect, but referencing other chapters is often overused.
Clearly differentiate between section orders within a chapter. Most every modern word processing tool (from WordPress to Word) provides the ability to have a Header or Heading 1 and a Header or Heading 2. Be careful not to confuse yourself. I like to take my outline and put it into my word processing program and then build out my headers from the very beginning. When I do so, I like for each section to have a verb and a subject that defines what we’re going to be doing. For example, I might have Header 1 as Install OS X, with Header 2 as Formatting Drives followed by Header 2 as Using the Recovery Partition followed by Header 3 of Installing the Operating System.
Keep your paragraphs and sentences structured. Beyond the headings structure, make sure that each sentence only has one thought (and that sentences aren’t running on and on and on). Also, make sure that each paragraph illustrates a sequence of thoughts. Structure is much more important with technical writing than with, let’s say, science fiction. Varying sentence structure can keep people awake.
Use good grammar. Bad grammar makes things hard to read and most importantly gets in the way of your message getting to your intended audience. Strunk and White’s Elements of Style is very useful if you hit a place where you’re not sure what to write. Grammar rules are a lot less stringent with online writing, such as a website. When it comes to purposefully breaking grammatical rules, I like to make an analogy with fashion. If you show up to a very formal company in $400 jeans, they don’t care that your jeans cost more than most of their slacks; they just get cranky you’re wearing jeans. Not everyone will pick up on purposeful grammatical lapses. Many will just judge you harshly. Especially if they hail from the midwest.
Define your audience. Are you writing for non-technical users trying to use a technical product? Are you writing for seasoned Unix veterans trying to get acquainted with a new version of Linux? Are you writing for hardened programmers? The more clearly you define the audience the easier it is to target a message to that audience. The wider the scope of the audience the more people are going to get lost, feel they’re reading content below their level, etc.
Know your style guide. According to who you are writing for, they probably have a style guide of some sort. This style guide will lay out how you write, specific grammar styles they want used, hopefully a template with styles pre-defined, etc. I’ve completed several writing gigs, only to discover I need to go back and reapply styles to the entire content. When you do that, something will always get missed…
Quoting is important when writing code. It’s also important to quote some text. If you have a button or text on a screen with one word that begins with a capped letter, you don’t need to quote that in most style guides. But if there’s only one word and any of the words use a non-capped letter or have a special character then the text should all be quoted. It’s also important to quote and attribute text from other locations. Each style guide does this differently.
Be active. No, I’m not saying you should run on a treadmill while trying to dictate the chapter of a book to Siri. Use an active voice. For example, don’t say “When installing an operating system on a Mac you should maybe consider using a computer that is capable of running that operating system.” Instead say something like “Check the hardware compatibility list for the operating system before installation.”
Be careful with pronouns. When I’m done writing a long document I’ll do a find for all instances of it (and a few other common pronouns) and look for places to replace with the correct noun.
Use examples. Examples help to explain an otherwise intangible idea. It’s easy to tell a reader they should enable alerts on a system, but much more impactful to show a reader how to receive an alert when a system exceeds 80 percent of disk capacity.
Use bullets or numbered lists. I love writing in numbered lists and bullets (as with these tips). Doing so allows an author to most succinctly go through steps and portray a lot of information that is easily digestible to the audience. Also, if one of your bullets ends with a period, they all must. And the tense of each must match.
Use tables. If bullets are awesome then tables are the coolest. You can impart a lot of information using tables. Each needs some text explaining what is in the table and a point that you’re usually trying to make by including the table.
Judiciously use screen shots. If there’s only one button in a screen shot then you probably don’t need the screen shot. If there are two buttons you still probably don’t need the screen shot. If there are 20 and it isn’t clear in the text which to use, you might want to show the screen. It’s easy to use too many or not enough screen shots. I find most of my editors have asked for more and more screens until we get to the point that we’re cutting actual content to fit within a certain page count window. But I usually have a good idea of what I want to be a screen shot and what I don’t want to be a screen shot from the minute I look at the outline for a given chapter. Each screen shot should usually be called out within your text.
Repetition is not a bad thing. This is one of those spots where I disagree with some of my editors from time to time. Editors will say “but you said that earlier” and I’ll say “it’s important.” Repetition can be a bad thing, if you’re just rehashing content, but if you intentionally repeat something to drive home a point then repetition isn’t always a bad thing. Note: I like to use notes/callouts when I repeat things.
White space is your friend. Margins, space between headers, kerning of fonts. Don’t pack too much crap into too little space or the reader won’t be able to see what you want them to see.
Proofread, proofread, proofread. And have someone else proofread your stuff.
Jargon, acronyms and abbreviations need to be explained. If you use APNS you only have to define it once, but it needs to be defined.
I keep having editors say “put some personality into it” but then they invariably edit out the personality. Not sure if this just means I have a crappy personality, but it brings up a point: while you may want to liven up text, don’t take away from the meaning by doing so.
Don’t reinvent the wheel. Today I was asked again to have an article from krypted included in a book. I never have a problem with contributing an article to a book, especially since I know how long it takes to write all this stuff. If I can save another author a few hours or days then they can push the envelope of their book that much further.
Technical writing is not a conversation. Commas are probably bad. The word um is definitely bad. Technical writing should not ramble but be somewhat formal. You can put some flourish in, but make sure the sentences and arguments are meaningful, as with a thesis.
Be accurate. Technical reviewers or technical editors help to make sure you’re accurate, but test everything. Code, steps, etc. Make sure that what you’re saying is correct up to the patch level and not just for a specific environment, like your company or school.
Use smooth transitions between chapters. This means a conclusion that at least introduces the next chapter in each. Don’t overdo the transitions or get into the weeds of explaining an entire topic again.
Real writers publish. If you write a 300 page document and no one ever sees it, did that document happen? If the document isn’t released in a timely manner then the content might be out of date before getting into a readers hands. I like to take my outline (step 2) and establish a budget (a week, 20 hours, or something like that).
In a recent Twitter conversation with other folks supporting Macs we discussed ways to programmatically deploy printers. Larger environments that have a management solution like JAMF Software’s Casper can take advantage of its ability to capture printer information and push to machines. Smaller environments, though, may only have Apple Remote Desktop or even nothing at all.
Because Mac OS X incorporates CUPS printing, administrators can utilize the lpadmin and lpoptions command line tools to programmatically configure new printers for users.
lpadmin
A basic command for configuring a new printer using lpadmin looks something like this:
-p = Printer name (queue name if sharing the printer)
-v = IP address or DNS name of the printer
-D = Description of the printer (appears in the Printers list)
-L = Location of the printer
-P = Path the the printer PPD file
-E = Enable this printer
The result of running this command in the Terminal application as an administrator looks like this:
lpoptions
Advanced printer models may have duplex options, multiple trays, additional memory or special features such as stapling or binding. Consult the printer’s guide or its built-in web page for a list of these installed printer features.
After installing a test printer, use the lpoptions command with the -l option in the Terminal to “list” the feature names from the printer:
lpoptions -p "salesbw" -l
The result is usually a long list of features that may look something like:
Each line is an option. The first line above displays the option for Tray 4 and shows the default setting is False. If the printer has the optional Tray 4 drawer installed then enable this option when running the lpadmin command by following it with:
-o HPOption_Tray4=True
Be sure to use the option name to the left of the slash not the friendly name with spaces after the slash.
To add the duplex option listed on the third line add:
-o HPOption_Duplexer=True
And to add the envelope feeder option listed on the fifth line add:
-o HPOption_Envelope_Feeder=True
Add as many options as necessary by stringing them together at the end of the lpadmin command:
In our previous discussion of iOS Backups, the topic of configuration profiles being the ‘closest to the surface’ on a device was hinted at. What that means is, when Apple Configurator restores a backup, that’s the last thing to be applied to the device. For folks hoping to use Web Clips as a kind of app deployment, they need to realize that trying to restore a backup that has the web clip in a particular place doesn’t work – the backup that designates where icons on the home screen line up gets laid down before the web clip gets applied by the profile. It gets bumped to whichever would be the next home screen after the apps take their positions.
This makes a great segue into the topic of configuration profiles. Here’s a ‘secret’ hiding in plain sight: Apple Configurator can make profiles that work on 10.7+ Macs. (But please, don’t use it for that – see below.) iPCU possibly could generate usable ones as well, although one should consider the lack of full screen mode in the interface as a hint: it may not see much in the way of updates on the Mac from now on. iPCU is all you have in the way of an Apple-supported tool on Windows, though. (Protip: activate the iOS device before you try to put profiles on it – credit @bruienne for this reminder.)
Also thanks to @bruienne to the recommendation of the slick p4merge tool
Now why would you avoid making, for example, a Wi-Fi configuration profile for use on a mac with Apple Configurator? Well there’s one humongous difference between iOS and Macs: individual users. Managing devices with profiles shows Apple tipping their cards: they seem to be saying you should think of only one user per device, and if it’s important enough to manage at all, it should be an always enforced setting. The Profile Manager service in Lion and Mountain Lion Server have an extra twist, though: you can push out settings for Mac users or the devices they own. If you want to manage a setting across all users of a device, you can do so at the Device Group level, which generates extra keys than those that are present in a profile generated by Apple Configurator. The end result is that a Configurator-generated profile will be user-specific, and fail with deployment methods that need to target the System. (Enlarge the above screenshot to see the differences – and yes, there’s a poorly obscured password in there. Bring it on, hax0rs!)
These are just more of the ‘potpourri’ type topics that we find time to share after being caught by peculiarities out in the field.
It was our privilege to be contacted by Bizappcenter to take part in a demo of their ‘Business App Store‘ solution. They have been active on the Simian mailing list for some time, and have a product to help the adoption of the technologies pioneered by Greg Neagle of Disney Animation Studios (Munki) and the Google Mac Operations Team. Our experience with the product is as follows.
To start, we were given admin logins to our portal. The instructions guide you through getting started with a normal software patch management workflow, although certain setup steps need to be taken into account. First is that you must add users and groups manually, there are no hooks for LDAP or Active Directory at present (although those are in the road map for the future). Admins can enter the serial number of each users computer, which allows a package to be generated with the proper certificates. Then invitations can be sent to users, who must install the client software that manages the apps specified by the admin from that point forward.
Sample applications are already loaded into the ‘App Catalog’, which can be configured to be installed for a group or a specific user. Uploading a drag-and-drop app in a zip archive worked without a hitch, as did uninstallation. End users can log into the web interface with the credentials emailed to them as part of the invitation, and can even ‘approve’ optional apps to become managed installs. This is a significant twist on the features offered by the rest of the web interfaces built on top of Munki, and more features (including cross-platform support) are supposedly planned.
If you’d like to discuss Mac application and patch management options, including options such as BizAppCenter for providing a custom app store for your organization, please contact sales@318.com
Most any packaging tool for Mac OS X, such as Apple’s PackageMaker, JAMF Software’s Composer, Absolute Software’s InstallEase or Stéphane Sudre’s Iceberg, can create a simple package combining a couple of scripts with a payload file. For this example, the payload will be the snmpd.conf file itself and the scripts will be preflight and postflight scripts to protect existing data and start the SNMP service.
First, create the snmpd.conf file using the instructions in the Create the snmpd.conf file section from the prior post.
Next, create the preflight and postflight scripts using a plain text editor such as TextEdit.app or BBEdit.app. Save each script as “preflight” or “postflight” without any file extensions.
Preflight script
The preflight script stops the SNMP service if it’s running and renames any existing /usr/share/snmp/snmpd.conf file to snmpd.bak followed by a unique date and time.
#!/bin/sh
# Preflight
# Stop the SNMP service if it's running
/bin/launchctl list | /usr/bin/grep org.net-snmp.snmpd
if [ $? = 0 ] ; then
/bin/launchctl unload -w /System/Library/LaunchDaemons/org.net-snmp.snmpd.plist
/usr/bin/logger SNMP service stopped. # Appears in /private/var/log/system.log
fi
# Rename the snmpd.conf file if it exists
if [ -f /usr/share/snmp/snmpd.conf ] ; then
/bin/mv /usr/share/snmp/snmpd.conf /usr/share/snmp/snmpd.bak$( /bin/date "+%Y%m%d%H%M%S" )
fi
exit 0
Postflight script
The postflight script starts the SNMP service
#!/bin/sh
# Postflight
# Start the SNMP service if it's running
/bin/launchctl load -w /System/Library/LaunchDaemons/org.net-snmp.snmpd.plist
if [ $? = 0 ] ; then
/usr/bin/logger SNMP service started. # Appears in /private/var/log/system.log
fi
exit 0
The elements are ready to add to the packaging application. Using Iceberg as an example, create a new new project and select Package from the Core Templates. Name the project “Enable SNMP” and select a location to store the project files such as ~/Iceberg. Copy the snmpd.conf file and preflight and postflight scripts to the ~/Iceberg/Enable SNMP folder for easier access.
Edit any information in the Settings pane to add clarity or leave the defaults automatically populated.
Select the Scripts pane and drag the preflight and postflight scripts into the Installation Scripts window being sure to match the preflight script to the preflight script file and the postflight script to the postflight script file.
Select the Files pane. Right-click the top-level root folder in the files list and select New Folder. Name this new folder “usr”. It should appear at the same level as the Applications, Library and System folders. Continue creating new folders until the /usr/share/snmp folder hierarchy is complete. Then drag in the snmpd.conf file so that it falls under the snmp folder.
Select Archive menu –> Show Info to display each folder’s ownership and permissions. Adjust ownership of the new folders and the snmpd.conf file to owner:root and group:wheel. Adjust permissions to 755 for folders and 644 for the file (see screenshot).
The package is ready. Select Build menu –> Build to create the package. Iceberg places new packages into the project folder: ~/Iceberg/Enable SNMP/build/Enable SNMP.pkg.
Copy the newly created package to a test machine and double-click to run it. Verify that everything worked correctly by running the snmpget command:
SNMPv2-MIB::sysDescr.0 = STRING: Darwin TMI 12.2.0 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64
When satisfied the installer works correctly use a deployment tool such as Apple Remote Desktop, Casper or munki to distribute the package to Mac workstations.
“Write an article called ‘Getting Started with Splunk.’”
I reply:
“What, you think I know all this stuff? This really would be a getting started article.”
But here it is and WOW is Splunk cool!
My only experience with Splunk up to a couple days ago was seeing a T-shirt with “Log is my copilot”. I knew it had something to do with gathering log files and making them easier to read and search. In about an hour I had gone to Splunk’s website to research the product, downloaded and installed it, and started viewing logs from my own system. The Splunk folks have made getting their product into their customer’s hands easy and getting started even easier.
What is Splunk?
Simply put, Splunk can gather just about any kind of data that goes into a log (system logs, website metrics, etc.) into one place and make viewing that data easy. It’s accessed via web browser so it’s accessible on any computer or mobile device such as an iPad.
What do I need to run Splunk?
Practically any common operating system today can run Splunk: Mac OS X, Linux, Windows, FreeBSD and more.
How much does Splunk cost?
Don’t worry about that right now. Download and install the free version. It takes minutes to install and is a no-brainer. Let’s get started.
Getting Splunk
IT managers and directors may be interested in watching the introductory and business case videos with the corporate speak (“operational intelligence” anyone?) and company endorsements. Techs will be interested in getting started. Right on their home page is a big green Free Download button. Go there, click it and locate the downloader for your OS of choice. I downloaded the Mac OS X 10.7 installer to test (and installed it on OS X 10.8 without any issues).
This does require a sign-up to create an account. It takes less than a minute to complete. After submitting the information the 100 MB download begins right away.
While waiting for the download…
When the download is on its way the Splunk folks kindly redirect to a page with some short videos to watch while waiting. Watch this first one called Getting data into Splunk. It’s only a few minutes and this is the first thing to do after getting into Splunk.
Installing and starting Splunk
The download arrives as a double-clickable Apple Installer package. Double-click and install it. Toward the end it opens a simple TextEdit window with instructions for how to start, stop and access the newly installed Splunk site.
Files are installed in /Applications/splunk and resemble a UNIX file system.
Open the Terminal application found in /Applications/Utilities and run the command /Applications/splunk/bin/splunk start. If this is the first time running Splunk it prompts to accept its license agreement. Tap the spacebar to scroll through and read the agreement or type “q” to quit and agree to the license.
Accepting the agreement continues to start Splunk where it displays some brief setup messages.
The setup then provides the local HTTP address for the newly installed Splunk site. Open this in a web browser to get to the login screen. The first login requires that the administrator account password be reset.
Following along with the Getting data into Splunk video, Splunk will need some information. Mac OS X stores its own log files. Let’s point to those.
Click the Add Data link to begin.
Since Mac OS X’s log files are local to the machine, click A file or directory of files.
Click Next to specify local files.
This opens a window that exposes not only Mac OS X’s visible folders but its invisible folders as well. Browse to /var/log/system.log and click the Select button.
For now, opt to skip previewing the log file and click Continue.
Now, let’s opt to monitor not only the system.log file but the entire /var/log folder containing dozens of other log files as well. Note that Splunk can watch rotated and zipped log files too. Click Save to finish adding logs.
Let’s start searching!
The Search window initially displays a list of all logs Splunk is monitoring. To narrow the search change the time filter drop down menu to Last 60 minutes. This will make the results a little easier to see on a system that’s only been running a short while.
Now, search for install*. Splunk will only search for the word “install” without providing the asterisk as a wildcard character. Splunk supports not only wildcard searches but booleans, parentheses, quotes, etc. It will return every instance recorded in the logs that matches the search criteria. It also creates an interactive bar chart along the top of the page to indicate the number of occurrences found for the search at particular times.
To further refine the search, Option+click most any word in the log entries below and Splunk will automatically add the necessary syntax to remove an item. In this case the install* search returned install, installer and installd. Option+clicking installd changed the search criteria to install* NOT installd.
Now what?
Continue exploring the videos to understand Splunk’s possibilities and take advantage of its Splunk Tutorial, which is available online as well as in PDF format for offline viewing. They do a great job leading users through setup and creating reports.
Still asking about price? Good.
The free version remains free but doesn’t include many features that really make it sing such as monitoring and alerts, multiple user accounts and support beyond the Splunk website. Cost depends primarily on the amount of data you want to suck into Splunk and have it watch. It’s not cheap but for an enterprise needing to meet certain service level requirements it beats browsing through multiple servers trying to find the right log with the right information.
FYI, putting together this 1,000-word article probably took me 10 times longer than performing the Splunk install itself and beginning to learn it. It’s really well-done and easy to use. Splunk makes getting started simple.
SNMP can be a valuable tool for monitoring the health of unattended Mac workstations acting as a farm to process information for remote users. If the health of a farm member degrades because its hard drive gets full or a process gets stuck then SNMP can send traps to a Network Management Station to alert the administrator.
Before SNMP will return any useful information an administrator must configure the Mac using the snmpconf command. By default this command runs interactively and prompts him for basic information to create the /usr/share/snmp/snmpd.conf file. However, he can use this file to script the same configuration for other machines without interaction. The script can also run a simple launchd command afterward to start the snmp service.
Create the snmpd.conf file
Creating the snmpd.conf file is as simple as running a command in the Terminal and answering a few questions.
Launch the Terminal application found in /Applications/Utilities.
The Terminal defaults to the current user’s home folder. Verify this using the pwd command. This is where the snmpconf command will create the snmpd.conf file.
Enter snmpconf in the Terminal and press return.
This begins a series of simple questions. The first question is:
The following installed configuration files were found:
1: /etc/snmp/snmpd.conf
Would you like me to read them in? Their content will be merged with the output files created by this session.
Valid answer examples: “all”, “none”,”3″,”1,2,5″
Read in which (default = all):
Press return to accept the default answer “all”.
The next question is:
I can create the following types of configuration files for you.
Select the file type you wish to create:
(you can create more than one as you run this program)
1: snmpd.conf
2: snmptrapd.conf
3: snmp.conf
Other options: quit
Select File:
Enter 1 to choose to create the snmpd.conf file.
Next, choose 1 for Access Control Setup. This will set the community name for both read/write as well as read access. For monitoring purposes an administrator should configure read-only communities such as talkingmoose-read. Set the community name for both SNMPv3 read-only user as well as SNMPv1/SNMPv2 read-only access community name. These may be the same name.
When the read-only communities are set then type finished to exit the access control setup and proceed to the rest of the sections.
Some questions will be for more advanced snmp settings, which some administrators will want to partially or fully customize. For basic snmp functionality either accept the defaults or don’t answer the questions. At minimum, though, complete the Access Control Setup and System Information Setup sections.
After answering the questions and returning to the top level section type quit to complete creating the snmpd.conf file. The snmpconf command places this file in the current working directory in Terminal.
Load snmpd.conf onto another Mac
Loading these settings on another machine requires the same snmpconf command but with some instructions to use the newly created file. Do the following:
Copy the snmpd.conf file to the new machine.
Run the following command on the new machine:sudo snmpconf -R /path/to/snmpd.conf -a -f -i snmpd.conf
This snmpconf command takes the supplied snmpd.conf file (-R /path/to/snmpd.conf) to quietly configure a new one (-a) overwriting anything already configured (-f) and places it in the correct location (-i), which is /usr/share/snmp/.
Start SNMP
After the settings are loaded and a newly created snmpd.conf file exists in /usr/share/snmp/, start the SNMP service:
To verify the settings are applied correctly use the snmpwalk command to read SNMP data from the Mac using the read-only user or community name created when completing the Access Control Setup section earlier:
snmpwalk -v1 -c talkingmoose-read localhost
This should return a lengthy amount of information that begins with something like:
The most efficient deployment method for current and future Mac farm machines is an Apple Installer package. Add the snmpd.conf file as a resource file to the package and add a postflight script to load the file and start the SNMP service.
An administrator may need to allow his users access to the Mac App Store but might prefer they download software only under sanctioned Apple IDs. Using an extension attribute in Casper, he can compile a list of all Apple IDs used on every Mac.
When a user enters an Apple ID to access the Mac App Store, it gets stored in his Home folder in:
~/Library/Preferences/com.apple.storeagent.plist
So long as he doesn’t sign out of the Mac App Store (he’ll probably just quit when he’s done) the ID remains in the file. Multiple users on a machine may use multiple Apple IDs because the credentials are stored for each user rather than once for the computer.
The following script gathers a list of unique Apple IDs from all user accounts and then returns the list to the Casper JSS as an extension attribute.
#!/bin/sh # Get a list of existing .plist files USERFOLDERS=$( find /Users/*/Library/Preferences \ -name com.apple.storeagent.plist ) # Make a list of Apple IDs found in the .plists for APLIST in $USERFOLDERS do IDLIST=$( echo "$IDLIST\n$( defaults read $APLIST AppleID )" ) done # Remove blank and duplicate lines IDLIST=$( echo "$IDLIST" | sed '/^$/d' | uniq ) # Return the result echo "<result>$IDLIST</result>"
To add the following script as an extension attribute in the JSS:
Microsoft Lync can require as much or as little bandwidth as you can give it, according to what you are using Lync for. At its most basic, Lync is a tool for instant messaging. At its most complicated, Lync can plug-in to Microsoft Outlook, schedule a video conference with 10 of your coworkers (without posting the fact that you had said video conference to your Google+ timeline btw), share your screen so you can step your parents through setting up Windows RDP to fix a problem on their computer and pass PBX style traffic to provide voice services; all the while still letting you instant message your wife that you’ll be late coming home because you are stuck on the video conference, a screen share and a phone call also being managed with Lync.
Because you can do so much with Lync, as you start to do some of the more bandwidth intensive tasks, you might notice performance issues. Especially if you have an office of people running Office 365 and Lync Online to communicate with customers and one another. There are two types of performance to be concerned with with regards to any video or VoIP-based teleconference solution. The first is latency and the second is speed. TRIPP stands for the Transport Reliability IP Probe. TRIPP can be used to test your connection and return with information about what kind of performance you can expect to have.
When prompted, provide a Session ID (if you don’t have one, simply enter 0 and hit the Return key).
The test then runs. The first step is to look at latency. Wait for the rest to complete.
When finished, you’ll see a summary page that outlines the kind of performance you can expect from Lync.
If you have latency issues then it’s often due to too many hops for various sessions. This can be difficult to troubleshoot as it’s often up to an ISP to resolve routing table issues or provide better services. Bandwidth problems can be addressed by reducing the number of services on your network or increasing your throughput. You can also associate a higher priority for this type of traffic. Consistency of Service often comes down to QoS.
So far, I’ve managed to run TRIPP on Windows, Linux and as you can see from these screens, OS X.
As batteries die in older Macs their ability to keep the computer’s clock ticking dies with them. Slight interruptions in power can reset the date to January 1, 1970, or January 1, 2000, for newer machines.
Syncing the computer’s clock to a network NTP time server can quickly return it to current time without any effort. However, Macs may not begin syncing right away. That’s a problem for users in Active Directory environments where a discrepancy in time of more than five minutes won’t allow them to log in.
Using Apple Remote Desktop (or an SSH connection to the computer), a remote administrator can issue two simple commands to restart time syncing.
First, verify the time of the remote computer using ARD’s Send UNIX command to get the current time and date. Simply enter the date command and run it as root.
This will return something like: Thr Jan 1 10:56:37 CDT 1970. Active Directory won’t allow any logins.
To correct the time use the systemsetup command to turn time syncing off and then turn it on again:
systemsetup -setusingnetworktime off
systemsetup -setusingnetworktime on
Run the date command again and the clock should now show the current time: Tue Oct 30 11:09:26 CDT 2012. Active Directory users should be able to log in immediately.
To store this quick command for later select Save as Template… from the Template drop down menu and assign it a name.
I’ve given a presentation on my affinity for DeployStudio, yet with it being closed source, it’s sometimes like an enigma (wrapped in a mystery (wrapped in bacon)). However, a workflow exists to enable scripting within it, although the only option besides automatically running it when dropped into a workflow is non-interactively passing arguments to a script. Even with little in the way of documented information, projects have popped up to take advantage of the framework provided.
Most noticeably, Rusty Myers’ BackupRestore scripts enabled quite an interesting workflow: first, you could run one workflow to tar(or ditto) the user folders to a new Backup directory in the repo, with a few customizable exceptions. And then, when either specified or dropped into a workflow that had a restore action precede it, you could put the users and their associated passwords back into place. This is obviously pretty darn useful for clean(er) migrations and/or OS upgrades, or simply refreshing existing workstations with a new base set of software. Many folks in the MacEnterprise community contributed features, including FileVault(version 1) support, and updates were made for the curveball Lion introduced in respect to how passwords are stored(nested inside the user record plist itself.)
I’m in the process of creating a successor to this project, so I thought I’d share some of the experiences I’ve had and pointers I’ve come across as a sysadmin, not a software developer, attempting to get a repeatable task accomplished inside this framework. Tip number zero is the same advice given to all students of programming in scripting languages: don’t write a lot before running and getting feedback. So, I booted a laptop with a few small user folders to my DeployStudio-generated netboot set, authenticated to the interface, and opened terminal. That netboot set includes the optional Python framework(Ruby is another option if you’d like access to that scripting language), which I’ll be using in the future. Along with selecting “Display Runtime log window by default”, I extended the “Quit runtime automatically after__” number to 90 seconds, so when testing inside of a workflow I wouldn’t be kicked out as I iterated and repeated the process.
To get started, I made an “admin” folder inside the repo, put an updated version of the rsync binary in it(since the one in /usr/bin that ships with OS X is pretty ancient), and started writing a script in that directory which I could therefore run from terminal on the netbooted laptop over VNC/ARD. For starters, here’s tip #1:
DeployStudio mounts the repo in /tmp/DSNetworkRepository. While /tmp isn’t read only, you will get out-of-space errors and general unhappiness if you use it for anything except mountpoints.
Tip #2:
No, you can’t use symlinks in those subfolders to point somewhere else on the DeployStudio server, since it assumes the directory the symlink would point to is relative to the root of the netboot set instead. (No, really, it wouldn’t even work when using ln -s on the machine the repo’s hosted from instead of Finder’s aliases, which definitely don’t work in scripts.)
tip #3:
For persnickety folks like myself that MUST use a theme in terminal and can’t deal to not have option set as the meta key, you’re probably bummed that the Preferences menu item is greyed out and command-comma doesn’t seem to work. There is a way, though: from the Shell menu choose Show Inspector. Then from the settings tab, double-click the theme you prefer. The full settings window will appear, and you can have your modern conveniences again.
tip #4:
How does DeployStudio decide what is the first mounted volume, you may wonder? I invite(dare?) you to ‘bikeshed‘(find a more optimized way to accomplish a relatively trivial task) this particular piece of code: system_profiler SPSerialATADataType | awk -F': ' '/Mount Point/ { print $2}' | head -n1
In the case of the restore script, hard-coding the DS_LAST_RESTORED_VOLUME variable (on line 44 in Rusty’s current Lion version), or changing the argument in the workflow to pass that path with the -v flag will remove the dependency on restoring an image before putting user folders back in place.
Two more tips before I go, which are both specific to the task I’m trying to accomplish. Ownership on files will not be preserved when moved to the repo with rsync, so you can create a sparse image or sparsebundle as a destination, and it will even retain ACL’s (certain patched rsync binaries complain about smb_acl’s, like the one I used, which is bundled in DeployStudio’s Tools folder.) As mentioned about /tmp in the NetBoot environment earlier, sparseimages should be created in a subfolder of the repo, or you could easily run into ‘out of space’ errors.
When logging, you can use tee or simply redirect output, but more customized feedback in the actual log window in the Deploy Studio netboot runtime is helpful. There’s a “custom_logger” function used in some of the bundled scripts… which literally does nothing but echo $1 – pretty rudimentary. For output that doesn’t display when run as part of a script, you can redirect that output to /dev/stdout and have it shown instead of fooling around with echo or printf.
e.g. rsync -avz /source /destination >/dev/stdout
There may be a lag if verbose output happens in a short amount of time, as the main log file in the repo is being written to simultaneously to what is printed onscreen.
Oh, and the silliest thing I’ve noticed: your script needs to be owned by root:wheel and 777 in the scripts folder of the repo in order to show up in the workflow interface for selection… It’s got it’s quirks, but it’s just about the best out there!
318 Inc. CTO Charles Edge and Solutions Architect alumni Zack Smith were back at the MacSysAdmin Conference in Sweden again this year, and the slides and videos are now available! All the 2012 presentations can be found here, and past years are at the bottom of this page.
Let’s say, hypothetically, you’ve been in the Mac IT business for a couple revisions of the ol’ OS, and are familiar with centralized management from a directory service. While we’re having hypothetical conversations about our identity, let’s also suppose we’re not too keen on going the way of the dinosaur via planned obsolescence, so we embrace the fact that Configuration Profiles are the future. Well I’m here to say that knowing how the former mechanism, Managed Preferences (née Managed Client for OS X, or MCX) from a directory service interacted with your system is still important.
Does the technique to nest a faux directory service on each computer locally(ergo LocalMCX), and utilize it to apply management to the entire system still work in 10.8 Mountain Lion? Yes. Do applied Profiles show settings in the same directory Managed Preferences did? Yes… which can possibly cause conflicts. So while practically, living in the age of Profiles is great when 802.1x used to be so hard to manage, there are pragmatic concerns as well. Not everyone upgraded to Lion the moment it was released, just over a year ago, so we’re wise to continue using MCX first wherever the population is significantly mixed.
And then there’s a show-stopper through which Apple opened up a Third-Party Opportunity (trademark Arek Dreyer): Profiles, when coming straight out of Mac OS X Server’s 10.7 or 10.8 Profile Manager service, can only apply management with the Always frequency. Just like the former IBM Thinkpads, you could have any color you wanted as long as it’s black. No friendly defaults set by your administrator that you can change later, Profiles settings, once applied, was basically frozen in carbonite.
So what party stepped in to address this plight? ##osx-server discussions were struck up by the always-generous never-timid @gregneagle, about the fact that Profiles can actually, although undocumented, contain settings that enable Once or Often frequency. Certain preferences can ONLY by managed at the Often level, because they aren’t made to be manageable system-wide, like certain application (e.g. Office 2011) and Screen Saver preferences (since those live in the user’s ~/Library/ByHost folder.)
The end result was Tim Sutton’s mcxToProfile script, hosted on Github, which works like a champ for both of the examples just listed. Note: this script utilizes a Profiles Custom Settings section only, so for the things already supported by Profiles (like loginwindow) it’s certainly best to get onboard with what the $20 Server.app can already provide. But another big plus of the script is… you can use it script without having ProfileManager set up anywhere on your network.
So there you go, consider using mcxToProfile to update your management, and give feedback to Tim on the twitters or the GitHubs!
iPhoto is one of those apps that pretty much just works. But there are a few tips and tricks that we’ve picked up along the way, that we’d like to share with you.
The first: any time you’re having iPhoto problems, create a test library. To do so, hold down the option key when opening iPhoto.
When iPhoto opens, instead of a list of all your pretty pictures, you’ll see a screen that lists all of the iPhoto libraries available and options to browse to one (Other Library), create a new one (Create New) and choose one in the list. Click Create New.
Choose a location to save your iPhoto library and a name (e.g. TESTTESTTEST) and then click on the Save button.
The new library is created. If your problems go away then you have now triangulated them to the library itself. If the problems do not go away, then try a new user account on the system to see if the issue is with the profile and if the problems still persist then try moving the library to a new computer and seeing if it opens.
Assuming that the problem is with the iPhoto library (it usually tends to be) then close iPhoto and back the database up immediately. Then, open it again, this time holding down the Command and Option keys. When iPhoto opens, it opens the iPhoto First Aid screen, very helpful with iPhoto library problems. There are four options in the list. The options include:
Repair Permissions: Repairs the permissions of objects (I’ve yet to see this fix a problem, but I’m sure it can as it’s there).
Rebuild Thumbnails: Delete the thumbnails for photos and recreate them.
Repair Database: Checks the database for any errors and resolves them if possible. I’ve rarely found an issue this step did not resolve.
Rebuild Database: Rebuild the database from the files and metadata that don’t involve the database. Use this as a last resort.
I usually start with the top and work my way down, but YMMV. Now, in the event that the database can’t be repaired you’re not totally screwed. There are a few little third party utilities that can do things to the iPhoto database, but in my experience if a repair doesn’t work then you might be in a jam. As with many Apple apps, the iPhoto Library is actually a bundle. Within that bundle are a number of files, including .db files and .data files, property lists, caches, a directory of Thumbnails, another of Previews and another of Masters. Corruption can be in any of these. The most critical element is the Master directory, where the original images are stored. While not desirable, you can delete (move, not delete) aspects of the iPhoto database from this directory and allow them to be recreated until you locate the actual bad elements and see what kind of data is stored in them.
Finally, backup is just a very important aspect of any computing environment. Provided you have a good backup, Humpty Dumpty can be put back together from all the .db and .data parts of the database, journals, caches and img files if need be. While restoring an iPhoto Library from a backup is not always desirable, it will usually beat having to redo the Faces, Locations, Tags and other metadata for all the elements that comprise iPhoto!
Mountain Lion and Mountain Lion Server are now available on the OS X App Store. With a host of new features, notably including the ability to mirror desktops to Apple TV, Notification Center, Messages and other features, Mountain Lion is sure to be a boon to many an organization. But some features are also now missing, such as DHCP and Podcast Producer in OS X Server and of all things, negative mode.
Mountain Lion is one of the more incremental OS updates that Apple has released and so migrating from Lion to Mountain Lion is sure to be a breeze for many environments. But it’s still a major OS update and so should be taken carefully, as new features such as Gatekeeper are likely to give some environments fits. Before jumping into the App Store, be aware of all the various aspects of deployment. 318 can work with customers to plan and implement such migrations. Call your Professional Services Manager or contact sales@318.com for more information.
Previously in our series on commonly overlooked things in bash, we spoke about being specific with the binaries our script will call, and mentioned conventions to use after deciding what to variable-ize. The rigidity and lack of convenience afforded by bash starts to poke through when we’re trying to abstract re-usable inputs through making them into variables, and folks are commonly tripped up when trying to have everything come out as intended on the other side, when that line runs. You may already know to put quotes around just about every variable to catch the possibility of spaces messing things up, and we’re not even touching on complex ‘sanitization’ of things like non-roman alphabets and/or UTF-8 encoding. Knowing the ‘order of operation expansion’ that the interpreter will use when running our scripts is important. It’s not all drudgery, though, as we’ll uncover features available to bash that you may not have realized exist.
For instance, you may know curly braces can be used did you know there’s syntax to, for example, expand to multiple extensions for the same filenames by putting them in curly braces, comma-separated? An interactive example(with set -x) cp veryimportantconfigfile{,-backup} + cp veryimportantconfigfile veryimportantconfigfile-backup
That’s referred to as filename (or just) brace expansion, and is the first in order of the (roughly) six types of expansion the bash interpreter goes through when evaluating lines and ‘token-ized’ variables in a script.
Since you’re CLI-curious and go command line (trademark @thespider) all the time, you’re probably familiar with not only that you can use tilde(~) for a shortcut to the current logged-in users home directory, but also that just cd alone will assume you meant you wanted to go to that home directory? A users home gets a lot of traffic, and while the builtin $HOME variable is probably more reliable if you must include interaction with home directories in your script, tilde expansion (including any subdirectories tagged to the end) is the next in our expansion order.
Now things get (however underwhelmingly) more interesting. Third in the hit parade, each with semi-equal weighting, are
a. the standard “variable=foo, echo $variable” style ‘variable expressions’ we all know and love,
b. backtick-extracted results of commands, which can also be achieved with $(command) (and, worse came to worse, you could force another expansion of a variable with the eval command)
c. arithmetic expressions (like -gt for greater than, equal, less than, etc.) as we commonly use for comparison tests,
and an interesting set of features that are actually convenient (and mimic some uses of regular expressions), called (misleadingly)
$. dollar sign substitution. All of the different shorthand included under this category has been written about elsewhere in detail, but one in particular is an ad-hoc twist on a catchall that you could use via the ‘shell options’, or shopt command(originally created to expand on ‘set‘, which we mentioned in our earlier article when adding a debug option with ‘set -x‘). All of the options available with shopt are also a bit too numerous to cover now, but one that you’ll see particularly strict folks use is ‘nounset‘, to ensure that variables have always been defined if they’re going to be evaluated as the script runs. It’s only slightly confusing that a variable can have an empty string for a value, which would pass this check. Often, it’s the other way around, and we’ll have variables that are defined without being used; the thing we’d really like to look out for is when a variable is supposed to have a ‘real’ value, and the script could cause ill affects by running without one – so the question becomes how do we check for those important variables as they’re expanded?
A symbol used in bash that will come up later when we cover getopt is the colon, which refers to the existence of an argument, or the variables value (text or otherwise) that you’d be expecting to have set. Dollar sign substitution mimics this concept when allowing you to ad hoc check for empty (or ‘null’) variables by following a standard ‘$variable‘ with ‘:?’ (finished product: ${variable:?})- in other words, it’s a test if the $variable expanded into a ‘real’ value, and it will exit the script at that point with an error if unset, like an ejector seat.
Moving on to the less heavy expansions, the next is… command lookups in the run environments PATH, which are evaluated like regular(western) sentences, from left to right.
As it traipses along down a line running a command, it follows that commands rules regarding if it’s supposed to expect certain switches and arguments, and assumes those are split by some sort of separation (whitespace by default), referred to as the Internal Field Separator. The order of expansion continues with this ‘word splitting’.
And finally, there’s regular old pathname pattern matching – if you’re processing a file or folder in a directory, it find the first instance that matches to evaluate that – pretty straightforward. You may notice we’re often linking to the Bash Guide for Beginners site, as hosted by The Linux Documentation Project. Beyond that resource, there’s also videos from 2011(iTunesU link) and 2012(youtube) Penn State Mac Admins conference on this topic if you need a refresher before we forge ahead for a few more posts.
The default shell for Macs has been bash for as long as some of us can remember(as long as we forget it was tcsh through 10.2.8… and before that… there was no shell, it was OS 9!) Bash as a scripting language doesn’t get the best reputation as it is certainly suboptimal and generally unoptimized for modern workflows. To get common things done you need to care about procedural tasks and things can become very ‘heavy’ very quickly. With more modern programming languages that have niceties like API’s and libraries, the catchphrase you’ll hear is you get loads of functionality ‘for free,’ but it’s good to know how far we can get, and why those object-oriented folks keep telling us we’re missing out. And, although most of us are using bash every time we open a shell(zsh users probably know all this stuff anyway) there are things a lot of us aren’t doing in scripts that could be better. Bash is not going away, and is plenty serviceable for ‘lighter’, one-off tasks, so over the course of a few posts we’ll touch on bash-related topics.
Some things even a long-time scripter may easily overlook is how we might set variables more smartly and _often_, making good decisions and being specific about what we choose to variable-ize. If the purpose of a script is to customize things in a way that’s reusable, making a variable out of that customization (say, for example, a hostname or notification email address) allows us to easily re-set that variable in the future. And in our line of work, if you do something once, it is highly probable you’ll do it again.
Something else you may have seen in certain scripts is the PATH variable being explicitly set or overridden, under the assumption that may not be set in the environment the script runs in, or the droids binaries we’re looking for will definitely be found once we set the path directories specifically. This is well-intentioned, but imprecise to put it one way, clunky to put it another. Setting a custom path, or having binaries customized that could end up interacting with our script may cause unintended issues, so some paranoia should be exhibited. As scientists and troubleshooters, being as specific as possible always pays returns, so a guiding principle we should consider adopting is to, instead of setting the path and assuming, make a variable for each binary called as part of a script.
Now would probably be a good time to mention a few things that assist us when setting variables for binaries. Oh, and as conventions go, it helps to leave variable names that are set for binaries as lowercase, and all caps for the customizations we’re shoving in, which helps us visually see only our customized info in all caps as we debug/inspect the script and when we go in to update those variables for a new environment. /usr/bin/which tells us what is the path to the binary which is currently the first discovered in our path, for example ‘which which’ tells us we first found a version of ‘which’ in /usr/bin. Similarly, you may realize from its name what /usr/bin/whereis does. Man pages as a mini-topic is also discussed here. However, a more useful way to tell if you’re using the most efficient version of a binary is to check it with /usr/bin/type. If it’s a shell builtin, like echo, it may be faster than alternatives found at other paths, and you may not even find it necessary to make a variable for it, since there is little chance someone has decided to replace bash’s builtin ‘cd’…
The last practice we’ll try to spread the adoption of is using declare when setting variables. Again, while a lazy sysadmin is a good sysadmin, a precise one doesn’t have to worry about as many failures. A lack of portability across shells helped folks overlook it, but this is useful even if it is bash-specific. When you use declare and -r for read-only, you’re ensuring your variable doesn’t accidentally get overwritten later in the script. Just like the tool ‘set’ for shell settings, which is used to debug scripts when using the xtrace option for tracing how variables are expanded and executed, you can remove the type designation from variables with a +, e.g. set +x. Integers can be ensured by using -i (which frees us from using ‘let’ when we are just simply setting a number), arrays with -a, and when you need a variable to stick around for longer than the individual script it’s set in or the current environment, you can export the variable with -x. Alternately, if you must use the same exact variable name with a different value inside a nested script, you can set the variable as local so you don’t ‘cross the streams’. We hope this starts a conversation on proper bash-ing, look forward to more ‘back to basics’ posts like this one.
The Luggage is shaping up to be the go-to packaging software for Mac Admins. Getting started can be daunting for some, though, so I’ve narrated a video taking you through the steps required to set it up. Not included:
- Getting a Mac developer.apple.com account (while this process can mostly be done for free, it’s the best and easiest way if you do have access)
- Downloading the tools from the Mac Dev Center (Command Line Tools and Auxiliary Tools for Xcode)
- Choosing your favorite text editor (no emacs vs vi wars, thanks)
It was the pleasure of two 318′ers to attend and present at PSU Mac Admins Conference last month, and lickety-split, the videos have been made available! (Slides should appear shortly.) Not only can you pass the time away with on-demand streaming from YouTube, you can also download them for offline access (like the plane) at the iTunesU channel. Enjoy the current most popular video!
