At MacWorld 2011, Ed Marczak and Clay Caviness gave a presentation called A Week in the life of Google IT. It included quite the bombshell, that Google was open-sourcing its Managed Software Update (Munki) server component for use on the Google App Engine (or GAE). Some began immediately evaluating the solution, but Munki itself was still young, and the enterprise-intent of the tool made it hard for smaller environments to consider evaluating. Luckily, the developers at Google kept at it, and just like GAE graduated from beta and other Google products got a facelift, a new primate now stands in our midst (mist?): Simian 2.0!
With enhancements more than skin deep, this release ups the ante for competing ‘munkiweb’ admin components, with rich logs and text editor-less manifest generation. For every package you’d like to distribute, only one run of the Munki makepkginfo tool is required – the rest can be done with web forms. No more ritual running of makecatalogs, just click the snazzy buttons in the interface!
Unlike the similarly GAE-based Cauliflower Vest, Simian does not require a Google account for per-client secure transmission, which makes evaluation easier. While GAE has ‘billable‘ levels, the free version allows for 1GB of storage with 1GB of upload and… yup, 1GB of download. While GAE may not be quite as straightforward to calculate the cost of as other ‘Platform as a Service’ offerings, it is, to use a phrase, ‘dumb cheap’. The only time the server’s instance would cost you during billable operation is when Admins are maintaining the packages stored, or when clients are actively checking in (by default once a day) and pulling packages down. As Google ‘dogfood’s the product, they have reported $.75/client per YEAR in the way of GAE-related costs.
Getting started with Simian is not a walk in the park, however: you must wrap your brain around the concept of a certificate authority (or CA), understand why the configuration files are a certain way based on the Simian way of managing Munki, and then pay close attention as you deploy your customized server and clients. Planning your Simian deployment starts with either creating or reusing an existing certificate authority, which would be a great way to leverage Puppet if it’s already running in your environment. Your server just needs to have its private key and public certificate signed by the same authority as the clients to secure their communication. Small or proof-of-concept deployments can use this guide to step you through a quick Certificate Authority setup.
When it comes to the server configuration, it’s good to specify who will be granted admin access, in addition to the email contact info for your support team. The GAE instance requires a Google account for authentication, and it is recommended that access is restricted to users from a particular Google Apps domain (free or otherwise). One tripping point is when allowing domain access to the GAE instance, you need to go to a somewhat obscure location in your GoogleApps dashboard (linked from above where the current services are listed on the dashboard tab, as pictured):
Ready to take the plunge? Once configurations have been set in the three files specified in the wiki, and the certs you’ll use to identify and authenticate your server, CA, and a client are stowed in the appropriate directories, go ahead and send it up to the great App Engine in the sky.
See our follow-up article