This is the initial release of a product that I hope I can get developed more fully. It’s designed to prepare, on the host Mac, a repository of packages for cloud distribution via Amazon Web Services’ S3 storage service. It’s not fully complete: you will still have to either put a CloudFront Distribution in front of the bucket or prepare the bucket for public file service. It relies on the awscli command line tool to create the S3 bucket using a set of AWS credentials, which you’ll need to supply.
As with Munki in a Box, prepare your variables carefully and then fire the script off. Unlike Munki in a Box, you then need to either prepare your S3 bucket for public distribution (not always recommended, since the entire repo becomes readable by anyone on the internet) or set up a CloudFront Distribution on top of it and distribute the middleware and its CloudFront signing key to your clients.
I do want to automate the CloudFront creation in the future, and Clayton Burlison’s terraform-munki seems to be the right way to handle this; I just haven’t been able to make my brain understand enough Terraform to roll it in.
If you’ve got questions or concerns, I’m happy to hear them; please file an issue on GitHub. Pull requests will also be gleefully accepted.
It’s MacDevOps YVR week, one of my favorite weeks of the year. This morning, Clayton Burlison released an awesome package called terraform-munki that does something super helpful: it provides a set of Terraform templates that create the resources you need within your own AWS account, preparing an S3 bucket and creating a CloudFront Distribution with a TLS certificate.
This is exactly what I’ve been working around in my development of munki-in-a-cloud, which will replace munki-in-a-box due to the deprecation of Server.app’s web services by Apple later this year. I have the script done, except for the creation of the CloudFront Distribution, which I was reading all about when Clayton suddenly said “Oh! I did that! And I’m releasing it this week!”
So I’ll be figuring out which parts of terraform-munki are helpful to this new project and will get used or adapted into munki-in-a-cloud.
The goal is the same as munki-in-a-box: a script to create a functional Munki environment and repository, and make it ready for use in the cloud. With a future version of macOS Server removing the web service functionality entirely, it seems prudent to look at good cloud options.
If you’ve got opinions on a project like this, I’d love to talk more with you. Find me on the Mac Admins Slack to talk about it more.
Thanks very much to the folks at Amsys for having me out to London to present my talk this year at MacADUK, called Munki Mistakes Made Right. Over the last few years, I’ve done probably 25 munki installations, in groups as small as a few clients, or as many as a hundred. There are always challenges in implementing Munki well, especially as the product matures and grows and the ecosystem around it changes to add tools like autopkg, Jamf Pro, and other solutions that can be co-implemented with Munki.
I’ve learned a lot from my implementations, and I want to share that with everyone so that, as the saying goes, my mistakes may be avoided by future generations of admins. I’ve prepared a few sections of this presentation on various mistakes I’ve made (security mistakes, configuration mistakes, catastrophic mistakes) and how we addressed them in practice. This talk shouldn’t be seen as a complete catalogue of all the mistakes one can make – folks are always coming up with new and creative ways to break things, as well they should – but it’s a good place for me to talk about the ways we’ve been changing our existing environments to make them better, stronger, and faster.
There are some things that I’ve released recently, code-wise, that get callouts in this presentation, and I want to make sure they’re called out clearly here for ease of use:
Munki in a Box 1.5.1
I released Munki in a Box 1.5.1 last week, and it was largely a maintenance release. The following changes are worth noting: by default, Munki in a Box will now set up HTTP Basic Auth with a password of your choosing. In addition, it’s designed to be used with an HTTPS-native server, which you should be using anyway. The old security branch, which 1.5.0 was based on, walked that line, but it was time to fold that branch back in. So I did.
In addition, MIAB 1.5.1 now creates local overrides for all the autopkg recipes specified in the initial command variable, to better handle autopkg’s recipe trust verification.
Change Munki, Tell Slack
As part of the talk, I’m going to explain why a configuration manager or Mac-capable MDM is your best friend, but if you lack one for budgetary or administrative reasons, I’m going to give you a tool to deploy changes to your fleet in reportable ways.
Both will handle a scripted change of your Munki preferences file and pass that information along to a Slack channel of your choosing via a webhook.
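As an added example of the pattern described above (this is not one of the scripts from the talk), here is a shell script that changes a single key in the ManagedInstalls preference domain with defaults, reads the value back, and reports the old and new values to a Slack Incoming Webhook. The webhook URL, the preference key used in the usage example, and the host naming are placeholders; note that the values are escaped before being embedded in the JSON payload so that a hostname or URL containing quotes cannot corrupt the message.

```shell
#!/bin/sh
# Added example, not one of the author's scripts: change one Munki preference
# and tell Slack what changed. Run as root on the client.
set -eu

PREF_DOMAIN="/Library/Preferences/ManagedInstalls"
# Placeholder webhook; in practice read it from a root-only file rather than
# hard-coding it in a script every user on the machine can read.
WEBHOOK_URL="${SLACK_WEBHOOK_URL:-https://hooks.slack.com/services/EXAMPLE/EXAMPLE/EXAMPLE}"

# Escape a value for embedding inside a JSON string literal: backslashes and
# double quotes are escaped, control characters are dropped.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n\r\t'
}

# Build the Slack Incoming Webhook payload (a single "text" field).
# Arguments: host key old_value new_value
build_payload() {
  host=$1; key=$2; old=$3; new=$4
  printf '{"text":"%s: ManagedInstalls %s changed from \\"%s\\" to \\"%s\\""}' \
    "$(json_escape "$host")" "$(json_escape "$key")" \
    "$(json_escape "$old")" "$(json_escape "$new")"
}

# Apply the change and report it.
# Usage: sudo sh munki_pref_slack.sh --apply SoftwareRepoURL https://repo.example.com/munki_repo
main() {
  key=$2; new=$3
  host=$(scutil --get ComputerName 2>/dev/null || hostname)
  old=$(defaults read "$PREF_DOMAIN" "$key" 2>/dev/null || echo "(unset)")
  defaults write "$PREF_DOMAIN" "$key" -string "$new"
  # Read back so the report reflects what the client will actually use.
  applied=$(defaults read "$PREF_DOMAIN" "$key")
  curl -fsS -X POST -H 'Content-type: application/json' \
    --data "$(build_payload "$host" "$key" "$old" "$applied")" "$WEBHOOK_URL"
}

if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ]; then
  main "$@"
fi
```

The message carries both the previous and the new value, which is what makes the change auditable from the Slack history alone when you have no configuration manager keeping state for you.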
Slides & Notes
I’m making my slides and presenter’s notes available as a PDF for download, in case you might enjoy them. If you have comments on the scripts above, or suggestions for converting them to Python, both are welcome.
Tonight I’ve released a test branch of Munki-in-a-Box that adds a significant feature: Out of the box HTTP Authentication over SSL for a higher level of security.
Previous versions of Munki-in-a-Box have leveraged transport layer security to make sure that the packages and manifests sent from the server to the client were not captured in transit. TLS is also helpful for making sure that you’re talking with the right server, provided that you haven’t accepted a false certificate. This new version seeds the authentication credentials to the client through the ClientInstaller.pkg file created by the script, and then provides HTTP Basic Authentication setup files for your Server. Note that every client receives the same credential: Basic Auth here keeps anonymous visitors and scrapers out of the repo, but it does not authenticate individual machines, and anyone with access to a client’s preferences can recover the password, so it only makes sense in combination with TLS.
This does make a pretty stark change: The Software Repo now has to be in the Server’s path, and by default, it will be a folder marked munki_repo in /Library/Server/Web/Data/Sites/Default. Server cannot apply .htaccess and .htpasswd files outside of /Library/Server, so the repository has to live there directly instead of in /Users/Shared.
You can set the password for HTTP Basic Authentication in the initial declaration of variables.
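Both halves of the setup described above, as an added example rather than the script’s own code: the server side (an .htaccess fragment for the repo directory and a bcrypt .htpasswd entry) and the client side (Munki’s AdditionalHttpHeaders preference carrying the matching Authorization header). The user name, password, repo path and the _www group are placeholders; htpasswd is assumed to be Apache’s, as shipped on macOS.

```shell
#!/bin/sh
# Added example, not Munki in a Box's own code: HTTP Basic Auth for a Munki repo
# served by Apache, plus the client-side header that goes with it.
set -eu

REPO_USER="${REPO_USER:-munki}"
REPO_PASS="${REPO_PASS:-s3cret}"   # placeholder; use a long random value in practice
REPO_DIR="${REPO_DIR:-/Library/Server/Web/Data/Sites/Default/munki_repo}"

# Base64("user:pass") is exactly what the client sends. It is encoding, not
# encryption, which is why this header must only ever travel over HTTPS.
basic_auth_header() {
  printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Apache fragment for the repo directory: every request needs a valid user.
# Apache's stock config refuses to serve .ht* files, so .htpasswd next to the
# repo is not exposed; keep it outside the document root if your layout allows.
htaccess_fragment() {
  cat <<EOF
AuthType Basic
AuthName "Munki Repository"
AuthUserFile ${REPO_DIR}/.htpasswd
Require valid-user
EOF
}

# One .htpasswd line. bcrypt (-B) resists offline guessing far better than the
# legacy crypt/MD5 formats if the file ever leaks.
htpasswd_line() {
  htpasswd -nbB "$1" "$2"
}

# Client side: Munki adds each AdditionalHttpHeaders entry to every repo request.
# Run as root on the client, or bake it into ClientInstaller.pkg.
client_defaults_command() {
  printf 'defaults write /Library/Preferences/ManagedInstalls AdditionalHttpHeaders -array "%s"' \
    "$(basic_auth_header "$1" "$2")"
}

# Write the server files with permissions readable by Apache (_www on macOS
# Server) but not by other local users.
write_server_files() {
  htaccess_fragment > "${REPO_DIR}/.htaccess"
  htpasswd_line "$REPO_USER" "$REPO_PASS" > "${REPO_DIR}/.htpasswd"
  chown root:_www "${REPO_DIR}/.htaccess" "${REPO_DIR}/.htpasswd"
  chmod 640 "${REPO_DIR}/.htaccess" "${REPO_DIR}/.htpasswd"
}

if [ "${1:-}" = "--write" ]; then
  write_server_files
  echo "Run this on each client:"
  client_defaults_command "$REPO_USER" "$REPO_PASS"
  echo
fi
```

Run it as root with --write on the server; it prints the defaults command that the client installer needs to carry. A quick sanity check afterwards is to fetch a manifest with curl once without the header (expect 401) and once with it (expect 200).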
Next up? Figuring out how to automate the setup of a CA for device certificate signing.
When Rich Trouton recently blogged about automating the setup of Server.app, we talked a bit about how it might apply to Munki in a Box. The idea of having a version that you could run entirely without having to have pre-loaded Server.app was attractive, as it would save steps.
On the heels of the work earlier this week on getting webappctl tamed for use at the command line, I had all the pieces necessary to complete the project, just a week after commissioning.
To use this script to its fullest, you need a copy of the AppStore Installer Package for Server.app (here’s how to grab it), as well as a good hostname to use for your server. That means the hostname needs to be ready in your DNS for the script to work. I suppose I could write a check for that, and will for beta 2.
Apple’s Server.app offering has a strong command line interface that is usually exposed through the serveradmin command. This is great when you want to start or stop the web service, or view all of the Apache settings:
sudo serveradmin start web
sudo serveradmin stop web
sudo serveradmin settings web
But the thing I really, really wanted to do with serveradmin was turn on the PHP Web Application, because Munkireport-PHP relies on it being running, and if serveradmin can’t engage the PHP application engine, I was going to be unable to control it programmatically, or view its status with a check.
I submitted a bug to Apple that it wasn’t available as part of serveradmin, and I fully expected it to be closed with “functions as intended.”
And it was!
But there was a pleasant note at the bottom:
You can enable/disable PHP from the command line, just not with serveradmin. The supported way is:
sudo webappctl [start|stop] com.apple.webapp.php
This, of course, got me reading the (ample) man page for webappctl.
webappctl recognizes the start or stop argument to activate or de-activate the webapp specified by webapp-name. If the webapp-name is specified as "-", the start/stop/status action applies to all webapps represented with a plist present in /etc/apache2/webapps/. In the case of a restart "-" action, the set of running webapps are stopped, then started. (In the case of a restart for a specific webapp, the webapp will be stopped, then started, even if it was not running before.) If the status argument is specified, a list of enabled webapps is displayed. The tree[s] argument displays the hierarchy of webapps declared by the requiredWebApps property. The optional vhost-name argument specifies the name of the virtual host through which the webapp is to be proxied. If omitted the default wild-card virtual host is used.
This means that you can start, stop, or check the PHP and Python web applications programmatically with webappctl, using the form shown above.
This opens the door further for a version of Munki in a Box that could configure Server.app if it isn’t already, including the activation of the web service and the PHP web application service. This is good news.
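Putting the two tools together, here is an added example (not Munki in a Box code) of the kind of idempotent check-then-start step such a script would run before touching MunkiReport: it inspects the web service state and the list of enabled webapps first, and only starts what is not already running. The serveradmin fullstatus line format (web:state = "RUNNING") is what serveradmin prints on macOS Server in my experience, but treat it as an assumption and confirm it on your own release; the webappctl status output is taken from the man page excerpt above, and the sample output in the checks is constructed.

```shell
#!/bin/sh
# Added example, not Munki in a Box's own code: make sure Server.app's web
# service and the PHP webapp are running, without restarting anything that is
# already up. Run with sudo on the server.
set -eu

PHP_WEBAPP="com.apple.webapp.php"

# Extract the bare state word from `serveradmin fullstatus web` output on stdin.
# Assumed line format: web:state = "RUNNING"
web_state_from_fullstatus() {
  sed -n 's/^web:state = "\([A-Z]*\)"$/\1/p'
}

# True if the named webapp appears in `webappctl status -` output on stdin.
webapp_listed() {
  grep -q -F "$1"
}

# Start the web service only if serveradmin does not report it RUNNING.
ensure_web_running() {
  state=$(sudo serveradmin fullstatus web | web_state_from_fullstatus)
  if [ "$state" != "RUNNING" ]; then
    sudo serveradmin start web
  fi
}

# Start the PHP webapp only if it is not in the list of enabled webapps.
# ("-" asks webappctl to report on all webapps with a plist in /etc/apache2/webapps/.)
ensure_php_webapp() {
  if ! sudo webappctl status - | webapp_listed "$PHP_WEBAPP"; then
    sudo webappctl start "$PHP_WEBAPP"
  fi
}

if [ "${1:-}" = "--ensure" ]; then
  ensure_web_running
  ensure_php_webapp
fi
```

Checking before starting matters because, as the man page notes, a restart of a specific webapp stops and starts it even when it was not running, which is not what you want in a script that may run on every pass of a configuration tool.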
One of the projects I’ve been working on for the last year is Munki in a Box, designed to take your bare Mac server to being a fully-implemented and ready-to-roll Munki server with automatic management through AutoPkg and AutoPkgr, GUI configuration through MunkiAdmin, as well as an inventory control scheme using Munkireport-PHP.