Thursday, 19 January 2017

Validating your Munki manifests and pkgsinfos

Sometimes, bad things happen to your .plist files. Thus, it is prudent to run the following check on your Munki repo before deploying into production:

find {manifests,pkgsinfo} -type f -exec xmllint --output /dev/null {} \;

This will find all the files under the manifests and pkgsinfo directories, check them for well-formedness (but not content; you might still have a typo in what you actually want to say!), and report only on the errors.

The output is sent to /dev/null, as xmllint would otherwise spew out all valid plist files to the terminal, effectively hiding any problems you might have had. A --quiet|-q option would have been cleaner...
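A content-aware variant of the check above, as an added example (not from the original post): it parses each file with Python's plistlib instead of xmllint, so it also flags files that are well-formed XML but not usable plists, and it exits non-zero so a CI job can block the deploy. The REQUIRED_KEYS table and the function names are assumptions made for this example.

```python
import os
import plistlib
import sys
from xml.parsers.expat import ExpatError

# Keys each file type is expected to carry (assumption for this example).
REQUIRED_KEYS = {"pkgsinfo": ("name", "version"), "manifests": ()}


def check_plist(path, required=()):
    """Return None if the file is a usable plist, else a short error string."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
        return f"not a valid plist: {exc}"
    if not isinstance(data, dict):
        return "root object is not a dict"
    missing = [key for key in required if key not in data]
    return f"missing keys: {', '.join(missing)}" if missing else None


def validate_repo(repo_root):
    """Walk manifests/ and pkgsinfo/ and return [(relative_path, error), ...]."""
    problems = []
    for subdir, required in REQUIRED_KEYS.items():
        for dirpath, _dirs, files in os.walk(os.path.join(repo_root, subdir)):
            for name in files:
                if name.startswith("."):  # skip .DS_Store and similar
                    continue
                path = os.path.join(dirpath, name)
                error = check_plist(path, required)
                if error:
                    problems.append((os.path.relpath(path, repo_root), error))
    return sorted(problems)


if __name__ == "__main__":
    # Usage: python3 validate_repo.py /path/to/munki_repo
    found = validate_repo(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, err in found:
        print(f"{rel}: {err}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Like the xmllint one-liner, it prints only the problem files; valid ones produce no output.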

Wednesday, 23 November 2016

Things i'd like to learn as a sysadmin

These are (some of) the technologies i'd like to be proficient in, as a Mac sysadmin:

  • imagr
  • autodmg and other ways to create images
  • ...and packages
  • munki + git + autopkg + some kind of CI for linting and deployment
  • puppet + gitlab-ci + linting + deployment
  • ansible + gitlab-ci + linting + deployment
  • esxi + ansible (+ ci for linting)
  • santa
  • crypt2
  • logging, monitoring and alerting with TICK, ELK + topbeat, osquery and/or sensu
  • mdm (micromdm)
  • profiles
  • mcollective
  • sensu + puppet
  • docker
  • clever and useful dashboards
  • reposado

I use many of these technologies at work, but i still feel like i'm an inproficient hack with most of them. And as a sysadmin, i really like to know what i'm doing.

Tuesday, 21 June 2016

Changing your network password on OS X Server

Mac users often use a local account to log on to their computers, even in a business environment (which may come as a shock to Windows admins). Changing the local password is just System Preferences → Users & Groups → Change password. This also works nicely if the Macs authenticate to a network server (or tends to). But to change the password of one's network account when the computer is not tied to a domain or an LDAP server, things get a little different.

As a user, go to the web page of your server (more specifically, the Mac server, running Open Directory -- hereafter just called The Server). If the sysadmin has done the job well, a fairly generic page should come up with links to My Documents, All Activity, Wikis and People ... and at the bottom of the page, a link to Change Password. Click it. Authenticate, if needed, and change your password. Easy, if not altogether obvious.

Now if you are the sysadmin, things are yet more complicated. First, your server should have an SSL certificate. You should probably enable the Wikis service from the, if for no other reason than that It Works On My Computer (we did that for the sole purpose of having a shared team calendar!). Now enable the Websites service. Double-click the bit that says Server Website (SSL) and check ☑ Allow users to change their password. Yeah, i admit it is well hidden. And now, users can change their network password! Woo-hoo!

Thursday, 19 May 2016

Removing unnecessary Puppet reports

A Puppet server i'm managing was running out of disk space and the culprit turned out to be Puppet's rather verbose report files. I had a whole bunch of reports which simply informed that the following umpteen files were not changed at all. This is both useless and wasteful, at 38 megs a report, per server, twice an hour. Even though the environment is small, i ended up with 22 gigs of reports...

After much googling and stackoverflowing, i came up with the following script:

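#!/bin/bash
# List every report in which a "status: unchanged" line is directly
# followed by "metrics" (the grep command is one long line).
grep -Pzl "status: unchanged(\n)metrics" /opt/puppetlabs/server/data/puppetserver/reports/*/*.yaml > "$(dirname "$0")/unchanged-reports"

# For each listed report, delete everything from the "metrics:" line to the
# end of the file, then replace the original with the trimmed copy.
while read -r p; do
  sed '/metrics:/,$d' "$p" > "${p}.0"
  rm "$p"
  mv "${p}.0" "$p"
done < "$(dirname "$0")/unchanged-reports"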

Run as root. Comment out the rm and mv bits if you're nervous or you just want to experiment.

The command line switches for grep (these only work with GNU grep, i.e. on Linux):

-P turns on experimental Perl regexp mode and can potentially break things
-z will effectively allow for multiline regexp patterns
-l will return the file name where the pattern was found rather than the pattern itself

And then you can automate this, say, with cron.

In addition to this script, i use logrotate to compress and eventually remove old report files.

Sunday, 15 May 2016

Mac tip: what's eating your net

Mac command line tip of the day:


...and then press c and d.

This will show you which programs (or more to the point, processes) use your network connection and how much. c collapses the rows so you don't get one line per connection (you can get back to the expanded view by pressing e). “Delta mode” d shows you how much network capacity each program (or connection, if you're in expanded view) is using right now, and pressing d again takes you back to showing the total amount of traffic transported.

If you want to get geeky, you can toggle p to see the number of bytes transported rather than the more human readable so and so many megs or gigs.

Use the arrow keys to scroll to the sides for more statistics (use j to select which stats to display) and up-and-down if you have a really large number of programs on the list, or are watching the expanded view.

Finally, h will bring you the help screen so you don't have to remember all the keys i just wrote about :D

Tuesday, 21 July 2015

How to get the IP address of a Mac

Every time you connect a new network adapter to a Mac, you get a new Ethernet device configured on your computer. This is both logical and expected, but it means that you can't really tell what the name of your currently active network interface is. This makes things like checking your IP address a bit cumbersome.

And here's a shell script to remedy that:

interface=$(route get default| awk '/interface: / {print $2}')
ipconfig getifaddr $interface

This will only return the IP address of your default NIC. If you have more than one active network interface, you'll have to take the long route :)

Thursday, 25 June 2015

I made an Internet Button

Along comes a few days of solo summer vacation and i’m off to the countryside. So what can a man do out in the wild? Hack.

An Internet Button is a button which, when you press it, makes something happen on the Internet. It’s the Internet of things equivalent of a Hello, World! program, and i made one yesterday built on the Proton Core platform.

A Core is basically an Arduino compatible microcontroller with a Wi-Fi chip slapped on, and a cloud environment to support the whole shebang. I’ve had two of these Spark Cores (as they were known then) for well over a year now, since backing them on a Kickstarter campaign, but i’ve never really got around to doing anything sensible with them. The problem was always that the Wi-Fi connection dropped after some time and then the program crashed. So i lent my chips to a couple of colleagues (one of whom used them to draw attention and open a door). Eventually i got them back, and they were left to gather dust in my geek cave.

Since the new Particle Proton chips are finally going to ship now, i’d read a bit on the documentation and decided to give my Cores another spin. The results, along with the instructions on how to get the button on the Internet, are on GitHub.