Herding cats: managing a mobile Unix platform
This page is a vademecum for a paper presented at the LISA 05 conference. Many thanks to the people at RSUG for hosting this page. The Powerpoint presentation is here.
All scripts, programs, etc listed here can be used with any open source license compliant with the OSDL open source definition at OSDL. Exceptions to this rule are noted below...
Why Mac OS X?
The weighted score analysis can be found here. It was used to determine the best platform for our user base.
SSL scripts
The SSL scripts to create, sign and revoke SSL certificates. These are used by regserv to automatically create certificates on request. Note that we use these certificates mainly as a way to identify machines to the radmind server (and allow different images to exist based on the CN of the certificate). Also we wanted encrypted traffic where possible. Note that regserv is based on the radmind source code, it is therefor released under the same source code license as radmind.
Radmind
Patches against radmind can be found in the patches section of the radmind project website. Amongst these are patches to:
- compress the wire traffic of the radmind protocol (most of our users work a considerable amount of time out of the office, and we need to be able to push updates quickly)
- check an entire loadset (tcheck)
- add a "don't care" flag to radmind (makes radmind ignore files completely)
- add local lcksum capability (lcsum normally only works on the server)
Note that radmind is (C) University of Michigan and has its own license restrictions. These patches are therefor released under the same license.
Backups
Wout Mertens at Cisco made an rsync front-end to make things easier for the user. The software backs up the client to a server which can then be backed up using your regular backup infrastructure. The source code is here.
Asset tracking
The asset tracking software was written in house by Tom Norwood at Cisco. It's precompiled SQL code for Oracle, you can find the source here.
Various tidbits
The largest set of scripts is located here, these are all the scripts we use to manage the Mac OS X clients.
- hooks: these are the login and logout hooks called by loginwindow.
- check/set machine ownership
- check for/download machine's client certificates
- create postfix config from template
- create filevault for user if none exists
- log logins to asset tracking database
- install user shell files (.bashrc, etc) and preferences
- check for forced reboot flag
- radmind: all the scripts used to keep the system up-to-date.
- lower level scripts used by login hooks
- creation scripts for golden image (generic image dumped on new boxes)
- tools for creating loadsets
- ...
- system: what we needed to manage the system. This is a collection of small tools to e.g.:
- check user passwords
- create filevaults
- report on IP addresses
- system owner and serial number
- fix netinfo cache issues
- add/delete users from netinfo
- rebuild kext kernel extension cache
- change application directory timestamps (so finder rebuilds the cache)
- show the current IP address in the loginwindow