nopkg and installcheck_script example
1,495 views
Skip to first unread message
Greg Neagle
Sep 6, 2012, 1:54:33 PM9/6/12
to munk...@googlegroups.com
This is creeping awfully close to configuration management, but I thought I'd post this anyway. Here's an example of using the new "nopkg" installer_type together with an installcheck_script to ensure a certain bit is installed in syslog.conf:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>autoremove</key>
<false/>
<key>catalogs</key>
<array>
<string>production</string>
</array>
<key>description</key>
<string>Configures syslog for some nefarious purpsoe.</string>
<key>display_name</key>
<string>Nefarious syslog configuration</string>
<key>installcheck_script</key>
<string>#!/bin/sh
# see if the nefarious config is already in place
/usr/bin/grep "@loghost:514" /private/etc/syslog.conf >/dev/null
if [ $? -ne 0 ]; then
# write the nefarious config to syslog.conf
echo "" >> /etc/syslog.conf
echo "# forward nefarious messages to loghost" >> /etc/syslog.conf
echo "local5.* @loghost:514" >> /etc/syslog.conf
# tell syslogd to reinitialize
/usr/bin/killall -HUP syslogd
fi
# exit 1 to say we don't need an install (cause we just did it)
exit 1
</string>
<key>installer_type</key>
<string>nopkg</string>
<key>minimum_os_version</key>
<string>10.6.0</string>
<key>name</key>
<string>nefarious_syslog_conf</string>
<key>uninstallable</key>
<false/>
<key>version</key>
<string>2.0</string>
</dict>
</plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>autoremove</key>
<false/>
<key>catalogs</key>
<array>
<string>production</string>
</array>
<key>description</key>
<string>Configures syslog for some nefarious purpsoe.</string>
<key>display_name</key>
<string>Nefarious syslog configuration</string>
<key>installcheck_script</key>
<string>#!/bin/sh
# see if the nefarious config is already in place
/usr/bin/grep "@loghost:514" /private/etc/syslog.conf >/dev/null
if [ $? -ne 0 ]; then
# write the nefarious config to syslog.conf
echo "" >> /etc/syslog.conf
echo "# forward nefarious messages to loghost" >> /etc/syslog.conf
echo "local5.* @loghost:514" >> /etc/syslog.conf
# tell syslogd to reinitialize
/usr/bin/killall -HUP syslogd
fi
# exit 1 to say we don't need an install (cause we just did it)
exit 1
</string>
<key>installer_type</key>
<string>nopkg</string>
<key>minimum_os_version</key>
<string>10.6.0</string>
<key>name</key>
<string>nefarious_syslog_conf</string>
<key>uninstallable</key>
<false/>
<key>version</key>
<string>2.0</string>
</dict>
</plist>
Timothy Sutton
Sep 6, 2012, 2:59:27 PM9/6/12
to munk...@googlegroups.com
Huh. I just did a nopkg type the other day to add users to _lpadmin, except I'd followed an example of a previous post on here re: Dropbox, and did the "install" part in the preinstall_script.. except in my case, I want to also be able to remove it.
I can't think of an elegant way to contain the install logic within installcheck_script as you've done and still be able to support removal.. but this seems to work well enough.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>autoremove</key>
<false/>
<key>catalogs</key>
<array>
<string>testing</string>
<key>display_name</key>
<string>System Settings: Add 'everyone' to '_lpadmin'</string>
<string>#!/bin/bash
# Get UUID of everyone group
EVERYONE=`dsmemberutil getuuid -G everyone`
# Check if everyone's UUID is in _lpadmin's NestedGroups
! dscl /Local/Default -read Groups/_lpadmin NestedGroups | grep "$EVERYONE"
</string>
<key>minimum_os_version</key>
<string>10.6.8</string>
<key>name</key>
<string>Settings_AddEveryoneToLpadmin</string>
<key>preinstall_script</key>
<string>#!/bin/sh
/usr/sbin/dseditgroup -o edit -a everyone -t group _lpadmin
</string>
<key>unattended_install</key>
<true/>
<key>uninstall_method</key>
<string>uninstall_script</string>
<key>uninstall_script</key>
<string>#!/bin/sh
/usr/sbin/dseditgroup -o edit -d everyone -t group _lpadmin
</string>
<key>uninstallable</key>
<true/>
<key>version</key>
<string>2012.08.31</string>
</dict>
</plist>
I can't think of an elegant way to contain the install logic within installcheck_script as you've done and still be able to support removal.. but this seems to work well enough.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>autoremove</key>
<false/>
<key>catalogs</key>
<array>
<string>production</string>
</array>
<key>description</key>
<string></string>
</array>
<key>description</key>
<key>display_name</key>
<string>System Settings: Add 'everyone' to '_lpadmin'</string>
<key>installer_type</key>
<string>nopkg</string>
<key>installcheck_script</key>
<string>nopkg</string>
<string>#!/bin/bash
# Get UUID of everyone group
EVERYONE=`dsmemberutil getuuid -G everyone`
# Check if everyone's UUID is in _lpadmin's NestedGroups
! dscl /Local/Default -read Groups/_lpadmin NestedGroups | grep "$EVERYONE"
</string>
<key>minimum_os_version</key>
<string>10.6.8</string>
<key>name</key>
<string>Settings_AddEveryoneToLpadmin</string>
<key>preinstall_script</key>
<string>#!/bin/sh
/usr/sbin/dseditgroup -o edit -a everyone -t group _lpadmin
</string>
<key>unattended_install</key>
<true/>
<key>uninstall_method</key>
<string>uninstall_script</string>
<key>uninstall_script</key>
<string>#!/bin/sh
/usr/sbin/dseditgroup -o edit -d everyone -t group _lpadmin
</string>
<key>uninstallable</key>
<true/>
<key>version</key>
<string>2012.08.31</string>
</dict>
</plist>
Greg Neagle
Sep 6, 2012, 3:04:28 PM9/6/12
to munk...@googlegroups.com
Right; there's no removal with this approach.
-Greg
-Greg
nbalonso
Dec 22, 2012, 2:47:42 AM12/22/12
to munk...@googlegroups.com
I am thinking on implementing a nopkg file with an installcheck_script to open some settings to non admin users.
My question is wether the installcheck is executed in every Munki run. I understand it does. Any recommendation to save some cpu cycles?
I also understand that anything I put into the custom conditions folder in the clients is also executed every run. So create an array of permissions and check the ManagedInstallReport.plist could be even slower.
An environment with an average of 9.000 daily Munki runs is quite sensitive to this things
Joe Wollard
Dec 22, 2012, 11:05:55 AM12/22/12
to munk...@googlegroups.com, munk...@googlegroups.com
I am thinking on implementing a nopkg file with an installcheck_script to open some settings to non admin users.My question is wether the installcheck is executed in every Munki run.
They do as do uninstall_check scripts.
I understand it does. Any recommendation to save some cpu cycles?
Be efficient? ;-)
Joe Wollard
Dec 22, 2012, 11:21:44 AM12/22/12
to munk...@googlegroups.com
It just occurred to me that there is at least one simple thing you could do to make your scripts a little less CPU heavy. In general, there might be some pkgsinfo items that you want to make sure are installed, but maybe you can afford to be a little relaxed with how frequently those installations are checked.
In your scripts (custom conditions, installcheck_script and uninstallcheck_script), you could simply write a cached results file and exit accordingly. For example:
installcheck_script:
does a cache file exist?
YES:
has the cache expired or can it be trusted?
TRUSTED:
exit with cached value
EXPIRED:
delete cache file
…do heavy lifting here…
write results to cache file
exit with appropriate value
Let's say you've got munki set to wake up about once every hour. If you decide to trust your cached results for 12 hours, then your installcheck_script really only runs its full payload twice per day instead of ~24.
Reply all
Reply to author
Forward
0 new messages