Multi-admin Munki administration
317 views
Skip to first unread message
Mike Solin
Jun 1, 2015, 1:36:57 PM6/1/15
to munki-...@googlegroups.com
Hey everyone -
I’m starting to explore the possibility of allowing multiple people admin-level access to our Munki repository. At the moment, the server itself is a Windows 2012 r2 VM, the web server is IIS, and I’m mounting the repository over SMB. We have Munki Enroll set up too, so PHP is running within IIS. I generally use a combination of the CLI tools and MunkiAdmin on my Mac (I also have AutoPkg running periodically through AutoPkgr). Besides AutoPkg and Munki Enroll, I’m generally the only person touching the repository, so this works pretty well.
Our group has recently expanded, and I’ve been asked to explore the possibility of multiple admins for the Munki repository. Ideally, I’d like to continue using MunkiAdmin, but I’m open to using another tool (even if that requires moving the Munki server to another OS, like Linux). I’m concerned about multiple admins clobbering each other’s work - Git might help with this, but I don’t know how Munki Enroll and AutoPkg would complicate Git commits to the repository. Git would also give us a trail of changes that could be audited, which would be excellent.
Mandrill looks like a good candidate - it seems to support Git and multiple users from the screenshots. I haven’t dug deep enough to determine if it can do AD/LDAP. Is anyone else using Mandrill, or something similar? Is there a good way to use MunkiAdmin for this instead? I see the latest version of MunkiAdmin supports preflight and postflight scripts - but for multiple users to use MunkiAdmin, they’d still need to periodically reload the interface.
To complicate things further, I plan to add SSL and HTTP Basic Authentication in the future too, so anything we move to would need to be compatible with that (if the solution is a web interface).
Any ideas?
Hannes Juutilainen
Jun 1, 2015, 2:10:43 PM6/1/15
to munki-...@googlegroups.com
I would strongly guide you towards using version control regardless of the tools you're using to make edits.
But for MunkiAdmin:
MunkiAdmin is originally designed to be used with a local copy of the repository and it really wants exclusive access to the repo while running. If multiple admins access the repo with multiple MunkiAdmin instances you will run into conflicts sooner or later (probably sooner). MunkiAdmin supports opening a repository on a network share but that will always be slow and there's no way to know if the files are being used by someone else.
The way we deal with AutoPkg is to have it create a commit every time it makes changes to the repo. Every admin is instructed to do a git pull before starting to edit MunkiAdmin.
With version control, you get more good things. Just to name a few:
- Ability to easily revert changes
- Ability to see who did what, when and hopefully why
- Easier deployment to multiple servers
--
Hannes Juutilainen
--
You received this message because you are subscribed to the Google Groups "munki-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-discus...@googlegroups.com.
To post to this group, send email to munki-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/CAN1%2Bh_ZtaeAfK2pmzr_JukYS8eN19UxS-Ff0wHA%3D9t%2B7bis3qg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Mike Solin
Jun 1, 2015, 3:28:27 PM6/1/15
to munki-...@googlegroups.com
Thank you, Hannes! I agree - version control is going to be very useful. I’ve had a few instances recently where I wanted to roll things back or compare changes, and I’m still the only admin.
So in your environment, everyone keeps a local copy of the repository, then commits their changes to the server? If that’s the case, how do you handle the large ‘pkgs' directory?
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/C280F6D1-D16F-4DE1-92C1-6F4E9BBA70ED%40mac.com.
Clayton Burlison
Jun 1, 2015, 6:15:41 PM6/1/15
to munki-...@googlegroups.com
Mike,
Alister posted two articles regarding git-fat. It might be of interest to your large 'pkgs' directory issue.
https://www.afp548.com/2014/12/01/git-fat-intro-part-two-setup-and-migration/.
As for comments to your original questions: I have no experience with using IIS for anything however the setup for SSL and basic auth using linux is pretty straight forward. Mandrill is great for editing plist info, adding/removing software to manifests, and has support to limit what users can modify via regex. The only downside is Mandrill won't solve your issue of uploading software to your munki repo. Besides that is is my main editor for changes to my repo. Also, has support for git built in so great addition to MunkiAdmin.
As for comments to your original questions: I have no experience with using IIS for anything however the setup for SSL and basic auth using linux is pretty straight forward. Mandrill is great for editing plist info, adding/removing software to manifests, and has support to limit what users can modify via regex. The only downside is Mandrill won't solve your issue of uploading software to your munki repo. Besides that is is my main editor for changes to my repo. Also, has support for git built in so great addition to MunkiAdmin.
Clayton
Mike Solin
Jun 7, 2015, 5:55:37 PM6/7/15
to munki-...@googlegroups.com
Thanks, Clayton! Allister’s first article helps fill the gaps considerably - need to do some research to see if this is the best approach for us. There are a lot of moving parts here!
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-discuss/d470a5b6-3813-40a7-baa1-7458feb6715e%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages