Munki - deploying new computers.

Rob Middleton

Jul 21, 2010, 7:01:28 AM
to munk...@googlegroups.com
Hi folks,

Thought I would share one of the ways I am using Munki.

Rather than any initial image-based deployment I am deploying with Munki directly on top of a raw 10.6 - either as reinstalled or as delivered by Apple. If an install can be made to work with InstaDMG it can also be made to work by installing the packages directly with Munki.

The process is summarised thus:
- install munki, munki configuration & bootstrapping packages on the target machine in an offline mode (so we can modify the computer before it insists on running the setup wizard)
- touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup on the target volume
- reboot and wait for the 3 reboots or so for munki to install applications & Apple updates.
- once complete the computer is in the same state as all other managed machines.

In detail:
* new computer, prior to booting, placed into target disk mode and connected to a suitable Mac to install the bootstrapping packages.
* packages installed on the target (all can be bundled into a single .mpkg):
  - createUser.pkg  installs a central admin account
  - clearReg.pkg  prevents the welcome wizard running on first boot of the target
  - FirstBoot.pkg  installs a script to set the timezone on first boot of the target & anything else that needs to be done immediately on first boot.
  - munkiSettings.pkg  installs:
        /Library/Preferences/ManagedInstalls.plist
        /Library/Managed Installs/certs (both client & server.pem)
       touches: /Users/Shared/.com.googlecode.munki.checkandinstallatstartup
  - munki.pkg  the standard munki package (however with the reboot required flag removed)
* eject the target & reboot it

* munki runs and installs the latest applications
*   munki reboots the computer (currently ensure you have a reboot required package in the list of installs, I currently install a payload and script free package called 'Reboot')
* munki runs and installs the first round of Apple updates (perhaps a combo updater)
*   munki reboots
* munki runs and installs a second round of Apple updates (latest Java, iTunes, etc)
*   may reboot
* The computer is finished when idle at the login screen for more than 20 seconds.

* All is installed by Munki & Munki will now keep the computer updated as well.


Rationale:
* we have a relatively small fleet, < 200 Macs. This method is a little slower than imaging methods in absolute time, however requires no additional time spent by the computer support person deploying the computer (automatic). It leverages the work already required to keep a computer up to date, thus there is no additional work required to maintain an initial deployment technique.

* this method is unfussed that Apple has released new hardware not yet supported by the previous 10.x.x updater. It just installs our stuff on top of Apple's stuff and ensures it is all up-to-date.


Utility packages:
createUser.pkg  (offline creation of a user account 10.4/10.5/10.6 - contained password is stored in one-way hash format)
clearReg.pkg  (prevents the welcome wizard running at first boot)


FirstBoot scripts:
** /Library/LaunchDaemons/au.org.centenary.FirstBoot.plist  (run once at boot)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>au.org.centenary.FirstBoot.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/CENTENARY/FirstBoot.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

** /Library/Application Support/CENTENARY/FirstBoot.sh  (do some things as root, perhaps ordinarily done by the setup wizard, then delete the LaunchDaemon entry, then delete itself)
#!/bin/bash

# Set TimeZone while booted.
/usr/sbin/systemsetup -settimezone Australia/Sydney

# Point the clock at a network time server and turn network time on.
/usr/sbin/systemsetup -setnetworktimeserver time.asia.apple.com
/usr/sbin/systemsetup -setusingnetworktime on

# Remove the LaunchDaemon entry so this script is not run again at the next boot.
rm /Library/LaunchDaemons/au.org.centenary.FirstBoot.plist

sleep 15
# No longer any need for this initial run script.
# use srm instead of rm if this script is sensitive
rm "$0"
exit 0



Regards,
Rob Middleton.

IT Systems Administrator
Centenary Institute
Sydney, Australia.
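
A pre-eject check for the staged volume described in the post above, as an added example that is not part of the original message or of Munki itself. It confirms the bootstrap files are present and that the root-run FirstBoot pieces and the certificate files carry tight permissions; the function name, the permission policy and the volume name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: pre-eject check of a staged target volume.
# Paths are the ones listed in the post; check_staged_volume and the
# permission policy it enforces are assumptions of this example.

FLAG='Users/Shared/.com.googlecode.munki.checkandinstallatstartup'
DAEMON='Library/LaunchDaemons/au.org.centenary.FirstBoot.plist'
SCRIPT_DIR='Library/Application Support/CENTENARY'
CERTS='Library/Managed Installs/certs'

report() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Prints one FAIL line per finding; returns 0 only when there are none.
check_staged_volume() {
    vol=$1
    findings=0

    # Everything the bootstrap depends on must be present on the target.
    for rel in "$FLAG" "$DAEMON" "$SCRIPT_DIR/FirstBoot.sh" \
               'Library/Preferences/ManagedInstalls.plist'; do
        [ -e "$vol/$rel" ] || report "missing $rel"
    done

    # launchd runs FirstBoot.sh as root, so the plist, the script and its
    # directory must not be writable by group or other.
    for rel in "$DAEMON" "$SCRIPT_DIR" "$SCRIPT_DIR/FirstBoot.sh"; do
        [ -e "$vol/$rel" ] || continue
        loose=$(find "$vol/$rel" -prune \( -perm -020 -o -perm -002 \))
        [ -z "$loose" ] || report "group/world-writable: $rel"
    done

    # Certificate and key files must not be readable or writable by other.
    if [ -d "$vol/$CERTS" ]; then
        loose=$(find "$vol/$CERTS" -type f \( -perm -004 -o -perm -002 \))
        [ -z "$loose" ] || report "world-accessible file in $CERTS"
    else
        report "missing $CERTS"
    fi

    [ "$findings" -eq 0 ]
}

# Usage: sh check_staged.sh /Volumes/TargetDisk   (volume name is a placeholder)
if [ $# -gt 0 ]; then check_staged_volume "$1"; fi
```

The check looks at mode bits only; file ownership on the staged volume is not examined.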

Greg Neagle

Jul 21, 2010, 9:22:41 AM
to munk...@googlegroups.com
Thanks for this writeup. I'm actually doing something very similar. I do have a DeployStudio/NetBoot server that can deliver an initial image, but this image is Apple's 10.6.4 (currently) with three additional packages: munkitools, a createUser-type package, and a clearReg-type package.  Munki installs everything else.

When Apple introduces new hardware that we can't yet boot from our DeployStudio server, we just manually install munkitools on a new machine and let 'er rip, much as you describe.

-Greg

Philip Rinehart

Jul 21, 2010, 9:28:35 AM
to munk...@googlegroups.com
I'm doing something similar, though a bit of a variation.  We use hard drives to restore (our network isn't sufficient to do otherwise), and let munki install everything on top.  It keeps the image very small.  Our restore times from a drive are ~4 minutes.

P.

Gary Bernstein

Jul 26, 2010, 3:04:24 PM
to munk...@googlegroups.com
Thanks for all these write-ups. I am working on this very scenario right now and this is good food for thought. I was actually going down this path, but where I got stuck is creating the image that gets installed. I want to be able to boot any machine (current or new) so that I can have munki do the rest of the updates.

How do you keep the main image up to date?

I’ve been playing with instadmg and I am having an issue getting a 10.5 installer disk up to 10.5.8. I keep thinking there has to be another way to get a clean disk image to start with.

Thanks
-Gary

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 -- "The reward for work well done is the opportunity to do more."

 -- "I tried, but it didn't work" is a lot better than "I wish I'd tried."

        Gary R. Bernstein        Director of Computer Information & Access
        bern...@illinois.edu      Krannert Center for the Performing Arts
        217-244-1038                 College of Fine & Applied Arts - UIUC
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Greg Neagle

Jul 26, 2010, 3:11:28 PM
to munk...@googlegroups.com
If you are deploying 10.5.8 this is a one-time task, as Apple isn't making any more hardware that will run 10.5.8. I was able to use InstaDMG to build a 10.5.8 image.  It no longer needs to be kept "up-to-date" as long as it boots all the relevant hardware, as munki can apply any new updates. (Security, Safari, iTunes, etc)

As for Snow Leopard, I used Apple's System Image Utility to build a 10.6.4 image.  I'll need to create a new one if/when we buy new hardware that won't boot from this image, but other than that, there is no need to keep it "up-to-date".

-Greg

Gary Bernstein

Jul 26, 2010, 3:36:06 PM
to munk...@googlegroups.com
Agreed.

I (and others) seem to be having issues with instadmg and 10.5. ( http://www.afp548.com/forum/viewtopic.php?showtopic=27149&lastpost=true#27374 )

Perhaps I need to see if I can get SIU to create these images. I don’t need to do this often (especially in this economy), but I would like to have something in place to relatively easily update my base image when the time comes.

-Gary




Rob Middleton

Jul 26, 2010, 10:10:03 PM
to munk...@googlegroups.com
Hi Lach,

Your mention of radmind reminds me of a Munki+radmind concept I was toying with for labs. I don't have need for it here (no labs), but the initial thought seemed neat.

The idea is that on a campus with multiple labs with varying install sets: use Munki to update a master machine for each lab (master machine not in the lab itself), and use radmind to make multiple computers identical to that one in an efficient manner.

Multiple lab configurations can then be updated by the Munki admin releasing a new version of software (update being deployed to lab master machines, and the organisation's more diverse laptops+desktops). If desired the lab master can be tested at that point. The lab master, never having been used by untrusted users, is then pushed out to all the lab machines with radmind. Radmind has the benefit of ensuring that no filesystem changes have been made that change behaviour (these being undetectable by Munki).

This might allow labs with varying loads of Adobe software to be deployed from a single piece of administration then pushed through to radmind without getting into a mess with the FLEXNet licensing blob nor the sqlite registry databases.

I guess I wouldn't use Munki in a lab environment if you really need to be sure no changes have been made by the students. But that doesn't mean I wouldn't want to leverage the work I had done in pushing updates out to the rest of the fleet.

That said - I could be sprouting garbage :-) - I'm sure those actually dealing with labs each day have played with various automated cascading techniques to reduce their workload.

Cheers,
Rob.

On 27/07/2010 11:33 AM, Lachlan Stewart wrote: (subject: Munki - deploying new computers.)
Hi Rob and all,

Yeah I second the thanks for all the writeups. This is exactly the approach I'd like to take with this, with an initial deploystudio boot / image / package install. Sounds like it works great.

I'll keep playing with Munki once I am done debugging some radmind loadsets. :)

Cheers,

Lach


On 21/07/2010, at 9:01 PM, Rob Middleton wrote:

Hi folks,

Thought I would share one of the ways I am using Munki.
<snip>
