MunkiAdmin sync on “Save”

The idea was to use MunkiAdmin's script features to automatically rsync changes from a management machine to the machine hosting the repo for client access. My test case was syncing from a macOS machine to Ubuntu 16.04. This uses rsync over SSH with PSKs; for good documentation on that, check out Digital Ocean's article.

The Script

The main bread and butter is a simple rsync script:

/usr/local/bin/rsync -vrlt -e "ssh -i /Users/$macUSER/.ssh/id_rsa" --chmod=$symbolic --chown=$nixUSER:$nixGROUP /macOS/munki_repo/* $nixUSER@$nixHOST:/nix/munki_repo/

So to break it down…

-vrlt
  • v
    • verbose
  • r
    • recursive
  • l
    • symlinks (optional? probably not needed in a munki_repo specifically)
  • t
    • preserve times
-e
  • specify the remote shell
    • ssh
    • -i
      • identity file
    • /Users/$macUSER/.ssh/id_rsa
      • The private key you would like to use (its public half must exist under authorized keys on the receiving server)
--chmod=$symbolic
  • specify the permissions in symbolic form
    • 4744=go+r,u+rwxs
    • I just cheated, here.
--chown=$nixUSER:$nixGROUP
  • change the ownership
    • user:group
/macOS/munki_repo/*
  • local repo
$nixUSER@$nixHOST:/nix/munki_repo/
  • destination admin@host
  • :path/to/repo_destination

Tip: That should do it. You can always use -n or --dry-run to check this sync without actually syncing any data.

  • -n, --dry-run “perform a trial run with no changes made”

MunkiAdmin Integration

I added the command as well as some logging items to a bash script, and saved it as repository-postsave.

MunkiAdmin's full documentation on custom scripts is available here, though it's pretty cut and dried:

  • Scripts should be saved in <repository>/MunkiAdmin/scripts/ or ~/Library/Application Support/MunkiAdmin/scripts/.
  • The presave scripts can abort the save by exiting with anything other than
  • All of the scripts are called with the working directory set to the current repository root.

Furthermore, according to the MunkiAdmin documentation, MunkiAdmin looks for executable files (with any extension) with the following names:

  • pkginfo-presave
  • pkginfo-postsave
  • manifest-presave
  • manifest-postsave
  • repository-presave
  • repository-postsave

I chose repository-postsave because a sync would be the last thing we would want to do. I moved my script to <repository>/MunkiAdmin/scripts/, reloaded MunkiAdmin, and then added a pkg to test.

Quick Test

I figured why not test it with a worst possible case..? How about a 10.11.6 upgrade pkg, 6.24 GB? Yeehaw.

So I imported via munkiimport, and then reloaded MunkiAdmin. As the script is tied to “Save” in MunkiAdmin, no sync occurs until then…

I hit “Save” and everything died:

Screen Shot 2017-05-02 at 7.45.54 AM.png

But not really, I had a hunch that it was just working hard, and MunkiAdmin was waiting until the script exited, and those suspicions were confirmed:

Screen Shot 2017-05-02 at 7.45.59 AM.png

Once the transfer processes completed, MunkiAdmin was back to normal.

Much success! As a note, smaller, more regular pkg/infos and catalog files sync really quickly* (your mileage may vary depending on your speeds).

Caveats

rsync 3.1: your keen eye may have picked up on /usr/local/bin/rsync vs /usr/bin/rsync, as one may expect on macOS. Unfortunately macOS ships with rsync v2.6.9, which does not support the --chown functionality, so I had to brew err pursue other avenues for rsync to completely work in this capacity…
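One way to write the repository-postsave script described under MunkiAdmin Integration, with the rsync 3.1 caveat turned into a preflight check (an added example, not the script used in this post). It logs each run, refuses to sync when the rsync binary predates --chown or the identity file is a .pub key, and only syncs once NIX_HOST is filled in. The variable names, log path, BatchMode option and the D755,F644 mode are assumptions.

```shell
#!/bin/sh
# repository-postsave (added example). Placeholders: set these for your site.
RSYNC="${RSYNC:-/usr/local/bin/rsync}"   # Homebrew rsync, not /usr/bin/rsync
KEY="${KEY:-$HOME/.ssh/id_rsa}"          # private key (assumed path)
NIX_USER="${NIX_USER:-}"
NIX_GROUP="${NIX_GROUP:-}"
NIX_HOST="${NIX_HOST:-}"                 # sync is skipped while this is empty
DEST="${DEST:-/nix/munki_repo/}"
LOG="${LOG:-$HOME/Library/Logs/munki_repo_sync.log}"   # assumed log location

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# True when a `rsync --version` banner reports 3.1 or newer (has --chown).
rsync_has_chown() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/^rsync  *version v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ $# -eq 2 ] || return 1
    [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 1 ]; }
}

# ssh -i takes the private key: reject the .pub half or an unreadable file.
key_ok() {
    case "$1" in *.pub) return 1 ;; esac
    [ -r "$1" ]
}

sync_repo() {
    banner=$("$RSYNC" --version 2>/dev/null | head -n 1)
    if ! rsync_has_chown "$banner"; then
        log "ERROR: $RSYNC reports '${banner:-nothing}', need 3.1+ for --chown"
        return 1
    fi
    if ! key_ok "$KEY"; then
        log "ERROR: identity file $KEY is missing or is a public key"
        return 1
    fi
    log "sync start: $(pwd) -> $NIX_HOST:$DEST"
    # BatchMode makes ssh fail instead of prompting, so MunkiAdmin is not
    # left waiting on a prompt. D755,F644 is an assumed, narrower mode than
    # the post's go+r,u+rwxs (no setuid bit).
    "$RSYNC" -vrlt -e "ssh -i $KEY -o BatchMode=yes" \
        --chmod=D755,F644 --chown="$NIX_USER:$NIX_GROUP" \
        ./ "$NIX_USER@$NIX_HOST:$DEST" >> "$LOG" 2>&1
    rc=$?
    log "sync end: rsync exit code $rc"
    return "$rc"
}

# MunkiAdmin runs this with the repository root as the working directory.
if [ -n "$NIX_HOST" ]; then sync_repo; fi
```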

Implications

No manual rsync of your repo anymore! Well… actually it's still manual on “Save” but it's automatic!

If you use MunkiAdmin, this scripting has a lot of potential for different automation tasks: git integrations, or whatever you may do to your repos or pkgs after “saving,” whatever your use case may call for. I really like this integration and I just thought I’d share this bit I found useful.

Munki, Docker and why you’d want to even try. The video!

Here is a video from PSU MacAdmins where I take a high-level look at Munki, Docker and why you’d want to even try to get them to play nice with one another, or what better options for hosting your repo may be…

I love what the folks on the PSU MacAdmins team have been doing for the community, you can read more about them and the PSU MacAdmins conference here.

Munkireport-PHP on Docker

In my previous post I delved into getting a munki repo with SSL client-server cert protection up and running on a docker host. You can read that here.

So the next step I wanted to get up and running next to it was the great tool Munkireport-PHP. More than likely, if you are looking into docker as an option for a munki repo server, you have some experience with munkireport-php as a reporting tool for your fleet. I am not endorsing this as the only way or even a preferred way; I just wanted to see what it looked like to get it up and running on a docker host, and it was super easy (in comparison to getting a munki repo configured and up and running).


Munki-Docker & SSL (proofing a concept)

Edit:

The ustwo docker munki git repo has been removed, thanks to Clayton Burlison you can see a forked version here https://github.com/clburlison/docker-munki-ssl

Intro

This is a stumbling journey of a layman and how he got a proof of concept munki repo secured with ssl in some way on a docker host. Before this I knew little about docker, less about ssl/certs and had barely touched Ubuntu let alone a server version.


The end game: have a Munki repo that requires client-side SSL certs for authentication (as a means to protect against unauthorized access to a repo) and is hosted in a docker environment (for easy maintenance and recreation of servers in multiple locations).
