Radmind - PowerPoint PPT Presentation

Provided by: nerc1
Transcript and Presenter's Notes

Title: Radmind


1
Radmind
Managing Macs, One Computer, One Loadset, One
File at a Time
  • David J. Blezard
  • Academic Computing Systems
  • University of New Hampshire

2
RevRDist: Remember This?
  • If you do, then you are truly an
  • Old School Mac admin

3
radmind - A suite of Unix command-line tools and
a server designed to remotely administer the file
systems of multiple Unix machines. For Mac OS X,
there's also a graphical interface.
  • Research Systems Unix Group
  • University of Michigan
  • http://radmind.org
  • BSD open-source license

4
The Learning Curve
[Figure: learning curve; axes: Effort, Return]
5
The Learning Curve
[Figure: learning curve; axes: Effort, Return; labels: Universal; Automation; K in K; Certificates Customizing; Overloads; Cloning; Concepts Tools]
6
The Concepts
  • config - file used to identify clients (IP, DN,
    or certificates) and indicate which command file
    to use
  • command file (.K) - a precedence-based listing of
    other command files and transcripts to be used
    for a given client
  • transcript (.T) - a listing of filesystem objects
    (file, directory, hard link, sym link, etc)
    including type, path, mode, uid, gid, size,
    modification date, as appropriate
  • negative transcript - a transcript listed as an
    n item in a command file, specifies items to
    (mostly) ignore
  • positive transcript - a transcript listed as a
    p item in a command file, specifies items to
    actively manage
  • special file - an s item in a command file for
    cases where a unique file is needed for each
    client based on IP address

7
The Tools
  • ktcheck - check for and retrieve command files
    and transcripts for the client
  • fsdiff - compare filesystem to transcripts
    producing a transcript of differences
  • lapply - act on an applicable transcript to
    update the client, retrieving files from the
    server as needed
  • lcreate - uploads a creatable transcript and
    associated files to the server
  • lcksum - verifies the checksums and file sizes in
    a transcript in comparison to the actual files
  • lfdiff - retrieves a file from the server and
    diffs it with the one on the client
  • lmerge - merge two or more transcripts and their
    files together
  • radmind - the server process (TCP port 6662, by
    default)
  • twhich - find transcript lines matching a given
    filesystem path

8
Examples
config
132.177.80.57 admin1.K
standard clusters.K
supertec supertec.K
art art.K
.unh.edu default.K
9
Examples
command
k Xcode.K
k MacOSX-Universal-10.4-core.K
p standard-cert.T
p sccadmin.T
k cluster_apps.K
k iLife-6.K
k course_apps.K
k cluster_config.K
n TemporaryStorage-negative.T
n Scripts-10.4-negative.T
n 10.4-lab-negative.T
10
Examples
transcript
a /.DS_Store 0664 501 80 1124905865 6242 JN8ktMbeo9IQfOWrwB2I z6COsg
a /Applications/.DS_Store 0664 501 80 1124906133 15458 yV83tHTR2MuCIE/emnXTwFuhvY
f /Applications/Utilities/.DS_Store 0644 501 80 1124906030 12292 HSkuMOrXCh9LJ68db5LO5tRDc
d /Library/FontCollections 0775 0 80
f /Library/FontCollections/Chinese.collection 0664 0 80 1124907120 1341 kuSajTEy/N4gJnOC/qKIg85YuX8
f /Library/FontCollections/Classic.collection 0664 0 80 1124907120 899 zZBltjDob6MyDkyy5ekGyFNvJaw
f /Library/FontCollections/Fixed\bWidth.collection 0664 0 80 1124907120 864 CIzB7soinUjNcaq95cwVqOlms 3A
f /Library/FontCollections/Fun.collection 0664 0 80 1124907120 872 pS6reZJq3g5BtrfKhGtfZY8syPQ
f /Library/FontCollections/Japanese.collection 0664 0 80 1124907120 2477 jYzJINEU77KPaEXjndGvJletak
f /Library/FontCollections/Korean.collection 0664 0 80 1124907120 1217 66vkRZ108oFz7gu0MGUunP5kT6k
f /Library/FontCollections/Modern.collection 0664 0 80 1124907120 815 YKrlhkWCgTjZsldzEbB8TzALTw0
f /Library/FontCollections/PDF.collection 0664 0 80 1124907120 856 HMlFpOGowQlyjzw2oSrDum40Sak
f /Library/FontCollections/Web.collection 0664 0 80 1124907120 1164 QLS3JaEOuP8XdF03kXmhHySGyww
f /Library/Preferences/.GlobalPreferences.plist 0644 0 80 1122308014 890 k0Pk7bFaEvjyr2DdzvSkyFwIaeM
f /Library/Preferences/DirectoryService/ContactsNodeConfig.plist 0600 0 80 1122308282 456 3wmoFxFOKxMxagjq tGH KBD0lf1s
11
Create a Loadset
  • Requires
      • Configured machine
      • Simple command file referencing a negative transcript
      • Negative transcript
  • Requires
      • radmind installed and running
      • Negative transcript uploaded already (lcreate -N negative.T)
n negative.T
12
Notes about Negative
  • The negative transcript(s) are key!
  • You can have more than one negative
  • Some things on Mac OS X cannot be managed
      • /.vol
      • /dev
  • Some things should not be managed
      • /.Spotlight-V100
      • /Network
  • Some things you decide based on circumstance
      • /User
      • /private/var/db/netinfo
  • Good starting negatives are in the Radmind
    Assistant package contents Resources directory

13
Create a Loadset
cd /
fsdiff -C -o/base.T .
(insert long wait here)
14
Create a Loadset
Edit base.T to remove any extraneous items
15
Create a Loadset
lcreate -h server.foo.edu /base.T
(insert another long wait here)
16
Check in a Loadset
cd /var/radmind
lcksum -c sha1 tmp/transcript/base.T
mv tmp/transcript/base.T transcript/base.T
mv tmp/file/base.T file/base.T
17
Check in a Loadset
Create a command file
p base.T
n negative.T
Edit config file
.lab.foo.edu lab.K
18
Update a Machine
ktcheck -h server.foo.edu
19
Update a Machine
cd /
fsdiff -A -o/zzz.T .
20
Update a Machine
uid 0
uid 501
lapply -h server.foo.edu /zzz.T
21
Radmind Assistant
  • Radmind Assistant
  • Radmind Transcript Editor
  • Radmind Server Manager
  • Start here, if you are not inclined to
    Terminal.app

22
Options
  • Use relative paths instead of absolute ones to
    allow management of filesystems not mounted on
    / (Paths in transcripts will begin with ./)
      • Target disk mode
      • Boot from repair hard drive
      • NetBoot
  • Checksums can increase security and reliability
      • Add -c sha1 to ktcheck and fsdiff
      • Options in Radmind Assistant to enable checksums
      • Checksums do greatly increase the time for fsdiff
        to scan the filesystem
  • Compression
      • Add -z1 to -z9 to ktcheck and lapply and to the
        radmind server process
      • Only helps on slow networks due to processor load
        on the server

23
Overloads
  • Additional software titles, configuration
    changes, customizations, updates, etc
  • 5 step process
      • Radmind a machine to match the server
      • Install software, make changes, etc
      • Create new loadset with just the differences
      • Check the loadset for extraneous items
      • Check in loadset and add to command file
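
An added example (not from the original slides or the Radmind project): a Python sketch of the "check the loadset for extraneous items" step, parsing transcript lines in the field order shown on the transcript slide and flagging entries worth a second look before check-in. The sample transcript is constructed, and treating `-` in the checksum column as "no checksum recorded" is an assumption.

```python
import stat

# Paths the "Notes about Negative" slide says cannot or should not be managed.
UNMANAGED = ("/.vol", "/dev", "/.Spotlight-V100", "/Network")

def parse_line(line):
    """Split one transcript line into a dict; None for blank or comment lines."""
    f = line.split()
    if not f or f[0].startswith("#"):
        return None
    entry = {"type": f[0], "path": f[1].replace("\\b", " ")}  # \b encodes a space
    if len(f) >= 5:
        entry.update(mode=int(f[2], 8), uid=int(f[3]), gid=int(f[4]))
    if f[0] in ("f", "a") and len(f) >= 8:
        entry.update(mtime=int(f[5]), size=int(f[6]), cksum=f[7])
    return entry

def audit(transcript_text):
    """Return (path, reason) pairs to review before the loadset is checked in."""
    findings = []
    for line in transcript_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        path, mode = e["path"], e.get("mode", 0)
        is_file = e["type"] in ("f", "a")
        if any(path == u or path.startswith(u + "/") for u in UNMANAGED):
            findings.append((path, "belongs in the negative transcript"))
        if is_file and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid file"))
        if is_file and mode & stat.S_IWOTH:
            findings.append((path, "world-writable file"))
        if e.get("cksum") == "-":  # assumption: "-" means captured without -c sha1
            findings.append((path, "no checksum recorded"))
    return findings

# Constructed sample overload transcript; paths, sizes and checksums are made up.
SAMPLE = """\
d /Applications/Scan\\bTool.app 0755 0 80
f /Applications/Scan\\bTool.app/helper 4755 0 80 1124907120 8192 AAAAAAAAAAAAAAAAAAAAAAAAAAA=
f /Library/Preferences/scan.plist 0666 0 80 1124907120 456 AAAAAAAAAAAAAAAAAAAAAAAAAAA=
f /.Spotlight-V100/store.db 0600 0 0 1124907120 1024 AAAAAAAAAAAAAAAAAAAAAAAAAAA=
f /Library/Fonts/Lab.dfont 0644 0 80 1124907120 2048 -
"""

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```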

24
Demo
25
Customizing Machines
  • Leveraging the power of Radmind and multiple
    loadsets
  • Different machines can get different groupings
  • Scanner stations get scanner software
  • Media stations get Final Cut
  • Classroom computers set to auto-login
  • The key is being able to uniquely identify
    machines or groups of machines...

26
Identifying Machines
  • You have assigned IP addresses?
  • Cool! Easy! Done!
  • You live in a DHCP world (like most of us)?
  • Well...Ummm...Let me introduce you to the world
    of certificates...

27
Certificates - Creating
  • They are not that bad!!!
  • Create your own Certificate Authority
      • Give it a long life-span
  • Create a certificate for the server
      • Set the Common Name to the FQDN of the server
  • Create a certificate for each group of
    machines (or each machine)
      • Common Name set to the name of the group
  • Read the cookbook
    <http://rsug.itd.umich.edu/software/radmind/files/radmind-tls-0.9.1.pdf>

28
Certificates - Using
  • List the Common Name of the cert in the config
    file
  • Put the ca.pem and the server's cert.pem in
    /var/radmind/cert on the server
  • Edit the Radmind StartupItem to include -w2
  • Restart the server process
  • Put the ca.pem and the appropriate group's
    cert.pem on the client machine in
    /var/radmind/cert
  • Run ktcheck and lapply with -w2
  • Radmind Assistant has preferences for Security
      • Manage certificates
      • Set to Verify Client and Server

29
Certificates - Expire
  • They expire
  • You will forget
  • You will scramble
  • To renew
  • To redeploy
  • Especially if the certificate has expired so
    Radmind is no longer useful
  • Try not to forget
  • And if your CA expires, you are starting over!

30
Best Practices
  • The best practice is to install each and every
    application as a separate overload
  • Similarly, each update is a separate overload
    that can be added in or pulled if there is a
    problem
  • Eventually merge updates with parent loadsets,
    if desired, via lmerge
  • Makes it simple to take on management of new
    groups of machines with different software needs

31
K in K
  • A recently-added feature
  • Makes managing diverse setups much simpler
  • Group transcripts by type or function
  • BaseOS.K
  • Applications.K
  • Internet.K
  • iLife.K
  • Create the main command file from these as well
    as positive and negative transcripts
  • Adding updates is simple since you only modify
    the one .K file, not one for each kind of machine

32
K in K - Example
  • Lab.K
      • p MacOSX-10.4.7.T
      • p MSOffice.T
      • p Firefox.T
      • n lab-negative.T
  • Scanner.K
      • k Lab.K
      • p ScannerSoftware.T
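
An added example (not from the original slides or the Radmind project): a Python sketch that flattens nested command files such as the Lab.K and Scanner.K pair above, so you can see the full list of transcripts a machine receives and which command files a change to one transcript reaches. It assumes a `k` line is expanded in place, in listed order; `expand` and `who_gets` are hypothetical helper names.

```python
def expand(name, command_files, _stack=()):
    """Flatten a command file into [(kind, target)] in listed order.

    Assumption: a 'k' line is replaced in place by the lines of the
    command file it names. Loops and missing files are reported.
    """
    if name in _stack:
        raise ValueError("command file loop: " + " -> ".join(_stack + (name,)))
    if name not in command_files:
        raise KeyError(f"{name} is referenced but missing")
    out = []
    for line in command_files[name].splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        kind, target = fields[0], fields[1]
        if kind == "k":
            out.extend(expand(target, command_files, _stack + (name,)))
        elif kind in ("p", "n", "s"):
            out.append((kind, target))
        else:
            raise ValueError(f"{name}: unknown line type {kind!r}")
    return out

def who_gets(transcript, command_files):
    """Names of every command file whose expansion includes the transcript."""
    return sorted(k for k in command_files
                  if any(t == transcript for _, t in expand(k, command_files)))

# Command files copied from the "K in K - Example" slide.
COMMAND_FILES = {
    "Lab.K": "p MacOSX-10.4.7.T\np MSOffice.T\np Firefox.T\nn lab-negative.T\n",
    "Scanner.K": "k Lab.K\np ScannerSoftware.T\n",
}

if __name__ == "__main__":
    for kind, target in expand("Scanner.K", COMMAND_FILES):
        print(kind, target)
    print("Firefox.T reaches:", who_gets("Firefox.T", COMMAND_FILES))
```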

33
Automation
  • Don't reinvent the wheel!
  • Use either scripts included in Radmind Assistant
    (radmind.hook) or Entman (Univ. of Utah)
  • iHook can be used to put a graphical interface on
    scripts (RSUG at Univ. of Michigan)
  • Run Radmind at boot, at logout, or at a scheduled
    time
  • Radmind Assistant also includes automation
    options for user home directory management

34
Universal Radmind
  • Universal boot images are a neat parlor trick,
    but in many cases, ultimately more trouble to
    support than they are worth. Since they are
    unsupported by Apple, you are on your own when it
    comes to troubleshooting issues you may
    encounter. Only you can determine if you have
    the skills, patience, and inclination to do so.
  • Greg Neagle, Disney
  • radmind-users_at_lists.sourceforge.net
  • October 16, 2006
  • But if you do want to do it, it is possible!

35
Universal Radmind
  • Technique developed by Andrew Mortensen (Univ. of
    Michigan)
  • <http://rsug.itd.umich.edu/software/radmind/files/CreatingUniversalTigerWithRadmind.pdf>
  • Make an OS loadset from a PowerPC machine
  • Make an OS loadset from an Intel machine
  • Create a command file that lists both loadsets
    with the Intel one having the higher priority
  • Since the Intel files are Universal binaries,
    they have both sets of code
  • The PowerPC loadset is masked and contributes
    only the PowerPC-specific files that are missing
    otherwise

36
Universal Downsides
  • Unsupported
  • Some applications are Intel-only or PowerPC-only
  • OpenOffice.org
  • Matlab
  • Totally unsupported
  • PowerPC machines using a Universal image will not
    be able to get OS updates via Software Update
  • No, really, you are completely on your own here!
  • Only a stop-gap until Leopard ships
  • You can support both platforms by using certs to
    put different OS loadsets on different hardware
    so it is not really necessary

37
Radmind Pitfalls
  • Poor for initial deployment - takes hours!
  • Check your overloads carefully to make sure that
    you are not distributing extra files you do not
    want
  • Prebinding leads to some issues
  • Make Xcode transcripts lower priority than the OS
  • Problems rebooting the machines after some major
    OS updates (10.3 → 10.4, 10.4.7 Intel → 10.4.8
    Intel)
  • Interrupted OS updates can leave machines in
    non-functional states
  • Your negative must be correct and appropriate
  • But generally, it rocks!

38
Radmind Resources
  • Radmind @ U Michigan <http://radmind.org>
  • Radmind @ Sourceforge <http://sourceforge.net/projects/radmind/>
  • Official site (releases, bug reports, CVS, etc)
  • Users mailing list is excellent
  • iHook <http://rsug.itd.umich.edu/software/ihook/>
  • Entman <http://www.macos.utah.edu/documentation/system_deployment/entman.html>
  • MacEnterprise.org <http://macenterprise.org/>