davidnelson.net

Author: David

  • Monitoring Apple Caching Server Status via MunkiReport

    Occasionally the Caching service on macOS will stop working due to a network outage or a glitch on Apple’s end.

    It’s a simple enough fix — all you have to do is turn the service off and on again. But how do you know that it’s offline? It’s easy if you use MunkiReport with the Caching module enabled.

    Just save the code below as a script on your MunkiReport database server and set it up as an hourly cron job. It looks for caching activity reported in the last two hours, and kicks off an alert if no results are found. (Be sure to read the notes below.)

    #!/bin/bash

cachingactivity=`/bin/mysql munkireport -e "select \
collectiondate from caching where collectiondate > \
timestampadd(hour, +6, now()) order by \
collectiondate desc;"`;

if [[ $cachingactivity == "" ]]; then
     echo "Caching service may be offline."
fi

    Considerations:

    • The user who runs the script needs to have a MySQL credential stored in their .my.cnf file.
    • Make sure cron is able to send you alerts. (Working MTA, and MAILTO=”user@domain” appears before this job is listed.)
    • You may need to modify the timezone offset (+6) to something suitable for your location. I’m at UTC-8, so +6 means my script looks for caching server activity reported within the last two hours.
    • Depending on how many clients there are, and whether any of them are on 24/7, you may need to adjust how far back your cron job is looking for records to avoid false error reports. Or only schedule it to check weekdays but not weekends.
    • Obviously this doesn’t provide up-to-the-minute alerting, but it should still help you notice if something is wrong before anyone else does.
    • With multiple caching servers, one could go down and you would not be alerted. The true purpose of this script is make sure that the caching service is working somewhere. It’s not concerned about calling out individual servers.

  • Creating HFS+ disk images from folders in High Sierra

    In macOS 10.13, if you use Disk Utility to create a new image from a folder, it will be APFS formatted.

    These images can only be read on 10.12 or newer, and there’s no option to pick a different format in the GUI.

    Instead you can use hdiutil in Terminal make a folder into an HFS+ disk image:

    hdiutil create -srcfolder /my/folder -fs HFS+ /my/image.dmg

  • Munki, Monolithic Imaging, and Microsoft Office 2016 Volume License Serializer

    If you have Macs that were cloned from an already-activated system (either via monolithic imaging, or one-off machines that were migrated or experienced hardware failure) you will find that your Office 2016 activation is broken. You will also find that Munki doesn’t know it needs to re-run the Office 2016 serializer since a receipt already exists for it.

    I was able to work around this by adding a couple scripts to the serializer’s pkgsinfo. First I added an installcheck_script that looks for a file in /Users/Shared which contains the serial of the computer on which Office was activated. If it doesn’t match the computer’s serial, or if it doesn’t exist, then the serializer package will run. Then we use a postinstall_script to write the serial number of the current computer to this file so we know it’s been activated on this machine and doesn’t need to run again.

    installcheck_script:

    #!/bin/bash

machineserial=`system_profiler SPHardwareDataType | awk '/Serial/ {print $4}'`

activatedserial=`cat /Users/Shared/.office2016activatedserial`

if [[ $machineserial == $activatedserial ]]; then

exit 1

fi

    postinstall_script:

    #!/bin/bash

system_profiler SPHardwareDataType | awk '/Serial/ {print $4}' > /Users/Shared/.office2016activatedserial

  • Deploying Epson EasyMP Multi PC Projection for Mac

    When adding Epson EasyMP Multi PC Projection 2.1.0 to Munki, I found that the built-in postinstall script fails.

    Some digging revealed that the script was expecting a file to exist at </tmp/mpp-72B3FDFF-9513-4CED-96C3-34881FC77AB8>. It reads that file and uses the value contained for the “ClientMode” preference in </Library/Preferences/com.epson.EasyMP_Multi_PC_Projection.Settings/mppsettings.xml>

    On a successful install the the GUI, that preference is just the integer “0”. So I added the following preinstall script to my Munki pkgsinfo.

    #!/bin/bash
echo "0" > /tmp/mpp-72B3FDFF-9513-4CED-96C3-34881FC77AB8

    The postinstall script is appeased and EasyMP Multi PC Projection 2.1.0 installs successfully. No direct modification or repackaging necessary.

  • Using SSH Keys for Passwordless Authentication

    SSH keys can provide an additional layer of security (if you also disable password authentication on the server), or they can simplify the process of connecting to remote servers. For our purposes we’re interested in the latter – connecting to the server without entering a password.

    The basic idea is that you create a public/private key pair on your computer, then upload the public key to the remote server. When you connect to the remote server, your computer can use the private key to authenticate instead of entering your password.

    First we’ll create the key:

    ssh-keygen -f ~/.ssh/id_rsa -N ""

    If a key already exists, you’ll be asked if you want to overwrite it. If this happens you can respond by pressing “n” (no) and continue to the next step.

    Next we need to upload the key to the server. Replace “user” with your username, and “host” with the address of the SSH server.

    ssh-copy-id -i ~/.ssh/id_rsa user@host

    If it worked, you should now be able to SSH to the remote host without entering your password.

  • Desktop Picture Profile Creator

    DesktopPictureProfileCreator is a simple bash script that generates mobileconfig profiles for managing the desktop picture on macOS computers.

    Run the script followed by the path to the image you want to set as the desktop picture. For example “sh DesktopPictureProfileCreator.sh /Library/Desktop\ Pictures/Aqua\ Blue.jpg”. Whatever path you specify must exist in the same location on the computer(s) you intend to deploy it to.

    The profile will be created on the desktop of whichever user runs the script. In the example above, the profile would appear at ~/Desktop/Desktop-Aqua-Blue-jpg.mobileconfig

    For more info and to download, check out my mobileconfigs repository on GitHub.

  • File ownership considerations with Nginx and php-fpm

    I recently switched my CentOS 7 web server over to Nginx and php-fpm.

    From my experience with Apache I assumed that PHP scripts would be executed by the same user the web server is running as — ‘nginx’ in this case. But this could no longer be taken for granted since php-fpm is a separate process from the web server.

    In my configuration php-fpm was actually running as the ‘apache’ user. This meant any files that need to be writable by PHP scripts should still be owned by that user or group rather than ‘nginx’.

    A common scenario where this matters is if your users need to be able to install WordPress updates, Plugins, or Themes via the browser without entering additional credentials. In order for this to work, the web server (or in this case, php-fpm) must be able to write to the files in question.

    If you are wrestling with file permissions, or are unsure of the correct permissions to set in this scenario, be sure to confirm which user and group are specified in /etc/php-fpm.d/www.conf

    # grep "^user\|^group" /etc/php-fpm.d/www.conf 
user = apache
group = apache

    Or you can check the actual running process with pstree:

    $ pstree -ua | grep "nginx\|php"
  |-nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   |-nginx,nginx
  |   `-nginx,nginx
  |-php-fpm
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   |-php-fpm,apache              
  |   `-php-fpm,apache

  • Scheduling Reboot of Motorola Cable Modem

    UPDATE: This no longer works for me because a recent firmware update removed the Restart command from the web interface.

    Periodically my Motorola SURFboard SB6141 cable modem stops talking to the outside world. I don’t know why, but restarting the modem fixes it every time. Rather than having to regularly power-cycle it by hand – or, heaven forbid, buy new hardware – I decided to schedule an automatic reboot.

    The modem itself doesn’t have a facility for automatic reboots, but it has a web page with a button to restart it! <http://192.168.100.1/cmConfig.htm> So all we have to do is automate the clicking of that button.

    If you have this model, or a similar one, this command should work. Just paste it into your terminal/console program and hit Enter, and see if you temporarily lose connectivity to the Internet. If you do, then it worked:

    /usr/bin/curl http://192.168.100.1/reset.htm -G -d reset_modem=Restart%20Cable%20Modem > /dev/null

    Once you verify it works for your modem, add it as a cron job. Mine looks like this, running daily at 4:30am:

    30 4 * * * /usr/bin/curl http://192.168.100.1/reset.htm -G -d reset_modem=Restart%20Cable%20Modem > /dev/null

    Tips:

    • The only real dependency is that you have curl installed. On Mac OS X, CentOS, and Debian it lives at /usr/bin/curl but if you’re using a different distro/OS you’ll want to make sure the path is correct.
    • Verify the IP of your cable modem is correct. For most/all Motorola models it’s 192.168.100.1 but try Googling yours if that doesn’t bring up a status page in a browser.
    • If the IP is correct, make sure the values passed by the restart button are the same as my example. (Go to the page that has the button, make sure that URL matches my example, then view source to make sure the name and value of the button match.)

  • Yosemite Captive Portal Fix

    A number of Yosemite Macs are having problems with our organization’s Wi-Fi captive portal.

    If you don’t first sign in via the window presented by Captive Network Assistant, the system appears to have zero network connectivity. You can’t ping anything, you can’t perform DNS lookups, etc. It’s as if the OS is actively blocking all attempted connectivity until it knows you have succeeded in authenticating.

    Consequently, Browsers throw errors instead of presenting our captive portal page. This is a big problem, since in many cases the Captive Network Assistant app was previously disabled or deleted!

    I found I could whitelist our network so that it lets applications try connecting even if the Captive Network Assistant has not yet been placated.

    Just copy the command below, replacing NAMEOFNETWORK with the SSID of your captive portal network. A reboot may be necessary, but it may also be enough to simply switch Wi-Fi off and on again.

    sudo /usr/libexec/PlistBuddy -c "Add ScrapingParameters:DisabledRealms:0 string @NAMEOFNETWORK" /Library/Preferences/SystemConfiguration/CaptiveNetworkSupport/Settings.plist

  • AirPrintProfileCreator

    AirPrintProfileCreator is a simple bash script which aids you in creating mobileconfig profiles that enable iOS devices to print to a CUPS server.

    Download and run the script on your server (“sudo sh AirPrintProfileCreator.sh”) and follow the prompts on screen. When the profile has been created, you can install it on your iOS device via Configurator, MDM, or just post it online or email it to yourself.

    The script should work on any recent Mac or other *nix systems with CUPS installed, but I have only tested on OS X v 10.9. Your CUPS server must have a static/reserved IP.

    For more info and to download, check out my mobileconfigs repository page on GitHub.