Author Archive

Encrypted Time Machine Backups on Time Capsule (Mountain Lion)

July 30, 2012

The [first pass] Mountain Lion update to the Encrypted Time Machine Backups on Time Capsule post: the script (mostly) works, as do the backups themselves (mostly).

Unfortunately, the script fails to properly detect the Wi-Fi adapter’s MAC address (which I think has to do with changes to the output of system_profiler, something that should be fixable).

Mountain Lion makes visible changes to the process, namely, it will detect that the sparse bundle is present and encrypted:

It will furthermore ask for, and automagically remember, both the Time Capsule password and the encrypted disk image password, which means we no longer need to fiddle with Keychain Access:

But wait, I said “mostly”. It turns out Time Capsule will resize the sparse bundle image to (it seems) the size of the physical media hosting the image. While this can be changed back with hdiutil, I don’t yet know whether Mountain Lion will simply resize it again on the next backup iteration.

Take some, lose some.

Categories: macos, sysadmin

Encrypted Time Machine Backups on Time Capsule

June 18, 2012

With Lion, Mac OS X gained the ability to encrypt Time Machine backups on directly-attached disks, but this is not supported on Time Capsule. An additional potential issue is that Time Machine backups will consume all available space on a device, which in my particular case is undesirable. So I wanted a way to both encrypt said backups and limit the amount of space they can consume. There are a number of good resources on this topic, such as Michael “Nozbe” Sliwinski’s Mac OSX Lion Secure Backup to Time Capsule with Size Limit and Jason Discount’s Encrypted, Rotating Time Machine Backups on Snow Leopard (which works on Lion as well). But, since I have a small herd of Macs to shepherd, I prefer a script to do most of the work for me (see below).

You have to perform these steps from the admin user account on your system (not root, and no sudo).

First, mount your Time Capsule disk. You can do this from the Finder and ask it (if you haven’t already) to remember the password in your keychain. Second, edit the Time Capsule’s name in the script below. The real magic of the script happens in the highlighted lines (the hdiutil call).

#!/bin/bash

TC="TimeCapsule"   # name of the Time Capsule volume as it appears under /Volumes

# Hardware UUID of this Mac; Time Machine records it in the image's MachineID plist
UUID=`system_profiler SPHardwareDataType | egrep 'Hardware UUID' \
      | awk '{print $3}'`
echo "UUID: $UUID" >&2
# Computer name (first word only; a name containing spaces is truncated)
NAME=`system_profiler SPSoftwareDataType | grep 'Computer Name' \
      | awk '{print $3}'`
echo "Name: $NAME" >&2
# MAC address of the AirPort interface, colons removed; Time Machine names the
# bundle <computer name>_<mac>.sparsebundle
APMAC=`system_profiler SPNetworkDataType | grep 'Hardware: AirPort' -A 25 \
      | grep 'MAC Address' | awk '{print $3}' | sed -e 's/://g'`
echo "Mac Address: $APMAC" >&2

SPRSBNDL_NAME="/Volumes/${TC}/${NAME}_${APMAC}.sparsebundle"
echo "Sparse Bundle: $SPRSBNDL_NAME" >&2
if [ -z "$UUID" ] || [ -z "$NAME" ] || [ -z "$APMAC" ]; then
   echo "error: unable to determine uuid, name or mac address" >&2; exit 1
else
   echo "creating sparsebundle $SPRSBNDL_NAME" >&2
   # AES-128 encrypted sparse bundle capped at 500G; hdiutil prompts for the passphrase
   if hdiutil create -encryption AES-128 -size 500G -type SPARSEBUNDLE \
                     -nospotlight -volname "${NAME}TM@${TC}" -fs "HFS+J" \
              "${SPRSBNDL_NAME}"; then
      # Tie the image to this host so Time Machine accepts it as its backup volume
      (
       cat <<ENDPLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backupd.HostUUID</key>
    <string>$UUID</string>
</dict>
</plist>
ENDPLIST
      )>"${SPRSBNDL_NAME}/com.apple.TimeMachine.MachineID.plist"
   fi
fi

Finally, you still have to manually move the keychain entries for the Time Capsule disk and your encrypted image from the Login keychain to the System keychain with the Keychain Access app, but everything else is handled for you. Note that the script assumes you are connecting to your Time Capsule over Wi-Fi, not via wired Ethernet, and since the output from System Profiler isn’t the most parseable, it may not grab the right MAC address if you, for instance, have multiple network interfaces. The above has proven to work well on laptops. In any event, you can always enter the correct MAC address into the script by hand (remove the colons).

If you are currently performing backups to your Time Capsule unencrypted, the creation of the encrypted image may not work, as a non-encrypted sparse bundle probably already exists and is set to be used with Time Machine. You have to delete the existing non-encrypted image.

Finally, one of the nice things about this approach is that you can resize the resulting image whenever it is convenient with hdiutil resize, as long as you have not used up the allotted space. Also, I have successfully used Time Machine Scheduler to change Time Machine’s scheduling (since I don’t really need Time Machine cranking up every hour).
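Given the resize behaviour noted in the Mountain Lion update above and the hdiutil resize mentioned here, a periodic check that the image has not outgrown its cap is worth having. The following is an added example, not code from the original post: it reads the size hdiutil records in the bundle's Info.plist, compares it against the 500G used at creation, and only then shells out to hdiutil resize. The bundle path is an assumption and the sample plist is constructed.

```ruby
# Cap from the hdiutil create call; hdiutil treats "500G" as 500 GiB
CAP_BYTES = 500 * 1024**3

# Size in bytes that hdiutil records in the sparse bundle's Info.plist.
# The plist hdiutil writes is flat, so a targeted match is enough here and
# keeps this free of an XML library.
def bundle_size(plist_text)
  m = plist_text.match(%r{<key>size</key>\s*<integer>(\d+)</integer>})
  m && m[1].to_i
end

# true when the recorded size is still at or below the cap
def within_cap?(plist_text, cap = CAP_BYTES)
  size = bundle_size(plist_text)
  !size.nil? && size <= cap
end

# Shrink an oversized bundle back to the cap. Reads the bundle's own
# Info.plist and only shells out to hdiutil (macOS) when the check fails.
# The image must not be mounted while resizing.
def enforce_cap(bundle_path, cap = CAP_BYTES)
  plist = File.read(File.join(bundle_path, 'Info.plist'))
  return :ok if within_cap?(plist, cap)
  gib = cap / 1024**3
  system('hdiutil', 'resize', '-size', "#{gib}G", bundle_path) ? :resized : :failed
end

# Constructed sample: an Info.plist after the image has been grown to the
# size of a 2 TB Time Capsule disk
SAMPLE_PLIST = <<~PLIST
  <?xml version="1.0" encoding="UTF-8"?>
  <plist version="1.0">
  <dict>
    <key>band-size</key>
    <integer>8388608</integer>
    <key>size</key>
    <integer>2000398934016</integer>
  </dict>
  </plist>
PLIST

if $PROGRAM_NAME == __FILE__
  puts(within_cap?(SAMPLE_PLIST) ? 'within cap' : 'grown past cap; enforce_cap would resize')
end
```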

Senedsa and Elesai

I am very pleased to announce the release of two new tools that I hope will prove to be useful additions to your operational arsenal:

  • Senedsa is a small utility and library that wraps around the Nagios send_nsca utility
  • Elesai is a wrapper around LSI’s MegaCli utility

Both of them are distributed as Ruby gems.

Senedsa

Senedsa is something I have been meaning to write for quite some time. A fair amount of the tools I have written over the last few years (most notably Zettabee and Theia) have had monitoring capabilities built in, mostly in the form of a Nagios passive monitor. I have moved to developing in Ruby essentially full-time (I still do some Python and some shell scripting, but that’s mostly in maintenance mode), and after I went down the path of writing Elesai, I simply had to write Senedsa, since the ridiculous cut-and-paste maneuver was getting old (and frankly, embarrassing).

I pondered using Kevin Bedell’s send_nsca gem, but in the end I decided to implement the Senedsa wrapper, primarily because we have other non-Ruby code (shell scripts) that uses send_nsca in its native form, and I suspected that would be the case for most other shops. While that implies a fork whenever it is used, it is not something we are doing at high frequency.

Senedsa can be used both as a CLI utility (which is handy to test your send_nsca installation, or perhaps to be called from shell scripts, though that implies you are forking both Ruby and send_nsca) and as a library from within your Ruby scripts.

Elesai

Elesai is a wrapper around LSI’s MegaCli utility that provides access to common types of information about LSI RAID controllers (currently physical and virtual disks) without the need to “speak martian” (run MegaCli -h to see what I mean). It is a line-oriented tool so that it can be combined with other Unix command-line tools to process and manipulate the data (e.g., sed, awk, and friends). It also provides a check action (currently as a Nagios plugin in both active and passive modes) which monitors the health of the array and its components and reports it accordingly (this is not yet configurable).

The exercise of developing Elesai has been useful in a number of ways. Perhaps the most significant one has been the realization of something I have actually known for quite some time but had not fully solidified in my mind: each and every tool needs monitoring if it is doing any regular work in production. Full stop. Clearly this is something I had been doing already (Zettabee being the primary example), but it has now been elevated to a full requirement.

The second aspect was the use of state machines to parse pseudo-structured output like that of MegaCli, where identifying the current element being processed becomes trickier. The usual (or perhaps the one I have seen implemented more often) approach is a set of nested if-then-else (or case) statements matching the appropriate regular expressions with state variables sprinkled around. This normally works, up until the point where the parser needs changes or additions six months after the code was written. Elesai itself will need several additions in the not-too-distant future, as it currently only shows information about physical and virtual disks (and does not, for instance, take spans into account): information about the adapters themselves and batteries are high in the list of new features.

So there had to be a better way. I first looked into the excellent Parslet library, but it really wasn’t the right tool for this job. I had had state machines lingering in my mind for quite some time, and that turned out to be an incredibly good fit, especially when using the wonderful workflow state machine implementation.
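As an added illustration of the table-driven state machine approach described above (written for this page; it is not Elesai’s code and does not use the workflow gem), the parser below walks MegaCli physical-disk listing output (-PDList) through three explicit states and collects the disks under their adapter, then applies a check in the spirit of Elesai’s check action. The sample output is constructed in the shape of that listing.

```ruby
# Handlers receive the parse context plus the regex captures of the line
NEW_ADAPTER = ->(ctx, id)  { ctx[:adapters] << { id: id.to_i, pds: [] } }
NEW_PD      = ->(ctx, enc) { ctx[:adapters].last[:pds] << (ctx[:pd] = { 'Enclosure Device ID' => enc.to_i }) }
SET_FIELD   = ->(ctx, k, v) { ctx[:pd][k] = v }

# state => [[regex, next_state, handler], ...]; first match wins, and a line
# matching no rule leaves the state unchanged (so unknown output is skipped)
TRANSITIONS = {
  start:   [[/^Adapter #(\d+)/,             :adapter, NEW_ADAPTER]],
  adapter: [[/^Adapter #(\d+)/,             :adapter, NEW_ADAPTER],
            [/^Enclosure Device ID: (\d+)/, :pd,      NEW_PD]],
  pd:      [[/^Adapter #(\d+)/,             :adapter, NEW_ADAPTER],
            [/^Enclosure Device ID: (\d+)/, :pd,      NEW_PD],
            [/^([A-Za-z ]+): (.*)$/,        :pd,      SET_FIELD]],
}.freeze

# Drive the machine over MegaCli output; returns the list of adapters
def parse_pdlist(text)
  ctx = { adapters: [], pd: nil }
  state = :start
  text.each_line do |raw|
    line = raw.strip
    re, next_state, handler = TRANSITIONS[state].find { |r, _, _| r.match?(line) }
    next if re.nil?
    handler.call(ctx, *re.match(line).captures)
    state = next_state
  end
  ctx[:adapters]
end

# Anything that is not Online or a hot spare is a problem worth alerting on
def unhealthy_pds(adapters)
  adapters.flat_map { |a| a[:pds] }.reject { |pd| pd['Firmware state'].to_s.start_with?('Online', 'Hotspare') }
end

# Constructed sample in the shape of MegaCli -PDList output
SAMPLE = <<~OUT
  Adapter #0

  Enclosure Device ID: 32
  Slot Number: 0
  Media Error Count: 0
  Raw Size: 279.396 GB [0x22ecb25c Sectors]
  Firmware state: Online, Spun Up

  Enclosure Device ID: 32
  Slot Number: 1
  Media Error Count: 12
  Firmware state: Failed
OUT
```

Adding adapter or battery sections later means adding a state and its rules to TRANSITIONS rather than threading another condition through a nested case.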

If you need to deal with LSI RAID controllers, I hope you find Elesai a worthy tool to add to your toolbox. It’s easy to install: gem install elesai. Do please report problems and feature enhancements in the issue tracker, or better yet, and if you’re up to it, fork it and contribute. Ditto Senedsa.

Categories: ruby, tools

XN Tags

December 3, 2011

ning, 24hourlaundry, core, playground, xncore, it’s the firewall, it’s nfs, terminal mushroom cloud, filer, blue man group, release plan, deployment, 167, 735, 285, it’s not a platform, platform, cross indexer, beacon, tomcat, postgress, oracle, mysql, java, zope, nagios, php, solaris zone, netapp, f*ck, mac, galaxy, theia, xno, xnq, xna, mogwee, resolvers, app cores, app core wabble, ooc, eoc, imoc, cmoc, ops, eng, core eng, app dev, advo, qa, sjc1, snv1, snv2, dfw1, ruby, python, automation, 915 meeting, api council, snapbaby, zettabee, admin, adminjr, rebar.

Categories: miniblog, ning

Lion in the Living Room

November 17, 2011

A few months ago, when Mac OS X Lion came out, I tried installing it on the Mac Mini in the living room. It failed. Miserably. After a couple of hours of trying different things (including making a bootable USB installation disk) I gave up, since it had thankfully not horked the Snow Leopard install. Life went on.

I had hoped that a newer release might have fixed the issue, which was apparently related to having the internal disks in a RAID set. The symptom is that Lion would boot and get stuck with a rolling candy bar. With 10.7.2, I still had issues. I went brave and decided to nuke the internal drives (which required some diskutil CLI love in the form of having eraseDisk go on both internal drives for a few minutes, enough to remove the RAID metadata). Progress ensued.

But then I got the cryptic, unhelpful, and decidedly generic “There was a problem installing Mac OS X. Try reinstalling” message.

What?!

Oh well, nothing the Googletron couldn’t take care of.

And so another Lion cub is roaming the house, stuck in the living room, restoring entertainment media.

Categories: macos, miniblog

BusyCal

October 31, 2011

A couple of weeks ago the Mac App Store featured a calendar app I had not seen before: BusyCal. It’s the gorgeous, customizable and very usable desktop calendar that iCal should have always been. Highly recommended.

Categories: macos, miniblog

Zettabee and Theia

October 21, 2011

It’s hard to believe it has been almost a year since we started the process of open sourcing tools, but it has indeed been that long, and it picked up steam a few weeks ago, when we pushed out nddtune, which is admittedly a very simple tool. Today we’re continuing that effort with a couple of more significant tools: Zettabee and Theia.

A Little History

About four years ago, we had a very real need for fairly detailed performance metrics for NetApp filers. At the time, the available solutions relied on SNMP (NetApp’s SNMP support has historically been weak) or were NetApp’s own, which, aside from being expensive, were hard to integrate with the rest of our monitoring infrastructure (which is comprised of Nagios and Zenoss). As such, we set out to write a tool that would both perform detailed filer monitoring (for faults and performance) and be able to interface with those systems. Theia was born.

In more recent times, as we were looking at beefing up our DR strategy, we found ourselves needing a good ZFS-based replication tool, and set out to write Zettabee, which gave us an opportunity to dive deeper into ZFS capabilities.

Let the Games Begin

Today we’re very excited to be releasing those two tools into the open. Theia has been in production for the last four years, dutifully keeping an eye on our filers, while Zettabee has been pushing bits long-distance for well over nine months. We are working on putting together a roadmap for future work, but are happy to have them out in the open for further collaboration. Tim has written a good post on some of the work he has done to make this happen, and I am grateful for his help on this endeavor.

Categories: python, ruby, tools

Steve Jobs: 1955 – 2011

October 5, 2011

Categories: 1

NRPE and Solaris SMF

September 7, 2011

NRPE running under Solaris SMF control.

The SMF manifest:

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='application/monitoring/nrpe' type='service' version='0'>
    <single_instance/>
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/service'/>
    </dependency>
    <dependency name='name-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/name-services'/>
    </dependency>
    <instance name='default' enabled='true'>
      <dependency name='config-file' grouping='require_all' restart_on='refresh' type='path'>
        <service_fmri value='file://localhost/usr/local/etc/nrpe/nrpe.cfg'/>
      </dependency>
      <exec_method name='start' type='method' exec='/local/lib/svc/method/nrpectl start' timeout_seconds='30'>
        <method_context working_directory='/var/tmp'>
          <method_credential user='nrpe' group='nrpe' privileges='basic,sys_resource,!proc_info,!file_link_any' limit_privileges='basic,sys_resource,!proc_info,!file_link_any'/>
        </method_context>
      </exec_method>
      <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
      <exec_method name='refresh' type='method' exec='/local/lib/svc/method/nrpectl refresh' timeout_seconds='60'/>
      <property_group name='nrpectl' type='application'>
        <propval name='NRPE_CFG' type='astring' value='/usr/local/etc/nrpe/nrpe.cfg'/>
        <propval name='NRPE_FQB' type='astring' value='/usr/local/sbin/nrpe'/>
      </property_group>
    </instance>
    <template>
      <common_name>
        <loctext xml:lang='C'>NRPE</loctext>
      </common_name>
      <documentation>
        <doc_link name='nagios.org' uri='http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf'/>
      </documentation>
    </template>
  </service>
</service_bundle>

The associated method:

#!/bin/sh

. /lib/svc/share/smf_include.sh

# Binary and config locations come from the nrpectl property group in the manifest
NRPE_FQB=`svcprop -p nrpectl/NRPE_FQB $SMF_FMRI`
NRPE_BIN=`basename "$NRPE_FQB"`
NRPE_CFG=`svcprop -p nrpectl/NRPE_CFG $SMF_FMRI`

pid=`pgrep -x -d " " "$NRPE_BIN"`

case $1 in
   'start')   if [ -z "$pid" ]; then
                 smf_clear_env
                 # -d: run as a daemon; the process stays in the service's contract
                 "$NRPE_FQB" -c "$NRPE_CFG" -d >&2
                 if pgrep -x -d " " "$NRPE_BIN" >/dev/null 2>&1; then
                    :
                 else
                    echo "NRPE failed to start" >&2
                    exit $SMF_EXIT_ERR_FATAL
                 fi
              else
                 echo "NRPE already running (pid=$pid)" >&2
                 exit $SMF_EXIT_ERR_OTHER
              fi
              ;;
   'refresh') if [ -z "$pid" ]; then
                 echo "NRPE not running; nothing to refresh" >&2
                 exit $SMF_EXIT_ERR_OTHER
              else
                 # Killing the daemon empties the service contract, so SMF
                 # restarts it and it picks up the updated nrpe.cfg
                 pkill -x "$NRPE_BIN"
              fi
              ;;
   *)         echo "usage: $0 {start|refresh}" >&2
              exit $SMF_EXIT_ERR_CONFIG
              ;;
esac
exit $SMF_EXIT_OK

Season to taste.

Categories: solaris, sysadmin

[X]HTML Parsing with RegEx

Categories: miniblog