Archive for the ‘sysadmin’ Category

Encrypted Time Machine Backups on Time Capsule (Mountain Lion)

July 30, 2012

The [first pass] Mountain Lion update to the Encrypted Time Machine Backups on Time Capsule post: the script (mostly) works, as do the backups themselves (mostly).

Unfortunately, the script fails to properly detect the Wi-Fi adapter’s MAC address (which I think has to do with changes to the output of system_profiler, something that should be fixable).

Mountain Lion makes visible changes to the process; namely, it will detect that the sparse bundle is present and encrypted.

It will furthermore ask for and automagically remember both the Time Capsule password and the encrypted disk image password, which means we no longer need to fiddle with Keychain Access.

But wait, I said “mostly”. It turns out Time Capsule will resize the sparse bundle image to (it seems) the size of the physical media hosting the image. While this can be changed back with hdiutil, I don’t yet know if Mountain Lion will simply resize it back in the next backup iteration.

Take some, lose some.

Categories: macos, sysadmin

Encrypted Time Machine Backups on Time Capsule

June 18, 2012

With Lion, Mac OS X gained the ability to encrypt Time Machine backups on directly-attached disks, but this is not supported on Time Capsule. An additional potential issue is that Time Machine backups will consume all available space on a device, which in my particular case is undesirable. So I wanted a way to both encrypt said backups and limit the amount of space they can consume. There are a number of good resources on this topic, such as Michael “Nozbe” Sliwinski’s Mac OSX Lion Secure Backup to Time Capsule with Size Limit and Jason Discount’s Encrypted, Rotating Time Machine Backups on Snow Leopard (which works on Lion as well). But, since I have a small herd of Macs to shepherd, I prefer a script to do most of the work for me (see below).

You have to perform these steps from the admin user account on your system (not root, and no sudo).

First, mount your Time Capsule disk. You can do this from the Finder and ask it (if you haven’t already) to remember the password in your keychain. Second, edit the Time Capsule’s name in the script below. The real magic of the script happens in the lines that call hdiutil.

#!/bin/bash
# Name of the Time Capsule volume as it appears under /Volumes (edit this).
TC="TimeCapsule"

# Hardware UUID, computer name and AirPort MAC address, all read from
# system_profiler. The sparse bundle is named after the computer name and the
# MAC address with the colons removed, which is the name Time Machine looks for.
UUID=`system_profiler SPHardwareDataType | egrep 'Hardware UUID' \
      | awk '{print $3}'`
echo "UUID: $UUID" >&2
NAME=`system_profiler SPSoftwareDataType | grep 'Computer Name' \
      | awk '{print $3}'`
echo "Name: $NAME" >&2
APMAC=`system_profiler SPNetworkDataType | grep 'Hardware: AirPort' -A 25 \
      | grep 'MAC Address' | awk '{print $3}' | sed -e 's/://g'`
echo "Mac Address: $APMAC" >&2

SPRSBNDL_NAME="/Volumes/${TC}/${NAME}_${APMAC}.sparsebundle"
echo "Sparse Bundle: $SPRSBNDL_NAME" >&2
if [ -z "$UUID" ] || [ -z "$NAME" ] || [ -z "$APMAC" ]; then
   echo "error: unable to determine uuid, name or mac address" >&2; exit 1
else
   echo "creating sparsebundle $SPRSBNDL_NAME" >&2
   # AES-128 encrypted sparse bundle capped at 500G; hdiutil prompts for the
   # passphrase. The path is quoted in case TC or NAME contain spaces.
   if hdiutil create -encryption AES-128 -size 500G -type SPARSEBUNDLE \
                     -nospotlight -volname "${NAME}TM@${TC}" -fs "HFS+J" \
              "${SPRSBNDL_NAME}"; then
      # Tag the bundle with this host's UUID so Time Machine accepts it as its own.
      (
       cat <<ENDPLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backupd.HostUUID</key>
    <string>$UUID</string>
</dict>
</plist>
ENDPLIST
      )>"${SPRSBNDL_NAME}/com.apple.TimeMachine.MachineID.plist"
   fi
fi

Finally, you still have to manually move the keychain entries for the Time Capsule disk and your encrypted image from the Login keychain to the System keychain with the Keychain Access app, but everything else is handled for you. Note that the script assumes you are connecting to your Time Capsule over Wi-Fi, not via wired ethernet, and since the output from System Profiler isn’t the most parseable, it may not grab the right MAC address if you, for instance, have multiple network interfaces. The above has proven to work well on laptops. In any event, you can always enter the correct MAC address into the script (remove colons).
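The multiple-interface caveat above comes from grepping a fixed number of lines after "Hardware: AirPort". The following is an added example, not the post’s script, that instead walks the per-interface blocks of the system_profiler report and takes the MAC address only from the block whose Hardware field says AirPort (or Wi-Fi). The report layout is a constructed sample that mimics the Lion-era format; the exact field names in real output are an assumption.

```shell
#!/bin/sh
# Added example: pick the AirPort MAC from a system_profiler SPNetworkDataType
# report without relying on line counts. Constructed sample input follows; it
# lists a wired interface first so a "first MAC Address line" match would be wrong.
SAMPLE_PROFILE='Network:

    Ethernet:

      Type: Ethernet
      Hardware: Ethernet
      BSD Device Name: en0
      Ethernet:
          MAC Address: 00:aa:bb:cc:dd:01
          Media Subtype: autoselect

    Wi-Fi:

      Type: AirPort
      Hardware: AirPort
      BSD Device Name: en1
      Ethernet:
          MAC Address: 00:aa:bb:cc:dd:02
          Media Subtype: Auto Select
'

# airport_mac: read the report on stdin and print the colon-free MAC of the
# first interface block whose Hardware field is AirPort or Wi-Fi (assumed
# labels). A block starts at a 4-space-indented "Name:" line, so the deeper
# "Ethernet:" sub-dictionary does not reset the state. Prints nothing if absent.
airport_mac() {
  awk '
    /^    [^ ].*:$/ { hw = ""; mac = "" }                 # new interface block
    /^ +Hardware: (AirPort|Wi-Fi)$/ { hw = "wifi" }
    /^ +MAC Address: / { mac = $3 }
    hw == "wifi" && mac != "" { gsub(":", "", mac); print mac; exit }
  '
}

# sparsebundle_name: the path the post builds, from volume, computer name and MAC.
sparsebundle_name() {
  printf '/Volumes/%s/%s_%s.sparsebundle\n' "$1" "$2" "$3"
}

main() {
  mac=$(printf '%s' "$SAMPLE_PROFILE" | airport_mac)
  [ -n "$mac" ] || { echo "error: no AirPort MAC address found" >&2; return 1; }
  sparsebundle_name "TimeCapsule" "mymac" "$mac"
}

main
```

On a real system, replace the sample with `system_profiler SPNetworkDataType | airport_mac` and check the result against the Wi-Fi adapter shown in Network Preferences before using it in the script.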

If you are currently performing backups to your Time Capsule unencrypted, the creation of the encrypted image may not work, as a non-encrypted sparse bundle probably already exists and is set to be used with Time Machine. You have to delete the existing non-encrypted image.

Finally, one of the nice things about this approach is that you can resize the resulting image whenever it is convenient with hdiutil resize, as long as you have not used up the allotted space. Also, I have successfully used Time Machine Scheduler to change Time Machine’s scheduling (since I don’t really need Time Machine cranking up every hour).

NRPE and Solaris SMF

September 7, 2011

NRPE running under Solaris SMF control.

The SMF manifest:

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='application/monitoring/nrpe' type='service' version='0'>
    <single_instance/>
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <dependency name='network-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/network/service'/>
    </dependency>
    <dependency name='name-service' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/name-services'/>
    </dependency>
    <instance name='default' enabled='true'>
      <dependency name='config-file' grouping='require_all' restart_on='refresh' type='path'>
        <service_fmri value='file://localhost/usr/local/etc/nrpe/nrpe.cfg'/>
      </dependency>
      <exec_method name='start' type='method' exec='/local/lib/svc/method/nrpectl start' timeout_seconds='30'>
        <method_context working_directory='/var/tmp'>
          <method_credential user='nrpe' group='nrpe' privileges='basic,sys_resource,!proc_info,!file_link_any' limit_privileges='basic,sys_resource,!proc_info,!file_link_any'/>
        </method_context>
      </exec_method>
      <exec_method name='stop' type='method' exec=':kill' timeout_seconds='60'/>
      <exec_method name='refresh' type='method' exec='/local/lib/svc/method/nrpectl refresh' timeout_seconds='60'/>
      <property_group name='nrpectl' type='application'>
        <propval name='NRPE_CFG' type='astring' value='/usr/local/etc/nrpe/nrpe.cfg'/>
        <propval name='NRPE_FQB' type='astring' value='/usr/local/sbin/nrpe'/>
      </property_group>
    </instance>
    <template>
      <common_name>
        <loctext xml:lang='C'>NRPE</loctext>
      </common_name>
      <documentation>
        <doc_link name='nagios.org' uri='http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf'/>
      </documentation>
    </template>
  </service>
</service_bundle>

The associated method:

#!/bin/sh
# SMF method for NRPE: "start" launches the daemon, "refresh" kills it so that
# it comes back under the new configuration; "stop" is handled by :kill in the
# manifest.

. /lib/svc/share/smf_include.sh

# Binary and config paths come from the nrpectl property group in the manifest.
NRPE_FQB=`svcprop -p nrpectl/NRPE_FQB "$SMF_FMRI"`
NRPE_BIN=`basename "$NRPE_FQB"`
NRPE_CFG=`svcprop -p nrpectl/NRPE_CFG "$SMF_FMRI"`

pid=`pgrep -x -d " " "$NRPE_BIN"`

case "$1" in
   'start')   if [ -z "$pid" ]; then
                 smf_clear_env
                 "$NRPE_FQB" -c "$NRPE_CFG" -d >&2
                 if pgrep -x -d " " "$NRPE_BIN" >/dev/null 2>&1; then
                    :
                 else
                    echo "NRPE failed to start" >&2
                    exit $SMF_EXIT_ERR_FATAL
                 fi
              else
                 echo "NRPE already running (pid=$pid)" >&2
                 exit $SMF_EXIT_ERR_OTHER
              fi
              ;;
   'refresh') if [ -z "$pid" ]; then
                 echo "NRPE not running; nothing to refresh" >&2
                 exit $SMF_EXIT_ERR_OTHER
              else
                 pkill -x "$NRPE_BIN"
              fi
              ;;
   *)         echo "usage: $0 {start|refresh}" >&2
              exit $SMF_EXIT_ERR_CONFIG
              ;;
esac
exit $SMF_EXIT_OK

Season to taste.

Categories: solaris, sysadmin

TimeMachine and Logged Out Users

January 5, 2011

With the deployment of the MacMini3,1 as an important box, I wanted to have timely backups and easy recovery, and that is one thing Snow Leopard does rather well with TimeMachine. Attach a disk, configure as a TimeMachine destination, and done, right? Not exactly: I noticed that TimeMachine was only backing up the system if there was a user logged in, something that’s rather rare on this box (in fact, there is generally no display or keyboard attached to it).

It turns out that this is normal behavior, as the system unmounts all external volumes when a user logs out, including TimeMachine volumes (this does not apply to network volumes, just volumes physically attached to the system). There are some edge cases that somewhat affect this behavior (such as when FileVault is in use), but it can be completely disabled:

defaults write /Library/Preferences/SystemConfiguration/autodiskmount \
     AutomountDisksWithoutUserLogin -bool true

I went ahead and rebooted the system. TimeMachine now works even when users are not logged in.

Categories: macos, sysadmin

Macmini3,1 and PowerBook5,8

January 4, 2011

A few months ago the aging Early 2009 Mac Mini in the living room was replaced with a 2010 model. The old one was having a hard time keeping up with HD content (mainly in terms of performance but also flat out refusing to display iTunes HD content after the upgrade to Snow Leopard) and the 1080p display over the DVI to HDMI adapter over-scanning issues were rather tiresome. The 2010 model did away with all that: faster CPU, more memory and native HDMI took care of those issues, which left a perfectly functional Macmini3,1 searching for a mission in life, a mission I had found even before I pulled the trigger on the new model.

A small server in the office that I use to store backup copies of precious data, such as music and photos, away from my main desktop system is also the authoritative repository of software that gets pushed to all the other systems I use or care for. Additionally, it runs a small mail setup (mx + imap) for two personal domains and other bits of useful software, such as a personal wiki. It has been working flawlessly for quite some time, but I have been wanting to reduce the office’s power footprint, especially while I travel, which was challenging given the system needed to be up all the time.

Thus, the mission is defined: the Mac Mini needs to take over the services that run continuously so the other system can be powered off at will.

The migration is nearly complete: mail is flowing and the software repository is up to date. The wiki bits are still a work in progress, but those are not as critical, primarily because Evernote has largely replaced (and enhanced) the wiki use. None of this would have been possible without the MacPorts Project community, at least not as fast and seamlessly as it has been. So there is happiness in the living room and there is happiness in the office.

On other related news, the aging PowerBook5,8 is finally headed for retirement. It has been a good 5+ year run, but in the end, it was entirely too slow now that its last user had embraced digital photography and was using it quite heavily. I’m not sure what I will do with it: the recycling center should be its final destination, but there is an emotional link to that laptop that keeps me from doing it. It was the first laptop I bought at Ning (before we actually purchased Apple products at the office) and it has served us very well.

Categories: macos, sysadmin

Githubed!

November 3, 2010

In recent months, we (“we” as in Ning) have started to open up some of our code to the community at large. There is quite a bit of useful stuff in there (23 public repositories and counting), compliments of powerhouses like brianm, davidsklar or tomdz (to name a few). We have also started sharing code from the Operations side of the house, in hopes that it is useful to other Operations shops out in the ether.

Our first entry in this regard, at pierre’s suggestion, is a Nagios plugin for Tableau servers, check_tableau_systeminfo, which is currently a little rough around the edges but quite usable. There is a new version right around the corner with some polish applied to said edges, and we are preparing a host of other tools for release that we currently use every day in our production environment.

Our production environment is currently comprised of 2000+ nodes, which makes it a relatively large environment that provides a fair amount of interesting operational problems to solve. And problem solvers are something we are actively looking for, i.e., we are hiring! Ning is the largest platform in the world for creating custom social networks, currently hosting 70,000 paid subscribers (up from 15,000 before we transitioned from the prior “freemium” model), and serving over 80 million unique visitors monthly. This makes us one of the top 100 sites in the US, and, according to CNBC.com, one cool company to work for (indeed!).

Check out the openings, check out the code, and come play in our playground.

Nagios Forked: Icinga

March 18, 2010

I found out recently that Nagios was forked into Icinga. It looks interesting, and the new web interface is heading over to sexyland fast. I will take it out for a spin soon and see how it handles our current configuration (which relies heavily on object inheritance). The team at Icinga has already built a fair number of improvements for Nagios proper. It may be the fastest path to a more usable Nagios install for shops heavily invested in Nagios.

Categories: sysadmin