Feb 1, 2012
So you’ve lovingly crafted your never-booted image in InstaDMG. It’s fully up to date and lovely. And then you try to enable FileVault 2. As the image has no Recovery HD (FileVault 2 needs one to hold its pre-boot environment), it’s not going to happen.
I’ve tried several methods to get around this, including taking an image of an existing Recovery HD. It worked (ish), but didn’t feel right. Then I found this post on Google+. I’ve lovingly ripped off the method and put it into a package for deployment with DeployStudio, ARD, or anything else that can take normal packages. You can download everything from my GitHub; usage instructions are in the readme.
Jan 1, 2012
Recently, I was tasked with moving a client’s web server from a box in their office to something a little more robust, after they put something up there that caused the server to go nuts (30 mb/s nuts!).
The main goals were:
A fast, scalable web server.
Multiple FTP users for the client’s web team to modify the site.
Integration with their existing CrashPlan PROe backup system.
GUIs for as much of the admin as possible, so lower-level techs could make changes on the server.
After considering several options, we decided to go with Linode. I’ve had great success hosting my own site with them, and as we had full access to the box, we could install anything we wanted – including CrashPlan.
So, first things first. Get yourself a Linode account. Start off with the cheapest 512 account and work your way upwards if you need the horsepower. Once you’ve got your account, pick your data centre, and get your VM up and running. We usually go for Ubuntu 10.04 LTS as you’ll find the most support online for that.
Now you’ve got your Ubuntu Linode up and running, let’s get the web server up and running (mostly borrowed from the Linode Library).
It’s much easier if you set up an A record for your new VM, so for the purposes of this, we’ll call our new VM linode.example.com.
The code-type font is stuff you should be putting into your terminal window, one line at a time (but to be honest, if I have to tell you that, maybe this isn’t the right thing to be following…)
Set the hostname (the second command applies it to the running system; /etc/hostname on its own only takes effect at the next boot):
echo "linode.example.com" > /etc/hostname
hostname -F /etc/hostname
Get everything up to date:
apt-get update
apt-get upgrade
apt-get install php5 apache2 mysql-server
Bash in your chosen MySQL root password when you’re prompted, and you’re done.
That’s all you need for the most basic web server, but I’m a Mac admin, and I quite like having a GUI if I can, so let’s get one installed. I quite like Webmin, but installing it is not quite as straightforward as we’d like.
First install the dependencies:
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl apt-show-versions libapt-pkg-perl
You’ll notice one failure there: libmd5-perl is no longer in the 10.04 repositories, so apt-get can’t find it and we’ll have to hunt it down ourselves. Grab the latest version from: http://mirrors.kernel.org/ubuntu/pool/universe/libm/libmd5-perl/
cd /tmp
wget http://mirrors.kernel.org/ubuntu/pool/universe/libm/libmd5-perl/libmd5-perl_2.03-1_all.deb
dpkg -i libmd5-perl_2.03-1_all.deb
Now to grab the latest version of Webmin:
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.570_all.deb
dpkg -i webmin_1.570_all.deb
Now you should be able to log into Webmin with your root username and password at https://linode.example.com:10000. Webmin generates its own self-signed certificate on install, so expect a browser warning the first time. Bear in mind that this is a root login exposed to the whole internet: restrict port 10000 to your own addresses with iptables (or ufw) rather than leaving it open.
I’m not going to tell you how to set up Apache – there’s plenty on the internet. It’s easy with Webmin, and the Apache defaults are reasonably sensible. Just make a directory for your web files, and point a new virtual host at the directory. If you get stuck, a good tutorial can be found at http://doxfer.webmin.com/Webmin/Name-BasedVirtualHosting
We’re nearly done with this part, just a little housekeeping to do. First, a little cleaning up of the MySQL install. Accept the defaults that this script offers:
mysql_secure_installation
If you’re going to be running something like WordPress, chances are you’re going to want your server to send emails.
apt-get install exim4
dpkg-reconfigure exim4-config
In the configuration wizard, choose Internet Site for the first option, bash in your Linode’s hostname (it should already be there – if it’s not check you’ve set the hostname correctly), and make sure that your server will only accept SMTP connections from itself by putting 127.0.0.1 in the next box. In the box asking which domains to accept relays for, enter your Linode’s hostname and localhost. Leave the relay domains and relay machines fields blank, and select No when asked about keeping DNS queries down. On the next question on how to store incoming mail, choose whatever you want as you won’t be getting any incoming mail here. Finally, accept the default “non-split” part for how to store the configuration file.
For a little security through obscurity, I like to change the port that Webmin listens on as well. Log in, go to Webmin -> Webmin Configuration -> Ports and Addresses, and change the listening port to something of your choosing. This keeps the automated scanners out of your logs, but it stops nobody who actually looks, so it is no substitute for the firewall rule above.
Whilst you’re there, you might want to change the port that SSH is on as well. In Webmin, you’ll want to be looking at Servers -> SSH Server -> Networking. The same caveat applies: key-based logins and a firewall are what protect SSH, not the port number.
Finally, I like to disable the root user.
First add your own user (give the user a password etc), then add them to the admin group (on Ubuntu 10.04 the users in this group are automatically granted sudo via the %admin line in /etc/sudoers).
adduser myuser
adduser myuser admin
Now log in as your new user in a fresh SSH session (keep the root session open until you’ve confirmed the new one works) and make sure you can sudo – once that’s working, you can lock the root password:
sudo passwd -l root
Note that this only locks root’s password. If root has a key in /root/.ssh/authorized_keys, it can still log in over SSH, so also set PermitRootLogin no in /etc/ssh/sshd_config and reload sshd.
Assuming everything is working up to this point, change the DNS for your site to point to your new Linode, sit back and congratulate yourself for giving yourself one less physical box to worry about.
You’ve now got a basic webserver up and running on Linode with a GUI to manage the server. Next time, we’ll go over setting up an FTP server with virtual users (with a GUI!), and backing up the server with CrashPlan PROe, including performing a full dump of the mysql databases every night so they’re backed up properly.
Dec 10, 2011
We’ve been using a 10.7 Server in the office since Lion was released, but it is only now that I’m about to install an all Lion office, so will get the chance to use Profile Manager in a real install. Over the last few months, I’ve noticed a couple of things:
Don’t bother using a self-signed SSL certificate. Preferences will fail to push seemingly at random without a proper certificate. For what they cost, get over to GoDaddy and buy yourself a cheap certificate and save yourself hours of head scratching.
On first glance, Profile Manager seems to be lacking a load of options that we had in Workgroup Manager. Remember that you can upload your own plists, so we can still set all of the options that we could before.
I’ve not been able to set Mobility preferences using Profile Manager, so have had to fall back to MCX for this, as the client Mac steadfastly refuses to use the settings I’ve set in Profile Manager. If anyone has any ideas about this, I’d love to hear them.
If you’re using DeployStudio, you can cut out a load of post-imaging faffing about with enrolling the Mac by using an Enrolment Profile and then using the workflow item in DS to get the client talking to your server.
Nov 29, 2011
Starting with Lion Server, a fair bit of data is now stored in Postgres databases. If you use Time Machine, you’ll get this backed up properly for you. If you use a proper backup solution (I prefer CrashPlan), you won’t get automated dumps. This script rectifies this, by dumping all of your Postgres data, and keeping 7 days worth.
You can grab the code, along with a pre-built pkg installer from GitHub.
Configuration
By default, the script puts its backups in /Backups/Postgres. If you wish to change it, you will need to edit line 3 of /usr/local/pgbackup/pgbackup.sh:
FINAL_BACKUP_DIR=/path/where/you/want/things/kept
The LaunchDaemon will trigger the script every night at 21:00. If you wish to change this, you will need to edit the Hour and Minute keys of the StartCalendarInterval dictionary in com.grahamgilbert.pgbackup.plist.
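For readers who would rather see the mechanism than install the package, here is an added example (my own, not the pgbackup.sh from the GitHub repo) of a nightly pg_dumpall with the same "keep 7 days" rotation. The rotation keys on the date in the filename rather than on mtime, so a restore from backup (which resets timestamps) cannot confuse it, and it can be exercised without a database. The socket directory /var/pgsql_socket and the _postgres role are assumed Lion Server defaults; adjust them if your install differs.

```shell
#!/bin/sh
# Added example, not the post's pgbackup.sh: nightly pg_dumpall plus a
# "keep the newest N dumps" rotation. Assumed Lion Server settings (change if
# yours differ): socket directory /var/pgsql_socket, superuser role _postgres.
# Usage: sudo sh pgbackup-example.sh run   (no arguments = define only)
set -eu

FINAL_BACKUP_DIR=${FINAL_BACKUP_DIR:-/Backups/Postgres}
KEEP=${KEEP:-7}
PGHOST=/var/pgsql_socket
PGUSER=_postgres

# Dumps are named by date so that sorting by name is sorting by age.
dump_name() { printf 'pg_%s.sql.gz\n' "$1"; }

dump_all() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"      # a dumpall contains every role and password hash
    out="$dir/$(dump_name "$(date +%Y-%m-%d)")"
    # Dump to a file (not a pipe) so a failing pg_dumpall stops the script
    # under set -e, then compress and rename: a broken dump never overwrites
    # a good one with the final name.
    pg_dumpall -h "$PGHOST" -U "$PGUSER" -f "$out.part"
    gzip -9 "$out.part"
    mv "$out.part.gz" "$out"
    printf '%s\n' "$out"
}

# Delete all but the newest $2 dumps in $1; other files there are untouched.
prune_dumps() {
    dir=$1; keep=$2
    ls -1 "$dir" | grep '^pg_[0-9-]*\.sql\.gz$' | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do rm -f "$dir/$old"; done
}

# Number of dumps currently kept (handy for a monitoring check)
count_dumps() { ls -1 "$1" | grep -c '^pg_[0-9-]*\.sql\.gz$' || true; }

if [ "${1:-}" = run ]; then
    dump_all "$FINAL_BACKUP_DIR"
    prune_dumps "$FINAL_BACKUP_DIR" "$KEEP"
fi
```

Point CrashPlan at FINAL_BACKUP_DIR and the nightly dump is what gets backed up, which is the whole reason for doing this rather than letting CrashPlan copy the live Postgres data directory.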
Nov 22, 2011
The problem
Lion Server’s built-in Apache binds ports 80 and 443 on every ethernet interface as soon as you enable any web service (Web, Wiki, Profile Manager, basically anything!), so Kerio Connect’s webmail can’t have them. This leaves us with two options: putting Kerio on a non-standard port and getting the users to type that in every time, or completely disabling Apache and not using any of the good stuff that came with Lion Server. Or, we could work out a way to get users to the right port number when they hit mail.example.com.
Enter the reverse proxy. Apache takes the request for the mail.example.com virtual host and proxies it behind the scenes to Kerio’s custom HTTPS port (8843); the user never sees a port number.
How to do it
The files you need are on my GitHub. Replace mail.example.com with the FQDN of your mail server.
Set up your Lion Server first: configure SSL certificates, OD and web services the way you like them, then export the private key for your signed SSL certificate from the keychain.
Install Kerio Connect, and import the private key and your signed certificate.
Set Kerio to use only port 8800 for HTTP and 8843 for HTTPS.
Set Kerio to bind its services to All Interfaces rather than a specific IP address. (I’ve found that the services won’t start when bound to a specific IP, but will when they can listen on all of them – don’t ask me why!)
In Server.app, configure mail.example.com in Web. Set it to use port 443, and set the root folder to whatever you want (it won’t be used).
In Hardware, set the virtual host you just created to use the right SSL certificate.
Then, in Terminal, change to the directory you downloaded the files to, copy the two files into place, and start the webapp on the vhost:
cd /path/to/the/files/you/downloaded
sudo cp httpd_kerio.conf /etc/apache2/httpd_kerio.conf
sudo cp webapps/com.grahamgilbert.kerio.plist /etc/apache2/webapps/com.grahamgilbert.kerio.plist
sudo webappctl start com.grahamgilbert.kerio mail.example.com
What’s happening
By default, when you set a vhost to use SSL in Lion Server, any requests to port 80 are redirected to 443. Once the connection is wrapped in SSL, Apache proxies it transparently to Kerio on 8843, so the user lands on the webmail login without ever typing a port number.
The plist file is the core of the webapp mechanism introduced with Lion Server. All ours does is import the httpd_kerio.conf file (which just has a standard Apache reverse-proxy directive) and tell the webapp to always use SSL. The webappctl command simply tells the webapp mechanism to load our plist and start it on the mail.example.com vhost.
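The post doesn’t show what is inside httpd_kerio.conf, so here is an added example (mine, not the file from the GitHub repo) that writes a reverse-proxy include of the kind described for a given mail FQDN and Kerio HTTPS port, and checks an include for the two settings that most often go wrong: ProxyRequests left On (which makes Apache an open forward proxy for anyone on the internet) and a plain-HTTP backend. It assumes Kerio runs on the same box as Apache (127.0.0.1) and Apache 2.2 with mod_proxy, mod_proxy_http and mod_ssl loaded, as they are on Lion Server; the ProxyPreserveHost setting is my choice, not something the post specifies.

```shell
#!/bin/sh
# Added example, not the post's httpd_kerio.conf: generate a reverse-proxy
# include for Apache -> Kerio Connect and lint it before it is loaded.
# Assumptions: Kerio on 127.0.0.1; Apache 2.2 with mod_proxy, mod_proxy_http
# and mod_ssl (Lion Server's stock build).
# Usage: sudo sh kerio-proxy.sh write mail.example.com 8843   (no args = define only)
set -eu

write_kerio_conf() {
    fqdn=$1; port=$2; out=$3
    # Apache comments must sit on their own line, never after a directive
    cat > "$out" <<EOF
# Reverse proxy: $fqdn (Lion Server vhost, port 443) -> Kerio Connect on $port
# Off = only reverse-proxy what ProxyPass names; On = open forward proxy
ProxyRequests Off
# Kerio sees "Host: $fqdn" rather than 127.0.0.1:$port
ProxyPreserveHost On
# The backend is HTTPS, so mod_proxy must speak TLS to it
SSLProxyEngine On
ProxyPass / https://127.0.0.1:$port/
ProxyPassReverse / https://127.0.0.1:$port/
EOF
}

# The backend that "/" is forwarded to, or nothing if there is no "ProxyPass /"
proxy_target() {
    awk '$1 == "ProxyPass" && $2 == "/" { print $3; exit }' "$1"
}

# Returns 0 if the include is safe to load, 1 (with a reason on stderr) if it
# would make Apache an open proxy or send the webmail session to Kerio in clear.
check_kerio_conf() {
    f=$1
    if grep -qi '^[[:space:]]*ProxyRequests[[:space:]]*On' "$f"; then
        echo "$f: ProxyRequests On makes Apache an open forward proxy" >&2
        return 1
    fi
    case "$(proxy_target "$f")" in
        https://127.0.0.1:*/) return 0 ;;
        "") echo "$f: no 'ProxyPass /' line" >&2; return 1 ;;
        *)  echo "$f: backend must be https://127.0.0.1:<port>/, got $(proxy_target "$f")" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = write ]; then
    write_kerio_conf "${2:-mail.example.com}" "${3:-8843}" /etc/apache2/httpd_kerio.conf
    check_kerio_conf /etc/apache2/httpd_kerio.conf
    apachectl configtest        # syntax check before webappctl start
fi
```

ProxyRequests Off is the line to check whenever a reverse proxy "just has a standard directive": with it On, the same vhost will happily fetch arbitrary URLs for anyone who asks, and open proxies get found within hours.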
Known Issues
Entourage
Entourage accounts will need to be reconfigured with the Kerio setup tool. They don’t seem to like communicating with the server over port 443 when the reverse proxy is running – they will have issues sending email.
Kerio Services
The services in Kerio Admin will need to be set to run on All Interfaces rather than a set IP address, as they won’t start on a specific address (it is unknown whether this is because of the reverse proxy / webapp process or if this is a general Lion issue). If the service has stopped, the webapp will need to be restarted:
sudo webappctl stop com.grahamgilbert.kerio mail.example.com
sudo webappctl start com.grahamgilbert.kerio mail.example.com