

MacOS X Lab Deployment
Radmind/iHook Documentation






Prepared by

Jennifer Nieland
Lab Administrator
College of Design Computer Labs
Iowa State University


 

Using Radmind & iHook for maintaining machines in a lab setting


These instructions are written based on notes I kept while learning the process of getting Radmind to work on a test machine and server, using the exact software setup we will be using in our student and teaching labs, starting this summer. I have tried to be as detailed as possible, covering every step of the process, as well as how to recover from problems, so that I can repeat this as quickly and easily as possible in the future. Credit must go to Ryan Schwartz for providing the basis for the first part of this document. His original post is reproduced on page 11.

We had two main requirements in getting our labs set up for students: kerberized login to a default student account, and machine maintenance at logout to reset the machine to a known good state, similar to the way revrdist works in MacOS 9 and earlier. Radmind was the recommended choice.

Getting Started with Radmind


1. Install the radmind server. (custom install, select server pieces, startup item, NOT server tutorial files)

2. Open a terminal window on the radmind server

admin% sudo touch /var/radmind/command/command.K

3. Install radmind on your client machine, including the client tutorial files.

4. Download the macosx-negative-desktop.T from the MacOS X section on radmind.org (edited copy on p. 13)

5. Open Terminal as an admin user and type the following:

admin% sudo cp /path/to/macosx-negative-desktop.T /var/radmind/client

(enter your password)

(The default download location is the desktop. Just drag the file into the terminal window after typing cp and a space to get the full path automatically.)

6. Edit /var/radmind/client/macosx-negative-desktop.T to suit your needs (fsdiff -1 filename generates the line to add to the transcript for 'filename'). Use vi to avoid issues with long lines.

admin% sudo vi /var/radmind/client/macosx-negative-desktop.T  (if you get an error that access is denied, type sudo -s at the prompt and enter your password.)

Lines that need to be commented out:

#f /Library/Preferences/DirectoryService/.DSRunning
#f /private/etc/ssh_host_dsa_key
#f /private/etc/ssh_host_dsa_key.pub
#f /private/etc/ssh_host_key
#f /private/etc/ssh_host_key.pub
#f /private/etc/ssh_host_rsa_key
#f /private/etc/ssh_host_rsa_key.pub
#f /private/var/backups/local.nidump
#f /private/var/msgs/bounds
#f /private/var/slp.regfile
#f /usr/share/man/whatis.db

Just add the # at the beginning of the line.

Delete the /Users/ line completely. We want to manage, not ignore this (which is what the Negative transcript tells Radmind to do).

6a. To get the next step to work, run

admin% sudo /usr/local/bin/lcreate -n /var/radmind/client/macosx-negative-desktop.T

Comment out or delete from the negative transcript any files that throw errors. If you commented out the lines listed in #6, you should not get any errors.

6b. Keep running the command in 6a until there is no output.

7. (still in Terminal)

admin% sudo /usr/local/bin/lcreate -N -h your.radmind.server.edu /var/radmind/client/macosx-negative-desktop.T 

(add a -v for verbose before the transcript filename to see the server communication)

8. On the server, launch Radmind Assistant.

9. Open the Server Console (option+apple+S).

10. You should see a new transcript in the "Newly Created Loadsets" drawer. Select it and click the "recycle" icon to update it, then click the check mark icon to verify it.

11. When it's verified, you can drag it to the Production Loadsets drawer to make it active and available to clients.

12. You will need to add your client to the config file. Click the Add Client button. Enter the DNS name or IP address of the client under the Hosts column (Ex. Pismo430w.design.iastate.edu), and select the command file from the Command File list (click in this area, and you’ll get a list of all command files on your server).

13. Drag macosx-negative-desktop.T onto the Command File Entry pane.

14. Click the ‘p’ in the left most column and change it to ‘n’ (this makes it a ‘n’egative transcript vs. a ‘p’ositive or a ‘s’pecial)

15. Click the buttons “Save command file” and “Save Config”

 

16. On the client, open Radmind Assistant. Edit the Preferences to add your Radmind server as the default server. You may have to quit and relaunch the Radmind Assistant to get this to take. Select Session-->Create New Loadset and follow the instructions (don't update - this is a fresh install and the server doesn't know what's managed yet). Give the transcript a descriptive name based on if it is positive, negative, or special. Click the Continue button.

17. Review the transcript and delete lines for files that you don't want to see on machines when they are managed (temp files/caches/etc) then upload the new loadset to the server. (This is nearly impossible to do without having done this at least once - as you run into errors uploading, keep a list of lines to delete from the transcripts of future uploads)

Delete the following line for certain:

/private/etc/printcap

and save the transcript.

18. The upload can take up to 5 hours or more based on the size of your image (tests based on an image of around 1.5 GB).

If there is an error in the upload:

 

ex. "Radmind Assistant encountered an error: line 128379, size in transcript does not match size in file" (means size has changed between the time when the transcript was produced and the file itself started to upload, which, since it takes 5 hours, could very well be possible)

 

19. On the Client, locate the last line stored by opening the Radmind Assistant Log (command - l), and reading the last line before the error - it will have ":stored" at the end of it. Open the Transcript Editor (shift-command-t), and scroll to that line. Note the line following the last line stored. Write this down. Quit the Radmind Assistant.

 

20. On the server, delete the incomplete loadset and old transcript from the /var/radmind/tmp/file and /var/radmind/tmp/transcript/ folders. Ex:

 

admin% sudo -s

root# rm -r /var/radmind/tmp/file/pismoxLoadset.T  (this deletes the actual files: rm -r will delete a directory and all of its contents)

root# rm /var/radmind/tmp/transcript/pismoxLoadset.T  (this deletes the transcript)

 

21. On the Client, open the Radmind Assistant. Choose "Create New Loadset" from the FILE menu. Name the new loadset.  Ex: pismo-positive.T. Click Continue.

 

22. Once the new transcript has been written, click the "Review Transcript Contents" button. This will open the transcript in the Transcript Editor. Scroll to the line that caused the error (ex: /private/etc/printcap), and delete it (click on the line, and click the Trash icon in the window bar). Save the transcript, and close the Transcript Editor.

 

23. Click the Continue button to upload the new Loadset to the server.

 

24. Repeat as necessary, keeping detailed notes on lines that caused problems.

 

As each upload can take up to 6 hours, this is a long, arduous process until you learn what causes errors on your setup. You’ll definitely want to keep track of problem files from the start to avoid errors later.

 

Once the Loadset is stored:

 

25.  On the server, launch Radmind Assistant.

 

26. Open the Server Console (option+apple+S). You should see a new transcript in the "Newly Created Loadsets" drawer. Select it and click the "recycle" icon to update it, then click the check mark icon to verify it.

 

27. When it's verified, drag it to the Production Loadsets drawer to make it active and available to clients.

 

28. Select the command file for your client in the left pane, then drag the positive transcript onto the Command File Entry pane.

 

29. Make sure that the loadset is marked 'p' for positive.

 

30. Click the buttons "Save command file" and "Save Config"

 

31. Test the load set (here's where it gets even more fun, because it may not work even then).

 

32. On the Client: Open the Radmind Assistant.

 

33. Press the Continue button - this is on the Radmind Updater screen.

 

34. Select your Radmind server from the list, or enter its name or IP address. Click Continue. Enter your password to authenticate. The client will connect with the server and verify that it has the most up-to-date command files and related transcripts.

 

35. After this is done, the Radmind Assistant will examine the file system for differences. Press Continue to scan the disk for changes.

 

36. If there are any differences found, click the Continue button to apply those changes. This shouldn't take long, since you just uploaded the loadset.

 

37. Once all changes have been applied, the Radmind Assistant will tell you the update has completed. Click the Finish button to end the update session.

 

Creating Overloads

 

Once you have your base configuration loaded and working, you can add your applications and make any other configuration changes to your setup. In my case, I added applications first, then created a separate overload for each of our kerberized login and iHook configurations. You can also create separate overloads for each application, which will make it easier to pick and choose what to install on clients.

38. Install new software or make any configuration changes necessary.

 

39. Open the Radmind Assistant. Choose "Create New Loadset" from the FILE menu.

 

40. Name the new loadset descriptively. ex. applications-overload.T.

 

41. Create the transcript. Once it is stored, click the "Review Loadset Contents" button and make sure that the transcript is listing the additions.

 

42. Quit the Transcript Editor, saving any changes (or not, as you wish).

 

43. Click the Continue button to start storing the loadset.

 

44. If you receive any errors, note the last line stored (command - l opens the log).

 

45. On the Server, delete the failed loadset and transcript.

 

admin% sudo -s

root# rm -r /var/radmind/tmp/file/applications-overload.T

root# rm /var/radmind/tmp/transcript/applications-overload.T

 

46. On the client, create a new loadset and click the "Review Transcript Contents" button. Locate the line you noted earlier. Delete the next line and save the transcript. Quit the Transcript Editor.

 

47. Click the Continue button to store the loadset on the server. If you get another error, repeat the whole process.

 

48. Once the loadset is stored, on the server, update and verify the transcript. Move it to the Production Loadsets drawer, then add it to your command file, just after the base load entry, and before the negative entry. Save the command file.

 

49. On the Client, use the Radmind Assistant to update the machine and get the new command file and verified transcript.

 

Repeat this as needed. I had specific reasons for not creating a single overload containing all applications, and kerberized login and iHook configurations. You may not need multiple overloads in your setup.

 

iHook - Using iHook to run a logout script that calls Radmind, compares the client to the image, and replaces modified items.

 

1. Open the iHook disk image and copy the iHook application to the Applications folder on the client.

 

2. Open Terminal and type:

 

admin% sudo -s

password: ######

 

3. Edit the sample script that calls radmind using the vi editor.

 

root#: vi /Volumes/iHook/Sample\ Hooks/Bourne\ Shell\ Hooks/sh-radmind-logout.hook

 

4. Set the TLS auth level to 0, and replace the reference to the radmind.server.edu with the server name or IP address (just match what you put in the Radmind Preferences).

 

When you enter vi, type

 

:set verbose showmode (press the "return" key)

 

The current mode (Command, Insert, Append, etc.) will be displayed in the lower right hand of the terminal window.  You can switch from edit mode to Command mode by pressing the ESC key. Use the "x" key in Command mode to delete characters. Use the "a" key to append to a line, and the "i" key to insert characters.

 

Set the TLS  AuthLevel  to 0:

 

authlevel="-w  0"

 

Change the rserver entry to:

 

rserver="-h your.radmind.server.edu"  (your server IP or DNS name)

 

5. You will need to edit references to the radmind tools to use full paths. Go through the document and add /usr/local/bin/ to the following entries:

Changes are in bold. (This is not the full script.)

 

# We want ktcheck's output to be displayed in the drawer, so we
# redirect it to stderr:
/usr/local/bin/ktcheck -c sha1 $rserver $authlevel 1>&2
rc="$?"

...

# run fsdiff, redirecting output to a file. Error messages will automatically
# appear in the drawer.

   /usr/local/bin/fsdiff -A $cksum $fsdiffpath > $fsdiffoutput

...

echo Applying changes....
                /usr/local/bin/lapply $cksum $rserver $authlevel $fsdiffoutput 1>&2
                case "$?" in
                0)
                        break
                        ;;
                1)
                        echo Apply failed, no changes made
                        exit 1
                        ;;
                2)
                        echo Apply failed, trying again...
                        echo %OPENDRAWER
                        sleep 2
                        echo %0
                        echo Checking for changes on the server...
                        /usr/local/bin/ktcheck -c sha1 $rserver $authlevel 1>&2
                        continue
                        ;;

 

6. When finished editing, press the ESC key to enter Command mode and type

 

:w /etc/logout.hook

 

This will save the script as "logout.hook" in the /etc/ directory so that iHook will use it at logout (this is the default name).

 

7. Next, we need to edit the ttys file to call this LogoutHook at logout.

 

root#: vi /etc/ttys

 

Change this line (changes are in bold):

 

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

to:

console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LogoutHook /Applications/iHook.app/Contents/MacOS/iHook" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

 

Note: If you have a LoginHook in addition to a LogoutHook, the LoginHook entry appears immediately after ".../loginwindow" and before "-LogoutHook".

 

8. Write the file by entering ":w", and pressing the return key.

 

9. Restart the machine to let the changes take effect.

 

10. Login under your administrator account and open Terminal.

 

11. At the prompt, type:

 

admin% sudo chmod 0755 /etc/logout.hook

 

This sets the correct permissions for the script and makes it executable.

 

12. Logout to test that this works. The iHook window should appear. Any error messages will open an error log tray. However, this disappears after two minutes of no activity, so you need to watch this carefully.

 

13. In order to get fsdiff to actually run at every logout, you will need to delete the "exit 0" line in the logout.hook script:

 

# Check exit status of ktcheck. If > 1, an error occurred.
# If there aren't any updates from the server, skip the rest of
# the script. This keeps logout times to a minimum.
case "$rc" in
    0)
            echo No updates
            sleep 2
            exit 0 --- delete this line!
            ;;

 

This forces fsdiff to examine the filesystem for changes at every logout, which is what we need the logout script to do; with the "exit 0" line in place, nothing is checked unless something has changed on the server.

 

14. To add a custom background to the iHook status screen, open the logout.hook script in vi.

 

admin% sudo -s

root# vi /etc/logout.hook

 

Add this line to the script, just after the opening comments:

 

echo %BACKGROUND \
/Library/Images/iHookwait.png

(I used Photoshop to create a transparent PNG file with our college logo. This file was then stored in an Images directory I created in the Library.)

 

15. Save the file, exit vi, and quit Terminal.
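
The edits from steps 4, 5, 11 and 13 can be checked mechanically before the hook is copied to lab machines. The script below is an added example, not part of iHook, radmind or the original notes; its function names and the cut-down sample hook it writes are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of iHook or radmind: audit a logout hook for the
# edits in steps 4, 5, 11 and 13. All function names are this example's own.

# Step 5: print "N:text" for radmind tools invoked without a full path.
bare_tool_calls() {
    grep -nE '^[[:space:]]*(ktcheck|fsdiff|lapply)([[:space:]]|$)' "$1" || true
}

# Step 4: print the TLS level passed with -w in the authlevel= assignment.
# radmind levels: 0 = no TLS, 1 = verify the server, 2 = verify both ends.
hook_authlevel() {
    sed -n 's/^[[:space:]]*authlevel="-w[[:space:]]*\([0-9]\)".*/\1/p' "$1" | head -n 1
}

# Step 13: print the line number of an "exit 0" inside the 0) branch of
# case "$rc"; with it, fsdiff is skipped unless the server has updates.
early_exit_line() {
    awk '
        /^[ \t]*case[ \t]+"\$rc"/       { in_case = 1; next }
        in_case && /^[ \t]*0\)/         { in_zero = 1; next }
        in_zero && /^[ \t]*exit[ \t]+0/ { print NR; exit }
        in_zero && /;;/                 { in_zero = 0; in_case = 0 }
    ' "$1"
}

# Step 11: print the path if group or other can write to it. loginwindow
# runs the hook as root, so nobody else should be able to modify it.
loose_perms() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# Print findings for one hook file; the return status is the finding count.
audit_hook() {
    hook=$1
    count=0
    calls=$(bare_tool_calls "$hook")
    if [ -n "$calls" ]; then
        echo "radmind tool called without /usr/local/bin/:"
        echo "$calls"
        count=$((count + 1))
    fi
    line=$(early_exit_line "$hook")
    if [ -n "$line" ]; then
        echo "line $line: exit 0 skips fsdiff when ktcheck reports no updates"
        count=$((count + 1))
    fi
    if [ -n "$(loose_perms "$hook")" ] || [ ! -x "$hook" ]; then
        echo "$hook: expected mode 0755 (executable, writable by owner only)"
        count=$((count + 1))
    fi
    echo "TLS level (-w): $(hook_authlevel "$hook")"
    return "$count"
}

# Constructed sample: a cut-down hook before steps 5 and 13 were applied.
write_sample_hook() {
    cat > "$1" <<'EOF'
#!/bin/sh
rserver="-h your.radmind.server.edu"
authlevel="-w 0"
ktcheck -c sha1 $rserver $authlevel 1>&2
rc="$?"
case "$rc" in
    0)
        echo No updates
        sleep 2
        exit 0
        ;;
esac
/usr/local/bin/fsdiff -A $cksum $fsdiffpath > $fsdiffoutput
EOF
    chmod 0775 "$1"
}

sample=$(mktemp)
write_sample_hook "$sample"
audit_hook "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a client, run audit_hook against /etc/logout.hook as root.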

 

What NOT to do in order to save your sanity:

 

1. Do NOT just comment out the /Users/ line in the negative transcript once you realize that your Users folder is not being managed. If you do, your entire Users folder will be pretty much deleted.

 

Attempting to restore a machine with just MacOSX installed does not work correctly - users are not propagated correctly. Nor does recreating the users work as expected.

 

Moral of the story - DON'T MESS UP OR YOU WILL BE RELOADING THE IMAGE!

 

To Recover from this: 

If you forget to remove the /Users/ entry from the macosx-negative-transcript.T file (this is an existing sample file from the radmind people), there is a way to add back in management of the Users folder. Follow these steps CAREFULLY. Messing up means the deletion of the Users folder. Do this if you have already uploaded your baseload and configured your users before discovering that your Users folder was not being managed.

On the Client:

1. Edit the macosx-negative-desktop file.

 

admin% sudo -s

root# vi /var/radmind/client/macosx-negative-desktop.T

 

Delete the /Users/ reference (comments and all)

Save the file.

 

2. Exit sudo mode, and upload the transcript to the server.

 

root# (control-d) (to logout)

admin% sudo /usr/local/bin/lcreate -N -h your.radmind.server.edu /var/radmind/client/macosx-negative-desktop.T

 

On the Server:

 

3. Open the Radmind Assistant and switch to the Radmind Server Assistant. Update and verify the new transcript.

 

4. Delete the old macosx-negative-desktop.T file from the "Production Loadsets" pane. Select the config file for the client machine, and select the correct command file. Delete the reference to the macosx-negative-desktop.T file and save the command file.

 

5. Move the new macosx-negative-desktop.T loadset to the "Production Loadsets" window. Then, drag it to the command file entry window (while still in the correct command file). Set the type to 'n', and make sure it is the last entry in the command file. Click the "Save Command File" button.

 

On the Client:

 

Now we need to make a new user-overload.

 

6. Open the Radmind Assistant and choose "Create New Loadset" from the FILE menu. (Skip the update screen - if you update now, your entire Users folder will be DELETED).

 

7. Give the new loadset a name - ex. "user-positive.T"

 

8. Once the transcript is created, click the "Review Loadset Contents" button. You will need to delete the following line:

 

/Users/admin/Library/Preferences/edu.umich.radmindtranscripteditor.plist  (quite obvious, actually, since you are using it at the moment)

 

9. Save the transcript by clicking the Save Transcript button, and close the transcript editor.

 

10. In the Radmind Assistant, click the "Continue" button. The loadset should be uploaded to the server without incident.

 

11. When it is uploaded, click the Finish button, and quit the Radmind Assistant.

 

On the Server:

 

12. Update and verify the loadset and move it to the Production Loadset window.

 

13. Add the transcript (user-positive.T) to the command.K file for the client machine.

The order the entries should appear in the command.K file:

 

p          pismo-positive.T  --- This is the base load, the original positive transcript

p          Kerberos-overload.T  --- This is our kerberized login overload.

p          iHook-overload.T  --- This is the overload for our iHook logout item.

p          user-positive.T  --- This is my user overload that I had to create after not noticing the Users line in the negative transcript.

n          macosx-negative-desktop.T --- This is the negative transcript I downloaded and modified.

 

14. Save the Command file by clicking the Save Command File button.

 

On the Client:

 

15. Launch the Radmind Assistant and update the machine.
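
Before that final update, it is worth confirming from the transcripts themselves what will happen to /Users. The script below is an added example, not part of radmind or the original notes; it assumes the command file and the transcripts it names sit together in one directory, and its function names and sample transcript lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of radmind: preflight for the /Users recovery above.
# Function names and the sample files are this example's own.

# Succeed if transcript $1 has a non-comment entry for /Users or below it.
lists_users() {
    awk '$1 !~ /^#/ && $2 ~ /^\.?\/Users(\/|$)/ { found = 1 }
         END { exit !found }' "$1"
}

# Succeed if command file $1 has a negative entry and no positive entry
# after it (the order shown in step 13).
negative_is_last() {
    awk '$1 == "n" { seen_n = 1 }
         $1 == "p" && seen_n { bad = 1 }
         END { exit (bad || !seen_n) }' "$1"
}

# users_status DIR KFILE: print what the next update does with /Users,
# reading the transcripts named in DIR/KFILE from DIR:
#   ignored   - a negative transcript lists it
#   managed   - only positive transcripts list it
#   unmanaged - no transcript lists it, so applying changes would remove it
# Assumes the negative transcript is the last entry, as step 5 requires.
users_status() {
    dir=$1
    result=unmanaged
    while read -r type name rest; do
        [ -f "$dir/$name" ] || continue
        lists_users "$dir/$name" || continue
        case $type in
            n) result=ignored; break ;;
            p) result=managed ;;
        esac
    done < "$dir/$2"
    echo "$result"
}

# Constructed sample: the state the page warns about, with the /Users line
# gone from the negative transcript and no user-positive.T yet.
write_sample() {
    cat > "$1/command.K" <<'EOF'
p pismo-positive.T
n macosx-negative-desktop.T
EOF
    cat > "$1/pismo-positive.T" <<'EOF'
d /Applications 0775 0 80
EOF
    cat > "$1/macosx-negative-desktop.T" <<'EOF'
# d /Users 0775 0 80
d /private/tmp 1777 0 0
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
echo "/Users before user-positive.T is added: $(users_status "$demo" command.K)"
rm -rf "$demo"
```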

 

Load other Clients

 

Clients are loaded using NetRestore, which uses a disk image created by Carbon Copy Cloner (check the “Prepare for NetRestore” option in the CCC Prefs), from FireWire drives. Radmind will be used only to maintain the systems in the labs, and install new applications, not to propagate a complete image to fresh machines. (These notes are specific to the way I will be setting up lab machines.)

1. Connect the FireWire drive to computer to be loaded (machine should be off).
2. Turn on the drive. Hold down the option key on the keyboard and turn on the computer.
3. Select the Boot drive (this is usually a clone of a standard MacOS X system install built from our newest machines to ensure maximum compatibility).
4. Wait for the machine to boot.
5. Launch NetRestore (I usually add this as a login item, to save time).
6. Select the image you wish to use (Lab_Image_asr.dmg) from the Source dialog (or drag the disk image to that field), and select the destination drive from the pulldown list.
7. From the FILE menu, choose “Post_Restore actions”. Set the Computer Name to Graphics Lab XX (or whatever you name your machines). This sets the Computer and Rendezvous name in the Sharing panel.
8. Click the lock icon in the NetRestore window to authenticate, and click the Restore button.
9. When you reboot, you will need to rename the boot drive of the freshly restored machine, since it will take the name of the disk image (i.e. Lab_Image). You may also need to reset your Energy Saver prefs.


Conclusions

On the whole, Radmind seems to do very nearly what I needed in the labs, namely, a way to keep the machines configured correctly, and to reset the generic labuser account. This is just one way to configure lab machines. I have left out ISU-specific instructions for kerberized login to a generic user account. Those instructions can be found at http://www.public.iastate.edu/~macosx/ under the MacOS X Project section, for those of you on campus.

More Radmind information:

 

Radmind Documentation - http://rsug.itd.umich.edu/software/radmind/documentation.html
Radmind macosx-negative-desktop.T - http://rsug.itd.umich.edu/software/radmind/macosx.html
Radmind Listserv archives - http://listserv.rice.edu/archives/radmind.html - This listserv is a great source of information.

MacOS X Labs (Radmind docs) - http://www.macosxlabs.org/documentation/documentation.html
Radmind Manual - http://www.gal.co.uk/software/radmind/
iHook - http://rsug.itd.umich.edu/software/ihook/
iHook Sample Scripts - http://rsug.itd.umich.edu/software/ihook/hooks.html

 

The following items are copies of original correspondence, a sample negative transcript, and a sample iHook logout.hook script.

 

Original e-mail from Ryan Schwartz to the Radmind Listserv

 

From popserve  Tue Feb  4 10:13:55 2003

Date:         Tue, 4 Feb 2003 10:12:57 -0600

Reply-To: RADMIND -- Discussion based list for the tool Radmind

              <RADMIND@listserv.rice.edu>

Sender: RADMIND -- Discussion based list for the tool Radmind

              <RADMIND@listserv.rice.edu>

From: Ryan Schwartz <rschwart@WISC.EDU>

Subject: Re: [RADMIND] Error message: Bad file descriptor

Comments: cc: help@mail.pediatrics.wisc.edu

To: RADMIND@listserv.rice.edu

 

 

Here's some (very basic) instructions on creating an initial loadset

from scratch, without the tutorial files:

 

I'm assuming some basic knowledge of using the Terminal, so standard disclaimer: following these instructions may, on the off chance, somehow hose up your system. As always, use at your own risk. (problems are not likely, but I may get hit by lightning someday...)

 

1. Install your radmind server. (custom install, select server pieces, startup item, NOT server tutorial files)

2. sudo touch /var/radmind/command/command.K

3. Install radmind on your client machine.

4. Download the macosx-negative-desktop.T from the Mac OS X section on radmind.org

5. Open Terminal.app as an admin user and type the following: sudo cp /path/to/macosx-negative-desktop.T /var/radmind/client (enter your password)

6. Edit /var/radmind/client/macosx-negative-desktop.T to suit your needs (fsdiff -1 filename generates the line to add to the transcript for 'filename')

6a. To get the next step to work, run sudo lcreate -n /var/radmind/client/macosx-negative-desktop.T and comment/delete out files that throw an error from the negative transcript.

6b. Keep running the command in 6a until there is no output.

7. (still in Terminal) sudo lcreate -N -h server.ip.address.or.fqdn /var/radmind/client/macosx-negative-desktop.T  (add a -v before the transcript filename to see the server communication)

8. Hop over to the server and launch Radmind Assistant.app

9. Open the Server Console (option+apple+S).

10. You should see a new transcript on the bottom of the drawer. Select it and click the 'recycle' icon to update it, then click the check mark to verify it.

11. When it's verified, you can drag it to the top half of the drawer to make it active and available to clients.

12. Select your command.K in the left pane, then drag macosx-negative-desktop.T onto the right pane.

13. Click the 'p' in the leftmost column and change it to 'n' (this makes it a 'n'egative transcript vs. a 'p'ositive or a 's'pecial)

14. Click the buttons "Save command file" and "Save Config"

15. Hop back to your client, open Radmind Assistant.app, and select Session-->Create New Loadset and follow the instructions (don't update - this is a fresh install and the server doesn't know what's managed yet).

16. Review the transcript and delete lines for files that you don't want to see on machines when they are managed (temp files/caches/etc) then upload the new loadset to the server.

17. Go have a cup of coffee or three, since the upload takes a while.

 

As for updating your clients against the new loadset, that's another tutorial.

 

Hope this helps - I'm going to write up some prettier directions (for my boss and co-workers, in case I get hit by a bus) and will post the location to this list when I get them finished.

 

Others who have more experience, please feel free to make corrections/suggestions. I just tried the steps above and verified that it works, but am always interested in feedback.

 

-RTS

 

>On Monday, February 3, 2003, at 10:11 PM, Wesley Craig wrote:

>

>On Monday, February 3, 2003, at 10:56  PM, Tim Mosely wrote:

>I'm new to radmind and have the same problem "/dev/fd/10 Bad file

>descriptor"

>as above. I also am trying to perform the initial steps of creating a

>New

>Radmind Loadset from a (template) client machine. I have looked in

>/var/radmind/client/and found no command.K or (your/my)negative.T

>

>Run the installer again.  Under "Installation Type", choose

>"Customize".  Select all of the client bits, particularly the "Client

>tutorial files".  These include the example command.K and negative.T

>for creating an initial loadset.

>

>:wes

 

--

Ryan Schwartz

Pediatrics Computer support

rschwart@facstaff.wisc.edu

Negative Transcript - full text (edited)
download from http://rsug.itd.umich.edu/software/radmind/macosx.html


# Lines starting with '#' and blank lines are ignored.

# To uncomment a line, remove the '#'

 

#

# This transcript is for Mac OS X 10.2.x.  It works reasonably well for

# personal machines, allowing the owner of the machine to manage account,

# system preferences, etc, while managing the contents of /Applications

# and other OS-level data centrally.

#

# DO NOT USE this file without first reviewing it!

#</