First Boot Package Install.pkg

May 13, 2013 2 comments

As covered previously, Greg Neagle’s createOSXinstallPkg is a versatile tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.

However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.
To help work around this limitation, I’ve developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot.


It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.

Changes to XProtect’s Java browser plug-in version management

May 11, 2013 2 comments

In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This Apple Java browser plug-in is running on Mac OS X 10.6.x or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.

The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559

This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.


FileVault 2 session at Penn State MacAdmins Conference 2013

I’ll be speaking about FileVault 2 at the Penn State MacAdmins Conference 2013, which is being held from May 22nd – 24th, 2013 in State College. For those interested, my talk will be on Thursday, May 23.

For a description of what I’ll be talking about, please see the Managing FileVault 2 on Mountain Lion session description. You can see the whole list of speakers here on the Sessions page.

Script to run remote commands via SSH

As a follow-on to my earlier post about running remote commands with SSH, I noticed I was repeatedly running particular commands via SSH on remote machines. I was copying and pasting the bits I needed into Terminal, but it was still a manual process and manual processes should be scripted whenever possible.


Here’s the script I wrote to solve my particular problem.


#!/bin/bash

# At the prompt, enter the IP address
# or DNS name of the machine you want
# to connect to.

echo -n "Enter IP Address or Domain Name: "
read -r ipaddress

# At the prompt, enter the username
# of the account you want to log in
# with.

echo -n "Enter Username: "
read -r username

# At the prompt, enter the command that
# you want to run on the remote machine.

echo -n "Enter the command you want to run on the remote machine: "
read -r command

echo ""
echo ""

# Error checking to verify that the correct
# information has been entered. If incorrect
# info has been entered, selecting No will
# exit the script.

echo "Is the information below correct?"
echo ""
echo "Remote machine: $ipaddress"
echo "Username: $username"
echo "Command: $command"
echo ""
echo "If it is correct, select Yes"
echo ""
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo "OK, the script will continue."; break;;
        No ) echo "To avoid errors, the script will need to be restarted. Exiting the script."; exit 0;;
    esac
done
echo ""
echo ""

# Check to see if the command needs to be
# run with root privileges. If root privileges
# are needed, the SSH connection will force 
# pseudo-tty allocation, which allows the command
# to be run via sudo

echo "Does this command need to run with root privileges? Once you select Yes or No, the command will run on the remote machine."
echo "Note: You will be prompted if authentication is required. If running the command as root, you may be prompted twice."
echo ""
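# The destination is quoted and placed after "--" so that the
# entered values reach ssh as a single destination argument and
# are never parsed as ssh options.
select yn in "Yes" "No"; do
    case $yn in
        Yes) echo ""; ssh -t -- "$username@$ipaddress" "sudo $command"; break;;
        No ) echo ""; ssh -- "$username@$ipaddress" "$command"; break;;
    esac
done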

#Exiting the script
echo ""
echo ""
echo "Finished running the remote command"
exit 0

The script is also available on my GitHub repo at the following location:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/running_commands_remotely_with_ssh
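
One way to validate the prompted values before they reach ssh, as an added example that is not part of the original script or the GitHub repo. The function names, the `SSH_BIN` dry-run override, the allowed character sets and the length limits are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example (not the original script): validate the operator's input
# before it is handed to ssh. The character sets and length limits below
# are assumptions chosen for this illustration.

# Host: DNS name or IP literal. Reject empty values, anything starting with
# "-" (ssh would parse it as an option) and any character outside the set.
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Username: same idea, with a narrower character set (no "@" or ":").
valid_user() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# remote_run <host> <user> <yes|no> <command>
# Refuses bad input with exit status 64; otherwise runs ssh with a quoted
# destination after "--". SSH_BIN is a hypothetical override for dry runs.
# The command string is still interpreted by the remote shell, by design.
remote_run() {
    valid_host "$1" || { echo "rejected host" >&2; return 64; }
    valid_user "$2" || { echo "rejected username" >&2; return 64; }
    [ -n "$4" ] || { echo "empty command" >&2; return 64; }
    if [ "$3" = "yes" ]; then
        "${SSH_BIN:-ssh}" -t -- "$2@$1" "sudo $4"
    else
        "${SSH_BIN:-ssh}" -- "$2@$1" "$4"
    fi
}

# Constructed sample input: the last three values are rejected.
for h in mac01.example.com 192.0.2.10 '-v' 'host;id' ''; do
    if valid_host "$h"; then echo "accept: [$h]"; else echo "reject: [$h]"; fi
done
```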

ASR’s hidden documentation

April 30, 2013 2 comments

As part of trying to trace down a separate mystery, the folks in the ##osx-server IRC room made an interesting discovery: Apple’s asr tool has hidden documentation.

Normally, to access Apple’s documentation on a command-line tool, you would use man toolname_here or toolname_here help. asr has both of those, but it also has a separate command that reveals additional asr options not mentioned in the regular man or help pages.

With asr help, you get the following output:

Usage: asr  
   is one of the following:
    asr help | version
    asr restore --source  --target  []
    asr restore --source asr:/// --file  []
    asr server  --source  --config  []
    asr imagescan --source  [--filechecksum] [--nostream] [--SHA1]
   is in bytes but may end with a scale factor (b, k, m, g)

common  are any of:
      --source  path or url to disk image file, mountpoint, or
                        web accessible disk image
      --puppetstrings   print out messages in format good for machine parsing
      --verbose         display verbose output
      --debug           display debug output

restore  are any of:
      --target  path to volume or mountpoint
      --erase           formats target volume
      --format  target format when erasing (defaults to source)
      --noprompt        don't require confirmation on erase
      --noverify        don't checksum results
      --buffers    number of buffers to use in block copy
      --buffersize   size of buffers to use in block copy
      --csumbuffers   number of buffers for the checksum if different
      --csumbuffersize  size of buffers for the checksum if different
      --timeout      max wait for stream in multicast client mode

server  are any of:
      --interface  Use 'if' as the interface for the server's
                       outgoing stream
      --config  server configuration file in plist format

imagescan  are any of:
      --filechecksum calculate file checksum
      --nostream     don't reorder file for multicast streaming
      --SHA1         add a SHA-1 checksum to the image


However, when you run FULL_USAGE=1 asr help, you get the following output:

Usage: asr  
   is one of the following:
    asr help | version
    asr restore --source  --target  []
    asr restore --source asr:/// --file  []
    asr server  --source  --config  []
    asr imagescan --source  [--filechecksum] [--nostream] [--SHA1]
    asr partition --target  [--testsize ]
                           [--retestsize ] [--recoverysize ]
    asr freeze --target  [--testsize ]
                        [--retestsize ] [--recoverysize ]
    asr thaw --target  [--recovery] [--modifyrecovery]
    asr adjust --target  [--settype ]
   is in bytes but may end with a scale factor (b, k, m, g)

common  are any of:
      --source  path or url to disk image file, mountpoint, or
                        web accessible disk image
      --puppetstrings   print out messages in format good for machine parsing
      --verbose         display verbose output
      --debug           display debug output

restore  are any of:
      --target  path to volume or mountpoint
      --hidden          restore to the hidden customer software partition
      --erase           formats target volume
      --format  target format when erasing (defaults to source)
      --noprompt        don't require confirmation on erase
      --noverify        don't checksum results
      --buffers    number of buffers to use in block copy
      --buffersize   size of buffers to use in block copy
      --csumbuffers   number of buffers for the checksum if different
      --csumbuffersize  size of buffers for the checksum if different
      --timeout      max wait for stream in multicast client mode

server  are any of:
      --interface  Use 'if' as the interface for the server's
                       outgoing stream
      --config  server configuration file in plist format

imagescan  are any of:
      --filechecksum calculate file checksum
      --nostream     don't reorder file for multicast streaming
      --SHA1         add a SHA-1 checksum to the image


There are now four additional options listed:

    asr partition --target  [--testsize ]
                           [--retestsize ] [--recoverysize ]
    asr freeze --target  [--testsize ]
                        [--retestsize ] [--recoverysize ]
    asr thaw --target  [--recovery] [--modifyrecovery]
    asr adjust --target  [--settype ]


The question I don’t know the answer to is “What do these options do?”

I’ve seen asr adjust used to correct an incorrectly set Recovery HD partition, but I’m not familiar with what asr freeze and asr thaw do.

Do you know? Let me know in the comments.

FileVault Setup.app – local FileVault 2 encryption setup and enforcement

April 29, 2013 2 comments

I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It’s designed to be a user-friendly interface for Apple’s fdesetup tool on OS X 10.8.x which supports turning on FileVault 2 encryption and enabling a single user account.

One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.


Booting into single-user mode on a FileVault 2-encrypted Mac

April 26, 2013 3 comments

I recently communicated with a Mac admin who was concerned about using FileVault 2 in his environment because he didn’t want to lose access to tools like single-user mode. Like a number of Mac admins, he’d found single-user mode valuable in helping to diagnose and fix issues on troublesome Macs.

Fortunately, Apple makes it reasonably easy to boot into single-user mode on a FileVault 2-encrypted system. Here’s how to do it:

1. Hold down Command-S after powering on the system.

2. The Mac will begin booting into single-user mode, then the FileVault 2 pre-boot login screen will appear.

3. Authenticate at the FileVault 2 pre-boot login screen by selecting an account and providing the account’s password.

4. The Mac will then unlock and continue booting into single-user mode.

To show what this looks like, I’ve made a short video showing the process. In this instance, I booted into single-user mode and performed a disk check using fsck, then continued with the rest of the boot process.

Managing Safari’s Java whitelist

April 19, 2013 4 comments

Safari 6.0.4 and later (for Mac OS X 10.7.x and 10.8.x), and 5.1.9 and later (for Mac OS X 10.6.x), now prompt you to enable the Java browser plug-in on a website-by-website basis. When a Java applet is allowed, it is added to a whitelist in Safari’s Security settings.

This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. To help fix this and manage the Safari Java whitelist, I’ve written a couple of scripts. These scripts are designed to add websites to Safari’s Java whitelist without overwriting existing entries. For more details, see below the jump.


Categories: Bash scripting, Java, Mac OS X

Migrating OS X VMs files without VMware Standalone Converter

April 16, 2013 6 comments

In one of the comments to my earlier post about migrating OS X VMs to ESXi, Alan Gordon mentioned another way to convert an OS X VM’s vmdk file to an ESXi-compatible format.

Since the process I developed is ultimately about getting the OS X VM’s vmdk file up to the ESXi server, then building a new VM on the ESXi server to use that vmdk file, this is an easier technique because it allows us to skip using VMware Standalone Converter altogether. Instead, this procedure will use the vmware-vdiskmanager tool included with VMware Fusion and the VMware vSphere Client application. See below the jump for details.


Categories: Mac OS X, VMware, VMware ESXi

Running Java 7 in a VMware Fusion 10.8.x VM

April 10, 2013 1 comment

As mentioned previously, I’ve moved the majority of my testing to OS X VMs running in either VMware Fusion or VMware ESXi. However, there has been one component of my build testing that I still needed actual Macs for: testing Oracle’s Java 7 updates. The reason for this is that Java 7 crashes when run inside of a VMware Fusion VM.

Oracle has certified the following virtualization solutions as being Oracle JDK 7 and JRE 7 Certified System Configurations:

Certified:

Oracle VM 2.2

VirtualBox 3.x – 4.x

Solaris Containers

Solaris LDOMs

Not certified:

VMware virtualization solutions

Microsoft virtualization solutions

Unfortunately, that meant unless Oracle or VMware stepped up, Java 7 wasn’t going to run inside an OS X VM. Fortunately, VMware stepped up. There is now a script available from VMware to patch liblwawt.dylib in the Java 7 Runtime Environment. The patch addresses the Java 7 crashing issue, allowing Java 7 Update 17 to run normally in an OS X 10.8.3 VM.

The patch is specific to 10.8.x VMs and does not work in 10.7.x VMs at this time.

I’ve posted a copy of the Python script that applies the patch here on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/vmware_fusion_java_7_patch

I’ve also built a payload-free package to run the script:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/vmware_fusion_java_7_patch/payload-free_package

Categories: Java, Mac OS X, VMware