Archive
First Boot Package Install.pkg
As covered previously, Greg Neagle’s createOSXinstallPkg is a versatile tool for installing or upgrading Mac OS X in a variety of situations. One of the nicer features is that you can edit the OS X installer to install additional packages.
However, the limitations of the OS X install environment mean that there are a number of installers that won’t install correctly. In particular, packages that rely on pre- or postflight scripts to perform important tasks may fail to run properly in the OS X install environment.
To help work around this limitation, I’ve developed First Boot Package Install.pkg, an installer package that enables other packages to be installed at first boot.
It’s designed for use with createOSXinstallPkg with the goal of allowing installer packages that can’t run in the OS X Install environment to be used as part of a createOSXinstallPkg deployment workflow. See below the jump for the details.
Changes to XProtect’s Java browser plug-in version management
In last night’s XProtect update, Apple added two new version checks. The first new check looks for Apple’s com.apple.java.JavaAppletPlugin Java browser plug-in identifier. This Apple Java browser plug-in is running on Mac OS X 10.6.x or was installed on 10.7.x or later by Java for OS X 2012-005 or earlier. Installing Java for OS X 2012-006 and later on 10.7.x and 10.8.x automatically removes the Apple Java browser plug-in.
The second new check looks for Apple’s com.apple.java.JavaPlugin2_NPAPI Java browser plug-in identifier. In this case, the Apple Java plug-in was re-enabled using the procedure in the following Apple KBase article: http://support.apple.com/kb/HT5559
This update also removes the Oracle Java browser plug-in version check from 10.6.x’s XProtect. Both new Apple Java version checks and the Oracle Java browser plug-in version check are in the 10.7.x and 10.8.x XProtect. See below the jump for the details.
ASR’s hidden documentation
As part of trying to trace down a separate mystery, the folks in the ##osx-server IRC room made an interesting discovery: Apple’s asr tool has hidden documentation.
Normally, to access Apple’s documentation on a command-line tool, you would use man toolname_here or toolname_here help. asr has both of those, but it also has a separate command that reveals additional asr options not mentioned in the regular man or help pages.
With asr help, you get the following output:
Usage: asr
is one of the following:
asr help | version
asr restore --source --target []
asr restore --source asr:/// --file []
asr server --source --config []
asr imagescan --source [--filechecksum] [--nostream] [--SHA1]
is in bytes but may end with a scale factor (b, k, m, g)
common are any of:
--source path or url to disk image file, mountpoint, or
web accessible disk image
--puppetstrings print out messages in format good for machine parsing
--verbose display verbose output
--debug display debug output
restore are any of:
--target path to volume or mountpoint
--erase formats target volume
--format target format when erasing (defaults to source)
--noprompt don't require confirmation on erase
--noverify don't checksum results
--buffers number of buffers to use in block copy
--buffersize size of buffers to use in block copy
--csumbuffers number of buffers for the checksum if different
--csumbuffersize size of buffers for the checksum if different
--timeout max wait for stream in multicast client mode
server are any of:
--interface Use 'if' as the interface for the server's
outgoing stream
--config server configuration file in plist format
imagescan are any of:
--filechecksum calculate file checksum
--nostream don't reorder file for multicast streaming
--SHA1 add a SHA-1 checksum to the image
However, when you run FULL_USAGE=1 asr help, you get the following output:
Usage: asr
is one of the following:
asr help | version
asr restore --source --target []
asr restore --source asr:/// --file []
asr server --source --config []
asr imagescan --source [--filechecksum] [--nostream] [--SHA1]
asr partition --target [--testsize ]
[--retestsize ] [--recoverysize ]
asr freeze --target [--testsize ]
[--retestsize ] [--recoverysize ]
asr thaw --target [--recovery] [--modifyrecovery]
asr adjust --target [--settype ]
is in bytes but may end with a scale factor (b, k, m, g)
common are any of:
--source path or url to disk image file, mountpoint, or
web accessible disk image
--puppetstrings print out messages in format good for machine parsing
--verbose display verbose output
--debug display debug output
restore are any of:
--target path to volume or mountpoint
--hidden restore to the hidden customer software partition
--erase formats target volume
--format target format when erasing (defaults to source)
--noprompt don't require confirmation on erase
--noverify don't checksum results
--buffers number of buffers to use in block copy
--buffersize size of buffers to use in block copy
--csumbuffers number of buffers for the checksum if different
--csumbuffersize size of buffers for the checksum if different
--timeout max wait for stream in multicast client mode
server are any of:
--interface Use 'if' as the interface for the server's
outgoing stream
--config server configuration file in plist format
imagescan are any of:
--filechecksum calculate file checksum
--nostream don't reorder file for multicast streaming
--SHA1 add a SHA-1 checksum to the image
There are now four additional options listed:
asr partition --target [--testsize ]
[--retestsize ] [--recoverysize ]
asr freeze --target [--testsize ]
[--retestsize ] [--recoverysize ]
asr thaw --target [--recovery] [--modifyrecovery]
asr adjust --target [--settype ]
The question I don’t know the answer to is “What do these options do?”
I’ve seen asr adjust used to correct an incorrectly set Recovery HD partition, but I’m not familiar with what asr freeze and asr thaw do.
Do you know? Let me know in the comments.
FileVault Setup.app – local FileVault 2 encryption setup and enforcement
I was recently asked to help test a new utility called FileVault Setup for setting up and enforcing FileVault 2 encryption. It’s designed to be a user-friendly interface for Apple’s fdesetup tool on OS X 10.8.x which supports turning on FileVault 2 encryption and enabling a single user account.
One nice thing about this tool from my perspective is that it’s designed to be independent of any server-based resources. To the best of my knowledge, this is the first tool I’ve seen that allows FileVault encryption to be enforced on a machine entirely from the machine’s own resources. See below the jump for the details.
Booting into single-user mode on a FileVault 2-encrypted Mac
I recently communicated with a Mac admin who was concerned about using FileVault 2 in his environment because he didn’t want to lose access to tools like single-user mode. Like a number of Mac admins, he’d found single-user mode valuable in helping to diagnose and fix issues on troublesome Macs.
Fortunately, Apple makes it reasonably easy to boot into single-user mode on a FileVault 2-encrypted system. Here’s how to boot into single-user mode on a FileVault 2-encrypted system:
1. Hold down Command-S after powering on the system.
2. The Mac will begin booting into single-user mode, then the FileVault 2 pre-boot login screen will appear.
3. Authenticate at the FileVault 2 pre-boot login screen by selecting an account and providing the account’s password.
4. The Mac will then unlock and continue booting into single-user mode.
To show what this looks like, I’ve made a short video showing the process. In this instance, I booted into single-user mode and performed a disk check using fsck, then continued with the rest of the boot process.
Managing Safari’s Java whitelist
Safari 6.0.4 and later (for Mac OS X 10.7.x and 10.8.x), and 5.1.9 and later (for Mac OS X 10.6.x), now prompt you to enable the Java browser plug-in on a website-by-website basis. When a Java applet is allowed, it is added to a whitelist in Safari’s Security settings.
This was going to be an issue at my workplace, as we have a couple of applications that rely on Java applets running through the browser. To help fix this and manage the Safari Java whitelist, I’ve written a couple of scripts. These scripts are designed to add websites to Safari’s Java whitelist without overwriting existing entries. For more details, see below the jump.
Migrating OS X VMs files without VMware Standalone Converter
In one of the comments to my earlier post about migrating OS X VMs to ESXi, Alan Gordon mentioned another way to convert an OS X VM’s vmdk file to an ESXi-compatible format.
Since the process I developed is ultimately about getting the OS X VM’s vmdk file up to the ESXi server, then building a new VM on the ESXi server to use that vmdk file, this is an easier technique because it allows us to skip using VMware Standalone Converter altogether. Instead, this procedure will use the vmware-vdiskmanager tool included with VMware Fusion and the VMware vSphere Client application. See below the jump for details.
Running Java 7 in a VMware Fusion 10.8.x VM
As mentioned previously, I’ve moved the majority of my testing to OS X VMs running in either VMware Fusion or VMware ESXi. However, there has been one component of my build testing that I still needed actual Macs for: testing Oracle’s Java 7 updates. The reason for this is that Java 7 crashes when run inside of a VMware Fusion VM.
Oracle has certified the following virtualization solutions as being Oracle JDK 7 and JRE 7 Certified System Configurations:
Certified:
Not certified:
VMware virtualization solutions
Microsoft virtualization solutions
Unfortunately, that meant unless Oracle or VMware stepped up, Java 7 wasn’t going to run inside an OS X VM. Fortunately, VMware stepped up. There is now a script available from VMware to patch liblwawt.dylib in the Java 7 Runtime Environment. The patch addresses the Java 7 crashing issue, allowing Java 7 Update 17 to run normally in an OS X 10.8.3 VM.
The patch is specific to 10.8.x VMs and does not work in 10.7.x VMs at this time.
I’ve posted a copy of the Python script that applies the patch here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/vmware_fusion_java_7_patch
I’ve also built a payload-free package to run the script:
Migrating OS X VMs to a VMware ESXi server
I’ve started using ESXi servers more and more for hosting my test Macs, both here and at work. As part of that, I’ve found it to be considerably easier for me to build the VM inside of VMware Fusion on my Mac and move it to ESXi than to build it from scratch on my ESXi server.
That said, I’ve found the process for moving OS X VMs has not been straightforward. When I first tried moving 10.8.x VMs, I tried both VMware’s OVF Tool and VMware’s Standalone Converter, but neither initially appeared to provide me with the ability to transfer working OS X 10.8.x VMs.
In the end, I was able to find a way to use VMware’s Standalone Converter to transfer 10.8.x VMs, but the process involves some extra steps on the ESXi server’s end.
The process I’ve developed involves using a Windows 7 VM running inside of VMware Fusion, with the VMware Standalone Converter application installed. One thing to note before proceeding further is that I did not try this with a vSphere server. All my work has been done with VMware’s free ESXi server, so it may be that there’s an easier way to do this with vSphere. See below the jump for details.
Setting the default boot drive from the boot volume menu
This has been previously documented in a few places, but I just ran across this handy way to set the default boot drive from the boot volume menu.
When you start up a Mac holding down the Option key, the boot volume menu appears and displays all available bootable volumes. When you select a drive by clicking on it or selecting it with the arrow keys on your keyboard, it’ll boot from that drive until the next reboot. At the next reboot, unless you hold down the Option key again, the Mac will boot from whatever drive was set in the Startup Disk preference pane to be the default boot drive.
However, there’s also a way to change the default boot volume from the boot volume menu. In this case, once you get to the boot volume menu, you can let go of the Option key, then hold down the Control key. At that point, you should see the upward arrow icon that points at the currently selected drive turn into a circular arrow.
Once you select that drive and boot from it, it will now also be set as the Mac’s default boot drive.





