This document goes through the process of creating a negative radmind
transcript and a base OS X server transcript. It is assumed that the OS X
server has been installed and all the current software updates have been
applied.

For the commands below the following information is used:

    Radmind server                   : catbert.lsait.lsa.umich.edu
    Radmind client                   : client.lsait.lsa.umich.edu
    Client IP                        : 141.211.67.168
    Negative srv Transcript          : srv-negative.T
    Base srv Transcript              : srv-base.T
    Command file on Radmind server   : 10.3-base-srv.K
    Radmind Tools Version            : 1.3.0

The above information should be changed to appropriate values for your
environment. It is also assumed that radmind has already been installed on
the server. The radmind tools will be installed on the client and the
command line interface ( CLI ) will be used to create and load the
transcripts.

################################################################################
#
# Create the base server transcripts. This should only be done once.
#
# The following steps should be performed on the radmind client. I.e. the
# OS X server that will be used to create the negative and base transcripts.
# The commands below need to be run with root privileges.

1) Download and install the RadmindTools package on the client.

    # The package is available at http://www.radmind.org
    # The package will install the tools but will not create some of the
    # necessary directories.

2) Create any necessary and missing directory structure.

        client# mkdir /var/radmind/client
        client# cd /var/radmind/client

3) Create a list of files to exclude. This will be used to generate the
    negative transcript. Place the list of files into a text file called
    list. The list of files below provides a good starting point.

    NOTE : Order is important.
    The files should be listed in lexicographical order.

        /.Trashes
        /.hotfiles.btree
        /.vol
        /Library/Caches
        /Library/ColorSync/Profiles/Displays
        /Library/Logs
        /Library/Preferences/.GlobalPreferences.plist
        /Library/Preferences/DirectoryService/.DSRunningSP2
        /Library/Preferences/SystemConfiguration
        /Library/Preferences/com.apple.loginwindow.plist
        /Network
        /System/Library/Caches
        /System/Library/CoreServices/.disk_label
        /System/Library/Extensions.kextcache
        /System/Library/Extensions.mkext
        /Users
        /Volumes
        /automount
        /dev
        /mach.sym
        /private/etc/cups/certs/0
        /private/etc/hostconfig
        /private/etc/hostconfig.personal
        /private/etc/hostconfig~
        /private/etc/ssh_host_dsa_key
        /private/etc/ssh_host_dsa_key.pub
        /private/etc/ssh_host_key
        /private/etc/ssh_host_key.pub
        /private/etc/ssh_host_rsa_key
        /private/etc/ssh_host_rsa_key.pub
        /private/tmp
        /private/var/backups // NEW
        /private/var/db
        /private/var/log
        /private/var/radmind/client
        /private/var/root
        /private/var/run
        /private/var/servermgrd
        /private/var/spool
        /private/var/tmp
        /private/var/vm
        /usr/share/man/whatis.db

4) Create the negative transcript, based on the list of files in the text
    file 'list.'

        client# for i in `cat list`
        > do
        >     /usr/local/bin/fsdiff -1 -c sha1 $i >> srv-negative.T
        > done

5) The negative transcript needs to be listed in the client's command file
    before creating the base transcript. The file
    /var/radmind/client/command.K should not exist until it is created with
    the command below.

        client# echo "n srv-negative.T" >> command.K

6) Create the transcript for the base server image.

        client# /usr/local/bin/fsdiff -C -c sha1 -v -o srv-base.T /

7) Upload the negative transcript to the radmind server. Since this is a
    negative transcript the -N flag is used. See the man page for lcreate
    for more information.

        client# /usr/local/bin/lcreate -i -c sha1 -N -w0 \
                    -h catbert.lsait.lsa.umich.edu \
                    srv-negative.T

8) Upload the server base transcript to the radmind server. Note that the
    -N flag is not specified.
    As a result, the files associated with the srv-base transcript are
    uploaded to the server. See the man page for lcreate for more
    information.

        client# /usr/local/bin/lcreate -i -c sha1 -w0 \
                    -h catbert.lsait.lsa.umich.edu \
                    srv-base.T

################################################################################
#
# The following commands should be run on the radmind server. The commands
# should be run with root privileges.

9) Move the transcripts and files from the staging area to the production
    area.

        server# cd /var/radmind/tmp
        server# cd file; mv * /var/radmind/file ; cd ..
        server# cd transcript; mv * /var/radmind/transcript; cd ..

10) Verify that all the files have been uploaded successfully. This command
    has to be run for the negative transcript since "null" sized files have
    been uploaded as place-holders and the sizes in the negative.T
    transcript will not match. You can run lcksum with -N flag to just
    check and not correct the srv-base.T transcript. If any corrections are
    made for srv-base.T then a problem most likely occurred when uploading
    the files to the radmind server.

        server# cd /var/radmind/transcript
        server# /usr/local/bin/lcksum -c sha1 srv-negative.T
        server# /usr/local/bin/lcksum -c sha1 srv-base.T

11) Enable the client to use the new transcripts. This will require
    creating a command file, which contains the new transcripts. Create the
    file; it should contain only the two lines below.

        server# vi /var/radmind/command/10.3-base-srv.K

        p srv-base.T
        n srv-negative.T

12) After creating the command file the radmind server has to be configured
    to allow the client access to the command file. Add the line below to
    the config file. The first line that matches is used, similar to
    tcp-wrappers configuration, so care should be taken in where in the
    file the line is added.
        server# vi /var/radmind/config

        141.211.67.168 10.3-base-srv.K

################################################################################

The radmind server should now be configured with the new transcripts and to
allow the client to access them. The following steps should once again be
performed on the radmind client and will require root privileges.

13) Copy the command file and transcripts from the server.

        client# /usr/local/bin/ktcheck -c sha1 -h catbert.lsait.lsa.umich.edu

14) "Sync" the machine based on the new command file and transcript.

    **** WARNING **** THIS WILL MODIFY YOUR MACHINE!!!

        client# /usr/local/bin/fsdiff -A -c sha1 / | /usr/local/bin/lapply -h catbert.lsait.lsa.umich.edu

    **** WARNING **** THIS WILL MODIFY YOUR MACHINE!!!

################################################################################

At this point the client should be configured and look like the base server
image. You can run the following command to verify that there is no
difference between the client and the base server image.

        client# /usr/local/bin/fsdiff -A -c sha1 /

NOTES: The following three files are under "radmind" control. However, when
a machine is rebooted the date/time stamp is changed as the system boots.
So radmind will tag the files as changed and will reset the date/time stamp
based on the transcripts.

        /private/etc/ipfilter/ipfw.conf.apple
        /private/etc/smb.conf
        /private/var/slp.regfile

################################################################################
#
## Configure server and services
#
# At this point the server should look like the base OS X server radmind
# image. The system is now ready to be configured.
# If any of the configurations required a reboot make sure that you do not
# include the files above ( unless the contents have actually changed )

################################################################################
#
## Create host specific radmind transcript
#
# The following commands should be run on the radmind client. The commands
# should be run with root privileges.

15) Create a transcript to capture all the differences between the base
    server class and the configuration changes made above.

        client# /usr/local/bin/fsdiff -C -c sha1 -v \
                    -o client.lsait.lsa.umich.edu.T /

16) Remove any unnecessary files. Some of the files, such as
    ipfw.conf.apple, will be identified as different, but the only
    difference is the date/time stamp, and this could change during every
    reboot. These files can be safely ignored and inherit the date/time
    stamp from the srv-base.T transcript. For other files that need to be
    excluded, a host-specific negative transcript will need to be created.
    Remove the lines for those files from client.lsait.lsa.umich.edu.T and
    put them into client.lsait.lsa.umich.edu-negative.T.

17) Upload the negative client-specific transcript.

        client# /usr/local/bin/lcreate -i -c sha1 -N -w0 \
                    -h catbert.lsait.lsa.umich.edu \
                    client.lsait.lsa.umich.edu-negative.T

18) Upload the positive client-specific transcript.

        client# /usr/local/bin/lcreate -i -c sha1 -w0 \
                    -h catbert.lsait.lsa.umich.edu \
                    client.lsait.lsa.umich.edu.T

################################################################################
#
# The following commands should be run on the radmind server. The commands
# should be run with root privileges.

19) Move the transcripts and files from the staging area to the production
    area.

        server# cd /var/radmind/tmp
        server# cd file; mv * /var/radmind/file ; cd ..
        server# cd transcript; mv * /var/radmind/transcript; cd ..

20) Verify that all the files have been uploaded successfully.
    This command has to be run for the negative transcript since "null"
    sized files have been uploaded as place-holders and the sizes in the
    negative.T transcript will not match. You can run lcksum with -N flag
    to just check and not correct the positive transcript. If any
    corrections are made for client.lsait.lsa.umich.edu then a problem most
    likely occurred when uploading the files to the radmind server.

        server# cd /var/radmind/transcript
        server# /usr/local/bin/lcksum -c sha1 client.lsait.lsa.umich.edu-negative.T
        server# /usr/local/bin/lcksum -c sha1 client.lsait.lsa.umich.edu.T

21) Enable the client to use the new transcripts. This will require
    creating a command file, which contains the new transcripts. Create the
    file; it should contain the lines below.

        server# vi /var/radmind/command/client.lsait.lsa.umich.edu.K

        p srv-base.T
        n srv-negative.T
        p client.lsait.lsa.umich.edu.T
        n client.lsait.lsa.umich.edu-negative.T

22) After creating the command file the radmind server has to be configured
    to allow the client access to the command file. Add the line below to
    the config file. The first line that matches is used, similar to
    tcp-wrappers configuration, so care should be taken in where in the
    file the line is added.

        server# vi /var/radmind/config

        141.211.67.168 client.lsait.lsa.umich.edu.K

23) Verify on the client that everything works. Nothing should sync down
    and only date/time stamps should be modified.

        client# /usr/local/bin/fsdiff -A -c sha1 /
        client#

################################################################################
#
## Appendix

########################################
#
# Installing Radmind Tools from the command line

        client# cd /tmp
        client# gunzip RadmindTools-1.3.0.pkg.tgz
        client# tar xvpf RadmindTools-1.3.0.pkg.tar
        client# rm RadmindTools-1.3.0.pkg.tar
        client# sudo installer -pkg ./RadmindTools-1.3.0.pkg -target /
        installer: Package name is Radmind Tools 1.3.0
        installer: Installing onto volume mounted at /.
        installer: The install was successful.

########################################
#
# Configuring a machine to use radmind

        client# sudo mkdir /var/radmind/client
        srv# vi /var/radmind/config
        # add 141.211.67.89 10.3-base-srv.K
        client# sudo /usr/local/bin/ktcheck -h catbert.lsait.lsa.umich.edu
        client# sudo /usr/local/bin/fsdiff -A -c sha1 /
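
Added example for steps 3 and 4 (not part of the original document or of the radmind tools): a pre-flight check that strips trailing annotations such as "// NEW" from the exclude list and refuses to build the negative transcript while an entry is out of order. The function names, the FSDIFF variable and the sample list are assumptions made for this example, and "lexicographical order" is checked as plain byte order.

```sh
#!/bin/sh
# Added example, not from the original document. Assumption: list order is
# checked as plain byte order (LC_ALL=C).

FSDIFF=${FSDIFF:-/usr/local/bin/fsdiff}    # fsdiff path used in the steps above

# Print the usable paths in list file $1: drop trailing "// ..." annotations,
# trailing whitespace and blank lines.
clean_list() {
    sed -e 's|[[:space:]][[:space:]]*//.*$||' \
        -e 's|[[:space:]]*$||' -e '/^$/d' "$1"
}

# Print the first path that sorts before the entry above it.
# Exit status 1 if there is one, 0 if the whole list is in order.
first_misordered() {
    clean_list "$1" | LC_ALL=C awk '
        NR > 1 && ($0 "") < (prev "") { print; exit 1 }
        { prev = $0 }'
}

# Build transcript $2 from list $1 with one "fsdiff -1" call per path.
# Nothing is written when the list is out of order. Reading line by line
# keeps paths containing spaces intact, unlike: for i in `cat list`.
build_negative() {
    if ! bad=$(first_misordered "$1"); then
        echo "list out of order at: $bad" >&2
        return 1
    fi
    : > "$2"    # start from an empty transcript so a re-run does not append
    clean_list "$1" | while IFS= read -r path; do
        "$FSDIFF" -1 -c sha1 "$path" >> "$2" || exit 1
    done
}

# Constructed sample: an entry added later, with a note, in the wrong place.
demo_list() {
    cat <<'EOF'
/private/etc/ssh_host_rsa_key.pub
/private/var/backups // NEW
/private/tmp
/private/var/db
EOF
}

tmp=$(mktemp) && demo_list > "$tmp"
first_misordered "$tmp" || echo "^ sorts before the entry above it; fix the list first"
rm -f "$tmp"
```

On the client, run build_negative list srv-negative.T from /var/radmind/client in place of the loop in step 4.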