Contribute  :  Advanced Search  :  Directory  :  Forum  :  FAQ's  :  My Downloads  :  Links  :  Polls  
AFP548 Changing the world one server at a time.

advanced search 

Sections

Home
AFP548 Site News (104/2)
Articles (266/27)
Apple (45/2)
Extended KB (3/1)
Ask AFP548 (16/37)
Reviews (5/1)
Security (16/2)
Tips (130/8)
Third Party Applications (51/5)
Odds and Ends (27/1)
Podcasts (2/0)

User Functions

:

:

Don't have an account yet? Sign up as a New User
Lost your password?

Poll

Do you have an offsite disaster recovery site?
Yes, a full backup data center!
Yes, a remote server!
Yes, um, I take the tapes home.
No! My company won't pay for it!
No! DR is for saps!
Results
339 votes | 1 comments
Welcome to AFP548
Tuesday, February 09 2010 @ 08:21 am CST
   

Image Creation Revolution

Friday, August 31 2007 @ 07:40 am CDT
Contributed by: macshome
Views: 26,452
Articles

Image creation is one of the few things on Mac OS X that has been around long enough to be considered a time honored tradition. In fact, the first article I wrote for the site after the redesign was Disk Imaging for Mac OS X Made Easy and after nearly a quarter of a million reads it is our most popular article. There is a problem though. In the three years since I wrote that piece I've built hundreds, if not thousands of asr images, and I've been doing it wrong the whole time.

Odds are you've been doing it wrong too and once you read this two part series on imaging you will never return to building images the old way. The future is now and there is a better way.

Read on for more... 



The Problem

This isn't to say that everything in my previous article is wrong. It is the documented way to create an image from an existing Mac and therein lays the rub. This whole time we've been imaging existing Macs and that is just a bad way to do things. When you image an existing Mac you get existing cruft. Things like the NetworkInterfaces.plist are created on first boot and they contain information about the Mac that is currently booting.

I recently saw this cause an issue when an image created on a Mac Pro was deployed to anything with an AirPort card. Since the Mac Pro has two ethernet interfaces it assigned en1 to one of these. When a machine with a single NIC and an AirPort booted the image the AirPort was braindead as the system assumed that en1 was a gigabit ethernet NIC. Sure a solution could be to remove the NetworkInterfaces.plist before you image the drive, but that's a pain and is easy to forget. You also end up with things like .DS_Store files all over the place, Spotlight indexes, and other stuff that ideally shouldn't be sent out for deployment.

Even worse is when you live on the image for a while to test it first. You can forget all sorts of stuff and even worse not realize what is left behind. I've seen deployment images go out with interesting browser histories, or hundreds of MB in caches in the local admin account. This is all stuff you want to avoid on all sorts of levels.

Apple knows this is an issue and the scrub functionality of hdiutil helps out greatly, but it won't catch everything. That leaves it to the sysadmin to catch everything and that's just more work for you.

Let me tell you how I used to build images and see if this sounds familiar:

  1. I create a "prefect" Mac.
  2. I use it for a while to make sure it all works.
  3. When I'm ready I trigger a cleanup script that removes all the Machine and user specific files I can think of.
  4. I image that drive and deploy it to a pilot group.

Wrong, wrong, wrong. And I'll show you a better way in just a few moments.

More Problems

While the above might seem like a big deal it's not the worst of it. A huge problem in the above workflow is the amount of work that it takes. What happens when the next SecUpd comes out or the new seemingly bi-weekly Office patch is released? You go through that whole procedure again. Often you can skip a step and just image a fresh workstation, but it's still a pain to do and even worse, a pain to document.

Quick! Tell me every non-Apple application you have on your deployment image. How about every configuration change? How about the GUID of the local admin user? If the auditors demanded it by close of business could you provide a list of every file that has been added or modified beyond the Apple defaults? Some of you can probably do this. You are probably also using radmind and spend your days hunkered over a glowing LCD. I know, I used to be there too. I'm now a member of the Reformed radmind Admin Club.

If you are like most of us out there with monolithic deployment images you really have no idea what is in that image. You know you installed CS3 and Office, but what does that mean? SOX auditors aren't known for thier funny side at work and they don't like vague descriptions of what is on a disk.

The Solution (Seriously)

This is going to sound like a joke to many of you, but here it is. Use installer packages. No, really. Use installer packages when creating your images.

There are some really good reasons to move to a pkg based system:

  • Packages are a standard format
  • Packages can be installed with a variety of tools
  • Packages can run scripts
  • Packages are auditable.

What I'm proposing you do is move to a fully packaged based install. No more manual tweaks to files; no more scripts run by hand. Put it all in packages. When you do this you modularize the imaging process. No longer do you need to remember what tweaks you do where. You simply put it in a package.

A nice benefit to all of this is that you can now push these updates with all sorts of tools to your existing deployments or migrate to other deployment tools with great ease. What do NetInstall, Casper, puppet, ARD, and FileWave all have in common? They can use the pkg format. If you already have all of your deployment in pkg form then you are ready to go if you move to one of those systems. Even better, Apple's CSS Group (Custom Software Solutions) can take all of those packages and then deliver pre-imaged Macs to your door. If this sounds nice ask your SE for more details.

To create all these packages you have a bunch of options these days. The most popular three seem to be PackageMaker, Composer, and Iceberg. My recommendation is to use a combination of the first two. Between the two of them you can get everything bundled up pretty quickly.

PackageMaker is Apple's official packaging tool and for sysadmin types it allows us to create very specific packages to run a script or to drop a few files here and there.

Composer is from JAMF Software and is now available separately from the Casper Suite. Composer is a snapshot based tool for creating packages of application installs. I know that PackageMaker has some snapshotting tools at the command line, but Composer is just so easy to use that it's well worth the purchase. (Here's a quick tip. You can purchase Composer for half-price if you have an ARD license.)

Another advantage of packages is that they are easy to audit too. With a package based install you are a simple lsbom run, or even Show Files... in the Installer, away from knowing every single file you have installed or modified on the deployment image.

So now we have the understanding that packages create a modular, repeatable, auditable source for creating a deployment image. The question you now have though is how to use all these packages to your advantage and avoid the lived-in image problem?

Stay on Target

One of the nice features of the Apple Installer is that we can target just about any volume we choose. All you need to do is pick the target and let fly with all of your packages, in order, to a volume. Then image that and you have your never booted Mac OS X image. Clean and tasty.

Your first thought may be to target an external drive, but Mac OS X is more flexible than that. The ideal target is a disk image since it requires no extra hardware. Now for those of us with single disk systems this can create a host of performance issues due to IO contention. But what do you care about that if it happens while you sleep?

The Big Tease

You read that right, while you sleep. Perhaps the greatest advantage to all of this is that a fully package based install can be fully automated. Part two of the series is going to cover this in detail, but I'll give you a tease now.

In order to automate your ASR image creation you only need to do the following:

  1. Create three folders. One contains the OS install, one the Apple Updates, and one your custom packages.
  2. Write a script to install all of these, in the correct order, and then spit out an ASR image.

Luckily we have done step two for you. We call it InstaDMG and it is going to change the way you image forever.

I'm putting the final cleanup tweaks on the script now, and will release it soon, but you can already see the advantages this is going to bring.

Imagine that you have created and populated the three folders. Now schedule InstaDMG to run every night and every morning you have a fresh image waiting to be tested. The next time an update comes out all you need to do is drop it in the correct folder and wait. The most effort you will ever need to put forth is to package an update that didn't come in a pkg. As more developers adopt the package format even that is a dwindling task.

InstaDMG promises to deliver fully-automated nightly builds of deployment images and free you from system building drudgery.

But Wait There's More...

InstaDMG is just one part of the suite of tools designed to make your life easier. Since we are fully automating the image creation process we might as well automate first round QA testing as well.

After InstaDMG creates the image we can have it blast it onto another partition and reboot. Once that is done we can then turn to a tool like Redstone's Eggplant to automate all of the basic testing that we need to pass the SLA (Service Level Agreement) we have with the users. Having that SLA allows us to stop feature creep in our images and it allows you to define what is considered a "good" image and what is not.

Using Eggplant you can create a test suite that validates the basic SLA that has been established. Things like does Word launch, can Safari log into the intranet sites, do all my Photoshop actions work, things like that. This SLA is a contract with the user base that if each point on the checklist works, it's a good image.

If everything passes the Eggplant suite then you are ready to push the image or updates to your pilot group. Remember that all of this has been automated for you during the night. All you need to do is sleep.

Part two is coming soon, and then InstaDMG can be yours as well. Stay tuned...

 

What's Related

Story Options

Advertising

Image Creation Revolution | 34 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Image Creation Revolution
Authored by: sketch on Friday, August 31 2007 @ 01:16 pm CDT
Yeah I've been packaging my customizations for a long time now. Makes life so much easier when you have to rebuild for the new models.
Image Creation Revolution
Authored by: Anonymous on Friday, August 31 2007 @ 02:15 pm CDT
Yea me too I have always made packages.....the only time I don't is when I install large apps like Adobe CS 3 or something large like that or something that scatters files everywhere. Thats where Composer is nice, but its not free anymore. It was free for a short period. Package Maker is nice with its setup now, but it seriously needs to be like Composer with being able to create a snapshot packages like composer can and I see that coming very soon I hope.

I have asked Apple time and time again about another issue is for us to be able to check in our own packages into our local Apple Software Update servers.....simply check your updates in and enable them.......then all that has to happen is software update run on our clients which we do every Friday with a cronjob.

-DB
Image Creation Revolution
Authored by: Anonymous on Friday, August 31 2007 @ 04:42 pm CDT
Yeah this sounds like a better way of doing the slow imaging process when new software updates/OS security updates arrive on the scene. Is it possible you can write a in-depth guide on how to do this stuff in part 2?

Got a question for ya, what if you need to set custom login scripts at login to start monitoring software, logout hooks etc? Do you just script this aswell? What about startup delays to alleviate other networking issues? Are these in the core image or waht?

Ive worked with Apples CSS team in the past on a medium sized rollout. i was quite surprised they used the package format. But tbh back then i was a noobie to imaging. They gave me all our customizations on DVD and instructions on how to deploy with there MultiMSD installer package. Very cool indeed.
Yeah, but how...
Authored by: hetjan on Monday, September 03 2007 @ 05:26 am CDT
I know its not strictly on topic, but I'm tempted to ask you to include how one would go about doing archive and install via the terminal.....
Image Creation Revolution
Authored by: Anonymous on Monday, September 03 2007 @ 05:57 am CDT
I haven't used this package format was was planning to.

I was also planning to use several Folders:
Mac OS X Install
Apple Updates
3rd Party Applications & their updates
Local Patches (Login Hooks, Scripts etc)

May use some hierachy with 3rd party applications
eg a separate sub-folder for each 3rd party application (or suite) & it's updates.

So I would be interested in your script, but then may want to modify it slightly to handle a slightly different container structure.

Haven't played with eggplant, but that sounds interesting too.
Install the OS onto a disk image?
Authored by: Anonymous on Monday, September 03 2007 @ 02:06 pm CDT
I am new into imaging and I have 2 questions (or comments, if you will):
1. How do I install an OS onto an image (instead of an external drive)?
-> When I tried to do so, the installer said that this volume (the image) cannot be started from and it would not let me continue.
2. How do you work around packages that demand to be installed on a running system?
-> I tried to install iWork '08 and the installer said it could only be installed onto a running system.

Waiting for part 2… René
Image Creation Revolution
Authored by: Anonymous on Tuesday, September 04 2007 @ 03:02 pm CDT
You mention "audit" options, but I am pretty sure your can't audit package installer scripts, unless you open the script and review & understand everything it is doing. Also, we run into many, many "crappy apps" that install with incorrect permissions, absolute paths, write outside user space and etc, etc., including many Apple installations So, you are proposing using a snapshoting utility for every install and doing an audit and then test, edit your outputted package installer? Also, does your solution provide a solution for tripwire the file system? How can you make sure files haven't been added or modified, run a complete audio of the package? What about the package installer scripts?
Image Creation Revolution
Authored by: jaharmi on Tuesday, September 04 2007 @ 03:41 pm CDT
You are not always a “simple lsbom run” away from knowing what happens in a .pkg or .mpkg file … anything can happen in any of the scripts associated with that installer’s preflight, postflight, preinstall, postinstall, preupgrade and postupgrade scripts. This is not to discount the utility of using Installer packages or metapackages. You should, however, use them with your eyes open — especially if you did not create them.
Image Creation Revolution
Authored by: Anonymous on Thursday, September 06 2007 @ 10:25 pm CDT
I can't believe you're a sellout. I'm never taking your articles seriously again.
Image Creation Revolution
Authored by: Theilgaard on Tuesday, September 11 2007 @ 09:28 am CDT
I can understand how easy it is to provide upgrades to old machines and don't have to go through the list of folder to delete every time the image has to be updated.

But how do you suggest to start out? Are you using packages from the very beginning, or do you create the first image as usual, and then update it using packages? That part is not exactly clear to me.

Images I create are using a standard administrator account (I probably do not need this when Panther arrives, but until then, anyway). I also create certain settings for network interfaces and so on, so how do you handle all that?
Not a substitute for radmind
Authored by: Anonymous on Friday, September 14 2007 @ 10:09 am CDT
I can understand the appeal of using packages. I initially built a system around the same. It included uninstalls and rollbacks.

But we abandoned it. In practice if you want a truly verifiable filesystem you need to use something like radmind.

Rollbacks and changes are easy and efficient with radmind. No need to reimage in most cases.

Now radmind is not easy to setup and learn and you need a management system behind it to make it useful and flexible and provide maximum benefit.
Currently if your fulltime support staff is weak and you dont have a solid management system for radmind, then packages are probably the best you can do, but if you are serious about managing your macs and your have more than a few, i would hire someone that can learn radmind. It is worth it in the end.
Image Creation Revolution
Authored by: dom9inic on Monday, September 17 2007 @ 02:19 am CDT
Forgive my ignorance but, doesn't this rule out custom home folders? My typical imaging process ends with me creating a default user and setting up all app prefs etc, then ditto'ing that custom home folder to be the User Template. Don't see how I could do that with this package method. Please correct me as I'm liking the look of this system.

---
dom

Image Creation Revolution
Authored by: Anonymous on Thursday, September 20 2007 @ 08:02 am CDT
Really looking forward to part 2 and InstaDMG. Is it coming soon? Separately, how does this procedure handle hardware that has a custom version of the OS (i.e. 2.2/2.4GHz MacBook Pros)? Do you use the specific hardware's OS build and can it be deployed to other hardware (i.e. iMacs, Mac Pros)?
Image Creation Revolution
Authored by: foilpan on Monday, October 22 2007 @ 09:17 am CDT
is part 2 on the way? i'm interested in reading about your approach in detail.

thanks.
Image Creation Revolution
Authored by: Gary Bernstein on Monday, February 11 2008 @ 09:19 am CST
I was reading this and liked what I was hearing, but being a radmind users, the two things that I don't see this addressing are:

1) I can have 100 different setups and customize what apps are installed on each machine with radmind. While it is a little more work with radmind, I can have certain items core to all 100 machines and then decide that only certain users will have a certain application (like Adobe Indesign or Photoshop).

2) There doesn't seem to be any plan for updates. It looks like your thought is to update machines by reinstalling everything. Or am I missing something? With our radmind setup, we put out updates and all my machines check in with radmind nightly and get any updates over night.

Having said that, I like the idea of using packages instead of radmind transcripts, if those other issues were addressed some how.
Image Creation Revolution
Authored by: scw9000 on Thursday, March 27 2008 @ 10:31 am CDT
You'll probably want to put in something like this after the Base OS has been installed to the scratch DMG:

# unmount the Base OS DMG
/usr/sbin/diskutil eject $CURRENT_OS_MOUNT_DEV

(you'll need to get the /dev/???? into $CURRENT_OS_MOUNT_DEV from the hdiutil command like you did for the other image)
Image Creation Revolution
Authored by: Anonymous on Friday, September 12 2008 @ 02:36 pm CDT
Has part two been posted? I've searched but cannot find it.

 Copyright © 2010 AFP548
 All trademarks and copyrights on this page are owned by their respective owners.		 Powered By Geeklog 
Created this page in 1.49 seconds