Software Update Server

I can't believe I never wrote this up, but I've been using the Software Update Server included with Mac OS X Leopard Server since I upgraded the servers at my old job. If your network — or Apple's servers — are ever slow to get updates, having your own centralized SU Server can make a world of difference. But it's most useful when you have a bunch of Macs you need to update all at once. Try doing ten or so over the Internet at the same time. You'll get errors and failures, and you'll kill your network pretty quickly as all those updates come in at once. But updating a lab full of Macs from your own dedicated Software Update Server will not only not fail, it'll actually be quite fast since your using only internal bandwidth, of which you should have plenty. Setting one of these up is pretty easy, but there are a couple gotchas I always have to remember. So here we go.

  1. Activate the service in Server Admin.

    Activate Software Update Service

  2. Configure the service. I like to configure the SU Server to "Automatically copy all new updates from Apple." This is the easiest, and I like things easy. But otherwise I use the default settings.

    Configure Service Options

  3. Start the service and list the updates. And here's one of the gotchas: when you first start the service there is no indication that anything is happening. There is no progress bar and nothing will appear in the list of updates. But in fact the SU Server is downloading all the updates (several Gigs) in the background. The easiest way to prove that this is actually happening is to run the df command, then run it again. You should see your root drive getting gradually fuller as the server downloads the updates. This first download will take a long time. I like to let it go overnight.

    Updates

  4. When you return the next morning, the list should be populated with all the available updates, as seen above. (Also, you see about 10-15 GBs of data in the Software Update Server's data store, which is here: /usr/share/swupd/html/content/downloads/.) The last step then — and the thing I often forget — is to tell your client Macs where to get their Software Updates. To do this you'll need a computer list in Workgroup Manager. Add any computers you want to use your SU Server to the list. Then go to the Preferences pane for the group and select Software Update. Set the URL for the SU Server to: http://server.domain.com:8088/index.sucatalog

    Create Computer Group

  5. After saving that configuration, logging out and logging back in should be all you need to do on your clients to pick up the server. After doing so, run Software Update and you'll see the name of your SU Server in the menubar of the interface. This confirms you're successfully getting updates from the server.

    It Works!

Congrats! You're not a total moron. Enjoy!

UPDATE:

Reader Dennis points out in the comments that individual clients can be configured to look to the SUServer for updates without being part of a WGM group or managed by the server at all. This is done by modifying a preference on the client system, which you would do thusly:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://systemsboy.su.server.com:8088/"

That command can, of course, be sent en masses using Apple Remote Desktop's "Send Unix Command" directive.

And, if you want to revert to the standard method of checking for updates, looking at Apple's servers, delete the "CatalogURL" entry in the preference file by running:

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Thanks for the tip, Dennis!

Exposé and the Tab Key

I don't know if this is general knowledge or not, and I'm not a big Exposé user, so I could easily be ignorant of such a thing, but I just discovered that you can cycle through Exposé-activated applications using the tab or tilde keys. Here's what you do:

  • Hit the Exposé key (which is F3 on my nifty metal keyboard).
  • Hit the tab key. This will tab to the next application and display it as though it were in Exposé's application window mode, showing all the app's open windows.

    Exposé Tab Selection

  • Continue hitting tab to bring subsequent apps to the front.
  • Hit the tilde key to cycle backwards through apps.
  • Hit the Return or Enter key to activate the selected app.

This is pretty cool. Who knows, maybe it'll even encourage me to start using Exposé.

Maybe.

Too Many Computers

That title's not meant as a complaint. It's just that I've noticed that over the years I've tended to use fewer and fewer system add-ons and customizations than I once did. And I realize that it's because I use so many different computers. There used to be a time when I would customize the hell out of my Mac. After installing all my apps I'd get to setting up my user account, tricking out all my apps so that they behaved just like I liked, and installing and configuring any number of productivity utilities to make my life easier. It took forever, and it was a huge pain, but once it was done I could navigate my computer quickly and effortlessly.

Those days are pretty much over at this point. I no longer do much to change the default configuration of my home account in any meaningful way. I barely customize the Dock. I may change the Desktop background. On my primary computers I can't live without a pasteboard history, so on those machines I'll install the excellent(!) PTHPasteboard. And there are certain Terminal settings I really enjoy. But that's about it. I don't even install my beloved Butler anymore.

Too Many Computers!

There are certain things that have contributed to this. For one, Leopard's Spotlight is a great application launcher, largely mitigating the need for Butler. (Yes, there are other things that Butler does that I miss, but I can live without most of them — but application launching is a deal-breaker.) Spaces helps a lot with window management, so I don't need the sort of hot corner stuff I used to do. And the newer Mac keyboards have iTunes control built in.

But the main reason for this change (or lack thereof) is the plain fact that I'm simply touching too many computers in the course of the day to ever really consistently customize them. And if it's not consistent, it's not going to be very efficient, because every time you go to a different computer your system breaks. I was getting to the point where I'd go to one of the many computers I have to access on a regular basis — a staff member's machine, or some workstation somewhere — and I'd start frantically hitting the keys for some custom key-command I'd set at home, getting frustrated when nothing happened. At some point I realized that this inconsistency was actually hurting my productivity. So I made the conscious decision to learn a new way.

Over the past year or so I've gotten used to working with the system in as out-of-the-box a configuration as possible. Which ain't half bad, I have to say. Apple has really done a fine job of making the initial user experience good for both new and experienced users alike. It's quite remarkable. And I love not having to set much up beyond installing my apps. It's akin to how I felt when I gave up my car to move to Manhattan. You think you'll miss it, but you end up realizing what a burden it actually was. It's kind of great to have everything I need on any newly installed Mac. And now that I don't rely on that other stuff, I don't miss it at all.

I know as "power users" we like to add to and configure our machines out the wazoo, and I've certainly been no exception. But as a SysAdmin, I have to say, the less of this I do, the better my user experience has been. Surprising, yes. But totally true.

Just Open It

One of the new security measures in Leopard is a confirmation dialog that pops up anytime you attempt to open a file or executable bundle that was downloaded from the internet. You may have seen this dialog after downloading and launching a new application, for instance. It looks something like this: Leopard Quarantine: Yes, I Am Sure, Thank You Very Much

Some have hailed this as a breakthrough in security standards, I'm sure, though I can't find any specific sources to cite. Most folks who notice such things are actually rather annoyed by the alerts, likening them to similar attempts at security in versions of Windows. Indeed, it's difficult to make the argument that such a warning would be very effective at preventing user-initiated security breaches. In reality it's just the sort of warning that most people click through because 99% of the time it's unwarranted. This has most SysAdmins and advanced users asking, "Why bother?" After which they promptly ask themselves, "How do I turn this shit off?"

The bad news is that there doesn't seem to be a GUI way. There is no simple System Preferences checkbox for the alert. The good news is that there appears to be at least a couple possibilities for getting this done.

The first approach involves watching whatever folder you use for downloads, either via a Folder Action or via a Launch Daemon. The basic gist is that anytime that folder gets modified a script runs that removes the flag that causes the warning to appear from all items in the downloads folder. Because, you see, that's all that's going on. Anytime something is downloaded to your computer, Leopard flags it. When you open it in the Finder, the flag triggers the alert. Confirmation of the alert removes the flag. That's the mechanism. Using the watch folder method simply disables the flag, which is akin to hitting that "Open" button in the alert, only it happens automatically in the background.

There are a couple problems with this method. First off, it's difficult to implement, and second, it breaks anytime you decide to start using a different folder for downloads. And then there's the obvious fact that it's just plain ugly: a script workaround to disable an OS feature? Bluglgh! Terrible!

A better solution would be some sort of preference file. Apple often enables — but hides from the GUI — certain advanced preferences, allowing more savvy users to set the preference either by the addition of a preference (.plist) file, or by using the defaults command. There are all sorts of mods for the Dock, for instance, that, while unavailable through the GUI can be set via defaults. It appears that Apple has provided such an invisible preference for the Leopard download alert as well. And if you know how to create and edit a .plist file, activating the preference and disabling the alerts is fairly straightforward.

Some Background The instructions I'm about to provide have been posted in numerous other spots on the Web. But when I went searching for this info there seemed to be no single place that explained not just how to perform the modification, but also what it did and how the mechanism we're defeating works in the first place. So I wanted to provide some background info about just exactly what's going on here.

Metadata The first piece of this puzzle is the basic concept of metadata. Metadata is often best described simply as "data about data." And in Leopard we (or, more particularly, developers) finally have the ability to add arbitrary metadata. That is, as a developer, you can add any sort of descriptive data you want to your files and the files your application creates. Mac OS X 10.5 and up can read that metadata, interpret it and behave accordingly. So, to follow our example, when we download Camino from the Internet, the Mac OS (specifically, the Finder) adds some metadata to our Camino application, and that metada says, "This application was downloaded from the internet and has not been flagged for approval." Now, when we go to open the application for the first time, the Mac OS also knows to behave a certain way based on this metadata, and so we see that alert pop up. Clicking the "Open" button writes new metadata to the file, and that metadata now says, "This application has been opened and flagged for approval." The OS now knows not to present the alert the next time the app is opened. Such is the power of metadata.

By the way, I should mention that you can actually tell which files have metadata associated with them by doing a long file listing:

DrMac:~systemsboy$ ls -l Movies
drwxr-xr-x   9 systemsboy  staff        264 Nov 14 09:35 .
drwxr-xr-x  10 systemsboy  staff        296 Nov  7 17:20 ..
-rw-r--r--@  1 systemsboy  staff  407041761 Oct 31 15:45 DownloadedMovie.mov
-rw-r--r--   1 systemsboy  staff  407041761 Oct 31 15:45 LocalMovie.mov


Notice the "@" symbol at the end of the permissions info for the DownloadedMovie.mov file? That means that this file has metadata associated with it.

You can look at any metadata your files contain by way of the xattr command. The command is simple to use:

DrMac:~systemsboy$ xattr -l Movies/DownloadedMovie.mov
Movies/DownloadedMovie.mov: com.apple.quarantine: 0000;48fa188d;Firefox.app;|org.mozilla.firefox


Here we can see that our DownloadedMovie.mov has an Apple-branded quarantine flag, and that it was downloaded with Firefox. Nice!

UTIs The next piece of the puzzle comes in the form of something called Universal Type Identifiers, or UTIs. UTIs are a specific kind of metadata that are meant to describe and define types of files. So, our Camino application has metadata not only that tells the OS that it came from the Big Bad Internet (BBI), but also what sort of file (or in this case bundle) it is, namely that it's an application. This particular piece of metadata is the UTI, and there are a bunch of them. The complete list can be found on Apple's Developer site. UTIs can be extremely useful, and they'll actually allow us some flexibility in defeating Apple's quarantine mechanism. Because with UTIs we can specify which sorts of files trigger the alert and which don't, which is pretty great if you need it. And even if you don't, it's something that might come in handy down the line.

The Defeat So, with that out of the way, let's step through our method for disabling the Mac OS alert for downloaded files.

  1. The first thing we'll need is a file in our Preferences folder called "com.apple.DownloadAssessment.plist." If you have one, great, if not make one, either with Property List Editor, TextEdit or whatever text editor you have handy.
  2. Next, populate the file with this data:
     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
       "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>LSRiskCategoryNeutral</key>
        <dict>
          <key>LSRiskCategoryContentTypes</key>
          <array>
            <string>public.item</string>
          </array>
        </dict>
      </dict>
    </plist>
  3. Finally, restart the Finder.

From here on out, the OS will flag any item downloaded from the BBI (the UTI "public.item") as "Neutral." This should completely eliminate any sort of alert regarding downloads. Of course, there are exceptions — and I'll talk about them in a minute — but this should mostly do the trick.

Using UTIs and the Risk Categories outlined here, you can vary and specify the OS behavior for a wide range of file types. Want downloaded applications to raise the alert, but HTML files to be considered safe? Not a problem. Just specify as much in the plist file. It might look something like this:

 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
   "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>LSRiskCategoryUnsafeExecutable</key>
    <dict>
      <key>LSRiskCategoryContentTypes</key>
      <array>
        <string>public.executable</string>
      </array>
    </dict>
  </dict>
  <dict>
    <key>LSRiskCategory</key>
    <dict>
      <key>LSRiskCategoryContentTypes</key>
      <array>
        <string>public.html</string>
      </array>
    </dict>
  </dict>
</plist>


Now, applications we've downloaded from the Internet (UTI "public.executable") will be treated as "Unsafe Executables" and will prompt the quarantine alert. But downloaded HTML files (UTI "public.html") will be treated as "Safe" and be exempt from the alert. As you can probably gather, you could get really, really fine-grained here if you needed to. Most folks will be covered with the first example, but as a SysAdmin it's always good to know you have options.

Exceptions Now earlier I mentioned exceptions. And one of those exceptions is Camino itself. Remember earlier when I specified that developers could add metadata to files? It's important to understand that it's not always the Finder or even the Mac OS itself that's creating this metadata. Applications themselves can also write metadata to files, and that's exactly what Camino does. Anytime you download a file with Camino it adds it's own metadata to the download. And that metadata will trigger the Mac OS's quarantine alert. So the above hack fails for applications such as these, and there's not much to be done about it. The rationale for Camino's approach is at least partially detailed in bug report 464333 on Camino's developer site.

UPDATE: The folks at Camino are now re-examining the issue.

Further Reading Credit where due, I collected all my info on this topic from the following sources: The Folder Action Hack Arbitrarily Extensible Metadata Uniform Type Identifiers (UTIs) Download Security Assessments Creating and/or Modifying the Preference File

And inspiration and help for this post came from an excellent bunch of comments in another article right here on this very site.

In Conclusion I have to admit, I find what Apple is doing here fascinating. I'm not sure that popup alerts for every downloaded file is a great idea in practice, but I do think it's an interesting example of what's possible with metadata and highlights just how useful this addition to the OS could be if leveraged properly. Imagine if metadata were something in the hands of everyday users. Imagine if you could assign your own set of actions based on your own set of metadata tags. It could fundamentally change the way you interact with your computer, essentially allowing you to program it at will to your whims. And maybe someday it will, if Apple sees the potential here and continues to push forward with this Great Metadata Experiment in fresh and innovative ways.

Secondary DNS in Leopard

I covered secondary DNS configuration in Tiger (10.4) Server a while back. And while the buttons have moved around a bit, most of those instructions apply to Leopard as well. Leopard does have one fairly cool new addition worth mentioning, though: forwarders. Generally I'm setting up secondary DNS for internal networks, and generally those internal DNS servers  serve DNS only for the internal networks. Everything outside the internal network is handled by external DNS servers (or by DNS servers that sit on a network of which we are a subdomain), and our internal DNS servers need to know who those server are. These external servers are called forwarders, in DNS parlance. They are the first stop for all DNS outside your local network. And you can now set them on your secondary DNS server in the Leopard Server Admin application.

Leopard's Forwarders Pane

To get to the settings, navigate to the "Settings" tab under the DNS service. In the bottom-most pane of the window you will see a box labeled "Forwarder IP Addresses:" Click the plus sign to add a server to the list, then type in an IP address. Typically you will add two addresses, one for the primary external DNS server and one for the secondary. These will often be your ISP's DNS servers, though if you're on a subdomain of a larger network you'll use the DNS servers for that network's domain (i.e. the subdomain systemsboy.com.mail will use the DNS servers for the domain systemsboy.com). Once you've entered and saved the settings, restart your DNS service and you're off to the races.

Requests for internal network resources will still be handled by your internal DNS server, but now external requests for things like "google.com" will be passed to the appropriate external DNS server. Even if your secondary has to take over DNS duties for a long period of time, you'll still be able to properly reach the Big Bad Internet without having to use cached or stale settings.

This is a very handy addition to the DNS configuration GUI in Server Admin.