Difference between revisions of "DeployStudio Runtime for End Users"
Rustymyers (talk | contribs) |
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | == Why? == | |
− | We use DeployStudio Server to deploy packages and system images in our environment. | + | We use DeployStudio Server to deploy packages and system images in our environment. The current method is to have staff, whom are standard accounts (non-admin), NetBoot to DeployStudio and log in using their AD credentials. Since they do not have admin rights, they are not able to install their own software or updates. I want to leverage the DeployStudio Runtime.app (Runtime) application on clients computers and allow staff to install a predefined set of software, without them having to NetBoot. They would also be able to request additional software to be served through the Runtime application. |
+ | The basic idea is giving power to the users to install their own software and patches. | ||
+ | |||
+ | |||
+ | === Make Me Sudo === | ||
In order to allow non-admin (standard) users to run Runtime, they have to have a way to launch it as root. Enter /etc/sudoers... | In order to allow non-admin (standard) users to run Runtime, they have to have a way to launch it as root. Enter /etc/sudoers... | ||
− | |||
The /etc/sudoers (sudoers) file allows us to give a specific user or group sudo rights to run single or multiple commands. In this instance, we want the users to run the Runtime app as sudo, but to make it easy it has to be started from a script. To make it really easy, we will wrap it into an app later. | The /etc/sudoers (sudoers) file allows us to give a specific user or group sudo rights to run single or multiple commands. In this instance, we want the users to run the Runtime app as sudo, but to make it easy it has to be started from a script. To make it really easy, we will wrap it into an app later. | ||
− | First, in /etc/sudoers file we give the group | + | First, in /etc/sudoers file we give the group “DOMAIN\domain users” a user alias: |
This line give the domain users group an alias of “STAFF”. | This line give the domain users group an alias of “STAFF”. | ||
− | + | User_Alias STAFF=%DOMAIN\\domain\ users | |
Line 25: | Line 28: | ||
Understand? NO PASSWORD REQUIRED! | Understand? NO PASSWORD REQUIRED! | ||
− | + | STAFF ALL = NOPASSWD: /usr/sbin/dsruntime.sh | |
Ok, thats cool, but whats that you ask? We don’t have a script to run at /usr/sbin/dsruntime.sh? | Ok, thats cool, but whats that you ask? We don’t have a script to run at /usr/sbin/dsruntime.sh? | ||
− | + | === Let Me Run === | |
We want to create a script that will open the Runtime application as root. Create the file at /usr/sbin/dsruntime.sh with these contents: | We want to create a script that will open the Runtime application as root. Create the file at /usr/sbin/dsruntime.sh with these contents: | ||
− | < | + | <syntaxhighlight lang="bash"> |
− | + | #!/bin/bash | |
− | + | #Open DeployStudio with Sudo | |
− | #!/bin/bash | + | cd /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/ |
− | #Open DeployStudio with Sudo | + | sudo ./Runtime |
− | cd /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/ | + | </syntaxhighlight> |
− | sudo ./Runtime | ||
− | </ | ||
− | |||
− | |||
Give it permissions to run: | Give it permissions to run: | ||
− | sudo chown root:wheel dsruntime.sh && sudo chmod 500 dsruntime.sh | + | sudo chown root:wheel dsruntime.sh && sudo chmod 500 dsruntime.sh |
− | This script changes into the Runtime.app directory and opens the binary as root using sudo. Since we have edited the sudoers file to run the script file as root, the commands inside of it run as root. Don’t believe me? Add | + | This script changes into the Runtime.app directory and opens the binary as root using sudo. Since we have edited the sudoers file to run the script file as root, the commands inside of it run as root. Don’t believe me? Add |
+ | say `whoami` | ||
+ | to the end of the script and run it from the terminal. Make sure your volume is up, what does it say? | ||
So now we can open the Runtime app from the terminal using the command: | So now we can open the Runtime app from the terminal using the command: | ||
− | + | <syntaxhighlight lang="bash"> | |
− | sudo bash /usr/sbin/dsruntime.sh | + | sudo bash /usr/sbin/dsruntime.sh |
− | + | </syntaxhighlight> | |
It’s a little too much to ask a user to do, although most could, so lets make it easier for them. | It’s a little too much to ask a user to do, although most could, so lets make it easier for them. | ||
+ | === Make Me Pretty === | ||
Create another script called platypus.sh on your desktop. Enter these as the contents: | Create another script called platypus.sh on your desktop. Enter these as the contents: | ||
− | #!/bin/bash | + | <syntaxhighlight lang="bash"> |
− | sudo /usr/sbin/dsruntime.sh & | + | #!/bin/bash |
+ | sudo /usr/sbin/dsruntime.sh & | ||
+ | </syntaxhighlight> | ||
Download and install Platypus: http://sveinbjorn.org/platypus | Download and install Platypus: http://sveinbjorn.org/platypus | ||
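Review bot: the terminal command `sudo bash /usr/sbin/dsruntime.sh` in this hunk does not match the sudoers rule shown above it, which grants NOPASSWD only for `/usr/sbin/dsruntime.sh`; with `bash` as the command, sudo evaluates /bin/bash and a standard user in STAFF is refused. Suggest `sudo /usr/sbin/dsruntime.sh`, as platypus.sh already does. Separately, the `cd` in dsruntime.sh is unchecked, so if the app bundle is missing, `./Runtime` is resolved in the caller's directory and run as root; add `|| exit 1` after the `cd` or call the binary by its absolute path.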
Line 65: | Line 69: | ||
Open Platypus and drag the script from your desktop to the “Script Path:” field. | Open Platypus and drag the script from your desktop to the “Script Path:” field. | ||
Change your identifier and author, and whatever other settings you’d like. This is what I’m using: | Change your identifier and author, and whatever other settings you’d like. This is what I’m using: | ||
− | + | ||
+ | http://dl.dropbox.com/u/5442688/Platypus.png | ||
Create your new app and double click it! You should see it for a second and then see DeployStudio Runtime.app open without needing a password! | Create your new app and double click it! You should see it for a second and then see DeployStudio Runtime.app open without needing a password! | ||
− | + | === Share The Fun === | |
− | + | Coming soon... Package and deploy! | |
− | + | UPDATE: The DeployStudio group has built in this function to the current release of DeployStudio! rc123 now adds a line to /etc/sudoers to allow runtime admin access. The line they use in /etc/sudoers is, no doubt, more secure than what I used: | |
− | + | <syntaxhighlight lang="bash"> | |
+ | %everyone ALL=NOPASSWD: /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/Runtime.bin | ||
+ | </syntaxhighlight> | ||
− | + | ||
+ | === Issues === | ||
− | + | ==== Packages Task Empty ==== | |
+ | I was trying to run a install of a package, so I opened the package task. It was empty for some reason. Other machines were fine, and it worked on the server with Runtime, NetBoot too. | ||
+ | After checking the logs, I noticed that the repository said it had mounted at /tmp/DSNetworkRepository/Packages/ | ||
+ | When I navigated to the folder, it was empty...no repository! No other folders were in there either. They were just empty folders left over from some error. I deleted the /tmp/DSNetworkRepository folder: | ||
+ | rm -R /tmp/DSNetworkRepository | ||
+ | Then I was able to mount the repository and install a package! | ||
− | + | [[Category:DeployStudio]] |
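Review bot: the `rm -R /tmp/DSNetworkRepository` step added under "Packages Task Empty" should tell the reader to confirm that nothing is mounted under that path first. The text says the repository mounts at /tmp/DSNetworkRepository/Packages/, so a recursive delete run while a mount is live would remove repository content rather than leftover empty folders. Suggest adding a check of the `mount` output for that path before the delete.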
Latest revision as of 12:49, 25 October 2010
== Why? ==
We use DeployStudio Server to deploy packages and system images in our environment. The current method is to have staff, who have standard (non-admin) accounts, NetBoot to DeployStudio and log in using their AD credentials. Since they do not have admin rights, they are not able to install their own software or updates. I want to leverage the DeployStudio Runtime.app (Runtime) application on client computers and allow staff to install a predefined set of software, without them having to NetBoot. They would also be able to request additional software to be served through the Runtime application.
The basic idea is giving power to the users to install their own software and patches.
=== Make Me Sudo ===
In order to allow non-admin (standard) users to run Runtime, they have to have a way to launch it as root. Enter /etc/sudoers...
The /etc/sudoers (sudoers) file allows us to give a specific user or group sudo rights to run single or multiple commands. In this instance, we want the users to run the Runtime app as sudo, but to make it easy it has to be started from a script. To make it really easy, we will wrap it into an app later.
First, in /etc/sudoers file we give the group “DOMAIN\domain users” a user alias:
This line gives the domain users group an alias of “STAFF”.
User_Alias STAFF=%DOMAIN\\domain\ users
Next, we need to tell the sudoers file what the STAFF group can run:
This line says the STAFF alias can run the script at /usr/sbin/dsruntime.sh using sudo, as root, WITHOUT prompting for a password.
Understand? NO PASSWORD REQUIRED!
STAFF ALL = NOPASSWD: /usr/sbin/dsruntime.sh
OK, that’s cool, but what’s that you ask? We don’t have a script to run at /usr/sbin/dsruntime.sh?
=== Let Me Run ===
We want to create a script that will open the Runtime application as root. Create the file at /usr/sbin/dsruntime.sh with these contents:
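<syntaxhighlight lang="bash">
#!/bin/bash
# Open DeployStudio Runtime as root
# Stop if the app bundle is missing, so ./Runtime is never resolved from another directory
cd /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/ || exit 1
sudo ./Runtime
</syntaxhighlight>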
Give it permissions to run:
sudo chown root:wheel dsruntime.sh && sudo chmod 500 dsruntime.sh
This script changes into the Runtime.app directory and opens the binary as root using sudo. Since we have edited the sudoers file to run the script file as root, the commands inside of it run as root. Don’t believe me? Add
say `whoami`
to the end of the script and run it from the terminal. Make sure your volume is up, what does it say?
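Because the NOPASSWD rule lets every STAFF member run /usr/sbin/dsruntime.sh as root, the ownership and mode of that script, of the Runtime binary it starts, and of every directory above them decide whether a standard user can swap in something else. The check below is an added example, not part of the original page or of DeployStudio; the function names audit_entry and audit_sudo_target are made up here, and root is assumed to be uid 0.

```bash
#!/bin/bash
# Added example: audit a command that sudoers grants with NOPASSWD.
# Usage: ./audit.sh /usr/sbin/dsruntime.sh \
#   "/Applications/Utilities/DeployStudio Runtime.app/Contents/MacOS/Runtime"
# Assumption: root is uid 0; the optional uid argument exists for testing.

# audit_entry PATH [UID]: succeed only if PATH is owned by UID, is not a
# symlink, and is not writable by group or other.
audit_entry() (
    set -f                                  # no globbing while splitting ls output
    path=$1 want_uid=${2:-0}
    set -- $(ls -ldn -- "$path" 2>/dev/null)
    perms=$1 uid=$3
    [ -n "$perms" ] || { echo "MISSING  $path"; exit 1; }
    case $perms in
        l*)                 echo "SYMLINK  $path"; exit 1 ;;
        ?????w*|????????w*) echo "WRITABLE $path ($perms)"; exit 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "OWNER    $path (uid $uid)"; exit 1; }
)

# audit_sudo_target PATH [UID]: apply audit_entry to PATH and to every
# directory above it, because write access to any parent allows replacement.
audit_sudo_target() (
    target=$1 want_uid=${2:-0} rc=0
    dir=$(cd -P -- "$(dirname -- "$target")" 2>/dev/null && pwd -P) ||
        { echo "MISSING  $target"; exit 1; }
    [ "$dir" = / ] && dir=
    path=$dir/$(basename -- "$target")
    while [ -n "$path" ]; do
        audit_entry "$path" "$want_uid" || rc=1
        [ "$path" = / ] && break
        path=$(dirname -- "$path")
    done
    exit "$rc"
)

# Audit each path given on the command line; no output means no findings.
if [ "$#" -gt 0 ]; then
    for p in "$@"; do audit_sudo_target "$p"; done
fi
```

Run it as an admin after installing the script; any line it prints names a path that someone other than root could modify or that is not what it appears to be.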
So now we can open the Runtime app from the terminal using the command:
<syntaxhighlight lang="bash">
sudo /usr/sbin/dsruntime.sh
</syntaxhighlight>
It’s a little too much to ask a user to do, although most could, so let’s make it easier for them.
=== Make Me Pretty ===
Create another script called platypus.sh on your desktop. Enter these as the contents:
<syntaxhighlight lang="bash">
#!/bin/bash
sudo /usr/sbin/dsruntime.sh &
</syntaxhighlight>
Download and install Platypus: http://sveinbjorn.org/platypus
Open Platypus and drag the script from your desktop to the “Script Path:” field. Change your identifier and author, and whatever other settings you’d like. This is what I’m using:
http://dl.dropbox.com/u/5442688/Platypus.png
Create your new app and double-click it! You should see it for a second and then see DeployStudio Runtime.app open without needing a password!
=== Share The Fun ===
Coming soon... Package and deploy!
UPDATE: The DeployStudio group has built this function into the current release of DeployStudio! rc123 now adds a line to /etc/sudoers to allow runtime admin access. The line they use in /etc/sudoers is, no doubt, more secure than what I used:
<syntaxhighlight lang="bash">
%everyone ALL=NOPASSWD: /Applications/Utilities/DeployStudio\ Runtime.app/Contents/MacOS/Runtime.bin
</syntaxhighlight>
=== Issues ===
==== Packages Task Empty ====
I was trying to run an install of a package, so I opened the package task. It was empty for some reason. Other machines were fine, and it worked on the server with Runtime, NetBoot too.
After checking the logs, I noticed that the repository said it had mounted at /tmp/DSNetworkRepository/Packages/.
When I navigated to the folder, it was empty...no repository! No other folders were in there either. They were just empty folders left over from some error. I deleted the /tmp/DSNetworkRepository folder:
rm -R /tmp/DSNetworkRepository
Then I was able to mount the repository and install a package!