Thin Imaging with DeployStudio, MCX and Munki

From AFP548 Wiki
Revision as of 12:49, 1 April 2012 by Natewalck (talk | contribs) (→‎Example New Machine Workflow)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Overview[edit]

Thin Imaging is a great way to deploy light weight, standard desktop configurations. It is generally not the best for bulky lab images (50gb+), but it is perfect for images that are used as a standard base for your Institution. Typically, you will have an image that is close to a standard OS X install, but with specific software and settings added to it. Why worry about putting these settings into the image itself when you can add them after the fact using DeployStudio, Munki and MCX. Doing your images this way offers several advantages even over Modular Images (Pre-built).

The method discussed here is applied in two ways. Firstly, it is applied to machines as they come from Apple, without applying an image to them. The second method applies a fully updated base images ("vanilla") as well as everything that the "New" computer workflow does.

  • Pros:
    • Agile - No need to rebuild images for a setting change or due to frequent updates. Less time waiting for images to build.
    • Universal- When you add a software update into Munki, not only do existing machines get the update, but all fresh images have the latest version as well. No need to update software in two or three different places.
    • Versatile - When you get new machines from Apple, you don't need to reimage them. You use DeployStudio to add settings/bindings and let MCX/Munki handle software and settings. You no longer *need* special images for those machines released after one point release but before another (Tbolt machines being a perfect example).
  • Cons:
    • Slightly longer process from start to finish
    • More moving parts

The main pieces for this Thin-Imaging example are listed below and will be covered in more detail later in this article.

  • DeployStudio
    • Imaging, Bindings and some non-MCX settings if necessary
  • MCX
    • Applies Settings
  • Munki
    • Software Installs and updates

DeployStudio Workflow[edit]

The DeployStudio workflow is responsible for getting your machine ready for first boot.

With this method of prepping your machines, you will have a "New" machine workflow and a "Refresh" workflow. The only different between the two workflows is that "Refresh" applies a fully updates 10.6.x Image before adding AD/OD binding and Munki.

Example New Machine Workflow[edit]

Important: With machines from Apple, the Hard Drive is ALWAYS "Macintosh HD". Since we are not restoring an image, all these tasks must have Target Volume: set to "Macintosh HD" If you do not do this, it won't know where to apply the tasks. This workflow assumes that you are managing munki's ManagedInstalls.plist using MCX.

  • Hostname Form
  • Time task
  • AD Binding Task
  • OD Binding Task - Make sure you are entering a "Computer Group" in the Hostname form. When you do this and bind to OD, this machine gets placed into the group specified and it will pull down the MCX settings upon firstboot. This is part of the magic that makes it work.
  • Configure Task
  • Install Task - munkitools (latest version)
  • Meta Workflow - Image Settings
    • createUser.pkg - Creates admin user
    • Login Wallpaper
  • Generic Task - firstboot.sh - Postponed
    • Add whatever you normally would to firstboot (see Firstboot Script Commands for settings that you might want to use). Make sure the following is added at the end of your firstboot script:
echo "Setting munki to bootstrap mode..."
touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup

echo "Forcing MCX Settings Refresh..."
killall DirectoryService

echo "Finished applying firstboot settings."

echo "Sleeping for 60 seconds..."
sleep 60

By adding this snippet, you will set munki to run upon first boot, make MCX refresh it settings so it pulls down the ManagedInstalls.plist that munki needs to run and then wait 60 seconds for good measure. If you are not using MCX for munk's settings, you can remove the "killall DirectoryService" lines as well as the "sleep 60" lines. You can use defaults write to pre-stage the settings or you can deliver ManagedInstalls.plist using a .pkg file on the DeployStudio workflow. All are viable options, but I prefer to manage it using MCX.

Example Refresh Machine Workflow[edit]

Note: Since this is applying a base image and wiping out whatever is on the machine, you will want to use the "Install on the last restored volume" checkbox for all of these workflow tasks. This workflow assumes that you are managing munki's ManagedInstalls.plist using MCX.

  • Hostname Form
  • Restore Task - 10.6 Vanilla Install (This can be done as a meta workflow so that when you update your 10.6 Vanilla Install workflow, all your other workflows are updated as well).
  • Time task
  • AD Binding Task
  • OD Binding Task - Make sure you are entering a "Computer Group" in the Hostname form. When you do this and bind to OD, this machine gets placed into the group specified and it will pull down the MCX settings upon firstboot. This is part of the magic that makes it work.
  • Configure Task
  • Install Task - munkitools (latest version)
  • Meta Workflow - Image Settings
    • createUser.pkg - Creates admin user
    • Login Wallpaper
  • Generic Task - firstboot.sh - Postponed
    • Add whatever you normally would to firstboot (see Firstboot Script Commands for common settings). Make sure the following is added just before the end of your firstboot script.
echo "Setting munki to bootstrap mode..."
touch /Users/Shared/.com.googlecode.munki.checkandinstallatstartup

echo "Forcing MCX Settings Refresh..."
killall DirectoryService

echo "Finished applying firstboot settings."

echo "Sleeping for 60 seconds..."
sleep 60

Once again, by adding this snippet, you will set munki to run upon first boot, make MCX refresh it settings so it pulls down the ManagedInstalls.plist that munki needs to run and then wait 60 seconds for good measure. If you are not using MCX for munk's settings, you can remove the "killall DirectoryService" lines as well as the "sleep 60" lines. You can use defaults write to pre-stage the settings or you can deliver ManagedInstalls.plist using a .pkg file on the DeployStudio workflow. All are viable options, but I prefer to manage it using MCX.

MCX Settings[edit]

I am not going to go into details on managing settings with MCX as there are TONS of resources on this topic already. The only thing that I will mention is that I *highly* suggest manging Munki's ManagedInstalls.plist settings file. You can just drag this into Workgroup Manager and set your ClientIdentifier, SoftwareRepoURL, etc. Make sure you manage them as always and never manage "LastCheckDate", "LastCheckResult", etc.

Munki[edit]

The goal with munki is to have a manifest, or a group of manifests (using included_manifests key) that contains all the software that you would like to have installed upon first boot. Here is an example of what you might want to install on a standard Faculty/Staff/Employee type image. This is a Manifest for a FacultyStaff image.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>catalogs</key>
        <array>
                <string>production</string>
        </array>
        
        <key>included_manifests</key>
        <array>
                <string>common</string>
        </array>        
                
        <key>managed_installs</key>
        <array>
			<string>CiscoAnyConnect</string>
			<string>Fetch</string>		
			<string>KeyAccess</string>		
		 	<string>Office2011</string>
			<string>AdobePhotoshopCS5</string>		
        </array>
        <key>managed_updates</key>
        <array>
     		<string>CommunicatorUpdate</string>       			
        </array>
        <key>managed_uninstalls</key>
        <array>
        </array>        
        <key>optional_installs</key>
		<array>
			<string>AcrobatXPro</string>
			<string>AdobeDreamweaverCS5</string>
			<string>AdobeFlashProCS5</string>		
			<string>AdobeIllustratorCS5</string>	
			<string>AdobeInDesignCS5</string>
			<string>GoogleChrome</string>
			<string>GoogleEarth</string>
			<string>GoogleSketchUp</string>
			<string>TextWrangler</string>
			<string>SMARTNotebook</string>			
		</array>
</dict>
</plist>

This would install everything listed under Managed_Installs and everything under optional_installs would be available for the end-user to install via Managed Software Updates.app. This is a very basic view of what you can do with munki. If you wanted to add printers, you could have them in your Manifest as well.