BuySellAds.com

Our DNA is written in Objective-C
Jump

Software Update Server Guide

Once you get to a level of having more than a single Mac you might find it a bit of a hassle having to download and install all updates for all your Macs from Apple over the Internet. When you check for updates then every Mac will by default connect to Apple’s catalog of updates and download the updates from there.

This is where a Software Update Server (SUS) starts making sense. Let me share some things that I learned over the past 2 days investigating how to best set this up for our work group in the office as well as for all the Macs I have at home.

In stark contrast to Windows there is no special server operating system in the Mac world. The OS is the same between OS X and OS X Server. Since Lion the Server part is just a thing you can buy on the Mac App Store. And it’s also gotten cheaper than ever before. At 16 Euros it is a total no-brainer if you can benefit from it. And benefit you do if you have one permanently running Mac that does Server-y things.

So the equation is simple: an Mac + OS X + Server App = Mac OS X Server.

What is a bit more complicated is the possible combinations of servers and clients, because for some weird reason Apple puts an artificial limit on which can serve which.

  • OS X Server on Mountain Lion can provide Apple Software Updates to OS X Mountain Lion, OS X Lion, and Mac OS X v10.6 clients.
  • Lion Server Software Update Service can provide Apple Software Updates to OS X Lion, Mac OS X v10.6, and Mac OS X v10.5 clients.
  • Mac OS X Server v10.6 Software Update Service can provide Apple Software Updates to OS X Lion, Mac OS X v10.6, Mac OS X v10.5, and Mac OS X v10.4 clients.
  • Mac OS X Server v10.5 Software Update Service can provide Apple Software Updates to Mac OS X v10.5 and Mac OS X v10.4 clients.
  • Mac OS X Server v10.4 Software Update Service can provide Apple Software Updates to Mac OS X v10.4 clients only.

This means any OS X Server can only serve updates up to its own level. Lion cannot serve updates from Mountain Lion.

Mountain Lion Server

If you are able to dedicate a modern MacMini to take on the task of a MoLo Server then this is the easiest approach. The latest generation MacMinis have an incredibly low power consumption. 10.8 runs on all MacMinis from early 2009 or newer, so you can possibly get a used one for quite a bargain if you don’t yet have one.

On 10.8 all you need to do is to start the Server app, after having purchased it. Then you see the “Software Update” service under Services.

All you have to do is to flip the switch to turn it on. You have two options: Automatic will take care of everything, Manual allows you to manually download and enable specific updates. I recommend leaving this on Automatic unless you want to specifically prevent a certain update from being presented to your clients.

On Server you can individually enable just the services that you actually are using. But even if SUS is the only service you will ever want, the convenience and speed for updating all your Macs easily is worth the expense.

Once you have set up the service you have to be patient until SUS has copied all the available update packages from Apple’s server over the Internet to your server’s hard disk. Depending on your connection that can take upwards of 10 hours.

Client Setup

The clients for your SUS are the individual Macs. Apple knows two kinds of Macs: managed or unmanaged. Managed Macs get administrated via the Apple Remote Desktop app. Unmanaged Macs are all others. Remote Desktop carries a higher price tag than Server, 70 Euros are something to not spend so easily. I guess you’ll want that if you actually have 5 or more workstations and a couple of servers when the benefit of a central app for managing these starts making sense.

The configuration of the individual Macs boils down to setting a singto setting a defaults setting. Since all my Macs are unmanaged, that means opening a terminal window and issuing a command like:

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://su.example.com:8088/index.sucatalog

To query the current setting you can output the value with defaults read.

defaults read /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

And to revert to the default setting i.e. having updates come from Apple you remove the CatalogURL setting.

sudo defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL

Andrew Wellington has created a Mac app Software Update Enabler that is able to do these settings without having to use terminal.

Lion Server, NOT

The MacMini server I have running to serve my home network is just a teensy bit too old to make the cut off for Mountain Lion. This means I am stuck with Lion on it until I can find a replacement. Lion was the first OS that also had the separate Server App for download via the Mac App Store. At the time of this writing it is not available so I suspect that Apple might have discontinued it.

I had gotten the Server App for Lion unlocked in my purchases when I purchased the MacMini server for my office a few days before the MoLo release. Through the Apple’s UpToDate program I had then also gotten codes to unlock Server for Mountain Lion as well MoLo itself. After having seen how easy the server setup was on 10.8 I tried the same at home but to my astonishment I couldn’t find the SUS setup.

Turns out it was only with 10.8 that Apple had consolidated (and simplified) all server things in a single app. Under Lion you need an additional free app called Server Admin Tools. There the setup of SUS is almost identical, albeit with a few settings that Apple has simplified away.

Unfortunately – as mentioned above – you cannot serve updates for anything after Lion from Lion server. So I’m only mentioning this for completing the picture. If all we had available where Apple’s solutions then I would be out of luck for my home network. Also another severe drawback is that you cannot use mapped network shares for the place to save the downloads on, only plugged in or internal hard disks.

Fortunately there is an Open Source solution that does not have these drawbacks.

Reposado – The Open Source SUS

Walt Disney Animation Studios (WDAS) anticipated the need for a FOSS solution to this problem. And so they created Reposado which is available on GitHub. They describe it such:

Reposado is a set of tools written in Python that replicate the key functionality of Mac OS X Server’s Software Update Service. Reposado, together with the “curl” binary tool and a web server such as Apache 2, enables you to host a local Apple Software Update Server on any hardware and OS of your choice. Reposado is licensed under the new BSD license.

Lion has Apache 2 and Python built-in. So the general setup is achievable even if you are no Linux-guru.

First I connected an external hard disk for storing the downloads because the internal hard disk would be too limited. I named it ExtraHDD.

The I cloned out the sources for Reposado from github right onto ExtraHDD. You only need the source for building as far as I understood.

sudo -i
cd /Volumes/ExtraHDD
git clone https://github.com/wdas/reposado.git
cd reposado
python setup.py build
python setup.py install

This builds and installs Reposado into /usr/local/bin.

Next we need folders on ExtraHDD to keep the html and the meta information.

cd /Volumes/ExtraHDD
mkdir meta
chmod 777 meta
mkdir html
chomod 777 html

I didn’t know (or care to know) the user that is is used by Apache for accessing these so I just made them writeable and searchable for everybody.

The final step in configuring is to call the configurator and specify the above created paths as well as the server name and port. Still as root we configure Reposado.

repoutil --configure
Path to store replicated catalogs and updates []: /Volumes/ExtraHDD/html
Path to store Reposado metadata []: /Volumes/ExtraHDD/meta
Base URL for your local Software Update Service
(Example: http://su.your.org -- leave empty if you are not replicating updates) []: http://miniserver.lan:8088

Reposado does not have a daemon or constantly running process. Rather every time repo_sync is run the repository is synched with Apple and this builds a set of static files that need to be served by a web server.

Because I had Lion server already set up I used the Web service configuration there to set up the update site to run on port 8088.

A true geek would probably do the Apache configuration on the shell but I preferred the ease of the Server tool. The new site was set to listen on port 8088 and serve the contents of our html folder. To test that you can put an index.htm page containing some text in the html folder and see if this appears if you open the URL in Safari.

The final step for setting up Reposado is to do the initial sync, again as root, calling repo_sync. This is the command that you will want to execute regularly, possibly on a chron job.

Again you have to be patient for the initial sync to finish because several Gigabytes of packages are being downloaded here.

I’ve seen some Unix cracks configure Rewrite rules for Apache so that the correct index file is automatically served depending on the client. Though that reeks too much of black magic to me, so I prefer to set the clients up as mentioned in the client_configuration.txt file.

For 10.8 the update URL is: http://miniserver.local:8088/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

For 10.7 the update URL is: http://miniserver.local:8088/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog

Test the URLs in Safari, they should return a large XML plist.

OS X Server 10.6+10.7, YES

Apparently the above mentioned support document claiming that you could only serve 10.8 clients from a 10.8 server is not entirely accurate. It is true that Mountain Lion Server keeps the software updates in a different location than before. Both configuration files and cached downloads are now located in /Library/Server/Software Update.

But the mechanism for serving catalogs and downloads has not change. Alexandre Torres documented (in Portuguese) the necessary changes to the configuration to enable support for higher OS versions than you’re running the server on.

swupd.plist in /etc/swupd requires addition of the new catalogs:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PurgeUnused</key>
<true/>
<key>autoEnable</key>
<true/>
<key>autoMirror</key>
<true/>
<key>autoMirrorOnlyNew</key>
<false/>
<key>limitBandwidth</key>
<false/>
<key>maxDownloadSpeed</key>
<integer>0</integer>
<key>metaIndexURL</key>
<string>http://swscan.apple.com/content/meta/mirror-config-1.plist</string>
<key>otherCatalogs</key>
<array>
<string>index-leopard.merged-1.sucatalog</string>
<string>index-leopard-snowleopard.merged-1.sucatalog</string>
<string>index-lion-snowleopard-leopard.merged-1.sucatalog</string>
<string>index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
</array>
<key>portToUse</key>
<integer>8088</integer>
<key>updatesDocRoot</key>
<string>/var/db/swupd/</string>
<key>valueBandwidth</key>
<integer>0</integer>
</dict>
</plist>

swupd.conf is the configuration for the built-in Apache server with which SUS serves the clients. It needs to have these rewrite rules, they are toward the end of the file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Darwin/9
RewriteRule ^/index\.sucatalog$ /index-leopard.merged-1.sucatalog
RewriteCond %{HTTP_USER_AGENT} Darwin/10
RewriteRule ^/index\.sucatalog$ /index-leopard-snowleopard.merged-1.sucatalog
RewriteCond %{HTTP_USER_AGENT} Darwin/11
RewriteRule ^/index\.sucatalog$ /index-lion-snowleopard-leopard.merged-1.sucatalog
RewriteCond %{HTTP_USER_AGENT} Darwin/12
RewriteRule ^/index\.sucatalog$ /index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog
</IfModule>

These rules make it possible for any app that reports the OS X version as Darwin/## to be served the appropriate merged catalog file. Those catalogs are symbolic links to these file’s real location html/content/catalogs/others below the swup data root. If your SUS does not create the files for added catalogs then you can simply remove the others folder and SUS will recreate it with the appropriate contents.

You might be getting an error 403 if you try to open the index.sucatalog. Don’t worry about that, it takes a while but will eventually resolve itself. It looks like this happens while SUS is busy doing something during starting up. Just keep an eye on the log.

This is what my log looks like typically after starting the SUS. Checking for Updates only starts to work after you see the “Sync Complete”.

Sep 22 11:10:29 miniserver.lan swupd_syncd[543] : swupd_syncd 10.7 (107.2) for Mac OS X Server 10.7 (Darwin/x86_64) 
Sep 22 11:10:29 miniserver.lan swupd_syncd[543] : ========== Sync Started ==========
Sep 22 11:10:30 miniserver.lan swupd_syncd[543] : Support for 10.4 updates is no longer available in this version of swupd_syncd.
Sep 22 11:14:24 miniserver.lan swupd_syncd[543] : Auto-copy (ONLY NEW) option selected. Applying setting to products.
Sep 22 11:14:24 miniserver.lan swupd_syncd[543] : Auto-enable option selected. Applying setting to all products.
Sep 22 11:17:15 miniserver.lan swupd_syncd[543] : Auto-copy (ONLY NEW) option selected. Applying setting to products.
Sep 22 11:17:15 miniserver.lan swupd_syncd[543] : Auto-enable option selected. Applying setting to all products.
Sep 22 11:19:44 miniserver.lan swupd_syncd[543] : Auto-copy (ONLY NEW) option selected. Applying setting to products.
Sep 22 11:19:44 miniserver.lan swupd_syncd[543] : Auto-enable option selected. Applying setting to all products.
Sep 22 11:21:11 miniserver.lan swupd_syncd[543] : Auto-copy (ONLY NEW) option selected. Applying setting to products.
Sep 22 11:21:11 miniserver.lan swupd_syncd[543] : Auto-enable option selected. Applying setting to all products.
Sep 22 11:21:23 miniserver.lan swupd_syncd[543] : Sync Complete

Alexandre Torres recommends this script to reset swupd should the need arise. For example if you start seeing a _productIdUpdate update. This means that the catalog needs to be rebuilt. Note that you need to update the path if you don’t store the updates in /var/db/swupd as is the default setting.

sudo serveradmin stop swupdate; sudo rm -rf /etc/swupd/.last_run /etc/swupd/.pending /etc/swupd/.start_time /etc/swupd/.sync_done /etc/swupd/com.apple.server.swupdate.plist /etc/swupd/com.apple.server.swupdate.plist.previous /var/db/swupd/html/catalogs.sucatalog* /var/db/swupd/html/index* /var/db/swupd/html/content/catalogs/*; sudo rm -rf /var/log/swupd/swupd*; sudo serveradmin start swupdate

Conclusion

As soon as you have more than one Mac it is increasing your update comfort and decreasing your bandwidth usage to have a Software Update Server running. If you can then use the cheap 10.8 Server for this purpose. If you cannot, then Reposado is a viable alternative which can be setup on any old MacMini or even Linux box. Or if you already have an established 10.7 server you can modify it to serve your MoLo machines as well.


Categories: Recipes

%d bloggers like this: