MunkiWebAdmin on OS X 10.8 Server

Updated 2013, Aug 14: I have updated our server to the most current version of MunkiWebAdmin. I did a clean install connecting to a current database. 10.8.4 with mod_wsgi is serving pages with no trouble. I just have a few other issues to work out. For example, only one catalog is showing. I think I have some permissions issues. I will write a new article and link to it from here.

If you are a Macintosh administrator handling more than five to ten macs and aren’t familiar with Munki, shame on you. This open source project has already saved my team hours of manual work during our newest deployment. Plus, we’ve only scratched the surface of what Munki can do.

What is Munki? MunkiWebAdmin?

Munki is an free and open source toolset to manage and serve (with a web based repository) and set of packages for an organization’s deployment of Macs. MunkiWebAdmin (MWA) is a web-based system that reports on your Munki deployed machines.

I’ll write more about our implementation and our environment sometime in the future. Right now, I want to focus on getting MWA running on OS X Server.

MunkiWebAdmin, meet Mountain Lion.

I have installed Munki and MWA on a Mac running OS X 10.8.2, Server 2.2. This one central Mac server is hosting Munki catalogs and manifests for over 20 school buildings. For now, it just made sense to put MWA on the same server. Time will tell if that works out for us in the long run. I’m not betting on it either way.

The directions given in the MunkiWebAdmin docs are great for initially installing MWA as a test platform. Read these. Learn them. Love them. One caveat here, I installed MWA in /usr/local/ as opposed to the /Users/Shared/ directory. It’s an institutional preference.

As I continued on with MWA, I realized that our fleet of thousands of Macs had a tendency to tax the dev environment on our server. A quick Twitter conversation with Greg, the owner of the Munki project, helped me realize the error of my ways. Namely, don’t use a dev server for production. Always the little things. So, I decided the MWA would live on with this server using Apache and mod_wsgi.

It just so happens that OS X 10.8.2 and Server 2.2 have mod_wsgi installed by default. Time to crack open Apple’s stellar documentation, and get this up and running!

What? Oh, wait…

Apple doesn’t have stellar documentation, you say?

Mediocre? No?

How about sparse? Can I get some sparse documentation?

Hmmm… Okay. None is it?! Fan-TAS-tic.

Off we go.

Let’s make it work.

Here are the assumptions.

  • OS X 10.8.2
  • Server 2.2
  • Web service configured and running
  • Munki is setup
  • MunkiWebAdmin is setup and running in a virtual environment per documentation

One more thing…

Instead of using SQLite as referenced in the documentation, I connected MWA to a MySQL database. As far as I could tell, this was facilitated by simply installing the MySQL-Python package. sudo easy_install mysql-python Once that was done, I believe it all worked.

Using your text editor of choice, create the following file: /usr/local/munkiwebadmin_env/munkiwebadmin/munkiwebadmin.wsgi (via MWA docs)

Add the following text :

import os, sys
import site

MUNKIWEBADMIN_ENV_DIR = '/usr/local/munkiwebadmin_env'
os.environ['PYTHON_EGG_CACHE'] = '/usr/local/munkiwebadmin_env/munkiwebadmin/python-eggs'

# Use site to load the site-packages directory of our virtualenv
site.addsitedir(os.path.join(MUNKIWEBADMIN_ENV_DIR, 'lib/python2.7/site-packages'))

# Make sure we have the virtualenv and the Django app itself added to our path
sys.path.append(MUNKIWEBADMIN_ENV_DIR)
sys.path.append(os.path.join(MUNKIWEBADMIN_ENV_DIR, 'munkiwebadmin'))

os.environ['DJANGO_SETTINGS_MODULE'] = 'settings'

import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()

I had to make a couple changes to fit my environment. site.addsitedir(...) was changed to reflect the correct path to the Python library. The docs said 2.6, but MWA is shipping with 2.7 now. I also needed to set os.environ['PYTHON_EGG_CACHE']. I believe this was a result of using MySQL. I could be wrong.

Next, create the the file /Library/Server/Web/Config/apache2/httpd_munkiwebadmin.conf :

WSGIScriptAlias / /usr/local/munkiwebadmin_env/munkiwebadmin/munkiwebadmin.wsgi
WSGIDaemonProcess munkiwebadmin user=munkiwebadmin group=munki
Alias /static/ /usr/local/munkiwebadmin_env/munkiwebadmin/site_static/
<Directory /usr/local/munkiwebadmin_env/munkiwebadmin>
    WSGIProcessGroup munkiwebadmin
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
</Directory>

This was also adapted from the MWA docs on Linux setup. According to a discussion in Apple’s support forums and a post on StackOverflow, we only need the first line. However, I’m assuming that since the munkimwebadmin_env ended up running under the munki:munkiweb user:group, I should probably keep the relevant lines from the original Linux setup docs. It works fine for me. I have not tried removing the lines.

Finally, we create the WebApp .plist file at /Library/Server/Web/Config/apache2/webapps/com.example.munkiwebadmin.plist :

<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>name</key>
    <string>com.example.munkiwebadmin.wsgi</string>
    <key>displayName</key>
    <string>MunkiWebAdmin</string>
    <key>launchKeys</key>
    <array/>
    <key>proxies</key>
    <dict/>
    <key>installationIndicatorFilePath</key>
    <string>/usr/local/munkiwebadmin_env/munkiwebadmin/munkiwebadmin.wsgi</string>
    <key>includeFiles</key>
    <array>
        <string>/Library/Server/Web/Config/apache2/httpd_munkiwebadmin.conf</string>
    </array>
    <key>requiredModuleNames</key>
    <array>
        <string>wsgi_module</string>
    </array>
</dict>
</plist>

As near as I can tell, this is the magic file for the Web pane in Server.app. Once in the Web service pane, create a new site on port 8000, enable python webapps and click the button for Advanced options. In the very bottom of the settings window, you should see your new WebApp available. Enable it. If it isn’t there, restart the Web service and repeat.

Updated 2013, Mar 13: I had an incorrect file in the installationIndicatorFilePath above. Pointed out by Azadi in the comments. Thanks Azadi, hopefully this solves your problem. Also, I hadn’t planned on allowing comments on this site, but I’m glad I did for just this reason. I really need to address the comments stylesheet, though.

Updated 2013, Jul 31: Thanks go out to Bruce for the correction in the comments. A caveat however, we have not updated to the latest release of MWA, so I haven’t tested this myself. It’s all on you Bruce!

So I now have MWA running through the built in mod_wsgi on the built in Apache server in OS X. Frankly, I still can’t believe I got it to work since I am no real Apache admin. If I feel up to it, I might do some benchmarking. However, we are mid-deployment on seven new labs and repurposing the old machines to eight others. I may not have the time.

Tagged , , , , , , ,

11 thoughts on “MunkiWebAdmin on OS X 10.8 Server

  1. Azadi Saryev says:

    No matter what I try, I just can’t make it work with Apache – the MunkiWebAdmin webapp never shows up in the list of available webapps.

    Why is installationIndicatorFilePath in your plist file set to /Library/Server/Web/Data/WebApps/munkiwebadmin/wsgi.py ? There is no such dir/file – should it be manually created at some point? I tried changing that value to /usr/local/munkiwebadmin_env/munkiwebadmin/munkiwebadmin.wsgi – than the webapp showed up in the list, but it also brought down Apache 🙁

    Any suggestions? Thanks!

  2. Joe says:

    I must be doing something wrong, or misunderstanding something. I created a new site for port 8000, and assigned the SSL cert that I use for https, but when I try to access the port 8000 site with https I get an error saying that Safari can’t establish a secure connection.

    • Brian Mickelson says:

      If you remove the SSL cert, does it connect okay?

    • Brian Mickelson says:

      I just checked on my production and development servers. With my posted configuration, I can toggle SSL on and off without any connection trouble from clients.

      While we use a certificate signed by our own internal CA (root cert is obviously installed on all clients used for testing), I don’t think that is the problem.

      Please send me some more info to try and help you out.

      • Joe says:

        I don’t know what information to provide, but here’s the conf file for the “site” I created. I’m not even sure why we make sites since MWA was already running on port 8000 before doing the steps you’ve added. The “why” we have to do these things to get MWA running over SSL is not obvious to me.

        more /Library/Server/Web/Config/apache2/sites/0000_any_8000_cpstaffx1.msb.priv.conf ServerName cpstaffx1.msb.priv ServerAdmin admin@example.com DocumentRoot “/Library/Server/Web/Data/Sites/any_8000_” DirectoryIndex index.html index.php /wiki/ default.html CustomLog /var/log/apache2/access_log combinedvhost ErrorLog /var/log/apache2/error_log

            <IfModule mod_ssl.c>
                    SSLEngine On
                    SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
                    SSLProtocol -ALL +SSLv3 +TLSv1
                    SSLProxyEngine On
                    SSLCertificateFile "/etc/certificates/cpstaffx1.msb.priv.28686C70BA7445E79895E7320C9FD414DB4BBE42.cert.pem"
                    SSLCertificateKeyFile "/etc/certificates/cpstaffx1.msb.priv.28686C70BA7445E79895E7320C9FD414DB4BBE42.key.pem"
                    SSLCertificateChainFile "/etc/certificates/cpstaffx1.msb.priv.28686C70BA7445E79895E7320C9FD414DB4BBE42.chain.pem"
                    SSLProxyProtocol -ALL +SSLv3 +TLSv1
            </IfModule>
        
  3. Joe says:

    Got it. The problem was I had MWA running already from the launchdaemon. Once I stopped the launched job (and moved the plist to a safe spot) all works well now

  4. […] Klingt einfacher als es dann war. Die Anleitung ist nicht mal schlecht, zumal eine zusätzliche Anleitung für die Installation im Zusammenspiel mit dem mod_wsgi […]

  5. Bruce Gardner says:

    With the latest version of munkiwebadmin, I had to change line 3 in httpd_munkiwebadmin.conf from:

    Alias /static/ /usr/local/munkiwebadmin_env/munkiwebadmin/static/

    to:

    Alias /static/ /usr/local/munkiwebadmin_env/munkiwebadmin/site_static/

Leave a Reply