krypted August 20th, 2011
Posted In: iPhone
krypted August 13th, 2011
Posted In: Uncategorized
krypted August 11th, 2011
Posted In: Uncategorized
Enabling Time MachineThe first thing to know is that pretty much everything you do in Time Machine is going to require elevated privileges. So if you are writing a script, it should run as such, or if you’re running each command independently you will likely need to prefix them with sudo. Let’s start with a computer that doesn’t have Time Machine enabled. To enable it, use tmutil along with the enable verb:
tmutil enableTo disable Time Machine, use the disable verb:
tmutil disableThis is the equivalent of sliding the Time Machine slider between the ON and OFF positions.
tmutil enablelocalBut these don’t yet associate Time Machine with any disks or configure any of the settings. One of the first things people usually do when they enable Time Machine is to configure a destination volume for backups as you cannot backup if you don’t have a place to backup to. This is done using the setdestination verb. The destination can be a local file system or a network mounted share. To set a destination as a local volume, simply follow the setdestination verb with an argument that indicates the path to use. For example, if you are pointing backups to a volume called remade:
tmutil setdestination /Volumes/reamdeSetting a destination will either write data into a DestinationVolumeUUIDs key in /Library/Preferences/com.apple.TimeMachine.plist. The contents of the key match the Volume UUID output of diskutil info. For example:
diskutil info disk1s2 | grep Volume UUIDTherefore, it is possible to swap UUIDs using a script on a biweekly or weekly basis or using tmutil along with the volume name, to match an offsite rotation rather than changing the volume in the System Preference pane.
Dealing with Network MountsIn the case of a network mounted share, you would still use the setdestination verb, but define that the target location is a network mount by embedding a URL into the command rather than a file system path. The traditional URL will consist of protocol followed by :// followed by the hostname/sharename. We can go an extra step and also embed the username and password delimited by a colon and prefixing the hostname, using an @ to separate the credentials and the hostname. For example, if we wanted to define a hostname of tm.krypted.com with a share of snowcrash and a username of neal with a password of theU to access that share we would use the following:
tmutil setdestination afp://neal:theU@tm.krypted.com/snowcrashGiven that you might not want the password embedded into the command, you can use -p to enter a password manually (the password will not be displayed in the terminal screen). In this case, leave the username embedded into the path as follows:
tmutil setdestination -p afp://email@example.com/snowcrashWhile the inclusion of a computer name in the path of actual Time Machine backups seems to indicate that it is OK to allow multiple computers to use it, doing so seems discouraged in Apple’s Time Machine documentation. Therefore, sticking with one computer per share will likely be the most secure and least corruptible means of backup. While creating a bunch of shares for backups might seem daunting at first, it’s worth mention that you can script share creation, per client computer in OS X Server using the sharing command. For example, to create a share for a computer named neal in /Shared with AFP only and no guest access:
sharing -a /Shared/neal -s 100 -g 000To list computers in Open Directory:
dscl /LDAPv3/127.0.0.1 -list ComputersVariabalizing the dscl output into an array and creating machine-specific shares would then net a share per computer (assuming all computers have corresponding records in the directory service). Likewise, shares can be built using a DeployStudio, Absolute Manage or Casper machine export as well.
Configuring the Backup SourceIn Time Machine, all data is backed up by default. Therefore, rather than define what the source is, you define what the source is not. Once a target location has been defined, the next thing many Time Machine users do is define any data that is not to be kept in the Time Machine backups. This is done with the addexclusion verb. These exclusions are defined using the Options button of the Time Machine System Preference pane as well. To use the addexclusion verb, simply define a list of items that are not to be backed up as arguments separated by spaces. The tmutil command will then use those items as an array. If you have one item to exclude, simply list the path. For example, to exclude the OS X Developer Tools:
tmutil addexclusion /DeveloperOr to disable a number of items (below we are only backing up /Users):
tmutil addexclusion /System /Library /Applications /var /etc /Developer /Groups /Incompatible Software /Volumes /bin /cores /usr /tmp /temp /opt /net /home /Shared Items /Network /GroupsProvided no errors occur the command should have run properly. The isexcluded verb then allows you to see which source locations are being excluded. Use the verb similarly to addexclusion:
tmutil isexcluded /DeveloperA minus sign means it’s being excluded and a plus sign means it’s being backed up. You could also just grab the first position of the output:
tmutil isexcluded /Developer | cut -c 1You can also use this as a sanity check prior to performing restores at a lower depth. For example, there is no reason to try to recover a file called /Users/cedge/Desktop/systemoftheworld.pdf if it hasn’t been backed up:
tmutil isexcluded /Users/cedge/Desktop/systemoftheworld.pdf | cut -c 1The arguments for addexclusion are not all of the items being excluded. Instead, you are adding items, but others may already be present. Also, you can define the same exclusion multiple times without adding each item to the list of excluded items. To remove an item, use the removeexclusion verb (you can separate these with spaces as well):
tmutil removeexclusion /VolumesFinally, addexclusion and removeexclusion have a -p option. By default, if you move an item that has been defined as an exclusion, the exclusion will move with the item. You can specify a -p option to set the path for the exclusion as static:
tmutil addexclusion -p /etcThere are also a number of exclusions that are included by default. These are defined in the .exclusions.plist. The non-default exclusions are stored in the ExcludeByPath array in /Library/Preferences/com.apple.TimeMachine.plist. These are not shown to an end user in the Time Machine System Preference pane though. Those paths can be found in the SkipPaths array within the same file. By default, the backup source needs to be connected to power. This setting corresponds to the Back up while on battery power checkbox in the Time Machine System Preference pane’s Option overlay. That setting can be disabled using defaults to write a 1 into the RequiresACPower key: defaults write /Library/Preferences/com.apple.TimeMachine RequiresACPower 0
Manually Running BackupsOnce you have defined your source and target, it’s time to test a backup. The tmutil command allows you to kick off a backup immediately run tmutil with the startbackup verb.
tmutil startbackupEither the backup will work or the Finder will display an error that the backup could not complete. If the system performance is poor during backups or you need to stop one for another reason: use the stopbackup verb:
tmutil stopbackupIn Time Machine a snapshot is an incremental or a fill (aka initial) backup. These are stored on a target volume, or backup disk. For example, the previously used snowcrash volume will contain a snapshot:
Managing BackupsThe Time Machine System Preference pane doesn’t give you a lot of features for managing retention and recycling media. But with OS X Lion, you can now manage and delete given snapshots of data, thus allowing for manually cleaning out your backups (or doing so with a script that has a lot more logic than the default settings). To see a list of snapshots, use the listbackups verb:
tmutil listbackupsYou will see output of each snapshot on the computer:
/Volumes/EncryptedTMBackup/Backups.backupdb/stephenson.krypted.com/2011-08-09-181840 /Volumes/EncryptedTMBackup/Backups.backupdb/stephenson.krypted.com/2011-08-09-195105To just see that last snapshot:
tmutil latestbackupThe fitting delete verb is used for such a task and is able to take the argument of an old snapshot (or an array of such) to delete. For example, to delete snapshot 2011-08-09 -181840 for computer stephenson.krypted.com on /Volumes/EncryptedTMBackup
tmutil delete /Volumes/EncryptedTMBackup/Backups.backupdb/stephenson.krypted.com/2011-08-09-181840You can also calculate how much drift has occurred between snapshots:
tmutil calculatedrift /Volumes/EncryptedTMBackup/Backups.backupdb/stephenson.krypted.com/2011-08-09-195105The calculatedrift verb will show the amount of data added, removed and changed between each backup as well as output the averages of drift between backups (helpful in capacity planning and reporting). To compare a snapshot to a file system path (or paths), use the compare verb. This is handy for figuring out which snapshots you might be able to nuke if you’re scripting a delete process. The compare verb is one of the more complicated as there are a number of options for how to compare data.
tmutil compare /Volumes/EncryptedTMBackup/Backups.backupdb/stephenson.krypted.com/2011-08-09-195105The output can be a bit verbose as it looks at each directory. You can limit the depth using a -D option. You can also specify a number of different options to specify what differences to look for when performing lookups. The output of compare is helpful if you preflight your backups with a sanity check to verify there is enough room (otherwise the user might get a Time Machine error dialog).
Other OptionsThe tmutil command also has options for troubleshooting, moving disks and restores. The restore verb can be handy as you can send restore scripts to clients over ARD or even build a self-restore portal with more options than can be found in the TIme Machine restore screen (I’d recommend using the -v option with restores, btw). The inheritbackup verb can be used to take ownership of a machine directory, useful when moving disks or shares between clients. The associatedisk verb can be used to attach a disk to a backup, thus allowing you to skip beginning backups all over again if the UUID of a disk changes. Also, the options in 10.6 are still applicable. To suppress the dialog to make all new disks a TimeMachine volume:
defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YESBackups are also still kicked off by com.apple.backupd-auto.plist, stored in /System/Library/LaunchDaemons and the interval between backups can be changed using the StartInterval key here. For example, if you set it to 360 then backups will occur every 6 minutes instead of 60, or more likely, if you set the integer to 14400 then your backups will occur every 4 hours instead of every hour.
Puzzle PiecesTo take a few pieces from this article and combine them. Setting up a basic backup (provided that you have a known volume name per client) is as easy as the following basic, quick and dirty shell script:
/usr/bin/tmutil enable /usr/bin/tmutil enablelocal /usr/bin/tmutil setdestination /Volumes/BACKUP /usr/bin/tmutil addexclusion /System /Library /Applications /var /etc /Developer /Groups /Incompatible Software /Volumes /bin /cores /usr /tmp /temp /opt /net /home /Shared Items /Network /Groups /usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine RequiresACPower 0 defaults write com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool YES
krypted August 10th, 2011
Tags: addexclusion, change times for backups, com.apple.TimeMachine, defaults write com.apple.TimeMachine, enablelocal, Lion, Mass Deploy Time Machine, OS X 10.7, package, prompt for formatting, setdestination, startinterval, Time Machine, tmutil
krypted August 9th, 2011
Posted In: Mac OS X
krypted August 8th, 2011
TerminalType = "xterm-color";This small issue pales in comparison (especially because it is easily remedied) to how great the ability to take Terminal into full screen mode, have it state fully open and show the last run commands, assign background images and other little cool tricks are. There are also lots of new commands in Lion, such as tmutil that you’re sure to love if you haven’t made the upgrade yet!
krypted August 7th, 2011
Posted In: Mac OS X
/System/Library/PrivateFrameworks/LoginUIKit.framework/Versions/A/Frameworks/LoginUICore.framework/Versions/A/Resources/appleLinen.pngYou can also configure a message to be shown to users. This message, often referred to as an Acceptable Use Policy, can be used as a policy banner that users must accept in order to log into a computer. To set a policy banner, create a file called PolicyBanner.txt, PolicyBanner.rtf, or PolicyBanner.rtfd with the information you want displayed for end users. Save this file to /Library/Security. Then, the contents of the file will be used as a login banner users will be required to click on the Accept button in order to login.
/Library/Security/PolicyBanner.txtYou can also use Profile Manager and Managed Preferences to manage the items from the System Preferences pane and set a message at the LoginWindow as well. These are available under the Login Window section of Profile Manager. Update: Those crazy kids at AFP548 have posted a video on YouTube with additional info on Profile Manager. That video can be found here. Update2: For
krypted August 6th, 2011
krypted August 5th, 2011
dseditgroup -o create . com.apple.access_ftpBy default the group is empty and so once enabled, no one will have access to the FTP service. So let’s add everybody:
dseditgroup -o edit . -a everyone -t com.apple.access_ftpNow let’s fire up FTP using the ftp.plist Apple kindly left us in /System/Library/LaunchDaemons:
launchctl load -w /System/Library/LaunchDaemons/ftp.plistEnable FTP on Shares By default share points in Lion have AFP and SMB enabled. The sharing command can be used to list and augment shares. To list:
sharing -lMake note of the name for a share that you would like to enable FTP for, as well as whether AFP and SMB are enabled. Think of 3 boolean slots, with the first slot being AFP, the second FTP and the third SMB. Let’s use an example share of Seldon. Let’s also say AFP and SMB are enabled on Seldon by default. So sharing can be used to make a change (-e for edit) on the Seldon share, setting the services (-s) to 111:
sharing -e Seldon -s 111Or to enable just FTP (given that this example is a dedicated FTP server):
sharing -e Seldon -s 010And let’s say Seldon is a bit promiscuous and so we’re also going to enable guest for the FTP share:
sharing -e Seldon -g 010Finally, provide the permissions via chmod to grant or deny access at a file and folder level and you’re done. FTP on future shares can be enabled with two or three commands so FTP management really isn’t all that big a deal. Command line doesn’t always mean hard. In fact, some times it’s easier ’cause you’re not hunting around in nested screens for what to click on. Having said that, who knows if this is a temporary reprieve from Apple to finally get away from a protocol older than I am. We would all do well to switch to something more secure…
krypted August 2nd, 2011