Tiny Deathstars of Foulness

Let’s start out with what’s actually available in the Server Admin CLI: serveradmin. The serveradmin command, followed by settings, followed by san shows a few pieces of information:

bash-3.2# serveradmin settings san
san:computers = _empty_array
san:primaryController = "95C99FB1-80F2-5016-B9C3-BE3916E6E5DC"
san:ownerEmail = ""
san:sanName = "krypted"
san:desiredSearchPolicy:_array_index:0 = ""
san:serialNumbers = _empty_array
san:dsType = 0
san:ownerName = "Charles Edge"
san:managePrivateNetwork = yes
san:metadataNetwork = ""
san:numberOfFibreChannelPorts = 2
san:role = "CONTROLLER"

Here, we see the metadata network, the GUID of the primary (active) MDC, the name of the SAN, an array of serial numbers (if applicable – in a purely Mountain Lion/Mavericks SAN they aren’t), the owner info plugged in earlier and the metadata network interface being used.
Next, we’ll take a peak at the fsm process for each volume:

bash-3.2# ps aux | grep fsm
root 7030 0.7 0.7 2694708 62468 ?? Ss 10:18AM 0:03.08 /System/Library/Filesystems/acfs.fs/Contents/bin/fsm BettyWhite mdm.pretendco.lan 0
root 6834 0.1 0.0 2478548 2940 ?? S 10:10AM 0:01.37 fsmpm -- -- /var/run/fsmpm-sync.6800 1800

Next, we can look at the version rev, which shows that the Server Revision is the same as in Mavericks, but the build number has incremented by 19 commits:

bash-3.2# cvversions
File System Server:
Server Revision 5 Branch Head
Created on Tue Sep 13 09:59:14 PDT 2015
Built in /SourceCache/XsanFS/XsanFS-527/buildinfo
Host OS Version:
Darwin 14.0.0 Darwin Kernel Version 14.0.0: Sat Sep 24 01:15:10 PDT 2015; root:xnu-2738. x86_64

Next, we’ll check out the contents of /Library/Preferences/Xsan. First the volume configuration file:

bash-3.2# cat BettyWhite.cfg
# Globals
AllocationStrategy Round
FileLocks Yes
BufferCacheSize 32M
Debug 0x0
CaseInsensitive Yes
EnableSpotlight Yes
EnforceACLs Yes
SpotlightSearchLevel ReadWrite
FsBlockSize 16K
GlobalSuperUser Yes
InodeCacheSize 8K
InodeExpandMin 0
InodeExpandInc 0
InodeExpandMax 0
InodeDeleteMax 0
InodeStripeWidth 0
JournalSize 16M
MaxConnections 139
MaxLogSize 10M
MaxLogs 4
NamedStreams Yes
Quotas Yes
QuotaHistoryDays 7
ThreadPoolSize 256
UnixIdFabricationOnWindows Yes
UnixNobodyUidOnWindows -2
UnixNobodyGidOnWindows -2
WindowsSecurity Yes
# Disk Types
[DiskType LUN2Type]
Sectors 488355807
SectorSize 512
# Disks
[Disk LUN2]
Type LUN2Type
Status UP
# Stripe Groups
[StripeGroup All]
Status Up
StripeBreadth 16
Metadata Yes
Journal Yes
Exclusive No
Read Enabled
Write Enabled
Rtmb 0
Rtios 0
RtmbReserve 0
RtiosReserve 0
RtTokenTimeout 0
MultiPathMethod Rotate
Node LUN2 0
Affinity All

The above is not the XML I was thinking we’d see, but the same format and variables previously available. The configuration for the SAN itself is XML though:

bash-3.2# cat config.plist




Charles Edge

The automount file is a plist as well:

bash-3.2# cat automount.plist





The aux-data is also a plist:

bash-3.2# cat BettyWhite-auxdata.plist






Next, cvadmin remains basically unchanged, with the addition of restartd/startd/stopd (managing the fem and the removal of :

Xsanadmin (BettyWhite) > help
Command summary:
activate, debug, dirquotas, disks, down, fail, filelocks, fsmlist, help, latency-test, multipath, paths, proxy, qos, quit, quotas, quotacheck, quotareset, ras, repfl, repquota, repof, resetrpl, rollrj, select, show, start, stat, stop, up, who, ?
activate [ | ]
Activate a File System .
This command may cause an FSM to activate.
If the FSM is already active, no action is taken.
debug [ [+/-] ]
Get or Set (with ) the FSS Debug Flags.
Enter debug with no value to get current setting and bit meanings.
Value should be a valid number. Use 0x to indicate hexadecimal.
If the ‘+’ or ‘-’ argument is used, only specified flags
will be modified.
‘+’ will set and ‘-’ will disable the given flags.
dirquotas <create|mark|destroy>
The ‘create’ command turns the given directory into the root of a
Directory Quota namespace. The command will not return until the
current size value of the directory is tallied up. The ‘mark’
command also turns the given directory into the root of a
Directory Quota namespace, but the current size value is left
uninitialized.  The command ‘quotacheck’ should be run later to
initialize it. The ‘destroy’ command destroys the namespace
associated with the given directory.  The directory’s contents
are left unchanged.
disks [refresh]
Display the acfs Disk volumes visible to this machine.
If the optional “refresh” is used, the volumes will.
be re-scanned by the fsmpm.
disks [refresh] fsm
Display the acfs meta-data Disk volumes in use by the fsm.
If the optional “refresh” is used, additional paths to these
volumes may be added by the fsm.
Bring down stripe group .
fail [ | ]
Failover a File System .
This command may cause a stand by FSM to activate.
If the FSM is already active, the FSM will
shut down. A stand-by FSM will take over or the
FSM will be re-launched if it is stand-alone.
fsmlist [] [on ]
Display the state of FSM processes, running or not.
Optionally specify a single to display.
Optionally specify the host name or IP address of the system
to list the FSM process(es) on.
help (?)  This message.
latency-test [ | all] []
Run an I/O latency test between the FSM process and one
client or all clients.  The default test duration is
2 seconds.
multipath < balance | cycle | rotate | static | sticky >
Change the Multi Path method for stripe group
to “balance”, “cycle”, “rotate”, “static”, or “sticky”.
Display the acfs Disk volumes visible to this machine
grouped according to the “controller” identity.
proxy [ long ]
proxy who
Display Disk Proxy Servers, and optionally the disks
they serve, for this filesystem
The “who” option displays all proxy connections
for the specified host.
qos       Display per-stripe group QOS statistics.
quit      Exit
Query cluster-wide file/record lock enforcement.
Enter filelocks with no value to get current setting.
Currently Cluster flocks are automatically used on Unix.
Windows file/record locks are optional.
Get the current state of the quota system
quotas get <user|group|dir|dirfiles>
Get quota parameters for user, group, or directory .
quotas set <user|group|dir|dirfiles>
Set current quota parameters for user, group, or directory
. can be the name of a user or group or the
path to a directory. For users and groups, it can also be an
integer interpreted as a uid or gid.  Setting the hardlim,
softlim, and timelim to 0 disables quota enforcement for that user,
group, or directory. The values for hardlim and softlim are
expressed in bytes when setting user, group, or dir values.  When
setting dirfiles values, they are numbers of regular file inodes.
The value for timelim is expressed in minutes.
Recalculate the amount of space consumed (the current
size field of the quota record) by all users,
groups, and directory namespaces in the file system. This
command can be run on an active file system although file
updates (writes, truncates, etc.) will be delayed until
quotacheck has completed.
Like quotacheck, but deletes the quota database before
performing the check. All limits and directory namespaces
will be lost. Use with extreme caution.
ras enq “detail string”
Generate an SNFS RAS event.  For internal use only.
ras enq “detail string”
Generate a generic RAS event.  For internal use only.
Generate quota reports for all users, groups, and directory
namespaces in the file system. Three files are generated:
1. quota_report.txt – a “pretty” text file report.
2. quota_report.csv – a comma delimited report
suitable for Excel spreadsheets.
3. – a list of cvadmin commands that
can be used to set up an identical quota database
on another Xsan.
Generate a report of currently held locks
on all connected acfs clients.
Generate a report of currently open files
on all connected acfs clients.
resetrpl [clear]
Repopulate Reverse Path Lookup (RPL) information.
The optional “clear” argument causes existing
RPL data to be cleared before starting repopulation.
Note: “resetrpl” is only available when cvadmin is
invoked with the -x option.  Running resetrpl
may significantly delay FSM activation.  This command
is not intended for general use.  Only run “resetrpl”
when recommended by Technical Support.
restartd [once]
Stop and start the process.
For internal use only.
Force the FSM to start a new restore journal.
This command is only used on a managed file system
select [ | | none]
Select the active File System .
Typing “select none” will de-select the current FSS.
If the FSM is inactive (standing by) it cannot be selected.
Using this command with no argument shows all active FSSs.
show [ ] [ long ]
Show all stripe groups or a specific stripe group .
Adding the modifier “long” shows more verbose information.
start [on] []
Start the File System Service for .
When running on an HA MDC, the local service is started and
then an attempt is made to start the service on the peer MDC.
Optionally specify the hostname or IP address to start the
FSM on that MDC only.
startd [once]
Start the process.
For internal use only.
stat      Display the general status of the file system.
stats [clear]
Display read/write statistics for the file system.
If clear, zero the stats after printing.
stop [on] [] |
Stop the File System Services for
or . Stopping by name without specifying a
hostname will stop all instances of the service, and will
cancel any pending restart of the service on the local system.
Stopping by name on a particular system will stop or cancel
a restart of the service on that system.  Stopping by
number only stops the service associated with the index.
Indexes are displayed on the left side as “nn>” when.
using the “select” command.
Stop the process.
For internal use only.
Bring up stripe group .
If there are no stripe groups that have exclusively numeric names,
the stripe group index number shown in the “show” command may be
used in place of .
who [] [long]
List clients attached to file system.
In the short form, “who” returns the following information:
- acfs I.D.       – Client License Identifier
- Type            – Type of client connection
FSM              – File System Manager (FSM) connection
ADM              – Administrative (cvadmin) connection
CLI              – File system client connection. May be
followed by a CLI type character:
S – Disk Proxy Server
C – Disk Proxy Client
H – Disk Proxy Hybrid Client
- Location        – Client’s hostname or IP address
- Up Time         – Total time client has been connected to FSM
- License Expires – Date client’s license will expire
In the long form, “who” returns network path, build, latency
and reconnect information, if available.
Administrative and FSM clients return a limited set of information.
Xsanadmin (BettyWhite) > select
List FSS
File System Services (* indicates service is in control of FS):
1>*BettyWhite[0]        located on (pid 7030)

September 25th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Xsan

Tags: , , , , , ,

Leave a Comment

Under the hood, OS X Server has a number of substantial changes; however, at first the Server app (Server 5) appears to have had very few changes. The changes in the Server app were far more substantial in the El Capitan version (and Yosemite for that matter) of OS X Server. All of the options from OS X are still there and using the new command line interface for managing the service, there are far more options than ever before.

The DNS service in OS X Server, as with previous versions, is based on bind 9 (BIND 9.9.7-P2 to be exact). This is very much compatible with practically every DNS server in the world, including those hosted on Windows, OS X, Linux and even Zoe-R.

The first time you open the DNS Service click on the DNS service in the ADVANCED section of the list of SERVICES.

Screen Shot 2015-09-08 at 10.15.41 PM

Then, click on the cog wheel icon below the list of records and click on Show All Records.

Screen Shot 2015-09-08 at 10.16.09 PM

At the Records screen, you’ll now see forward and reverse record information. Click the Edit… button for the Forwarding Servers field. Here, you’ll be able to enter a Forwarders, or DNS servers that resolve names that the server you’re using can’t resolve using its own DNS records.

Screen Shot 2015-09-08 at 10.17.27 PM

Click the plus sign to enter the IP address of any necessary Forwarders. Enter the IP address of any Forwarding servers, then click OK to save your changes.

Screen Shot 2015-09-08 at 10.18.27 PM

Once back at the main DNS service control screen, click the Edit… button for Perform lookups for to configure what computers the DNS server you are setting up can use the DNS service that the server is hosting.

Screen Shot 2015-09-08 at 10.27.31 PM

At the Perform Lookups screen, provide any additional subnets that should be used. If the server should be accessible by anyone anywhere, just set the “Perform lookups for” field at the DNS service screen to “all clients”.

All you have to do to start the DNS is click on the ON button (if it’s not already started, that is). There’s a chance that you won’t want all of the records that are by default entered into the service. But leave it for now, until we’ve covered what everything is. To list the various types of records:

  • Primary Zone: The DNS “Domain”. For example, would likely have a primary zone of
  • Machine Record: An A record for a computer, or a record that tells DNS to resolve whatever name is indicated in the “machine” record to an IP address, whether the IP address is reachable or not.
  • Name Server: NS record, indicates the authoritative DNS server for each zone. If you only have one DNS server then this should be the server itself.
  • Reverse Zone: Zone that maps each name that IP addresses within the zone answer with. Reverse Zones are comprised of Reverse Mappings and each octal change in an IP scheme that has records mapped represents a new Reverse Zone.
  • Reverse Mapping: PTR record, or a record that indicates the name that should respond for a given IP address. These are automatically created for the first IP address listed in a Machine Record.
  • Alias Record: A CNAME, or a name that points to another name.
  • Service Record: Records that can hold special types of data that describe where to look for services for a given zone. For example, iCal can leverage service records so that users can just type the username and password during the setup process.
  • Mail Exchanger Record (aka MX record): Mail Exchanger, points to the IP address of the mail server for a given domain (aka Primary or Secondary Zone).
  • Secondary Zone: A read only copy of a zone that is copied from the server where it’s a Primary Zone when created and routinely through what is known as a Zone Transfer.

Screen Shot 2015-09-08 at 10.26.44 PM

When you click on the plus sign, you can create additional records. Double-clicking on records (including the Zones) brings up a screen to edit the record. The settings for a zone can be seen below.

 Screen Shot 2015-09-08 at 10.28.19 PM

These include the name for the zone. As you can see, a zone was created with the hostname rather than the actual domain name. This is a problem if you wish to have multiple records in your domain that point to the same host name. Theoretically you could create a zone and a machine record for each host in the domain, but the right way to do things is probably going to be to create a zone for the domain name instead of the host name. So for the above zone, the entry should be rather than (the hostname of the computer). Additionally, the TTL (or Time To Live) can be configured, which is referenced here as the “Zone data is valid for” field. If you will be making a lot of changes this value should be as low as possible (the minimum value here is 5 minutes). Once changes are made, the TTL can be set for a larger number in order to reduce the amount of traffic hitting the server (DNS traffic is really light, so probably not a huge deal in most environments using an El Capitan Server as their DNS server). Check the box for “Allow zone transfers” if there will be other servers that use this server to lookup records.

Additionally, if the zone is to be a secondary zone configured on another server, you can configure the frequency to perform zone transfers at this screen, how frequently to perform lookups when the primary name server isn’t responsive and when to stop bothering to try if the thing never actually ends up coming back online. Click on Done to commit any changes made, or to save a new record if you’re creating a new zone.

“Note: To make sure your zone name and TLD don’t conflict with data that already exists on the Internet, check here to make sure you’re not using a sponsored TLD.” —

Double-click on a Machine record next (or click plus to add one). Here, provide a hostname along with an IP address and indicate the Zone that the record lives in. The IP Addresses field seems to allow for multiple IPs, which is common in round robin DNS, or when one name points to multiple servers and lookups rotate amongst the servers. However, it’s worth mentioning that when I configure multiple IP addresses, the last one in the list is the only one that gets fed to clients. Therefore, for now at least, you might want to stick with one IP address per name.

Screen Shot 2015-09-08 at 10.29.37 PM

Note that the above screen has the domain in the zone field and the name of a record, such as www for the zone called, for example, krypted.lan. Click Done to commit the changes or create the new record.

Next, let’s create a MX record for the domain. To create the MX for the domain, click on the plus sign at the list of records.

Screen Shot 2015-09-08 at 10.31.46 PM

Select the appropriate zone in the Zone field (if you have multiple zones). Then type the name of the A record that you will be pointing mail to. Most likely, this would be a machine record called simply mail, in this case for krypton.lan, so mail.krypted.lan. If you have multiple MX records, increment the priority number for the lower priority servers.

As a full example, let’s create a zone and some records from scratch. Let’s setup this zone for an Xsan metadata network, called krypted.xsan. Then, let’s create our metadata controller record as starbuck.krypted.xsan to point to and our backup metadata controller record as apollo.krypted.xsan which points to First, click on the plus sign and select Add Primary Zone.

Screen Shot 2015-09-08 at 10.33.11 PM

At the zone screen, enter the name krypted.xsan, check the box for Allow zone transfers (there will be a second server) and click on the Done button. Click on the plus sign and then click on Add Machine record.

Screen Shot 2015-09-08 at 10.33.56 PM

At the New Machine Record screen, select krypted.xsan as the Zone and then enter starbuck as the Host Name and click on the plus sign for IP Addresses and type in Click on Done to commit the changes.

 Screen Shot 2015-09-08 at 10.34.35 PM

Repeat the process for Apollo, entering apollo as the Host Name and 10.0.03 as the IP address. Click Done to create the record.

Setting Up Secondary Servers

Now let’s setup a secondary server by leveraging a secondary zone running on a second computer. On the second El Capitan Server running on the second server, click on the plus sign for the DNS service and select Add Secondary Zone.

Screen Shot 2015-09-08 at 10.25.19 PM

At the Secondary Zone screen, enter krypted.xsan as the name of the zone and then the IP address of the DNS server hosting that domain in the Primary Servers field. Click Done and the initial zone transfer should begin once the DNS service is turned on (if it hasn’t already been enabled).

Managing DNS From The Command Line

Now, all of this is pretty straight forward. Create a zone, create some records inside the zone and you’re good to go. But there are a lot of times when DNS just needs a little more than what the Server app can do for you. For example, round robin DNS records, bind views, etc. Therefore, getting used to the command line is going to be pretty helpful for anyone with more than a handful of records. The first thing to know about the DNS command line in OS X El Capitan Server is to do everything possible using the serveradmin command. To start the service, use the start option:

sudo serveradmin start dns

To stop the service, use the stop option:

sudo serveradmin stop dns

To get the status of the service, including how many zones are being hosted, the last time it was started, the status at the moment, the version of bind (9.8.1 right now) and the location of the log files, use the fullstatus option:

sudo serveradmin fullstatus dns

A number of other tasks can be performed using the settings option. For example, to enable Bonjour Client Browsing, an option previously available in Server Admin, use the following command:

sudo serveradmin settings dns:isBonjourClientBrowsingEnabled = yes

Subnets can be created programmatically through serveradmin as well. Let’s look at what our krypted.xsan subnet looks like, by default (replace your zone name w/ krypted.xsan to see your output):

sudo serveradmin settings

Now, let’s say we’d like to disable bonjour registration of just this zone, but leave it on for the others on the server:

sudo serveradmin settings = no

The entire block can be fed in for new zones, if you have a lot of them. Just remember to always make sure that the serial option for each zone is unique. Otherwise the zones will not work properly.

While serveradmin is one way to edit zone data, it isn’t the only way, you can also use the dnsconfig options described in In /private/var/named are a collection of each zone the server is configured for. Secondary zones are flat and don’t have a lot of data in them, but primary zones contain all the information in the Server app and the serveradmin outputs. To see the contents of our test zone we created, let’s view the /Library/Server/named/db.krypted.xsan file (each file name is db. followed by the name of the zone):

cat /var/named/db.krypted.xsan

Add another record into the bottom and stop/start DNS to immediately see the ramification of doing so. Overall, DNS is one of those services that seems terribly complicated at first. But once you get used to it, I actually find manually editing zone files far faster and easier than messing around with the Server app or previously Server Admin. However, I also find that occasionally, because the Server app can make changes in there that all my settings will vanish.

Troubleshooting is another place where the command line can be helpful. While logs can be found in the Server app, I prefer to watch log entries live as I perform lookups using the /Library/Logs/named.log file. To do so, run tail -f followed by the name of the file:

tail -f /Library/Logs/named.log

Also, see for information on forcing DNS propagation if you are having issues with zone transfers. Finally, you can manage all records within the DNS service using the new /Applications/ command line tool. I’ve written an article on managing DNS using this tool, available here.

September 21st, 2015

Posted In: Mac OS X Server, Xsan

Tags: , , , , , , , , ,

One Comment

You can use the UUID of a SAN MDC in Xsan to perform a lot of tasks. To locate the UUID of a SAN MDC in Xsan:

sudo serveradmin settings san:UUID

The output is just the GUID of the san client UUID. Now you know.

July 7th, 2015

Posted In: Xsan

Tags: , , , , ,

sFlow is an industry standard that allows network equipment with the appropriate agents to send data to sFlow collectors, which then analyze network traffic. You can install sFlow on routers, switches, and even put agents on servers to monitor traffic. Brocade (along with most other switch manufacturers) supports sFlow.

Before you do anything log into the switch and check the current flow configuration:

show sFlow

To configure, log into the switch and use the the int command to access an interface. From within the interface, use the following command:

sflow forwarding

Then exit the interface using the very difficult to remember exit command:


Repeat the enablement of forwarding for any other necessary interfaces. Next, we’ll configure a few globals that would be true across all interfaces. The first is the destination address, done using the destination verb followed by the IP and then the port (I’m using the default 6343 port for sFlow):

sflow destination 6343

Set the sample rate:

sflow sample 512

Set the polling interval:

sflow polling-interval 30

Finally, enable sFlow:

sflow enable

January 2nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Network Infrastructure, Xsan

Tags: , , , , , , , , ,

Setting up OS X Server has never been easier. Neither has upgrading OS X Server. In this article, we’ll look at upgrading a Mac from OS X 10.8 or 10.9 running Server 2 or Server 3 to OS X 10.10 (Mavericks) running Server 4.

The first thing you should do is clone your system. The second thing you should do is make sure you have a good backup. The third thing you should do is make sure you can swap back to the clone should you need to do so and that your data will remain functional on the backup. The fourth thing you should do is repeat all that and triple check that your data is there!

Once you’re sure that you have a fallback plan, let’s get started by downloading OS X Yosemite from the App Store. I would also purchase the Server app first while Yosemite is downloading. Screen Shot 2014-11-04 at 7.15.56 PM Once downloaded, you’ll see Install OS X Yosemite sitting in LaunchPad. Once downloaded, you’ll see Install OS X Yosemite sitting in LaunchPad, as well as in the /Applications folder.

Screen Shot 2014-11-04 at 5.09.18 PM

Open the app and click Continue (provided of course that you are ready to restart the computer and install OS X Yosemite).

Screen Shot 2013-10-04 at 4.45.46 PMAt the licensing agreement, click Agree (or don’t and there will be no Mavericks for you).

Screen Shot 2013-10-04 at 4.45.48 PMAt the pop-up click Agree again, unless you’ve changed your mind about the license agreement in the past couple of seconds.

Screen Shot 2013-10-04 at 4.45.52 PMAt the Install screen, click Install and the computer will reboot and do some installation fun stuff.

Screen Shot 2013-10-04 at 4.45.54 PMOnce done and you’re looking at the desktop, download the latest version of the Server app you should have purchased previously, if you haven’t already. Then open it.

Screen Shot 2014-11-04 at 5.13.05 PM
If prompted that the Server app was replaced, click OK. Then open the app.

Screen Shot 2013-10-04 at 5.48.52 PMAt the Update screen, click Continue (assuming this is the server you’re upgrading).

Screen Shot 2014-11-04 at 5.13.09 PMAt the Licensing screen, click Agree.

Screen Shot 2014-11-04 at 5.13.12 PMWhen prompted for an administrator account, provide the username and password of an administrator and click OK.

Screen Shot 2014-11-04 at 7.28.07 PMWhen the app opens, verify DNS (absolutely the most important element of this upgrade), etc and then check that configured services still operate as intended. If you end up deciding that you no longer need OS X Server, just delete the app and the contents of /Library/Server and you’re good. Handle with Care.

November 4th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure, Xsan

Tags: , , , , , ,

Yosemite brings Xsan 4, which brings a new way to add clients to an Xsan. Xsan Admin is gone. From now on, instead of scanning the network using Xsan Admin. we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf. To make the Xsan configuration profile, we’re going to use Profile Manager.

To get started, open the Profile Manager web interface and click on a device or device group (note, these are scoped to systems so cannot be used with users and user groups). Then click on the Settings tab for the object you’re configuring Xsan for.

Screen Shot 2014-10-29 at 11.37.14 AM

Click Edit for the profile listed (Settings for <objectname>) and scroll down until you see the entry for Xsan.

Screen Shot 2014-10-29 at 11.37.32 AM

From the Xsan screen, click Configure.

Screen Shot 2014-10-29 at 11.37.41 AM

This next screen should look a little similar, in terms of the information you’ve plugged into the Xsan 4 setup screen. Simply enter the name of the Xsan in the Xsan Name field, the IP address or host names of your metadata controllers in the File System Name Servers field and the Authentication Secret from the Xsan screen in the Server app into the Authentication Secret field. Click OK to close the dialog.

Screen Shot 2014-10-29 at 11.38.29 AM

Click Save to save your changes. Then you’ll see the Download button become clickable.

Screen Shot 2014-10-29 at 11.44.15 AM

The profile will download to your ~/Downloads directory as Settings_for_<OBJECTNAME>.mobileconfig. So this was called test and will result in a name of Settings_for_test.mobileconfig. That profile will automatically attempt to install. If this is an MDC where you’re just using Profile Manager to bake a quick profile, or if you don’t actually want to install the profile yet, click Cancel.

Screen Shot 2014-10-29 at 11.43.43 AM

If you haven’t worked with profiles that much, note that when you click Show Profile, it will show you what is in the profile and what the profile can do.

Screen Shot 2014-10-29 at 11.43.59 AM

Simply open this file on each client (once you test it of course) and once installed, they’ll automatically configure to join your Xsan. If you don’t have a Profile Manager server, you can customize this file for your environment (YMMV): Settings_for_test.mobileconfig

October 30th, 2014

Posted In: Mac OS X Server, Xsan

Tags: , , , , , , , , ,

OS X Yosemite running the Server app has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in Yosemite Server. Some of these include the configuration of amavisd, docecot and alerts. These scripts can also be used for migrating services and data. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python. And the scripts tend to change year over year/release over release.

One of the things that can can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur.

Looking At Services

This is also where I learned that Apple had put an Open Directory backup script in /Applications/ (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign. Next is afp. This service logs output to two places. The first is with errors to the service, using /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = “/Library/Logs/AppleFileService/AppleFileServiceError.log”

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = “/Library/Logs/AppleFileService/AppleFileServiceAccess.log”

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs. The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = “warn”

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can changing either by changing what comes after the = sign.
Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script ( /Applications/ ) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = “ALL”

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. Global log locations are controlled using the mail:global:service_data_path key, which indicates a path that logs are stored in (as usual many of these are in /Library/Server):

sudo serveradmin settings mail:global:service_data_path = "/Library/Server/Mail"

To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging to info:

sudo serveradmin settings mail:imap:log_level = “info”

To set increased logging per function that dovecot performs, see the config files in /Applications/, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = “HIGH”

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = “/Library/Logs/PostgreSQL”

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The Xsan service logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file /Library/Preferences/SystemConfiguration/ with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”
sudo serveradmin settings = “/var/log/ppp/vpnd.log”

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings
sudo serveradmin settings
sudo serveradmin settings
sudo serveradmin settings

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure Yosemite Server’s built-in web service to conform to the standards of most modern web log analyzers.


Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offering only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

October 28th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Xsan

Tags: , , , , , , , , , ,

I work with a lot of network storage and video world stuff. While most in the editorial world prefer FinalCut, Avid, Adobe and other tools for video management, I do see the occasional task done in iMovie. By default, iMovie doesn’t support using assets stored on network volumes. However, you can make it. To do so, just use defaults to write with a boolean allowNV key marked as true:

defaults write allowNV -bool TRUE


April 25th, 2014

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Unix, Windows Server, Xsan

Tags: , , , , ,

Qlogic fibre channel switches are about the most common I see in Xsan environments. A common frustration when managing a Qlogic switch is that the Java runtime used to manage the switch is blocked from most OS X systems by default. But it’s pretty easy to get into them with a couple of minor adjustments.

To get started, first download and install the latest Java from here. Once installed, open System Preferences on your Mac and then open the Java Preferences. Here, click on the Security tab.

Screen Shot 2014-03-17 at 10.43.11 AM

Click Edit Site List… In the pop-up, click Add and enter http:// followed by the name or IP address of your switch.

Screen Shot 2014-03-17 at 10.42.45 AM

Click on OK to commit your changes. Then access the switch address from Firefox (what I use for these) or whatever browser you prefer. Because the switch has a self-signed certificate, you’ll be prompted with a  security warning. Here, click the checkbox for “I accept the risk and want to run this application” and then click on the Run button.

Screen Shot 2014-03-17 at 10.40.21 AM

You’ll then be prompted by another Security Warning dialog. This one is indicating that the Java applet is potentially unsafe. Because we somewhat trust Qlogic, click Don’t Block. You’ll have to click this one every time you access the switch.

Screen Shot 2014-03-17 at 10.43.48 AM

The switch interface then opens and you can manage your switch as needed.

Screen Shot 2014-03-17 at 10.45.20 AM


March 24th, 2014

Posted In: Xsan

Tags: , , , , , , ,

I have used a variety of tools for testing the speed of Xsan volumes. But none have been as easy as the BlackMagic Disk Speed Test. It’s cute, it’s fast, it’s very informative and it requires no Terminal, unlike the other tools I’ve used for years. To use Disk Speed Test, first download it from the Mac App Store (it’s free). Then mount the volume you’d like to test and open the Disk Speed Test app.



Click on the Settings icon in the middle and select the volume you’d like to test.


Then click Start. Enjoy.

March 22nd, 2014

Posted In: Mac OS X, Mac OS X Server, Xsan

Tags: , , ,

Next Page »