OMG! APPLE IS GUTTING SERVER.APP!!!! Don’t panic.
neverhadtofight.com/macadmins2018
Introduce the topic I began this trying to find the best methods to migrate from Server.app Just one person’s experience, not intended to be the be all and end all of Server.app migration You can find this Google Slide deck at neverhadtofight.com/macadmins2018
This is on every slide
neverhadtofight.com/macadmins2018
You can find this Google Slide deck at neverhadtofight.com/macadmins2018, that URL appears on every slide. Adam Anklewicz
[email protected] neverhadtofight.com twitter.com/a_ankle aanklewicz on MacAdmins Slack neverhadtofight.com/macadmins2018
My name is Adam Anklewicz, you can find my musings about music and film and IT on my website neverhadtofight.com. I’m on Twitter and the MacAdmins slack. I’m also here, so say hi. IT Manager The Leo Baeck Day School [email protected] leobaeck.ca neverhadtofight.com/macadmins2018
I’m also the IT Manager for The Leo Baeck Day School, an IB World School, and the only Reform Jewish day school in Canada. We have campuses in Toronto and Vaughan, Ontario, Canada. Our IT department consists of myself and another gentleman named Shaun, who is also here this week. However, we need a third. Do you want to be the third? Email me, find me, talk to me. #youmustbelegallyabletoworkinCanada neverhadtofight.com/macadmins2018 Charles Edge
krypted.com
neverhadtofight.com/macadmins2018
Shortly after I got approved for this topic, I saw that Charles was posting on Twitter and his blog about this very topic. His website was quite a resource, and I would suggest people check that out. macOS vs the world
neverhadtofight.com/macadmins2018
You have a Mac. Use it. There may be many other and better ways to run some of these services, but there’s no point in wasting a perfectly good server. Let’s keep running macOS What are you using Server.app for?
Survey time!
neverhadtofight.com/macadmins2018 What I’m going to talk about...
Web
DNS
Wiki
DHCP
Caching
NetInstall
neverhadtofight.com/macadmins2018 Test Server
VMWare Fusion
macOS 10.13
Install VMWare tools
Install Server.app
neverhadtofight.com/macadmins2018
I created a virtual machine in VMWare Fusion. Then I could clone the machine and start the next step from there over and over again. Web
Turned on Web
Confirmed it was working
Gave VM a static IP
Created DNS record for testserver.example.com
Set firewall rule
Installed Let’s Encrypt certificate (previously documented here)
Installed MunkiReport neverhadtofight.com/macadmins2018
I needed a base starting point for the Web Server to migrate from: One of the most important steps in this entire process was checking to see if things were working. MunkiReport because PHP and database, and what I use in production for the school. Web to MAMP
neverhadtofight.com/macadmins2018
My first transition to try was Web to MAMP VM Clone What is LAMP What is MAMP GUI neverhadtofight.com/macadmins2018
First thing I did was download MAMP Then I turned off the Websites service Installed MAMP /Applications/MAMP
neverhadtofight.com/macadmins2018
In the Applications/MAMP folder, I ran MAMP neverhadtofight.com/macadmins2018
Stop/Start buttons I pressed the big button that says Start Servers. Tested it to make sure it works neverhadtofight.com/macadmins2018
This is preferences pane First I went to the Web-Server pane and set the directory I wanted for the webroot. I kept it at the default of /Library/Server/Web/Data/Sites/Default Next, I came to this ports tab and clicked on that magic “Set Web * MySQL ports to…” button Done
...Sorta
neverhadtofight.com/macadmins2018
Done. ● Sorta. ● We now need to discuss data security SSL!
neverhadtofight.com/macadmins2018
Encrypts traffic What is Let’s Encrypt Free 90 day certificate The certificate says that your site is what you say it is.
Couldn’t find any documentation on the process for Server.app, so I figured it out and wrote the documentation. You can access it on my website. When I documented the process, the server was running 10.12.6. This process works with 10.13
Describe process ● Install Homebrew ● Install certbot ● Certbot puts a document in a publicly accessible folder on your webserver ● Let’s Encrypt checks that it can access that document ● It then issues the certificate and puts in in a folder on your computer. ● You then need to grab those certs and drag and drop them into Server.app
https://www.neverhadtofight.com/blog/2017/12/12/lets-encrypt-on-a-macos-machine-r unning-10-12-6-and-server-app/ privkey.pem -> munkireport.example.com.key
fullchain.pem -> munkireport.example.com.crt
Move files to /Applications/MAMP/conf/apache
/Applications/MAMP/conf/apache/httpd.conf
# Include /Applications/MAMP/conf/apache/extra/httpd-ssl.conf
neverhadtofight.com/macadmins2018
Rename certs, move them to the proper directory, edit the httpd.conf
Uncomment that include. Edit /Applications/MAMP/conf/apache/extra/httpd-ssl.conf and search for General setup for the virtual host. From there, you’ll want to enter the path to the web files.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
neverhadtofight.com/macadmins2018
At this point you just need to set up some basics in this filme. The path to the web files, the path to the .cert and .key files, and the Server Name. Done
...Really
neverhadtofight.com/macadmins2018 Web to Apache
neverhadtofight.com/macadmins2018
So… let’s talk about the transition from Web to Apache. neverhadtofight.com/macadmins2018
I tested the existing server, and it worked just fine. I then turned off Websites in Server.app Edit /etc/apache2/httpd.conf
# LoadModule php7_module libexec/apache2/libphp7.so
Then restart Apache
> sudo apachectl restart
Test again
neverhadtofight.com/macadmins2018
Uncomment by removing the # Restart the apache service, test again Test PHP
> sudo nano /Library/WebServer/Documents/phpinfo.php
neverhadtofight.com/macadmins2018
First we need to create a file in the root directory And paste in the a very small php script.
● If you notice, Apache’s root directory is different from Server.app’s and it’s a lot shorter. So we have no files of our own there, just default Apache files ● If PHP isn’t working, all you’ll see is the php script in plain text in your web browser. Test PHP
Browse testserver.example.com/phpinfo.php
neverhadtofight.com/macadmins2018
Go to your web browser and put in the url to your server Transfer files
> sudo rsync -av /Library/Server/Web/Data/Sites/Default/ /Library/WebServer/Documents/
> sudo chgrp -R _www /Library/WebServer/Documents/ > sudo chmod -R 775 /Library/WebServer/Documents/
> sudo apachectl restart
neverhadtofight.com/macadmins2018
I used rsync to move the files. I had some permissions problems dragging and dropping the first time. Then I realized, using rsync, I had the same permissions problems, so I needed to set the correct permissions Restarted apache and it worked. Done
...Sorta
neverhadtofight.com/macadmins2018
We’re done. Sorta. We still need to discuss data security.
YES! I know that this scene was from season 1 and Worf wasn’t in security. Edit /etc/apache2/httpd.conf
# LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
# LoadModule ssl_module libexec/apache2/mod_ssl.so
# Include /private/etc/apache2/extra/httpd-ssl.conf
neverhadtofight.com/macadmins2018
This time we’re enabling SSL Edit /etc/apache2/extra/httpd-vhosts.conf
You’ll need to edit the httpd-vhosts.conf file. You’ll have to edit the ServerName and the Cert files names. You’ll also need to bring those certs that we had from the previous example and put them in there. Save and exit > sudo apachectl restart
neverhadtofight.com/macadmins2018
Restart apache and test. Done
...Really
neverhadtofight.com/macadmins2018 MAMP Apache
Ease Easy Easy-Medium
Time 45 minutes 35 minutes
What’s am I MySQL missing?
Mistakes I spent too much Didn’t copy files over with right time trying to figure permissions, had to start over. out where the .key and .crt files are when I only had .pem files from Let’s Encrypt. Just had to rename the extension and they work. neverhadtofight.com/macadmins2018
No research ahead of time Using SQLite, so I didn’t need MySQL, but if going the Apache route, I would suggest you install MySQL and PHPmyAdmin DNS
Bind vs. Unbound vs. Knot
Turn on DNS
Added a zone for domain, with multiple entries
Pointed client machine to server, confirmed it was working
neverhadtofight.com/macadmins2018
Give you a sneak peak. Comparing BIND, Unbound and Knot Bind: Super simple. Apple’s documentation made migration easy and transferred all your settings. Even better, if you don’t want to manage your settings in a text file, you can use a web interface called Webmin which will let you manage everything in a web-based GUI. Unbound and Knot I kept on hitting walls and walls and walls. I got the shortest distance with Knot. With Unbound, I at least got a bit further, but found that there were components missing from the homebrew install resulting in “command not found” errors. This led to discovering a void of support. I didn’t see many people running these services. Talk about basic DNS setup and testing, shut down, cloning and starting BIND install Get your server ready for Bind
First test your existing setup
Install XCode, launch XCode and agree to the terms and conditions
Turn off DNS in Server.app
neverhadtofight.com/macadmins2018
Apple’s guide is great. I found a couple of errors and that it wasn’t as detailed as I would like, so I expanded on it in my blog post. https://www.neverhadtofight.com/?p=5073 Download Bind
neverhadtofight.com/macadmins2018
Go to Bind’s website, click on download, expand the Bind section, click on the current stable release. Find the Unix installer, that’s the tar.gz, and click on that link. Also download a signature, too.
The reason I went into such detail is because it’s not an easy to navigate website. Uncompress and install Bind
> cd ~/Downloads
> tar xzf bind-9.12.1-P2.tar.gz
> cd ./bind-9.12.1-P2
> ./configure --infodir="/usr/share/info" --sysconfdir="/etc" --localstatedir="/var" --enable-atomic="no" --with-openssl=no --withgssapi=yes --enable-symtable=none --with-libxml2=no
> make
> sudo make install neverhadtofight.com/macadmins2018
Navigate to where Bind was downloaded. Uncompress bind Navigate into the bind directory Configure it and run the installer. You can confirm it was installed by running “man named” that pulls up the manual Create and load launch daemon �
> sudo nano /Library/LaunchDaemons/org.isc.named.plist
> sudo chown root:wheel /Library/LaunchDaemons/org.isc.named.plist > sudo launchctl load -w /Library/LaunchDaemons/org.isc.named.plist neverhadtofight.com/macadmins2018
You need to create a the Launch Daemon, do to that, you can just use nano to edit a file that doesn’t exist. When you save, it’ll save there. The full contents is in Apples documentation on page 7 https://developer.apple.com/support/macos-server/macOS-Server-Service-Migration- Guide.pdf Finally, you need to set ownership of the Launch Daemon. Settings
neverhadtofight.com/macadmins2018
Next thing you need to do is open up the configuration file to figure out what your primary zone’s file is. Settings
neverhadtofight.com/macadmins2018
Saw that it brought across the zone leobaeck.ca, and it stored the data in a file called db.leobaeck.ca Settings
> sudo nano /Library/Server/named/db.leobaeck.ca
neverhadtofight.com/macadmins2018
Opened /Library/Server/named/db.leobaeck.ca Confirmed it had all the right data I could then, in theory, edit it further to add more records Loaded DNS Success!
neverhadtofight.com/macadmins2018
Opened /Library/Server/named/db.leobaeck.ca Confirmed it had all the right data I could then, in theory, edit it further to add more records Loaded DNS Wiki
Whaaaaa?
neverhadtofight.com/macadmins2018
Wiki’s an interesting one. Apple suggests two ways of getting data out of Server.app Export as static web pages Export as a Wordpress backup. Does that make sense to anyone? I think it would make more sense to install MediaWiki and hire some high school students to copy and paste the data over. I think this one needs to be a conversation. Thoughts? DHCP
Kill DHCP on my router
Give my Mac and VM static IPs
Turn on DHCP
Basic configuration
Renew leases on a handful of devices and watch them connect to the network.
neverhadtofight.com/macadmins2018
I did this one at home, not at work. I figured inconveniencing my wife for a short while was better than the entire faculty, admin staff, and students. Once again clone my starting Server.app image. Turn on DHCP. So this is my starting point for DHCP on Server.app Gather info for DHCP
ifconfig -a
neverhadtofight.com/macadmins2018
You need to know what port you want to use, Apple suggests you use ifconfig to get info on the connection. I already know that I want to use en0 Configure DHCP
sudo nano /etc/bootpd.plist
neverhadtofight.com/macadmins2018
Enter that data under the first
sudo launchctl load -w /System/Library/LaunchDaemons/bootps.plist
launchctl print system/com.apple.bootpd
neverhadtofight.com/macadmins2018
Load it and you’re done. Worked so easy that I felt no need to look for another solution, because nothing could honestly have been more of an easy transition, and Apple’s documentation was spot on. One thing to caution. Within that documentation, there’s a few line breaks with the commands to enter in terminal. With that launch c t l command up there, apple put the line break, just after the / before bootps.plist If you just copy and paste it in, it will tell launch ctl to load EVERY .plist in the /System/Library/LaunchDaemons folder. Caching
neverhadtofight.com/macadmins2018
Caching server is probably the easiest. Apple has made it part of macOS by default now. You don’t need anything special. Just visit the Sharing Preferences Pane, enable content caching, and in the options you can choose how much space you’re willing to spare for the service. NetInstall
neverhadtofight.com/macadmins2018
Sorry, I don’t have a screenshot, but in the new version of Server, NetInstall is still available, just hidden, so no need to talk about it. It’s still there to use. There also BSDpy. I’m not sure if it will continue to be developed, but runs in a Docker container and lets you host your NBI files. Resources
Blog posts at neverhadtofight.com
Apple Server Service Migration Guide
Krypted.com
neverhadtofight.com/macadmins2018