Mac OS X Administration -- Getting Started
Stephen Worotynec
In May 2001, Apple introduced OS X, a new version of the Macintosh
operating system. OS X is radically different from previous versions;
it blends the Macintosh graphical user interface (GUI) with a Unix
basis -- the Mach microkernel and 4.4BSD. OS X comes in server
and client versions, and both are discussed here. The 10.2 version
of OS X is used in the article and is the third released version.
Although the Unix underpinnings are advertised by Apple, the inherent
capabilities are often hidden or difficult to enable. For a Unix
administrator to get the most function out of this system, many
features (e.g., GUI-less operation, single-user mode, firmware,
and serial console access) require explicit activation. In this
introductory article, I'll show how these tasks are accomplished.
Where's the Shell?
The terminal application is hidden in /Applications/Utilities.
To begin, drag it to your dock for easier access. Or, better yet,
have it start automatically via System Preferences/Login Items.
The OS X shells include tcsh, bash, and zsh.
What about root?
Note that the root account is not enabled by default. However,
any account in the admin group may use sudo to perform root functions.
OS X's sudo has a five-minute timer, so you needn't repeatedly
enter the password. You can also "sudo bash", for example,
to get a root shell for ongoing work.
With a shell and the ability to sudo, along with some understanding
of Unix, you'll be ready to take on the following tasks.
Aqua-less OS X
It may seem surprising, if not astonishing, to some that a Mac
may be run without a GUI. For systems acting as servers, this setup
allows for resource savings and reduces the number of running processes.
Even suspending the GUI for an intense compilation may make sense.
To turn off the Aqua GUI and make the standard login a text
console, comment the following out of /etc/ttys, the file that
controls the default login:
console "/System/Library/CoreServices/loginwindow.app/ \
Contents/MacOS/loginwindow" vt100 on secure \
window=/System/Library/CoreServices/WindowServer \
onoption="/usr/libexec/getty std.9600"
And uncomment:
console "/usr/libexec/getty std.9600" vt100 on secure
Subsequent logins will be to a text console only.
Starting Aqua from this situation will require setting a slightly
obscure environmental variable and starting two services:
$ sudo bash
# export __CF_USER_TEXT_ENCODING=0x0:0:0
# /System/Library/CoreServices/loginwindow.app/Contents/MacOS/ \
loginwindow;/System/Library/CoreServices/WindowServer
Rather than choosing either GUI or command line, you can also set
OS X to toggle between GUI and console. Set the System Preferences/Accounts/Login
Options to "Name and Password". This results in a login
screen with blank Name and Password fields. In the name field, enter
the following, and you will get a console login:
>console
Alternately, you can create a user with the name ">console",
and selecting that user from the available accounts in the default
login screen will drop you to a text password prompt.
The statistics will vary depending on your CPU, amount of RAM,
and applications running, but consistent resource savings and a
smaller process table are immediate benefits of this setup.
OpenBoot Firmware
The Mac hardware is based on the PowerPC chip, and contains standard
OpenBoot firmware familiar to administrators of RISC-based Unix
systems. The firmware's function and role are hidden by default,
but can be uncovered to take full advantage of its capabilities.
While booting, hold the Option-Command-O-F keys. (Yes, that's
four keys!) The system will boot into the firmware:
Apple PowerMac3, 1 2.2f1 BootROM built on 01/28/00 at 17:50:30
Copyright 1994-2000 Apple Computer, Inc.
All Rights Reserved.
Welcome to Open Firmware.
To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return.
ok
0 >
The firmware can be used to set an IP address and default gateway
for diskless booting or network installation, or to boot from an alternate
device. You can also set a firmware password if desired.
Useful commands include dump-device-tree, which will display
extensive system information, and printenv and setenv,
to respectively show and set variables. These variables are also
accessible from the OS, with the command nvram -p to display
them, and nvram variable=value to set a new value.
An especially useful command enables visibility of the boot sequence.
By setting:
0 > setenv boot-args -v
you enable the display of the boot sequence, including the identification
of hardware, the mounting of drives, and startup of services.
If you support Mac end-users, you may have met the phenomenon
of the person who continually resets their system because it "isn't
booting." Enabling the verbose boot lets you see if an fsck
is occurring, or if a service isn't starting. Verbose mode
can be enabled on a one-time basis by holding the Command-v keys
while powering on.
Apple has several Open Firmware documents at:
http://bananajr6000.apple.com/OF/technotes.html
Single-User Mode
For fixing a variety of problems, especially settings in configuration
files, the use of single-user mode is an essential part of the Unix
toolkit. Mac OS X does have this feature, characterized by a minimal
OS running, without network services, and the root device mounted
in read-only mode.
There are a variety of ways to boot into single-user mode. You
can hold Command-s while booting. Or, in the firmware, issue the
command:
0 > setenv boot-args -s
From the OS, issue this command:
# nvram boot-args=-s
You may find the single-user mode a bit minimal. To edit configuration
files, mount the root filesystem read/write:
# /sbin/mount -uw /
The change you are making may be in the NetInfo database, which has
not yet started (more on NetInfo later). You can start it by running:
# /sbin/SystemStarter
You can enter multi-user mode simply by typing "exit".
Serial Console Access
One of the traditional expectations of a Unix systems administrator
is the ability to log into a system via a serial console. For RISC-based
systems, this would include the ability to interact with the firmware.
Apple's current offerings include only one system with an RS-232
serial port, the rackmount Xserve.
Support for serial login is set in the startup scripts via the
configuration file /System/Library/StartupItems/SerialTerminalSupport/SerialTerminalSupport.
To enable the serial terminal, set this option (the default is true
in the OS X Server):
ENABLE_SERIAL_TERMINAL=$TRUE
If you want to enable syslog output to the serial console, set this
option (the default is false):
ENABLE_SERIAL_SYSLOG=$TRUE
When enabled, this line should be in /etc/ttys:
tty.serial "/usr/libexec/getty serial.9600" vt100 on secure
The serial.9600 reference is to an entry in /etc/gettytab:
serial.9600|serial db9 port:\
:c2#0x00004b00:i2#0x00000704:l2#0x000005cf:o2#0x00000007:\
:np:sp#9600:
You should then be able to connect a null-modem DB-9 cable and, with
a terminal or terminal emulator (set to 9600-N-1), get a prompt such
as:
Darwin/BSD (hostname) (tty.serial)
login:
For tower model G4 Macs without a serial port, there are two options.
Griffin Technologies (http://www.griffintechnology.com/) makes
an add-on card supplying a serial port, the g4port. Alternately, USB-to-serial
adapters can allow serial access. Because these adapters depend on
software drivers, they won't allow access to the firmware or
the system in single-user mode, and are not suitable for general systems
administration work.
If you do attach an adapter, it may require a special entry in
/etc/ttys, depending on how the USB adapter is identified:
tty.USB Serial "/usr/libexec/getty serial.9600" vt100 on secure
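As an added example (not from the article), here is a small POSIX shell audit of an /etc/ttys-style file: for every entry it reports whether the line is on, whether it carries the "secure" flag, and whether it runs loginwindow or a getty. The sample file it parses is constructed from the entries quoted above; the point to check once a serial getty is enabled is which lines are both on and secure, because those accept a direct root login.

```shell
#!/bin/sh
# Added example, not from the article: audit an /etc/ttys-style file.
# Each entry is reported as: name, on/off, secure/insecure (a "secure"
# tty accepts a direct root login), and gui/text/other for its program.
audit_ttys() {
    awk '
    {
        line = $0
        # join backslash-continued lines, as in the loginwindow entry
        while (line ~ /\\[[:space:]]*$/ && (getline nxt) > 0) {
            sub(/\\[[:space:]]*$/, "", line)
            line = line " " nxt
        }
        if (line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/) next
        name = line; sub(/[[:space:]].*/, "", name)
        cmd = ""
        if (match(line, /"[^"]*"/)) cmd = substr(line, RSTART + 1, RLENGTH - 2)
        rest = line; sub(/"[^"]*"/, "", rest)
        state  = (rest ~ /[[:space:]]on([[:space:]]|$)/) ? "on" : "off"
        secure = (rest ~ /[[:space:]]secure([[:space:]]|$)/) ? "secure" : "insecure"
        kind   = (cmd ~ /loginwindow/) ? "gui" : (cmd ~ /getty/) ? "text" : "other"
        printf "%s %s %s %s\n", name, state, secure, kind
    }' "$1"
}
# Ttys that are both on and secure: root can log in here directly, so
# review this list whenever a serial getty is enabled on a reachable box.
secure_logins() {
    audit_ttys "$1" | awk '$2 == "on" && $3 == "secure" { print $1 }'
}
# Constructed sample modelled on the article: GUI entry commented out,
# text console and serial getty enabled, plus one network pseudo-tty.
sample_ttys() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#console "/System/Library/CoreServices/loginwindow.app/ \
# Contents/MacOS/loginwindow" vt100 on secure \
# window=/System/Library/CoreServices/WindowServer \
# onoption="/usr/libexec/getty std.9600"
console "/usr/libexec/getty std.9600" vt100 on secure
tty.serial "/usr/libexec/getty serial.9600" vt100 on secure
ttyp0 none network
EOF
    printf '%s\n' "$f"
}
f=$(sample_ttys)
audit_ttys "$f"                     # one line per entry
echo "root login ttys: $(secure_logins "$f" | tr '\n' ' ')"
rm -f "$f"
```

Run it against the real file with audit_ttys /etc/ttys; a name such as "tty.USB Serial" is reported by its first word only.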
The firmware allows output to both primary and secondary devices.
Note that the serial console is named scca. To make the serial console
the sole output path:
0 > setenv input-device scca
0 > setenv output-device scca
To additionally set console messages to go to the serial port, you
can set the console-screen variable. console-screen
requires a formal device tree path, which can be acquired from the
output of devalias. For example, if devalias output
showed:
0 > devalias
scca /pci@f20000000/@d/mac-io@7/escc/ch-a
then you would issue this command:
0 > setenv console-screen /pci@f20000000/@d/mac-io@7/escc/ch-a
The preceding are all lower-level aspects of Mac OS X. Unix administrators
will also want to know about text configuration files, and how their
management differs on OS X.
Text Files versus NetInfo
Unix administrators are familiar with files such as passwd and
group, residing in the /etc directory. Although OS X has these files,
it uses an architecture called Open Directory, which by default
consults a database called NetInfo, derived from the NeXTSTEP operating
system. (The man pages with late 1980s copyrights are an interesting
tip-off.) NetInfo keeps database files in /var/db/netinfo, and can
run both locally and on a network. Three daemons are associated
with NetInfo -- nibindd, netinfod, and lookupd. lookupd caches
requests for performance improvements, among other things.
The NetInfo database can be managed with the GUI "NetInfo
Manager" in /Applications/Utilities. The Unix systems administrator
will want to know about the ni* command-line utilities, including niutil,
nicl, niload, nifind, nigrep, nidump, and nireport. These utilities
act as intermediaries to the database.
To create an account, you can use a here document:
# niload passwd . << EOF
? sworotynec:*:888:20::0:0:Stephen Worotynec:/Users/sworotynec:/bin/bash
? EOF
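As an added example, not from the article, the following shell function checks a line in the master.passwd-style format used in the here document above before it is fed to niload; niload stores a uid 0 entry or an empty password field just as readily as a correct one. The load_user wrapper assumes the niload tool is present; the demo lines are constructed.

```shell
#!/bin/sh
# Added example, not from the article: check a master.passwd-style line
# (the 10-field format used in the niload here-document above) before it
# is loaded, since niload stores whatever it is given. Prints each
# problem found and returns 0 only when the line is safe to load.
check_passwd_line() {
    printf '%s\n' "$1" | awk -F: '
    NF != 10 { print "expected 10 colon-separated fields, got " NF; bad = 1 }
    NF == 10 {
        if ($1 !~ /^[a-z_][a-z0-9_-]*$/) { print "bad user name: " $1; bad = 1 }
        if ($2 == "") { print "empty password field means passwordless login"; bad = 1 }
        if ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/) { print "uid and gid must be numeric"; bad = 1 }
        else if ($3 == 0) { print "refusing to load a second uid 0 account"; bad = 1 }
        if ($9 !~ /^\//) { print "home must be an absolute path: " $9; bad = 1 }
        if ($10 !~ /^\//) { print "shell must be an absolute path: " $10; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}
# Wrapper around the article's here-document: nothing reaches NetInfo
# unless the line passes the checks. (Assumes niload is present.)
load_user() {
    check_passwd_line "$1" || return 1
    printf '%s\n' "$1" | niload passwd .
}
# Constructed demo lines: the article's account, and two that must be rejected.
for line in \
    'sworotynec:*:888:20::0:0:Stephen Worotynec:/Users/sworotynec:/bin/bash' \
    'evil:*:0:0::0:0:Evil:/Users/evil:/bin/bash' \
    'bob::889:20::0:0:Bob:/Users/bob:/bin/bash'
do
    if check_passwd_line "$line"; then echo "OK: $line"; else echo "REJECTED: $line"; fi
done
```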
To change a user's password, you would execute:
# nicl / -delete /Users/sworotynec passwd
nicl has the unique ability to act directly on the database,
even in single-user mode. Simply add the "-raw" option to
the command. It also has a nice shell that can be useful for administration.
Here's how to add a user to the dev group via the interactive
shell:
# nicl -raw /var/db/netinfo/local.nidb
/ > ls #show the NetInfo database
1 users
2 groups
3 machines
4 networks
5 protocols
6 rpcs
7 services
8 aliases
9 mounts
10 printers
56 locations
/ > cd groups/dev
/groups/dev/ > read .
name: dev
gid: 50
passwd: *
users:
/groups/dev/ > append . users sworotynec
/groups/dev/ > read .
name: dev
gid: 50
passwd: *
users: sworotynec
/groups/dev/ >^D
#
If commands like this leave you longing for vi and text files, you
can enable support for them via the Directory Access facility in /Applications/Utilities.
Under Services, enable "BSD Configuration files". Under
Authentication, choose custom path and add /BSD Configuration Files/Local.
This doesn't stop the default use of NetInfo. To make, for
example, /etc/hosts the primary name lookup mechanism, you must
open NetInfo Manager and browse to /locations/lookupd. There, a
property called LookupOrder will have entries such as CacheAgent,
NIAgent, and FFAgent. The ordering of these has an effect like that
of nsswitch.conf in Unix. You may want FFAgent (Flat File Agent)
ahead of NIAgent (NetInfo Agent) to have local files checked first.
The list of text files consulted is controlled by an XML document,
/Library/Preferences/DirectoryService/DSFFPlugin.plist. You can
edit this by hand, or use "Property List Editor", a utility
included with the Developer Applications CD that comes with OS X.
If you enabled BSD Configuration files, four are initially consulted:
master.passwd, group, hosts, and fstab.
In this article, I've shown some basic tools to get a Unix
admin up and running with OS X as quickly as possible. Although
they may be hidden beneath the surface, OS X has the features of
a Unix operating system.
Stephen Worotynec is a Unix System Administrator at Alias Systems,
a division of Silicon Graphics. His six years of experience have
included work on load balancing and secure Web servers. He can be
reached at: sworotynec@alias.com.