Master Image Creation Checklist

rdagel
New Contributor II

I am updating my documentation on master image creation. Just wondering
what others are doing to customize their master image. Such as:
Turning off external accounts,
Setting Time Machine to not offer new disks for backup,
Deleting the NetworkInterfaces plist

Rich Dagel
Senior Technology Specialist

Landor Associates
1001 Front Street
San Francisco, CA 94111
United States
415 365 3933
http://www.landor.com
Rich.Dagel at landor.com


tlarkin
Honored Contributor

I am currently on hold on my cell phone calling a utilities company so I am very bored and can't do anything. I am also not in my office so I don't have my complete list of notes on my image handy but I can give you a rough draft of what I do to create a master image.

1) Wipe and reload OS on a machine to create master image
2) Install desired apps I wanted bundled in the default image, and casper client
3) run any and all updates
4) configure remote management
5) create hidden admin accounts, one for casper, one for local administration, one for others who may need admin access
6) delete all local user accounts that are not hidden
7) create a very basic, limited user account that is local, for just in case scenarios
8) move all "admin only" apps to /Applications/Utilities
9) change ownership of /Applications to root:admin
10) change permissions of /Applications/Utilities to 770 so any user not in the admin group is denied access
11) In WGM create a nested group and only allow apps to run from /Applications and nowhere else.
12) If a developer makes an app that needs to be writable, I create a symbolic link to the file in question, typically in /Users/Shared, so no one but admins can write to /Applications
13) Set any environment-specific settings up, i.e. Network, DNS, BIND, etc.
14) Test with a test account to make sure mobile accounts sync, then of course delete said account
15) Triple check that everything works: logins, group policy and MCX, apps, network connection, etc.
16) Clear all caches, temp files, and logs
17) Create image

I am sure I am missing a few things as I do not have my notes in front of me, that is basically the idea though. I also have a few post image scripts that run that are building specific.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351
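The filesystem side of steps 8 through 12 in Thomas's checklist, as one script. This is an added example, not code from his post or from Casper: it assumes the target volume arrives as $1 (the Casper "after"-script convention), takes owner and group as arguments (root:admin in real use) so it can be tried on a scratch directory as an ordinary user, and the admin-only app names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: applies steps 8, 9, 10 and 12 of
# the checklist above to a target volume. Assumptions: the volume root comes
# in as $1 (Casper "after"-script convention), owner/group are root:admin in
# production but are parameters here, and the app names are illustrative.
set -e

# lock_down_apps <root> <owner> <group> [admin-only app ...]
lock_down_apps() {
  root="${1%/}"; owner="$2"; group="$3"; shift 3
  apps="$root/Applications"
  utils="$apps/Utilities"
  mkdir -p "$utils" "$root/Users/Shared"

  # Step 8: admin-only apps live in Utilities.
  for app in "$@"; do
    if [ -d "$apps/$app" ]; then
      mv "$apps/$app" "$utils/"
    fi
  done

  # Step 9: everything under /Applications belongs to root:admin and is
  # read/execute for everyone, so only admins can install or alter apps.
  chown -R "$owner:$group" "$apps"
  chmod 755 "$apps"

  # Step 10: 770 on Utilities denies non-admins even directory traversal,
  # so they can neither list nor launch anything inside it.
  chmod 770 "$utils"
}

# relocate_writable <root> <path relative to /Applications>
# Step 12: an app that insists on writing into its own bundle gets the file
# moved to /Users/Shared with a symlink left behind. The link target is the
# path as seen on the booted system, not on the mounted target volume.
relocate_writable() {
  root="${1%/}"; rel="$2"
  src="$root/Applications/$rel"
  dst="$root/Users/Shared/$(basename "$rel")"
  mv "$src" "$dst"
  chmod 666 "$dst"     # any local user may write; treat its contents as untrusted
  ln -s "/Users/Shared/$(basename "$rel")" "$src"
}

# mode_of <path>: permission string such as drwxrwx---, for verification
mode_of() { ls -ld "$1" | cut -c1-10; }

# Stand-alone use on a target volume, e.g. ./lockdown.sh /Volumes/Target
if [ $# -ge 1 ]; then
  lock_down_apps "$1" root admin "Terminal.app" "Activity Monitor.app"
  mode_of "$1/Applications/Utilities"
fi
```

Note what 770 on Utilities does and does not do: it stops non-admins from listing or launching anything under that folder on disk, but a user who copies the same binary into their home folder can still run it; that is what the MCX path restriction in step 11 is for, and the two controls only work together. The world-writable file in /Users/Shared can be altered by every local user, so the app that reads it must treat its contents as untrusted input.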

milesleacy
Valued Contributor

If we're talking about a base OS image, I do very little...
1. Perform OS custom install with all selectable options turned off.
2. Run latest Mac OS Combo updater
3. Go through Setup Assistant, create primary IT admin account.
4. Turn on SSH (Remote Login) and ARD (both for admin account only).
5. Change machine name to "unmanagedclient"

That's it. Everything else is done via packages or scripts. I believe in
keeping it as modular as possible.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

milesleacy
Valued Contributor

I have yet to encounter any LKDC problems, however, they have been widely
reported and I have no reason to believe that these reports are bogus. Therefore, in the interest of eliminating potential problems, I see
destroying the LKDC as a best practice. You can do this before creating
your base image, or you can do it as an "after" script in your
configuration.
Guess which I prefer. :)

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

John_Wetter
Release Candidate Programs Tester

Miles,

Are you just doing a destroy and rebuild in one script like this?

sudo rm -rf /var/db/krb5kdc
sudo /usr/libexec/configureLocalKDC

I'm going to have to give this a try as lately we have been seeing some issues with users not being able to log in to AD even when everything is showing as green. We are running a triangle with AD-OD in part of our environment and this is a problem, so I wonder if this might be one thing to check.

-John

milesleacy
Valued Contributor

I threw the following together after reading Rich's message. This has not
been tested yet.
#!/bin/bash

##### HEADER BEGINS #####
# scr_sys_deleteLKDC.bash
#
# Created 20090121 by Miles A. Leacy IV
# miles.leacy at themacadmin.com
# Modified 20090121 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as
# this header remains intact.
#
# This script is provided "as is". The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk. The author takes no
# responsibility for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon,
# or any other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test
# twice more.
#
# This script deletes Leopard's Local KDC and preps the system to
# create a new one on first boot.
# Use as an "after" script in your Casper core configuration.
#
##### HEADER ENDS #####

# Casper passes the target volume as $1. Refuse to run without it: with $1
# empty every path below would silently point at the booted system.
target="${1:?usage: $0 <target volume>}"

# Replace the System keychain so the new KDC is issued fresh keys
systemkeychain -k "$target/Library/Keychains/System.keychain" -C -f

# Remove the Local KDC database
rm -fr "$target/var/db/krb5kdc"

# Re-enable the launchd job that builds a new Local KDC on first boot
defaults delete "$target/System/Library/LaunchDaemons/com.apple.configureLocalKDC" Disabled

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

Bukira
Contributor

I found problems with LKDC when binding clients to the OD. Destroying the LKDC worked fine; not sure if this was fixed in an OS
update since I created my Base Image.

Criss

Criss Myers
Senior Customer Support Analyst (Mac Services)
Apple Certified Technical Coordinator v10.5
LIS Business Support Team
Library 301
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

Bukira
Contributor

I do pretty much the same as Thomas,

I install all Web 2.0 based apps such as Firefox, RealPlayer, Flash plugin, Shockwave plugin, Google Notifier, web links, Adobe Media Player, Flip4Mac, as well as the KeyServer client, Autobind, MSN, Growl, plus system hacks such as a modified login window, logout messages, an About This Mac hack; delete unwanted Utilities and apps such as AppleScript Editor, Mail, Chess etc.; relocate apps into different folders, such as an Accessories folder; install key drivers for added hardware. Remove all network device settings but Ethernet and set it to DHCP.

Then I bind to OD and AD to test with network users, and then unbind and make a master image.

I then use Casper to install applications, hooks, updates and patches, and local accounts, set the EFI password, add printers, and manage the clients with WGM.

Criss

Criss Myers
Senior Customer Support Analyst (Mac Services)
Apple Certified Technical Coordinator v10.5
LIS Business Support Team
Library 301
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

tlarkin
Honored Contributor

Yup, and when you are mass imaging thousands of machines, block copying one master image instead of a base image and then a bunch of separate packages is more efficient. I have a PDF that I am tossing together of the basics. Last summer when we reimaged 6,000 MacBooks I took a ton of AFP throughput graphs from our servers, both G5 desktops, G5 PPC Xserves and of course our new Intel Xserves.

AFP throughput drops tremendously when you have tons of unicasting connections that are pulling down packages at different times. Package based deployment is really nice and I love it, but when you are going to image thousands of machines at once you can chop off minutes per machine by doing a larger block copy of a complete image.

AFP kind of sucks in that sense. I have yet to try out the multicasting abilities of Casper.

Anyone use multi-casting with Casper?



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Bukira
Contributor

Not tried multicast as it's banned here. I used ARD, which multicasts, and that didn't go down well with the network guys.

If one can set multicast so it doesn't upset a network then I'd try it.

Criss Myers
Senior Customer Support Analyst (Mac Services)
Apple Certified Technical Coordinator v10.5
LIS Business Support Team
Library 301
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

tlarkin
Honored Contributor

Yeah, I tried it once about 2 years ago at my previous job. Ultimately, our old Cisco guy was pretty much a hater of letting us try anything different. We found that PortFast and spanning tree did not like our multicasting ways. We tried it on an unmanaged switch but didn't see any performance increases. I suspect you only see performance boosts when you are multicasting 100s of machines at a time.

I don't think we even have the space to set up 100 macbooks and image them at once. That would be a lot of data drops and patch cables in one set area.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

milesleacy
Valued Contributor

I haven't had a chance to use the Casper Multicast app from the Resource Kit
yet.
If your organization is big enough to have twitchy network guys, hopefully
its big enough to have a lab where you can have your own isolated switch on
which to run multicast sessions.

If you do have a dedicated network group, keep in mind that you're their
customer much as the end user is your customer. Request a network segment
where you *can* multicast. This is a request for technology needed to
perform your job, and it's as valid as a graphic designer requesting a
Photoshop installation. Be nice, try not to be the kind of user you dislike
dealing with, but at the same time, understand that you are requesting
something that is both possible and necessary. Don't be afraid to resort to
bribery. Donuts, Mountain Dew & beer are some generally accepted geek
bribes.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

hahahaha mountain dew and donuts. I used to bring in home made
meatballs (family recipe) and our old Cisco guy would snarf them up,
still wouldn't give me access to a switch. At my current job my Cisco guy
is way cooler and way more laid back. He would give me a switch (if he
can spare it) to test things like this out, whereas at my last job the guy
was a nut job and super secretive.



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

Bukira
Contributor

Well, some of our network guys are super paranoid and what they don't know
scares them, and they don't know Macs, but the head of networks is my old
boss and mate so I can get things via him.

With Remote Desktop and Task Server (which uses multicast but doesn't
document that anywhere) I used an unmanaged 1Gb switch and pushed
software packages out via ARD to 40 Macs and it was way faster.

Can Casper's multicast be edited to only multicast to certain IPs etc.? I
don't really know multicast.

The Macs being 1Gb had no problem with multicast but we still have
servers on 10Mb and it took them down.

We were meant to have a separate VLAN for the Macs but again networks
won't do it, and seeing as we have 250 Macs and 5000 PCs they won't submit.

Criss Myers
Senior Customer Support Analyst (Mac Services)
Apple Certified Technical Coordinator v10.5
LIS Business Support Team
Library 301
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

milesleacy
Valued Contributor

What would happen in your organization if you refused to deploy an
application that an end user needed? If someone in your organization
refuses to deliver a necessary item to you, it's an analogous situation.

If you've been as nice as you can be and followed any established policies
and/or processes involved, yet someone refuses to give you something that is
both possible and necessary to your job, I'd say that's a matter to take to
your boss and possibly theirs as well. Just be sure you've exhausted all
diplomatic possibilities before escalating the issue.
----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

Not applicable

Hello,

> AFP throughput drops tremendously when you have tons of unicasting connections that are pulling down packages at different times. Package based deployment is really nice and I love it, but when you are going to image thousands of machines at once you can chop off minutes per a machine by doing a larger block copy of a complete image.

AFP suffers massive penalties the more connections and more file accesses you do (DMGs are usually OK if you have good FS caches, but lots of small files will punish). If the network is set up properly, multicasting can do effectively 1 to thousands of computers without too much of a problem. We blast over 17 GiB (compressed) to about 40 computers at a time and it will finish in a guaranteed 40 or so minutes (we could probably trim it down to 35 or 30 minutes if we push the data rate, but you run the risk of packet loss). Our main limiting factor is space to set up laptops with power/connectivity for NetBoot. Adding additional switches for 20+ laptops at a time is not a problem except for NetBoot (if I make a custom MC image that would work OK).

Cisco switches require IGMP snooping and the querier running to handle clients joining and leaving the multicast network properly. In addition, the port interfaces require IGMP snooping TCN flood to be disabled so that if new clients join/connect to the port they don't get swamped with packets of multicast data, especially if you mix 10/100 and Gigabit devices. In a controlled network this should be possible (i.e., private network + switches); otherwise some work will be needed to support it on the internal networks, as people mention.

Testing is essential: you can easily start getting hundreds of MB/s going over multicast if you have multiple images running simultaneously, which can hammer a Gig to 100 MBps connection easily when they each start going at 15+ MiB/sec.

> AFP kind of sucks in that sense. I have yet to try out the multi-casting abilities of Casper. Anyone use multi-casting with Casper?

We don't use Casper for multicasting but I'd imagine a script could be made after NetBoot into Casper Imaging to accept a connection to restore a large disk image via multicast. At the moment we use multicast via asr to dump the image, then restart and join Casper afterwards. The setup usually is to configure the server with multiple multicast IPs and ports (i.e., 224.x.x.31:7831, 224.x.x.32:7832) in the asr plist configuration and adjust the multicast data rates to avoid packet loss. So, probably easiest to start with an unmanaged switch (or a good quality one if you plan on multiple multicasts), private network + private Gig Ethernet connection and test from there.

Philip
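The server configuration Philip describes, as an added example that is not from his post or from Apple's asr tooling: a small shell script that writes an asr multicast configuration plist for stream n and prints the server and client commands that go with it. The 239.192.0.0/14 addresses, the 7831-and-up port scheme and the 15 MiB/s rate are assumptions patterned on the post; the plist key names are the ones asr(8) documents on Leopard-era systems and should be checked against `man asr` on the server actually used.

```shell
#!/bin/sh
# Added example, not from the post above: generate the asr server plist
# for one multicast stream and print the server/client commands it pairs
# with. Assumed values: addresses in 239.192.0.0/14 (organization-local
# scope, so the stream cannot leak beyond the site), ports from 7831 up,
# and a data rate given in MiB/s. Key names follow asr(8) on Leopard-era
# systems; confirm them with `man asr` on your server.
set -e

# write_asr_config <plist> <multicast addr> <port> <bytes per second>
write_asr_config() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Multicast Address</key>
    <string>$2</string>
    <key>Port</key>
    <integer>$3</integer>
    <key>Data Rate</key>
    <integer>$4</integer>
    <key>Multicast TTL</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Stream n uses 239.192.0.(30+n) on port 7830+n, mirroring the .31:7831,
# .32:7832 scheme from the post, so several images can run side by side.
stream_addr() { echo "239.192.0.$((30 + $1))"; }
stream_port() { echo $((7830 + $1)); }
mib_to_bytes() { echo $(($1 * 1024 * 1024)); }

# write_stream_config <plist> <stream number> <rate in MiB/s>
write_stream_config() {
  write_asr_config "$1" "$(stream_addr "$2")" "$(stream_port "$2")" "$(mib_to_bytes "$3")"
}

# The image must be scanned before asr will serve it; the scan also
# produces the checksums asr verifies on the client side.
server_cmd() { echo "asr imagescan --source $1 && asr server --source $1 --config $2"; }
client_cmd() { echo "asr restore --source asr://$1 --target $2 --erase"; }

# Switch side (Cisco IOS, per the post above; names vary by platform):
#   ip igmp snooping                 (global)
#   ip igmp snooping querier         (global, when no PIM router is present)
#   no ip igmp snooping tcn flood    (on the client-facing ports)

if [ $# -ge 2 ]; then           # e.g. ./asrmc.sh master.dmg 1 15
  cfg="asr-stream-$2.plist"
  write_stream_config "$cfg" "$2" "${3:-15}"
  server_cmd "$1" "$cfg"
  client_cmd "$(hostname)" "/Volumes/Macintosh HD"
fi
```

Organization-local (239/8) addresses and a TTL of 1 keep the stream from wandering beyond the imaging segment even when the switch configuration is wrong, which is the part of the network the thread says is most often out of the Mac admin's hands. "Data Rate" is the knob the post trades against packet loss, so raise it in steps and watch for clients failing verification rather than jumping straight to the link rate.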