NetSUS - From Vanilla to Production

steven_luke
New Contributor

Hey everyone,
For anyone interested, I thought I'd share my experiences going from a fresh install of NetSUS to production. Due to the lack of how-tos and going on Google sprees, I spent about a week trying to figure out how to take JAMF's NetSUS appliance and get it running in a production-like environment, so consider this a helpful "how-to install" for NetSUS 4.1.0.

My environment
- Fresh install of RHEL (6.8) / CentOS 7. No web client was installed; the installer will attempt to install httpd (apache2) on the server
- Git Clone of 4.1.0 https://github.com/jamf/NetSUS.git

Steps:
1: Some prep work from the command prompt:

        yum install git
        cd /directory/this/git/will/be/in
        git clone https://github.com/jamf/NetSUS.git

2: Now to run the installer:

        cd NetSUS
        sudo ./CreateNetSUSInstaller.sh
        sudo ./NetSUSLPInstaller.run

Y for standalone install and Y to proceed
Enter in a new password when prompted
The Reposado application https://github.com/wdas/reposado will also get installed, which you will need to configure further later on for collecting the latest updates.
3: If you open up the web admin console now (https://your.address/webadmin), you might notice some errors appearing on the webpage, specifically branches being created with the names of "Could not save settings /var/appliance/conf/appliance.conf.xml".
Fear not. This is a fixable bug. In terminal all you need to enter is

        sudo chown apache:root /var/appliance/conf/appliance.conf.xml

After entering this in, you will need to restart your server (there might be a more elegant way to refresh the page; a sudo service httpd restart did not do anything).
4: You should now be able to log into your webadmin console and start collecting updates, with one catch. It does not include all the latest updates, specifically OS updates.
To get these updates you will need to modify the preferences.plist file which gets created in the /var/lib/reposado directory.
5: Once you have navigated to the reposado directory, you will need to modify the preferences.plist file with your favorite text editor. You will need to add the following lines to the dict (I added mine after the last <string> line):

        <key>AppleCatalogURLs</key>
        <array>
                <string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
                <string>http://swscan.apple.com/content/catalogs/index-1.sucatalog</string>
                <string>http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog</string>
                <string>http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog</string>
                <string>http://swscan.apple.com/content/catalogs/others/index-lion-snowleopard-leopard.merged-1.sucatalog</string>
                <string>http://swscan.apple.com/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
                <string>https://swscan.apple.com/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
                <string>https://swscan.apple.com/content/catalogs/others/index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
                <string>https://swscan.apple.com/content/catalogs/others/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
                <string>https://swscan.apple.com/content/catalogs/others/index-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog</string>
        </array>

6: A quick FYI. From what I can tell, the updates and all related data get stored in the /srv/SUS directory under http and metadata. I would highly encourage you to mount a second drive to the /srv/ directory or to increase your server's storage capacity. I did not do this, which ended up in me being unable to log into my NetSUS webadmin console (ssh worked though). I had to clear out those directories to be able to sign back into the webadmin console.
7: Next you will want to modify the repo_sync Python file by going to line 300 and changing that line to

        print >> fileobj, 'ciphers = ' # use only >=128 bit SSL

This will ignore an error about HTTPS ciphers, which will allow you to load the repos from Apple.

8: Almost done! Now all you need to do is to update your repos by running sudo python repo_sync and let your server spend the next 5+ minutes checking for updates.

If any of you have any suggestions for edits to this document or know of a better way to implement NetSUS, please let me know. I will add edits and corrections as improvements come along.

Cheers!

1 REPLY

MacSysAdmin
Contributor

2 - Just download the NetSUSLPInstaller.run file.
5 - You are syncing updates from 10.3-10.12. Do you really support all of those OS's? You really should only need the last 3. 2 if your environment is up to date.
6 - If you clear out the updates then the next time you sync it will just re-download them and you will have the same problem. See above about why.
7 - You can also just add the following to the preferences.plist

        <key>AdditionalCurlOptions</key>
        <array>
                <string>ciphers = "rsa_aes_128_sha,rsa_aes_256_sha,rsa_3des_sha"</string>
        </array>

Side Note - If you are doing a clean install of Cent or RHEL then you didn't partition the drive correctly and gave too much space to the /home partition. You need to adjust that during the install and give it to root instead.
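
Added example, not part of the thread and not NetSUS or reposado code: a Python 3 script that applies step 5 of the post and points 5 and 7 of the reply to preferences.plist with plistlib, then flags catalog URLs fetched over plain HTTP and 3DES in the cipher list. The sample plist contents and the function names are constructed for illustration; the catalog URLs and the cipher string are copied from the posts above.

```python
import plistlib

# Constructed stand-in for /var/lib/reposado/preferences.plist (placeholder values).
SAMPLE_PREFS = plistlib.dumps({
    "LocalCatalogURLBase": "https://sus.example.com",
    "UpdatesMetadataDir": "/srv/SUS/metadata",
})

BASE = "swscan.apple.com/content/catalogs/others/"
TAIL = "mountainlion-lion-snowleopard-leopard.merged-1.sucatalog"
# The three newest catalogs from the post's list (the reply's "last 3" advice).
CATALOGS = [
    "https://" + BASE + "index-10.10-10.9-" + TAIL,
    "https://" + BASE + "index-10.11-10.10-10.9-" + TAIL,
    "https://" + BASE + "index-10.12-10.11-10.10-10.9-" + TAIL,
]
# Cipher option exactly as given in the reply.
CURL_OPTIONS = ['ciphers = "rsa_aes_128_sha,rsa_aes_256_sha,rsa_3des_sha"']


def set_sync_prefs(plist_bytes, catalogs, curl_options):
    """Return new plist bytes with both keys set; existing keys are kept."""
    prefs = plistlib.loads(plist_bytes)
    prefs["AppleCatalogURLs"] = list(catalogs)
    prefs["AdditionalCurlOptions"] = list(curl_options)
    return plistlib.dumps(prefs)


def audit_prefs(plist_bytes):
    """Report catalog URLs fetched over plain HTTP and 3DES in the cipher list."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    for url in prefs.get("AppleCatalogURLs", []):
        if url.lower().startswith("http://"):
            findings.append("plaintext catalog URL: " + url)
    for opt in prefs.get("AdditionalCurlOptions", []):
        name, _, value = opt.partition("=")
        if name.strip() == "ciphers":
            for cipher in value.strip().strip('"').split(","):
                if "3des" in cipher.lower():
                    findings.append("legacy cipher: " + cipher.strip())
    return findings


if __name__ == "__main__":
    updated = set_sync_prefs(SAMPLE_PREFS, CATALOGS, CURL_OPTIONS)
    print(updated.decode())
    for finding in audit_prefs(updated):
        print("WARN", finding)
```

On the server, the bytes would come from /var/lib/reposado/preferences.plist and the result would be written back before running repo_sync, which leaves repo_sync itself unmodified.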