Mac OS X Server Introduction to Command-Line Administration Version 10.
Apple Inc. © 2009 Apple Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Apple. The Apple logo is a trademark of Apple Inc., registered in the U.S. and other countries. Use of the “keyboard” Apple logo (Option-Shift-K) for commercial purposes without the prior written consent of Apple may constitute trademark infringement and unfair competition in violation of federal and state laws.
Contents

Preface: About This Guide
    What’s in This Guide
    Using Onscreen Help
    Documentation Map
    Viewing PDF Guides Onscreen
    Printing PDF Guides
    Getting Documentation Updates
    Getting Additional Information
Chapter 1: Introduction to the Command-Line Environment
    The Command-Line Environment
    UNIX
    The Shell
    Accessing the Shell
    Local Access
    Remote Access
    Closing the
Chapter 2: Using the Command-Line Shell Interactively
Chapter 3: Scripting the Command Line
    What is a Shell Script?
    Monitoring and Restarting Critical Services with launchd
    Scheduling a Shell Script to Run at Specific Times
    Scheduling tasks with launchd
Chapter 4: Connecting to Remote Computers
    SSH
    How SSH Works
    Generating Key Pairs for Key-Based SSH Connections
    Updating SSH Key Fingerprints
    An SSH Man-in-the-Middle Attack
    Controlling Access to SSH Service
    Connecting to a Remote Computer Using SSH
    Apple Remote
Preface About This Guide This guide provides a starting point for administering Mac OS X Server using command-line tools. Introduction to Command-Line Administration supplements the information in the other advanced administration guides. It provides information useful to building workflows and remote administration practices beyond the use of Server Admin and Workgroup Manager. The information in this guide isn’t specific to any particular technology, but is relevant to many server technologies.
Using Onscreen Help
You can get task instructions onscreen in Help Viewer while you’re managing Snow Leopard Server. You can view help on a server, or on an administrator computer. (An administrator computer is a Mac OS X computer with Snow Leopard Server administrator software installed on it.)
To get the most recent onscreen help for Mac OS X Snow Leopard Server:
• Open Server Admin or Workgroup Manager and then:
  • Use the Help menu to search for a task you want to perform.
Documentation Map Snow Leopard has a suite of guides that cover management of individual services. Each service may be dependent on other services for maximum utility. The documentation map below shows some related documentation that you may need in order to fully configure your desired service to your specifications. You can get these guides in PDF format from the Mac OS X Server Resources website: http://www.apple.
Printing PDF Guides
If you want to print a guide, you can take these steps to save paper and ink:
• Save ink or toner by not printing the cover page.
• Save color ink on a color printer by looking in the panes of the Print dialog for an option to print in grays or black and white.
• Reduce the bulk of the printed document and save paper by printing more than one page per sheet of paper. In the Print dialog, change Scale to 115% (155% for Getting Started).
Getting Additional Information
For more information, consult these resources:
• Read Me documents—get important updates and special information. Look for them on the server discs.
• Mac OS X Server website (www.apple.com/server/macosx/)—enter the gateway to extensive product and technology information.
• Mac OS X Server Support website (www.apple.com/support/macosxserver/)—access hundreds of articles from Apple’s support organization.
• Apple Discussions website (discussions.apple.
Chapter 1: Introduction to the Command-Line Environment
Use this chapter to determine when to use command-line tools and to understand the fundamentals of how to use them. A command-line interface (CLI) is an alternative to graphical applications for interacting with and controlling your computer. Mac OS X Server provides graphical applications—primarily, Server Admin and Workgroup Manager—to address common administration tasks.
The Command-Line Environment
This section gives some background information about UNIX and shells. Both are important for understanding the command-line environment in Mac OS X Server.
UNIX
Mac OS X and Mac OS X Server are built on the foundation of the UNIX operating system. UNIX-based operating systems include BSD, GNU/Linux, AIX, and Solaris. The shared heritage of these operating systems means that many programs are compatible across this larger family with minimal changes.
Logging In from Terminal To open Terminal, click the Terminal icon in the dock or double-click the application icon in the Finder (in /Applications/Utilities/). Each window in Terminal represents another instance of a shell process. Terminal presents a prompt when it’s ready to accept a command. The prompt you see depends on your Terminal and shell preferences, but it often includes the name of the host you’re logged in to, your current working folder, your user name, and a prompt symbol.
The following processes and services aren’t running if you boot into single-user mode:
• Directory Services
• Kerberos
• syslogd
• mDNSResponder
• securityd (and many related security processes)
• Spotlight
• Any other server services (such as Mail Server, Web Server, or Wiki Server) you may have configured

X11
X11 is a windowing system traditionally used in UNIX-based operating systems. Although Mac OS X Server is a UNIX operating system, it doesn’t use X11 as its windowing system.
For example, to run the ls command in the current user’s home folder, you could enter the following at the command line and press Return:
host:~ mariah$ ls
The shell looks through the folders listed in the PATH variable, in order, until it finds a program named ls; in this case, it finds ls in /bin and runs /bin/ls. To run a program that’s stored in the current user’s home folder rather than in a PATH folder, precede its name with the folder specifier.
Specifying Files and Folders
Most commands operate on files and folders, whose locations are identified by paths. The folder names that make up a path are separated by slashes. For example, the path to the Terminal application is /Applications/Utilities/Terminal.app. Standard shortcuts used to represent specific folders are shown in the following table. They are specified relative to the current folder, and can eliminate the need to enter full paths.
Shortcut  Description
.
Commands Requiring Root or Administrator Privileges
Many commands used to manage a server must be executed by an administrator user or the root user. For example, entering:
server:~ mariah$ shutdown
gives you the following error:
shutdown: NOT super-user
This is because the shutdown command can be run only by the root user or by an administrative user with special privileges. To run commands in this “super user” mode, use the sudo command. sudo stands for “super user do.”
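The PATH lookup described above matters most when the command runs under sudo: whichever PATH folder holds a file with the command’s name wins, so a world-writable folder or a relative entry in PATH lets any local user plant a program that root then runs. The shell script below is an added example, not code from this guide: resolve_cmd shows which file a command name resolves to, and path_audit flags the PATH entries that make that lookup unsafe. The function names are this example’s own.

```shell
#!/bin/sh
# Added example: check what a command name resolves to, and whether PATH
# contains folders an attacker could write to. Function names are this
# example's own; they are not Mac OS X tools.

# resolve_cmd NAME: print the file the shell would run for NAME (the first
# PATH folder containing it). Non-zero exit status if nothing matches.
resolve_cmd() {
    command -v "$1"
}

# path_audit [PATHSTRING]: print one line per risky entry in PATHSTRING
# (default: the current PATH). Risky means:
#   - an empty or relative entry, which is searched relative to the current
#     folder, so a file dropped in whatever folder you happen to be in wins;
#   - a world-writable folder, where any local user can plant a program.
# Returns 1 if anything was flagged, 0 if PATH looks safe.
path_audit() {
    _rest="${1:-$PATH}:"
    _flagged=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}          # entry before the first colon
        _rest=${_rest#*:}          # everything after it
        case $_dir in
            '')  echo "empty entry (current folder): risky"; _flagged=1; continue ;;
            /*)  ;;                # absolute: check its permissions below
            *)   echo "$_dir: relative entry: risky"; _flagged=1; continue ;;
        esac
        if [ -d "$_dir" ]; then
            # the 9th character of `ls -ld` output is the "other" write bit
            if [ "$(ls -ld "$_dir" | cut -c9)" = w ]; then
                echo "$_dir: world-writable: risky"; _flagged=1
            fi
        fi
    done
    return "$_flagged"
}

# Typical use before running anything as root (not executed here):
#   path_audit && sudo /sbin/shutdown -r now
```

Run path_audit in the account you administer from before the first sudo of a session; a clean result means the names you type resolve to the system folders you expect. When it flags something, fix the folder’s permissions or remove the entry from PATH rather than typing full paths for a while and forgetting.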
To view a list of options and parameters you can use with the command:
Enter the command without options or parameters:
$ sudo serveradmin
Some commands don’t have onscreen help.

Using Man Pages
Most command-line documentation comes in man pages. Man pages provide reference information for shell commands, tools, and high-level concepts. To access a man page entry:
$ man command
Replace command with the name of the command you want to find information about.
Not all commands and tools have man pages. Some tools use info pages instead, and some have no documentation at all. For more information about info pages, see “Using Info Pages” later in this chapter. You can also access command information using the help command, and sometimes information is displayed if you enter the command without options or parameters.

Using Info Pages
Some commands use info pages to display their documentation. Primarily these are software packages that come from the GNU project.
Chapter 2: Using the Command-Line Shell Interactively
Use this chapter to learn about using the command line by typing commands. You can use the command-line environment in Mac OS X and Mac OS X Server interactively by typing a command and waiting for a result, or you can use the shell to compose scripts that run without direct interaction. This chapter discusses using the command-line environment interactively. For more information about using a particular shell interactively, see the man page for that shell.
Redirecting Input and Output From the command line, you can redirect input and output from a command to a file, or to another command. Redirect output from the command if you want to capture the results of running the command and store it in a file for later use. Similarly, redirect input from a file to the command if you want to provide the command with preset input data, instead of needing to enter that data.
Using Environment Variables The shell uses environment variables to store information, such as the name of the current user, the name of the host computer, and the default paths to any commands. Environment variables are inherited by all commands executed in the shell’s context, and some commands depend on environment variables. You can create environment variables and use them to control the behavior of a command without modifying the command itself.
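As an added example that isn’t part of this guide, the script below puts the two preceding sections to work. run_logged sends a command’s standard output and standard error to separate files and keeps its exit status, which is what a scheduled job needs so that failures are both recorded and reported; run_both shows why the order of redirections matters; run_clean starts a command with env -i so that only the environment variables you name reach it, which keeps a caller’s PATH, locale, or DYLD_ settings from changing what an administrative command does. The helper names and the log folder layout are this example’s own.

```shell
#!/bin/sh
# Added example: capturing output and controlling the environment of
# administrative commands. Function names are this example's own.

# run_logged LOGDIR NAME COMMAND [ARGS...]
# Standard output goes to LOGDIR/NAME.out, standard error to LOGDIR/NAME.err,
# and the exit status to LOGDIR/NAME.status. The function returns the
# command's own status, so "run_logged ... || notify_admin" still works.
run_logged() {
    _dir=$1 _name=$2
    shift 2
    "$@" > "$_dir/$_name.out" 2> "$_dir/$_name.err"
    _rc=$?
    echo "$_rc" > "$_dir/$_name.status"
    return "$_rc"
}

# run_both LOGFILE COMMAND [ARGS...]
# Both streams into one file, in order. Redirections apply left to right:
# ">" first points stdout at the file, then "2>&1" points stderr at wherever
# stdout now goes. Written the other way round ("2>&1 >file"), stderr would
# still go to the terminal.
run_both() {
    _file=$1
    shift
    "$@" > "$_file" 2>&1
}

# run_clean COMMAND [ARGS...]
# Start COMMAND with an empty environment, then pass through only the
# variables listed. Anything else the calling shell exported (a modified
# PATH, DYLD_INSERT_LIBRARIES, a stray LANG) never reaches the command.
run_clean() {
    env -i PATH=/usr/bin:/bin:/usr/sbin:/sbin HOME="${HOME:-/}" LANG=C "$@"
}

# Example use (not executed here):
#   run_logged /var/log/maint backup /usr/bin/rsync -a /Users /Volumes/Backup/Users
#   run_clean /usr/sbin/softwareupdate -l
```

The .status file is the part people forget: a job that writes a log but loses its exit status looks successful to launchd, cron, and whoever reads the folder a week later.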
Repeating Commands To repeat a command, press the Up Arrow key until you see the command, then make any modifications and press Return. Including Paths Using Drag and Drop To include a fully qualified filename or folder path in a command, you can drag the file or folder from a Finder window to the Terminal window.
Chapter 3: Scripting the Command Line
Instead of entering commands and waiting for their responses, you can compose scripts that are run without direct interaction. This chapter discusses some basics of shell scripting on Mac OS X, including automation and scheduling, as well as a brief overview of what a shell script is. It does not provide information on writing shell scripts in general. For information about how to write shell scripts, see the Shell Scripting Primer on the Apple Developer Connection website.
You need to use the chmod tool to indicate to the operating system that the text file is executable (that is, its contents can be run as a program). To make a shell script executable:
chmod 755 YourScriptName.sh
Mode 755 lets every user on the computer read and run the script; for a script that only its owner should run, 700 is the stricter choice. After making the shell script executable, you can run it by entering its pathname. For example:
~/Documents/Dev/YourScriptName.sh
or
cd ~/Documents/Dev/
./YourScriptName.sh
For more information about using chmod, see its man page.
Note: In earlier versions of Mac OS X and Mac OS X Server, system administrators used the watchdog daemon to monitor critical services or modified the rc scripts. These are no longer supported and should be replaced with calls using launchd.
The first crontab entry repairs disk permissions for the MacHD volume at 18:30 every day, Monday through Friday:
30 18 * * 1-5 diskutil repairPermissions /Volumes/MacHD
The second crontab entry schedules a repair volume operation to run at 23:50 every Sunday:
50 23 * * 0 diskutil repairVolume /Volumes/MacHD

Scheduling tasks with launchd
You can use launchd instead of cron to schedule tasks.
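The launchd equivalent of a crontab line is a property list with a StartCalendarInterval dictionary, and the rules for loading it are where mistakes usually happen. The script below is an added example, not code from this guide: launchd_calendar_plist writes the plist for a given hour, minute, and set of weekdays, and install_launch_daemon puts it in /Library/LaunchDaemons with the ownership launchd insists on. The job labels, the /usr/sbin/diskutil path, and the helper names are this example’s assumptions; the two crontab entries above are the inputs it is written for.

```shell
#!/bin/sh
# Added example: turning a crontab line into a launchd calendar job.
# Label names, the diskutil path and the helper names are this example's own.

# xml_escape TEXT: make TEXT safe to place inside an XML element.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# launchd_calendar_plist LABEL HOUR MINUTE WEEKDAYS PROGRAM [ARGS...]
# Print a job definition equivalent to the crontab line
#   MINUTE HOUR * * WEEKDAYS PROGRAM ARGS
# WEEKDAYS is "*" (every day) or a space-separated list of cron weekday
# numbers (0 or 7 = Sunday). Each weekday becomes one StartCalendarInterval
# dictionary; launchd fires the job when any dictionary matches, so cron's
# "1-5" is written here as "1 2 3 4 5".
launchd_calendar_plist() {
    _label=$1 _hour=$2 _minute=$3 _days=$4
    shift 4
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' '<dict>'
    printf '    <key>Label</key>\n    <string>%s</string>\n' "$(xml_escape "$_label")"
    # launchd gives jobs a minimal PATH, so the program path must be absolute.
    printf '    <key>ProgramArguments</key>\n    <array>\n'
    for _arg; do
        printf '        <string>%s</string>\n' "$(xml_escape "$_arg")"
    done
    printf '    </array>\n    <key>StartCalendarInterval</key>\n'
    if [ "$_days" = '*' ]; then
        printf '    <dict>\n'
        printf '        <key>Hour</key>\n        <integer>%s</integer>\n' "$_hour"
        printf '        <key>Minute</key>\n        <integer>%s</integer>\n' "$_minute"
        printf '    </dict>\n'
    else
        printf '    <array>\n'
        for _d in $_days; do
            if [ "$_d" = 7 ]; then _d=0; fi     # launchd names Sunday 0
            printf '        <dict>\n'
            printf '            <key>Hour</key>\n            <integer>%s</integer>\n' "$_hour"
            printf '            <key>Minute</key>\n            <integer>%s</integer>\n' "$_minute"
            printf '            <key>Weekday</key>\n            <integer>%s</integer>\n' "$_d"
            printf '        </dict>\n'
        done
        printf '    </array>\n'
    fi
    printf '%s\n' '</dict>' '</plist>'
}

# install_launch_daemon LABEL  (plist text on standard input; run as root)
# System-wide jobs live in /Library/LaunchDaemons. launchd refuses a plist
# there that is not owned by root or that group or others can write, so fix
# ownership and mode before loading; -w also marks the job enabled.
install_launch_daemon() {
    _f="/Library/LaunchDaemons/$1.plist"
    cat > "$_f" && chown root:wheel "$_f" && chmod 644 "$_f" && launchctl load -w "$_f"
}

# The guide's two crontab lines as launchd jobs (not executed here; save this
# file as /usr/local/sbin/mkjob.sh and run each line under sudo sh -c):
#   . /usr/local/sbin/mkjob.sh; launchd_calendar_plist com.example.repairpermissions 18 30 "1 2 3 4 5" \
#       /usr/sbin/diskutil repairPermissions /Volumes/MacHD | install_launch_daemon com.example.repairpermissions
#   . /usr/local/sbin/mkjob.sh; launchd_calendar_plist com.example.repairvolume 23 50 0 \
#       /usr/sbin/diskutil repairVolume /Volumes/MacHD | install_launch_daemon com.example.repairvolume
```

The ownership check is the practical difference from cron: a LaunchDaemons plist that a non-root user can edit would be a way to run arbitrary commands as root, so launchd skips it with a “dubious ownership” message instead of loading it.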
Chapter 4: Connecting to Remote Computers
Learn about using the command line on remote computers. If you need to run command-line tools on remote computers, there are tools to help you. This chapter discusses some of the most commonly used tools and provides some tips for getting started.
• The remote computer attempts to authenticate the user with an RSA or DSA key pair. If this isn’t possible, the user is prompted for a user name and password for an account on the remote computer.
• After successful authentication, the session begins. A remote shell, a secure file transfer, a remote command, or other action can take place through the encrypted tunnel.
To generate the identity key pair:
1 Enter the following command on the local computer:
$ ssh-keygen -t dsa
2 When prompted, enter a filename in the user’s home folder to save the keys in; then enter a passphrase and confirm it. For no passphrase, don’t enter anything when prompted; just press Return. A key without a passphrase can be used by anyone who can read the private key file, so keep that file readable by its owner only. For example:
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/mariah/.
A Key-Based SSH Scripting Example A cluster of servers is an ideal environment for using key-based SSH. The following Perl script is a trivial scripting example, and it shouldn’t be implemented. It demonstrates connecting over an SSH tunnel to each server defined in the variable serverList, running softwareupdate, installing available updates, and restarting each server if necessary. The script assumes that key-based SSH has been properly set up for the root user on all servers to be updated.
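A key that lets a script log in as root on every server is a high-value target, so the key itself should be limited to the one job the script performs. The script below is an added example, not the Perl script referred to above: it generates an RSA pair for the job, builds an authorized_keys line that accepts that key only from the administration host’s address pattern and forces the update command regardless of what the client asks to run, and scans an authorized_keys file for keys that carry no such restriction. The address pattern, the forced command (/usr/sbin/softwareupdate -i -a), and the function names are this example’s assumptions.

```shell
#!/bin/sh
# Added example: a key that can do only the cluster-update job.
# The address pattern, the forced command and the helper names are this
# example's assumptions, not the guide's.

# make_update_key DIR: create DIR/cluster_update and DIR/cluster_update.pub.
# RSA rather than DSA: DSA keys are fixed at 1024 bits and OpenSSH 7.0 and
# later refuse ssh-dss keys by default. -N '' gives the passphrase-less key
# an unattended script needs, so the private file must stay mode 0600 on a
# host that only administrators can log in to.
make_update_key() {
    ssh-keygen -t rsa -b 4096 -N '' -C cluster-update -f "$1/cluster_update"
}

# restricted_key_line FROM_PATTERN COMMAND PUBKEY_LINE
# Build the authorized_keys entry to install on each server. sshd then:
#   from=      accepts the key only from clients matching the pattern;
#   command=   runs COMMAND whatever the client asked for (the request is
#              still visible to COMMAND as $SSH_ORIGINAL_COMMAND);
#   no-*       refuses port, agent and X11 forwarding and a terminal, none
#              of which a softwareupdate run needs.
restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# unrestricted_keys FILE: print every key in an authorized_keys file that
# has no command= restriction. Exit status 0 only if all keys are restricted.
unrestricted_keys() {
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|'#'*)    continue ;;   # blank line or comment
            *command=*) continue ;;   # forced command present
        esac
        printf '%s\n' "$_line"
        _n=$((_n + 1))
    done < "$1"
    [ "$_n" -eq 0 ]
}

# Setting it up from the administration host (not executed here):
#   make_update_key ~/.ssh
#   restricted_key_line '10.0.1.*' '/usr/sbin/softwareupdate -i -a' \
#       "$(cat ~/.ssh/cluster_update.pub)" \
#       | ssh root@server1 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
#   ssh -i ~/.ssh/cluster_update root@server1     # runs the forced command only
#   scp root@server1:.ssh/authorized_keys /tmp/server1.keys && unrestricted_keys /tmp/server1.keys
```

If the job needs more than one command on the server (the update, then a restart), point command= at a small wrapper script there that reads SSH_ORIGINAL_COMMAND and runs only those two; the key still cannot open a general shell.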
Be sure this is the correct key before accepting it. If possible, give users the server’s host key fingerprint through a channel whose integrity they can trust (for example, read from the server’s own console, or published on a web page served over HTTPS), so they can check the identity of the server before accepting the key; a fingerprint delivered over an unauthenticated channel such as FTP or plain email can be replaced just as easily as the key itself. If you later see a warning message about a man-in-the-middle attack (see below) when you try to connect, it might be because the key on the remote computer no longer matches the key stored on the local computer.
Important: Removing a host key from the known_hosts file bypasses a security mechanism that would help you avoid imposters and man-in-the-middle attacks. Before you delete a host key from the known_hosts file, be sure you understand why the key on the remote computer has changed. Controlling Access to SSH Service You can use Server Admin to control which users can open a command-line connection using the ssh tool in Terminal. Users with administrator privileges can always open a connection using SSH.
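The man-in-the-middle warning is the client comparing the key the server presents with the one pinned in ~/.ssh/known_hosts; the right response is to find out which key is correct, not to delete the line. The following is an added example, not code from this guide, of doing that comparison explicitly: known_hosts_key pulls the pinned key for a host out of a known_hosts file, and check_host_key reports whether a key obtained now (for instance with ssh-keyscan, which is itself unauthenticated) matches it. The function names are this example’s own, and hashed entries (HashKnownHosts) are skipped; use ssh-keygen -F for those.

```shell
#!/bin/sh
# Added example: compare a server's current host key with the one pinned in
# known_hosts. Function names are this example's own.

# known_hosts_key FILE HOST: print "TYPE KEY" for HOST from a known_hosts
# file. Handles plain entries, whose first field is a comma-separated list
# of names and addresses (a non-default port appears as [host]:port and
# must be passed in that form). Hashed entries (HashKnownHosts yes, first
# field starting with "|1|") cannot be matched by name and are skipped.
# Exit status 1 if HOST has no entry.
known_hosts_key() {
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { next }            # comment or blank line
        substr($1, 1, 3) == "|1|" { next }       # hashed entry
        substr($1, 1, 1) == "@" { next }         # @cert-authority / @revoked markers
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_host_key FILE HOST TYPE KEY: compare the key the server offers now
# (TYPE and KEY, e.g. the 2nd and 3rd fields of "ssh-keyscan -t rsa HOST")
# with the pinned one. Prints MATCH, CHANGED or UNKNOWN; exit 0 only on MATCH.
check_host_key() {
    _stored=$(known_hosts_key "$1" "$2") || { echo UNKNOWN; return 2; }
    if [ "$_stored" = "$3 $4" ]; then
        echo MATCH
        return 0
    fi
    echo CHANGED
    return 1
}

# Use (not executed here). ssh-keyscan only reports what is on the wire now;
# the comparison with the pinned key, or with a fingerprint read on the
# server's own console, is what says whether that is right.
#   set -- $(ssh-keyscan -t rsa server1.example.com 2>/dev/null)
#   check_host_key ~/.ssh/known_hosts server1.example.com "$2" "$3"
#   ssh-keygen -lf /etc/ssh_host_rsa_key.pub     # on the server's console
#   ssh-keygen -R server1.example.com            # only after the new key is confirmed
```

When the answer is CHANGED and the new fingerprint has been confirmed out of band, remove the stale entry with ssh-keygen -R rather than by editing the file; it removes every line for that host and leaves a copy of the old file in known_hosts.old.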
Apple Remote Desktop
Apple Remote Desktop is a software package that’s available separately from Mac OS X Server. Apple Remote Desktop provides a command for sending a shell script or command to client computers, which lets you easily distribute and automate shell scripts. For more information, see the “UNIX Shell Commands” section of the Apple Remote Desktop Administrator Guide.

X11
X11 is the traditional windowing system of UNIX systems.
Chapter 5: Common Command-Line Tasks
This chapter discusses some of the most frequently used command-line tasks. If you’re new to the command-line environment, it helps to understand some common scenarios in which people frequently use the shell. This section explores some of those areas and provides some guidance on getting started using the shell in these situations.
For general-purpose work, it’s easiest to deal with one of the text editors included with Mac OS X. If you want to use a graphical text editor, use TextEdit (in /Applications/); otherwise, use one of the many command-line editors provided. The three most full-featured command-line text editors included with Mac OS X are:
nano
Nano is a simple command-line based editor. It’s a replacement for the Pico editor, so instructions for using the Pico editor can be used with nano.
Saving Text Files for UNIX Execution
When you edit text files for execution by UNIX utilities, you need to save the files properly so that they can be used (or executed) by their calling program. It’s especially important to use plain text and ensure that the privileges are correct.
Using plain text
Many graphical text editors, including TextEdit, save text files in a more complex format than most UNIX programs expect.
• plutil is a command-line tool that you can use to change a property list into a format you can edit with a text editor, and then change back to its binary format.
Using PlistBuddy to edit property lists
The PlistBuddy command is designed to easily read and modify values in a property list. If you know the values to set or read, you can quickly make changes with PlistBuddy. PlistBuddy works on specific property list files.
There are many other options for PlistBuddy that are invoked in a similar manner. For information about PlistBuddy, see its man page.
Using the defaults command to edit property lists
The defaults tool works directly with the Mac OS X preferences subsystem and is used by many applications in Mac OS X to manage preferences and other settings. It can be built into shell scripts and allows you to access preferences in the multiple domains that exist on a given computer.
Moving and Copying Files
You can move and copy files locally or remotely using the mv, cp, and scp commands.
Moving a file or folder locally
To move files or folders from one location to another on the same computer, use the mv command. The mv command moves the file or folder from its old location and puts it in the new location. For example, to move a file from your Downloads folder to a Work folder in your Documents folder:
mv ~/Downloads/MyFile.txt ~/Documents/Work/MyFile.
Compressing and Uncompressing File Archives Mac OS X and Mac OS X Server use the GNU tar utility to compress and uncompress files and folders. When sending folders and multiple files between computers, it's helpful to compress them into a single archive. This saves space, allows you to transfer just one item instead of many, and makes it easier to resume in case the task is suspended for some reason.
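An archive received from another computer decides where its contents go when you extract it, so the member list is worth reading before tar writes anything: an absolute path or a “..” component can put a file outside the folder you chose, including over a configuration file. The script below is an added example, not code from this guide: unsafe_archive_entries reads the output of tar tzf and prints the members that would escape, and safe_extract extracts only when that list is empty. The function names are this example’s own.

```shell
#!/bin/sh
# Added example: vet an archive's member list before extracting it.
# Function names are this example's own.

# unsafe_archive_entries: read member names on standard input (the output
# of "tar tzf ARCHIVE") and print every name that would land outside the
# extraction folder: an absolute path, or any ".." path component.
# Exit status 0 if at least one unsafe entry was found, 1 if none (like grep).
unsafe_archive_entries() {
    awk '
        /^\// { print; bad = 1; next }
        {
            n = split($0, part, "/")
            for (i = 1; i <= n; i++)
                if (part[i] == "..") { print; bad = 1; break }
        }
        END { if (bad) exit 0; exit 1 }
    '
}

# safe_extract ARCHIVE DEST: list first, extract only if the list is clean.
# Never add -P (keep absolute names) when unpacking something you did not
# create yourself; that switch turns the listing check back into a risk.
safe_extract() {
    mkdir -p "$2" || return 1
    if tar tzf "$1" | unsafe_archive_entries >&2; then
        echo "refusing $1: the entries above would escape $2" >&2
        return 1
    fi
    tar xzf "$1" -C "$2"
}

# Typical use (not executed here):
#   tar czf site-backup.tar.gz -C /Library/WebServer Documents
#   safe_extract site-backup.tar.gz /tmp/restore
```

The check covers file names only; a symbolic link stored in the archive that points outside the destination, followed by a later member written through it, is a separate case, so inspect tar tvzf output for links before unpacking archives from untrusted sources.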
Key Command  Action
j or Down Arrow  Scroll down a line
k or Up Arrow  Scroll up a line
n  Find the next occurrence of a search term
N  Find the previous occurrence of a search term (repeat the search backward)
q  Quit less
For more information about the less command, see its man page.

Searching for Text in a File
To locate a string within a file, use the grep tool. The grep tool searches the named input files for lines containing a match to the given pattern. By default, grep prints the matching lines.
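On a server, the file most often worth searching is a log, and the useful grep is one whose pattern is anchored on the daemon that wrote the line rather than on a loose word. The script below is an added example, not code from this guide: it runs grep over a constructed sample of sshd entries written in the style of /var/log/secure.log (made up for this example, not real log data), counts authentication failures per client address, and lists the logins that succeeded. The function names are this example’s own.

```shell
#!/bin/sh
# Added example: grep over sshd entries in the style of /var/log/secure.log.
# SAMPLE_LOG is constructed for this example (it is not real log data) and
# the function names are this example's own.
SAMPLE_LOG='Mar  3 09:14:02 server sshd[2231]: error: PAM: authentication error for mariah from 10.0.1.25 via 10.0.1.1
Mar  3 09:14:05 server sshd[2231]: error: PAM: authentication error for mariah from 10.0.1.25 via 10.0.1.1
Mar  3 09:14:09 server sshd[2231]: Accepted keyboard-interactive/pam for mariah from 10.0.1.25 port 51022 ssh2
Mar  3 09:20:41 server sshd[2290]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.1
Mar  3 09:20:44 server sshd[2290]: error: PAM: authentication error for root from 203.0.113.7 via 10.0.1.1
Mar  3 09:20:47 server sshd[2290]: error: PAM: authentication error for admin from 203.0.113.7 via 10.0.1.1
Mar  3 09:31:10 server sshd[2350]: Accepted publickey for root from 10.0.1.10 port 40211 ssh2'

# failed_logins_by_source FILE: one line per client address that failed to
# authenticate, "COUNT ADDRESS", busiest first. The grep pattern anchors on
# the sshd prefix so a user named "error" or a line from another daemon
# cannot match; sed then keeps only the address after "from".
failed_logins_by_source() {
    grep -E 'sshd\[[0-9]+\]: error: PAM: authentication error for ' "$1" \
        | sed -E 's/.* for [^ ]+ from ([^ ]+) .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# accepted_logins FILE: "USER METHOD ADDRESS" for each successful login,
# the lines worth reading after a burst of failures from the same address.
accepted_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" \
        | sed -E 's/.*Accepted ([^ ]+) for ([^ ]+) from ([^ ]+) .*/\2 \1 \3/'
}

# Against a real server (not executed here):
#   failed_logins_by_source /var/log/secure.log
#   grep -c 'authentication error' /var/log/secure.log    # just the count
#   grep -i -n mariah /var/log/secure.log                 # case-insensitive, with line numbers
```

Read the two reports together: a source with many failures followed by an Accepted line for the same address is the pattern that deserves a look, and the forced-command and address restrictions described in Chapter 4 are what keep it from mattering for the administrative key.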
Chapter 6: Accessing Apple Hardware from the Command Line
Learn how to access hardware-level controls like restarting, shutting down, powering up, and selecting boot options from the command line. This chapter introduces commands for shutting down or restarting a local or remote computer. Computers need to be shut down or restarted, whether locally or remotely, when installing tools or making computer repairs.
Parameter  Description
seconds  The number of seconds before the computer starts after a power failure. This value must be a multiple of 30.

Changing a Remote Computer’s Startup Disk
You can change a remote computer’s startup disk using SSH.
Manipulating Open Firmware NVRAM Variables
To manipulate Open Firmware NVRAM variables, use the nvram tool. If you change a value with nvram, the value is saved only if the computer cleanly restarts or shuts down. To view NVRAM variables:
$ nvram -p
For more information, see the nvram man page.

Remotely Controlling the Xserve Front Panel
You can use the ipmitool command to remotely control the front panel of an Xserve.
Appendix: Command-Line Tools Specific to Mac OS X
The following command-line tools are unique to Mac OS X or substantially different from implementations on other UNIX platforms. See their man pages for more details. An online version of the man pages in Mac OS X and Mac OS X Server is available at: http://developer.apple.com/documentation/Darwin/Reference/ManPages/

Section 1 Man Pages
Man pages in section 1 refer to general command-line tools and utilities.
configureLocalKDC(1)  Generate a LocalKDC
CPlusTestRig(1)  Runs CPlusTest unit test bundles
CpMac(1)  Copy files preserving metadata and forks
createhomedir(1)  Create and populate home directories on the local computer
defaults(1)  Access the Mac OS X user defaults system
desdp(1)  Scripting definition generator
ditto(1)  Copy directory hierarchies, create and extract archives
dns-sd(1)  Multicast DNS (mDNS) & DNS Service Discovery (DNS-SD) Test Tool
drutil(1)  Interact with CD/DVD burners
d
javaconfig(1)  Get Java configuration information
javatool(1)  Tool used in building older Java software projects
languagesetup(1)  Set the primary language
latency(1)  Monitors scheduling and interrupt latency
launchctl(1)  Interfaces with launchd
ld(1)  Linker
locale(1)  Display locale settings
localedef(1)  Define locale environment
lookupd(1)  Gather information, statistics and initiate queries to the Directory Service cache
mDNS(1)  Multicast DNS (mDNS) & DNS Service Discovery (DNS-SD) Test To
opendiff(1)  Use FileMerge to graphically compare or merge files or directories
osacompile(1)  Compile AppleScripts and other OSA language scripts
osadecompile(1)  Display compiled AppleScripts or other OSA language scripts
osalang(1)  Information about installed OSA languages
osascript(1)  Execute AppleScripts and other OSA language scripts
packagemaker(1)  Installation-package creation tool
passwd(1)  Modify a user’s password
pl(1)  ASCII property list utility
Extract translatable strings from
securityd(1)  Security context daemon for Authorization and cryptographic operations
SetFile(1)  Set attributes of files and directories
sips(1)  Scriptable image processing system
SplitForks(1)  Divide a two-fork HFS file into AppleDouble format resource and data files
stackshot(1)  Capture user and kernel space stack traces, using a kernel stack trace facility
sw_vers(1)  Print Mac OS X operating system version information
symstacks.
Section 4 Man Pages
Man pages in section 4 refer to descriptions of special files and devices.
dummynet(4)  Traffic shaper, bandwidth manager and delay emulator
ipfirewall(4)  IP packet filter and traffic accounting
random(4)  Better random number generator; routines for changing generators
urandom(4)  Better random number generator; routines for changing generators

Section 5 Man Pages
Man pages in section 5 give information about file formats and conventions.
Section 7 Man Pages
Man pages in section 7 are miscellaneous pages that don’t belong in any other section. See the intro(7) man page for more information about this section.
sandbox(7)  Overview of the sandbox facility

Section 8 Man Pages
Man pages in section 8 document commands that system administrators would invoke as well as daemons. See the intro(8) man page for more information about this section.
coreaudiod(8)  Core Audio daemon
dirhelper(8)  Helper for special directory creation
diskarbitrationd(8)  Disk arbitration daemon
diskmanagementd(8)  DiskManagement.
kdcsetup(8)  Kerberos -- Open Directory Single Sign On
kerberosautoconfig(8)  Kerberos -- Open Directory Single Sign On
kext_logging(8)  Verbose/logging flags for kernel extensions (kexts) in the kernel and command-line utilities
kextcache(8)  Create kext cache files
kextd(8)  Kernel extension server
kextfind(8)  Find kernel extensions (kexts) based on a variety of criteria and print information
kextlibs(8)  Find OSBundleLibraries needed by a kext
kextload(8)  Load kernel extensions (kexts) into the
mount_webdav(8)  Mount a WebDAV filesystem
msdos.util(8)  DOS/Windows (FAT) file system utility
natd(8)  Network Address Translation daemon
nbdst(8)  NetBoot deferred shadow tool
networksetup(8)  Configuration tool for network settings in System Preferences
newfs_hfs(8)  Construct a new HFS Plus file system
notifyd(8)  Notification server
ntfs.
service(8)  Deprecated
service_helper(8)  Helper program for enabling and disabling services
setregion(8)  Set the disc region code for a DVD drive
softwareupdate(8)  Software Update checks for new and updated versions of your software
spindump(8)  Report generation for unresponsive applications
spindump_symbolicator(8)  Helper process for spindump(8)
sso_util(8)  Tool for setting up, interrogating and removing Kerberos configurations within the Apple Single Sign On env