Last year I wrote about my 20 minutes with OS X Leopard server. This week I had the opportunity, and the obligation, to spend a bit more time with it. Next month I'm converting an office that's currently using Windows and Exchange for an OS X-based solution. There will be a few desktops, a laptop, and an xserve. Not really a big deal for what he wants as OS X server will take care of pretty much everything and I knew that it wouldn't take me too long to catch onto it, but I wanted to take the time to figure out any quirks before I actually obtained the hardware and started billing for my time. Since the server software purchase will get absorbed in the cost of the work, and would probably save a lot of time down the road, I picked up a copy late last week and have been slowly working this week to get my old dual G5 up and running to (temporarily, at least) replace my Mandriva-based LAN server.

I've read some blog posts in the last week or so saying how Apple deviates too much from UNIX, how OS X server isn't as good for web serving as Linux, etc. Unfortunately, those posts look worse for the blogger than for the software. OS X server is no worse for web hosting (or "service" hosting) than anything else. The problem is these people probably spent a few hours or maybe a day or two at most trying to figure stuff out. And they took all their Linux "baggage" with them. Well, they're right about one thing... it is different. Very different. Is it worse? Not really... it does the same job. The tools are different, file locations are different, etc.

The server I set up has the following duties: DHCP, DNS, intranet wiki, nagios monitor, SMTP relay (for the LAN going out), POP3/IMAP (LAN-only), file sharing (samba and, since we're using OS X here, AFP as well), LDAP for authentication, and subversion server. The client's xserve will do most of this, except for nagios. It will also require handling a VPN, so I will be setting up mine to do the same.

There are quite a few things that are different. Server Admin is a very cool GUI tool to configure the server. For the most part, it works really, really well. It was somewhat painful setting up DHCP and DNS since I couldn't import my old named zone files and such (at least not that I could find). But after an hour of mind-numbing and boring typing, it worked well enough. Setting up Apache was easy enough and Server Admin works for some basic stuff, although if you really want to do more complex things, you'll want to fiddle around in /etc/apache2/ to make changes. One word of warning: some stuff you can change and still use Server Admin and it won't get mangled. Some stuff you can't, so I suggest getting the basics done in Server Admin and then not using it to manage sites (even viewing the site seems to be enough to trigger an update of the config file). In particular, setting "DAV svn" to enable the http subversion access resulted in (repeated) changes to "DAV off". Apparently Server Admin doesn't think "svn" is a valid option here. Also, rewrite rules kept getting rewritten... with a whole lot of nothing. I use rewrite rules extensively for my mediawiki install so it ticked me off a few times when all of a sudden they stopped working. Beyond that, Server Admin works well enough for Apache (again, more basic stuff). I suppose I could be using .htaccess files for this stuff and then I wouldn't have to worry about Server Admin removing stuff on me.

Setting up subversion was pretty easy, less the rewriting noted above. This blog post was moderately helpful for anyone else interested in setting up a subversion server on OS X. Leopard is using 1.4.4, but I think I'll be upgrading that soon, which may prove interesting to see if/how it will use the new modules instead of the old ones without actually removing the old subversion setup, since it comes with OS X. Setting up ViewVC for a web view of the subversion repository was pretty straightforward as well. No real surprises there.

Nagios was more interesting. Actually, it wasn't too bad... just time consuming. The Mandriva nagios configs are... fugly... to put it bluntly. Too many files, too many different places to look, so I spent quite a bit of time smushing all the useful stuff into a half-dozen configs which makes it much easier to manage. I built the latest nagios and nagios plugins from source. Before that, make sure you have something like fink or macports (I use fink) installed, as well as the Xcode developer tools. Beyond that, it was pretty straightforward as well. The only problem I ran into was the check_ldap(s) plugins didn't want to work... not sure if this is due to a newer version or if it's due to Open Directory. I've disabled that plugin for now (although, strangely enough, the check_ircd plugin works now when it wasn't working on Mandriva... go figure). Oh, if you like to use the check_fping plugin, use fink to install fping but make sure you make /sw/sbin/fping suid root, otherwise the plugin running under nagios (which here runs as nagios:nagios) won't be able to use it.

MySQL was easy. Set the root password in Server Admin and imported a dump of my database. No issues there.

Mail was different, and I used Server Admin exclusively for that. It seems to have enough options, and through it you can handle spam filtering via spamassassin and virus scanning via clamav. I'm used to exim myself, and OS X uses postfix, so I think I'll let Server Admin handle that part. What I've done with it so far works well enough, and POP3 works. I'm thinking of seeing if I can get procmail and fetchmail running on there to grab my mail, filter it all into individual IMAP mailboxes, and just use IMAP to connect to my local server to get all my mail. Not sure if that will work very well (due to personal and work accounts being smushed into one IMAP setup), but I think that would largely be a client-side issue anyways.

The weirdest thing for me, and the one big drawback to OS X that I found, was the handling of IP aliases. I don't want to write silly route commands, I want aliases to be set up once and persist across reboots, etc. Took me a bit, but it's clumsy compared to Linux. With Mandriva, I just create new /etc/sysconfig/network-scripts/ifcfg-eth0:0 files and go to town. With OS X, you have to edit /etc/IPAliases.conf and add stuff like:

en0:10.10.2.1 en0:10.10.2.2

and you have to reboot to enable it. Also don't forget to edit /etc/hostconfig and set "IPALIASES=-YES-" (I didn't realize I needed to do this and couldn't figure out for a few minutes why my aliases weren't coming up after a reboot). "man IPAliases.conf" is a good place to look as well. Finally, note that OS X will get, and use, the DNS name of the last defined IP alias. I have no idea why, since my computer's name is "fenris", the shell prompt and "hostname" were giving me the name "dns", which happens to be the DNS name of the last IP defined in /etc/IPAliases.conf. However, if the name reported by hostname is important, use one of the aliases in the Network settings of System Preferences and put the IP address that belongs to the DNS name (A record, please) as the last IP alias. There's also no "eth0:0" or "eth0:1" so you can't just shut off one alias and add another on-the-fly like you can in Linux. All IPs are assigned to the associated ethernet device, so in my case if I were to do "/sbin/ifconfig en0" you'd see all five associated IP addresses.

That was probably the weirdest thing to deal with, besides file location differences.

Oh, and system-wide cron stuff. Normally I drop a script or symlink to a script in /etc/cron.daily/, but OS X uses periodic instead. It's not very different, so just create the script/symlink in /etc/periodic/daily/ instead and it will be run with the daily system jobs (i.e. I created /etc/periodic/daily/900.svn-verify to execute the daily script I run to verify the integrity of my subversion repositories). The only real difference here against cron on a Linux system is that unless you redirect output to /dev/null, the output of cron scripts gets emailed to you (well, if you provide an email address). Not so with periodic, at least not by default. I assume there must be a way to do it, but my daily output, instead of coming to my inbox, went into /var/log/daily.out instead. I don't like that since I want notification delivered to me that my svn repos need repair; I don't want to have to remember to look at the file. I need to look into this further... I suspect it shouldn't be too difficult, but I'm not familiar with periodic at all.
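As an added example (not the script from the original post), here is one way to write a /etc/periodic/daily/900.svn-verify that runs "svnadmin verify" over every repository under a directory and mails a report itself when something fails, rather than relying on /var/log/daily.out. The repository root /var/svn and the "admin" recipient are assumed placeholders; the mail(1) and hostname(1) commands are the standard ones shipped with OS X.

```shell
#!/bin/sh
# Added example, not from the original post: periodic(8) daily job that
# verifies Subversion repositories and mails failures directly.
# REPO_ROOT and REPORT_TO are assumed placeholders; override via environment.
REPO_ROOT="${REPO_ROOT:-/var/svn}"
REPORT_TO="${REPORT_TO:-admin}"

# verify_repos DIR: run "svnadmin verify" on each repository under DIR.
# A repository is recognised by its top-level "format" file, so stray
# directories are skipped. Prints the name of each failing repository,
# one per line, and returns 1 if any failed, 0 otherwise. svnadmin's own
# (very chatty) output is discarded so the caller gets a concise list.
verify_repos() {
    dir="$1"
    failed=0
    for fmt in "$dir"/*/format; do
        [ -f "$fmt" ] || continue
        repo="${fmt%/format}"
        if ! svnadmin verify "$repo" >/dev/null 2>&1; then
            echo "${repo##*/}"
            failed=1
        fi
    done
    return $failed
}

# main: print the result for daily.out as usual, and additionally mail
# the list of failing repositories so nobody has to remember to read the log.
main() {
    if bad="$(verify_repos "$REPO_ROOT")"; then
        echo "svn verify: all repositories under $REPO_ROOT OK"
        return 0
    fi
    report="svnadmin verify failed for:
$bad"
    echo "$report"
    echo "$report" | mail -s "svn verify failures on $(hostname)" "$REPORT_TO"
    return 1
}

# Only run when installed under the periodic script name, so the functions
# can be sourced elsewhere (e.g. for testing) without triggering a run.
case "$0" in
    */900.svn-verify) main ;;
esac
```

Install it with mode 0755 and owner root; periodic runs the daily scripts as root, so the repositories must be readable by root and the exit status of verify_repos is what a monitoring check (such as a nagios passive check) can key on.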

And finally, LDAP authentication. On my network, I use LDAP authentication on all the Linux workstations and vmware images just because it makes it easier on me. I've not had much luck getting OS X workstations to authenticate against my Linux-based LDAP directory, so with Open Directory on OS X server, it's quite easy to make it work with OS X workstations. I also found out it was quite easy to do with Linux as well and didn't really take much to change it (since Open Directory is based on OpenLDAP). A few minor tweaks to my /etc/ldap.conf file and I was up and running. The only thing I had to remember was that OD exports the home information as being /Users/foo, instead of /home/foo. This is easy enough to remedy, by either making /Users a symlink to /home, or moving /home to /Users. For anyone interested, my /etc/ldap.conf for Mandriva looks like this:

# ldap.conf for authentication against OpenDirectory
host fenris.annvix.ca
base dc=fenris,dc=annvix,dc=ca
ldap_version 3
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_password crypt
nss_base_passwd cn=users,dc=fenris,dc=annvix,dc=ca?one
nss_base_shadow cn=users,dc=fenris,dc=annvix,dc=ca?one
nss_base_group cn=groups,dc=fenris,dc=annvix,dc=ca?one
# TLS not set up yet on the Open Directory side, so start_tls stays disabled
#ssl start_tls
ssl off
# OpenDirectory home directories are /Users/foo, so create
# a /Users directory and symlink appropriate /home directories
# there (or rename /home to /Users)
# everything else is configured the same as if using a LDAP auth source

Yeah, I have to figure out the SSL/TLS stuff in Open Directory yet. There's also some Kerberos stuff in there I'm thinking of playing with to make everything single sign-on. But that will come later. For my home network, this is sufficient, and it works.

The only thing left to do now is the VPN stuff, but I'll do that this weekend when I can go to my dad's and borrow his internet connection to see if it works.

Anyways, as of right now my Mandriva LAN server is temporarily off and I'm going to be using the OS X server for the next week or two, to make sure there are no surprises. That way, next month when I have to do mostly the same thing for a client, there won't be (too many) surprises. So is OS X server worse than Linux? Not really. They're both pretty much the same. Those who like GUI configs will like OS X server... the Server Admin and Workgroup Manager tools are really quite nice. For someone like me who developed Annvix without a GUI, I don't much care, and the (compared to Linux) non-standard location for files was frustrating and trying. There's obviously a lot to fiddle with yet, but the basic services are up and running, which is what I need. When this thing has a few services turned off so my Mandriva server can once again resume its duties, it'll be left around as a debugging/reference platform, as it's always nicer to muck up your own stuff instead of a client's.