Radmind Manual for Mac OS X
From radmind
A special thanks goes to Ofir Gal for writing this document and his continued support of the Radmind project.
The basic idea
Radmind (remote administration daemon) is a client management system that allows you to create a specific setup on a single Mac OS X system and then be able to implement the same setup on multiple clients. Most importantly, Radmind enables you to install updates and new apps on a single Mac and then force the other Macs to inherit the same configuration. It can be set to automatically bring back systems to a pristine state every night in a college lab or as a way to distribute new system updates on demand.
Radmind supports multiple configurations so one Radmind server can handle several departments in your organization, each with its own setup and applications.
At its core, Radmind operates as a tripwire; it is able to detect differences between the server and the client to any managed file system object, e.g. files, directories, links, etc. However, Radmind goes further than just integrity checking: once a difference is detected, Radmind can optionally take action.
This is ideal for small to large businesses as well as schools and universities. Radmind not only lets you upgrade and keep all systems the same, it also lets you downgrade if you need to. Radmind is generally useful if you have three or more Macs that need to run similar or identical configurations.
You can use Radmind to combat any application or system corruption and even deliberate mis- configuration by simply running the Radmind update session. When used with checksums, Radmind also verifies the integrity of files and any damaged ones are replaced.
Radmind even works in super user mode (Command+S at startup) allowing a system administrator to repair a system that won't start properly.
Radmind can be used in conjunction with Apple Software Restore ( ASR ), NetBoot, NetInstall and Carbon Copy Cloner.
Radmind is a very powerful tool that can also delete important files. It is therefore recommended that you read this document through and only then attempt to use Radmind. It is also a good idea to experiment on test systems before deploying the setup in the real world (if such a thing exists). OS X, unlike its predecessors, installs a large number of files, and you'll want to choose which to manage in the process of your testing.
Radmind does not require a special "master" client for generating updates for other clients; any Radmind client can become the master by simply updating it with Radmind.
Radmind can be set to skip user data and other files - that is leave user documents untouched while updating the rest of the system.
Radmind can be started manually, or automated to run at startup, login, logout or at timed intervals. But before you get ahead of yourself, let's start with the basics...
Getting Started
Download and install Radmind on two computers – one will be the server, the other will be the client. It is highly recommended that any data on the clients is backed up. It’s very easy to delete users’ data with Radmind.
Setting up the server
On the server open Radmind Assistant and select Run Setup Steps from the Session menu. In the First Time Run window select I’m new and I want to setup a Radmind server.
Follow the setup procedure and when the setup is complete the Radmind Assistant will close and Open the Server Manager.
Setting up the client
On the client open Radmind Assistant and select Run Setup Steps. This time select I’m new and I want to setup a managed client.
In the following screens, enter your Radmind server address, leaving the other options at their default values. You can skip the automation options at this point and continue.
The next window lets you select the negative transcript. You can simply select the one that fits your setup best and continue. The Lab Negative transcript is designed for giving you more control over the system while the Desktop Negative transcript gives users more control over their computers, allowing them to install printer drivers for example. Note that the loadset is uploaded as empty files. This is normal for loadsets associated with negative transcripts. The assistant will prompt you to quit all other applications – this is always a good idea.
When the upload is complete go back to the server and open Server Manager. Click Refresh in the Radmind Loadsets window and select to Verify and Check in. You can safely ignore the message that the transcript is incorrect – this refers to the lack of checksums.
Follow the prompts until you end up with a negative transcript assigned to your client
Go back to the client and continue. The next step is to create the base loadset. This can take a few minutes. When the process is complete you will be prompted to upload the base loadset to the server. Depending on your configuration this can take between 20 minutes and several hours. A high speed Ethernet connection and fast Macs at both end can help a lot.
When the upload is complete go back to the server and click Refresh again in the loadsets window. Follow the prompts to add the new loadset to your setup.
Updating a new client
Assuming you have setup your server successfully you can now move on to update a new client. For this you will need a third Mac. Install Radmind and again open the Radmind Assistant. This time choose the third option – to update the client. When this is complete you should find the new client has inherited the software setup of your first client without affecting any data.
Read on to understand how to customise and get the best out of Radmind…
How Radmind works
Radmind uses a client-server setup. The server holds all the files required to make a client match a specified configuration. Such a configuration may include OS X and various applications used in your organization.
You can install the server component on any Mac running OSX 10.2 or later, or any UNIX/Linux based systems. It doesn’t have to be an OSX Server. Most main functions of Radmind, including server management, are available via the Radmind Assistant application (Mac OS X only). If you prefer you may also use the Terminal to run Radmind.
Initially, a client is used to create the base setup which is then uploaded to the server. A base setup must have at least one positive and one negative loadsets. The positive loadset contains all the managed files, while the negative is mostly a list of unmanaged items such as the /Users folder. When the setup is verified and saved on the server any other client can be configured to connect to the server and initiate a Radmind update session – effectively downloading and installing all the files required to match the first client. Files and folders in the negative loadset are left alone.
Normal client updates start by downloading the various Radmind server files that describe the required setup for that client. Radmind then scans the client’s file system for any differences between the prescribed setup and the actual files on the client. If any mismatch is found you are then prompted to perform an update which will make the client match the prescribed setup.
In principal, to create a basic working setup you need to install OSX and all your standard applications on one workstation (the source client) and then use Radmind Assistant to upload the setup to the server. Once there, any other client with Radmind installed can initiate an update, which will result in making the new client an identical clone of the source client.
You can then install additional applications on the source client and again upload the changes to the server. The other clients can then be updated to match the new setup.
Whenever Radmind updates a client it deletes any files that were not on the source and copies any missing or modified files from the server. In some ways this works much like folder synchronizers such as psync or rsync. It makes the target identical to the source as defined on the Radmind server, excluding the items contained in the negative loadset.
You use the Server Manager to determine which files end up on the clients. Radmind is able to deliver different files depending on which client is being updated. The server identifies the client by its DNS name or certificate and then send it any combination of software you specify.
In order to skip files and folders that should not be touched with each update such as the Users folder, Radmind uses the negative transcript. Example negative transcripts are included with Radmind and also on the Radmind.org site. These include user files as well as various logs and cache files that should normally be managed differently.
A finely tuned negative transcript is key to a successful Radmind installation and consequent client updates. See the next section to learn more about how it works.
Transcripts, loadsets and command files
Overview
Radmind uses three file types to store information about client configuration. These are organised in a hierarchy that allows for a very flexible setup – capable of managing a diverse organisation where each department may require a different setup.
- The Radmind server uses a single configuration file (config) to store a list of clients and their associated command files.
- Each command file contains a list of transcripts (.T)
- Each transcript contains a list of files and their attributes
More about the Radmind file hierarchy
Each transcript describes the contents of a loadset which is simply the files & folders required to deploy the transcript. A transcript called MSOffice.T for example, may contain a list of all the files installed by Microsoft Office and the loadset will contain the actual Microsoft Office files and folders.
A command file is used to bring several transcripts and their corresponding Loadsets together. One client may have a command file that includes OS X, Microsoft Office and FileMaker Pro loadsets, while another client could have a command file with the same OSX loadset, scanner drivers and Adobe Photoshop.
You can easily assign each command file you have to many clients using DNS host names and IP address ranges, allowing you to distribute different application sets to different departments for example.
When editing any Radmind files by hand, make sure you use an editor capable of handling very long lines and Unix mode linefeeds. If you use pico remember to use –w option.
Transcripts (.T)
A transcript is a plain text file containing a list of files with instructions for Radmind. A transcript for a base OS X installation contains 10,000s lines corresponding to each file system object (i.e. files, folders, etc.).
Each line in the transcript lists one system object – a file, folder, link, etc. In addition the privileges settings, the files size and modification date are also listed. The object type is denoted with a single letter where f for example stands for a regular file, d stands for a folder (directory) and h is a hard link. For a full list of object types consult the fsdiff man pages.
You may optionally include checksums to verify the integrity of files, but use of checksums is known to cause unnecessary file copying with the current version of OS X (10.2.x), which optimises some files on the fly. On the other hand, checksums may catch out some viruses and other system hacks.
When updating a client, Radmind compares the state of the clients to the transcripts listed in its command file. It then produces a transcript that describes what changes need to be made to bring the client up-to-date. This temporary transcript is also referred to as apply-able since its contents will be applied to a client.
In an apply-able transcript a + in front of a file name means it is to be copied to the client, while a – indicates that the file will be deleted. If a file appears with no +/- this means that its attributes need changing – most likely its ownership or privileges. If a managed file on a client is different it will be replaced, if it is missing Radmind will copy it to the client. If a file on the client has no match in your transcripts it will be deleted. Similarly, if a file has different privileges these will also be adjusted to match your transcripts.
This means that if a user installed an application or a printer driver they will be deleted by Radmind, but you can use the negative transcript as well as other methods to work around this if needed.
Radmind determines which files should be created, copied, deleted or modified based on your server configuration in where a command file is used to determine which transcripts to employ. The use of multiple transcripts allows greater flexibility and enables you, among other things, to add software and updates to clients quite easily.
Transcripts are normally created on a client and are then uploaded, along with their corresponding files, to the server where they can be made available to other clients.
Most Radmind client updates start by downloading the command file followed by the transcripts it contains to the client. This ensures that the client has an up-to-date version of all configuration files.
Note that the sort order of items in a transcript is crucial for smooth operation of Radmind. The Transcript Editor ensures that your transcripts are properly sorted. If you plan on using a text editor instead, make sure you understand the sort order required.
