Justin Rummel . com

Professional Bio/Resume site for Justin Rummel

Migrate OSX 10.6 Wiki to 10.8 With Lost Directory


This title is very specific and may not be everyone’s exact scenario; however, there were plenty of beneficial items in my latest exercise with Wiki data on OS X, specifically taking old 10.6 Wiki data and putting it on a new server for which the Directory information was lost.

Overview

I happened to have Wiki data from a 10.6.8 server that was saved by a simple backup routine instead of using Time Machine backups. “No Time Machine backup?” you ask. This was because this was 10.6 Server! Remember, Time Machine couldn’t stop Open Directory, so back then backups were “on the ODM, use this ‘export’ script”, and “rsync or use some other backup tool to save your data”. In 10.6 the Wiki data was saved in /Library/Collaboration so it made backup of the data very simple.

The environment that I stepped into was:

Now that 10.8 is available (and our Xserve is no longer supported because it was made prior to 2009) let’s move that data to a new server, and because the only thing we need is the /Library/Collaboration folder just save that data to a storage array and scrap the server… we don’t need that anymore.

Anonymous Famous Last Words

So there are two things to remember when migrating Wiki data:

  1. The Directory is critical (and even more so w/ Mt Lion)
  2. If you are doing a migration that needs to “upgrade” data, be sure to have a system that can still run the old OS.

What do I have to work with for this migration task? A file backup of /Library/Collaboration, with the original Directory system lost, targeted for a machine that cannot run 10.6 to update. Not a problem, right? Apple’s kbase article on how to migrate Wiki data from a 10.6 server to Mt Lion should work… right? Not really. Depending on how you have your Wiki set up and its permissions (who owns the data vs. who has read and/or write capabilities), some of the Wiki groups will not come over.

Final Workflow

What I have done several times is migrate 10.6 Wiki to a new 10.6 Wiki server because I can always strip the permissions data by doing the following steps.

10.6 Server Wiki to 10.6 server

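Wiki Migrate (Source Article)

# Stop the web service (which hosts the Wiki) before touching its data
sudo serveradmin stop web
# Move the backed-up groups into place and reset owner and group to numeric ID 94
sudo mv /tmp/Collaboration/Groups/ /Library/Collaboration/Groups/
sudo chown -R 94:94 /Library/Collaboration/Groups/
# Remove the data version file and the index databases
sudo rm /Library/Collaboration/dataVersion.plist
sudo rm /Library/Collaboration/globalIndex.db
# The path contains a space, so it must be quoted
sudo rm "/Library/Application Support/Apple/WikiServer/directoryIndex.db"
sudo serveradmin start web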

The end result is a working 10.6 Wiki server. So what about the new hardware that cannot run 10.6.8 Server… VMware to the rescue! You can install 10.6.8 Server in VMware Fusion as it’s a Server OS (thus is compliant with Apple’s EULA). Now we can upgrade to 10.8 and move the Wiki content from the VM to the real server by following Apple’s kbase article. You would think that, wouldn’t you?

Let’s review what we have and where we will go:

  1. You have a VM w/ 10.6.8 Server running Wiki (which includes Open Directory Service for Authentication).
  2. Download and install OS X Mountain Lion
  3. Software Updates for Mt Lion
  4. Download and install Server.app for OS X

End result is a fully functioning Wiki service… that is running on your local VM. Now I could just install VMware on the new hardware and just be done, but Fusion is not really production worthy for this environment so that was not an option. When I tried to migrate the data following Apple’s kbase article the end result was several Wiki groups that could not be administered. What happened? The “Directory Admin” that was running in your VM has a different UUID than the “Directory Admin” running on your new Mac hardware that may either:

  1. Be running as an ODM
  2. Be joined to an ODM via Directory Utility.

Final solution? Thank goodness Apple updated their Kerberos to Heimdal (as discussed last year at MacTech and MacIT), because I can now connect to multiple Directories! I joined my VM of 10.8.2 running Server.app v2.2.1 to the future Directory system (AD or OD), adjusted the Wiki settings for each group, then followed Apple’s kbase step by step which can be shortly described as:

  1. Export the wiki postgres db with the pg_dump command.
  2. Copy /Library/Server/Wiki/FileData from the old server to the new server.
  3. Change permissions on the new server for FileData: sudo chown -R _teamsserver:_teamsserver and sudo chmod -R +a "www allow search"
  4. On the new server, dropdb the existing db (thus losing ALL content previously there), createdb to have a bare but ready db, and then pg_restore your info from your collab.pgdump.

Lessons Learned

Wiki uses authentication, but simple usernames and passwords are not the limit to how Wiki is tied to the directory system. Wiki is now using UUIDs to identify who has read/write/owner rights on Wiki data. You know, this one:

dscl command to find the GeneratedUID of diradmin
sadmin@osxs1 ~> dscl /Search -read /Users/diradmin GeneratedUID
GeneratedUID: 27D18844-70C6-4BDD-BE3A-5B26A6FDEA1B

# not my real UUID.    Generated via command 'uuidgen'
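
An added example (not from the original post): a pre-migration check for the UUID mismatch described above. It assumes each directory's accounts were captured with `dscl /Search -list /Users GeneratedUID`, which prints a short name and its GeneratedUID per line; the function names and the sample accounts and UUIDs (other than the diradmin value shown above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts whose GeneratedUID differs between two directories.
# Each listing is the two-column "<shortname> <GeneratedUID>" text printed by
#   dscl /Search -list /Users GeneratedUID
# captured once on the old directory and once on the new one.

# compare_uids OLD_LISTING NEW_LISTING
#   CHANGED <name> <old-uuid> <new-uuid>   same short name, different identity
#   MISSING <name> <old-uuid>              no such account in the new directory
compare_uids() {
    awk '
        # A GeneratedUID is 8-4-4-4-12 hex digits; anything else is skipped.
        function valid(u,   p, n) {
            n = split(u, p, "-")
            return n == 5 && u ~ /^[0-9A-F-]+$/ &&
                   length(p[1]) == 8 && length(p[2]) == 4 &&
                   length(p[3]) == 4 && length(p[4]) == 4 && length(p[5]) == 12
        }
        NF < 2 || /^#/ { next }              # blank, comment, or no attribute
        { uid = toupper($2) }                # UUID comparison is case-insensitive
        !valid(uid) { next }
        side == "new" { seen[$1] = uid; next }
        !($1 in seen)   { print "MISSING", $1, uid; next }
        seen[$1] != uid { print "CHANGED", $1, uid, seen[$1] }
    ' side=new "$2" side=old "$1"
}

# Constructed sample listings (not real accounts).
old_listing() {
cat <<'EOF'
diradmin   27D18844-70C6-4BDD-BE3A-5B26A6FDEA1B
alice      0B6F2C1E-3A57-4E0D-9C41-7D2E5A8F1B33
bob        5E9A7C42-1D0B-4F6A-8E23-6C4B9D0A7F11
carol      9C3D1F70-8B2E-4A15-B6D4-2F7E0C5A3D88
EOF
}

new_listing() {
cat <<'EOF'
diradmin   F4A1C9E2-6B3D-47A8-9E05-1C8D2B7F6A40
alice      0b6f2c1e-3a57-4e0d-9c41-7d2e5a8f1b33
carol      9C3D1F70-8B2E-4A15-B6D4-2F7E0C5A3D88
dave       A17E4B90-2C6D-4F38-8A5B-3E9D0F1C7B26
EOF
}

# Write both sample listings to a temp directory and compare them.
run_sample() {
    tmp=$(mktemp -d) || return 1
    old_listing > "$tmp/old.txt"
    new_listing > "$tmp/new.txt"
    compare_uids "$tmp/old.txt" "$tmp/new.txt"
    rm -rf "$tmp"
}

run_sample
```

Any account reported as CHANGED or MISSING is one whose Wiki ownership or access entries will not resolve on the new directory and should be reassigned before the database is dumped.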

Octotransfigurator-inator: Migrating From Wordpress


Why I migrated from Wordpress to Octopress

Let’s face it, this site has become stale over the winter months… but largely due to dedicating time to researching, writing, and practicing for my two MacIT presentations that happened from Jan 30 - Feb 2nd. Now that I’m finished with MacIT, I need to post PDF links and Vimeo video links that I promised during my session. But as I look at my site I’ve realized that it needs something new. I’m tired of looking at the little squares that were on the top right hand corner. I’m tired of the default blue. I’m tired of Wordpress… but there are two issues:

  1. What should I use as my new CMS/BLOG/BlahBlahBlah to replace Wordpress?
  2. How to migrate the existing data, not lose Google search results, and keep existing features intact (such as post to Twitter once a new page is created).

Then in mid-January Gary Larizza made an announcement on his site that he has started to use Octopress. This immediately piqued my interest as Gary does some fascinating stuff with Puppet Labs and I’ve wanted to step up my chops in being a “Dev SysAdmin” (something that Ed Marczak has been preaching since 2009 (and probably longer… I just heard it first in 2009)).

So what is Octopress? Well you can read their own website, but my short version is “a static web page generator written in Ruby”. Well crap, I don’t know Ruby. But this is what I needed to push me to learn (or at least understand a little), so be it! Other items to take into consideration are Wordpress security (static pages don’t have cross-site security holes), webserver resources (not that I really cared as I pay for my website hosting), and that there is a converter from Wordpress to Octopress on GitHub (so migration should be easy, right?)!

The last item that I liked about using Octopress is that every post is written in Markdown. I don’t know Markdown, so there is another thing that I get to learn and apply at work when taking notes. Markdown has the ability to make note taking look nice, but Octopress has enhanced features so that displaying code looks GREAT!

How (a.k.a Give me your Google search result links)

Octopress has most of the directions you need to fire up an Octopress site on their Setup Documentation page. What I’m going to add are things that I learned trying to make this work.

  1. If you are using a shell other than the default bash on OSX, I hope you know what you are doing.

    I have Homebrew installed on my machine for two reasons: easy install of the “fish” shell and nmap. I REALLY like fish, but what I found is getting Ruby to work correctly on OSX and fish is difficult because the default version of Ruby on OSX is 1.8.7 and that version is too old for Octopress. After several days of trying to make this work, I went back to the bash shell and started to use Smyck Color Scheme to help out with a good color scheme (I still have fish installed, it’s just not the default shell anymore). The site I found best suited for getting Octopress installed on OSX is on panchoat.org. It takes you through using Homebrew to install the necessary items (Ruby, rbenv, etc.) plus walks you through publishing your site for free on github.com as a GitHub page.

  2. Octopress Plugins are available, are you sure you want to use them?

    I have a couple of additional Flickr plugins (FlickrImage and Flickr Badge) and the octolayer installed on my site because when I first re-started this page for work, it was also a traveling photography site that linked to my Flickr account with location maps for remote areas (i.e. Alaska). I found a couple of plugins that worked that allowed easy input values of Flickr picture ID’s which could then be generated as true links by some Ruby code. What I’ve found out is plugins (especially ones that use API keys) will add generation time on your local machine. If you have a hard time waiting a couple of minutes for all of your pages to be generated as Ruby code gets executed to make your life a little easier, you may need to reconsider adding additional plugins. This makes me wonder what will happen to a website that has 1000 posts of just raw text; how long will page generation take?

  3. Themes that are “based” off the original may still be missing items.

    I decided to use the Darkstripes theme with minor modifications. One thing I learned is that sometimes themes remove elements from the CSS, which DESTROYS plugins. In my case, the FlickrImage plugin required the $noise-bg variable which is in the default “classic” theme. For some reason the author of “Darkstripes” removed this, which generated a couple of debugging-hell hours to track down what was wrong. The nice thing is that when Octopress goes wrong generating pages, it usually gives a clue why within the error output.

  4. Markdown. Learn it!

    If you have NEVER used Markdown, you have a small learning curve but nothing outrageous. I now have three bookmarked pages to make sure I can always find the proper way to use Markdown and Octopress Code snippets in posts.

    • Daring Fireball post on Markdown gives you standard MD to HTML items that you would want to use on your posts. Links, lists, Generic insert images, etc.
    • Octopress Basics will provide a “how to” on starting new posts within Octopress such as making sure that categories and tags are correctly inserted in the header AND know the -three- four important rake commands: rake clean, rake generate, rake preview, rake deploy.
    • Octopress Code Snippets is a great resource on the best way to insert code (like a good Dev SysAdmin, share your knowledge)! By inserting three ‘back ticks’ on one line, anything below will be formatted as code. Items that I learned, be sure you only use three (four will produce “generate” errors) and be sure to end with three ‘back ticks’. The nice thing about this is you can also format the code for the particular language that you are using with Syntax Highlighting. Use “bash” OR “ruby” on the first line after your three ‘back ticks’, and your code will be formatted in that language for easy reading. You can also embed gists from GitHub, or use “codeblock” if you need some output text just formatted differently (I used this for displaying the public SSL cert info on one of my articles).
  5. Wordpress Migration

    This was the hardest part to get working. Fortunately the developer was very helpful in getting some errors resolved so I could finally get ALL of my Wordpress content converted to Markdown, zipped, and downloaded to my local machine. Without this, I would have soon given up on Octopress.

Final Thoughts

The page generation has me concerned. When I first started cleaning up the export of my old Wordpress articles to Markdown, generation was FAST! It was nothing for me to change a word, generate, preview and see the results immediately. Now with the additional plugins, it takes a couple of minutes. I may have to rethink my Flickr account integration. Also, I’ve archived my old website on my web hosting provider’s server just in case I need to revert back for some reason.

Also, apparently I watch too much Phineas & Ferb with my kids, and have a particular affinity for the Evil Dr. Heinz Doofenshmirtz (as the title suggests).

Flying TSA Pre Check


What is TSA Pre Check

The TSA Pre Check program is the background security checks performed by U.S. Customs and Border Protection (CBP) for their Trusted Traveler program. This “Trusted Traveler” is the key because the only people who reference TSA Pre Check are the TSA (more to follow on this). With the TSA Pre Check completed, you are allowed to use the expedited screening process that is found at select airports. Also, your airline must participate in the program (again, more to follow on this).

Why do I want TSA Pre Check

For me it’s simple. I fly. I fly a lot! I usually travel around 80k miles/year between various airlines, with my primary airline being American Air because when I started traveling, I was frequently going to Texas and AA has a major hub in Dallas (DFW). With the recent changes in security by implementing body scanners, things became more complicated for me. I don’t like the body scanners because I never know which scanner is good and which one will melt my insides after multiple exposures. Since I fly so much, I’d just rather not take any chances.

For those of you who do not want to use the body scanners, there is an “Opt out” policy which allows the TSA agents to place their hands all over your body to make sure you are not carrying anything dangerous inside the airport secured area. This is a time suck! Very few people do this, therefore it seems like I’m teaching new agents every week on what they are supposed to do for their job. Also, you cannot deviate from the script. There are two questions they always ask prior to performing the “love pat”:

  1. Do you have any sensitive areas
  2. Do you want a private screening

If you try to help by answering these questions before you start, they usually either a) get grumpy (because a sense of humor is not required) OR b) laugh and say “Sorry, I have to do the whole thing”. I know this is not the highlight of their day, but honestly I’m just tired of the charade.

Which Airports or Airlines are participating

It’s important to know that TSA Pre Check is available only if the airport AND the airline participate. This is because the airport is the entity that assigns a specific area for TSA Pre Check approved individuals AND the way they know you are OK is they use a barcode scanner on your ticket (or e-ticket like using Apple’s Passbook app on iOS 6) as supplied by the airline. You can find a list of Airlines (then their associated airports) at: http://www.tsa.gov/field-collection/field-section/392 OR at the CBP site: http://www.globalentry.gov/tsa.html

What is the signup process

The process can be simplistically portrayed as Global Entry does with their “four easy steps”, or you can read TSA’s directions at tsa.gov. But the thing you need to know is that it takes time.

If you have never done a security background check, it’s a pain in the ass. First everything is online, there are no real support telephone numbers that you can call if you have questions. Oh, there are numbers for the different CBP offices, but unless you are trying to schedule your interview at that office they will most likely not be able to help.

To sign up, you need to give your information to the U.S. Customs and Border Protection (CBP) “GOES” (Global Online Enrollment System) website and register for a new account. Once you have an account you have to select the program that you want to participate in. CBP has multiple programs as they were the first entity to start doing security background checks for the Department of Homeland Security (DHS) prior to TSA using them for flights. Be sure to select “Global Entry” membership. Hint, it costs $100. Also, don’t choose anything that is international because most likely it’s the wrong program and the interview locations are only available on the Canadian or Mexican borders. Fill in your information, including what items of identification you will be using to verify yourself.

Once the initial information has been collected, wait for a couple of days-weeks and you’ll be notified that your application has been accepted and you need to perform an interview. When you are ready for your interview, be sure to bring the acceptance letter (I printed to PDF and had it on my phone), your identification documentation such as valid passport or permanent resident card, documents providing evidence of residency such as a driver’s license. So really three things:

  • Application Letter
  • Passport
  • Driver’s License

The interview is very simple, and just like other background security interviews. You listen/read/collect information that they feel is important, they ask you the same questions that you filled out on the form to verify accuracy, then finally the interview is over as long as you don’t have any questions. It took about 15-20 mins. Once complete your agent may or may not give you your “Trusted Traveler” ID number. THIS NUMBER IS IMPORTANT. You should also get a confirmation email that requires you to re-login to the GOES website which will have the same ID. You will copy/paste this ID to all the airlines that you use as they will apply this code to the scan portion of your paper ticket (or QR code for iOS 6’s Passbook). It’s the fact that the ID is printed on your barcode that will allow you to use the TSA Pre Check security gates.

What is the first time Airport Experience

I was able to use my TSA Pre Check status for the first time today. I had to find the TSA Pre Check security area (for IAD that is on the main level where you check your bags at the airlines, then find the “middle” of the airport… don’t go downstairs to regular security). Once I arrived at the beginning of the security queue, I scanned my Passbook QR code to verify I could use the line (e.g. my Trusted Traveler ID was confirmed) and they asked a couple of questions (“Are you traveling internationally?”) to see if I get “Randomly selected” for additional screening. At the end of the queue, I scanned my code again and handed over my Government ID to verify my flight information. I removed my belt, shoes, laptop, and toiletries as usual, walked through a metal detector ONLY, then grabbed my things at the end of the x-ray machine conveyor belt. I did all of this, alone. Nobody else was in the security line. I had all four TSA agents’ adoring eyes focused on me and I was done with airport security in less than five minutes. I’m flying like it’s the year 2000!

Imaginary FAQ

Q1) Any tips when filling out the online form?

A1) I’d have to be honest, it was a long time since I filled out the form and guess what… I did the wrong one first. My process started in June of 2012, but I picked the wrong form that was for international. Because of this (and my work schedule conflicting, not allowing me to give the proper attention) I sat in limbo for about four months. The one thing I do recommend is be sure to have a passport. It’s a great way for identification and it makes things easy.

Q2) How long did it take from start to finish?

A2) Excluding my dumb error, three months. Completing the paperwork was quick. Communication was timely, getting an interview was horrible. The “first available appointment” was Jan 10 2013. Yes. I have my TSA Pre Check completed prior to my official appointment date. I found this out because I had some spare time at IAD and I just wanted to find out where the interview offices were. While talking to the agent to verify location and process, he let slip that they sometimes allow walk-ins on Saturday from 10-2. That is what I did. Now, the Saturday agent wasn’t happy that I walked in, but they attended to my needs anyway. Just be sure to have all three items required for an interview as listed above.

MacIT - IT814: Mountain Lion Security for the System Administrator


Thursday January 31, 2013 11:55am – 12:40pm

Discussion Topic

With the release of OS X Mountain Lion 10.8, Apple has introduced new elements that allow its users to better control the security (and privacy) of their favorite operating system. As System Administrators, new challenges have emerged to ensure the environment that we manage is safe and secure, plus have the ability to document our efforts.

Presenting with Steve Leebove, Owner, MacRescue

MacIT 2013 Sessions


For my fifth year in a row, I’ll be presenting at Macworld|MacIT conference in January of 2013! I’ll be presenting on two topics this year:

Thursday Jan 31st, from 10:20am – 11:05am

IT801: What has changed with Mountain Lion Server

Discussion Topic

This is your session to find out about OS X Mountain Lion server! Find out what is different after services moved from Server Admin to Server.app. Which Services are new, and which ones have disappeared!

I hope to expand on items that I have already written about on this site, hopefully for a new audience that is getting ready to update their servers to Mt Lion. Change will happen; it’s always better when you are prepared.

Thursday Jan 31st, from 11:55am – 12:40pm

IT814: Mountain Lion Security for The System Administrator

Discussion Topic

With the release of OS X Mountain Lion 10.8, Apple has introduced new elements that allow its users to better control the security (and privacy) of their favorite operating system. As System Administrators, new challenges have emerged to ensure the environment that we manage is safe and secure, plus have the ability to document our efforts.

This one I’m really excited about. We’ll be discussing what Apple has done in terms of security on OS X, and how this helps system administrators, along with what you can do to control these elements! Also, I’ll be presenting for the first time with long time colleague Steve Leebove of MacRescue. If you have any specific questions that you want me to cover, please comment now. I’ll be working on my slides starting the first of December.