Chef resources and recipes for managing and provisioning macOS.
- Chef 18
- macOS 12 Monterey
- macOS 13 Ventura
- macOS 14 Sonoma
A Chef cookbook used to provision macOS
Home Page: https://supermarket.chef.io/cookbooks/macos
License: MIT License
Based off these lines it sounds like support for additional hypervisors would be a welcome PR?
Currently, the macos cookbook is matching off of the ['hardware']['machine_model'] fact, which will work on the default Parallels and VMware setup but not so much if the user overrides the model. Lots of admins override the model for testing purposes, mostly for Apple Device Enrollment Program tests.
Instead of relying on the machine model to accurately represent whether the machine is a VM, we could use the ['cpu']['flags'] output to look for vmm, which is an accurate way to determine if the machine is a VM in VMware Fusion, Parallels, VirtualBox or physical.
This is a more generic approach that matches the method name.
We could use the ['ohai hardware']['boot_rom_version'] to accurately grab the VM type for VMware Fusion & VirtualBox, then shell out to system profiler to get the SPEthernetDataType key to validate on Parallels. See the IT-CPE PR for reference.
Thoughts? I personally prefer Option 1 but could see why you might want to know what hypervisor the machine is running.
References:
On Mojave, up until recently the xcode recipe was working and I managed to install XCode 10.0 on my systems.
But chef-client runs started to fail recently:
Recipe: macos::disable_software_updates
* plist[disable automatic software update downloads] action set (up to date)
* plist[disable automatic software update check] action set (up to date)
* execute[disable software updates using commandline utility] action run (skipped due to not_if)
Recipe: macos::xcode
* execute[Disable Gatekeeper] action run
- execute ["spctl", "--master-disable"]
* xcode[10.0] action install_gem
================================================================================
Error executing action `install_gem` on resource 'xcode[10.0]'
================================================================================
NoMethodError
-------------
undefined method `tr' for nil:NilClass
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/macos/libraries/command_line_tools.rb:15:in `initialize'
/var/chef/cache/cookbooks/macos/resources/xcode.rb:9:in `new'
/var/chef/cache/cookbooks/macos/resources/xcode.rb:9:in `block in class_from_file'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/macos/recipes/xcode.rb
6: xcode node['macos']['xcode']['version']
7:
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/macos/recipes/xcode.rb:6:in `from_file'
xcode("10.0") do
action [:install_gem, :install_xcode, :install_simulators]
default_guard_interpreter :default
declared_type :xcode
cookbook_name "macos"
recipe_name "xcode"
end
System Info:
------------
chef_version=14.5.33
platform=mac_os_x
platform_version=10.14.1
ruby=ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin15]
program_name=/usr/local/bin/chef-client
executable=/opt/chef/bin/chef-client
Running handlers:
[2018-11-06T09:39:38+01:00] ERROR: Running exception handlers
Running handlers complete
[2018-11-06T09:39:38+01:00] ERROR: Exception handlers complete
Chef Client failed. 1 resources updated in 29 seconds
[2018-11-06T09:39:38+01:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2018-11-06T09:39:38+01:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-11-06T09:39:38+01:00] FATAL: NoMethodError: xcode[10.0] (macos::xcode line 6) had an error: NoMethodError: undefined method `tr' for nil:NilClass
I thought it was linked to the release of XCode 10.1 so I forced to this last version in my attributes file:
default['macos']['xcode']['version'] = '10.1'
But it didn't help.
It would be nice if the values of XCODE_INSTALL_USER and XCODE_INSTALL_PASSWORD could be set via attributes. For example I would like to use chef-vault instead of data bags but the xcode resource currently requires a data bag.
I would like to be able to do something like this in my recipe:
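include_recipe 'chef-vault'
vault = chef_vault_item(:credentials, 'apple_id')
# node.set was removed in Chef 14; node.normal is its direct replacement.
# Normal attributes are saved with the node object on the Chef server.
node.normal['macos']['apple_id']['user'] = vault['user']
node.normal['macos']['apple_id']['password'] = vault['password']
include_recipe 'macos::xcode'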
It is fine if you default them to the data bag values but it would be nice with an option to override the default values if you want to use chef-vault for example.
When using the 'machine_name' resource to set the hostname, an error message is received. This exception is also thrown if I explicitly specify the hostname attribute.
Chef::Exceptions::ValidationFailed: Property hostname must be one of: String! You passed nil.
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/gma-macos-mojave/recipes/default.rb:15:in `from_file'
machine_name("gma-mojave") do
action [:set]
default_guard_interpreter :default
declared_type :machine_name
cookbook_name "gma-macos-mojave"
recipe_name "default"
hostname "gma-mojave"
end
System Info:
------------
chef_version=14.9.13
platform=mac_os_x
platform_version=10.14
ruby=ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-darwin16]
program_name=/usr/local/bin/chef-client
executable=/opt/chef/bin/chef-client
Running handlers:
[2019-01-27T19:08:28-06:00] ERROR: Running exception handlers
Running handlers complete
[2019-01-27T19:08:28-06:00] ERROR: Exception handlers complete
Chef Client failed. 1 resources updated in 10 seconds
[2019-01-27T19:08:28-06:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2019-01-27T19:08:28-06:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2019-01-27T19:08:28-06:00] FATAL: Chef::Exceptions::ValidationFailed: machine_name[gma-mojave] (gma-macos-mojave::default line 15) had an error: Chef::Exceptions::ValidationFailed: Property hostname must be one of: String! You passed nil.
Failed cookbook quality testing file metric on public Supermarket.
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
================================================================================
Error executing action `create` on resource 'macos_user[create admin user randall and enable automatic login]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
execute[add user randall] (/tmp/kitchen/cache/cookbooks/macos/resources/macos_user.rb line 48) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
---- Begin output of ["/usr/sbin/sysadminctl", "-addUser", "randall", "", "-password", "correct-horse-battery-staple", "-admin"] ----
STDOUT:
STDERR: 2018-01-25 11:17:50.480 sysadminctl[880:5142] Failed to authenticate with SystemAdministration framework.
---- End output of ["/usr/sbin/sysadminctl", "-addUser", "randall", "", "-password", "correct-horse-battery-staple", "-admin"] ----
Ran ["/usr/sbin/sysadminctl", "-addUser", "randall", "", "-password", "correct-horse-battery-staple", "-admin"] returned 255
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/macos_test/recipes/new_users.rb
1: macos_user 'create admin user randall and enable automatic login' do
2: username 'randall'
3: password 'correct-horse-battery-staple'
4: autologin true
5: admin true
6: end
7:
When you create a macos_user using the resource from this cookbook, the actual user creation may well fail, but Chef seems to think it has succeeded anyway because the command has run.
For example, if you have configuration to create a user, but the password does not meet the requirements, the command fails. However Chef reports back green and continues with the run.
This is problematic as it led me to debugging the wrong step of my cookbook, the step after which depended on the success of the previous user creation.
An example error message when the password does not meet requirements:
2019-05-02 13:40:31.419 sysadminctl[2801:17519] New account password error. (5402)
Looking in the debug logs of a chef-client run:
* execute[add user auser] action run[2019-05-02T13:36:07+01:00] INFO: Processing execute[add user auser] action run (/var/chef/cache/cookbooks/macos/resources/macos_user.rb line 79)
[execute] 2019-05-02 13:36:08.057 sysadminctl[2180:14017] New account password error. (5402)
[2019-05-02T13:36:08+01:00] INFO: execute[add user auser] ran successfully
- execute ["/usr/sbin/sysadminctl", "-adminUser", "admin", "-adminPassword", "redacted", "-addUser", "auser", "-fullName", "Another User", "-password", "redacted", ""]
If you run manually the problem is probably a return code of 0 as shown below:
IMAC4:~ admin$ sudo /usr/sbin/sysadminctl -adminUser admin -adminPassword redacted -addUser auser -fullName "Another User" -password "redacted"
2019-05-02 13:40:31.419 sysadminctl[2801:17519] New account password error. (5402)
IMAC4:~ admin$ echo $?
0
A good way to recreate is to use green in a password because it defies the consecutive character rule Apple have. I guess this only applies when you have not set a custom password policy.
Would there be any way to add validation to the resource after an account is created?
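One way to add the post-creation validation asked about above, as an added example that is not part of the original issue or the cookbook's own code: it treats the sysadminctl stderr messages quoted on this page as failures even when the exit code is 0, confirms the account record with dscl, and redacts password arguments before they can reach an error message. The function names, the injectable `runner:` and `exists:` parameters and the short-name pattern are assumptions made for the illustration.

```ruby
require 'open3'

# Failure messages sysadminctl writes to stderr. Both patterns come from the
# output quoted on this page; the list is not exhaustive.
SYSADMINCTL_FAILURES = [
  /New account password error\. \(\d+\)/,
  /Failed to authenticate with SystemAdministration framework/
].freeze

# Flags whose next argument is a secret and must never reach a log line.
SECRET_FLAGS = %w[-password -adminPassword -newPassword -oldPassword].freeze

# stderr lines copied from the chef-client output quoted on this page.
PASSWORD_POLICY_STDERR =
  "2019-05-02 13:36:08.057 sysadminctl[2180:14017] New account password error. (5402)\n"
AUTH_FAILURE_STDERR =
  "2018-01-25 11:17:50.480 sysadminctl[880:5142] Failed to authenticate with SystemAdministration framework.\n"

CreateResult = Struct.new(:ok, :reason)

# Replace the value that follows each secret flag so the argv is safe to log.
def redact_argv(argv)
  hide_next = false
  argv.map do |arg|
    if hide_next
      hide_next = false
      '[REDACTED]'
    else
      hide_next = SECRET_FLAGS.include?(arg)
      arg
    end
  end
end

# Default runner: execute argv without a shell and return [stderr, exit code].
def run_argv(argv)
  _out, err, status = Open3.capture3(*argv)
  [err, status.exitstatus]
end

# Default post-condition: dscl exits non-zero when the user record is missing.
# The short-name pattern (an assumption) keeps the value inside /Users/.
def user_record_exists?(username)
  return false unless username.match?(/\A[a-z_][a-z0-9_-]*\z/i)

  _out, _err, status =
    Open3.capture3('/usr/bin/dscl', '.', '-read', "/Users/#{username}", 'UniqueID')
  status.success?
end

# Run the add-user command and only report success when all three checks pass:
# exit code, no known failure message on stderr, and the record really exists.
def add_user_checked(argv, username, runner: method(:run_argv), exists: method(:user_record_exists?))
  stderr, code = runner.call(argv)
  unless code == 0
    return CreateResult.new(false, "exit #{code.inspect}: #{redact_argv(argv).join(' ')}")
  end

  hit = stderr.each_line.find { |line| SYSADMINCTL_FAILURES.any? { |re| line =~ re } }
  return CreateResult.new(false, "exit 0 but stderr reports: #{hit.strip}") if hit
  return CreateResult.new(false, "exit 0 but no record for #{username}") unless exists.call(username)

  CreateResult.new(true, 'created')
end
```

In a custom resource, a result with `ok` set to false would be turned into a raised exception so the run stops at the user-creation step.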
Usage of the ard resource in macOS Mojave results in the following message from macOS:
Warning: macOS 10.14 and later only allows control if Screen Sharing is enabled through System Preferences.
Additionally, there have been several reports that, when connecting to a VM or metal over VNC, observing works but controlling does not.
Intermittent failure when testing the macos_user resource where the admin user does not get added to the test group or admins group.
2018-03-15T03:35:03.2319760Z ∅ new macOS users: User randall (2 failed)
2018-03-15T03:35:03.2341210Z ✔ User randall should exist
2018-03-15T03:35:03.2362240Z ✔ User randall uid should eq 503
2018-03-15T03:35:03.2383270Z ✔ User randall gid should eq 20
2018-03-15T03:35:03.2404190Z ✔ User randall home should eq "/Users/randall"
2018-03-15T03:35:03.2425240Z ∅ User randall groups should include "alpha"
2018-03-15T03:35:03.2446510Z expected ["staff", "everyone", "localaccounts", "_lpoperator"] to include "alpha"
2018-03-15T03:35:03.2467740Z ✔ User randall groups should include "staff"
2018-03-15T03:35:03.2488700Z ∅ User randall groups should include "admin"
2018-03-15T03:35:03.2509330Z expected ["staff", "everyone", "localaccounts", "_lpoperator"] to include "admin"
This one is tough to reproduce and will likely require a fairly deep investigation.
macos-cookbook has a resource called macos_user, used for creating users in a macos environment. It needs documentation.
The security command is the command line interface to keychains and Security framework.
Installing certificates via a new resource is helpful. Currently this can only be done via an execute block with the following:
security import ./somecert.p12 -P secretPassword
There are several other features that the security command is capable of and can be seen in the following documentation
The xcode resource fails to install the xcode-install gem when the command line tools are not installed. We need to check for their existence and install them if missing.
* chef_gem[xcode-install] action install
================================================================================
Error executing action `install` on resource 'chef_gem[xcode-install]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of /opt/chef/embedded/bin/gem install xcode-install -q --no-rdoc --no-ri -v "2.3.1" --source=https://www.rubygems.org --no-document --no-user-install ----
STDOUT: Successfully installed claide-1.0.2
Successfully installed slack-notifier-2.3.2
Successfully installed atomos-0.1.2
Successfully installed CFPropertyList-2.3.6
Successfully installed colored2-3.1.2
Successfully installed nanaimo-0.2.3
Successfully installed xcodeproj-1.5.6
Successfully installed rouge-2.0.7
Successfully installed xcpretty-0.2.8
Successfully installed terminal-notifier-1.8.0
Successfully installed terminal-table-1.8.0
Successfully installed public_suffix-2.0.5
Successfully installed word_wrap-1.0.0
Successfully installed tty-screen-0.6.4
Successfully installed tty-cursor-0.5.0
Successfully installed tty-spinner-0.8.0
Successfully installed babosa-1.0.2
Successfully installed colored-1.2
Successfully installed commander-fastlane-4.4.6
Building native extensions. This could take a while...
STDERR: ERROR: Error installing xcode-install:
ERROR: Failed to build gem native extension.
current directory: /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/unf_ext-0.0.7.5/ext/unf_ext
/opt/chef/embedded/bin/ruby -r ./siteconf20180317-1387-v2qc6l.rb extconf.rb
checking for -lstdc++... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers. Check the mkmf.log file for more details. You may
need configuration options.
Provided configuration options:
--with-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/opt/chef/embedded/bin/$(RUBY_BASE_NAME)
--with-static-libstdc++
--without-static-libstdc++
--with-stdc++lib
--without-stdc++lib
/opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:468:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:553:in `try_link0'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:568:in `try_link'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:786:in `try_func'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:1013:in `block in have_library'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:956:in `block in checking_for'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:351:in `block (2 levels) in postpone'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:321:in `open'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:351:in `block in postpone'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:321:in `open'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:347:in `postpone'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:955:in `checking_for'
from /opt/chef/embedded/lib/ruby/2.4.0/mkmf.rb:1008:in `have_library'
from extconf.rb:6:in `<main>'
To see why this extension failed to compile, please check the mkmf.log which can be found here:
/opt/chef/embedded/lib/ruby/gems/2.4.0/extensions/x86_64-darwin-14/2.4.0/unf_ext-0.0.7.5/mkmf.log
extconf failed, exit code 1
Gem files will remain installed in /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/unf_ext-0.0.7.5 for inspection.
Results logged to /opt/chef/embedded/lib/ruby/gems/2.4.0/extensions/x86_64-darwin-14/2.4.0/unf_ext-0.0.7.5/gem_make.out
---- End output of /opt/chef/embedded/bin/gem install xcode-install -q --no-rdoc --no-ri -v "2.3.1" --source=https://www.rubygems.org --no-document --no-user-install ----
Ran /opt/chef/embedded/bin/gem install xcode-install -q --no-rdoc --no-ri -v "2.3.1" --source=https://www.rubygems.org --no-document --no-user-install returned 1
Failed cookbook quality contributing file metric on public Supermarket
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
This execute block in the xcode resource takes more than 1 hour to complete on my machine (with ~14 Mbit/s bandwidth):
action :install_xcode do
  execute "install Xcode #{new_resource.version}" do
    environment DEVELOPER_CREDENTIALS
    command XCVersion.install_xcode(new_resource.version)
    not_if { Xcode.installed?(new_resource.version) }
  end
end
So it fails with:
ERROR: xcode[9.2] (macos::xcode line 1) had an error: Mixlib::ShellOut::CommandTimeout: execute[install Xcode 9.2] (/tmp/kitchen/cache/cookbooks/macos/resources/xcode.rb line 27) had an error: Mixlib::ShellOut::CommandTimeout: Command timed out after 3600s:
Command exceeded allowed execution time, process terminated
---- Begin output of /opt/chef/embedded/bin/xcversion install '9.2' ----
STDOUT:
###################################################################### 97.7%######## 100.0%
---- End output of /opt/chef/embedded/bin/xcversion install '9.2' ----
It looks like it was very close to completion within the time limit though.
Is it possible to extend the timeout property of the execute block (maybe 2 hours is a better timeout limit)?
I think it is fair to assume that a 5GB download + installation will exceed 1 hour for a lot of people.
Add CHANGELOG.md file to repo with release notes for different versions. Makes it easier to see changes in chef supermarket as well as in the repo here without having to go through commits.
I would love the ability to import profiles that were generated from either "Apple Configurator 2" or "Profile Manager" via a cookbook with files/wifi_network.mobileconfig
directory '/tmp' do
  action :create
end
cookbook_file '/tmp/wifi_network.mobileconfig' do
  source 'wifi_network.mobileconfig'
  action :create
end
execute 'import_wifi' do
  command '/usr/bin/profiles -I -F /tmp/wifi_network.mobileconfig'
  action :run
end
Implement the -T option mentioned below so Apps can access imported key.
The certificate resource could have an applications property that can take in an array of specified applications.
import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]
    Import one or more items from inputfile into a keychain. If keychain isn't provided, items will
    be imported into the user's default keychain.
    Options:
    -k keychain     Specify keychain into which item(s) will be imported.
    -t type         Specify the type of items to import. Possible types are cert, pub, priv, session,
                    cert, and agg. Pub, priv, and session refer to keys; agg is one of the
                    aggregate types (pkcs12 and PEM sequence). The command can often figure out what
                    item_type an item contains based in the filename and/or item_format.
    -f format       Specify the format of the exported data. Possible formats are openssl, bsafe,
                    raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can
                    often figure out what format an item is in based in the filename and/or
                    item_type.
    -w              Specify that private keys are wrapped and must be unwrapped on import.
    -x              Specify that private keys are non-extractable after being imported.
    -P passphrase   Specify the unwrapping passphrase immediately. The default is to obtain a secure
                    passphrase via GUI.
    -a attrName attrValue
                    Specify optional extended attribute name and value. Can be used multiple times.
                    This is only valid when importing keys.
    -A              Allow any application to access the imported key without warning (insecure, not
                    recommended!)
    -T appPath      Specify an application which may access the imported key (multiple -T options
                    are allowed)
There have been a few reports that the Feedback Assistant app is occasionally intrusive and causes problems with certain types of software tests that use AppleScript/GUI. I propose we add an attribute to remove the application altogether (or disable the server that launches the app). SIP does need to be disabled in order to remove the app, and I'm pretty sure this daemon is installed via software updates and/or enrolling in the developer seed with the macos beta package.
default['macos']['disable_feedback_assistant'] = boolean
The macos_user resource should have a property that specifies what group(s) the macos_user belongs to.
Currently adding a user to a group requires the usage of the macos_user resource, followed by the Chef core group resource.
macos_user 'create admin user ' do
  username 'johnd'
  fullname 'John Doe'
  password 'password'
  admin true
  action :create
end
group 'groups for some action ' do
  group_name 'csi'
  members 'johnd'
  action :create
end
sysadminctl adduser has fullName as an option. This can be helpful when specifying a more verbose name other than username.
sysadminctl -deleteUser [-secure || -keepHome] -newPassword -oldPassword [-passwordHint ] -resetPasswordFor -newPassword [-passwordHint ] -addUser [-fullName ] [-UID ] [-password ] [-hint ] [-home ] [-admin] [-picture ]
I'm looking at how best to manage our Mac fleet and this cookbook provides some great resources to start with. I have some use cases I'm struggling to figure out.
I've noticed that if the user exists, then the user is skipped over. This works nicely for onboarding with minimal disruption, but not for managing user accounts.
The example here is that I may want to rotate the admin passwords regularly, without affecting the user's standard account.
Our initial accounts like all macs, are created as admin under the user's name. We would like to be able to downgrade that user to standard, when another admin account exists of course. This doesn't currently look possible from my testing.
I may well be missing something and there could be other ways to manage users in a more mac friendly way?
But basically I'd like to be able to converge to a known state with chef, based on what I've configured for a machine. In the two examples, this doesn't seem possible.
This may work better as two separate issues?
Thinking about how to manage password changes seems complicated and would require the admin to maintain the configuration powering said change.
* macos_user[add administrative account] action create
* execute[add user admin] action run (skipped due to not_if)
* plist[set true to DidSeeSiriSetup] action set (up to date)
* plist[set true to DidSeeCloudSetup] action set (up to date)
* plist[set 10.13.3 to LastSeenCloudProductVersion] action set (up to date)
* plist[set user "admin" to login automatically] action set
- convert "com.apple.loginwindow.plist" to binary
* execute[/usr/bin/plutil, -convert, binary1, /Library/Preferences/com.apple.loginwindow.plist] action run
- execute ["/usr/bin/plutil", "-convert", "binary1", "/Library/Preferences/com.apple.loginwindow.plist"]
* file[/etc/kcpassword] action create (up to date)
Running handlers:
First chef run should have reached a converged state.
Resources updated in a second chef-client run:
- macos_user[add administrative account]
[2018-02-15T13:27:13-08:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process terminated by signal 9 (KILL)
[2018-02-15T13:27:13-08:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process terminated by signal 9 (KILL)
This actually appears to be related to #15, and may have been resolved preemptively. It is unclear at this point if this is due to a race condition, is an issue within the macos_user resource, or is an issue with the plist resource itself.
The plist resource is not correctly modifying several settings in multiple macOS versions, including (but possibly not limited to):
Preparing files for transfer
Preparing dna.json
Resolving cookbook dependencies with Berkshelf 6.3.1...
Removing non-cookbook files before transfer
Preparing validation.pem
Preparing client.rb
-----> Chef Omnibus installation detected (install only if missing)
Transferring files to <default-apex-macos-10116>
Starting Chef Client, version 13.5.3
resolving cookbooks for run list: ["macos::keep_awake", "macos::disable_software_updates", "macos_test::new_users", "macos_test::preferences"]
Synchronizing Cookbooks:
- macos_test (1.0.0)
- macos (0.10.0)
- homebrew (4.2.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 22 resources
Recipe: macos::keep_awake
* plist[disable Power Nap] action set (up to date)
* plist[enable automatic restart on power loss] action set (up to date)
* plist[set display sleep timer to zero] action set (up to date)
* plist[enable wake from sleep via network] action set (up to date)
* plist[set system sleep timer to zero] action set (up to date)
* plist[disable screensaver] action set (up to date)
* systemsetup[Set amount of idle time until computer sleeps to never] action set (up to date)
* systemsetup[set amount of idle time until display sleeps to never] action set (up to date)
* systemsetup[set amount of idle time until hard disk sleeps to never] action set (up to date)
* systemsetup[set remote apple events to on] action set (up to date)
* systemsetup[disable the power button from being able to sleep the computer.] action set (up to date)
* systemsetup[set the number of seconds after which the computer will start up after a power failure to zero.] action set (up to date)
* systemsetup[set restart on freeze to on] action set (up to date)
* systemsetup[set network time server to time.windows.com] action set (up to date)
* systemsetup[set current time zone to America/Los_Angeles] action set (up to date)
Recipe: macos::disable_software_updates
* plist[disable automatic software update check] action set (up to date)
* plist[disable automatic software update downloads] action set
- add "AutomaticDownload" to com.apple.SoftwareUpdate.plist
- create disable automatic software update downloads
- set entry to "AutomaticDownload"
- set "AutomaticDownload" to false at com.apple.SoftwareUpdate.plist
- create disable automatic software update downloads
- set value to false
* execute[/usr/libexec/PlistBuddy -c 'Add :AutomaticDownload bool' /Library/Preferences/com.apple.SoftwareUpdate.plist] action run
- execute /usr/libexec/PlistBuddy -c 'Add :AutomaticDownload bool' /Library/Preferences/com.apple.SoftwareUpdate.plist
* execute[/usr/libexec/PlistBuddy -c 'Set :AutomaticDownload false' /Library/Preferences/com.apple.SoftwareUpdate.plist] action run
- execute /usr/libexec/PlistBuddy -c 'Set :AutomaticDownload false' /Library/Preferences/com.apple.SoftwareUpdate.plist
Recipe: macos_test::new_users
* macos_user[create admin user randall and enable automatic login] action create
* execute[add user randall] action run (skipped due to not_if)
* plist[set true to DidSeeSiriSetup] action set (up to date)
* plist[set true to DidSeeCloudSetup] action set (up to date)
* plist[set 10.11.6 to LastSeenCloudProductVersion] action set (up to date)
* plist[set user "randall" to login automatically] action set
- convert "com.apple.loginwindow.plist" to binary
* execute[/usr/bin/plutil -convert binary1 /Library/Preferences/com.apple.loginwindow.plist] action run
- execute /usr/bin/plutil -convert binary1 /Library/Preferences/com.apple.loginwindow.plist
* file[/etc/kcpassword] action create (up to date)
* macos_user[create non-admin user johnny] action create
* execute[add user johnny] action run (skipped due to not_if)
(up to date)
Recipe: macos_test::preferences
* plist[show hidden files] action set
- convert "com.apple.finder.plist" to binary
* execute[/usr/bin/plutil -convert binary1 /Users/vagrant/Library/Preferences/com.apple.finder.plist] action run
- execute /usr/bin/plutil -convert binary1 /Users/vagrant/Library/Preferences/com.apple.finder.plist
* plist[put the Dock on the left side] action set (up to date)
* plist[disable window animations and Get Info animations] action set (up to date)
Running handlers:
Running handlers complete
Chef Client finished, 8/33 resources updated in 11 seconds
Finished converging <default-apex-macos-10116> (0m15.83s).
New plists can now be created with the plist resource, but if a user plist is created, the permissions need to be modified using the builtin file resource. The plist resource should have owner and mode properties. Usage would look like so:
plist 'show hidden files' do
  path '/Users/vagrant/Library/Preferences/com.apple.finder.plist'
  entry 'AppleShowAllFiles'
  value true
  owner 'vagrant'
  mode 0o700
end
Spotlight resource assumes that the metadata server is running and hasn't been disabled with launchctl unload.
This requires a workaround of adding a launchd resource to start it and a small delay block to allow for it to finish spinning up before the spotlight resource is called:
launchd 'metadata server' do
  path '/System/Library/LaunchDaemons/com.apple.metadata.mds.plist'
  action :enable
end
ruby_block 'wait for metadata server spin-up' do
  block { sleep 2 }
end
spotlight '/'
Expose the --url flag for xcversion install as a property of the xcode resource.
This allows installation of Xcode from a custom file path or URL (e.g. CDN, storage account) reducing the dependency on developer.apple.com, and removing the need for setting Apple ID secrets.
Apple outlines the steps to do this using the dscl command in the "Hide a user account in macOS" support article.
The helper for xcversion fails if Chef is installed in another place, this is common if you're running using chefdk/chef-workstation.
Certain workflows work off of the 'latest' stable version of Xcode. It would be nice to be able to specify 'latest' for the version property.
macOS-cookbook currently only has support from el-capitan to high-sierra.
Mojave is just around the corner and it would be a good idea to start having support for it.
Due to changes in the output of softwareupdate --list, Xcode Command Line Tools are not being installed for Catalina.
- execute ["softwareupdate", "--install", "No Command Lines Tools available from Software Update Catalog!"]
The following screensaver plist modification would only work on 10.12 but not 10.13
plist 'disable screensaver' do
  path "/Users/#{node['macos']['admin_user']}/Library/Preferences/ByHost/com.apple.screensaver.#{hardware_uuid}.plist"
  entry 'idleTime'
  value 0
end
In 10.13, the only key available in screensaver.plist is tokenRemovalAction.
In 10.12, the only keys available were askForPassword, askForPasswordDelay, and tokenRemovalAction, so setting idleTime would not have worked either.
Setting these using defaults write com.apple.screensaver askForPassword -bool TRUE does a write to the plist file, but does not actually result in ANY observable difference.
abc@defg:~$ defaults read com.apple.screensaver
{
    askForPassword = 1;
    tokenRemovalAction = 0;
}
2018-03-15T00:09:55.9858670Z found more than one group with the same name, please use `groups` resource
During a kitchen converge, the iOS simulator installation will sometimes cause a crash in the net-ssh gem:
2018-02-12T19:13:32.6031260Z * execute[install Xcode 8.2.1] action run
2018-02-12T19:13:32.6047250Z - execute /opt/chef/embedded/bin/xcversion install '8.2.1'
2018-02-12T19:13:32.6079890Z
2018-02-12T19:13:34.8773880Z * xcode[8.2.1] action install_simulators[2018-02-12T11:13:34-08:00] WARN: iOS Simulator list not populated yet
2018-02-12T19:13:34.8789810Z [2018-02-12T11:13:34-08:00] WARN: iOS Simulator list not populated yet
2018-02-12T19:13:48.7091180Z
2018-02-12T19:15:42.5665420Z /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/buffered_io.rb:102:in `send': closed stream (IOError)
2018-02-12T19:15:42.5682040Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/buffered_io.rb:102:in `send_pending'
2018-02-12T19:15:42.5698340Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:271:in `block in ev_do_handle_events'
2018-02-12T19:15:42.5714540Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:270:in `each'
2018-02-12T19:15:42.5731160Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:270:in `ev_do_handle_events'
2018-02-12T19:15:42.5747520Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/event_loop.rb:110:in `ev_select_and_postprocess'
2018-02-12T19:15:42.5764620Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/event_loop.rb:29:in `process'
2018-02-12T19:15:42.5780760Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:216:in `process'
2018-02-12T19:15:42.5796890Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:178:in `block in loop'
2018-02-12T19:15:42.5812960Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:178:in `loop'
2018-02-12T19:15:42.5829040Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:178:in `loop'
2018-02-12T19:15:42.5845080Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/net-ssh-4.1.0/lib/net/ssh/connection/session.rb:124:in `close'
2018-02-12T19:15:42.5861160Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/test-kitchen-1.19.2/lib/kitchen/transport/ssh.rb:121:in `close'
2018-02-12T19:15:42.5877290Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/test-kitchen-1.19.2/lib/kitchen/transport/ssh.rb:98:in `cleanup!'
2018-02-12T19:15:42.5893410Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/test-kitchen-1.19.2/lib/kitchen/instance.rb:294:in `cleanup!'
2018-02-12T19:15:42.5909550Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/test-kitchen-1.19.2/lib/kitchen/command.rb:205:in `run_action_in_thread'
2018-02-12T19:15:42.5925830Z from /opt/chefdk/embedded/lib/ruby/gems/2.4.0/gems/test-kitchen-1.19.2/lib/kitchen/command.rb:169:in `block (2 levels) in run_action'
Some mention of this issue in the wild - net-ssh/net-ssh#493 and test-kitchen/test-kitchen#1184
Xcode resource should be able to install at a given path, e.g.
xcode '9.4' do
  path '/Applications/My_Xcode.app'
  ios_simulators %w(11 10)
end
Currently downstream cookbooks need to do their own handling post-install if a non-default path is needed.
Most recent build of the macos_cookbook reveals the following
Deprecated features used!
Resource homebrew_cask has been loaded from a cookbook. The resource homebrew_cask is now included in Chef and will take precedence over the existing cookbook resource in the next major release of Chef (15.0, April 2019). You may be able to remove this cookbook dependency from your runlist if you do not use other recipes/resources/libraries from the cookbook. Alternatively there may be a newer version of this cookbook without the homebrew_cask resource. at 1 location:
- /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.3.37/lib/chef/log.rb:51:in `caller_location'
See https://docs.chef.io/deprecations_map_collision.html for further details.
Resource homebrew_tap has been loaded from a cookbook. The resource homebrew_tap is now included in Chef and will take precedence over the existing cookbook resource in the next major release of Chef (15.0, April 2019). You may be able to remove this cookbook dependency from your runlist if you do not use other recipes/resources/libraries from the cookbook. Alternatively there may be a newer version of this cookbook without the homebrew_tap resource. at 1 location:
- /opt/chef/embedded/lib/ruby/gems/2.5.0/gems/chef-14.3.37/lib/chef/log.rb:51:in `caller_location'
See https://docs.chef.io/deprecations_map_collision.html for further details.
This failure is actually pretty strange. We haven't seen this one before - thinking it may be a race condition caused by consecutive calls to systemsetup.
2018-03-15T00:14:10.7204340Z * system_preference[set the time zone] action set
2018-03-15T00:14:10.7222670Z - set timezone to America/Los_Angeles
2018-03-15T00:14:10.7243320Z - update set the time zone
2018-03-15T00:14:10.7264620Z - set setting to "America/Los_Angeles" (was "US/Pacific")
2018-03-15T00:14:10.7632670Z * execute[/usr/sbin/systemsetup, -settimezone, America/Los_Angeles] action run
2018-03-15T00:14:10.7654920Z - execute ["/usr/sbin/systemsetup", "-settimezone", "America/Los_Angeles"]
2018-03-15T00:14:10.7673130Z
2018-03-15T00:14:10.8070420Z * system_preference[enable remote login] action set (up to date)
2018-03-15T00:14:10.9046440Z * defaults[com.apple.screensaver] action run (skipped due to not_if)
2018-03-15T00:14:10.9461160Z
2018-03-15T00:14:10.9476060Z Running handlers:
2018-03-15T00:14:10.9491080Z First chef run should have reached a converged state.
2018-03-15T00:14:10.9509050Z Resources updated in a second chef-client run:
2018-03-15T00:14:10.9529780Z - system_preference[set the time zone]
Re: machine_name resource: one thing to keep in mind is that we don't have the same sort of logic that exists when you set a machine name using System Preferences > Sharing. In other words, LocalHostName cannot contain particular characters (whereas ComputerName and HostName can contain any characters).
Per the comment in the machine_name resource:
# We cannot set the LocalHostName here because it does not conform to
# the DNS standards outlined in RFC 1034 (section 3.5)
We need to implement unit tests and corresponding logic for the translation of something like New_10.13.2_WashingMachine to New-10132-WashingMachine. This is what System Preferences does to make sure the LocalHostName meets RFC 1034.
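One way to implement the translation requested in the issue above, as an added example that is not the cookbook's own code. The module and method names are hypothetical; the rules (whitespace and underscores become hyphens, every other disallowed character is dropped, names that still break RFC 1034 section 3.5 are rejected) are assumptions generalized from the single New_10.13.2_WashingMachine case.

```ruby
# Added example: derive an RFC 1034 (section 3.5) label from a free-form
# ComputerName before it is handed to anything that sets LocalHostName.
# Module and method names are hypothetical, not part of the macos cookbook.
module LocalHostNameExample
  MAX_LABEL_LENGTH = 63 # RFC 1034 limits a single label to 63 octets

  # Must start with a letter, end with a letter or digit, and contain only
  # letters, digits and hyphens in between.
  RFC1034_LABEL = /\A[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?\z/

  module_function

  # True when the name is already usable as a LocalHostName.
  def valid_label?(name)
    name.length <= MAX_LABEL_LENGTH && RFC1034_LABEL.match?(name)
  end

  # Translate a ComputerName into a label, or raise if nothing valid is left.
  # Assumption: separators become hyphens and other characters are removed,
  # which reproduces the New_10.13.2_WashingMachine case from the issue.
  def to_local_hostname(computer_name)
    label = computer_name.to_s
                         .gsub(/[\s_]+/, '-')        # runs of spaces/underscores -> one hyphen
                         .gsub(/[^A-Za-z0-9-]/, '')  # drop dots, quotes, non-ASCII, etc.
                         .slice(0, MAX_LABEL_LENGTH) # enforce the label length limit
                         .gsub(/\A-+|-+\z/, '')      # no leading or trailing hyphens
    return label if valid_label?(label)

    # Empty results and names starting with a digit land here: strict
    # RFC 1034 requires a leading letter, so fail instead of guessing.
    raise ArgumentError, "cannot derive an RFC 1034 label from #{computer_name.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample names, the first taken from the issue text.
  ['New_10.13.2_WashingMachine', "John's MacBook Pro"].each do |name|
    puts "#{name.inspect} -> #{LocalHostNameExample.to_local_hostname(name)}"
  end
end
```

Raising on an unusable name keeps a converge from silently writing a LocalHostName that differs from what the operator expects.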
When using a macOS Vagrant base box running 10.14.5, and attempting to install Xcode 10.2 and Xcode 10.2.1 using the newest version of macOS cookbook (3.0.1), the Xcode installation hangs, does not complete the installation, and eventually times out.
Could not find a writable folder for the contents of "Xcode_10.2.xip". Try moving it to a writable folder
Apple has changed and/or deprecated links the macos-cookbook is using.
In certificates, the learn more about security link is broken.
In keychain, the learn more about security link is broken.
In plist, the links for defaults, plutil, and PlistBuddy are all broken.
In spotlight, the learn more about spotlight link is broken.
For example, if the setting in System Preferences is changed from 0 to 300 (5 minutes), the screensaver_dsiabled? method still returns true. Regex pattern needs to be updated/fixed.
Using the macos_user resource to delete an existing user does not work.
As per the macos_user readme
:delete
Delete a user specified by the macos_user username property.
I try to delete the previously created johnny account by doing the following
macos_user 'delete johnny' do
  username 'johnny'
  action :delete
end
and unfortunately get
* macos_user[delete johnny] action delete
================================================================================
Error executing action `delete` on resource 'macos_user[delete johnny]'
================================================================================
Chef::Exceptions::ValidationFailed
----------------------------------
name is a required property
There are also no integration tests that test for user deletion either.
This error occurs occasionally during the unattended bootstrap process:
ard[activate and configure remote management] (lab_core::remote_management line 16) had an error: Mixlib::ShellOut::ShellCommandFailed: execute[/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart] (/var/chef/cache/cookbooks/macos/resources/ard.rb line 72) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '2'
---- Begin output of /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -access -on -privs -all ----
STDOUT: Starting...
Setting allow all users to YES.
STDERR: <dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
2018-03-17 01:29:30.569 defaults[1335:9723] Could not write domain /Library/Preferences/com.apple.RemoteManagement; exiting
Could not update RemoteManagement perference file with new allowAccessFor setting. at /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart line 1073.
---- End output of /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -access -on -privs -all ----
Ran /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -allUsers -access -on -privs -all returned 2
2018-03-15T00:09:55.9858670Z found more than one group with the same name, please use `groups` resource
Attempting to install Xcode on a Sierra system using the Xcode resource fails with the error:
gem_package[xcode-install] action install
================================================================================
Error executing action `install` on resource 'gem_package[xcode-install]'
================================================================================
Mixlib::ShellOut::ShellCommandFailed
------------------------------------
Expected process to exit with [0], but received '1'
---- Begin output of /usr/bin/gem install xcode-install -q --no-rdoc --no-ri -v "2.3.1" --source=https://www.rubygems.org --no-document
It appears that the gem jwt can no longer be installed on native Sierra Ruby (ruby 2.0.0p648):
STDERR: ERROR: Error installing xcode-install:
jwt requires Ruby version >= 2.1.
It appears that the iOS 10 simulators are no longer available from Apple, but the Xcode recipe is trying to install them anyway:
* xcode[9] action install_simulators[2017-10-21T12:06:17-07:00] INFO: Processing xcode[9] action install_simulators (macos::xcode line 1) 2017-10-21T19:11:04.7928550Z
parallels-pvm: [2017-10-21T12:06:22-07:00] FATAL: iOS 10 Simulator no longer available from Apple! 2017-10-21T19:11:04.7945450Z
parallels-pvm: [2017-10-21T12:06:22-07:00] INFO: Running queued delayed notifications before re-raising exception
This occurred both when the xcode.rb recipe was used:
include_recipe 'macos::xcode'
and when the xcode resource was alone:
xcode '9'
More investigation should be done to see why the Xcode resource is attempting to install simulators by default.
xcode resource fails to install Xcode on Chef 15 due to gmkdir missing.
STDERR: ERROR: Error installing xcode-install: ERROR: Failed to build gem native extension.
Running handlers:
[2019-07-08T12:12:40-07:00] ERROR: Running exception handlers
Running handlers complete
[2019-07-08T12:12:40-07:00] ERROR: Exception handlers complete
Chef Infra Client failed. 224 resources updated in 11 minutes 59 seconds
[2019-07-08T12:12:40-07:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2019-07-08T12:12:40-07:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2019-07-08T12:12:40-07:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: xcode[install Xcode 9.4.1] (apex_automation::xcode line 6) had an error: Mixlib::ShellOut::ShellCommandFailed: chef_gem[xcode-install] (/tmp/kitchen/cache/cookbooks/macos/resources/xcode.rb line 12) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /opt/chef/embedded/bin/gem install xcode-install -q --no-document -v "2.5.0" --source=https://www.rubygems.org --no-document --no-user-install ----
STDOUT: Successfully installed claide-1.0.2
Successfully installed slack-notifier-2.3.2
Successfully installed atomos-0.1.3
Successfully installed CFPropertyList-3.0.0
Successfully installed colored2-3.1.2
Successfully installed nanaimo-0.2.6
Successfully installed xcodeproj-1.10.0
Successfully installed rouge-2.0.7
Successfully installed xcpretty-0.3.0
Successfully installed terminal-notifier-2.0.0
Successfully installed terminal-table-1.8.0
Successfully installed public_suffix-2.0.5
Successfully installed multipart-post-2.0.0
Successfully installed word_wrap-1.0.0
Successfully installed tty-cursor-0.7.0
Successfully installed tty-spinner-0.9.1
Successfully installed babosa-1.0.2
Successfully installed colored-1.2
Successfully installed commander-fastlane-4.4.6
Successfully installed excon-0.64.0
Building native extensions. This could take a while...
STDERR: ERROR: Error installing xcode-install:
ERROR: Failed to build gem native extension.
current directory: /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/unf_ext-0.0.7.6/ext/unf_ext
/opt/chef/embedded/bin/ruby -I /opt/chef/embedded/lib/ruby/site_ruby/2.6.0 -r ./siteconf20190708-27933-15k8xci.rb extconf.rb
checking for -lstdc++... yes
creating Makefile
current directory: /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/unf_ext-0.0.7.6/ext/unf_ext
make "DESTDIR=" clean
current directory: /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/unf_ext-0.0.7.6/ext/unf_ext
make "DESTDIR="
compiling unf.cc
linking shared-object unf_ext.bundle
current directory: /opt/chef/embedded/lib/ruby/gems/2.6.0/gems/unf_ext-0.0.7.6/ext/unf_ext
make "DESTDIR=" install
make: /usr/local/bin/gmkdir: No such file or directory
make: *** [.sitearchdir.time] Error 1
make install failed, exit code 2
Related to AB#3477094
Looks like we might be assuming that the xcode-install gem is installed when checking for updates.
* xcode[install Xcode 9.2] action setup
* chef_gem[xcode-install] action install (up to date)
* execute[update available Xcode versions] action run
================================================================================
Error executing action `run` on resource 'execute[update available Xcode versions]'
================================================================================
Errno::ENOENT
-------------
No such file or directory - /opt/chef/embedded/bin/xcversion
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/macos/resources/xcode.rb
20: execute 'update available Xcode versions' do
21: environment DEVELOPER_CREDENTIALS
22: command XCVersion.update
23: end
24: end