
Archive for the ‘System Administration’ Category

Just in case anyone didn’t know…

March 10th, 2010 staze No comments

My favorite XKCD, probably ever.


Fun with iCal Server

March 10th, 2010 staze No comments

We run an iCal Server at work, and the mandate has been handed down that everyone needs to be subscribed to a “Vacation Calendar” that a couple people in the building maintain (my boss, the head of Operations, and the Dean’s assistant). For the most part, this has been really easy. We just created a “Vacation” user, and subscribed people to its calendar on the server with iCal. However, we have a couple PC users in the building that use Outlook, and Outlook wants an ICS file to subscribe to… not a directory. It seems like iCal Server is supposed to (or at least version 1 did) give the client a combined ICS file if you just hit the directory of the user’s calendar without specifying anything else. This doesn’t appear to work though.

So, as a workaround, I wrote up a very simple shell script that concatenates all the ics files for the vacation user into one ICS.

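```sh
#!/bin/sh

# This user's CalDAV directory. Something like:
# /Library/Calendar/calendars/__uids__/7E/1B/7E1B373E-8F22-469F-8BDF-5C3ECB996156/calendar
INPUT=""
# Where you want the combined ICS file to go. Should be a web-hosted directory
# if you expect to have clients subscribe to it. Something like:
# OUTPUT="/Library/WebServer/Documents/vacation.ics"
OUTPUT=""

# Refuse to run unconfigured; an empty INPUT would otherwise read /*.ics.
[ -n "$INPUT" ] && [ -n "$OUTPUT" ] || { echo "Set INPUT and OUTPUT first" >&2; exit 1; }

# Private temp file instead of a fixed, predictable name in /tmp.
TEMP=$(mktemp "${TMPDIR:-/tmp}/vacation.XXXXXX") || exit 1
trap 'rm -f "$TEMP"' EXIT

echo "BEGIN:VCALENDAR
PRODID:-//Vacation Merge//example.com//
VERSION:2.0
X-WR-CALNAME:Vacation Calendar" > "$TEMP"

# Drop each file's own calendar wrapper lines, keeping only its contents.
cat "$INPUT"/*.ics | grep -v "BEGIN:VCALENDAR" | grep -v "END:VCALENDAR" >> "$TEMP"

echo "END:VCALENDAR" >> "$TEMP"

# Strip carriage returns so the output has Unix line endings.
tr -d '\r' < "$TEMP" > "$OUTPUT"
```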

The big points here are, while you can just do `cat *.ics > /some/place/merged.ics` the “BEGIN:VCALENDAR” and “END:VCALENDAR” are still in there, which end up at the start and stop of each of the events in the calendar. Calendar software will stop reading once it hits one of those “END:VCALENDAR”… so the `grep -v` just removes those, and we add an end at the very end, just as we added a begin at the start.

The last line is to add unix line endings… because for some reason, this script is producing DOS line endings. *shrugs* Probably just the beginning block that has the wrong line endings. Anyway, it works.

That pretty much does it. It’s very simple. I have it run with cron every hour.

Good luck.

Proxy Splunk behind Apache 2.2

February 20th, 2010 staze No comments

Splunk is pretty damn cool. And since Splunk 4, it’s been much easier to set up and run. And since my environment at work produces a lot less than 500MB/day of logs, I can safely use the free version of splunk. But, this has a downside. You don’t get user authentication (there’s other stuff you don’t get, but the big one to me is user auth).

So, the obvious solution is to proxy Splunk behind apache and have apache do the user authentication. There’s some good info about doing this online, but it seems none of it is complete for what I was trying to do.

So, here’s what I had to do. First, the relevant chunk in the apache config (if you’re doing this over https, you may want to add “SSLProxyEngine On” before the mod_rewrite section):

```apache
<VirtualHost *:80>
	ServerName server.example.com:80
	ProxyPass /splunk http://127.0.0.1:8000/splunk
	ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
	<IfModule mod_rewrite.c>
		RewriteEngine On
		RewriteRule ^/(static.*) /splunk/$1 [P]
	</IfModule>
</VirtualHost>
```

So, on my server, I’d go to https://server.example.com/splunk to visit my splunk page. The rewrite rule is there to fix what seems like a bug in the “jobs” page for splunk, that doesn’t seem to obey the “root_endpoint” set below.

The second part of this is to set a few things in the web.conf.

In my case, since this is running on a Mac, these go in a file in /Applications/splunk/etc/system/local/web.conf

```ini
[settings]
root_endpoint = /splunk
tools.proxy.on = True
updateCheckerBaseURL = 0
```

The first basically says “everything is in the /splunk subdirectory”. The second, I’d assume, says “Splunk is being proxied”, and the third is something I had to add to fix a weird issue I was seeing after doing all of this. Once I’d proxied it, every time I opened a new session to Splunk, I would see the “Checking for Updates” and then the “Agreement” page, where the Continue button wouldn’t point back to http://server.example.com/splunk but just to http://server.example.com/. So, that third line basically disables the update check. It’s kind of silly anyway since I keep an eye on the splunk.com webpage to check for updates.

As for securing splunk beyond proxy’ing it, I just set up a realm in Server Admin that locks down the /splunk location. Pretty easy.
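One way to express that access control directly in the Apache 2.2 config, as an added example rather than the author's own setup (he used a Server Admin realm). The certificate paths, the htpasswd path and the realm name are placeholders, and the move to port 443 is an assumption based on the HTTPS URL used above.

```apache
# Added example: the page's vhost served over HTTPS with Basic auth in front.
# Certificate paths, htpasswd path and realm name are placeholders.
<VirtualHost *:443>
	ServerName server.example.com:443
	SSLEngine On
	SSLCertificateFile /path/to/server.crt
	SSLCertificateKeyFile /path/to/server.key
	# The page suggests this for HTTPS setups, ahead of the mod_rewrite section.
	SSLProxyEngine On

	# Reverse proxy only; never relay arbitrary URLs for clients.
	ProxyRequests Off
	ProxyPass /splunk http://127.0.0.1:8000/splunk
	ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
	<IfModule mod_rewrite.c>
		RewriteEngine On
		RewriteRule ^/(static.*) /splunk/$1 [P]
	</IfModule>

	# Require a login for both URL prefixes that reach Splunk. /static is
	# listed too because the rewrite rule exposes it outside /splunk.
	<LocationMatch "^/(splunk|static)">
		AuthType Basic
		AuthName "Splunk"
		AuthUserFile /path/to/splunk.htpasswd
		Require valid-user
	</LocationMatch>
</VirtualHost>

# Plain HTTP only redirects, so the Basic auth password never crosses it.
<VirtualHost *:80>
	ServerName server.example.com:80
	Redirect permanent / https://server.example.com/
</VirtualHost>
```

Create the password file with `htpasswd -c /path/to/splunk.htpasswd username`, and keep port 8000 unreachable from other hosts so the proxy cannot be bypassed.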

Good luck. Splunk is pretty cool, and makes it dead simple to track down issues, get statistics, etc. I’m still not really proficient with it, but I hope over time I’ll learn more of what I can do with it.

I hate EULAs. Especially Apple’s OS X Client one…

February 17th, 2010 staze No comments

So, I’m a Sys Admin. I spend all day running down problems, and when I’m not doing that, I’m usually working on bigger problems that are multi-day/week/month issues. And when I’m not doing that, I’m playing with something cool that’ll give us a better user experience, show us data we haven’t seen, etc. Add to this, we basically have no money (we’re State Higher Ed). So, the answer for testing issues is, obviously, virtualization (since we can’t afford to have test machines sitting around).

Now, VMware and Parallels both support Virtualizing OS X Server on Apple Hardware. They do not, however, support Virtualizing OS X Client, since Apple’s EULA specifically says “You can’t do that”.

So, being a Sys Admin, and not taking anything at face value, you look around online, and find various ways around this. Yes, it’s breaking EULA. But, I am running this on Apple Hardware, and we have broken machines sitting in a closet not running any OS. So, far as I’m concerned, it evens out. Obviously this wouldn’t hold up in court, but seriously Apple. The EULA should be something like: “You can virtualize OS X Client on Apple Xserve hardware” or something like that. Make the end user pay for it, but don’t make us hack software to make it work.

Anyway, the big thing that made me create this post is… VMware Fusion 3.0 changed things a bit. This info is still online except one minor tidbit. You HAVE to use physical media when doing the install. Don’t ask me why, you just do.

As for the rest of the info… I leave it to the readers. As for fixing the EULA… Please, Apple… Please.

UPDATE: The issue with VMware and physical media seems to be that VMware is convinced it should be attached to the VMware tools disk image to install that. If there was some way to get around that, it should be easy enough to boot off an image. Because once I had it installed, and unmounted the VMware Tools “disk”, the OS X installer image immediately mounted. *shrugs* Oh well… I got it installed.

UPDATE 2: So a big reason for this was testing. After I got a normal 10.5 client installed, I created a second VMware disk, and restored our lab image onto it. It’s actually pretty cool to have this. Means I can finally test some things that normally would require a separate machine. So again, please Apple, fix the EULA. At the very least, work with VMware to allow Mac OS X Server (and client ideally) to run on vSphere. Hell, sell some Dongle for $10k. Or hell, get them to port vSphere to the Mac, so you can put a couple Xserves in a vSphere cluster, and they’ll take care of running the Mac OS instances. I want to be able to virtualize OS X on vSphere without jumping through hoops.

Wordpress auto-update

February 15th, 2010 staze No comments

Just a quick note. Wordpress 2.9.2 came out today, and I found that since my server upgrade, the core auto-update/upgrade feature wasn’t working. It wanted me to have FTP access.

Turns out that the website folder itself (in my case, since I host on a Mac, a folder within /Library/WebServer/Documents) wasn’t owned by www. Once I chowned that to www, the auto-upgrade worked perfectly.

Everything else was already owned by www… so just make sure the folder WordPress resides in is also owned by the web user (the user httpd runs as).

Good luck! And remember, Happiness is only a chown away.