A mini Mac Solution - O'Reilly Media

Listen Print Discuss

A mini Mac Solution
Pages: 1, 2

The Software

Although we knew that Mac OS X is a fairly complete BSD system (modulo the fact that the "games" are missing), we weren't sure how many packages we would need to locate and install in order to match our current environment.

We knew that Mac OS X includes the Apache (HTTP) server; we were delighted to discover that most Apache modules are built and ready to "turn on." We were also pleased to learn that Mac OS X also includes ready-to-run copies of other well-regarded server applications:

BIND (DNS)
Cyrus (IMAP, POP3, etc.)
Postfix (SMTP)

That said, this was not a trivial upgrade. We needed to install (or upgrade) and configure several other packages (Berkeley DB, MediaWiki, Movable Type, MySQL, Perl, Procmail, Ruby on Rails, SpamAssassin, TWiki, and more), but we weren't too concerned by this. Besides, it gave us an opportunity to bring our versions up to date.

The Network

Like many small sites, we have needed to support a number of machines on a single IP address. So, we had a NAT-based router, but it was a mass-market product with sharply limited capabilities. To support the migration, we needed something a bit more serious.

Based on some expert advice, we upgraded to a Linksys RV042 router. This unit has a second WAN port, which can also be configured to provide a second, "DMZ" LAN. It can also do port forwarding to multiple machines and perform a number of other nifty tricks.

The enhanced port forwarding let us move (and test) individual services one at a time, eliminating the need for an "all or nothing" move. The dual-WAN capability helped us migrate smoothly to a new ISP. (We could respond to both IP addresses, so there was no loss of connectivity due to DNS changes.)

Name service (BIND) configuration was complicated by the fact that we act as our own DNS primary server, support several DNS domains, and use NAT on our LAN. As a result, we run "split DNS," providing different information (on each domain) for the LAN (us) and the WAN (everyone else).

To ease the maintenance burden, we use a shell script to generate the configuration files. Some simple naming conventions allow us to keep track of the files. For example, generated files live in /var/named/[lw]an_1. Similarly, our named.conf equivalents are named /etc/named.d/nc_[lw]an_1.

User Accounts

The normal OSX techniques for handling user accounts aren't really meant to handle dozens of users. Nor do they understand that you might want to have users who only access the machine via POP3. (Why provide shell accounts to folks who will never use them?) Fortunately, NetInfo Manager is quite willing to configure/reconfigure these sorts of accounts.

To provide a bit of "security through obscurity," we gave our shell users different "Short Names" than their email addresses imply. We also added distinctive prefixes (e.g., Xp, Xs) to the "Full Names" of external users. This causes those names to sort to the end of assorted display lists, with the added feature of identifying account types.

Email

We had gotten reasonably used to administering Sendmail, but we never grew all that fond of it. Even with the aid of m4(1) macros, the configuration was too baroque for comfort. So, we were quite willing to give Postfix a try. Besides, it was already installed!

Although there was certainly a learning curve, we found that Postfix does everything we need, uses entirely comprehensible control files, has quite comprehensible documentation, and provides excellent (if somewhat voluminous) logging. In addition, the modular design of Postfix allows us to track its activities very closely.

When we first configured Postfix, we were rather appalled by the volume of its logfiles and the impact it had on the mini's interactive performance. However, some logfile analysis revealed that 99 percent of the log messages (and most of the activity) was generated by email to invalid recipients (nonexistent addresses).

Fortunately, these messages can be filtered out by a properly configured "front end" server. So, we set up a spare machine (B&W Power Mac G3) to perform the function of "email toaster." Its logs are huge, but we don't care, and the mini can easily deal with the remaining 1 percent of the influx.

We did, however, need to work around a bug in lookupd(8). Apparently, our intensive use of Postfix exercises a memory leak. So, once an hour, a cron(8) job does a killall -HUP lookupd. This keeps the daemon from periodically paralyzing the system.

Finally, Postfix made it easy for us to install Procmail and SpamAssassin support for all email accounts. This lets us filter out the majority of spam before our users ever see it, although we retain all filtered spam for a week as a safety net for our users. This "spam dump" also provides a handy source of debugging and tuning information.

The Web

As previously discussed, Mac OS X comes with a complete Apache implementation, but it is initially configured to support the fairly simple "Personal Web Sharing." After fiddling a bit with file locations and configuration settings, however, we were able to get all of our old web pages working. The big win here is that most of the major Apache extensions (e.g., mod_Perl, php4) are already installed; just turn on the appropriate configuration variables and restart web services.

Overall

The migration took us a month, working evenings and weekends around other projects (such as our "real" jobs). There was some cleanup necessary after that, in large part due to configuration bobbles and over-zealous spam filtering.

Still, we're quite pleased with the results. Most of the mistakes we made were due to our own misunderstandings while climbing several new learning curves. The system itself, as well as the WWW, provided plenty of hints, clues, and assistance. The pain level wasn't much more than a FreeBSD upgrade would have caused and our next system upgrade should be very easy.

We couldn't have done this three years ago, when we first started to discuss the idea. We didn't know enough about Mac OS X and it hadn't reached its current level of maturity. Besides, giving up on FreeBSD wasn't an easy choice.

Looking back, however, we're convinced we made the right decision. The mini is running smoothly. The front-end email toaster has experienced a few hiccups, but we've been tuning it. And, finally, it's extremely satisfying to have consistency among all of the machines on the local net.

Useful Resources

Apple tends to incorporate mature, popular, and well-supported Open Source software in its releases. We tend to look for these attributes as well. Consequently, there is seldom any shortage of online documentation, mailing lists, etc.

In many cases, there are books as well. Here are some books we found useful in our migration:

Rich Morin, Vicki Brown are long-time users of both Mac OS and Unix. For obvious reasons, they find Mac OS X to be totally delightful.

Return to MacDevCenter.com.

Comment on this article
You must be logged in to the O'Reilly Network to post a talkback.

Showing messages 1 through 13 of 13.

Beware Software Update
2007-02-27 10:00:38 bwh1248 [Reply | View]

Now that you have fully tricked out your MacOSX client install, please keep in mind that running Software Update now needs to be done with extreme caution. Apple loves to push out new versions of the underlying software components, like Apache, and replace configuration files and other things you may have changed to get things working just the way you like. So make sure you keep good backups, and be prepared to use them after applying new MacOSX updates.

Thanks for the helpful article, by the way!

Mini (or any Mac as a server
2007-02-23 17:11:35 jeffW [Reply | View]

Client or server (the difference is minimal, unless you insist on GUI admin tools), mac is the best platform.

For OUTSTANDING instructions on how to actually get all this running and working well, look at

http://switch.richard5.net

or his new site

http://diymacserver.com

for instructions on compiling, security, etc.

(not my site, and I am not paid to promote it...)

It all works very well for my server.

Just Buy Tenon.
2007-02-15 16:46:14 enicar [Reply | View]

For less than the cost of your mini you could have gotten the Tenon ( www.tenon.com ) iTools/Post.Office deal w/ a yr. of support and had a very easy to setup and use Apache 2.x, eMail, and DNS services.

Been using Tenon server products since the OS8/WebTen days w/ excellent support and minimal problems.

Just Buy Tenon.
2007-02-15 21:56:44 rdm [Reply | View]

Tenon makes fine software products; I'm glad they are solving your problems. However, their software has to be run on some kind of hardware platform. If we spent our funds on software, we would still need to come up with hardware to run it on. So, this is not a feasible trade-off.

More generally, alternatives such as Post.Office and Mac OS X Server all share the same problem: they're not Mac OS X. We use vanilla Mac OS X on all of our other machines; running it on our server means that we only have one set of OS vagaries to learn and remember. We find this to be a compelling advantage.

Freemacblog.com Server Series Videos
2007-02-15 08:46:42 rkm28 [Reply | View]

At Freemacblog.com we've created a series of video tutorials on how to setup your Mac as a server. We have videos on how to configure Apache for multiple domains, how to install PHP and MySQL, etc. A mail server video is on the way. Might be interested to some readers of this article:

http://www.freemacblog.com/category/server-video-series/

Time is money
2007-02-14 12:28:20 dark13star [Reply | View]

I have to agree with the poster who recommends buying server. I understand that you may want to do this for the challenge, but you cite the cost of Server as the reason. I migrated from Linux to OS X server back on 10.2 for a similar setup and the time it saves me is well worth the cost. When I had to migrate to a new machine (10.4 doesn't support G3), it took me less than a day to build the new server and swap it in.

Just buy Server !
2007-02-14 02:24:04 andrewrennard [Reply | View]

That was an interesting article, but really - if your time is valuable why not just pay that (relatively little) extra and buy a copy of OS X server ? Most of the things you had to configure manually have a nice GUI control on Server - plus Server has some very nice monitoring tool too.

Just buy Server !
2007-02-16 08:48:11 RvA [Reply | View]

The tools are not great at all. They fail in many way's. If you use DNS you have to do thing by hand to do it correct. If you use Web, Rules and other things will be changed when you save them. Like upper and lowercase letters.

The only thing what was valuable is the user and file Manager.
But it was a waste of money. I use it now, because I have to test things. But will never buy one.

Just buy Server !
2007-02-14 13:49:21 curtian4 [Reply | View]

Doesn't Mac OS X Server prevent itself from running on a Mac Mini? Maybe that was for the G4 version, but it was at least partly why I don't run it on my Mac mini server. Maybe there's a way to hack it to work?

Just buy Server !
2007-03-01 13:29:32 kevin.allen@mindspring.com [Reply | View]

Server runs just fine on my Mini G4 with no changes or hacks at all.

Just buy Server !
2007-02-16 08:41:52 RvA [Reply | View]

It runs perfect on a mac mini.

No problems

Nice Mini Article
2007-02-14 01:10:50 RvA [Reply | View]

Thanks, but for me about the most interesting part I would like to know more of is the user setup.
Can you, please tell us more how to do this with netInfo, and the step of how you did that?

Thanks

Nice Mini Article
2007-02-14 09:43:35 rdm [Reply | View]

We'd be happy to do s detailed follow-up article, if there's sufficient interest. This would also allow us to report on emerging problems, etc.