In this tutorial I will cover how to set up a Munki environment with client SSL authentication: the Munki data and web server are hosted in Docker, and an OS X machine populates the repo using AutoPkgr. Most guides out there use Chef or Puppet to push client configuration, but I wanted to focus on Docker and keep the option of moving between solutions depending on the situation and the current infrastructure.
Prerequisites
- Mac Computer.
- VMWare Fusion or Virtualbox.
- Docker Toolbox.
- Virtual Docker.
- Virtual OSX Client and Server.
Create certificates and Docker containers.
In this lab I'm using self-signed certificates, but when you plan a production solution you should use certificates from a certificate provider.
During the signing process you need to fill in Country Code, State, City, Organization, Common Name, Department and e-mail. Remember the password (the key passphrase), as it will be asked for again in the convert step.
Create a lab directory and clone the docker-munki-ssl repo.
mkdir -p ~/munki-lab
cd ~/munki-lab
git clone git@github.com:ustwo/docker-munki-ssl.git
Create a Certificate Authority root
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
Sign the client CSR with the CA (ca.key) to produce client.crt
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Convert the client key and certificate to PEM (the rsa step also strips the passphrase from the key, so you will be prompted for it)
openssl x509 -in client.crt -out client-munki.crt.pem -outform PEM
openssl rsa -in client.key -out client-munki.key.pem -outform PEM
Create the Server Key and CRT
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
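The steps above are interactive and give no feedback about whether the pieces actually fit together. Below is an added example (my own script, not from the ustwo/docker-munki-ssl repo) that runs the same openssl commands non-interactively in a scratch directory and then checks what matters before anything is copied to the container or a client: that client.crt really chains to ca.crt, that the PEM key written for the client still matches the certificate, and that the passphrase was removed from it (managedsoftwareupdate cannot type one). The subject names, the passphrase "labpass" and the 2048-bit key size are lab placeholders; the post uses 4096 bits for the CA and client keys. Note that the server certificate's Common Name must be the hostname you later put in SoftwareRepoURL.

```shell
#!/bin/sh
# Added example: non-interactive version of the CA / client / server
# certificate steps, plus the checks worth running before deploying them.
# Assumes openssl on PATH. Names, passphrase and key size are placeholders.
set -eu

DAYS=365
BITS=2048   # the post uses 4096 for CA and client keys; 2048 keeps the demo fast

# Create ca.key/ca.crt, client.key/client.csr/client.crt, the PEM copies munki
# reads, and a self-signed server.key/server.crt, all inside directory $1.
make_lab_certs() {
    d=$1
    # Certificate Authority root (unencrypted key here; add -des3 for a passphrase)
    openssl genrsa -out "$d/ca.key" "$BITS" 2>/dev/null
    openssl req -new -x509 -days "$DAYS" -key "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=Munki Lab/CN=Munki Lab CA"
    # Client key with a passphrase, as in the post; -passout avoids the prompt
    openssl genrsa -des3 -passout pass:labpass -out "$d/client.key" "$BITS" 2>/dev/null
    openssl req -new -key "$d/client.key" -passin pass:labpass -out "$d/client.csr" \
        -subj "/O=Munki Lab/CN=munki-client"
    # Sign the CSR with the CA: this is what the server will later verify
    openssl x509 -req -days "$DAYS" -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 01 -out "$d/client.crt" 2>/dev/null
    # PEM copies for the client; the key is written WITHOUT the passphrase
    openssl x509 -in "$d/client.crt" -out "$d/client-munki.crt.pem" -outform PEM
    openssl rsa -in "$d/client.key" -passin pass:labpass \
        -out "$d/client-munki.key.pem" -outform PEM 2>/dev/null
    # Self-signed server cert; CN must match the SoftwareRepoURL hostname
    openssl req -x509 -nodes -days "$DAYS" -newkey rsa:"$BITS" \
        -keyout "$d/server.key" -out "$d/server.crt" \
        -subj "/O=Munki Lab/CN=munki.example.com" 2>/dev/null
}

# Exit 0 if certificate $2 (inside directory $1) chains to $1/ca.crt.
cert_chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Exit 0 if private key $2 belongs to certificate $1 (same RSA modulus).
key_matches_cert() {
    cm=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$cm" = "$km" ]
}

# Exit 0 if the PEM key in $1 carries no passphrase (no ENCRYPTED header).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Run the whole thing in a scratch directory and report.
lab=$(mktemp -d)
make_lab_certs "$lab"
cert_chains_to_ca "$lab" client.crt && echo "client.crt is issued by ca.crt"
cert_chains_to_ca "$lab" server.crt || echo "server.crt is self-signed, not issued by ca.crt (expected in this lab)"
key_matches_cert "$lab/client-munki.crt.pem" "$lab/client-munki.key.pem" && echo "client PEM key matches client cert"
key_is_unencrypted "$lab/client-munki.key.pem" && echo "client PEM key has no passphrase"
openssl x509 -noout -subject -issuer -enddate -in "$lab/client.crt"
echo "files are in $lab"
```

The same three checks (verify against ca.crt, modulus match, no ENCRYPTED header) are what to run on the files you generated by hand with the commands above before copying them anywhere.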
Build the munki container
docker build -t munki-ssl .
Create a Data Container:
docker run -d --name munki-data --entrypoint /bin/echo munki-ssl Data-only container for munki-ssl
Start the munki-ssl container
docker run -d --name munki-ssl --volumes-from munki-data -p 443:443 -h munki-ssl munki-ssl
What about data in your repo?
It's high time to fill your repo with data. In my lab I shared the munki-data container over SMB and then used AutoPkgr and MunkiAdmin to fill it. That will not be covered in this guide, but Google will help you out.
Munki Client setup
Transfer client-munki.crt.pem and client-munki.key.pem to your client.
scp client-munki.* admin@client.example.com:/tmp
Then ssh to your client machine and continue the setup.
Place certs in Managed Install folder
sudo mkdir -p /Library/Managed\ Installs/certs
sudo chmod 0700 /Library/Managed\ Installs/certs
sudo cp /tmp/client-munki.crt.pem /Library/Managed\ Installs/certs/client-munki.crt.pem
sudo cp /tmp/client-munki.key.pem /Library/Managed\ Installs/certs/client-munki.key.pem
sudo chmod 0600 /Library/Managed\ Installs/certs/client-munki*
sudo chown root:wheel /Library/Managed\ Installs/certs/client-munki*
Change the ManagedInstalls.plist defaults:
sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "https://munki.example.com/repo"
sudo defaults write /Library/Preferences/ManagedInstalls ClientCertificatePath "/Library/Managed Installs/certs/client-munki.crt.pem"
sudo defaults write /Library/Preferences/ManagedInstalls ClientKeyPath "/Library/Managed Installs/certs/client-munki.key.pem"
sudo defaults write /Library/Preferences/ManagedInstalls UseClientCertificate -bool TRUE
Test out the client:
sudo /usr/local/munki/managedsoftwareupdate -vvv --checkonly