SWY's technical notes

Relevant mostly to OS X admins

AutoPkg and Jenkins under one admin account

Munki is awesome for updating software on macs.  But it can be better, as it first requires an admin to know there’s something to update, and to get that update, (sometimes altering the installer so it works properly), and import it to munki.  In a better world, systems will see that an update has been released and automagically bring it into munki. That better world exists, and it’s brought to us via 2 tools: AutoPKG and Jenkins.

AutoPkg can automatically check for, download and import software updates into munki. It is well documented in the wiki: I won’t be able to rewrite it better, so I direct you there.

Jenkins main purpose is to automatically test software builds, but it is also useful for automated tasks- think launchd on steroids, with easier reporting than you’d get from writing your own launchd scripts. It is also decently documented- a great starting point being the PDF and video by Greg Neagle at MacSysAdmin 2013

What’s not well documented is how to integrate them together.  Your munki+autopkg+jenkins machine (presuming they’re one and the same) will already have an admin user, where you’ve been managing the munki repository.  The Jenkins .pkg instaler will install a new Jenkins user for you, with a low uid.

I wanted to manage my autopkg jobs via my existing admin user account.  That causes a problem for Jenkins, as it won’t be able to see the recipes imported to my admin account- they write to /Users/admin/Library/AutoPkg/RecipeRepos.  My first step was to set ACLs to allow Jenkins to see that path:

chmod +a "jenkins allow read,list,readattr,execute,readextattr,readsecurity" /Users/admin/Library
chmod +a "jenkins allow read,list,write,readattr,execute,readextattr,readsecurity" /Users/admin/Library/Preferences
chmod -R +a "jenkins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" /Users/admin/Library/AutoPkg

Second was to set up the Jenkins jobs to run the desired recipes. I set a job per munki entry, running a shell command such as

/usr/local/bin/autopkg run Spotify.munki 
--search-dir /Users/admin/Library/AutoPkg/RecipeRepos/com.github.autopkg.recipes/
--override-dir /Users/admin/Library/AutoPkg/RecipeOverrides

I also added a simlink from my “real” AutoPkg plist (/Users/admin/Library/com.github.autopkg.plist) to the parallel place in the Jenkins directory, so Jenkins runs will read the configuration of the admin account.  It’s important to make sure this plist in the admin account directory maintains the following ACL.  If you add a repo or otherwise change the file and alter the ACL, Jenkins runs will break.

chmod +a "jenkins allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown" /Users/mdm01admin/Library/Preferences/com.github.autopkg.plist

On test runs on Jenkins, this gives the builds as desired.  I can now create and edit overrides as admin, save them in the expected spot, and have Jenkins run them.

Update: 2014/01/20:  Since blogging this, I’ve decided that for the sole purpose of running autopkg and reporting results, Jenkins is overkill.  Instead, I’ve migrated from the method above to Sean Kaiser’s autopkg-wrapper script, a simpler bash script + launchd to execute it. One of the fun things about IT is that there are usually many ways to accomplish a task, and we all get to choose what the optimal route is.


3 responses to “AutoPkg and Jenkins under one admin account

  1. mikael December 15, 2013 at 9:22 am

    Or you could make Jenkins to run as your admin user:

    On Mac OS X, the way I enabled Jenkins to pull from my (private) Github repo is:

    First, ensure that your user owns the Jenkins directory

    sudo chown -R me:me /Users/Shared/Jenkins
    Then edit the LaunchDaemon plist for Jenkins (at /Library/LaunchDaemons/org.jenkins-ci.plist) so that your user is the GroupName and the UserName:


    Then reload Jenkins:

    sudo launchctl unload -w /Library/LaunchDaemons/org.jenkins-ci.plist
    sudo launchctl load -w /Library/LaunchDaemons/org.jenkins-ci.plist
    Then Jenkins, since it’s running as you, has access to your ~/.ssh directory which has your keys.

  2. Pingback: You Oughta Check Out AutoPkg: Links | Managing OS X

  3. Pingback: Staying Up-To-Date on OS X - Mavericks - shawnkdev.ch

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: