NetSUSLP Server 4.0.0 is now available

Steven_Strand
New Contributor II

We have put out a new version of the NetSUS Server. The source has been updated on GitHub and it is also available as both an OVA and an installer.

Added features:
- Renamed to NetBoot/SUS/LP (NetSUSLP) for reference to LDAP Proxy.
- Added El Capitan support for SUS.
- Added firewall functionality with port managing for running NetSUSLP services by using app armor.
- Added ability to disable WebAdmin interface.
- Added LDAP Proxy functionality with the use of slapd.
- Added GAWK installation for WebAdmin on Ubuntu operating systems.
- Added functionality to only enable services as needed.
- Added functionality to update Ubuntu apt-get repository to prevent failures on service installation.
- Added certificate page to allow tomcat or slapd certificates, and configured an installation to use a self-signed certificate.
- Changed NetBoot page to enable SMB for uploading a NetBoot file, and then disable it when it is not in use.
- OVA updated to use 2GB of memory and hard drive space increased to use 300 GB of hard drive space.

https://github.com/jamf/NetSUS/blob/master/README.md

Documentation can be found at:
http://content.jamfcloud.com/NetBootSUSLPServerUserGuide_v4.0.0.pdf


mattware
Contributor

Yay! Glad to hear this. Hold my beer, diving into the docs now.

roiegat
Contributor III

Great job! I also noticed that SSH was on by default now...makes it easier to connect and work on it.

mattware
Contributor

Well that was underwhelming. I was hoping for more information on the LDAP proxy as I wasn't able to get a successful login in my environment. If anyone else has better luck than me with it, I'd love to hear about the config that worked for you.

jubei
New Contributor II

The bigger question is does this LDAP proxy work with JAMF Cloud? Our biggest hold back of going to the JAMF cloud is exposing LDAP externally. I am assuming this would step into that role but I want to be sure before getting too excited.

Steven_Strand
New Contributor II

Mattware, what issues are you running into trying to set up your environment? I didn't go into a lot of detail on the environment because of the different LDAP server types. I was able to test it with Microsoft Active Directory and see it work. So if you need more information on setting it up in Casper let me know.

Jubei as to whether or not it would work with JAMF Cloud, depending on how you are using it, it should handle some of those issues by allowing you to put this proxy server with internal and external networks so it can talk to the LDAP Server which is the internal network and offer a channel on the external network. So it may or may not fit your needs but it does allow some more options.

Steve

jubei
New Contributor II

@Steven.Strand Thx. I assumed that it could have two legs - 1 internal, 1 DMZ - but JAMF doesn't specify that in the instructions. MobileIron provides a similar appliance that you use to proxy LDAP requests to the MI cloud and I would love to leverage this for the JSS.

kentmj
New Contributor III

So if you have a 3.0 appliance and want to move to 4.0, is there some guidance? I don't manage the server end of things and will have to provide some info to that team. Thanks.

JPDyson
Valued Contributor

Interesting results so far.

Installed this OVA in our lab, added our proxy URL to the reposado prefs file, created a branch, did a sync - no other configuration changes. It seems like I've got a fairly complete catalog, but deprecated items are not deprecated, and current items ARE deprecated. Also, I have an entry at the top of the catalog listed as "may be incomplete".

So... not a great start.

Edit: Tried the sync a couple more times, deprecated items issue seemed to clear up, but I can't bulk-enable the updates. Selectively enabling some seems to work, but there are obviously too many to do this one at a time. Believe the catalog entry for some update is corrupted and causing the bulk enable to fail.

dmw3
Contributor III

@kentmj Updated from 3.02 to 4.0 without any issues, just ran NetSUSLP_4.0.0.run and it updated over the top of the previous version.

So far all looks good.

kentmj
New Contributor III

@dmw3 - we have the appliance version, not the installed version.

Steven_Strand
New Contributor II

@kentmj All you have to do is ssh into your appliance, then you can run the .run file which will effectively upgrade your NetSUS Appliance.

Steve

mattware
Contributor

@Steven.Strand I'm attempting in Active Directory, running on 2008R2. I can get what I think is the correct details added but the various logins (domain\username, username@domain, username) don't seem to work and I'm not sure what it's expecting. I suppose there is probably a log for the LDAP proxy somewhere, right?

The other thing that may just be a lack of understanding on my part, is the difference between exposed distinguished name and the real distinguished name. I tried doing some research on differences and to look for examples that might help me get somewhere in my environment, but a google search for exposed distinguished name results in almost no actual results.

Steven_Strand
New Contributor II

@mattware So the exposed distinguished name would be the distinguished name that you would give to connect to access the LDAP Proxy. The exposed distinguished name could be literally anything you want.
DC=anything,DC=anything

The real distinguished name is the actual distinguished name that the LDAP Server sets up to use. This is the one that the LDAP Proxy uses to connect to the LDAP Server and is by far the most important one as it needs to be correct.

As to configuring your LDAP Proxy in the JSS you need to configure your connection manually as it is no longer a Microsoft Active Directory Server. It is now a proxy. So you configure it manually. The settings will be very similar to the bindings you would have had without the proxy with one very big difference. All of your bindings and Distinguished names are now using the exposed distinguished name, not the real distinguished name. So for example, in the JSS your Distinguished Username would be: CN=Administrator,CN=Users,DC=anything,DC=anything.

Hopefully this helps explain things a little.

Steve
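Added example (not code from NetSUSLP or slapd) of the exposed-to-real DN mapping Steve describes above, using constructed placeholder base DNs; it also checks whether a Distinguished Username entered in the JSS actually sits under the exposed base, since a proxy can only rewrite DNs that do.

```python
# Added example, not NetSUSLP code: a proxy maps the "exposed" base DN the
# JSS is configured with onto the "real" base DN of the backing directory.
# Both base DNs below are constructed placeholders.

EXPOSED_BASE = "DC=anything,DC=anything"   # what the JSS is told to use
REAL_BASE = "DC=corp,DC=example,DC=com"    # what the directory actually has


def _ends_with_suffix(dn, suffix):
    """Case-insensitive suffix match on an RDN boundary (DNs are
    case-insensitive). Simplification: no whitespace around commas."""
    dn_l, suf_l = dn.lower(), suffix.lower()
    return dn_l == suf_l or dn_l.endswith("," + suf_l)


def to_real_dn(exposed_dn, exposed_base=EXPOSED_BASE, real_base=REAL_BASE):
    """Rewrite a DN from the exposed namespace into the real one.
    Returns None when the DN is not under the exposed base, so the caller
    rejects it instead of forwarding a DN the directory will never know."""
    if not _ends_with_suffix(exposed_dn, exposed_base):
        return None
    prefix = exposed_dn[: len(exposed_dn) - len(exposed_base)]
    return prefix + real_base


def to_exposed_dn(real_dn, exposed_base=EXPOSED_BASE, real_base=REAL_BASE):
    """Reverse mapping for DNs coming back from the directory (results)."""
    if not _ends_with_suffix(real_dn, real_base):
        return None
    prefix = real_dn[: len(real_dn) - len(real_base)]
    return prefix + exposed_base


def check_jss_bind(distinguished_username):
    """Sanity check before debugging logins: does the Distinguished
    Username from the JSS land in the exposed namespace, and what DN
    will the directory actually receive?"""
    real = to_real_dn(distinguished_username)
    return real is not None, real


if __name__ == "__main__":
    ok, real = check_jss_bind("CN=Administrator,CN=Users,DC=anything,DC=anything")
    print(ok, real)
```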

thomasC
Contributor

@Steven.Strand trying to install on Dell hardware running RHEL 6.6 and it seems network interfaces other than eth0 have issues. Is NetSUS looking for eth0? Ran this on a test VM without issue but the VM is using eth0. Changing the interface name and device name on hardware has not worked...for me anyway.

Kedgar
Contributor

For software updates, does this provide anything above what Reposado/Margarita can do on its own? I know this is based upon Reposado... I'd love to see an easier/better way to manage that tool.

L3nny5
New Contributor III

Hello,

I just set up the new NetSUS appliance from scratch (with OVA). Unfortunately I have the problem when I want to select new updates to add to distribution, that my selection doesn't get saved. After hitting "apply" it just deselects everything I selected.

Using reposado on the command line to select updates for distribution works just fine.

What could it be?

EDIT: It only happens for deselecting and if I use "Select All". If I just select 5-10 Updates it works fine. But only for adding updates to distribution. Not for deselecting.

EDIT2: Interesting fact: If I filter by year and only select all updates from 2015 and hit apply it works fine. If I do this year by year I get all updates activated. Seems like adding all updates at once seems to be too much for the appliance?!?

EDIT3: OK. Only works fine down to updates from 2012. Updates from 2011 and older can't be assigned to the branch list.

mattware
Contributor

@mpi-emae That's been a problem with the Netsus for the last couple versions. It's a PHP setting that needs to be changed to allow the Select All button to work. See here: https://github.com/jamf/NetSUS/pull/64

L3nny5
New Contributor III

@mattware Thanks! That did the job!

dwandro92
Contributor III

@Kedgar,

The last time I checked, the official Margarita webapp does not include OotB requirements for authentication. Anyone who knows the URL of the web console has full control over the SUS, unless additional configuration is performed.

As for Reposado, the NetSUSLP does not really improve manageability of branches - I still perform a lot of my work via the CLI. However, the web console does allow you to view the description of each update in a much more practical fashion.

ddbaughm
New Contributor

Found that the application is dropping the DN during the conversion from Exposed DN to Real DN. Anyone else having this issue?


rmcdonald
New Contributor III

Can't log in with default accounts to set up. Is this no longer webadmin?

My bad: The first splash page that loaded mentioned that account and so I assumed it was the account for shell access. Found the right account in the readme guide. Thanks.

dan-snelson
Valued Contributor II

@rmcdonald Whenever I can't log in via the GUI, it's because the hard drive is full.

Can you access it via SSH and purge?

sudo /var/lib/reposado/repoutil --purge-product all-deprecated

asegura
Contributor

@rmcdonald I had the same issue and discovered that the NetSUS hard drive was full. Check to see how much free space you have left.

rmcdonald
New Contributor III

I'm having issues connecting to the SUS. Not sure if it's the URL or what. I'm just using Casper Management settings for SUS and applying via Network Segments in the network organization section using the base URL with port 80.

The netboot is visible but AppStore just says it cannot connect to the SUS.

Update: Okay so for anyone else looking for a resolution it seems that in my particular case (OS X 10.11.x client) I had to use the defaults write command to get it to find the SUS. Just adding the web address in Casper management doesn't seem to take even though that worked fine when pointing it to my xserve.

The command I used was

sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://sus.mycompany.corp/content/catalogs/others/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1_<branch_name>.sucatalog

Replacing the website with my own base URL and the name of the branch I created. Although, when using the SUS settings in JSS I didn't use that URL I just put the base URL (http://sus.mycompany.corp) and used port 80. Perhaps that was where I was mistaken? Any who, if anyone else has thoughts I'd be happy to hear. Otherwise I guess I'll just have to push the command out via policy.

itupshot
Contributor II

Hi folks, does the server need to be on the same subnet as the machines it will be netbooting and serving updates for? It doesn't specifically say so in the instructions, but I thought I'd ask.

Will it be OK on a different subnet with a FQDN? In my environment, all servers are on a different subnet from our client machines.

mpermann
Valued Contributor II

@itupshot I think I've read that if you're Netbooting across subnets that you need to have IP helpers set up on your network gear to facilitate Netbooting. I don't think that is the case for the software update portion of things though. Hopefully someone else can confirm.

John_Wetter
Release Candidate Programs Tester

That's correct, for Netboot (no matter whether you're using Apple's, the NetSUS, or something else) it needs to either be on the same subnet or IP Helpers need to be put in place to allow the service advertisement to cross subnets. The IP Helper is pretty standard for these kinds of services, much like PXE on the Windows side of the world.

itupshot
Contributor II

@mpermann @john_wetter Thank you for your replies.

It won't be a big deal to put it on the same subnet, but I figured I'd ask since we have a servers' subnet. Some of our servers straddle multiple subnets (multiple NICs) so, I could set this one up that way too: one NIC on the servers' subnet, and the second NIC on the clients' subnet.

Thank you again!

eob455
New Contributor II

Anyone getting an error when importing the appliance into ESX 6?

The OVF Package requires unsupported hardware
Details: Line 25: Unsupported hardware family 'virtualbox-2.2'.

Fixed: Had to extract the ova file with 7-Zip and edit the ovf file to say vmx-11 where it says virtualbox-2.2. I could then import the ovf file directly without repackaging into ova.