Home

Awesome

Munki-Do

Munki-Do enables the manipulation of Munki packages via the web. Munki-Do is an altered version of MunkiWebAdmin (v1) from Greg Neagle.

Some existing functionality from MunkiWebAdmin has been retained:

  1. Manifests: create/delete manifests, and manage the contents of manifests.
  2. Catalogs: view the contents of catalogs, view pkginfo file contents in tabular form.

New functionality has been added:

  1. Add multiple packages to a new or existing catalog
  2. Remove multiple packages from a catalog
  3. Move packages to a new or existing catalog
  4. Delete packages and their associated pkginfo files
  5. Delete orphaned packages (those without corresponding pkginfo files)
  6. Download packages directly from the Munki Repo for ad-hoc installation
  7. Works with git-enabled Munki repositories
  8. Can be set to create new git branches for each update, based on logged in user.

Some of the original functionality of MunkiWebAdmin has been removed from Munki-Do, such as reporting tools. For reporting tools, I recommend:

Munki-Do was forked from Steve Kueng's forked development of MunkiWebAdmin:

The function to manipulate pkginfo files utilises munkitools (specifically, the makecatalogs command). This has been tested on an Ubuntu 14.04 VM, but you will need to ensure that your nginx user has write permissions to your munki repo. Use of group permissions is recommended.

The code which enables movement of packages between catalogs is a derivation of code from Munki-Trello by Graham Gilbert: https://github.com/grahamgilbert/munki-trello

Docker

I encourage the use of Munki-Do as a Docker container. I have personally never attempted to install it natively.

This git repository contains all the necessary files to run a Docker container. The following environment variables can be set in a docker run command:

Example:

docker run -d --restart=always --name munki-do \
    -p 8000:8000 \
    -v /var/www/html/munki_repo:/munki_repo \
    -v /home/myhome/munki-do-db:/munki-do-db \
    -e DOCKER_MUNKIDO_GIT_PATH="/usr/bin/git" \
    -e DOCKER_MUNKIDO_GIT_BRANCHING="yes" \
    -e DOCKER_MUNKIDO_GIT_IGNORE_PKGS="yes" \
    -e DOCKER_MUNKIDO_MANIFEST_RESTRICTION_KEY="restriction" \
    grahamrpugh/munki-do

You must set up a directory on your local host for the Django database, which stores user information. This is specified in your docker run command as in the above example.

Quick setup for testing

docker-machine-munki-do-start.sh is a single shell script designed to get Munki-Do running in a test environment. You need to have Docker Toolbox installed to use this, and you will need to edit the paths to your munki_repo directory:

If you set the GITLAB_DATA variable in docker-machine-munki-do-start.sh, Gitlab is setup on the resulting Docker Machine, so you can test Munki-Do's Git capabilities on a local git repository. Note that if you choose to do this, you must set up the munki_repo repository in the Gitlab UI as follows:

For more information on using the Docker-Gitlab container, see https://github.com/sameersbn/docker-gitlab

User permissions

The default admin account has username ("admin") and password ("password").

The Admin console can be used to set users with discrete permissions on the Packages, Catalogs and Manifests sections. The relevant permissions are:

User permissionWhat it allows
catalogs | catalogs | Can view catalogsViewing Catalogs Index - this must be set for all users
manifests | manifests | Can view manifestsViewing Manifests Index - this must be set for all users
manifests | manifests | Can add manifestsAdd new manifests
manifests | manifests | Can change manifestsEdit manifests
manifests | manifests | Can delete manifestsDelete manifests
pkgs | pkgs | Can view packagesViewing Packages Index - this must be set for all users
pkgs | pkgs | Can change pkgsEdit pkginfo files - i.e. add/remove catalog array entries
pkgs | pkgs | Can delete pkgsDelete pkginfo files and packages from the repository

Superusers (including the 'admin' account) automatically have all permissions. Users given 'staff' rights can access the admin console.

Restricting manifest editing rights

You may wish to restrict the right to edit certain manifests to certain users in your organisation. For example, you may wish to allow the editing of individual client manifests, but prevent editing of certain "core" manifests that affect a large number of machines. Alternatively, you may have different manifests for different organisational units, and may wish to only allow members of those units to edit their own manifests.

Munki-Do can be configured to restrict manifest editing based on Django group membership. To enable this feature, set MANIFEST_RESTRICTION_KEY in settings.py or with the Docker DOCKER_MUNKIDO_MANIFEST_RESTRICTION_KEY environment variable. Normally, "restriction" will suffice.

Any group created in Munki-Do's Django admin interface can be used, as can 'staff' and 'superuser'. If you enter a group name which doesn't exist, only superusers will be able to edit that manifest. Superusers can edit any manifest.

Munki-with-Git

Munki-Do is now enabled for Git. If you set the GIT_PATH path in settings.py or with the DOCKER_MUNKIDO_GIT_PATH Docker environment variable, any changes made to the manifests or pkginfo files will attempt to be committed to the git repository. By default, these are committed to the current branch, which is not determined by Munki-Do. See Git Branching below to change this behaviour.

To enable git in your repository, follow the instructions here: https://github.com/munki/munki/wiki/Munki-With-Git

You can put the pkgs folder in .gitignore, but you must allow the catalogs, manifests and pkgsinfo folders to be updated.

The GIT_IGNORE_PKGS key in settings.py or the DOCKER_MUNKIDO_GIT_IGNORE_PKGS Docker environment variable allows you to ignore the pkgs directory, in the case that you have set git to ignore this folder. This is a common scenario due to the large file sizes stored in the pkgs folder.

If GIT_IGNORE_PKGS is enabled, Munki-Do will simply delete the files in the pkgs folder, rather than using git rm and committing the changes to a git repository.

Git Branching

Git branching is now available. This is enabled in settings.py by setting GIT_BRANCHING to 'yes' (or with the DOCKER_MUNKIDO_GIT_BRANCHING Docker environment variable.

By default, Munki-Do does not determine the branch of your repository. You could choose to work on an "unstable" branch and use another means to push to a master branch (e.g. manual intervention by a superuser, or a cron job).

With Git branching enabled, any commit made by a user creates a new branch in the repo named username_DDMMYYhhmmss and pushes the changes to that branch. The server then checks out the default branch (normally 'master') to maintain a consistent view for all users and avoid checkout competition.

Note: no commit notification is built into Munki-Do. You should configure your Git repository to provide notifications when new commits are pushed. I recommend using Slack for these notifications.

An administrator with rights to the repo then can check and merge (or reject) the user's branch into the master branch.

A button is made available for users to update their view (this issues a 'git pull' command).

When a new manifest is created, pushing to git is delayed until a change is made to that manifest. This avoids the Munki-Do user's view returning to the master branch, which doesn't yet contain the new manifest. The active branch in the server remains set to the newly created branch until the new manifest is edited and saved, at which time it is committed to the new branch and the master branch is checked out.

If both GIT_IGNORE_PKGS and GIT_BRANCHING are enabled, then since changes are made to a new git branch and are not "live" on the production branch, it is important that the contents of the pkgs folder are not deleted at the time of commit. The act of deleting contents from the pkgs folder then becomes manual, to be done by the administrator performing git merges. To facilitate this, use the "Manage Orphaned Packages" link, which lists all files in the pkgs folder which are not referenced in a pkginfo file (and which are therefore irrelevant to the munki repository). These packages can then be selected and deleted using the UI. At present this link is only available to users that are marked as "Staff" in the admin panel.

To Do

Munki-Do is still a work in progress, so use in production at your own risk. I welcome the raising of issues, and pull requests...

Possible new features: