This resulted a ping dump with over 30 000 "samples" which weren't that useful as such. So I wrote a little PHP script to parse the ping output. The script (which is now part of MTK) generates a CSV file with the first column being the timestamp and the second the ICMP ECHO delay. When I run Gnuplot on it, I get something that looks like this:

Which is actually pretty cool. I can see right away that during the 24 hours, the delay has never increased over 0.7 ms. There's also an interesting gap around 0.2 ms.

pingraph also has another "mode" of operation. If the number of samples is small (<= 100), then it tells Keynote to draw the graph:

I found that anything above 100 data points chokes osascript.

Anyways, in a serious environment you'd probably have Nagios or some other nice tool to do this for you, but for my purposes this was good enough. Some day I'll try to add a simple method to filter the data set to specific timeframes...

tell application "Remote Desktop"
    set theIp to Internet address of selection
    set defaultUser to current user of selection
    set theUser to text returned of (display dialog "" default answer defaultUser)
    tell application "Terminal"
        activate
            do script "ssh -l " & quoted form of theUser & " " & theIp
        end tell
end tell

Save that as a script with AppleScript Editor named "Open SSH connection" under ~/Library/Scripts/Applications/Remote Desktop and now you have way to do just that straight from the menu bar.

this makes it much more useful. Thanks to Robbie for the hint!

After spending hours in the network closet, systematically unplugging each device to see if it had any effect on the issue, I finally found it - it was a printer who's Bonjour name was "Mörkö". The problem disappeared after renaming it to "Morko". So I filed a bug report.

It turned out Apple saw this as a security issue and so they took it very seriously and I'm happy to report that it's been resolved in 10.6.4:

I think this might be the first time one of my bug reports has actually been fixed. It was really nice to see Apple take this as seriously as they did and it actually motivated me to keep reporting bugs in the future (I had kinda given up on that after all those "known issues"). Of course, having your and your fledgling company's name mentioned on apple.com never hurts either (even though probably 9 people in the world actually read the detailed contents of Security Updates). :-)

Surprisingly, it's not available through MacPorts or Fink and compiling it from source has been rather tricky in the past. Through some experimentation I found that the CVS version works better on 10.6 and was even able to build a universal binary of it. We've been running this version for months now on a Mac mini and an old Nokia phone.

You can download the installer from here. In addition to the application it also includes launchd jobs for bearerbox and smsbox. Check /etc/kannel.conf before loading them in. The full Kannel documentation is available here.

I've only been able to test this with 10.6, let me know if you have problems on 10.5. One day I hope to find time to write a more detailed article on how to set this up...

The first was created in 2007, the second in 2009. I would assume the latter is more relevant. On page 10 of that document we find the following statement:

Expanding a Volume
You can use the command line to expand (add space to) an existing volume from
the available space on the RAID set that hosts it.
Expanding a volume doesn’t affect data already on the volume
To expand a volume:
Open Terminal and enter the following command:
$ sudo raidutil modify volume --expand -n volume -s size
where volume is the name of the volume as shown by
the raidutil list volumeinfo command and size is the amount of space you want to add to the volume.

Having been tasked with reorganizing some storage in a late 2008 Xserve, I thought this is perfect - I can resize my volumes without having to format/restore the whole server. In the worst case scenario, maybe having to restore the boot partition, but that's fine. So, boot up the installer, Utilities > Terminal, and:

# raidutil modify volume --expand -n R1V2 -s 1.6TB
Unsupported by this version of the hardware/firmware.

Whatever. You kinda get used to this sorta crap dealing with Apple's servers. Of course, they don't have to explain to my users why the server upgrade's gonna take 3x more time than planned. This is the reason you should never give any time estimate on how long an upgrade will take - this gig just went from a few hours to an entire day, just due to this tiny detail.

Maybe they'll fix this some day (or just withdraw the instructions), I don't know, but it's something to be aware of, for sure.

At first this looked a bit like the proxy bug, but since this isn't about delegates, but actual user accounts (and since running proxyclean didn't find any errors) I turned my attention to Open Directory. Luckily, iCal Server 2 comes with actually helpful logging, even at Information log level, just:

    tail -f /var/log/caldavd/error.log

and you'll be able to see exactly how caldavd is talking to OD. Looking at that I was able to determine that OD was actually returning all the right search results (when the user was typing a name of the attendee). But even when OD returned just 1 record, iCal would still show 2. Then I remembered seeing a button iCal > Preferences > Advanced called "Clear Attendee Cache"

"Yes! The attendee cache! Sounds like just the thing!" - I yelled, only to find the button no longer there, in 10.6:

Well, let's make that "button" ourselves. Fire up Remote Desktop, select the ailing machines, Click "Send UNIX command" (as the currently logged in user), and:

    killall -m '^iCal$'
    mv ~/Library/Caches/com.apple.iCal ~/.Trash/
    open /Applications/iCal.app/

And voilà! Problem solved!

• Enable PLAIN authentication for IMAP, POP and SMTP. This isn't such a big issue if you're using SSL. Some Nokia's might actually do CRAM-MD5 off the bat, but sooner or later you will run into a user who can't log in.

• Enable "SMTPS" support in Postfix. "SMTPS", on port 465, was a "brilliant" Microsoft idea to start using port 465 for secured SMTP connections after they apparently couldn't get Outlook 2000 to work with port 25. They just missed the fact that 465 had already been assigned to another protocol by IANA. What's fine for Microsoft's fine for Nokia, unfortunately, changing the mail client on a mobile is a bit more difficult than moving your poor Outlook user to Thunderbird, so:

  sudo nano -B +30 /etc/postfix/master.cf
  <uncomment lines 30-33> and save
  sudo postfix reload
  

And also don't forget to forward tcp/465 to your mail server in your firewall.

1. Create your self-signed cert in Server Admin, sans passphrase
2. Have it signed by a Certificate Authority
3. Import the signed cert, verify that all works.

Great. Now you want to install Rumpus and the WFM and use SSL for that too. First, let's try to just paste the PEM file:

# cat /etc/certificates/mycert.key.pem
-----BEGIN RSA PRIVATE KEY-----
<OUTPUT REMOVED FOR BREVITY>
-----END RSA PRIVATE KEY-----

Paste that into stunnel... and:

Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: error stack: 906A068 : error:0906A068:PEM routines:PEM_do_header:bad password read
Mar 25 18:50:17 mail [0x0-0x24024].com.maxum.rumpus[3144]: 2010.03.25 18:50:17 LOG3[3704:2694202624]: SSL_CTX_use_RSAPrivateKey_file: 906406D: error:0906406D:PEM routines:DEF_CALLBACK:problems getting password

Yeww. Hmm. Looks like I have to strip the passphrase. Weird, I didn't give one, but... mmkay, no biggie:

# openssl rsa -in /etc/certificates/mycert.key.pem -out mykey.nopass.key
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for /etc/certificates/mycert.key.pem:<enter>
3808:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-30/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters

Well, like I said - THERE IS NO PASSPHRASE!!!

Wait, 10.6 put something in the System Keychain... ah, there it is. Maybe I should export the key from there. Launch KA, select the key, File > Export, and:

Wtf? No, wait, "it was a bug, Dave". Keychain Access doesn't have permissions to export anything from the System keychain. Ah, yes, I remember now:

$ sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

... export the key and. Ah, thank you!

Ok, that was weird... But wait a minute - this is PKCS format, I can't use this! Back to Terminal:

$ openssl pkcs12 -in mycert.p12 -out mycert.pem -nodes
Enter Import Password:<enter>
MAC verified OK

And finally I have something to use with Rumpus.

If 10.6 Server is "simpler than ever" then I can't wait for 10.7! How the hell is a "typical" OS X Server admin (a graphic designer who shares his time between the Wacom and the server closet) supposed to know all this crap? This is exactly the kind of set up a typical design firm would run - 10.6 for collaboration, file sharing and backup and Rumpus for client access.

... I guess they just never use SSL.

It's the third startup I've been involved in, but this one is very different. This one will actually fly. After a month and a half, we know it can. The biggest difference is that for the first time, we have actual employees and the company is our only source of income. This not only motivates you, but also allows you to focus much better.

I'll probably age six years this year, but I must say, even when things are really tough, and with some weeks constantly re-defining the meaning of mental anguish, there are moments when I feel truly happy. Career-wise, this has been major downgrade - I make about half the paycheck compared to last year, it will be a long time until I get to see anything nearly as cool as I did working for TV Tools and every day I run into problems that have nothing to with my ACSA certification...

But I'm happy.

I'm happy because finally I have the opportunity to test out all those ideas about how a company should function, to have the freedom to decide what I make and what I sell. To have total ownership of what I create and to be able to share it with whoever I please. I'm happy to have the freedom to blame no-one but myself if things don't go as they should. And I'm happy to work in a place where everyone else has that same freedom. To do great work, to take risks, to make a difference and to have fun.

Speaking of creating, I actually do a fair bit of R&D (after all, that's what it says on my business card) at mcare (we've even developed some hardware, more on that later). I've decided to open source everything that might be useful to other people in this field. The first project is MTK - a collection of scripts for OS X and hardware testing. Our service engineers sometimes ask me to write tests and they all end up in MTK.

Perhaps the biggest thing we will release is Servo - a complete rewrite of the service management system I made for Humac back in 2007. I'm currently working on the API for that and hope to be releasing something in the coming months. Our other company, Mekanisti owns the rights to that and for a brief period we even tried to make it into a product - until we realised the value for us will always be in using, not selling the tool. More engineers than salesmen, I guess...

And to anyone who at some point in their life has to choose between going indie and taking a lucrative job offer - do the first thing that comes to your mind... ;-)

Anyways, if you're in the Helsinki area and looking for fast, friendly and professional service for your Mac, iPod or Apple accessory, please drop by!

It's like it's afraid of the impending Force Quit that happened shortly after.

You can modify the .dist files, but here's an alternative approach:

• Create a 50 GB sparse image, name the volume "Final Cut Studio 3"
• Enable permissions on the "Final Cut Studio 3" volume

• Mount all the FCS discs, install the main package using installer:

  installer -verbose -pkg /Volumes/Final\ Cut\ Studio\ Install/Installer/FinalCutStudio.mpkg -taret /Volumes/Final\ Cut\ Studio\ 3
  

Running the first phase through installer allows us to skip entering the license info.

• Run all the remaining installers from the individual discs, i.e. "Audio Content 1", "DVD Studio Pro Content", "Motion Content 1". In the installer click "Change Install Location..." and select the "Final Cut Studio 3" volume.
• Create a new compressed disk image from the "Final Cut Studio 3" volume, scan for restore (only necessary if you want to do a block restore, see below).

Now you have a complete FCS install as a single disk image, ready to be restored with asr. I've only tested this with fresh systems so YMMV, but the idea is straigtforward - we just copy all the files that come with FCS to their correct locations.

Since a default FCS installation is about 14 times the size of a minimal Snow Leopard install (!) it might make sense (save time) to first lay down FCS with a block copy (i.e. erasing the target first) and then restore the OS with a file copy. I tried this and it actually worked! With this method, a complete install of Final Cut Studio 2 clocks in at just under 12 minutes.

On an unrelated note, a minimal 10.6 install restores in 80 seconds over 1Gb Ethernet (onto a Mac Pro, using RAID 6 on the server). Probably less time most Windows PC's take to boot up. :-P

/**
 * Check Finnish social security number
 * @return true if correct, false if incorrect, -1 if malformed
 */
function checkSsn(ssn)
{
  ssn = ssn.toLowerCase();
  m = ssn.match(/(\d{6})-(\d{3})(\w){1}/);

  if (!m) {
    return -1;
  }

  c = Array(); base = 35;
  n = parseInt(m[1] + m[2], 10) % 31;

  for (i = 0; i < base; i++)  {
    e = parseInt(i, 10).toString(base);
    if ('gioq'.indexOf(e) < 0) {
      c.push(e);
    }
  }

  return (c[n] == m[3]);

}

The idea is the last character in the SSN is essentially a verification code derived from all the numbers in the SSN. The specs are from the Finnish Population Register Center but unfortunately they only seem to be available in Finnish.

Yeah, that's what I thought too. This happens every time I tried to create a NetRestore image using Apple's System Image Utility. Clicking "OK" just brings the same dialog back after some time.

This reminds me of how a customer brought me his PowerBook with the classic "Document was not saved" dialog in Excel 2004, with only one button - "OK". "No, it's not OK", he said. :-)

I ran into this after deleting the 1.5.1 shortcut from the Desktop. Going to the .app download page just opened the .jnlp launching the app, but the shortcut was gone. Command-clicking the app in the dock just selected the java executable. This trick forces the client to re-download and also create the .app on the desktop.

Anyways, the script's been fixed now. No need to update the actual widget since that acts simply as the UI. Enjoy! ;-)

Symbolic link not allowed or link target not accessible /Volumes/data/SoftwareUpdate/html/index.sucatalog

This will probably only happen if you remove the original swupd datastore. The fix is to clear out all the index files:

serveradmin stop softwareupdate
rm -rf /Volumes/data/SoftwareUpdate/html/index*
serveradmin start softwareupdate

IIRC, this wasn't necessary in 10.5, but I might be wrong...

The imaging starts automatically when a volume is mounted. Should also work with multiple DVD drives. The images are bzip compressed (UDBZ, need 10.4 or later to open) and are named after the volume name. It ejects the media once the imaging has completed.

Should work with 10.5 or later (uses PyObjC).

To use it, just modify config.yaml. Multiple sources and destinations can be defined under their own "name". Anonymous connections haven't been tested, but should be in the form ":@server/path".

$ python relay.py 
-- checking default
<- getting Untitled_2.wmv
-> sending Untitled_2.wmv

The skiplist is stored in $CWD/.skiplist. Remove it to do a full transfer. The files are always relayed through the local machine (not sent from server to server) which is not terribly efficient but sometimes the only option. Folders are not trasfered - they throw an exception and are skipped on the next run.