Updating Munki Tools - munki/munki GitHub Wiki
Options for updating Munki tools on client machines
Use AutoPkg and run the munkitools6.munki recipe.
Make sure "munkitools" and optionally "munkitools_app_usage" are in managed_installs in an manifest your clients will use.
The Munki tools are distributed as a distribution package, which contains multiple component packages. This enables several things for the Munki admin:
- Admins can choose to install only a subset of the Munki tools; for example, they can choose to not install the Munki admin tools (makecatalogs, makepkginfo, munkiimport) on most client machines (though doing so is probably not worth the effort).
- If you have customized or replaced the launchd jobs used by Munki, you can upgrade to newer tools without having your changes overwritten, by choosing not to install the launchd jobs that are included with the munkitools pkg.
- You can elect to not import/install Munki's embedded Python and use a different Python install you manage.
- In many cases, you can update the Munki tools silently in the background without needing a restart. As long as the launchd subpackage has not changed, no reboot is required.
All of these require installing only a subset of the packages included in the distribution package. There are a few approaches to accomplishing that:
-
Using installer's ChoiceChangesXML files and Munki's support for embedding them into pkginfo. You could, for example, use the following installer_choices_xml to install only the core tools, Python, and Managed Software Center.app; skipping the install of the admin tools, the app_usage tools and the launchd plists:
<key>installer_choices_xml</key> <array> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>core</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>admin</string> </dict> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>app</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>launchd</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>app_usage</string> </dict> <dict> <key>attributeSetting</key> <integer>1</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>python</string> </dict> <dict> <key>attributeSetting</key> <integer>0</integer> <key>choiceAttribute</key> <string>selected</string> <key>choiceIdentifier</key> <string>no_python</string> </dict> </array>
-
Editing the Distribution file inside the munkitools distribution pkg -- this would have a similar effect as the previous approach, but could be used outside of Munki -- for example, if installing the tools via ARD or manually.
An easier approach is to extract the component pkgs from the distribution pkg, and then import each component pkg seperately.
You can create pkginfo items for munki-core, munki-admin, munki-app, munki-launchd, munki-app_usage and munki-python and use Munki's dependency relationships to ensure everything needed gets installed and that reboots are enforced only when necessary.
munki-python | unattended_install: True | |
munki-launchd | RestartAction: RequireRestart | |
munki-core | unattended_install: True | requires: munki-python, munki-launchd |
munki-app | unattended_install: True | requires: munki-core |
munki-admin | unattended_install: True | requires: munki-core |
munki-app_usage | unattended_install: True | requires: munki-core |
If a managed_installs in a manifest specified only "munki-app", munki-app, munki-core, munki-launchd and munki-python would be installed. For future updates, as long as munki-launchd hasn't changed, the updates would happen as unattended installs. If a future update included an updated munki-launchd, the unattended_install would be invalidated, and a reboot would be needed, meaning the update would either wait until all users were logged out, or for a user to initiate the update via Managed Software Center.
Extracting the component packages from the distribution package might look like:
#### Expand the distribution package
$ pkgutil --expand munkitools-4.0.1.3899.pkg munkitools_pkg
$ cd munkitools_pkg
$ ls
Distribution munkitools_core-4.0.1.3899.pkg
munkitools_admin-4.0.1.3899.pkg munkitools_launchd-3.0.3265.pkg
munkitools_app-5.1.0.3899.pkg munkitools_no_python-4.0.1.3899.pkg
munkitools_app_usage-4.0.1.3899.pkg munkitools_python-3.7.4.pkg
#### Convert the expanded subpackages back to flat packages
$ pkgutil --flatten munkitools_admin-4.0.1.3899.pkg ../munkitools_admin-4.0.1.3899.pkg
$ pkgutil --flatten munkitools_app-5.1.0.3899.pkg ../munkitools_app-5.1.0.3899.pkg
$ pkgutil --flatten munkitools_app_usage-4.0.1.3899.pkg ../munkitools_app_usage-4.0.1.3899.pkg
$ pkgutil --flatten munkitools_core-4.0.1.3899.pkg ../munkitools_core-4.0.1.3899.pkg
$ pkgutil --flatten munkitools_launchd-3.0.3265.pkg ../munkitools_launchd-3.0.3265.pkg
#### odds are you don't actually want the no_python pkg, but listed here for completeness ####
$ pkgutil --flatten munkitools_no_python-4.0.1.3899.pkg ../munkitools_no_python-4.0.1.3899.pkg
$ pkgutil --flatten munkitools_python-3.7.4.pkg ../munkitools_python-3.7.4.pkg
$ cd ..
$ ls munkitools_*.pkg
munkitools_admin-4.0.1.3899.pkg munkitools_launchd-3.0.3265.pkg
munkitools_app-5.1.0.3899.pkg munkitools_no_python-4.0.1.3899.pkg
munkitools_app_usage-4.0.1.3899.pkg munkitools_python-3.7.4.pkg
munkitools_core-4.0.1.3899.pkg
#### Import the extracted subpackages we want
$ munkiimport munkitools_admin-4.0.1.3899.pkg
$ munkiimport munkitools_app-5.1.0.3899.pkg
$ munkiimport munkitools_app_usage-4.0.1.3899.pkg
$ munkiimport munkitools_core-4.0.1.3899.pkg
$ munkiimport munkitools_launchd-3.0.3265.pkg
$ munkiimport munkitools_python-3.7.4.pkg
The easiest approach is to use AutoPkg: https://github.com/autopkg/autopkg
Once you've installed the Munkitools recipes (hint: autopkg repo-add recipes
) you can simply do
autopkg run munkitools6.munki
to import the Munki 6 tools into your Munki repo. This recipe does the hard/tedious work of extracting the component packages and importing them with the correct interdependencies.
Component | Identifier | Notes |
---|---|---|
Munki core tools | com.googlecode.munki.core | Munki's core code and command-line tools |
Munki admin tools | com.googlecode.munki.admin | Munki's command-line administration tools |
Managed Software Center | com.googlecode.munki.app | Munki's user-facing GUI apps and supporting files. |
Munki launchd agents | com.googlecode.munki.launchd | Munki's LaunchDaemons and LaunchAgents. Requires a restart. |
Munki app usage monitoring tool | com.googlecode.munki.app_usage | Munki app usage monitoring tool and launchdaemon. If installed Munki can use data collected by this tool to automatically remove unused software. |
Munki embedded Python | com.googlecode.munki.python | Munki's own Python 3 interpreter. |
These component choices can be also seen if you choose to customize a manual install:
These techniques should allow for quicker and more seamless updates to Munki tools for your client machines, as in many cases you can update the Munki tools with no user action required.