Online references
|
|
In this table are the commands for apache, bind and certbot via brew as in https://getgrav.org/blog/macos-mojave-apache-multiple-php-versions.
The previous Apple server software needs to be completely uninstalled!
In this guide the commands are in green. Text to be changed or entered are in light blue.
|
Common pitfalls, problems, useful commands
|
- After a brew upgrade some services may not work. One difficult to diagnose problem may be the firewall settings in MacOSX. It blocks by default incoming connections on
unsigned bin's and executables need to be added in the list in the System Preferences Firewall settings. Also note that just putting there the /usr/local/bin/executable will
not work since brew puts aliasses (links) there. Follow the link to the real bin. Same for /usr/local/sbin .
- After a "brew upgrade" the output may display an error that an old directory could not be removed and a sudo command is displayed. In reality the "brew upgrade" did not
complete, so execute that sudo command and repeat "brew upgrade" and displayed error - sudo commands until nothing is being done anymore by that command.
- Somehow launchd has a different or incomplete PATH environment. Caused certbot renew to initially fail.
- if you need to log out another user:
- ps awwwwux | grep loginwindow
- kill the pid of that user with:
- sudo kill -9 [pid]
- Support files can be found HERE.
- SSH plus Screensharing
- ssh -p 22 -N -L 5999:localhost:5900 user@example.net
- vnc://localhost:5999
- Starting/stopping remote desktop. The commands in this article https://support.apple.com/en-us/HT201710 work
with Apple Remote Desktop 3.2 and later. Here are commands that you can use:
- Restart the ARD Agent and helper:
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
- Turn on Remote Desktop Sharing, allow access for all users, and enable the menu extra:
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts
-setmenuextra -menuextra yes
- Turn on Remote Desktop Sharing, allow access for specified users:
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers
- You must use the -configure, -access, and -privs options in a separate command to specify the set of users and their access privileges. For example, this command is for
users with the short names "teacher" and “student." It gives them access to observe (but not control) the computer, and to send text messages:
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users teacher,student -access -on -privs -ControlObserve
-ObserveOnly -TextMessages
- Unlike other kickstart options, you can’t combine the allowAccessFor options with other kickstart options. You must use it as in the last two samples above. You might have
to call kickstart more than once to finish a computer’s setup. Remove access privileges for specified users ("student" in this example):
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users student -access -off
- Disable ARD Agent and remove access privileges for all users:
- sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
- Shell need to change from bash to zsh now:
- The default interactive shell is now zsh. To update your account to use zsh, please run `chsh -s /bin/zsh`. For more details, please visit https://support.apple.com/kb/HT208050.
- restart terminal
|
XCODE and BBEdit - command line tools
|
Apple's command line tools need to be installed, XCode is not needed.
If needed to re-install command tools do this command first:
- sudo rm -rf /Library/Developer/CommandLineTools
Install BBEdit from https://www.barebones.com/products/bbedit/index.html
Start BBEdit and set up its command line tools under the BBEdit menu.
|
BREW
|
Setup:
- ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
- brew install openldap libiconv
For more information see: https://docs.brew.sh/FAQ |
Maintenance:
To upgrade all installed programs to newest version:
- brew update
- brew upgrade
- brew cleanup
- brew services list
- sudo brew services restart --all
|
Debugging:
Check version and installation:
- brew doctor
- brew --version
If needed to correct permissions:
- sudo chown -R "$USER":admin /usr/local
- sudo chown -R "$USER":admin /Library/Caches/Homebrew
If brew directories are not in the path:
- echo 'export PATH="/usr/local/sbin:$PATH"' >> ~/.zshrc
|
APACHE
|
Setup:
- brew install httpd
- sudo brew services start httpd
|
Maintenance:
To restart httpd:
- sudo brew services restart httpd
- sudo apachectl stop
- sudo apachectl -k restart
|
Debugging:
In a separate windo show dynamically the tail of the error and access logfile:
- tail -n 200 -f /usr/local/var/log/httpd/error_log
- tail -n 200 -f /usr/local/var/log/httpd/access_log
If install has problems because of previous versions:
- sudo apachectl stop
- sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
Check if deamon is running:
To get setup paths:
Test conf files, must be with sudo to test certificates:
- sudo apachectl configtest
|
HTTPD config edits including HTTP2 and vhosts
|
HTTPD config basic edits:
- bbedit /usr/local/etc/httpd/httpd.conf
- Listen 8080 => Listen 80
- enable ==> LoadModule deflate_module lib/httpd/modules/mod_deflate.so
- enable ==> LoadModule rewrite_module lib/httpd/modules/mod_rewrite.so
- ServerAdmin admin@domain.net
- #ServerName www.example.com:8080 ==> ServerName localhost:80
- enable ==> Include /usr/local/etc/httpd/extra/httpd-autoindex.conf
|
HTTPD config edits to enable http2
- bbedit /usr/local/etc/httpd/httpd.conf
- disable ===> #LoadModule mpm_prefork_module lib/httpd/modules/mod_mpm_prefork.so
- enable ===> LoadModule mpm_event_module lib/httpd/modules/mod_mpm_event.so
- enable ===> LoadModule http2_module lib/httpd/modules/mod_http2.so
- add ===> Protocols h2 h2c http/1.1
|
Small edit to enable full filename display in case of directory index:
- bbedit /usr/local/etc/httpd/extra/httpd-autoindex.conf
add NameWidth=* to the line IndexOptions FancyIndexing HTMLTable VersionSort
- ===> IndexOptions FancyIndexing HTMLTable VersionSort NameWidth=*
|
HTTPD config edits enable vhosts:
- bbedit /usr/local/etc/httpd/httpd.conf
- enable ==> LoadModule vhost_alias_module lib/httpd/modules/mod_vhost_alias.so
- enable ==> Include /usr/local/etc/httpd/extra/httpd-vhosts.conf
and for vhosts including a catch directory. The catch directory is the default webroot where all requests go to if there is not a specific webroot for that (sub)domain defined.
Therefore, it must be the first in the list. Here an example for example.com edit:
- bbedit /usr/local/etc/httpd/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/usr/local/var/www"
ServerName catch.example.com
</VirtualHost>
<Directory "/usr/local/var/www">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:80>
DocumentRoot "/Users/example/Sites"
ServerName example.com
ServerAlias www.example.com
</VirtualHost>
<Directory "/Users/example/Sites">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
|
HTML default header
|
Web pages header:
<!DOCTYPE html>
<html>
<head>
<title>title</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=0.25, maximum-scale=4.0, user-scalable=yes">
<meta name="description" content="title">
<meta name="author" content="Cees de Laat">
</head>
<body style="font-family: Helvetica,Arial,sans-serif;" text="#ffffff" bgcolor="#000000" link="#ffcc66" alink="#ff9900" vlink="#ffff66">
|
Let's Encrypt - certbot
|
- sudo install -d -o $(whoami) -g admin /usr/local/Frameworks
- brew install certbot
|
HTTPD edits:
- bbedit /usr/local/etc/httpd/httpd.conf
Uncomment:
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
add at the end:
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Include /usr/local/etc/httpd/extra/httpd-vhosts-le-ssl.conf
|
The vhost and vhost-le-ssl edits:
The idea is that all requests that get through on port 80 or with incorrect url's/domain names or with http://catch.example.com end up in:
and all requests that come in via https and correct domain names go to the correct webroots of those domains.
For that purpose a rewrite rule takes care of redirection. This is in httpd-vhosts.conf
I use the following domain construction for example.com:
- catch example.com
- catches all (sub)domains for which no other webroot is defined is
- example.com
- this goes to the normal webroot of the domain example.com
- www.example.com
- also goes to the normal webroot of the domain example.com
- sub1.example.com
- a subdomain of example.com with its own webroot
in httpd-vhosts.conf:
- bbedit /usr/local/etc/httpd/extra/httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/usr/local/var/www"
ServerName catch.example.com
</VirtualHost>
<Directory "/usr/local/var/www">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:80>
DocumentRoot "/usr/local/var/www"
ServerName example.com
ServerAlias www.example.com
ServerAlias sub1.example.com
RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Note that the Directory directive for example and sub1 is moved to the httpd-vhosts-le-ssl.conf file. This ensures that if that file does not get processed, those webroots are not
exposed.
and create/edit httpd-vhosts-le-ssl.conf:
- bbedit /usr/local/etc/httpd/extra/httpd-vhosts-le-ssl.conf
<VirtualHost *:443>
DocumentRoot "/usr/local/var/www"
ServerName catch.example.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
DocumentRoot "/Users/example/Sites"
ServerName example.com
ServerAlias www.example.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<Directory "/Users/example/Sites">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<VirtualHost *:443>
DocumentRoot "/Users/sub1example/Sites"
ServerName sub1.example.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
<Directory "/Users/sub1example/Sites">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
|
To request the certificates:
or if one first wants to do a number of test runs for debugging:
- sudo certbot --apache --staging
for after successful testing forcing a full new certificate:
- sudo certbot --apache --force-renewal
|
for production:
For automatic renewal, see:
However, the plist in the above solution does not work because somehow the PATH variable of the running deamon is not correct. Therefore we make our own script that sets the path
and then invokes certbot renew, and then we use a LaunchDeamon to periodically invoke the script. For renewal we have to make a shell script and a launchd plist.
create file /usr/local/etc/certbot-renew.sh :
- bbedit /usr/local/etc/certbot-renew.sh
and put in:
#!/bin/zsh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
sudo certbot renew
Make it executable:
- chmod +x /usr/local/etc/certbot-renew.sh
create plist:
- bbedit /Library/LaunchDaemons/com.letsencrypt.renew.plist
put in that file the xml below here:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.letsencrypt.renew</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/etc/certbot-renew.sh</string>
</array>
<key>StandardErrorPath</key>
<string>/tmp/com.letsencrypt.renew.stderr</string>
<key>StandardOutPath</key>
<string>/tmp/com.letsencrypt.renew.stdout</string>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>4</integer>
<key>Minute</key>
<integer>56</integer>
</dict>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
- sudo chmod 644 /Library/LaunchDaemons/com.letsencrypt.renew.plist
- sudo chown root:admin /Library/LaunchDaemons/com.letsencrypt.renew.plist
- sudo launchctl load /Library/LaunchDaemons/com.letsencrypt.renew.plist
- sudo launchctl list | grep -i letsencrypt
If test runs are needed:
- sudo certbot renew --dry-run
If pre, post or deploy scripts are needed, those go here:
- /private/etc/letsencrypt/renewal-hooks
|
Debugging:
- tail -f -n 40 /tmp/com.letsencrypt.renew.stderr
- tail -f -n 40 /tmp/com.letsencrypt.renew.stdout
- sudo tail -f -n 400 /var/log/letsencrypt/letsencrypt.log
To list the certificates:
- sudo certbot certificates
Some more debugging:
The configuration file is at: /etc/letsencrypt/renewal/
|
Named and bind
|
Setup:
Edit the conf file:
- bbedit /usr/local/etc/named.conf
And create the zone files in:
Start bind:
- sudo brew services start bind
|
Maintenance:
- sudo brew services restart bind
- sudo brew services stop bind
|
Debugging:
First set up a separate window with tail of logging:
- tail -f -n 40 /usr/local/var/log/named/named.log
Some checks:
- rndc -k /usr/local/etc/rndc.key -p 54 status
- named-checkconf -z /usr/local/etc/named.conf
- host -t ns example.com
|
Zone file specials:
example.net. 10800 IN SOA ns1.example.net. xxx.example.net. (
2019090801
21600
900
1209600
3600)
10800 IN NS ns1.example.net.
10800 IN NS ns2.example.net.
10800 IN NS ns3.example.net.
10800 IN A 111.111.111.111
10800 IN MX 10 smtp.example.net.
10800 IN TXT "v=spf1 +mx -all"
10800 IN CAA 128 issue "letsencrypt.org"
|
Network Performance tools
|
See:
brew install iperf iperf3 nuttcp bwctl owamp |
iperf
Server:
Client:
- iperf -i 4 -t 1000 -N -w 5M -l 1M -c [servername]
|
iperf3
Server:
Client:
- iperf3 -i 4 -t 1000 -N -w 5M -l 1M -c [servername]
|
nuttcp
On the server:
Client:
This runs a 10 second test, only on ipv4 |
SSH on a different port number
|
This procedure and port numbers come from:
Procedure:
- sudo vi /etc/services
- Change the port number in:
- ssh 22/udp # SSH Remote Login Protocol
- ssh 22/tcp # SSH Remote Login Protocol
- sudo vi /etc/ssh/ssh_config
- uncomment the following: Port 22
and change that port number in the desired one.
- Restart the ssh daemon.
- sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
- sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
SSH tunnel for e.g. VNC. Here we assume ssh over port 12345. After this tunnel setup one can ust vnc to 127.0.0.1:5901 to reach the other machine:
- ssh -p 12345 -v -L 5901:127.0.0.1:5900 destination
|
PHP
|
Note: DOES NOT WORK BECAUSE OF mod_mpm_event.so incompatible caching regimes!
|
To enable PHP in Apache add the following to httpd.conf and restart Apache:
LoadModule php7_module /usr/local/opt/php/lib/httpd/modules/libphp7.so
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
Finally, check DirectoryIndex includes index.php
- bbedit DirectoryIndex index.php index.html
The php.ini and php-fpm.ini file can be found in:
/usr/local/etc/php/7.3/
To have launchd start php now and restart at login:
Or, if you don't want/need a background service you can just run:
|
MacMini Setup (for SC/webcam/demo)
|
- Users & Groups
- SNE-Admin
- SNE-demo
- Login Options
- Power settings
- restart after power fail
- prevent display sleep
- awake with net access
- start up 8h00 in the morning
- Desktop & Screen Saver
- Sharing
- Screen Sharing
- File Sharing
- Remote login
- Security
- turn off screen lock
- enable location services
- no filevault
- Date & Time
- automatic time adjustment
- Display Menu.app and WebCamMonitor App
- MenuMeters
- BBEdit
- Deskpicture SNE logo
- Team Viewer Setup
- EvoCam Setup
- Evocam5 download
- serial ES56-MUDX-9LD6-BRAG
- Note:
- EvoCam 4 crashes now and then but does recording fine!
- EvoCam 5 is more stable but gives unusable recordings!
- note that sometimes the high res recording looks like taken at low res!
Make sure to open first the small and then the big window.
- Settings
-
- Preferences
- web server port nr 10456
- Log Web Server access
- auto-open docs from previous session at startup
- make sure the low res is in the back.
- Finder Cam1.settings on desktop put in dock and set Open at login
Cam1.evocamsettings
- 320 * 180
- 384 * 216
- 480 * 270
- font size 12
- framerate 15
- quality normal normal
- fontsize 9
- Cam2.evocamsettings
- 1280 * 720
- framerate 15
- quality normal normal
- Other resolutions 16*9
- 256 * 144 -> YouTube 144p
- 426 * 240
- 640 * 360 -> nHD
- 768 * 432
- 800 * 450
- 848 * 480
- 896 * 504
- 960 * 540 -> qHD
- 1024 * 576
- 1152 * 648
- 1280 * 720 -> HD
- 1366 * 768 -> WXGA
- 1600 * 900 -> HD+
- 1920 * 1080 -> Full HD
- 2000 * 1125
- 2048 * 1152
- 2304 * 1296
- 2560 * 1440 -> QHD
- 2880 * 1620
- 3200 * 1800 -> QHD+
- 3520 * 1980
- 3840 * 2160 -> 4K UHD
- 4096 * 2304 -> Full 4K UHD
- 4480 * 2520
- 5120 * 2880 -> 5K UHD
- 5760 * 3240
- 6400 * 3600
- 7040 * 3960
- 7680 * 4320 -> 8K UHD
- 15360 * 8640 -> 16K
- NOTE: the low resolution serve must start first, then the high resolution, otherwise video is low quality.
|
TimeMachine
|
Setup
Here are TimeMachine cli commands to start up, stop, get info, etc. The info comes from:
https://www.macworld.com/article/2033804/control-time-machine-from-the-command-line.html
The basics of the tmutil command can be found by typing
The man page tells you what you can do with this command. For example, to turn Time Machine on or off, you can run these commands:
- sudo tmutil enable
- sudo tmutil disable
To get the status of anything going on or progressing:
If you want to run a Time Machine backup right away, on a Mac that either has Time Machine disabled, or, say, just before updating to a new version of OS X, you can run this
command:
This is the same as choosing Back Up Now from the Time Machine menu in the menu bar at the top of your screen. And if you ever want to stop a backup, just run this:
Save disk space on your laptop Since your laptop isn’t always connected to its backup disk, Time Machine retains “local snapshots,” or files that it will copy to your backup disk
the next time it is available. However, these local snapshots take up space, and you may want to turn this feature off if you don’t have much room on your hard disk. You can turn
off (Running this command will also delete any local snapshots.) and on with the following commands:
- sudo tmutil disablelocal
- sudo tmutil enablelocal
You can exclude certain files and folders from your Time Machine backups from the Time Machine pane in System Preferences. Naturally, you can also do this from the command line,
too. Run this command:
- sudo tmutil addexclusion <path of folder/file to exclude>
The tmutil addexclusion command has an interesting property: it's sticky. When you use this command, the item you exclude remains in the Time Machine exclusion list even if you
move it, which is not the case when you exclude items from the Time Machine preference pane. If you use the above command with the -p flag, then it will not be sticky, and will be
the same as an exclusion you add from the Time Machine preference pane.
If you’re managing a remote Mac, such as a server, you may want to change Time Machine settings for that computer. You can start by finding where Time Machine backups are stored.
Run this command:
To change the destination, you can use two commands. First, remove the current destination like this:
- tmutil removedestination ......
In place of ..... , type in the text string returned by the destinationinfo command. Then run this command to set up a new destination disk:
- tmutil setdestination volume_name
Replace volume_name with the name of the disk or volume you want to use. You can add multiple destinations as well, since Time Machine can rotate its backups on several disks or
volumes. See man tmutil for more on setting up multiple backup destinations. (You can now do this without the command line too, see “How to create redundant Time Machine backups.”)
Time Machine saves a lot of backups: one per hour for the past 24 hours; one a day for the past week; and one a week before that. You can get a list of all the backups on your Time
Machine disk with this command:
The tmutil command offers many other options, such as the ability to inherit destinations, perform detailed comparisons of backups, restore items and much more. See man tmutil to
find out all that you can do. |
Debugging
This procedure is to correct errors like: “Time Machine completed a verification of your backups. To improve reliability, Time Machine must create a new backup for you.”. It may or
may not work. The procedures come from:
http://www.garth.org/archives/2011,08,27,169,fix-time-machine-sparsebundle-nas-based-backup-errors.html
The steps:
- sudo chflags -R nouchg <the backup bundle>
- sudo hdiutil attach -nomount -noverify -noautofsck <the backup bundle>
- sudo tail -f /var/log/fsck_hfs.log
- sudo fsck_hfs -drfy -c 4294967296 /dev/diskXs2
or take for cacjhe 3221225472 or 2147483648 or 1073741824
If you get a message in the fsck_hfs.log along the lines of " RebuildBTree – record x in node y is not r" then try:
- fsck_hfs -p /dev/diskXs2
- fsck_hfs -drfy -c 4294967296 /dev/diskXs2
To scan for bad blocks:
- /sbin/fsck_hfs -S /dev/diskXs2
When succeeded:
- hdiutil detach /dev/diskXs2
When complete, you need to edit an plist file within the sparsebundle that records the state of the backup. On the top level of the sparsebundle find a file called
"com.apple.TimeMachine.MachineID.plist".
- bbedit <the backup bundle>/com.apple.TimeMachine.MachineID.plist
Remove these two nodes:
<key>RecoveryBackupDeclinedDate</key>
<date>{whatever-the-date}</date>
Finally you want to change:
<key>VerificationState</key>
<integer>2</integer>
to
<key>VerificationState</key>
<integer>0</integer>
Now Time Machine can give it another go. After the (long) verification step, backups should proceed once again.
To find log file entries:
- log show --predicate 'subsystem == "com.apple.TimeMachine"' --info | grep 'upd: (' | cut -c 1-19,140-999
|
How to solve calendar problems
|
|
How to solve the error: "Apple Calendar Can’t Save Event to Exchange":
See: https://michaelkummer.com/tech/apple/macos-calendar-exchange/
- Quit Calendar application (Command + Q)
- Quit Apple Mail
- Open Activity Monitor (through Spotlight or Launchpad)
- Search for “Calendar” and quit all the relevant processes
- Open Finder and navigate to ~/Library/Calendars
- Double-check Activity Monitor to make sure no Calendar-related processes are running
- Delete cache files
- Relaunch Calendar
|
How this page is made
|
|
|
|
