How to set up a local Software Update Server using Mac OS X Server 10.5.x/10.6.x

 
One of the greatest bandwidth-saving features of Mac OS X Server is the Software Update Server, which caches Apple software updates locally. The trick is getting the local computers to look at the local SUS instead of Apple’s servers. The “official” way to do this is to modify the Software Update preferences on the client machines; however, this method has several drawbacks. First, you might not have administrative control over all of the client machines (e.g. on the public portion of your network). Second, once you modify the SU prefs on a client, it will always look for the private IP of your SUS server—so your client machines won’t be able to update if they’re taken out of the office. Third, there’s no way, short of a registry hack, to make this modification on Windows clients.

The configuration below requires no changes on the client machines, so it's perfect for public-access situations where you may not have administrative control over the computers on the network, but you want to keep software update traffic off of your internet connection. It won’t affect anyone’s ability to run Software Update when not in the office. I've incorporated the fantastic tip from Jan Uschok that enables a 10.5.x Server to serve updates for 10.6.x clients, so you won’t lose any SUS functionality by sticking with your old Xserve G5.

Finally, I wrote a shell script that enables your SUS to serve updates for Apple's Windows software. Not Microsoft updates, but Apple’s Windows software—iTunes, QuickTime, Safari, etc.—so Windows clients on your network will pull Apple software from your local SUS as well.

Server Setup (for 10.5 and 10.6)

1. Set up Mac OS X Server, and enable the Software Update, Web, and DNS services. Configure the Software Update service to automatically download and automatically enable all new updates. If you want to serve Apple Windows software updates, disable the "Delete outdated software updates" option.

2. Be sure your Mac OS X Server resolves the Apple software update servers correctly (i.e. not to itself); otherwise, you'll never get any new updates in the Software Update service. There are two ways to accomplish this: either put an external DNS server first in the list in your server's network configuration, OR add the following lines to the /etc/hosts file on your server:

17.250.248.93  swquery.apple.com
17.250.248.95  swscan.apple.com
63.97.94.66    swcdn.apple.com

(Those IP addresses are valid as of 02-Feb-2010; you might "dig" each host just to be sure you use the right addresses.)

DNS Configuration (for 10.5 and 10.6)

If your router is capable of DNS redirects, and your network clients use the router for DNS lookups (typical setup for SOHO networks), create DNS redirects on the router for swscan.apple.com, swcdn.apple.com, and swquery.apple.com that point to the private IP of your Mac OS X Server, and then skip to step 7 below. Otherwise…

3. Be sure all the network clients are using your Mac OS X Server for DNS; otherwise, they'll always hit Apple's update server instead of yours. The easiest way to accomplish this is to list your server's local IP as the primary DNS in your DHCP server settings. Your DHCP services may be provided by your server, or by your internet router, so this exercise is left to the reader.

4. In the DNS service, add a master zone named swscan.apple.com. (with the trailing dot!).

5. Create an A (machine) record that maps swscan.apple.com. (with the trailing dot!) to the IP of your Mac OS X Server.

6. Repeat steps 4 and 5 for swcdn.apple.com. and swquery.apple.com.


SUS Configuration (for 10.5 only)

7. Open a terminal window.

8. Create the required directory for 10.5.x/10.6.x catalogs:
# sudo mkdir /usr/share/swupd/html/content/catalogs/others/

9. Create a symbolic link for the 10.4.x update catalog:
# sudo ln -s /usr/share/swupd/html/content/catalogs/index.sucatalog /usr/share/swupd/html/content/catalogs/index-1.sucatalog

10. Add a symbolic link for the swupd directory to the default webserver directory:
# sudo ln -s /usr/share/swupd/html/content /Library/WebServer/Documents/content

11. (Optional) Add a symbolic link for statistics engine:
# sudo ln -s /usr/share/swupd/cgi-bin/SoftwareUpdateServerStats /Library/WebServer/Documents/WebObjects/SoftwareUpdatesStats

12. Create the /usr/share/swupd/html/content/meta/mirror-config-1.plist file:
# sudo touch /usr/share/swupd/html/content/meta/mirror-config-1.plist

13. Edit /usr/share/swupd/html/content/meta/mirror-config-1.plist and make it read as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PrimaryCatalog</key>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<key>CatalogsList</key>
<array>
<string>http://swscan.apple.com/content/catalogs/index.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard.merged-1.sucatalog</string>
<string>http://swscan.apple.com/content/catalogs/others/index-leopard-snowleopard.merged-1.sucatalog</string>
</array>
</dict>
</plist>

14. Edit /etc/swupd/swupd.plist and find the metaIndexURL key. Change the string value to read as follows:
<key>metaIndexURL</key>
<string>http://127.0.0.1:8088/content/meta/mirror-config-1.plist</string>

15. Restart your server.

16. Be sure the DNS, Web, and Software Update services are running, and check the Software Update error log to be sure nothing is amiss.

It will take a while for the server to download all of the software updates from Apple's servers (several GB of data!), and the Software Update service won't create the local catalog files until everything is downloaded. Once everything's ready, run Software Update on a network client. You should be able to tell by the download speed whether or not it's pulling the updates from your local server, but you can always check the Software Update and/or web server logs to verify.
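
One way to do that log check, as an added example that is not part of the original article: the function below summarizes, per client, the catalog and package requests the local web server answered. The log lines are constructed samples in Apache common log format, and the function names are made up for this example; pipe your own web server access log into the function instead.

```shell
#!/bin/sh
# Added example: per-client summary of update traffic served by the local web server.

# Constructed sample lines in Apache common log format (not real traffic).
sample_log() {
cat <<'EOF'
192.168.1.21 - - [02/Feb/2010:10:01:12 -0600] "GET /content/catalogs/others/index-leopard.merged-1.sucatalog HTTP/1.1" 200 512000
192.168.1.21 - - [02/Feb/2010:10:01:40 -0600] "GET /content/downloads/00/00/EXAMPLE-0001/example.pkg HTTP/1.1" 200 48000000
192.168.1.34 - - [02/Feb/2010:10:05:03 -0600] "GET /content/catalogs/index.sucatalog HTTP/1.1" 404 210
192.168.1.34 - - [02/Feb/2010:10:06:00 -0600] "GET /index.html HTTP/1.1" 200 1400
192.168.1.50 - - [02/Feb/2010:10:07:15 -0600] "GET /content/catalogs/others/index-windows.merged-1.sucatalog HTTP/1.1" 304 -
EOF
}

# Reads access-log lines on stdin and prints, sorted by client address:
#   <client> catalogs=<n> downloads=<n> bytes=<n> errors=<n>
# Only requests under /content/catalogs/ and /content/downloads/ are counted.
sus_client_summary() {
  awk '
    $7 ~ /^\/content\/(catalogs|downloads)\// {
      ip = $1; seen[ip] = 1
      # Anything other than 200, 206 or 304 means the client asked but was not served
      if ($9 != 200 && $9 != 206 && $9 != 304) { nerr[ip]++; next }
      if ($7 ~ /^\/content\/catalogs\//) ncat[ip]++
      else ndl[ip]++
      if ($10 ~ /^[0-9]+$/) nbytes[ip] += $10   # size is "-" on a 304
    }
    END {
      for (ip in seen)
        printf "%s catalogs=%d downloads=%d bytes=%d errors=%d\n",
               ip, ncat[ip], ndl[ip], nbytes[ip], nerr[ip]
    }
  ' | sort
}

sample_log | sus_client_summary
```

A client that never shows up in the summary is not using your DNS redirect (see step 3). Errors on catalog requests are expected until the Software Update service has finished its initial download and created the local catalog files.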

Webserver Configuration (for 10.6 only)

Add a symbolic link for the swupd directory to the default webserver directory. This, in conjunction with the DNS redirects, will eliminate the need for any client configuration. Clients will “think” they’re connecting to Apple’s SUS, when they’re really connecting to yours:
# sudo ln -s /var/db/swupd/html/content /Library/WebServer/Documents/content


Enabling Apple Windows SUS (for 10.5 and 10.6)

To enable software updates for Apple's Windows software, create a text file with your favorite text editor and paste the following script into it:

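#!/bin/sh
# Mirror Apple's Windows software updates into the local SUS content tree.
# Uncomment the appropriate "base" line below:
# for Mac OS X Server 10.5
base=/usr/share/swupd/html/content
# for Mac OS X Server 10.6
#base=/var/db/swupd/html/content
web=http://swscan.apple.com/content
catalog=index-windows.merged-1.sucatalog
# Stop if the catalog directory is missing rather than work in the wrong place
cd "$base/catalogs/others" || exit 1
# Keep the previous catalog (there is none on the first run)
[ -f "$catalog" ] && mv "$catalog" "$catalog.previous"
echo Fetching the latest catalog file...
# -f makes curl fail on an HTTP error instead of saving the error page
if ! curl -f -O "$web/catalogs/others/$catalog"
then
  # Put the old catalog back so clients still have one, then stop
  [ -f "$catalog.previous" ] && mv "$catalog.previous" "$catalog"
  exit 1
fi
# Package names: field 9 of each WINDOWS line when split on '/'
for pkg in `grep WINDOWS "$catalog" | cut -f9 -d'/'`
do
  # Strip the XML tags, then drop the first 31 characters of each URL,
  # leaving a path relative to the content directory
  files=`grep "$pkg" "$catalog" | grep downloads | cut -f2 -d'>' | cut -f1 -d'<' | cut -c32-200`
  for file in $files
  do
    # Only fetch files that are not already mirrored
    if [ ! -f "$base/$file" ]
    then
      echo "Fetching $base/$file"
      curl -f -# --create-dirs "$web/$file" -o "$base/$file"
    fi
  done
done
chmod -R 755 "$base/downloads"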

Save the file as DownloadWindowsUpdates.sh (or whatever you want to call it).

In a Terminal window, cd to the folder where you just saved the script, and type:

# chmod 700 DownloadWindowsUpdates.sh
# sudo ./DownloadWindowsUpdates.sh

The script will go to town. Once it has finished running, Windows clients on your network should be able to run Apple Software Update and pull updates from your server just like the Mac clients. Note that you'll have to run the DownloadWindowsUpdates.sh script every now and then to keep the Windows packages up-to-date, so you might want to schedule it to run daily or weekly using launchd or cron.
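
The script runs under sudo and writes to paths it extracts from a catalog fetched over plain HTTP, so it is worth checking each path before using it as $base/$file. The following is an added example, not part of the original script: the function names and the catalog excerpt are constructed, and the line shape is assumed from the script's own cut commands. It covers only the path check, not the per-package loop.

```shell
#!/bin/sh
# Added example: vet catalog-derived paths before a root-run script writes to them.

# Constructed catalog excerpt; the <string>URL</string> shape and the
# 31-character URL prefix are assumed from the cut commands in the script above.
sample_catalog() {
cat <<'EOF'
<string>http://swcdn.apple.com/content/downloads/00/00/EXAMPLE-0001/ExampleSetup.exe</string>
<string>http://swcdn.apple.com/content/downloads/../../../../tmp/example.conf</string>
<string>http://swcdn.apple.com/content//downloads/example.msi</string>
<string>http://swcdn.apple.com/content/downloads/00/00/EXAMPLE-0002/Example Setup.exe</string>
EOF
}

# Succeeds only for a relative path that stays inside downloads/.
is_safe_download_path() {
  case "$1" in
    "" | /* | *..* | *//* ) return 1 ;;   # empty, absolute, any "..", empty segment
    *[!A-Za-z0-9._%/-]* )   return 1 ;;   # characters outside a conservative set
    downloads/?* )          return 0 ;;   # must live under downloads/
    * )                     return 1 ;;
  esac
}

# Reads a catalog on stdin, extracts paths the same way the script does,
# prints the ones that pass the check and reports the rest on stderr.
vetted_paths() {
  grep downloads | cut -f2 -d'>' | cut -f1 -d'<' | cut -c32-200 |
  while IFS= read -r file
  do
    if is_safe_download_path "$file"
    then
      printf '%s\n' "$file"
    else
      printf 'skipping suspicious path: %s\n' "$file" >&2
    fi
  done
}

sample_catalog | vetted_paths
```

In the download script, the same test would wrap the inner curl call, so that a path failing is_safe_download_path is logged and skipped instead of fetched.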

If your script downloads the Apple Windows software updates but then they disappear, be sure you’ve disabled the "Delete outdated software updates" option in the Software Update setup in Server Admin. Otherwise, the SUS process will always “clean up” (i.e. remove) the Windows software updates.
http://discussions.apple.com/thread.jspa?threadID=2169042&tstart=0