Little T in the Cog Xserve G5 OS X Howto

Installing OS X on an Xserve G5 and updating it for the modern world

Note:

** I no longer own this server - I've migrated over to the Bakery so won't be updating this document any more **

Note 2:

This document has been updated to use newer OpenSSL, PHP 5.5 and fix the Shell Shock bug. The Original using PHP 5.3 can be found here.

This is what I've had to do to get OS X Leopard installed onto my Xserve G5 and what I've done since to make it a bit more internet worthy in the modern world now that Apple has stopped pushing out updates. I'm mostly documenting this here so I'll know what to do again if I ever need to reinstall :-)

Why OS X and not Linux? Basically because I had problems getting Debian installed on this box due to the lack of graphics card - there is a method of doing the install through the serial port but I couldn't get it working (I think due to having the incorrect serial cable - I needed a null modem one). Anyway, I had a 10 client license copy of OS X Server 10.5 sitting on a shelf so I thought I'd give it a whirl. I was pleasantly surprised to find it actually a pretty capable server built on the usual Open Source offerings - Apache, PHP, Postfix, OpenLDAP etc.

The Install

My Xserve is headless, that is, it doesn't have a graphics card, so firstly I needed to work out how to install OS X onto it without a monitor. Luckily this is actually pretty easy to do as long as you have access to a DHCP server and know how to read the logs (as you'll need to know what address the server gets allocated when it boots). Firstly, make sure the server is connected to the network using the first ethernet port and then power on the server and insert the OS X Server DVD. Make a note of the serial number and the MAC address written on the back of the server and log into your DHCP server and look for which IP address that MAC has been given. Once you know the IP address you can open up Screen Sharing on your client (assuming it's a Mac, you can probably use any VNC client on Windows/Linux) by going to Finder -> Go -> Connect to Server and typing vnc://<IP address> into the box. Leave the username blank and put the serial number in as the password. You should now be looking at the install screen for OS X Server! The install should be pretty straightforward from this point (I ended up setting up a mirror RAID using two 2TB disks as I want bulk offsite storage).

After Install Tweaks

Congratulations! You now have OS X installed on your Xserve. Once you've set up a user and the machine reboots you no longer need to connect using the serial number as a password (in fact if I recall correctly it stops working once you have a user set up), rather you now use your user. What to set up next really depends on what you want to do with your new server - in my case I wanted to host an ownCloud install so I could use my own Dropbox-like client but know that the files were sitting on a machine of my own that the NSA weren't rifling through and also act as a general rsync target for my home NAS and my brother's NAS at work for offsite backups.

SNMP

I set up SNMP monitoring so that I can use nagios to check on things such as load, disk usage and the status of the RAID array (it's no good having redundant disks if you don't know when one has failed!) and also cacti graphs. I edited /etc/snmp/snmpd.conf with the correct community string and then started it by running
sudo launchctl load -w /System/Library/LaunchDaemons/org.net-snmp.snmpd.plist

Updating System Software

Apple has long since stopped pushing out updates to Leopard but that doesn't mean we can't still use it for productive work. The aim is to update all world facing features so that they are safe to put in front of the unwashed masses on the internet. To compile and install most of the software listed here you'll need to install the developer tools, either from the OS X install DVD or downloaded from Apple.

Bash

The Bourne Again Shell (bash) shipped with Leopard is a pretty old version now and is susceptible to the Shell Shock bug which is bad news if you want to run any cgi-bin scripts on your web server. Luckily someone has posted instructions on how to fix it on Debian Lenny and as OS X Leopard uses the same version of bash the script posted there can be used with a tweak or two. I've uploaded a script that will upgrade the version of bash on Leopard to version 3.2.57 (previously 3.2.52, then 3.2.56) which includes the fix for the Shell Shock bug. Download the script from here and chmod +x it to make it executable, then simply run it and it will download bash 3.2, all the patches, compile it and install it to /bin/bash and symlink /bin/sh to the new version. Note that this overwrites your old bash so if you want to keep a copy for some reason copy /bin/bash to someplace safe *before* running the script. Once the script finishes simply log out and back in again and you'll be using the patched version.
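
A quick way to confirm the upgrade took effect, as an added example that is not part of the original guide or of the upgrade script: it starts each shell with a function-style environment variable and reports whether the trailing command gets executed. The function names and the canary string are assumptions made for this example; /bin/bash and /bin/sh are the two paths the script above replaces.

```shell
#!/bin/sh
# Added example: check that a shell no longer executes code smuggled in
# through a function-style environment variable (the Shell Shock bug).

MARKER="SHELLSHOCK_CANARY_$$"   # constructed canary string

# shellshock_status BIN -> prints "missing", "vulnerable" or "patched"
shellshock_status() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # A vulnerable bash parses x as a function definition at start-up and
    # runs the trailing echo, so the canary appears even though the only
    # command requested is ':' (a no-op).
    out=$(env x="() { :;}; echo $MARKER" "$bin" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# check_shells BIN... -> one report line per shell; returns 1 if any is vulnerable
check_shells() {
    rc=0
    for bin in "$@"; do
        st=$(shellshock_status "$bin")
        version=unknown
        if [ "$st" != missing ]; then
            version=$("$bin" --version 2>/dev/null | head -n 1)
        fi
        printf '%-10s %-11s %s\n' "$bin" "$st" "${version:-unknown}"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# /bin/sh is checked too because the upgrade script symlinks it to the new bash.
check_shells /bin/bash /bin/sh || echo "At least one shell is still vulnerable" >&2
```

Run it again after logging back in; both lines should read "patched" and show the new version string.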

OpenSSL

The version of OpenSSL used by OS X 10.5 is pretty old now, and although it doesn't suffer from the Heartbleed bug it also doesn't provide some of the newer TLS versions (notably 1.2) so it is a good idea to update it anyway. If you're not planning on using SSL (https) on your website you can skip this step. As of writing the latest OpenSSL version was 1.0.1i; obviously use the newest version available from OpenSSL. This will install the libraries to /usr/local/ssl/ so it won't interfere with the system version of OpenSSL.
mkdir ~/Downloads/src
cd ~/Downloads/src
curl -O https://www.openssl.org/source/openssl-1.0.1i.tar.gz
tar -zxvf openssl-1.0.1i.tar.gz
cd openssl-1.0.1i
./config shared
make
sudo make install
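
The tarballs in this guide are fetched with curl (several over plain http or ftp) and then installed with sudo, so a digest check can sit between the curl and tar steps. The following is an added example, not part of the original guide: the function names and the manifest layout ("digest filename" per line) are assumptions, and the digests themselves have to come from each project's own release page.

```shell
#!/bin/sh
# Added example: refuse to unpack a source tarball unless its SHA-256 matches
# a digest obtained separately from the project's own release page.

# sha256_of FILE -> prints the lowercase hex digest using whichever tool exists
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_tarball FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if unusable
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "$file: not found" >&2; return 2; }
    # Reject placeholders and truncated digests before comparing anything.
    case $expected in
        *[!0-9a-f]*) echo "$file: expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "$file: expected digest is not 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
    else
        echo "$file: MISMATCH (got $actual)" >&2
        return 1
    fi
}

# verify_manifest MANIFEST -> checks every "digest filename" line; 0 only if all match
verify_manifest() {
    rc=0
    while read -r digest name; do
        case $digest in ''|\#*) continue ;; esac   # skip blank lines and comments
        verify_tarball "$name" "$digest" || rc=1
    done < "$1"
    return $rc
}
```

With a manifest listing, for example, openssl-1.0.1i.tar.gz and httpd-2.2.29.tar.gz, run verify_manifest in ~/Downloads/src and only continue to tar -zxvf when it returns 0.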

Apache Web Server

Apple uses the famous Apache web server on OS X Server when you enable the "Web" service inside Server Admin. Unfortunately the version that ships with Leopard is a bit out of date now and so a fresh install of the latest version is needed. Firstly get the latest version of the Apache source code for 2.2 from apache.org. The latest as of this writing is 2.2.29 (obviously change the mirror and version depending on where you are and what the latest 2.2.x version is):

Using OpenSSL installed above (recommended)

Using the newer version of OpenSSL compiled and installed above you can use TLS 1.1 and 1.2 in mod_ssl. We need to download a newer version of APR (the Apache Portable Runtime) to use the newer version of OpenSSL and compile that with Apache.
curl -O http://www.eng.lsu.edu/mirrors/apache/httpd/httpd-2.2.29.tar.gz
curl -O http://www.eng.lsu.edu/mirrors/apache/apr/apr-1.5.1.tar.gz
curl -O http://www.eng.lsu.edu/mirrors/apache/apr/apr-util-1.5.4.tar.gz
tar -zxvf httpd-2.2.29.tar.gz
cd httpd-2.2.29/srclib/
rm -rf apr
rm -rf apr-util
tar -zxvf ../../apr-1.5.1.tar.gz
tar -zxvf ../../apr-util-1.5.4.tar.gz
ln -s apr-1.5.1 apr
ln -s apr-util-1.5.4 apr-util
cd ../
./configure --enable-layout=Darwin \
	--enable-mods-shared=all \
	--enable-ssl \
	--with-ssl=/usr/local/ssl \
	--enable-ssl-staticlib-deps \
	--enable-mods-static=ssl \
	--with-included-apr
make
sudo make install

Using system provided OpenSSL

Using the system provided OpenSSL library we can't use TLS 1.2, which is the newer, more secure protocol version, in mod_ssl.
curl -O http://www.eng.lsu.edu/mirrors/apache/httpd/httpd-2.2.29.tar.gz
tar -zxvf httpd-2.2.29.tar.gz
cd httpd-2.2.29/
./configure --enable-layout=Darwin --enable-mods-shared=all --enable-ssl
make
sudo make install
The --enable-layout=Darwin will install apache into the correct location for OS X so you can still use the Server Admin graphical configuration tool. Once installed you need to restart it to get it to use the new binaries - you can either stop then start the web service using the graphical admin tool or run "sudo apachectl restart" from the terminal.

PHP

OS X Leopard Server ships with php version 5.2 which is a bit long in the tooth now. Some webapps (like ownCloud) require at least version 5.3 so this needs to be upgraded. You will also most probably need to install a bunch of dependencies if you want to compile in some php modules. In my case I needed support for GD, International and mcrypt for ownCloud, and some of these modules have their own dependencies as well (for example GD needs libjpeg). I needed the following dependencies for ownCloud:

ICU (international):

curl -O http://download.icu-project.org/files/icu4c/51.2/icu4c-51_2-src.tgz
tar -zxvf icu4c-51_2-src.tgz
cd icu/source
./configure
make
sudo make install
libjpeg (needed for GD):
curl -O http://www.ijg.org/files/jpegsrc.v9.tar.gz
tar -zxvf jpegsrc.v9.tar.gz
cd jpeg-9
./configure
make
sudo make install
mcrypt: go to http://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/ and download libmcrypt, then
tar -jxvf libmcrypt-2.5.8.tar.bz2
cd libmcrypt-2.5.8
./configure
make
sudo make install
MySQL headers and includes (php won't compile with MySQL support without these): download the tarball from http://www.opensource.apple.com/darwinsource/other/MySQL-45.binaries.tar.gz, then extract and copy the headers and client libraries:
tar -zxvf MySQL-45.binaries.tar.gz
cd MySQL-45.binaries
tar -zxvf MySQL-45.root.tar.gz
sudo rsync -av usr/include/ /usr/include/
sudo rsync -av usr/lib/ /usr/lib/
Finally you're ready to compile PHP.

PHP 5.5:
The way I do it is to install the new version into /usr/local/php5/ so that you can always roll back to the original if needed. If you don't think you'll roll back then you can drop the '--prefix=/usr/local/php5' statement from the configure line below and replace it with '--enable-layout=Darwin'. Be sure to make a copy of /usr/libexec/apache/libphp5.so if you think you might need to roll back to php 5.2 as the install will overwrite that apache module.

curl -o php-5.5.17.tar.gz -L http://nz2.php.net/get/php-5.5.17.tar.gz/from/this/mirror
tar -zxvf php-5.5.17.tar.gz
cd php-5.5.17
./configure '--prefix=/usr/local/php5' \
	'--with-apxs2=/usr/sbin/apxs' \
	'--with-ldap=/usr' \
	'--with-kerberos=/usr' \
	'--enable-cli' \
	'--with-zlib-dir=/usr' \
	'--enable-exif' \
	'--enable-ftp' \
	'--enable-mbstring' \
	'--enable-mbregex' \
	'--enable-sockets' \
	'--with-iodbc=/usr' \
	'--with-curl=/usr' \
	'--with-config-file-path=/etc/php5' \
	'--sysconfdir=/private/etc' \
	'--with-mysql-sock=/var/mysql' \
	'--with-mysqli=/usr/bin/mysql_config' \
	'--with-mysql=/usr' \
	'--with-openssl=/usr/local/ssl' \
	'--with-xmlrpc' \
	'--with-xsl=/usr' \
	'--without-pear' \
	'--with-gd' \
	'--with-mcrypt' \
	'--with-jpeg-dir=/usr/local/lib' \
	'--with-png-dir=/usr/X11R6' \
	'--with-freetype-dir=/usr/X11R6' \
	'--with-xpm-dir=/usr/X11R6' \
	'--enable-intl' \
	'--with-icu-dir=/usr/local' \
	'--enable-zip' \
	'--with-config-file-scan-dir=/etc/php5/conf' \
	'--with-pdo-mysql' \
	'--enable-opcache'
There is an issue with the order of linking as the system library path (/usr/lib) is linked against before the OpenSSL version we installed above (/usr/local/ssl) so linking fails. To fix this open up Makefile and swap the order of the included libs around so that MH_BUNDLE_FLAGS comes later in the order. In the Makefile find the section that reads:
libs/libphp$(PHP_MAJOR_VERSION).bundle: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS)
	$(CC) $(MH_BUNDLE_FLAGS) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) \
	$(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so
And change it to read:
libs/libphp$(PHP_MAJOR_VERSION).bundle: $(PHP_GLOBAL_OBJS) $(PHP_SAPI_OBJS)
	$(CC) $(CFLAGS_CLEAN) $(EXTRA_CFLAGS) $(LDFLAGS) $(EXTRA_LDFLAGS) $(PHP_GLOBAL_OBJS:.lo=.o) $(PHP_SAPI_OBJS:.lo=.o) \
	$(PHP_FRAMEWORKS) $(EXTRA_LIBS) $(ZEND_EXTRA_LIBS) $(MH_BUNDLE_FLAGS) -o $@ && cp $@ libs/libphp$(PHP_MAJOR_VERSION).so
Note that MH_BUNDLE_FLAGS is now at the end of the linking line (the recipe lines must start with a tab, as in the original Makefile). Then continue on with the compilation and installation:
make
sudo make install
Be warned that the "make" stage can take a very long time to complete. Once make is complete the "sudo make install" will install php5 in /usr/local/php5/ so if you need command line programs to also use php5 you can move /usr/bin/php out of the way and symlink the new version there:
sudo mv /usr/bin/php /usr/bin/php52
sudo ln -s /usr/local/php5/bin/php /usr/bin/php
Once all is compiled and in place you need to create the directory /etc/php5 to put your php.ini file in and also create a directory for any addons needed in /etc/php5/conf. This is all that's needed to run ownCloud - the version of MySQL included with Leopard server is pretty old now (5.0) but is still sufficient for most purposes, but if you do want to upgrade follow the directions below.

Optional Extra: Enable opcache

ownCloud (and a lot of php code) is a lot happier with some form of PHP caching so we use the built in opcache for this purpose. Create a config file to turn it on:
sudo tee /etc/php5/conf/opcache.ini > /dev/null <<EOF
zend_extension=opcache.so
opcache.memory_consumption=128
opcache.fast_shutdown=1
opcache.enable_cli=1
EOF

Checking Apache and PHP versions

An easy way to see if this whole exercise has worked is to put a simple info.php file into your web site root - assuming you've still got the default site set up on OS X Server you can achieve this by editing /Library/WebServer/Documents/info.php and removing the comment marker from in front of phpinfo(); so the file looks like:
<?php
// You can use Server Admin to enable the Apache PHP module; it's disabled by default.
// You can uncomment the phpinfo() directive below to provide a default PHP info page
// but note that this displays information about your host's configuration.
phpinfo();
?>
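Then load it by going to http://<server IP>/info.php - if all is working you will get a complete list of all the options enabled in PHP along with some Apache information. Once you've checked the versions, comment the phpinfo(); line out again, as the page displays information about your host's configuration.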

ClamAV Antivirus

Apple uses the great open source antivirus engine ClamAV for doing malicious software scanning. You only really need this if you're running email or file and print services on your server. While upgrading to the latest version isn't strictly necessary (as you will still get definition updates) it is still good to work with the latest version considering how easy it is to update and it will still work perfectly with Server Admin (so will start when starting mail etc). Firstly go to clamav.net and grab the latest source download, then configure, make and install it:
$ tar -zxvf clamav-0.98.4.tar.gz
$ cd clamav-0.98.4
$ ./configure '--prefix=/' \
	'--exec-prefix=/usr' \
	'--bindir=/usr/bin' \
	'--sbindir=/usr/sbin' \
	'--libexecdir=/usr/libexec' \
	'--datadir=/usr/share/clamav' \
	'--sysconfdir=/private/etc' \
	'--sharedstatedir=/private/var/clamav/share' \
	'--localstatedir=/private/var/clamav/state' \
	'--disable-dependency-tracking' \
	'--libdir=/usr/lib/clamav' \
	'--includedir=/usr/share/clamav/include' \
	'--oldincludedir=/usr/share/clamav/include' \
	'--infodir=/usr/share/clamav/info' \
	'--mandir=/usr/share/man' \
	'--with-dbdir=/private/var/clamav' \
	'--disable-shared' \
	'--with-user=_clamav' \
	'--with-group=_clamav' \
	'--with-gnu-ld' \
	'--enable-static' \
	'--enable-ltdl-convenience' \
	'--with-openssl=/usr/local/ssl'
$ make
$ sudo make install
That's it! You should now have the latest ClamAV installed. To start using it simply start email, or load it from the shell:
$ sudo launchctl load /System/Library/LaunchDaemons/org.clamav.clamd.plist
$ sudo launchctl load -w /System/Library/LaunchDaemons/org.clamav.freshclam.plist
Check the freshclam log (/var/log/freshclam.log) and you should see the new version being loaded.

MySQL 5.5

This isn't strictly needed as most things still work with MySQL 5.0, but if you do want to upgrade the version installed the instructions are as follows:
# get cmake and mount the DMG (CMake 3.3.2 is the last one available for OS X 10.5):
curl -O http://www.cmake.org/files/v3.3/cmake-3.3.2-Darwin-universal.dmg
sudo hdiutil attach cmake-3.3.2-Darwin-universal.dmg
# agree to license, then copy to /Applications:
sudo cp -R /Volumes/cmake-3.3.2-Darwin-universal/CMake.app /Applications/

# After installing, symlink the cmake binary to a directory in PATH:
sudo ln -s /Applications/CMake.app/Contents/bin/cmake /usr/local/bin/cmake

# get mysql source code:
curl -O ftp://mysql.inspire.net.nz/mysql/Downloads/MySQL-5.5/mysql-5.5.43.tar.gz

# untar and configure:
tar -zxvf mysql-5.5.43.tar.gz
cd mysql-5.5.43
cmake . -DBUILD_CONFIG=mysql_release
# the "-DBUILD_CONFIG" option on that line builds MySQL with the most common options as recommended by Oracle. To check 
# what config options were set by running that command you can run:
cmake . -L
# make
make
# install
sudo make install

# Edit /etc/my.cnf and comment out skip-locking (as root) as it isn't an option in 5.5:
sudo su -
sed -i '' 's/^skip-locking/#skip-locking/' /etc/my.cnf

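# still as root, initialise the database
# ("sudo su -" starts in root's home directory, so change to the install directory first)
cd /usr/local/mysql
chown -R _mysql:admin /usr/local/mysql/
chmod +x scripts/mysql_install_db
scripts/mysql_install_db --user=_mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data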

# optional: test all is working
# as root:
/usr/local/mysql/bin/mysqld --socket=/usr/local/mysql/mysql.sock --user=mysql --port=3307 --datadir=/usr/local/mysql/data --pid-file=/var/run/mysql.pid
# in another shell on same host:
/usr/local/mysql/bin/mysql -S /usr/local/mysql/mysql.sock

# Change launchd to use the new mysql install - still as root:
# back up the current plist file:
cp /System/Library/LaunchDaemons/org.mysql.mysqld.plist /var/root/

# stop mysql
launchctl unload /System/Library/LaunchDaemons/org.mysql.mysqld.plist

# change the binary path and data dir
sed -i '' 's/\/libexec/\/local\/mysql\/bin/' /System/Library/LaunchDaemons/org.mysql.mysqld.plist
sed -i '' 's/--datadir=\/var\/mysql/--datadir=\/usr\/local\/mysql\/data/' /System/Library/LaunchDaemons/org.mysql.mysqld.plist

# Restart mysql with the new settings
launchctl load -w /System/Library/LaunchDaemons/org.mysql.mysqld.plist

# set root password
mysql -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('somepassword')"
mysql -e "SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('somepassword')"
This install still uses the same /etc/my.cnf as the original install so any changes needed should be made there.