MacAD.UK is just a few weeks away, and I’m rather excited about the whole thing. I will be speaking on the second day about Practical CI/CD workflows for Mac Admins - a topic that I’ve wanted to speak about for quite some time. And of course I am hoping we will all be able to go for the now traditional curry one evening (I’m sure we can all agree, curry is the height of British cuisine).
Earlier this year I was diagnosed with testicular cancer. I’m one of the lucky ones, I caught it early, was fortunate enough to have excellent treatment and am now in remission. Testicular cancer is the most common form of cancer in men under 40 years old - chances are either you will get it or you will know someone who will.
This year, I’m raising money for Movember. I’ve already raised an amazing amount mostly due to the generosity of the Apple admin community. I’ve had to raise my target several times until I went big and set it at $10,000. I blasted though that before November even started, so thank you to everyone who donated!
If you haven’t donated yet, and also think testicular cancer is a bit shit, please find your way to donating either on the Movember site proper or on Facebook (who will very kindly eat the currency conversion fees if you don’t want to donate in USD).
A CloudFront Distribution so your clients will pull from an AWS endpoint near them
A Lambda@Edge function that will set up basic authentication
A Munki repo is a basic web server. But you still need to worry about setting up one or more servers, patching those servers, scaling them around the world if you have clients in more than one country.
Amazon Web Services has crazy high levels of up time - more than we could ever manage ourselves. CloudFront powers some of the world’s busiest websites without breaking a sweat, so it can handle your Munki repo without any trouble.
So it makes sense to offload the running of these services so we can get on with our day.
Over time, you may notice your Sal install getting slower and slower - this will happen faster the more devices you have checking in. You may even see rediciulous amounts of disk space being used - maybe even 1Gb per hour. This can all be solved by tweaking some simple matinenance settings on your Postgres server.
Before we crack on with how to stop this from happening, it will be useful to know how Postgres handles deleted data.
Take the following table (this is a represenation of the facts table in Sal):
When a device checks into Sal, rather than asking the database what facts are stored for the machine, iterating over each one, working out which ones have values that need updating, working out which ones are missing, and working out which ones need to be removed, Sal instructs tha database to delete all of the facts for that device, and then to save the new ones. What could potentially be 1000 operations becomes two, which is much faster.
You would expect Postgres to delete the rows out of the database at this point. Unfortunately that isn’t what happens. What actually happens is Postgres marks the row as able to be deleted. There are various good reasons for this outlined in the documentation which I won’t go into here, but when an application like Sal is updating and deleting data constantly, the disk usage can skyrocket.
As time goes on, these empty tuples will mount up. This is where the database’s maintenance tasks come in. They are supposed to come along and vaccuum the tables, removing these dead tuples.
So what can we do?
But unfortunately the defaults are basically useless. I am not going to go in depth about why I chose the following settings - I learned a lot from this post and adjusted their recommendations to meet our needs. My Postgres server is Amazon’s RDS, so the settings are entered in the Parameter Group for the database. If you are running a bare metal install, you will be editing the Postgres configuration. I have added a few notes about why we chose the value we did next to the setting. Our general goal was to have maintenance performed more frequently, so it would take less time as it will have less work to do during each run, and to give the maintenance worker as much resources as possible so it would complete as quickly as possible.
It’s been three long months since I gave a talk with Brett, my lovely coworker at MacAd.UK, so it’s time to give some talks on the side of the pond which I currently reside.
Firstly I will be at MacDevOps:YVR on June 7th - 8th, where I will be joined by fellow beer snob Wes Whetstone where we will be talking about Crypt and probably talking about beer in the bar afterwards.