Carafe is a (fancy) wrapper for Homebrew. It is designed to be run as root; it drops privileges to the currently logged-in user so it can be safely executed by management tools such as Munki or Jamf.
- Bootstrapping engineering machines with a set of Homebrew formulae.
- Enforcing minimum formulae versions to address security vulnerabilities, only for formulae that are already installed.
- For a full example of using Carafe with Munki, see the examples directory.
In addition to the basic Homebrew functionality, Carafe provides a few additional features:
You can specify a minimum version of a formula that should be installed. If the installed version is lower than the specified minimum version, Carafe will automatically upgrade it to the latest version.
/opt/macadmins/bin/carafe check <formula> --min-version=<version>Carafe can check whether a formula is installed and whether it meets a minimum version. Use --skip-not-installed to ignore formulae that are not installed; this is useful when you only want to enforce minimum versions for installed formulae.
/opt/macadmins/bin/carafe check <formula> [--min-version=<version>] [--skip-not-installed]Munki expects an exit code of 0 to indicate that installation is required, and 1 to indicate that no action is needed when using installcheck_script. With --munki-installcheck, carafe check exits 0 if the formula is not installed or fails the --min-version check, and 1 if it is installed and meets the requirement.
/opt/macadmins/bin/carafe check <formula> [--min-version=<version>] [--skip-not-installed] --munki-installcheckThese commands support the same options as the brew command. The commands are:
cleanupinfoinstalltapuninstalluntapupgrade
Carafe was designed and tested for 1:1 deployments. No testing has been done for shared deployments like instructional labs, and it's possible there will be issues in those scenarios.
![@github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=64&v=4){kind=small}