Difference between revisions of "Talk:OCS Inventory Tools"
(Future RPM) |
Line 103: | Line 103: | ||
charlie said just make it ([http://bugs.contribs.org/show_bug.cgi?id=3464 as you now do]), so lets close opened bugs | charlie said just make it ([http://bugs.contribs.org/show_bug.cgi?id=3464 as you now do]), so lets close opened bugs | ||
+ | |||
+ | == Future RPM == | ||
+ | |||
+ | ===Next RPM version=== | ||
+ | Quick sumarry of what will change on the next release... This is just suggestions, let's discuss about it! | ||
+ | ====New Apache template==== | ||
+ | As suggested by Stefen: | ||
+ | |||
+ | Content of '''''/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCACertificateFile''''' | ||
+ | |||
+ | # OCS Inventory NG Certificate | ||
+ | { | ||
+ | if (-f '/home/e-smith/ssl.crt/cacert.pem') | ||
+ | { $OUT = "SSLCACertificateFile /home/e-smith/ssl.crt/cacert.pem"; } | ||
+ | else | ||
+ | { $OUT = "# File /home/e-smith/ssl.crt/cacert.pem not present, deployment will not be possible"; } | ||
+ | } | ||
+ | |||
+ | ====Specification File==== | ||
+ | I suggest adding following code in the '''''.spec''''' file in the '''%post''' section | ||
+ | if [ ! -e /home/e-smith/ssl.crt/cacert.pem ]; then | ||
+ | cp /home/e-smith/ssl.crt/$SRVNAME.$DOMAIN.crt /home/e-smith/ssl.crt/cacert.pem | ||
+ | fi | ||
+ | ''$SRVNAME'' and ''$DOMAIN'' are already gathered with following code in the '''''.spec''''' file: | ||
+ | DOMAIN=$(/sbin/e-smith/db configuration get DomainName) | ||
+ | SRVNAME=$(/sbin/e-smith/db configuration get SystemName) | ||
+ | |||
+ | This way, if the certificate doesn't exist, it's "generated" by the RPM install and uses SME's one. This method should be safe... | ||
+ | |||
+ | Users can try using this one, and if it don't work, they can follow up your instructions with Shad's CACERT howto and replace the existing file! | ||
+ | |||
+ | By the way, I had some problem using the certificate untill I fixed DNS issues (I use NO-IP and this free service don't allow wildcards!) | ||
+ | |||
+ | This ends with some errors in Apache log file: | ||
+ | [warn] RSA server certificate CommonName (CN) `servername.mydomain.no-ip.com' does NOT match server name!? | ||
+ | Here's how I fixed my problem: | ||
+ | config setprop modSSL CommonName mydomain.no-ip.com # It would be www.mydomain.no-ip.com if NO-IP had allowed wildcards like dyndns services) | ||
+ | expand-template /home/e-smith/ssl.crt/crt 2> /dev/null | ||
+ | signal-event domain-modify | ||
+ | signal-event email-update | ||
+ | |||
+ | |||
+ | Cool34000 | ||
+ | ---- |
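Review bot: the %post guard "if [ ! -e /home/e-smith/ssl.crt/cacert.pem ]" copies the server certificate only once, so if that certificate is regenerated later (the CommonName fix at the end of this hunk changes it), cacert.pem keeps the old copy and no longer matches what the server presents. Either compare the two files on upgrade or document that cacert.pem has to be refreshed and redistributed after any certificate change. The cp also does not test that /home/e-smith/ssl.crt/$SRVNAME.$DOMAIN.crt exists and leaves both variables unquoted; a "[ -f ... ]" test on the source plus quoting would keep %post from erroring out when the file name differs, in which case the template's else branch silently disables deployment.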
Revision as of 16:24, 7 November 2007
rename page
to describe the functions provided
Inventory and Deployment ?
ipdiscover bug
We need to confirm that ipdiscover works when the smeserver is the forced client.
I tried the following:
 ipdiscover eth0 10
Here's what I got on my server:
 <IPDISCOVER>
 <H>192.168.0.100<M>00:xx:xx:xx:xx:xx</M><N>pc-00100.mydomain.com</N></H>
 <H>192.168.0.253<M>00:xx:xx:xx:xx:xx</M><N>pc-00253.mydomain.com</N></H>
 <H>192.168.0.254<M>00:xx:xx:xx:xx:xx</M><N>pc-00254.mydomain.com</N></H>
 </IPDISCOVER>
Sounds like it's working for me... But IpDiscover discovers nothing when launched by SME OCS' Agent. There must be a problem here!
Windows Agent doesn't have this problem...
Cool34000
deployment howto
Draft steps for deployment, it works !!
SSL Certificates
Installed a SSL certificate eg. http://wiki.contribs.org/Custom_CA_Certificate
below fixes the ssl errors as per http://alufis35.uv.es/OCS-Inventory-Package-Deployment.html
this is common, it could be automated, but should we be trusted, probably not ?
 wget http://www.cacert.org/certs/root.crt
 cp root.crt /home/e-smith/ssl.crt/cacert.pem
add fragment to httpd.conf
 {
 #/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCACertificateFile
     if (-f '/home/e-smith/ssl.crt/cacert.pem')
     { $OUT = "SSLCACertificateFile /home/e-smith/ssl.crt/cacert.pem"; }
 }
copy cacert.pem to the client ocs folder
deploying => Activate => activate package complains that the directory and info files don't exist, Just ignore the activate error, the files are visible from clients deployed a file, optional, run a client update, it should show as notified in ocs
in => Package activation when you delete a package, ocs complains, but it deletes the files anyway, document later
links http://alufis35.uv.es/OCS-Deployment-Tips-and-tricks.html
stephen
Thank you so much for your help Stefen.
I'm so happy that deployment works!!! That's really great news!
A solution was also given on the forum: http://forums.contribs.org/index.php?topic=37359.msg178135#msg178135
It looks easier (no need of CACert). What do you think of the other solution?
Cool34
copying the existing .crt didn't work for me, try both ways and find out what works for you, using the existing cert would be simpler, the windows ocs update command produces a good log file in the ocs directory showing any SSL errors
setting up a CA Certificate doesn't take long and is 'a good idea'
stephen
I'm just looking for the better way to integrate it to the new RPM. So I want to integrate it as far as I can... But not too much!
Yes, using the existing cert would be easier, but maybe having a separate cert could be better. Should we leave this choice to the end-user? I guess yes...
=> Add your proposed 35SSL10SSLCACertificateFile in the RPM
=> Add to OCS' deployment section that cacert.pem must be created and propose both methods if they both work.
=> Add detailed documentation for deployment
=> Maybe add a script to create the cacert automatically, so that the end-user can create it in one shot after the RPM install...
Do you agree?
Cool34000
ParserDetails.ini
http://bugs.contribs.org/show_bug.cgi?id=3525#c2
charlie said just make it (as you now do), so let's close opened bugs
Future RPM
Next RPM version
Quick summary of what will change in the next release... These are just suggestions, let's discuss them!
New Apache template
As suggested by Stefen:
Content of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCACertificateFile
 # OCS Inventory NG Certificate
 {
     if (-f '/home/e-smith/ssl.crt/cacert.pem')
     { $OUT = "SSLCACertificateFile /home/e-smith/ssl.crt/cacert.pem"; }
     else
     { $OUT = "# File /home/e-smith/ssl.crt/cacert.pem not present, deployment will not be possible"; }
 }
Specification File
I suggest adding the following code in the .spec file in the %post section:
 if [ ! -e /home/e-smith/ssl.crt/cacert.pem ]; then
     cp /home/e-smith/ssl.crt/$SRVNAME.$DOMAIN.crt /home/e-smith/ssl.crt/cacert.pem
 fi
$SRVNAME and $DOMAIN are already gathered with the following code in the .spec file:
 DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
 SRVNAME=$(/sbin/e-smith/db configuration get SystemName)
This way, if the certificate doesn't exist, it's "generated" by the RPM install and uses SME's one. This method should be safe...
Users can try using this one, and if it doesn't work, they can follow up your instructions with Shad's CACERT howto and replace the existing file!
By the way, I had some problems using the certificate until I fixed DNS issues (I use NO-IP and this free service doesn't allow wildcards!)
This ends with some errors in the Apache log file:
 [warn] RSA server certificate CommonName (CN) `servername.mydomain.no-ip.com' does NOT match server name!?
Here's how I fixed my problem:
 config setprop modSSL CommonName mydomain.no-ip.com # (It would be www.mydomain.no-ip.com if NO-IP had allowed wildcards like dyndns services)
 expand-template /home/e-smith/ssl.crt/crt 2> /dev/null
 signal-event domain-modify
 signal-event email-update
Cool34000
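
Added example, not part of the talk page or the RPM: a shell check for the two failures discussed above, a cacert.pem that does not validate the server certificate and a CommonName that does not match the server name. The function names and the exact-match CN comparison are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not SME Server or OCS tooling).

# Print the subject CommonName of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if the CA file validates the server certificate.
# $1 = CA file (cacert.pem), $2 = server certificate
ca_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_deploy_cert CAFILE SERVERCERT EXPECTED_NAME
# Prints one status word: missing-ca | untrusted | cn-mismatch | ok
check_deploy_cert() {
    ca=$1 crt=$2 name=$3
    # Same condition the Apache template tests: no file, no deployment.
    [ -s "$ca" ] || { echo missing-ca; return 1; }
    # A cacert.pem from another CA (or a stale copy) fails here.
    ca_verifies "$ca" "$crt" || { echo untrusted; return 2; }
    cn=$(cert_cn "$crt")
    # Exact, case-insensitive comparison; wildcard CNs are not handled.
    if [ "$(printf %s "$cn" | tr 'A-Z' 'a-z')" != \
         "$(printf %s "$name" | tr 'A-Z' 'a-z')" ]; then
        echo cn-mismatch
        return 3
    fi
    echo ok
}

# Stand-alone use: sh check.sh CAFILE SERVERCERT EXPECTED_NAME
if [ "$#" -eq 3 ]; then
    check_deploy_cert "$@"
fi
```

Run it on the server after the RPM install and again after any change to the modSSL CommonName, passing the name the agents use to reach the server.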