Opsi

From SME Server
Revision as of 21:32, 31 December 2013 by TrevorB (talk | contribs) (→‎Install)


Warning:
This howto is based upon limited testing. YMMV


Skill level: Advanced
The instructions on this page may require deviations from standard procedures. A good understanding of Linux and Koozali SME Server is recommended.


Description

Opsi (open pc server integration) is an open source Client Management System for Windows clients.

Key features:

  • Automatic OS installation (unattended or image based)
  • Automatic software distribution and patch management
  • Hardware and software inventories
  • License management

Install

  Warning:
This howto is for SME8 only!


  Note:
  • Before you start installing, be sure to have set your workgroup, domain name and DNS servers properly!
  • Also, you cannot have the tftp server contrib installed (or manual install of either) on the same machine.


Creating necessary repositories

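First we need to create the opsi repository. Note that this definition sets GPGCheck to no, so yum does not verify package signatures for this repository even though a GPGKey is listed: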

/sbin/e-smith/db yum_repositories set opsi4 repository \
Name 'CentOS $releasever - $basearch - opsi4.0' \
BaseURL 'http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/' \
EnableGroups no \
GPGCheck no \
GPGKey http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/repodata/repomd.xml.key \
Visible no \
status disabled

We also want to add the DAG repository for the needed python-rrdtool package (and sadly also a LOAD of other dependencies that come with python-rrdtool):

/sbin/e-smith/db yum_repositories set dag repository \
Name 'Dag - EL5' \
BaseURL 'http://apt.sw.be/redhat/el5/en/$basearch/dag' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt \
Visible no \
Exclude freetype,htop,iptraf,rsync,syslinux \
status disabled

Then to activate the newly added repositories:

signal-event yum-modify
yum makecache
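
To see which repository definitions install packages without signature verification, the following added example (not part of the original howto) filters the output of `/sbin/e-smith/db yum_repositories show`. It assumes that output lists each entry as `name=repository` followed by indented `Property=value` lines; the sample is constructed from the two definitions above.

```shell
#!/bin/sh
# Added example, not from the original howto.
# Constructed sample of `db yum_repositories show` output (layout assumed:
# "name=type" followed by indented "Property=value" lines).
sample_db_output() {
    cat <<'EOF'
dag=repository
    BaseURL=http://apt.sw.be/redhat/el5/en/$basearch/dag
    GPGCheck=yes
    Visible=no
    status=disabled
opsi4=repository
    BaseURL=http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/
    GPGCheck=no
    Visible=no
    status=disabled
EOF
}

# Print the name of every repository whose GPGCheck is not "yes".
# A definition with no GPGCheck property at all is reported as well.
unsigned_repos() {
    awk '
        function report() { if (name != "" && gpg != "yes") print name }
        /^[^ \t]/               { report(); name = ""; gpg = "" }
        /^[^ \t=]+=repository$/ { name = $0; sub(/=.*/, "", name) }
        /^[ \t]+GPGCheck=/      { gpg = $0; sub(/^[ \t]+GPGCheck=/, "", gpg) }
        END                     { report() }
    '
}

# On the server: /sbin/e-smith/db yum_repositories show | unsigned_repos
sample_db_output | unsigned_repos
```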

Installing the packages

Install the necessary Opsi packages:

yum install opsi-depotserver opsi-configed --enablerepo=opsi4,dag
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart
yum install p7zip p7zip-plugins cabextract --enablerepo=opsi4
yum update --enablerepo=opsi4

Manual code change

A manual adjustment to the code needs to be made for Opsi to work on SME.

nano /usr/lib/python2.4/site-packages/OPSI/Backend/BackendManager.py

Search for the following line:

elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1):

And replace it with:

elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1) or (DISTRIBUTOR.lower().find('sme') != -1):
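
The same edit can be applied without an interactive editor. This added example (not part of the original howto) makes the change idempotent, keeps the packaged file as `.orig`, and refuses to touch a file that does not contain the line quoted above; the function names and the `.orig` suffix are choices made here.

```shell
#!/bin/sh
# Added example, not from the original howto.
# patch_distributor_check FILE
#   returns 0 if FILE contains the 'sme' test (patched now or earlier),
#   returns 1 if the expected original line is not present (FILE untouched).
patch_distributor_check() {
    file=$1
    old="(DISTRIBUTOR.lower().find('scientificsl') != -1):"
    new="(DISTRIBUTOR.lower().find('scientificsl') != -1) or (DISTRIBUTOR.lower().find('sme') != -1):"

    # Idempotent: a second run must not append the clause twice.
    if grep -qF "$new" "$file"; then
        return 0
    fi
    # Refuse to edit a file that does not contain the line this howto expects.
    if ! grep -qF "$old" "$file"; then
        echo "expected DISTRIBUTOR line not found in $file" >&2
        return 1
    fi

    cp -p "$file" "$file.orig" || return 1      # keep the packaged version
    # Insert the extra clause before the colon that ends the elif line.
    sed "s/\(find('scientificsl') != -1)\):\$/\1 or (DISTRIBUTOR.lower().find('sme') != -1):/" \
        "$file.orig" > "$file" || return 1
    grep -qF "$new" "$file"
}

# Constructed stand-in for BackendManager.py holding only the line to change.
make_sample() {
    printf "%s\n" "elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1):" > "$1"
}

# On the server:
#   patch_distributor_check /usr/lib/python2.4/site-packages/OPSI/Backend/BackendManager.py
```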

Opsi init

Some initialization for Opsi.

opsi-setup --init-current-config
opsi-setup --set-rights
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart

Set pcpatch password

Make a note of the password you are setting; you might need it later.

opsi-admin -d task setPcpatchPassword

Java config

Add a symbolic link for the installed java runtime environment:

ln -s /usr/lib/jvm/java-1.6.0-sun-1.6.0/jre/bin/java /usr/bin/java

Check the Java version; this should now return a result:

java -version

User config

Opsi normally uses separately created users for administration, but for SME we use the default admin account. Add the admin account to the opsiadmin group so it can use the Opsi administration commands.

usermod -a -G opsiadmin admin

It is not necessary to add the root account to the pcpatch group; root is allowed to do anything. If you want a separate user to be able to build opsi packages (opsi-makeproductfile), install packages (opsi-packagemanager) or manually edit configuration files, that user has to be added to the 'pcpatch' group.

#usermod -a -G pcpatch <some_user>

Opsi-atftpd config

Add a sysconfig file for atftpd.

nano /etc/sysconfig/atftpd

Add the following content to this file:

ATFTPD_OPTIONS="--daemon --user atftp --group atftp --logfile /var/log/atftp/atftp.log /tftpboot"


Create an atftpd start script:

nano /etc/rc.d/init.d/atftpd

Add the following content to this file:

#!/bin/sh
#
# atftp Advanced Trivial File Transfer Protocol
#
# chkconfig:   - 90 20
# description: atftp stands for Advanced Trivial File \
#     Transfer Protocol. atftp is intended for serving boot files to \
#     large clusters. It is multi-threaded and support multicast \
#     (RFC2090 and PXE), allowing faster boot of hundreds of machine simultaneously.


### BEGIN INIT INFO
# Provides: tftp
# Required-Start: $network
# Required-Stop: $network
# Should-Start: 2 3 4 5
# Should-Stop: 0 1 6
# Default-Start: 
# Default-Stop: 
# Short-Description: Advanced Trivial File Transfer Protocol
# Description:  atftp stands for Advanced Trivial File
#	Transfer Protocol. atftp is intended for serving boot files to
#	large clusters. It is multi-threaded and support multicast
#	(RFC2090 and PXE), allowing faster boot of hundreds of machine
#	simultaneously.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

exec="/usr/sbin/atftpd"
prog="atftpd"

[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

lockfile=/var/lock/subsys/$prog

start() {
	[ -x $exec ] || exit 5
	echo -n $"Starting $prog: "
	# if not running, start it up here, usually something like "daemon $exec"
	daemon $exec $ATFTPD_OPTIONS
	retval=$?
	echo
	[ $retval -eq 0 ] && touch $lockfile
	return $retval
}

stop() {
	echo -n $"Stopping $prog: "
	killproc $prog
	retval=$?
	echo
	[ $retval -eq 0 ] && rm -f $lockfile
	return $retval
}

restart() {
	stop
	start
}

reload() {
	restart
}

force_reload() {
	restart
}

rh_status() {
	status $prog
}

rh_status_q() {
	rh_status >/dev/null 2>&1
}


case "$1" in
	start)
		rh_status_q && exit 0
		$1
		;;
	stop)
		rh_status_q || exit 0
		$1
		;;
	restart)
		$1
		;;
	reload)
		rh_status_q || exit 7
		$1
		;;
	force-reload)
		force_reload
		;;
	status)
		rh_status
		;;
	condrestart|try-restart)
		rh_status_q || exit 0
		restart
		;;
	*)
		echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
		exit 2
esac
exit $?

Set the proper rights for this script.

chmod 755 /etc/rc.d/init.d/atftpd

Start atftpd

/etc/rc.d/init.d/atftpd start

Automatic startup at boot

Configure automatic opsiconfd startup at boot:

chmod 755 /etc/rc.d/init.d/opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc7.d/S98opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc6.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc2.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc1.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc0.d/K02opsiconfd

Configure automatic opsipxeconfd startup at boot:

chmod 755 /etc/rc.d/init.d/opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc7.d/S98opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc6.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc2.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc1.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc0.d/K02opsipxeconfd

Configure automatic atftpd startup at boot:

ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc7.d/S98opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc6.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc2.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc1.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc0.d/K02opsi-atftpd

Configure samba shares

Add a template fragment for the opsi samba network shares:

mkdir -p /etc/e-smith/templates-custom/etc/smb.conf
nano /etc/e-smith/templates-custom/etc/smb.conf/51opsi_shares

Add the following content to this file:

[opt_pcbin]
        available = yes
        comment = opsi depot share
        path = /opt/pcbin
        oplocks = no
        level2 oplocks = no
        writeable = yes
        invalid users = root

[opsi_config]
        available = yes
        comment = opsi config share
        path = /var/lib/opsi/config
        writeable = yes
        invalid users = root

[opsi_workbench]
        available = yes
        comment = opsi workbench
        path = /home/opsiproducts
        writeable = yes
        invalid users = root
        create mask = 0660
        directory mask = 0770

Expand the template:

expand-template /etc/samba/smb.conf

Restart samba services:

/etc/rc7.d/S91smb restart

Notes

Internal Error on agent deploy

If you get an 'internal error' when trying to install an agent on a workstation from the command line with the opsi-deploy-client-agent command, you probably have the bad version of winexe, so you'll need to get the newer version from UIB:

cd /opt/pcbin/install/opsi-client-agent/
mv winexe winexe.OLD
wget http://download.uib.de/opsi3.4/winexe
chmod --reference ./winexe.OLD winexe
chown --reference ./winexe.OLD winexe
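
The download above uses plain HTTP and the page gives no checksum, so nothing in the procedure verifies the file before it is made executable in the depot. The following added example (not part of the original howto) performs the same swap only after a SHA-256 check; the expected checksum and the `/root/winexe.new` path are assumptions, to be replaced by a value obtained from the publisher over a trusted channel.

```shell
#!/bin/sh
# Added example, not from the original howto.
# replace_verified CANDIDATE EXPECTED_SHA256 TARGET
#   0 = TARGET replaced, old file kept as TARGET.OLD
#   1 = checksum mismatch, TARGET left untouched
#   2 = usage or filesystem error
replace_verified() {
    candidate=$1 expected=$2 target=$3
    [ -f "$candidate" ] && [ -f "$target" ] && [ -n "$expected" ] || return 2

    actual=$(sha256sum "$candidate" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $candidate: got $actual" >&2
        return 1
    fi

    mv "$target" "$target.OLD" || return 2
    if ! cp "$candidate" "$target"; then
        mv "$target.OLD" "$target"          # roll back to the old binary
        return 2
    fi
    # Same ownership and mode handling as the manual steps above.
    chmod --reference="$target.OLD" "$target" &&
    chown --reference="$target.OLD" "$target" || return 2
    return 0
}

# Usage on the server, with the download kept outside the depot directory
# (EXPECTED is a placeholder for the checksum obtained from the publisher,
# /root/winexe.new is a hypothetical scratch path):
#   wget -O /root/winexe.new http://download.uib.de/opsi3.4/winexe
#   replace_verified /root/winexe.new "$EXPECTED" /opt/pcbin/install/opsi-client-agent/winexe
```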

Windows firewall exceptions

On Windows machines you need to enable the "File and printer sharing" exception for the Windows firewall. On occasion it could also be necessary (after some Windows update) to re-add the 'opsiclientd-control-port' TCP port 4441, or to add opsiclientd (usually in: C:\Program Files\opsi.org\opsi-client-agent\opsiclientd.exe) to the Windows Firewall exceptions, for "On Demand" installations to work.