Talk:OCS Inventory Tools

From SME Server
Revision as of 16:24, 7 November 2007 by Cool34000 (talk | contribs) (Future RPM)
Jump to navigation Jump to search

rename page

to describe the functions provides

Inventory and Deployment ?


ipdiscover bug

We need to confirm that ipdiscover works when the smeserver is the forced client.

I Tried the following:

ipdiscover eth0 10
Important.png Note:
Usage : ipdiscover [iface name] [latency in ms]


Here's what I got on my server:

<IPDISCOVER>
<H>192.168.0.100<M>00:xx:xx:xx:xx:xx</M><N>pc-00100.mydomain.com</N></H>
<H>192.168.0.253<M>00:xx:xx:xx:xx:xx</M><N>pc-00253.mydomain.com</N></H>
<H>192.168.0.254<M>00:xx:xx:xx:xx:xx</M><N>pc-00254.mydomain.com</N></H>
</IPDISCOVER>

Sounds like it's working for me... But IpDiscover discovers nothing when launched by SME OCS' Agent. There must be a problem here!

Windows Agent don't have this problem...


Cool34000


deployment howto

Draft steps for deployment, it works !!

SSL Certificates
Installed a SSL certificate eg. http://wiki.contribs.org/Custom_CA_Certificate

below fixes the ssl errors as per http://alufis35.uv.es/OCS-Inventory-Package-Deployment.html
this is common, it could be automated, but should we be trusted, probably not ?
wget http://www.cacert.org/certs/root.crt
cp root.crt /home/e-smith/ssl.crt/cacert.pem
add fragment to httpd.conf
{
   #/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCACertificateFile
   if (-f '/home/e-smith/ssl.crt/cacert.pem')
   { $OUT = "SSLCACertificateFile /home/e-smith/ssl.crt/cacert.pem"; }
} 
copy cacert.pem to the client ocs folder
deploying => Activate => activate package
complains that the directory and info files don't exist,
Just ignore the activate error, the files are visible from clients
 
deployed a file, optional, run a client update, it should show as notified in ocs
in => Package activation
when you delete a package, ocs complains, but it deletes the files anyway, document later


links
http://alufis35.uv.es/OCS-Deployment-Tips-and-tricks.html

stephen


Thank you so much for your help Stefen.

I'm so happy that deployment works!!! That's really great news!


A solution was also given on the forum: http://forums.contribs.org/index.php?topic=37359.msg178135#msg178135

It looks easier (no need of CACert). What do you think of the other solution?


Cool34


copying the existing .crt didn't work for me, try both ways and find out what works for you, using the existing cert would be simpler, the windows ocs update command produces a good log file in the ocs directory showing any SSL errors

setting up a CA Certificate doesn't take long and is 'a good idea'

stephen


I'm just looking for the better way to integrate it to the new RPM. So I want to integrate it as far as I can... But not too much!

Yes, using existing cert would be easier, but maybe having a seperate cert could be better. Should we let this choice to the end-user? I guess yes...

=> Add your proposed 35SSL10SSLCACertificateFile in the RPM

=> Add to OCS' deployment section that cacert.pem must be created and propose both methods if they both work.

=> Add detailled documentation for deployment

=> Maybe add a script to create the cacert automatically, so that the end-user can create it in one shot after the RPM install...

Do you agree?


Cool34000


ParserDetails.ini

http://bugs.contribs.org/show_bug.cgi?id=3525#c2

charlie said just make it (as you now do), so lets close opened bugs

Future RPM

Next RPM version

Quick sumarry of what will change on the next release... This is just suggestions, let's discuss about it!

New Apache template

As suggested by Stefen:

Content of /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCACertificateFile

# OCS Inventory NG Certificate
{
    if (-f '/home/e-smith/ssl.crt/cacert.pem')
      { $OUT = "SSLCACertificateFile /home/e-smith/ssl.crt/cacert.pem"; }
    else
      { $OUT = "# File /home/e-smith/ssl.crt/cacert.pem not present, deployment will not be possible"; }
}

Specification File

I suggest adding following code in the .spec file in the %post section

if [ ! -e /home/e-smith/ssl.crt/cacert.pem ]; then
  cp /home/e-smith/ssl.crt/$SRVNAME.$DOMAIN.crt /home/e-smith/ssl.crt/cacert.pem
fi

$SRVNAME and $DOMAIN are already gathered with following code in the .spec file:

DOMAIN=$(/sbin/e-smith/db configuration get DomainName)
SRVNAME=$(/sbin/e-smith/db configuration get SystemName)

This way, if the certificate doesn't exist, it's "generated" by the RPM install and uses SME's one. This method should be safe...

Users can try using this one, and if it don't work, they can follow up your instructions with Shad's CACERT howto and replace the existing file!

By the way, I had some problem using the certificate untill I fixed DNS issues (I use NO-IP and this free service don't allow wildcards!)

This ends with some errors in Apache log file:

[warn] RSA server certificate CommonName (CN) `servername.mydomain.no-ip.com' does NOT match server name!?

Here's how I fixed my problem:

config setprop modSSL CommonName mydomain.no-ip.com     # It would be www.mydomain.no-ip.com if NO-IP had allowed wildcards like dyndns services)
expand-template /home/e-smith/ssl.crt/crt 2> /dev/null
signal-event domain-modify
signal-event email-update


Cool34000