167
edits
Changes
Jump to navigation
Jump to search
Created page with "{{Languages|Opsi}} {{Warning box| This howto is based upon limited testing. YMMV}} {{Level|Advanced}} === Description === [http://www.opsi.org Opsi] (open pc server integrati..."
{{Languages|Opsi}}
{{Warning box| This howto is based upon limited testing. YMMV}}
{{Level|Advanced}}
=== Description ===
[http://www.opsi.org Opsi] (open pc server integration) is an open source Client Management System for Windows clients.
Key features:
* Automatic OS installation (unattended or image based)
* Automatic software distribution and patch management
* Hardware and software inventories
* License management
=== Install ===
{{Warning box|This howto is for SME8 only!}}
{{Note box|<tt></tt>
* Before you start installing, be sure to have set your workgroup, domain name and dns-servers properly!
* Also, you cannot have the [[Tftp_server | tftp server]] or [[Atftp_server | atftp server]] contrib installed (or manual install of either) on the same machine.}}
===== Creating necessary repositories =====
First we need to create the opsi repository:
/sbin/e-smith/db yum_repositories set opsi4 repository \
Name 'CentOS $releasever - $basearch - opsi4.0' \
BaseURL 'http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/' \
EnableGroups no \
GPGCheck no \
GPGKey http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/repodata/repomd.xml.key \
Visible no \
status disabled
We also want to add the DAG repository for the needed python-rrdtool package (and sadly also a LOAD of other dependencies that come with python-rrdtool):
/sbin/e-smith/db yum_repositories set dag repository \
Name 'Dag - EL5' \
BaseURL 'http://apt.sw.be/redhat/el5/en/$basearch/dag' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt \
Visible no \
Exclude freetype,htop,iptraf,rsync,syslinux \
status disabled
Then to activate the newly added repositories:
signal-event yum-modify
yum makecache
===== Installing the packages =====
Installing the necessary Opsi packages.
yum install opsi-depotserver opsi-configed --enablerepo=opsi4,dag
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart
yum install p7zip p7zip-plugins cabextract --enablerepo=opsi4
yum update --enablerepo=opsi4
===== Manual code change =====
An manual adjustment to the code needs to be made for Opsi to work on SME.
nano /usr/lib/python2.4/site-packages/OPSI/Backend/BackendManager.py
Search for the following line:
elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1):
And replace it with:
elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1) or (DISTRIBUTOR.lower().find('sme') != -1):
===== Opsi init =====
Some initialization for Opsi.
opsi-setup --init-current-config
opsi-setup --set-rights
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart
===== Set pcpatch password =====
Make a note of the password you are setting, you might need it later.
opsi-admin -d task setPcpatchPassword
===== Java config =====
Add a symbolic link for the installed java runtime environment:
ln -s /usr/lib/jvm/java-1.6.0-sun-1.6.0/jre/bin/java /usr/bin/java
Check the java version, this sould now return a result
java -version
===== User config =====
Opsi normally uses separately created users for administration, but for SME we use the default admin account. Add the admin account to the opsiadmin group so it can use the Opsi administration commands.
usermod -a -G opsiadmin admin
It is not neccesary to add the root account to the pcpatch group, root is allowed to do anything. If you want a separate user to be able to build opsi packages (opsi-makeproductfile), install packages (opsi-packagemanager) or manually edit configuration files, it would have to be added to the 'pcpatch' group.
#usermod -a -G pcpatch <some_user>
===== Opsi-atftpd config =====
Add a sysconfig file for atftpd.
nano /etc/sysconfig/atftpd
Add the following content to this file:
ATFTPD_OPTIONS="--daemon --user atftp --group atftp --logfile /var/log/atftp/atftp.log /tftpboot"
Create an atftpd startscript:
nano /etc/rc.d/init.d/atftpd
Add the following content to this file:
#!/bin/sh
#
# atftp Advanced Trivial File Transfer Protocol
#
# chkconfig: - 90 20
# description: atftp stands for Advanced Trivial File \
# Transfer Protocol. atftp is intended for serving boot files to \
# large clusters. It is multi-threaded and support multicast \
# (RFC2090 and PXE), allowing faster boot of hundreds of machine simultaneously.
### BEGIN INIT INFO
# Provides: tftp
# Required-Start: $network
# Required-Stop: $network
# Should-Start: 2 3 4 5
# Should-Stop: 0 1 6
# Default-Start:
# Default-Stop:
# Short-Description: Advanced Trivial File Transfer Protocol
# Description: atftp stands for Advanced Trivial File
# Transfer Protocol. atftp is intended for serving boot files to
# large clusters. It is multi-threaded and support multicast
# (RFC2090 and PXE), allowing faster boot of hundreds of machine
# simultaneously.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/atftpd"
prog="atftpd"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
echo -n $"Starting $prog: "
# if not running, start it up here, usually something like "daemon $exec"
daemon $exec $ATFTPD_OPTIONS
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
exit 2
esac
exit $?
Set the proper rights for this script.
chmod 755 /etc/rc.d/init.d/atftpd
Start atftpd
/etc/rc.d/init.d/atftpd start
===== Automatic startup at boot =====
Configure automatic opsiconfd startup at boot:
chmod 755 /etc/rc.d/init.d/opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc7.d/S98opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc6.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc2.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc1.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc0.d/K02opsiconfd
Configure automatic opsipxeconfd startup at boot:
chmod 755 /etc/rc.d/init.d/opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc7.d/S98opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc6.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc2.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc1.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc0.d/K02opsipxeconfd
Configure automatic atftpd startup at boot:
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc7.d/S98opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc6.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc2.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc1.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc0.d/K02opsi-atftpd
===== Configure samba shares =====
Add a template fragment for the opsi samba network shares:
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf
nano /etc/e-smith/templates-custom/etc/smb.conf/51opsi_shares
Add the following content to this file:
[opt_pcbin]
available = yes
comment = opsi depot share
path = /opt/pcbin
oplocks = no
level2 oplocks = no
writeable = yes
invalid users = root
[opsi_config]
available = yes
comment = opsi config share
path = /var/lib/opsi/config
writeable = yes
invalid users = root
[opsi_workbench]
available = yes
comment = opsi workbench
path = /home/opsiproducts
writeable = yes
invalid users = root
create mask = 0660
directory mask = 0770
Expand the template:
expand-template /etc/samba/smb.conf
Restart samba services:
/etc/rc7.d/S91smb restart
=== Notes ===
===== Internal Error on agent deploy =====
When you get an 'internal error' on trying to install an agent on a workstation from the commandline with the <tt>opsi-deploy-client-agent</tt> command, you probably have the bad version of winexe, so you'll need to get the newer version from UIB:
cd /opt/pcbin/install/opsi-client-agent/
mv winexe winexe.OLD
wget http://download.uib.de/opsi3.4/winexe
chmod --reference ./winexe.OLD winexe
chown --reference ./winexe.OLD winexe
===== Windows firewall exceptions =====
On windows machines you need to enable the "File and printer sharing" exception for the windows firewall. On occasion it could also be necessary (after some Windows update) to re-add the 'opsiclientd-control-port' TCP-port: 4441 or add the opsiclientd (usually in: <tt>C:\Program Files\opsi.org\opsi-client-agent\opsiclientd.exe</tt>) to the Windows Firewall exceptions for "On Demand" installations to work.
----
[[Category:Howto]]
{{Warning box| This howto is based upon limited testing. YMMV}}
{{Level|Advanced}}
=== Description ===
[http://www.opsi.org Opsi] (open pc server integration) is an open source Client Management System for Windows clients.
Key features:
* Automatic OS installation (unattended or image based)
* Automatic software distribution and patch management
* Hardware and software inventories
* License management
=== Install ===
{{Warning box|This howto is for SME8 only!}}
{{Note box|<tt></tt>
* Before you start installing, be sure to have set your workgroup, domain name and dns-servers properly!
* Also, you cannot have the [[Tftp_server | tftp server]] or [[Atftp_server | atftp server]] contrib installed (or manual install of either) on the same machine.}}
===== Creating necessary repositories =====
First we need to create the opsi repository:
/sbin/e-smith/db yum_repositories set opsi4 repository \
Name 'CentOS $releasever - $basearch - opsi4.0' \
BaseURL 'http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/' \
EnableGroups no \
GPGCheck no \
GPGKey http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/CentOS_CentOS-5/repodata/repomd.xml.key \
Visible no \
status disabled
We also want to add the DAG repository for the needed python-rrdtool package (and sadly also a LOAD of other dependencies that come with python-rrdtool):
/sbin/e-smith/db yum_repositories set dag repository \
Name 'Dag - EL5' \
BaseURL 'http://apt.sw.be/redhat/el5/en/$basearch/dag' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt \
Visible no \
Exclude freetype,htop,iptraf,rsync,syslinux \
status disabled
Then to activate the newly added repositories:
signal-event yum-modify
yum makecache
===== Installing the packages =====
Installing the necessary Opsi packages.
yum install opsi-depotserver opsi-configed --enablerepo=opsi4,dag
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart
yum install p7zip p7zip-plugins cabextract --enablerepo=opsi4
yum update --enablerepo=opsi4
===== Manual code change =====
An manual adjustment to the code needs to be made for Opsi to work on SME.
nano /usr/lib/python2.4/site-packages/OPSI/Backend/BackendManager.py
Search for the following line:
elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1):
And replace it with:
elif (DISTRIBUTOR.lower().find('redhat') != -1) or (DISTRIBUTOR.lower().find('centos') != -1) or (DISTRIBUTOR.lower().find('scientificsl') != -1) or (DISTRIBUTOR.lower().find('sme') != -1):
===== Opsi init =====
Some initialization for Opsi.
opsi-setup --init-current-config
opsi-setup --set-rights
/etc/init.d/opsiconfd restart
/etc/init.d/opsipxeconfd restart
===== Set pcpatch password =====
Make a note of the password you are setting, you might need it later.
opsi-admin -d task setPcpatchPassword
===== Java config =====
Add a symbolic link for the installed java runtime environment:
ln -s /usr/lib/jvm/java-1.6.0-sun-1.6.0/jre/bin/java /usr/bin/java
Check the java version, this sould now return a result
java -version
===== User config =====
Opsi normally uses separately created users for administration, but for SME we use the default admin account. Add the admin account to the opsiadmin group so it can use the Opsi administration commands.
usermod -a -G opsiadmin admin
It is not neccesary to add the root account to the pcpatch group, root is allowed to do anything. If you want a separate user to be able to build opsi packages (opsi-makeproductfile), install packages (opsi-packagemanager) or manually edit configuration files, it would have to be added to the 'pcpatch' group.
#usermod -a -G pcpatch <some_user>
===== Opsi-atftpd config =====
Add a sysconfig file for atftpd.
nano /etc/sysconfig/atftpd
Add the following content to this file:
ATFTPD_OPTIONS="--daemon --user atftp --group atftp --logfile /var/log/atftp/atftp.log /tftpboot"
Create an atftpd startscript:
nano /etc/rc.d/init.d/atftpd
Add the following content to this file:
#!/bin/sh
#
# atftp Advanced Trivial File Transfer Protocol
#
# chkconfig: - 90 20
# description: atftp stands for Advanced Trivial File \
# Transfer Protocol. atftp is intended for serving boot files to \
# large clusters. It is multi-threaded and support multicast \
# (RFC2090 and PXE), allowing faster boot of hundreds of machine simultaneously.
### BEGIN INIT INFO
# Provides: tftp
# Required-Start: $network
# Required-Stop: $network
# Should-Start: 2 3 4 5
# Should-Stop: 0 1 6
# Default-Start:
# Default-Stop:
# Short-Description: Advanced Trivial File Transfer Protocol
# Description: atftp stands for Advanced Trivial File
# Transfer Protocol. atftp is intended for serving boot files to
# large clusters. It is multi-threaded and support multicast
# (RFC2090 and PXE), allowing faster boot of hundreds of machine
# simultaneously.
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
exec="/usr/sbin/atftpd"
prog="atftpd"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
echo -n $"Starting $prog: "
# if not running, start it up here, usually something like "daemon $exec"
daemon $exec $ATFTPD_OPTIONS
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
exit 2
esac
exit $?
Set the proper rights for this script.
chmod 755 /etc/rc.d/init.d/atftpd
Start atftpd
/etc/rc.d/init.d/atftpd start
===== Automatic startup at boot =====
Configure automatic opsiconfd startup at boot:
chmod 755 /etc/rc.d/init.d/opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc7.d/S98opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc6.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc2.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc1.d/K02opsiconfd
ln -s /etc/rc.d/init.d/opsiconfd /etc/rc.d/rc0.d/K02opsiconfd
Configure automatic opsipxeconfd startup at boot:
chmod 755 /etc/rc.d/init.d/opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc7.d/S98opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc6.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc2.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc1.d/K02opsipxeconfd
ln -s /etc/rc.d/init.d/opsipxeconfd /etc/rc.d/rc0.d/K02opsipxeconfd
Configure automatic atftpd startup at boot:
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc7.d/S98opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc6.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc2.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc1.d/K02opsi-atftpd
ln -s /etc/rc.d/init.d/atftpd /etc/rc.d/rc0.d/K02opsi-atftpd
===== Configure samba shares =====
Add a template fragment for the opsi samba network shares:
mkdir -p /etc/e-smith/templates-custom/etc/smb.conf
nano /etc/e-smith/templates-custom/etc/smb.conf/51opsi_shares
Add the following content to this file:
[opt_pcbin]
available = yes
comment = opsi depot share
path = /opt/pcbin
oplocks = no
level2 oplocks = no
writeable = yes
invalid users = root
[opsi_config]
available = yes
comment = opsi config share
path = /var/lib/opsi/config
writeable = yes
invalid users = root
[opsi_workbench]
available = yes
comment = opsi workbench
path = /home/opsiproducts
writeable = yes
invalid users = root
create mask = 0660
directory mask = 0770
Expand the template:
expand-template /etc/samba/smb.conf
Restart samba services:
/etc/rc7.d/S91smb restart
=== Notes ===
===== Internal Error on agent deploy =====
When you get an 'internal error' on trying to install an agent on a workstation from the commandline with the <tt>opsi-deploy-client-agent</tt> command, you probably have the bad version of winexe, so you'll need to get the newer version from UIB:
cd /opt/pcbin/install/opsi-client-agent/
mv winexe winexe.OLD
wget http://download.uib.de/opsi3.4/winexe
chmod --reference ./winexe.OLD winexe
chown --reference ./winexe.OLD winexe
===== Windows firewall exceptions =====
On windows machines you need to enable the "File and printer sharing" exception for the windows firewall. On occasion it could also be necessary (after some Windows update) to re-add the 'opsiclientd-control-port' TCP-port: 4441 or add the opsiclientd (usually in: <tt>C:\Program Files\opsi.org\opsi-client-agent\opsiclientd.exe</tt>) to the Windows Firewall exceptions for "On Demand" installations to work.
----
[[Category:Howto]]