Lead Image © alexutemov, 123RF.com

Lead Image © alexutemov, 123RF.com

Linux and Windows client management with opsi

Serial Production

Article from ADMIN 37/2017
By
Optimization, rationalization, and cost reduction are just as much a part of the IT administrator's everyday life as reliability and security issues. Opsi simplifies automated software installation in large computer networks.

Over the last 10 years, software developer uib [1] has developed a sophisticated client management environment named opsi (open PC server integration) [2]; it is currently available in version 4. The core components of opsi are free software under the AGPLv3 license.

Gone are the days of the sneaker network, where the administrator ran from PC to PC to install new software and updates. The Opsi client management environment for Linux and Windows clients is based on a Linux server. This management tool supports the automated installation of operating systems, software, and software components, updates, and patches.

The environment can also be used to inventory hardware and software components, thereby killing two birds with one stone. Opsi also supports license management in conjunction with co-funded projects. The Linux-based opsi server can be run on any of the following operating systems: Debian, Ubuntu, CentOS, openSUSE, SUSE Linux Enterprise Server, Univention Corporate Server, and Red Hat Enterprise Linux.

All You Need to Know

These extensive functions are realized by means of a typical client-server architecture: Whereas the opsi server is responsible for managing the environment and administrative features, opsi-client-agent is used on the PC side. The agent must be installed on each client. If an opsi agent is installed on a client, it references the server configuration information – after the boot process, but before a user logs in – to check whether an update or other components needs to be installed on the client. If this action is required, the opsi-script installation program is launched. Opsi stores the necessary scripts and software packages in a file share and automatically performs the installation and configuration.

Full software automation on the client side means eliminating the need for interaction. This is what opsi-script does by offering various options:

  • Launching existing setup programs with parameters in silent or unattended mode.
  • Interactively controlling the setup program with the free AutoIt tools.
  • Recording the actions of the standard setup and handling the necessary interactions through the opsi-script opsi installer.

Which of these options you choose is ultimately a question of your own preferences and the individual circumstances. A combination of options is usually the most effective approach.

Automatic operating system installation is handled via PXE and launched by the opsi-bootimage tool, which helps prepare for the installation. To run this, you need to turn to the opsi management interface. Opsi supports the current Windows versions 7 to 10 (32- and 64-bit), the corresponding Microsoft servers (2008 R2 to 2012 R2), and common Linux systems. For an unattended setup, opsi uses the automatic hardware detection of the respective setup program.

Opsi is controlled through a simple interface, known as the opsi configuration editor, which is available as a Java program and as a Web Start applet. In distributed environments, the editor supports cross-site client management, multiple client selection, and concurrent processing. Administration is simplified by creating client groups (Figure 1). Opsi also has flexible tools for package creation and product lifecycle management. The environment can thus handle different versions of the same software components.

Figure 1: The Java-based opsi configuration editor lets admins create client groups and specify filters to restrict the view.

The opsi management interface communicates via an opsi web service with other tools, in particular with the agents. The communication can be logged to text files or into a MySQL database. The opsi server and the software packages stored there are protected against unauthorized access. Software and hardware components are inventoried in the management interface, and the data can be passed to a configuration management database (CMDB) as needed.

Startup

If you want to get to know opsi, you have two options: Set up a full server environment on a Linux server or rely on a virtual machine environment for evaluation purposes. The opsi team provides a corresponding test environment for VMware Player.

The fastest and easiest way relies on a VM-based installation. Because the computing speed requirements are fairly low, the opsi server can be installed easily as a VM. The developers have set up appropriate machines for ESX, VMware, and VirtualBox. The current opsi ServerVM is available for download [3].

A VMware Player installation is sufficient for the use of the VMware-based virtual machine. Because the deployed virtual machine was created under Linux, minor adjustments to the opsidemo.vmx configuration file may be necessary if you want to run it on any other operating system.

The installation wizard will guide you through the necessary settings, such as the opsi server name, the company name, the network-specific settings, and the admin and root passwords. After a restart, you log in to the web interface as adminuser with the password specified during the setup.

As an example, I'll look at the installation of opsi on a Debian 8.0 system. Keep in mind that the opsi server requires at least 16GB of space in the /var/lib/opsi directory. Opsi requires the components installed in Listing 1 (line 1). If you want to use MySQL as the backend for the inventory data or license management, you also need a database server installation (line 2). As the next step (line 3), check the entries for the opsi server in your /etc/hosts file.

Listing 1

opsi Installation

01 $ aptitude install wget lsof host python-mechanize p7zip-full cabextract openbsd-inetd pigz samba samba-common smbclient cifs-utils samba-doc
02 $ aptitude install mysql-server
03 $ getent hosts $(hostname -f)
04 192.168.1.1 server.domain.tld server
05
06 deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0 ./
07 $ wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key | apt-key add -
08 $ apt-key list
09 ...
10
11 $ aptitude update
12 $ aptitude safe-upgrade
13 $ aptitude remove tftpd
14 $ update-inetd --remove tftpd
15 $ aptitude install opsi-atftpd
16 $ aptitude install opsi-depotserver
17 $ aptitude install opsi-configed

If necessary, correct the name resolution in /etc/hosts, then enter the opsi repository in the /etc/apt/sources.list.d/opsi.list file. The corresponding entry for Debian Jessie is shown in line 6. To import the signature of the repository, run the command in line 7, then check whether the import was successful (line 8). For the actual opsi install, run the commands in lines 11 through 17.

When you run these commands, you will be prompted for the TFTP home directory and asked to create an SSL certificate. During setup, you even need to agree to patch the Samba configuration file smb.conf, and you need to assign a password to the pcpatch user. Should you see any warnings during installation that /etc/opsi/modules was not found, you can safely ignore them. The opsi system is now set up.

The environment has a convenient management interface in the form of opsi-configed, which is available as a standalone Java application and as a Java applet. You can call the applet with the default browser using the URL https://opsi-server:4447/configed/ . Alternatively, launch the opsi config editor, for which the Java runtime environment (JRE) must be installed on the server. The configuration editor is one of the opsi-adminutils, which can be installed locally on clients.

If you want to start opsi on openSUSE, Red Hat Enterprise Linux, a CentOS server, or a Univention Corporate Server, check out the very detailed descriptions in the developer documentation section. The documentation is excellent, by the way, and is available for download in the form of epub and PDF documents.

Installing Windows Agents

In the enterprise, Windows operating systems still dominate the world of desktop computers. Maintaining these machines is thus one of opsi's key tasks. For the maintenance environment to be able to add existing Windows clients to the system, the agent must be installed on them, and you have various ways to do this.

To install the agent on individual computers, use the client agent, which resides in the \\opsi-Server\opsi_depot share, from which you then launch the opsi-client-agent\service_setup.cmd script with the necessary administrative rights. The client reboots after the install.

The opsi-deploy-client-agent agent deployment script makes the installation more convenient by distributing the opsi agents directly from the server to the various clients, which means some prerequisites on the client side:

  • a share (c$)
  • an admin share (admin$)
  • an administrative account

One further requirement needs to be met: On the opsi server side, you need the winexe [4] program. A statically linked winexe version 0.90 is included in the agent. However, you need a winexe version 1.0 (or newer) for a version of Windows more recent than Windows 7. The deploy script generates the client on the server, copies the required installation files and configuration information to the client, and starts the installation.

Conveniently, the opsi-deploy-client-agent script can work through a whole list of clients. To do this, either pass in the client as a parameter or parse a file with the client list using the -f option. One client per line is listed in this file. The clients can be specified by IP address, hostname, or FQDN. You will find the opsi-deploy-client-agent script in the /var/lib/opsi/depot/opsi-client-agent directory. You must run it with root privileges.

Opsi also supports inventorying with hwaudit and swaudit from the configuration editor. Open the client list and go to the Product configuration tab. Click on hwaudit in the Requested Action column. Then open the Setup menu. Repeat these steps for swaudit in the Requested Action column. After relaunching the client, hwaudit and swaudit are installed and will proceed to determine the hardware and software information in the future and send it to the opsi server.

You can use hwinvent for hardware inventory. Again, this function must be set up in the configuration editor. To do this, open the Netboot products tab, change to Pending Action and choose hwinvent . The hardware inventory is enabled with the setup action. Again, a client reboot is necessary to apply the settings.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs



Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
	</a>

<hr>		    
			</div>
		    		</div>

		<div class=