Linux and Windows client management with opsi
Serial Production
Over the last 10 years, software developer uib [1] has developed a sophisticated client management environment named opsi (open PC server integration) [2]; it is currently available in version 4. The core components of opsi are free software under the AGPLv3 license.
Gone are the days of the sneaker network, where the administrator ran from PC to PC to install new software and updates. The Opsi client management environment for Linux and Windows clients is based on a Linux server. This management tool supports the automated installation of operating systems, software, and software components, updates, and patches.
The environment can also be used to inventory hardware and software components, thereby killing two birds with one stone. Opsi also supports license management in conjunction with co-funded projects. The Linux-based opsi server can be run on any of the following operating systems: Debian, Ubuntu, CentOS, openSUSE, SUSE Linux Enterprise Server, Univention Corporate Server, and Red Hat Enterprise Linux.
All You Need to Know
These extensive functions are realized by means of a typical client-server architecture: Whereas the opsi server is responsible for managing the environment and administrative features, opsi-client-agent is used on the PC side. The agent must be installed on each client. If an opsi agent is installed on a client, it references the server configuration information (after the boot process, but before a user logs in) to check whether an update or other components need to be installed on the client. If this action is required, the opsi-script installation program is launched. Opsi stores the necessary scripts and software packages in a file share and automatically performs the installation and configuration.
Full software automation on the client side means eliminating the need for interaction. This is what opsi-script does by offering various options:
- Launching existing setup programs with parameters in silent or unattended mode.
- Interactively controlling the setup program with the free AutoIt tools.
- Recording the actions of the standard setup and handling the necessary interactions through the opsi-script opsi installer.
Which of these options you choose is ultimately a question of your own preferences and the individual circumstances. A combination of options is usually the most effective approach.
Automatic operating system installation is handled via PXE and launched by the opsi-bootimage tool, which helps prepare for the installation. To run this, you need to turn to the opsi management interface. Opsi supports the current Windows versions 7 to 10 (32- and 64-bit), the corresponding Microsoft servers (2008 R2 to 2012 R2), and common Linux systems. For an unattended setup, opsi uses the automatic hardware detection of the respective setup program.
Opsi is controlled through a simple interface, known as the opsi configuration editor, which is available as a Java program and as a Web Start applet. In distributed environments, the editor supports cross-site client management, multiple client selection, and concurrent processing. Administration is simplified by creating client groups (Figure 1). Opsi also has flexible tools for package creation and product lifecycle management. The environment can thus handle different versions of the same software components.
The opsi management interface communicates via an opsi web service with other tools, in particular with the agents. The communication can be logged to text files or into a MySQL database. The opsi server and the software packages stored there are protected against unauthorized access. Software and hardware components are inventoried in the management interface, and the data can be passed to a configuration management database (CMDB) as needed.
Startup
If you want to get to know opsi, you have two options: Set up a full server environment on a Linux server or rely on a virtual machine environment for evaluation purposes. The opsi team provides a corresponding test environment for VMware Player.
The fastest and easiest way relies on a VM-based installation. Because the computing speed requirements are fairly low, the opsi server can be installed easily as a VM. The developers have set up appropriate machines for ESX, VMware, and VirtualBox. The current opsi ServerVM is available for download [3].
A VMware Player installation is sufficient for the use of the VMware-based virtual machine. Because the deployed virtual machine was created under Linux, minor adjustments to the opsidemo.vmx configuration file may be necessary if you want to run it on any other operating system.
The installation wizard will guide you through the necessary settings, such as the opsi server name, the company name, the network-specific settings, and the admin and root passwords. After a restart, you log in to the web interface as adminuser with the password specified during the setup.
As an example, I'll look at the installation of opsi on a Debian 8.0 system. Keep in mind that the opsi server requires at least 16GB of space in the /var/lib/opsi directory. Opsi requires the components installed in Listing 1 (line 1). If you want to use MySQL as the backend for the inventory data or license management, you also need a database server installation (line 2). As the next step (line 3), check the entries for the opsi server in your /etc/hosts file.
Listing 1
opsi Installation
01 $ aptitude install wget lsof host python-mechanize p7zip-full cabextract openbsd-inetd pigz samba samba-common smbclient cifs-utils samba-doc
02 $ aptitude install mysql-server
03 $ getent hosts $(hostname -f)
04 192.168.1.1 server.domain.tld server
05
06 deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0 ./
07 $ wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key | apt-key add -
08 $ apt-key list
09 ...
10
11 $ aptitude update
12 $ aptitude safe-upgrade
13 $ aptitude remove tftpd
14 $ update-inetd --remove tftpd
15 $ aptitude install opsi-atftpd
16 $ aptitude install opsi-depotserver
17 $ aptitude install opsi-configed
If necessary, correct the name resolution in /etc/hosts, then enter the opsi repository in the /etc/apt/sources.list.d/opsi.list file. The corresponding entry for Debian Jessie is shown in line 6. To import the signature of the repository, run the command in line 7, then check whether the import was successful (line 8). For the actual opsi install, run the commands in lines 11 through 17.
When you run these commands, you will be prompted for the TFTP home directory and asked to create an SSL certificate. During setup, you even need to agree to patch the Samba configuration file smb.conf, and you need to assign a password to the pcpatch user. Should you see any warnings during installation that /etc/opsi/modules was not found, you can safely ignore them. The opsi system is now set up.
The environment has a convenient management interface in the form of opsi-configed, which is available as a standalone Java application and as a Java applet. You can call the applet with the default browser using the URL https://opsi-server:4447/configed/. Alternatively, launch the opsi config editor, for which the Java runtime environment (JRE) must be installed on the server. The configuration editor is one of the opsi-adminutils, which can be installed locally on clients.
If you want to start opsi on openSUSE, Red Hat Enterprise Linux, a CentOS server, or a Univention Corporate Server, check out the very detailed descriptions in the developer documentation section. The documentation is excellent, by the way, and is available for download in the form of epub and PDF documents.
Installing Windows Agents
In the enterprise, Windows operating systems still dominate the world of desktop computers. Maintaining these machines is thus one of opsi's key tasks. For the maintenance environment to be able to add existing Windows clients to the system, the agent must be installed on them, and you have various ways to do this.
To install the agent on individual computers, use the client agent, which resides in the \\opsi-Server\opsi_depot share, from which you then launch the opsi-client-agent\service_setup.cmd script with the necessary administrative rights. The client reboots after the install.
The opsi-deploy-client-agent agent deployment script makes the installation more convenient by distributing the opsi agents directly from the server to the various clients, which requires some prerequisites on the client side:
- a share (c$)
- an admin share (admin$)
- an administrative account
One further requirement needs to be met: On the opsi server side, you need the winexe [4] program. A statically linked winexe version 0.90 is included in the agent. However, you need a winexe version 1.0 (or newer) for a version of Windows more recent than Windows 7. The deploy script generates the client on the server, copies the required installation files and configuration information to the client, and starts the installation.
Conveniently, the opsi-deploy-client-agent script can work through a whole list of clients. To do this, either pass in the client as a parameter or parse a file with the client list using the -f option. One client per line is listed in this file. The clients can be specified by IP address, hostname, or FQDN. You will find the opsi-deploy-client-agent script in the /var/lib/opsi/depot/opsi-client-agent directory. You must run it with root privileges.
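Because the deploy script runs as root and connects with an administrative account to every entry in the list, a mistyped or stray line matters. The following is an added example (not part of opsi) that vets a client list before it is passed to -f; ALLOWED_DOMAIN, ALLOWED_NET, and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of opsi: vet a client list before passing it to
# opsi-deploy-client-agent -f. ALLOWED_DOMAIN and ALLOWED_NET are assumptions.
ALLOWED_DOMAIN='domain.tld'   # hypothetical managed DNS domain
ALLOWED_NET='192.168.1.'      # hypothetical managed /24, matched as a string prefix
LABEL='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'   # one DNS label

# Print ipv4, fqdn, hostname or invalid for a single list entry.
classify_entry() {
    case $1 in ''|*[!A-Za-z0-9.-]*) echo invalid; return ;; esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9.]+$'; then
        # Digits and dots only: must be four octets, each 0-255.
        printf '%s\n' "$1" | awk -F. 'NF != 4 { bad = 1 }
            { for (i = 1; i <= NF; i++) if ($i == "" || length($i) > 3 || $i + 0 > 255) bad = 1 }
            END { print (bad ? "invalid" : "ipv4") }'
    elif printf '%s\n' "$1" | grep -Eq "^$LABEL\$"; then echo hostname
    elif printf '%s\n' "$1" | grep -Eq "^$LABEL(\\.$LABEL)+\$"; then echo fqdn
    else echo invalid
    fi
}

# Succeed if the entry lies inside the managed domain or network.
in_scope() {   # $1 = entry (lower case), $2 = class
    case $2 in
        ipv4) case $1 in "$ALLOWED_NET"*) return 0 ;; esac ;;
        fqdn) case $1 in *".$ALLOWED_DOMAIN") return 0 ;; esac ;;
        hostname) return 0 ;;   # assumes short names resolve in the managed domain
    esac
    return 1
}

# Print one finding per bad line; return 0 only if the whole list is clean.
check_list() {
    rc=0; seen=' '; n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        entry=$(printf '%s' "$entry" | tr -d '\r' | tr 'A-Z' 'a-z')
        [ -n "$entry" ] || continue
        class=$(classify_entry "$entry")
        if [ "$class" = invalid ]; then echo "line $n: invalid entry"; rc=1
        elif ! in_scope "$entry" "$class"; then echo "line $n: $entry is out of scope"; rc=1
        else case $seen in *" $entry "*) echo "line $n: duplicate $entry"; rc=1 ;; esac
        fi
        seen="$seen$entry "
    done < "$1"
    return "$rc"
}

if [ $# -gt 0 ]; then check_list "$1"; fi
```

Run it with the list file as its only argument and hand the file to the deploy script only when it exits with status 0.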
Opsi also supports inventorying with hwaudit and swaudit from the configuration editor. Open the client list and go to the Product configuration tab. Click on hwaudit in the Requested Action column. Then open the Setup menu. Repeat these steps for swaudit in the Requested Action column. After relaunching the client, hwaudit and swaudit are installed and will proceed to determine the hardware and software information in the future and send it to the opsi server.
You can use hwinvent for hardware inventory. Again, this function must be set up in the configuration editor. To do this, open the Netboot products tab, change to Pending Action and choose hwinvent. The hardware inventory is enabled with the setup action. Again, a client reboot is necessary to apply the settings.