Management Software Installation with opsi
Lead Image © alexutemov, 123RF.com
 

Linux and Windows client management with opsi

Serial Production

Optimization, rationalization, and cost reduction are just as much a part of the IT administrator's everyday life as reliability and security issues. Opsi simplifies automated software installation in large computer networks.

By Dr. Holger Reibold

Over the last 10 years, software developer uib [1] has developed a sophisticated client management environment named opsi (open PC server integration) [2]; it is currently available in version 4. The core components of opsi are free software under the AGPLv3 license.

Gone are the days of the sneaker network, where the administrator ran from PC to PC to install new software and updates. The Opsi client management environment for Linux and Windows clients is based on a Linux server. This management tool supports the automated installation of operating systems, software, and software components, updates, and patches.

The environment can also be used to inventory hardware and software components, thereby killing two birds with one stone. Opsi also supports license management in conjunction with co-funded projects. The Linux-based opsi server can be run on any of the following operating systems: Debian, Ubuntu, CentOS, openSUSE, SUSE Linux Enterprise Server, Univention Corporate Server, and Red Hat Enterprise Linux.

All You Need to Know

These extensive functions are realized by means of a typical client-server architecture: Whereas the opsi server is responsible for managing the environment and administrative features, opsi-client-agent is used on the PC side. The agent must be installed on each client. If an opsi agent is installed on a client, it references the server configuration information – after the boot process, but before a user logs in – to check whether an update or other components need to be installed on the client. If this action is required, the opsi-script installation program is launched. Opsi stores the necessary scripts and software packages in a file share and automatically performs the installation and configuration.

Full software automation on the client side means eliminating the need for interaction. This is what opsi-script does by offering various options:

Which of these options you choose is ultimately a question of your own preferences and the individual circumstances. A combination of options is usually the most effective approach.

Automatic operating system installation is handled via PXE and launched by the opsi-bootimage tool, which helps prepare for the installation. To run this, you need to turn to the opsi management interface. Opsi supports the current Windows versions 7 to 10 (32- and 64-bit), the corresponding Microsoft servers (2008 R2 to 2012 R2), and common Linux systems. For an unattended setup, opsi uses the automatic hardware detection of the respective setup program.

Opsi is controlled through a simple interface, known as the opsi configuration editor, which is available as a Java program and as a Web Start applet. In distributed environments, the editor supports cross-site client management, multiple client selection, and concurrent processing. Administration is simplified by creating client groups (Figure 1). Opsi also has flexible tools for package creation and product lifecycle management. The environment can thus handle different versions of the same software components.

Figure 1: The Java-based opsi configuration editor lets admins create client groups and specify filters to restrict the view.

The opsi management interface communicates via an opsi web service with other tools, in particular with the agents. The communication can be logged to text files or into a MySQL database. The opsi server and the software packages stored there are protected against unauthorized access. Software and hardware components are inventoried in the management interface, and the data can be passed to a configuration management database (CMDB) as needed.

Startup

If you want to get to know opsi, you have two options: Set up a full server environment on a Linux server or rely on a virtual machine environment for evaluation purposes. The opsi team provides a corresponding test environment for VMware Player.

The fastest and easiest way relies on a VM-based installation. Because the computing speed requirements are fairly low, the opsi server can be installed easily as a VM. The developers have set up appropriate machines for ESX, VMware, and VirtualBox. The current opsi ServerVM is available for download [3].

A VMware Player installation is sufficient for the use of the VMware-based virtual machine. Because the deployed virtual machine was created under Linux, minor adjustments to the opsidemo.vmx configuration file may be necessary if you want to run it on any other operating system.

The installation wizard will guide you through the necessary settings, such as the opsi server name, the company name, the network-specific settings, and the admin and root passwords. After a restart, you log in to the web interface as adminuser with the password specified during the setup.

As an example, I'll look at the installation of opsi on a Debian 8.0 system. Keep in mind that the opsi server requires at least 16GB of space in the /var/lib/opsi directory. Opsi requires the components installed in Listing 1 (line 1). If you want to use MySQL as the backend for the inventory data or license management, you also need a database server installation (line 2). As the next step (line 3), check the entries for the opsi server in your /etc/hosts file.

Listing 1: opsi Installation

01 $ aptitude install wget lsof host python-mechanize p7zip-full cabextract openbsd-inetd pigz samba samba-common smbclient cifs-utils samba-doc
02 $ aptitude install mysql-server
03 $ getent hosts $(hostname -f)
04 192.168.1.1 server.domain.tld server
05
06 deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0 ./
07 $ wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key | apt-key add -
08 $ apt-key list
09 ...
10
11 $ aptitude update
12 $ aptitude safe-upgrade
13 $ aptitude remove tftpd
14 $ update-inetd --remove tftpd
15 $ aptitude install opsi-atftpd
16 $ aptitude install opsi-depotserver
17 $ aptitude install opsi-configed

If necessary, correct the name resolution in /etc/hosts, then enter the opsi repository in the /etc/apt/sources.list.d/opsi.list file. The corresponding entry for Debian Jessie is shown in line 6. To import the signature of the repository, run the command in line 7, then check whether the import was successful (line 8). For the actual opsi install, run the commands in lines 11 through 17.
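Line 7 pipes a key fetched over plain HTTP directly into apt-key, so APT trusts the key before anyone has inspected it. As an added example (not from the original article or the opsi project), the script below downloads the key to a file and imports it only if its fingerprint matches one obtained through a separate channel; EXPECTED_FPR is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: import the repository key only after a fingerprint check.
KEY_URL="http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key"
# Placeholder: the fingerprint published by the vendor, obtained separately.
EXPECTED_FPR="REPLACE-WITH-PUBLISHED-FINGERPRINT"

# Remove whitespace and upper-case, so "ab12 cd34" equals "AB12CD34".
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# True only for two identical full-length (40 hex digit) fingerprints;
# short key IDs and empty strings never match.
fpr_matches() {
    _a=$(normalize_fpr "$1")
    _b=$(normalize_fpr "$2")
    printf '%s\n' "$_a" | grep -Eq '^[0-9A-F]{40}$' || return 1
    [ "$_a" = "$_b" ]
}

# Print the fingerprint of the first key in a file. gpg without a command
# lists the keys in the file; it does not import them.
key_file_fpr() {
    gpg --batch --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Download, compare, and call apt-key add only on a match.
import_verified_key() {
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$KEY_URL"; then
        rm -f "$tmp"; echo "download failed" >&2; return 1
    fi
    actual=$(key_file_fpr "$tmp")
    if fpr_matches "$actual" "$EXPECTED_FPR"; then
        apt-key add "$tmp"; rc=$?
    else
        echo "fingerprint mismatch (got '$actual'); key not imported" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as root with: sh verify-opsi-key.sh --import
if [ "${1:-}" = "--import" ]; then import_verified_key; fi
```

With the placeholder left in place the comparison fails, so nothing is imported until a real fingerprint is filled in.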

When you run these commands, you will be prompted for the TFTP home directory and asked to create an SSL certificate. During setup, you also need to agree to patch the Samba configuration file smb.conf, and you need to assign a password to the pcpatch user. Should you see any warnings during installation that /etc/opsi/modules was not found, you can safely ignore them. The opsi system is now set up.

The environment has a convenient management interface in the form of opsi-configed, which is available as a standalone Java application and as a Java applet. You can call the applet with the default browser using the URL https://opsi-server:4447/configed/. Alternatively, launch the opsi config editor, for which the Java runtime environment (JRE) must be installed on the server. The configuration editor is one of the opsi-adminutils, which can be installed locally on clients.

If you want to start opsi on openSUSE, Red Hat Enterprise Linux, a CentOS server, or a Univention Corporate Server, check out the very detailed descriptions in the developer documentation section. The documentation is excellent, by the way, and is available for download in the form of epub and PDF documents.

Installing Windows Agents

In the enterprise, Windows operating systems still dominate the world of desktop computers. Maintaining these machines is thus one of opsi's key tasks. For the maintenance environment to be able to add existing Windows clients to the system, the agent must be installed on them, and you have various ways to do this.

To install the agent on individual computers, use the client agent, which resides in the \\opsi-Server\opsi_depot share, from which you then launch the opsi-client-agent\service_setup.cmd script with the necessary administrative rights. The client reboots after the install.

The opsi-deploy-client-agent deployment script makes the installation more convenient by distributing the opsi agents directly from the server to the various clients, which requires some prerequisites on the client side:

One further requirement needs to be met: On the opsi server side, you need the winexe [4] program. A statically linked winexe version 0.90 is included in the agent. However, you need a winexe version 1.0 (or newer) for a version of Windows more recent than Windows 7. The deploy script generates the client on the server, copies the required installation files and configuration information to the client, and starts the installation.

Conveniently, the opsi-deploy-client-agent script can work through a whole list of clients. To do this, either pass in the client as a parameter or have the script read a file with the client list using the -f option. This file lists one client per line. The clients can be specified by IP address, hostname, or FQDN. You will find the opsi-deploy-client-agent script in the /var/lib/opsi/depot/opsi-client-agent directory. You must run it with root privileges.
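Because the deploy script runs as root and installs software on every host named in the file, the list is worth checking before it is passed to -f. The following is an added example, not part of the original article or of opsi; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a client list before opsi-deploy-client-agent -f.

# Print "ip", "fqdn" or "hostname" for a valid entry; return 1 otherwise.
classify_client() {
    entry=$1
    label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    if printf '%s\n' "$entry" | grep -Eqx "$octet(\.$octet){3}"; then
        echo ip
    elif printf '%s\n' "$entry" | grep -Eqx '[0-9.]+'; then
        return 1    # digits and dots only, but not a valid IPv4 address
    elif [ "${#entry}" -le 253 ] &&
         printf '%s\n' "$entry" | grep -Eqx "$label(\.$label)+"; then
        echo fqdn
    elif printf '%s\n' "$entry" | grep -Eqx "$label"; then
        echo hostname
    else
        return 1    # spaces, shell metacharacters, leading "-", and so on
    fi
}

# Check each line; report invalid or duplicate entries; fail if any exist.
check_client_list() {
    file=$1; lineno=0; bad=0; seen=''
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=$(printf '%s' "$line" | tr -d '\r')    # tolerate CRLF files
        [ -z "$line" ] && continue
        key=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        if ! classify_client "$line" >/dev/null; then
            echo "line $lineno: invalid entry" >&2; bad=$((bad + 1))
        elif printf '%s' "$seen" | grep -Fqx -e "$key"; then
            echo "line $lineno: duplicate of an earlier entry" >&2; bad=$((bad + 1))
        else
            seen="$seen$key
"
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# Constructed sample: two valid entries, then three that are rejected.
sample_list() {
    printf '%s\n' 'pc01.domain.local' '192.168.0.5' '192.168.0.500' \
        'pc02;reboot' 'PC01.domain.local'
}

# With a file argument, check it: sh check-clients.sh clients.txt
if [ -n "${1:-}" ]; then check_client_list "$1"; fi
```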

Opsi also supports inventorying with hwaudit and swaudit from the configuration editor. Open the client list and go to the Product configuration tab. Click on hwaudit in the Requested Action column. Then open the Setup menu. Repeat these steps for swaudit in the Requested Action column. After the client is relaunched, hwaudit and swaudit are installed; from then on, they determine the hardware and software information and send it to the opsi server.

You can use hwinvent for hardware inventory. Again, this function must be set up in the configuration editor. To do this, open the Netboot products tab, change to Pending Action and choose hwinvent. The hardware inventory is enabled with the setup action. Again, a client reboot is necessary to apply the settings.

Installing Windows Operating Systems

Another practical opsi function is the remote deployment of Windows operating systems. The only requirement: The computers must have network cards with network boot support so that PXE can be used to load boot images via the network. For testing purposes, you can test this functionality with a special VMware appliance [5]. Installing real Windows clients is a little more complicated, because you will usually need to integrate additional drivers.

To integrate the client with the opsi server, you again need the configuration editor. When you get there, press OpsiClient | Create new opsi client and enter the IP name, the domain name, an optional description, the IP address, and the hardware (MAC) address (Figure 2). Alternatively, you can create the client with the opsi-admin console tool in the form:

opsi-admin -d method host_createOpsiClient [opsiHostKey] [description] [note] [hardware address] [IP address] [inventory number] [one-time password] [generated]
Figure 2: If you are creating a new opsi client manually, you need to specify the relevant information.

For example:

opsi-admin -d method host_createOpsiClient testclient.domain.local "null" "Testclient" "" 00:0c:29:12:34:56 192.168.0.5

You can see all the opsi clients that have been set up in the Clients tab. Opsi lets you configure actions such as Wake-on-LAN or event triggers (Figure 3) for each client.

Figure 3: Opsi supports various client actions, such as Wake-on-LAN, event triggers, and messages.

Opsi provides the opsi-client-bootcd script, which is another way to create opsi clients. Download the latest image [6], burn it to a CD, and boot the new client from it. The setup wizard guides you through the few necessary settings. The last step is to select the operating system to be installed. The script deals with everything else.

The download packages provided by opsi (e.g., win7-x64, win2012-r2, win81-x64, and win10-x64) support Windows operating systems. However, the developers only provide these as a framework that includes the files for automating the installation of the operating system. The Windows operating system components are not included. You need original Windows installation files for the automatic installation of a Windows operating system. Copy them to the opsi server (possibly using the license management tool and along with the Windows license key).

Extensions

One of the most interesting opsi features is its extensibility. The base system already provides impressive functionality, but thanks to the modular architecture, it can be expanded with various extensions through co-funded projects. Extensions are initially billable and are sold against a flat-rate percentage of the development costs. The extensions are then released as soon as the development costs are refinanced through sales. The current status of co-funding of individual extensions is listed online [7]. Currently, the following extensions are available:

Conclusions

Opsi has already achieved a high degree of maturity in the present version, and according to the developers, they are continuously pushing the work forward. Development is especially dependent on the funding of other functions. The speed and order of other modules also depend on specific customer orders. The provider is currently working on performance enhancements for large-scale opsi installations, which will be achieved by redesigning the web services. Additionally, work on an Active Directory Connector is in progress. Thus, you can look forward to future versions and extensions. Opsi is definitely recommended for IT administrators.