Linux and Windows client management with opsi
Serial Production
Over the last 10 years, software developer uib [1] has developed a sophisticated client management environment named opsi (open PC server integration) [2]; it is currently available in version 4. The core components of opsi are free software under the AGPLv3 license.
Gone are the days of the sneaker network, where the administrator ran from PC to PC to install new software and updates. The Opsi client management environment for Linux and Windows clients is based on a Linux server. This management tool supports the automated installation of operating systems, software, and software components, updates, and patches.
The environment can also be used to inventory hardware and software components, thereby killing two birds with one stone. Opsi also supports license management in conjunction with co-funded projects. The Linux-based opsi server can be run on any of the following operating systems: Debian, Ubuntu, CentOS, openSUSE, SUSE Linux Enterprise Server, Univention Corporate Server, and Red Hat Enterprise Linux.
All You Need to Know
These extensive functions are realized by means of a typical client-server architecture: Whereas the opsi server is responsible for managing the environment and administrative features, opsi-client-agent is used on the PC side. The agent must be installed on each client. If an opsi agent is installed on a client, it references the server configuration information – after the boot process, but before a user logs in – to check whether an update or other components need to be installed on the client. If this action is required, the opsi-script installation program is launched. Opsi stores the necessary scripts and software packages in a file share and automatically performs the installation and configuration.
Full software automation on the client side means eliminating the need for interaction. This is what opsi-script does by offering various options:
- Launching existing setup programs with parameters in silent or unattended mode.
- Interactively controlling the setup program with the free AutoIt tools.
- Recording the actions of the standard setup and handling the necessary interactions through the opsi-script opsi installer.
Which of these options you choose is ultimately a question of your own preferences and the individual circumstances. A combination of options is usually the most effective approach.
Automatic operating system installation is handled via PXE and launched by the opsi-bootimage tool, which helps prepare for the installation. To run this, you need to turn to the opsi management interface. Opsi supports the current Windows versions 7 to 10 (32- and 64-bit), the corresponding Microsoft servers (2008 R2 to 2012 R2), and common Linux systems. For an unattended setup, opsi uses the automatic hardware detection of the respective setup program.
Opsi is controlled through a simple interface, known as the opsi configuration editor, which is available as a Java program and as a Web Start applet. In distributed environments, the editor supports cross-site client management, multiple client selection, and concurrent processing. Administration is simplified by creating client groups (Figure 1). Opsi also has flexible tools for package creation and product lifecycle management. The environment can thus handle different versions of the same software components.
The opsi management interface communicates via an opsi web service with other tools, in particular with the agents. The communication can be logged to text files or into a MySQL database. The opsi server and the software packages stored there are protected against unauthorized access. Software and hardware components are inventoried in the management interface, and the data can be passed to a configuration management database (CMDB) as needed.
Startup
If you want to get to know opsi, you have two options: Set up a full server environment on a Linux server or rely on a virtual machine environment for evaluation purposes. The opsi team provides a corresponding test environment for VMware Player.
The fastest and easiest way relies on a VM-based installation. Because the computing speed requirements are fairly low, the opsi server can be installed easily as a VM. The developers have set up appropriate machines for ESX, VMware, and VirtualBox. The current opsi ServerVM is available for download [3].
A VMware Player installation is sufficient for the use of the VMware-based virtual machine. Because the deployed virtual machine was created under Linux, minor adjustments to the opsidemo.vmx configuration file may be necessary if you want to run it on any other operating system.
The installation wizard will guide you through the necessary settings, such as the opsi server name, the company name, the network-specific settings, and the admin and root passwords. After a restart, you log in to the web interface as adminuser with the password specified during the setup.
As an example, I'll look at the installation of opsi on a Debian 8.0 system. Keep in mind that the opsi server requires at least 16GB of space in the /var/lib/opsi directory. Opsi requires the components installed in Listing 1 (line 1). If you want to use MySQL as the backend for the inventory data or license management, you also need a database server installation (line 2). As the next step (line 3), check the entries for the opsi server in your /etc/hosts file.
Listing 1: opsi Installation
01 $ aptitude install wget lsof host python-mechanize p7zip-full cabextract openbsd-inetd pigz samba samba-common smbclient cifs-utils samba-doc
02 $ aptitude install mysql-server
03 $ getent hosts $(hostname -f)
04 192.168.1.1 server.domain.tld server
05
06 deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0 ./
07 $ wget -O - http://download.opensuse.org/repositories/home:/uibmz:/opsi:/opsi40/Debian_8.0/Release.key | apt-key add -
08 $ apt-key list
09 ...
10
11 $ aptitude update
12 $ aptitude safe-upgrade
13 $ aptitude remove tftpd
14 $ update-inetd --remove tftpd
15 $ aptitude install opsi-atftpd
16 $ aptitude install opsi-depotserver
17 $ aptitude install opsi-configed
If necessary, correct the name resolution in /etc/hosts, then enter the opsi repository in the /etc/apt/sources.list.d/opsi.list file. The corresponding entry for Debian Jessie is shown in line 6. To import the signature of the repository, run the command in line 7, then check whether the import was successful (line 8). For the actual opsi install, run the commands in lines 11 through 17.
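Line 7 of Listing 1 fetches the key over plain HTTP and pipes it directly into apt-key, so nothing authenticates what ends up trusted. One way to check the key first, as an added example (not from the original article or the opsi project): save it to a file and compare its primary-key fingerprint with a value obtained out of band. The function names, the sample listing, and the EXPECTED placeholder are assumptions introduced here.

```shell
#!/bin/sh
# Added example: vet a downloaded repository key before `apt-key add`.
# check_key_fingerprint EXPECTED  < output of `gpg --with-colons ...`
# Succeeds only if every primary key in the listing has the expected
# 40-hex-digit fingerprint. Returns 2 if EXPECTED is not a full fingerprint.
check_key_fingerprint() {
    expected=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 2   # refuse short key IDs
    awk -F: -v want="$expected" '
        $1 == "pub" { pubs++; in_pub = 1; next }
        $1 == "sub" { in_pub = 0; next }
        # The fpr record after "pub" carries the primary fingerprint in field 10.
        $1 == "fpr" && in_pub { if ($10 == want) ok++; in_pub = 0 }
        END { exit (pubs > 0 && ok == pubs) ? 0 : 1 }
    '
}

# Constructed sample listing (not a real key): one primary key, one subkey.
sample_listing() {
    cat <<'EOF'
pub:-:2048:1:89ABCDEF01234567:1400000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Constructed Repo Key <repo@example.invalid>:
sub:-:2048:1:76543210FEDCBA98:1400000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Intended use, with EXPECTED obtained out of band (placeholder here):
#   wget -O Release.key <Release.key URL from line 7>
#   gpg --with-colons --with-fingerprint Release.key \
#     | check_key_fingerprint "$EXPECTED" && apt-key add Release.key
```

A listing that contains a second, unexpected primary key fails the check, so a key file with an extra key bundled in is not imported.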
When you run these commands, you will be prompted for the TFTP home directory and asked to create an SSL certificate. During setup, you even need to agree to patch the Samba configuration file smb.conf, and you need to assign a password to the pcpatch user. Should you see any warnings during installation that /etc/opsi/modules was not found, you can safely ignore them. The opsi system is now set up.
The environment has a convenient management interface in the form of opsi-configed, which is available as a standalone Java application and as a Java applet. You can call the applet with the default browser using the URL https://opsi-server:4447/configed/. Alternatively, launch the opsi config editor, for which the Java runtime environment (JRE) must be installed on the server. The configuration editor is one of the opsi-adminutils, which can be installed locally on clients.
If you want to start opsi on openSUSE, Red Hat Enterprise Linux, a CentOS server, or a Univention Corporate Server, check out the very detailed descriptions in the developer documentation section. The documentation is excellent, by the way, and is available for download in the form of epub and PDF documents.
Installing Windows Agents
In the enterprise, Windows operating systems still dominate the world of desktop computers. Maintaining these machines is thus one of opsi's key tasks. For the maintenance environment to be able to add existing Windows clients to the system, the agent must be installed on them, and you have various ways to do this.
To install the agent on individual computers, use the client agent, which resides in the \\opsi-Server\opsi_depot share, from which you then launch the opsi-client-agent\service_setup.cmd script with the necessary administrative rights. The client reboots after the install.
The opsi-deploy-client-agent agent deployment script makes the installation more convenient by distributing the opsi agents directly from the server to the various clients, which requires some prerequisites on the client side:
- a share (c$)
- an admin share (admin$)
- an administrative account
One further requirement needs to be met: On the opsi server side, you need the winexe [4] program. A statically linked winexe version 0.90 is included in the agent. However, you need a winexe version 1.0 (or newer) for a version of Windows more recent than Windows 7. The deploy script generates the client on the server, copies the required installation files and configuration information to the client, and starts the installation.
Conveniently, the opsi-deploy-client-agent script can work through a whole list of clients. To do this, either pass in the client as a parameter or parse a file with the client list using the -f option. One client per line is listed in this file. The clients can be specified by IP address, hostname, or FQDN. You will find the opsi-deploy-client-agent script in the /var/lib/opsi/depot/opsi-client-agent directory. You must run it with root privileges.
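Because the deployment script runs as root and connects to every listed host with an administrative account, it is worth vetting the client file before the run. The following added example (not part of opsi or the original article) accepts only IPv4 addresses, hostnames, and FQDNs, one per line; the function names and sample entries are constructed, and the IPv4-only rule is an assumption.

```shell
#!/bin/sh
# Added example: vet a client list before passing it with -f.
# validate_client_list [FILE]   (reads stdin when FILE is omitted)
# Prints accepted entries, lower-cased and deduplicated, on stdout and
# rejected lines on stderr. Returns 1 if any line was rejected.
# Assumption: only IPv4 addresses and LDH host names/FQDNs are accepted.
validate_client_list() {
    awk '
    function valid_ipv4(s,   n, p, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255)
                return 0
        return 1
    }
    function valid_name(s,   n, p, i) {
        if (length(s) > 253) return 0
        n = split(s, p, ".")
        for (i = 1; i <= n; i++)
            if (length(p[i]) > 63 || p[i] !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/)
                return 0
        return 1
    }
    { sub(/\r$/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" { next }
    {
        e = tolower($0)
        # Digits-and-dots entries must parse as a real IPv4 address.
        ok = (e ~ /^[0-9.]+$/) ? valid_ipv4(e) : valid_name(e)
        if (!ok) {
            printf "rejected line %d: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
            next
        }
        if (!(e in seen)) { seen[e] = 1; print e }
    }
    END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample list: valid entries, a duplicate, and three bad lines.
sample_client_list() {
    printf '%s\n' 192.168.0.5 testclient.domain.local \
        TESTCLIENT.domain.local pc01 192.168.0.999 'pc02;reboot' -pc03
}
```

Write the accepted entries to a new file and pass that file with -f only when the function returns 0.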
Opsi also supports inventorying with hwaudit and swaudit from the configuration editor. Open the client list and go to the Product configuration tab. Click on hwaudit in the Requested Action column. Then open the Setup menu. Repeat these steps for swaudit in the Requested Action column. After relaunching the client, hwaudit and swaudit are installed and will proceed to determine the hardware and software information in the future and send it to the opsi server.
You can use hwinvent for hardware inventory. Again, this function must be set up in the configuration editor. To do this, open the Netboot products tab, change to Pending Action and choose hwinvent. The hardware inventory is enabled with the setup action. Again, a client reboot is necessary to apply the settings.
Installing Windows Operating Systems
Another practical opsi function is the remote deployment of Windows operating systems. The only requirement: The computers must have network cards with network boot support so that PXE can be used to load boot images via the network. For testing purposes, you can test this functionality with a special VMware appliance [5]. Installing real Windows clients is a little more complicated, because you will usually need to integrate additional drivers.
To integrate the client with the opsi server, you again need the configuration editor. When you get there, press OpsiClient | Create new opsi client and enter the IP name, the domain name, an optional description, the IP address, and the hardware (MAC) address (Figure 2). You can create the client with the opsi-admin console tool in the form:
opsi-admin -d method host_createOpsiClient [opsiHostKey] [description] [note] [hardware address] [IP address] [inventory number] [one-time password] [generated]
For example:
opsi-admin -d method host_createOpsiClient testclient.domain.local "null" "Testclient" "" 00:0c:29:12:34:56 192.168.0.5
You can see all the opsi clients that have been set up in the Clients tab. Opsi lets you configure actions such as Wake-on-LAN or event triggers (Figure 3) for each client.
Opsi provides the opsi-client-bootcd script, which is another function for creating opsi clients. Download the latest image [6], burn it to a CD, and boot to the new client. The setup wizard guides you through the few necessary settings. The last step is to select the operating system to be installed. The script deals with everything else.
The download packages provided by opsi (e.g., win7-x64, win2012-r2, win81-x64, and win10-x64) support Windows operating systems. However, the developers only provide these as a framework that includes the files for automating the installation of the operating system. The Windows operating system components are not included. You need original Windows installation files for the automatic installation of a Windows operating system. Copy them to the opsi server (possibly using the license management tool and along with the Windows license key).
Extensions
One of the most interesting opsi features is its extensibility. The base system already provides impressive functionality, but thanks to the modular architecture, it can be expanded with various extensions through co-funded projects. Extensions are initially billable and are sold against a flat-rate percentage of the development costs. The extensions are then released as soon as the development costs are refinanced through sales. The current status of co-funding of individual extensions is listed online [7]. Currently, the following extensions are available:
- WIM-Capture: Reads all installed software, hotfixes, and configurations from an existing Windows computer and stores the data as a WIM (Windows imaging format) file. This file can serve as a basis for further installations.
- Scalability 1: Distributes the central opsi process across multiple processors and allows scaling to some 10,000 clients and many sites. Opsi reaches its limits in large installations with more than 3,000 clients across multiple locations. This module is made possible by several virtual opsi installations that are managed in a common back end. The implementation of a solution without virtualization is in progress and will then be adopted in this extension.
- Local Image Backup: Allows quick and easy creation of client environments. A backup is created, which can then be installed centrally (e.g., ideal for training computers).
- Nagios Connector: Lets you monitor your opsi installation with Nagios or a descendant of Nagios, such as Icinga. The module can keep an eye on the opsi server, clients, and software rollouts.
- WAN Extension: Allows the integration of distributed clients for which no depot server is available (e.g., for home offices and field staff). If you need to install software on the client, this is provisioned in the background via HTTPS and WebDAV. Requires the use of the MySQL back end.
- License Management: Supports the management of commercial licenses for all non-free software products. The extension provides the managed licenses to the software distribution tool. The module also stores the details about which license was assigned to which device and how many licenses are still available. The ability to link this to software inventory and reporting is interesting.
- UEFI/GPT Support: Supports the integration of UEFI/GPT devices. Newer hardware, especially, may use a UEFI BIOS. This is true not only of servers and PC hardware, but also of tablets.
- Linux-Support: Lets you launch a Linux installation just as easily as a Windows installation. The codebase of the Linux and Windows agents is identical. The extension supports all major Linux distributions.
- MySQL-Backend: Uses the MySQL back end. The default back end in opsi is file-based and primarily stores relevant information in text files. For performance reasons, you should use the MySQL backend for installations with more than 300 clients.
Conclusions
Opsi has already achieved a high degree of maturity in the present version, and according to the developers, they are continuously pushing the work forward. Development is especially dependent on the funding of other functions. Also, the speed and order of other modules depend on specific customer orders. The provider is currently working on performance enhancements for large-scale opsi installations, which will be achieved by redesigning the web services. Additionally, work on an Active Directory Connector is in progress. Thus, you can look forward to future versions and extensions. Opsi is definitely recommended for IT administrators.