opsi-server Basic installation

VMware

If you have a server running VMware or VMware player, it only takes a few mouse clicks to install a base 'opsi-server':

ESXi-Server

Virtualbox

General

The VMware player is free of charge and available for all common operating systems at vmware.com. Usually it can be installed without any problems, as long as the resources of the host computer (especially memory) meet the needs of running software systems in parallel.

The first step is to choose the preferred language:

The opsi-server needs to be connected to the Internet to work properly. The script 1stboot.py will automatically start at the first boot in order to configure the opsi-server network settings. If something goes wrong while running '1stboot.py', then you may run 1stboot.py again from the command line.

The log file of 1stboot.py is located at /var/lib/1stboot/1stboot.log.

Fill in the configuration information for your network and answer the questions.

In the following, you will be asked for:

After the program '1stboot.py' finishes, the virtual machine will be rebooted.

After the reboot, or after completing the network configuration, login as 'adminuser' with your password.

The graphical user interface of the opsi-server should have already started (a lightweight window manager is used). A "Firefox" browser window appears at startup, and displays this document and further information.

If you get a message that there is no network connection, this might be caused by the special configuration of the virtual appliance. Before trying other options, you should reboot the server again. (i.e. use the shutdown button in the GUI)

If the network was correctly configured in the previous steps, then you should be able to remotely access the opsi-server, for example:

In the following sections, some commands have to be entered into a command line interface. It may be the easiest way to work through these instructions.

The commands are input into a window called a "terminal window". Here are examples that explain how to access a terminal window:

We recommend cutting and pasting commands from this handbook directly into the opsi-server terminal window (most applications support cut and paste).

Example snippets from configuration files are formatted like this:

Example snippets for commands that you have to execute are formatted like this:

Angle brackets '< >' mark abstract names. When entering commands, please replace the '<abstract name>' with a real name.
For example: The file share, where opsi places the software packages, may abstractly be noted as '<opsi-depot-share>'. If the real file share is /var/lib/opsi/depot, then you have to replace the abstract name by this exact string. The location of the package '<opsi-depot-share>/ooffice' becomes /var/lib/opsi/depot/ooffice. .

If the network configuration is correct, and the computer is connected to the Internet, then you can access any website using the browser in the start window.

If not everything is working, then you have to open a terminal window (maybe this is not yet possible from a remote connection, only from the server GUI) and then perform the necessary network connection checks and fixes.

You can re-enter the network configuration by entering this command in the terminal window:

A reboot is forced with the command:

If the network connection works, then you can install opsi packages or update them, and configure the environment for the first installation test. If you want to use the virtual machine (and not install the opsi-server directly to your host system), then skip to Update and Configuration of the opsi-server.

To update your opsi-server you need to double click the Icon 'Update OS' on the desktop. To do this please enter the current password for the adminuser and confirm if necessary.

If necessary for your Internet access, adapt the file /etc/apt/apt.conf to your network circumstances (enter correct proxy or comment / delete line). You can edit these using the program any text editor for example, 'midnight commander':

By performing a double click the Icon 'First package installation' the minimal opsi-products will be installed. To do this please enter the current password for the adminuser. This automatically fetches the current opsi packages, including templates for OS deployments, from the opsi repositories and installs them on the server.

For more information see Importing the minimal opsi products.

You can start the management interface by double clicking on the icon 'Opsi Configuration Editor'. For a description of the management interface check Installation of the management interface opsi-configed.

You have a running opsi server now, i.e. the opsi application itself is fully configured.

You can now proceed with:

First, make sure that the opsi-server has a valid DNS hostname. To do this, either check the entries in the /etc/hosts file or enter the following command:

The result should look like this for example:

The output on your system should show the server’s IP address to which the opsi clients connect later on. It’s followed by the associated hostname, and the third field contains an optional alias (here: server), under which the computer can also be reached.

The file may look different on your distribution. If it contains only entries for 127.0.0.1 or localhost, edit the file /etc/hosts in the text editor of your choice. For the opsi-server, enter at least the IP address and the full host name, optionally an alias.

opsi-QuickInstall can be found on our servers under the following link: https://download.uib.de/opsi4.2/stable/quickinstall/

Download the zip file to your computer and unpack it, for example using this command on the shell:

Alternatively unpack the archive via the file manager of your graphical desktop environment (right click / Unpack here). You can install opsi QuickInstall wither with a graphical user interface or via the command line. The next two sections explain both ways.

The installation may take a few minutes. When it’s finished, opsi QuickInstall will tell you if it was successful. If you see the message success, then your opsi-server is configured and ready for operation. You can now start with the installation of opsi products.

If you see a dialog like in If the installation fails, please check the log files for error messages. instead, please check the log files for error messages. You can find the logs in the two files /var/log/opsi-quick-install-l-opsi-server.log and /tmp/opsi_quickinstall.log.

The directory nogui contains the program opsi_quick_install_project, which supports the following parameters:

opsi QuickInstall works under the following distributions (names according to the output of the lsb_release command or according to the file os-release, since QuickInstall itself uses these names):

To activate mysql_native_password for the root user, the following steps are necessary:

Necessary preparations:

The installation of opsi is possible on a server with the roles 'master', 'backup', 'slave' or 'member'. For the installation on a 'member' you need to read Hints about installing opsi on an UCS server with the role 'member'!

The following documentation describes an installation on a 'master' with Samba 4.

The classic installation with the user 'pcpatch' in the primary group 'pcpatch' cannot be adhered to with UCS. Samba 4 has the same fundamental restrictions as Active-Directory, so groups with the same name as a user are not allowed. For this reason the configuration file /etc/opsi/opsi.conf has been introduced for UCS 3. This file controls how the group used for the Samba shares will be named. Since UCS 3 the group name 'pcpatch' will be renamed to 'opsifileadmins' with this file. This means that users that need rights for opsi (opsi package builders for example) should not be members of the group 'pcpatch' but must be members of the group 'opsifileadmins'. This peculiarity applies only to UCS and is different to other distributions and different to the next chapters in the opsi-documentation. With UCS the user 'pcpatch' is created as a full domain user. For more information about this new configuration file please refer to the opsi-manual.

Univention UCS 4.4:

Univention UCS 5.0:

For installation the following commands must be entered next:

Single server setup:

Manual setup:

If the role of the target system different than 'master' or 'backup' then we have to run the opsi4ucs Join-Script:

A link to the management interface can be found at the URL https://<servername>:4447.

To use the opsi configuration editor the user has to be a member of the group opsiadmin. The group membership can be edited by using Univention-Admin. The user Administrator will automatically be added to this group during the opsi installation.

Finally, in UDM, for the 'opsi_depot'-share we have to set the following option under Advanced Settings → Advanced Samba Settings: 'follow symlinks' must be set to 'yes'. The same should be done for the 'opsi_depot_rw'-share, so the driver integration will run without problems. If the directory /var/lib/opsi/depot is located on an extra partition or hard disk then the option for wide links should be set to 'yes'.

To make sure that opsi is running with the proper settings restart opsi by entering the following commands:

Please be advised that samba 4 will not be automatically restarted, since it is a important service on which other software may depend. You have to restart it manually. After restarting samba there may be a slight delay before the new shares are accessible.

Because there is no direct connection between the Univention LDAP and the opsi-backend all Clients have to be created twice. First in the Univention-LDAP using UDM and then in opsi including all system information (in particular the MAC address). Deleting a LDAP client in Univention will not delete the client in opsi and vice versa. This problem is further discussed in Synchronising data from LDAP to opsi.

Since opsi was installed on an existing server we assume that the network configuration is correct.
Continue with the installation by skipping forward to configuration.

Installing opsi on a server with the role 'member' is possible.

After an installation you need to make sure that the user that will be used to access the depot exists in the current domain. Check the host parameter clientconfig.depot.user for this. Let’s assume that the domain is backstage, then the value has to be backstage\pcpatch. If it is memberserver\pcpatch then it has to be changed.

Setting the password for the user pcpatch through opsi-admin fails because of the missing AD write access of a 'member' server. To change the password you have to do so additionally on a server with write access - a 'master', 'backup' or 'slave'.

If the PXE-Boot should be used for OS installations the DHCP-service on the relevant UCS-System has to be reconfigured. There are two characteristics which differentiate UCS from other supported distributions.

To implement these settings, a policy must be created in the UCS system. This policy interacts with the existing policies, and has to be implemented appropriately. If opsi was installed on an UCS test system without existing policies, check if the DHCP-service is installed. If the DHCP-service is already installed the easiest way to create the policy is in the UMC-webinterface (Univention Management Console) of the UCS-server. To do this choose the category "Domain" and underneath the module DHCP-server. Next you have to choose the service (in a testing system you will usually find only one entry). In the following view choose the menuitem policies. The policy we need is a DHCP-Boot policy. In the policy configuration choose cn=default-settings as default entry (there should be only one entry) and choose 'edit'. Under basic settings - DHCP-boot enter for the bootserver option the IP address of the opsi-server and enter for the boot-filename option pxelinux.0.

Optionally, these settings can be done at the console with the udm command. You can find more information about this in the UCS-documentation.

In an opsi4ucs installation Windows clients have to be created in the UDM first and then they have to be created in opsi-configed. Changes to the client in UDM will not be passed on to opsi. For example if a client’s MAC address changes in LDAP and in opsi a netboot-product is set to setup, the boot configuration would be provided with an incorrect MAC address.

The solution for this is the extension 'opsi-directory-connector'. Please consult the manual for more information.