Important files on the opsi server

Common configuration files in /etc

/etc/hosts

The IP number and IP name of the clients can be entered here (additional names are aliases, and comments start with the "#" character).

Opsi needs the 'fully qualified hostname' (i.e. including the domain) and this can come from /etc/hosts as well from the 'DNS'.

Example:

192.168.2.106  dplaptop.uib.local  dplaptop  # this opsi-server
192.168.2.153  schleppi.uib.local
192.168.2.178  test_pc1.uib.local # Test-PC PXE-bootprom

The output of:

getent hosts $(hostname -f)

should be similar to:

192.168.1.1 server.domain.tld server

If the result does not look like this (e.g. contains '127.0.0.1' or 'localhost'), you must first correct your /etc/hosts or name resolution.

/etc/group

Two groups must exist here: 'pcpatch' and 'opsiadmin'. All users who are dealing with package management should be member of the group 'pcpatch'. All users who want to use the opsiconfd web service, e.g. via opsi-configed, must be in the 'opsiadmin' group.

/etc/opsi/backends/

Configuration files for the used backends.

/etc/opsi/backendManager/

acl.conf
Configuration of the access rights to the opsi methods. This allows access rights for the basic methods of the web service to be restricted to certain users and certain attributes.
dispatch.conf
Configuration of which of the backends configured under /etc/opsi/backends/ should be used for what.
extend.d/
Directory for backend extensions. So here are for example the scripts that map the opsi 3 methods to the opsi 4 methods.

/etc/opsi/hwaudit/*

Since opsi version 3.2

Here you will find the configuration files for the hardware inventory.

Translations are located in the locales directory.

The mapping between WMI classes (for Windows) or shell programs (for Linux) and the opsi data storage is configured in the file opsihwaudit.conf.

/etc/opsi/opsi.conf

Since opsi version 4.0.2-2

General opsi settings.

Example:

[groups]
fileadmingroup = pcpatch

Background: The classic installation variant with the user: pcpatch with the primary group: pcpatch does not work with Samba 4. Since Samba 4 is subject to the basic restrictions of Active Directory, groups with the same name as users (as is usual in Unix/Linux) are no longer allowed. For this reason, a new configuration file has been introduced: /etc/opsi/opsi.conf, which controls how the group is determined for Samba access to the shares. In the case of Samba 4 installations, the group name pcpatch is now renamed via this file and is now called opsifileadmins. This means that the users which must have access rights to the shares of opsi (opsi-packagers) under Samba 4 cannot become a member of the pcpatch group, but must be a member of the opsifileadmins group.

/etc/opsi/modules

Since opsi version 3.4

This file is signed by uib gmbh for the activation of non-free features. If this file is changed, it loses its validity. Without this file, only the free features are available.

Directory /etc/opsi/modules.d/

Since opsi version 4.1

Directory reserved for future usage.

Directory /etc/opsi/modules.d/

Since opsi 4.1.

Directory for future use.

/etc/opsi/opsiconfd.conf

Since opsi version 3.0

Configuration file for the opsiconfd service in which settings such as ports, interfaces and logging are specified.

/etc/opsi/opsiconfd.pem

Since opsi version 3.0

Configuration file for the opsiconfd service in which the ssl certificate is stored.

/etc/opsi/opsipxeconfd.conf

Configuration file for the opsipxeconfd service, which is responsible for writing the startup files for the Linux bootimage. Directories, defaults and log levels can be configured here.

/etc/opsi/opsi-package-updater.conf

Configuration file for the opsi-package-updater. See also Tool: opsi-package-updater

Boot files

Boot files in /tftpboot/linux

pxelinux.0
Boot file that is loaded in the first step by the PXE boot.
install and miniroot.gz
Installation bootimage, which is transferred via tftp to the client during reinstallation.

Boot files in /tftpboot/linux/pxelinux.cfg

01-<mac adress> or <IP-address-in-hex>
Files with the hardware address of the client and the prefix 01- can be found on the 'opsi-server' as client-specific boot files. Usually they are created via 'opsipxeconfd' as named pipes and should initiate a reinstallation of the client.
default
The file default is loaded if there are no client-specific files. If this file is loaded, the client then continues to a local boot.
install
Information for the boot of the installation bootimage, which is written from 'opsipxeconfd' into the named pipe.

Files in /var/lib/opsi

/var/lib/opsi/depot

This directory is exported (read-only) as the Samba share 'opsi_depot'. In old opsi installations this directory was /opt/pcbin/install. If this directory still exists, a symlink references it to /var/lib/opsi/depot.

/var/lib/opsi/ntfs-images

This is the default directory where the partition images are stored, that are used with the netboot product 'opsi-clonezilla'.

/var/lib/opsi/repository

This is the place where 'Produkt-Pakete' are saved, which are loaded by the calls of the opsi-package-updater to the server.

This is also the place where 'Produkt-Pakete' are saved, which are installed by the calls of the opsi-package-manager if it is called with the option -d.

/var/lib/opsi/workbench

This is the location used to create your own packages.

Other directories

The remaining directories in /var/lib/opsi (config and audit) are directories of the 'file-Backend', which is described in the following chapter.

Files of the file backend

/etc/opsi/pckeys

The client-specific 'opsi-host-Schlüssels' and also the server key are stored here.

Example:

schleppi.uib.local:fdc2493ace4b372fd39dbba3fcd62182
laptop.uib.local:c397c280fc2d3db81d39b4a4329b5f65
pcbon13.uib.local:61149ef590469f765a1be6cfbacbf491

/etc/opsi/passwd

The passwords encrypted with the server key (e.g. for pcpatch) are stored here.

Overview of /var/lib/opsi

The files of the file backend of opsi 4 can by default be found in /var/lib/opsi/config/. The following diagram gives an overview of the directory structure:

/var/lib/opsi-|
              |-depot				opsi_depot share
              |-repository			opsi package repository used by opsi-package-updater and opsi-package-manager
              |-audit				inventory files
              !-config/-|				config share
                        |-clientgroups.ini	client groups
                        |-config.ini		Host Parameters (Global Defaults)
                        |-clients/   		<pcname.ini> files
                        |-products/		product control files
                        !-depots		depot description files

	+audit/
		global.<Type> (generic hard-, and software information)
		<FQDN>.<Type> (host specific hard-, and software information)

	clientgroups.ini (contains the hostgroups)

	+clients/
		<FQDN>.ini (client configuration information)
	config.ini (contains the host specific host parameters)

	+depots/
		<FQDN>.ini (Information of the depots)

	+products/
		<ID>_<ProdVer>-<PackVer>.<Type> (Information about the products)

	+templates/
		pcproto.ini (template for new clients)
		<FQDN>.ini (template for specific new clients)

Editing these files is strongly discouraged!

Configuration files in detail

The following chapters explain the structure of the different configuration files of the file backend.

./clientgroups.ini

This file contains information about the client groups.

[<GroupId>]
<HostId> = 1 #active
<HostId> = 0 #non-active

./config.ini

Here you will find the default values of the server configuration as shown in 'opsi-configed' in the 'host parameters' tab.

./clients/<FQDN>.ini

The client-specific configurations are stored in this file. The information is combined with the values from <depot-id>.ini, whereby the settings from <FQDN>.ini take precedence.

These files are structured as follows:

The 'info' section contains all information directly related to the client, for example the description:

[info]
description = <String>
created = <Date> #format: 'YYYY-MM-DD HH:MM:SS'
lastseen = <Date> #format: 'YYYY-MM-DD HH:MM:SS'
inventorynumber = <String>
notes = <String>
hardwareaddress = <MAC> #format: 'hh:hh:hh:hh:hh:hh'
ipaddress = <IP> #format: 'nnn.nnn.nnn.nnn'
onetimepassword = <String>

The following section stores the current status of the products on the client. If there are no entries, 'not_installed: none' is assumed.

[<Type>_product_states] #'LocalbootProduct', or 'NetbootProduct'
<ProductId> = <InstallationStatus>:<ActionRequest>

More detailed information can be found in the sections belonging to the respective products:

[<ProductId>-state]
producttype = <Type> #'LocalbootProduct', or 'NetbootProduct'
actionprogress = <String>
productversion = <ProdVer>
packageversion = <PackVer>
modificationtime = <Date> #format: 'YYYY-MM-DD HH:MM:SS'
lastaction = <ActionRequest>
actionresult = <ActionResult>
targetconfiguration = <InstallationStatus>

/var/lib/opsi/config/templates

This is the location of the file pcproto.ini, which is the standard template for creating new client ini-files and has the same structure. If specific clients should be given different information, you can save a <FQDN>.ini in this directory.

/var/lib/opsi/config/depots/

Here you will find the files of the 'opsi-depotserver', which are also saved with <depot-id>.ini. Among other things, the connection to the depot is stored here.

[depotshare]
remoteurl = smb://<NetBiosName>/<Path>
localurl = file://<Path>

[depotserver]
notes = <String>
network = <IP>
description = <String>
hardwareaddress = <MAC>
ipaddress = <IP>
inventorynumber = <String>

[repository]
remoteurl = webdavs://<FQDN>:<Port>/<Path>
localurl = file://<Path>
maxbandwidth = <Integer> #in Bytes

Here you will also find information on which opsi products, in which version, and with which property defaults are installed on the depot.

Product control files in /var/lib/opsi/config/products/

The product control files contain the metadata of the products, e.g. name, properties and their default values, dependencies …

The control files correspond to the control files that are created when creating opsi products in the directory <product name>/OPSI/control.

The control files consist of the following sections:

Section [Package]
Description of the package version and packages required for the installation of the package on an opsi-depotserver.
Section [Product]
Description of the product.
Section(s) [ProductProperty]
(optional)
Description of editable product properties.
Section(s) [ProductDependency]
(optional)
Description of product dependencies.

Example:

[Package]
version: 1
depends:

[Product]
type: localboot
id: thunderbird
name: Mozilla Thunderbird
description: Mail client by Mozilla.org
advice:
version: 2.0.0.4
priority: 0
licenseRequired: False
productClasses: Mailclient
setupScript: thunderbird.ins
uninstallScript:
updateScript:
alwaysScript:
onceScript:

[ProductProperty]
name: enigmail
description: Install encryption plug-in for GnuPG
values: on, off
default: off

[ProductDependency]
action: setup
requiredProduct: mshotfix
requiredStatus: installed
requirementType: before

[Package]-'Version'
is for different package versions from the same product version. This helps to, for instance, distinguish packages with the same product version but with a different 'opsi-script' script.
[Package]-'depends'
Specifies a package required for installation on an opsi-depotserver. Specific versions can be configured by specifying the version in parenthesis after the package name. One of the following operators must precede the version within the parenthesis: =, <, ⇐, >, >=.
[Package]-'Incremental'
This is an obsolete, setting that has no effect, which has not been set in new packages since opsi 4.1. You can remove this entry.
[Product]-'type'
Specifies the product type as localboot or netboot.
[Product]-'Id'
Is a unique identifier for the product, independent of the version.
[Product]-'name'
Is the full name of the product.
[Product]-'Description'
Is an additional description of the product, which is for example shown in 'opsi-configed' under 'Description'.
[Product]-'Advice'
is an additional description, for the handling of the product (usually), which is shown in 'opsi-configed' under 'Note'.
[Product]-'version'
Is the version of the packaged software.
[Product]-'Priority'
Influences the installation sequence, in combination with the product dependencies.
[Product]-'productClasses'
Is not currently used (nor is it displayed).
[ProductProperty]-'type'
Type of the property: (unicode/boolean)
[ProductProperty]-'name':
Name of the property.
[ProductProperty]- 'multivalue'
Can this property contain a list of values. (True/False)
[ProductProperty]- 'editable'
Can this property be freely edited (or can only a value from a predefined list be selected). (True / False)
[ProductProperty]-'description':
Description of the property (tooltip in 'opsi-configed').
[ProductProperty]-'values' :
List of possible, allowed values. If empty, the value is freely editable.
[ProductProperty]-'default' :
Default value of the property.
[ProductDependency]-'Action' :
For which action of the product you are currently creating, should the dependency apply (setup, uninstall …).
[ProductDependency]-'Requiredproduct':
Product-id (identifier) of the product to which a dependency exists.
[ProductDependency]-'Required action':
You can either request an action or (see below) a status. Actions could be: setup, uninstall, update …
[ProductDependency]-'Required installation status':
The required status of the product, which the dependency entry refers to. Typically this is 'installed', which results in setting this dependency product to setup, if it is not installed on the client yet.
[ProductDependency]-'Requirement type':
Installation order. If the product to which a dependency exists must be installed before the current product can be installed, then this is set to 'before'. If it has to be installed after the current product, this is set to 'after'. If the order is irrelevant, nothing has to be entered here.

Inventory data /var/lib/opsi/audit

This is the location of the inventory data for hardware (*.hw) and software (*.sw).

opsi programs and libraries

Programs in /usr/bin

opsipxeconfd
Opsi daemon, which manages the files in the tftp area of the server that are necessary for the PXE boot of the clients.
opsi-admin
Command line interface to the opsi python library.
opsiconfd
Opsi daemon that provides the opsi methods as a webservice and much more.
opsiconfd-guard
Opsi daemon that monitors whether the 'opsiconfd' is running and restarts it if necessary.
opsi-configed
Command to start the opsi management interface.
opsi-convert
Script for converting between different backends.
opsi-makepackage
Script for packing the opsi-package (opsi-product)
opsi-newprod
Script for creating a new product.
opsi-package-manager
Script to install and uninstall opsi packages on an opsi server.
opsi-setup
Program for various basic settings.

opsi log files

The opsi log files have the following format:

[Loglevel] Timestamp Message
The log levels are:
0 = nothing      (absolute nothing)
1 = essential    ("we always need to know")
2 = critical     (unexpected errors that may cause a program abort)
3 = error        (Errors that will not abort the running program)
4 = warning      (you should have a look at this)
5 = notice       (Important statements to the program flow)
6 = info         (Additional Infos)
7 = debug        (important debug messages)
8 = debug2       (a lot more debug information and data)
9 = confidential (passwords and other security relevant data)

/var/log/opsi/bootimage

Here you can find the log files of the bootimage from the clients. These files are created as <fqdn>.log.

If the bootimage can not connect to the web service, the log file can be found on the client under /tmp/log. In such a case, there are two ways to get the log file from the client:

You have a network connection to the client
Then you can use SCP to get the file from /tmp/log. For Windows you can use for example WinSCP.
You have no network connection to the client
Then a USB stick can help:
- Log in as root with password 'linux123'
- Insert the USB stick and wait a few seconds
- Check with sfdisk -l which device the stick is
- mount
- copy
- unmount

An example session:

#sfdisk -l
Disk /dev/sda: 30401 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sda1   *      0+  30401-  30402- 244197528+   7  HPFS/NTFS
/dev/sda2          0       -       0          0    0  Empty
/dev/sda3          0       -       0          0    0  Empty
/dev/sda4          0       -       0          0    0  Empty

Disk /dev/sdb: 1017 cylinders, 33 heads, 61 sectors/track
Units = cylinders of 1030656 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdb1          0+   1016    1017-   1023580    b  W95 FAT32
/dev/sdb2          0       -       0          0    0  Empty
/dev/sdb3          0       -       0          0    0  Empty
/dev/sdb4          0       -       0          0    0  Empty
# mount /dev/sdb1 /mnt
# cp /tmp/log /mnt
#umount /mnt

/var/log/opsi/clientconnect

This is the location of the log files of the 'opsi-client-agent' running on the clients.
This is C:\opsi.org\log\opsiclientd.log on the client.

/var/log/opsi/instlog

This is the location of log files of the 'opsi-script' scripts executed on the clients.
The originals are on the client at C:\opsi.org\log\opsiscript.log

/var/log/opsi/opsiconfd

This is the location of log files of 'opsiconfd' itself as well as log files of the clients.
The files are created as <IP address>.log and if configured in /etc/opsi/opsiconfd.conf, symbolic links for these are created as <fqdn>.log.

/var/log/opsi/opsipxeconfd.log

Log file the 'opsipxeconfd'
which manages the files in the tftp area of the server that are necessary for the PXE boot of the clients.

/var/log/opsi/package.log

Log file of opsi-package-manager.

/var/log/opsi/opsi-package-updater.log

Log file of opsi-package-updater.

tftp log in /var/log/syslog

The log entries of tftpd can be found in /var/log/syslog.

c:\opsi.org\log\opsi_loginblocker.log

Log file of 'opsi-Loginblocker'

c:\opsi.org\log\opsiclientd.log

Log file of 'opsiclientd'.
This file is copied to the server at /var/log/opsi/clientconnect/<fqdn>.log when finished.

c:\opsi.org\log\opsi-script.log

Log file of 'opsi-script'.
This file is copied to the server at /var/log/opsi/instlog/<fqdn.log> when finished.