Installation on Debian/Ubuntu
This chapter describes the package-based installation of an opsi server on Debian and Ubuntu systems.
Proxy Settings
For the installation process, it’s important to ensure that you have Internet access via HTTP/HTTPS.
If you need to access through an HTTP proxy, it’s recommended to set the proxy settings at a system-wide level using environment variables. These should be entered into the /etc/environment file.
| Keep in mind that the names of these environment variables consist only of lowercase letters. |
-
http_proxy: Configures the proxy for HTTP connections. It requires the full URL, including if authentication is needed:
http_proxy=http://<user>:<password>@<proxy-address>:<port> -
https_proxy: Similar tohttp_proxybut for HTTPS connections:
https_proxy=https://<proxy-address>:<port> -
no_proxy: Lists addresses that should bypass the proxy. Use commas to separate multiple addresses:
no_proxy=127.0.0.1,localhost,mydomain.example,hostname.domain.com:8080
Remember these rules for addresses:-
Only use lowercase letters.
-
Include IP addresses only for direct access via IPs, as no name resolution occurs for exceptions.
-
CIDR notation for IP address ranges (like
192.168.0.0/24) is not supported. -
Always include exceptions for
localhostand127.0.0.1. -
Wildcards and regular expressions are not supported.
-
Treat each name as a suffix, so
domain.comapplies to all hostnames ending indomain.com. -
Optionally, add a specific port after a colon for each address to confine the exception to that port.
-
Here’s an example for setting up the /etc/environment file:
http_proxy=http://10.1.1.1:8080
https_proxy=https://10.1.1.1:8080
no_proxy=127.0.0.1,localhost,company.tldTo apply the changes to the currently running shell, execute the following commands:
set -a; source /etc/environment; set +a
For Suse distributions, the NO_PROXY parameter in the /etc/sysconfig/proxy file needs to be adjusted. Set NO_PROXY=127.0.0.1,localhost,company.tld as appropriate.
|
If the access to opsiconfd is channeled through a proxy, the service requests will appear to originate from the IP address of the proxy. As a result, all functionalities that rely on the client’s IP address, such as networks, admin-networks, update-ip, or max-session-per-ip, might not operate correctly. To address this, you can define trusted proxy addresses using the trusted-proxies parameter. When a connection comes from a trusted proxy, the server will look at the X-Forwarded-For header to ascertain the real IP address of the client.
Example:
admin-networks=[192.168.10.0/24]
trusted-proxies=[192.178.16.27]Configuring Repositories
First, install the following packages:
sudo apt --yes install host apt-transport-https software-properties-common curl gpgMake sure that the directory /usr/local/share/keyrings exists:
sudo mkdir -p /usr/local/share/keyringsAdd the Grafana repository:
REPO_URL=https://apt.grafana.com
REPO_KEY=/usr/local/share/keyrings/grafana.gpg
curl -fsSL ${REPO_URL}/gpg.key | gpg --dearmor | sudo tee ${REPO_KEY} > /dev/null
sudo echo "deb [signed-by=${REPO_KEY}] ${REPO_URL} stable main" | sudo tee /etc/apt/sources.list.d/grafana.listAdd the opsi repository that matches your distribution:
Debian 12, Bookworm:
REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_12
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/nullDebian 11, Bullseye:
REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_11
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/nullDebian 10, Buster:
REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_10
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/nullUbuntu 22.04 LTS, Jammy Jellyfish:
REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/xUbuntu_22.04
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/nullUbuntu 20.04 LTS, Focal Fossa:
REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/xUbuntu_20.04
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/nullTo verify whether the GnuPG key import was successful, you can execute the following command:
gpg --show-keys /usr/local/share/keyrings/opsi-obs.gpg 2>/dev/nullIn the output of the command you should see lines similar to the following:
pub rsa2048 2017-09-30 [SC] [expires: 2025-11-19]
2E98F7B5A5B2C8FE7F609705D1F933E6D8361F81
uid home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>Installing the Packages
Install the package opsi-server-full:
sudo apt update
sudo apt --yes install opsi-server-full
As an alternative to the opsi-server-full package, you can install either opsi-server or opsi-server-expert. These packages differ in their dependencies and are tailored for scenarios where you prefer to run MySQL, Redis, or Grafana on separate servers. While opsi-server and opsi-server-expert provide more flexibility, they are best suited for experienced Linux administrators.
|
| Make sure that your firewall and SELinux configurations permit connections on ports 69/UDP (TFTP) and both 4447/TCP and 4441/TCP (opsi). Further information on SELinux can be found at SELinux. |
The opsi server is now set up and ready for the next steps.