Installation on Debian/Ubuntu

This chapter describes the package-based installation of an opsi server on Debian and Ubuntu systems.

Proxy Settings

For the installation process, it’s important to ensure that you have Internet access via HTTP/HTTPS.

If you need to access through an HTTP proxy, it’s recommended to set the proxy settings at a system-wide level using environment variables. These should be entered into the /etc/environment file.

Keep in mind that the names of these environment variables consist only of lowercase letters.
  • http_proxy: Configures the proxy for HTTP connections. It requires the full URL, including if authentication is needed:
    http_proxy=http://<user>:<password>@<proxy-address>:<port>

  • https_proxy: Similar to http_proxy but for HTTPS connections:
    https_proxy=https://<proxy-address>:<port>

  • no_proxy: Lists addresses that should bypass the proxy. Use commas to separate multiple addresses:
    no_proxy=127.0.0.1,localhost,mydomain.example,hostname.domain.com:8080
    Remember these rules for addresses:

    • Only use lowercase letters.

    • Include IP addresses only for direct access via IPs, as no name resolution occurs for exceptions.

    • CIDR notation for IP address ranges (like 192.168.0.0/24) is not supported.

    • Always include exceptions for localhost and 127.0.0.1.

    • Wildcards and regular expressions are not supported.

    • Treat each name as a suffix, so domain.com applies to all hostnames ending in domain.com.

    • Optionally, add a specific port after a colon for each address to confine the exception to that port.

Here’s an example for setting up the /etc/environment file:

http_proxy=http://10.1.1.1:8080
https_proxy=https://10.1.1.1:8080
no_proxy=127.0.0.1,localhost,company.tld

To apply the changes to the currently running shell, execute the following commands:

set -a; source /etc/environment; set +a
For Suse distributions, the NO_PROXY parameter in the /etc/sysconfig/proxy file needs to be adjusted. Set NO_PROXY=127.0.0.1,localhost,company.tld as appropriate.

If the access to opsiconfd is channeled through a proxy, the service requests will appear to originate from the IP address of the proxy. As a result, all functionalities that rely on the client’s IP address, such as networks, admin-networks, update-ip, or max-session-per-ip, might not operate correctly. To address this, you can define trusted proxy addresses using the trusted-proxies parameter. When a connection comes from a trusted proxy, the server will look at the X-Forwarded-For header to ascertain the real IP address of the client.

Example:

admin-networks=[192.168.10.0/24]
trusted-proxies=[192.178.16.27]

Configuring Repositories

First, install the following packages:

sudo apt --yes install host apt-transport-https software-properties-common curl gpg

Make sure that the directory /usr/local/share/keyrings exists:

sudo mkdir -p /usr/local/share/keyrings

Add the Grafana repository:

REPO_URL=https://apt.grafana.com
REPO_KEY=/usr/local/share/keyrings/grafana.gpg
curl -fsSL ${REPO_URL}/gpg.key | gpg --dearmor | sudo tee ${REPO_KEY} > /dev/null
sudo echo "deb [signed-by=${REPO_KEY}] ${REPO_URL} stable main" | sudo tee /etc/apt/sources.list.d/grafana.list

Add the opsi repository that matches your distribution:

Debian 12, Bookworm:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_12
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

Debian 11, Bullseye:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_11
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

Debian 10, Buster:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Debian_10
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

Ubuntu 24.04 LTS, Noble Numbat:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/xUbuntu_24.04
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

Ubuntu 22.04 LTS, Jammy Jellyfish:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/xUbuntu_22.04
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

Ubuntu 20.04 LTS, Focal Fossa:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/xUbuntu_20.04
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

To verify whether the GnuPG key import was successful, you can execute the following command:

gpg --show-keys /usr/local/share/keyrings/opsi-obs.gpg 2>/dev/null

In the output of the command you should see lines similar to the following:

pub   rsa2048 2017-09-30 [SC] [expires: 2025-11-19]
      2E98F7B5A5B2C8FE7F609705D1F933E6D8361F81
uid           home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>

Installing the Packages

Install the package opsi-server-full:

sudo apt update
sudo apt --yes install opsi-server-full
As an alternative to the opsi-server-full package, you can install either opsi-server or opsi-server-expert. These packages differ in their dependencies and are tailored for scenarios where you prefer to run MySQL, Redis, or Grafana on separate servers. While opsi-server and opsi-server-expert provide more flexibility, they are best suited for experienced Linux administrators.
Make sure that your firewall and SELinux configurations permit connections on ports 69/UDP (TFTP) and both 4447/TCP and 4441/TCP (opsi). Further information on SELinux can be found at SELinux.

The opsi server is now set up and ready for the next steps.