Network Configuration

The opsi server is compatible with both IPv4 and IPv6 protocols.

The server typically operates with a dual-stack configuration, meaning it uses IPv4 and IPv6 addresses/routes simultaneously within the network. This dual capability facilitates communication between devices and services that support both IPv4 and IPv6.

Used Protocols and Ports

The opsi server requires internet access through HTTP and HTTPS, particularly for accessing package repositories of the underlying Linux distribution (such as https://download.opensuse.org/) and the opsi packages (https://opsipackages.43.opsi.org/), as well as for accessing Grafana addons and similar services.

If you are using a proxy server, please refer to the section Proxy Configuration for more information.

The opsi server and its services also rely on the following network protocols and ports:

  • 53/tcp+udp: For DNS queries.

  • 4447/tcp: Used for accessing the opsi config server and the opsi package sources of the depot server.

  • 445/tcp or 22/tcp: Different protocols and ports for deploying the opsi-deploy-client-agent, depending on the client’s operating system. Windows clients need access via the CIFS protocol (445/tcp), while Linux and macOS clients require SSH access (22/tcp).

  • 4441/tcp: Depending on the HostControl configuration (refer to section The hostcontrol.conf File), the opsi server communicates with the client agent over 4441/tcp.

  • 4447/tcp: This is the standard port for the central opsi service opsiconfd (see chapter opsiconfd Service). All clients, depot servers, and admin devices need access to this port.

  • 445/tcp: For accessing the opsi depot server via Samba/CIFS (refer to chapter Samba). This is not required if the depot server is accessed via WebDAV.

For Netboot services using TFTP, access to additional ports is necessary (see chapter TFTP Server). Additionally, to enable SSH access to the opsi server, incoming connections on 22/tcp must be permitted.

Proxy Configuration

If you need to access through an HTTP proxy, it’s recommended to set the proxy settings at a system-wide level using environment variables. These should be entered into the /etc/environment file.

Keep in mind that the names of these environment variables consist only of lowercase letters.
  • http_proxy: Configures the proxy for HTTP connections. It requires the full URL, including if authentication is needed:
    http_proxy=http://<user>:<password>@<proxy-address>:<port>

  • https_proxy: Similar to http_proxy but for HTTPS connections:
    https_proxy=https://<proxy-address>:<port>

  • no_proxy: Lists addresses that should bypass the proxy. Use commas to separate multiple addresses:
    no_proxy=127.0.0.1,localhost,mydomain.example,hostname.domain.com:8080
    Remember these rules for addresses:

    • Only use lowercase letters.

    • Include IP addresses only for direct access via IPs, as no name resolution occurs for exceptions.

    • CIDR notation for IP address ranges (like 192.168.0.0/24) is not supported.

    • Always include exceptions for localhost and 127.0.0.1.

    • Wildcards and regular expressions are not supported.

    • Treat each name as a suffix, so domain.com applies to all hostnames ending in domain.com.

    • Optionally, add a specific port after a colon for each address to confine the exception to that port.

Here’s an example for setting up the /etc/environment file:

http_proxy=http://10.1.1.1:8080
https_proxy=https://10.1.1.1:8080
no_proxy=127.0.0.1,localhost,company.tld

To apply the changes to the currently running shell, execute the following commands:

set -a; source /etc/environment; set +a
For Suse distributions, the NO_PROXY parameter in the /etc/sysconfig/proxy file needs to be adjusted. Set NO_PROXY=127.0.0.1,localhost,company.tld as appropriate.

If the access to opsiconfd is channeled through a proxy, the service requests will appear to originate from the IP address of the proxy. As a result, all functionalities that rely on the client’s IP address, such as networks, admin-networks, update-ip, or max-session-per-ip, might not operate correctly. To address this, you can define trusted proxy addresses using the trusted-proxies parameter. When a connection comes from a trusted proxy, the server will look at the X-Forwarded-For header to ascertain the real IP address of the client.

Example:

admin-networks=[192.168.10.0/24]
trusted-proxies=[192.178.16.27]