Installation on UCS

On Univention Corporate Server (UCS), there are two methods to install the opsi server:

Both approaches result in a fully functional opsi server, but they should not be used simultaneously on the same server. Consider which installation method is most suitable for your environment before proceeding. If you choose to install opsi through the Univention App Center, be aware that updates may take longer to become available. Additionally, upgrading to a new UCS version (like moving from 4.4 to 5.0) is contingent on the availability of all installed apps for the new version. If you opt for installation via the uib repositories, you’ll receive updates more promptly.

Installation via the App Center

In the Univention App Center catalog, you can find opsi for UCS version 5.0. During installation, the package manager will automatically add additional packages, including opsi-tftpd-hpa and univention-mariadb.

In a UCS environment, the first opsi server configures an existing MariaDB server to function as the backend. Any subsequent opsi config servers in the same environment are registered as opsi depot servers. If an opsi config server is already present in the UCS environment during installation, the opsi-package-updater tool will be configured to source its packages from this server.

Manual Installation

Before proceeding with the manual installation of the opsi server on Univention Corporate Server, ensure the following prerequisites are met.

Preparations

  • Ensure Samba is installed and configured. For UCS servers that are members of an AD domain, univention-samba should be installed. This package configures Samba as a member server without domain controller functionality. Alternatively, univention-samba4 sets up Samba as an AD domain controller.

  • MariaDB server installation and configuration are required. Install univention-mariadb for this purpose. Since UCS 4.3, univention-mysql has been a meta package that installs the MariaDB server.

  • If the UCS computer is also to be used as a DHCP server, configure the DHCP daemon before installing opsi and start the service.

Installation of the opsi server is feasible on servers with various UCS roles, including Primary Directory Node, Backup Directory Node, Replica Directory Node, and Managed Node.

If the opsi server is not being installed on a Primary Directory Node, but rather on a computer with a different UCS system role, it is crucial that the UCS server first joins the domain.

The configuration file /etc/opsi/opsi.conf specifies the group for Samba access to the shares; this group is named opsifileadmins. To grant access rights to the opsi shares (for users who create opsi packages), all relevant users must be members of the opsifileadmins group.

Configurng Repositories

Make sure that the directory /usr/local/share/keyrings exists:

sudo mkdir -p /usr/local/share/keyrings

Add the Grafana repository:

REPO_URL=https://apt.grafana.com
REPO_KEY=/usr/local/share/keyrings/grafana.gpg
curl -fsSL ${REPO_URL}/gpg.key | gpg --dearmor | sudo tee ${REPO_KEY} > /dev/null
sudo echo "deb [signed-by=${REPO_KEY}] ${REPO_URL} stable main" | sudo tee /etc/apt/sources.list.d/grafana.list

Add the opsi repository that matches your distribution:

Univention UCS 5.0:

REPO_URL=https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.3:/stable/Univention_5.0/
REPO_KEY=/usr/local/share/keyrings/opsi-obs.gpg
sudo echo "deb [signed-by=$REPO_KEY] $REPO_URL/ /" | sudo tee /etc/apt/sources.list.d/opsi.list
curl -fsSL $REPO_URL/Release.key | gpg --dearmor | sudo tee $REPO_KEY > /dev/null

To confirm the successful import of the GnuPG key, you can use the following command:

gpg --show-keys /usr/local/share/keyrings/opsi-obs.gpg 2>/dev/null

In the output, you should see lines similar to the following, among others:

pub   rsa2048 2017-09-30 [SC] [expires: 2025-11-19]
      2E98F7B5A5B2C8FE7F609705D1F933E6D8361F81
uid           home:uibmz:opsi OBS Project <home:uibmz:opsi@build.opensuse.org>

Installing the Packages

Install the package opsi-server-full:

sudo univention-install opsi-server-full

If the opsi server is to be installed on a UCS system with a role other than the Primary Directory Node, it’s necessary to execute the command univention-run-join-scripts as an additional step.

For users to access the opsi-configed management interface, they must be members of the opsiadmin group. During the installation process, the Administrator user is automatically added to this group. To add other accounts, use the User management module in UMC, specifically the Groups tab.

As an alternative to the opsi-server-full package, you can install either opsi-server or opsi-server-expert. These packages differ in their dependencies and are tailored for scenarios where you prefer to run MySQL, Redis, or Grafana on separate servers. While opsi-server and opsi-server-expert provide more flexibility, they are best suited for experienced Linux administrators.
Make sure that your firewall and SELinux configurations permit connections on ports 69/UDP (TFTP) and both 4447/TCP and 4441/TCP (opsi). Further information on SELinux can be found at SELinux.

The opsi server is now set up and ready for the next steps.