====== CentOS release 6.3 ====== These are my personal notes for installing OPSI on a CentOS 6.3 server, and may be of help to others.\\ Of course I also used the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]].\\ For installing the CentOS-6.3-x86_64-bin-DVD1.iso was used, because LiveCD iso's do not include minimal install options. It might still be possible, to do a minimal install with a LiveCD, but I was too lazy to find out. So this is about a minimal install, without any additional packages. ===== Preparation ===== In the DHCP server on the network we use the mac address of the OPSI server to set a static lease. We also set extra options for the DHCP server, which should reflect your own network setup: //dhcp-boot=linux/pxelinux.0,opsi.anarchy.lan,10.0.0.97//\\ With a different DHCP server you will have to look for the correct commands.\\ The static lease looks a bit like this (with DD-WRT):\\ {{http://www.gcecad-service.nl/images/opsi1.JPG}}\\ I use [[http://www.spacewalkproject.org/|Spacewalk]] to manage my CentOS servers, so installation of packages and updates is done via Spacewalk. That is why the yum commands may be incorrect, I did not use them myself, and am making them up. In the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]] is mentioned how to add the OPSI repository.\\ After installing CentOS we turn on the network by editing: /etc/sysconfig/network-scripts/ifcfg-eth0\\ //ONBOOT="no"// should become //ONBOOT="yes"//\\ After saving this file, we restart the network with this command: ///etc/init.d/network restart//\\ Now the CentOS server gets the IP address which was set in the DHCP server. This saves a lot of trouble, no messing with resolv.conf and //hostname -f// returns the correct hostname. ===== First part of installation ===== We first install xinetd and samba, then we start their services and make sure they start again when rebooting the server:\\ yum install xinetd samba /etc/init.d/smb start /etc/init.d/nmb start /etc/init.d/xinetd start chkconfig smb on chkconfig nmb on chkconfig xinetd on As you can see, mysql is not installed, but I do not have a license for the mysql-module, so we are going to use the file backend and do not need mysql. It might also be easier to configure if you do not have much experience.\\ Now we install the OPSI packages:\\ yum install p7zip p7zip-plugins cabextract yum install opsi-depotserver opsi-configed This is shamelessly copied from the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]]:\\ /etc/init.d/opsiconfd restart /etc/init.d/opsipxeconfd restart opsi-setup --auto-configure-samba chkconfig opsiconfd on chkconfig opsipxeconfd on /etc/init.d/smb restart /etc/init.d/nmb restart ===== Iptables configuration ===== To make OPSI work correctly we have to open some ports on the firewall. I can never remember the iptables commands, and with Spacewalk I deployed the following to: /etc/sysconfig/network/iptables: //(In my case, after clean installation of Centos 6.3 the path of the file is not the same. On my machine the file is located at: /etc/sysconf/iptables)//\\ # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 4441 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 4447 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT We then restart iptables: ///etc/init.d/iptables restart//\\ TCP port 22 is used by SSH. UDP port 69 is used by the TFTP server.\\ UDP ports 137, 137 and TCP ports 139 and 445 are used by Samba.\\ TCP ports 4441 and 4447 are of course used by OPSI.\\ ===== OPSI configuration ===== Now we are going to edit the opsi configuration files:\\ This is /etc/opsi/backendManager/dispatch.conf:\\ backend_.* : file, opsipxeconfd host_.* : file, opsipxeconfd productOnClient_.* : file, opsipxeconfd configState_.* : file, opsipxeconfd .* : file /etc/opsi/opsiconfd.conf has only been edited minimally. I think I only edited 'update ip'. Comments removed for readability:\\ [global] backend config dir = /etc/opsi/backends dispatch config file = /etc/opsi/backendManager/dispatch.conf extension config dir = /etc/opsi/backendManager/extend.d acl file = /etc/opsi/backendManager/acl.conf admin networks = 0.0.0.0/0 message bus = no multiprocessing = no pid file = /var/run/opsiconfd/opsiconfd.pid log file = /var/log/opsi/opsiconfd/%m.log symlink logs = yes log level = 5 log format = [%l] [%D] %M (%F|%N) max execution statistics = 250 monitoring user = monitoring [service] interface = 0.0.0.0 http port = 0 https port = 4447 ssl server cert = /etc/opsi/opsiconfd.pem ssl server key = /etc/opsi/opsiconfd.pem [session] session name = OPSISID verify ip = no update ip = yes max inactive interval = 120 max authentication failures = 5 [directories] / = /usr/share/opsiconfd/static (noauth) configed = /usr/lib/configed (noauth) The same is valid for /etc/opsi/backends/hostcontrol.conf but this file is entirely standard:\\ # -*- coding: utf-8 -*- module = 'HostControl' config = { "opsiclientdPort": 4441, "hostRpcTimeout": 15, "resolveHostAddress": False, "maxConnections": 50, "broadcastAddresses": ["255.255.255.255"] ===== Second part of installation ===== Now we fire off the next part of commands:\\ opsi-setup --init-current-config opsi-setup --set-rights /etc/init.d/opsiconfd restart /etc/init.d/opsipxeconfd restart To set the password of the pcpatch user, we use this command:\\ opsi-admin -d task setPcpatchPassword Then we create the adminuser, set the linux password and the samba password:\\ useradd -m -s /bin/bash adminuser passwd adminuser smbpasswd -a adminuser We also add the adminuser to the opsiadmin and pcpatch group - at least if I am not mistaken:\\ usermod -aG opsiadmin adminuser usermod -aG pcpatch adminuser You can check your work with these commands:\\ cat /etc/passwd cat /etc/group Ok, now we are finally getting to the good stuff, letting OPSI install the rest of the packages:\\ opsi-product-updater -i -vv This is going to take some time if you do not have a fast internet connection. In the meantime you could check out the [[http://forum.opsi.org/|OPSI Forum]].\\ ===== Troubleshooting Samba and TFTP ===== I opened https://opsi.anarchy.lan:4447/configed in my browser, but somehow the Java runtime on my client did not work correctly. After updating I could finally use the OPSI webinterface.\\ My Samba share was not working, so I tried this: opsi-setup --auto-configure-samba opsi-setup --set-rights /etc/init.d/opsiconfd restart /etc/init.d/opsipxeconfd restart /etc/init.d/smb restart /etc/init.d/nmb restart That did not help, and to make a long story short: SELinux was blocking access.\\ yum install setroubleshoot-server At least now SELinux alerts show up in /var/log/messages.\\ To enable exporting of samba shares we use this command:\\ setsebool -P samba_export_all_rw on Now we can use the samba shares! Doesn't that feel good, making SELinux work instead of just disabling it?\\ Well, this also happened a lot with the TFTP server, when serving netboot products. :-(\\ After a SELinux alert I used these commands:\\ cd /root cat /var/log/audit/audit.log | audit2allow -l -v -m local > opsi-tftp.te checkmodule -M -m -o opsi-tftp.mod opsi-tftp.te semodule_package -o opsi-tftp.pp -m opsi-tftp.mod semodule -v -i opsi-tftp.pp Well, each time you recieve a SELinux alert you have to use these commands. And of course, to make it easier, you overwrite your last opsi-tftp.te, so you have to make a backup and merge the differences. A lot of Whisky later I ended up with this opsi-tftp.te file:\\ module opsi-tftp 1.0; require { type smbd_t; type var_lib_t; class file getattr; type tftpd_t; type usr_t; type tftpdir_t; class fifo_file { read getattr open }; class file { read getattr open }; class lnk_file { read getattr }; class capability { dac_read_search dac_override }; } #============= tftpd_t ============== allow tftpd_t self:capability { dac_read_search dac_override }; allow tftpd_t tftpdir_t:fifo_file { read getattr open }; allow tftpd_t usr_t:file { read getattr open }; If you copy this to your OPSI server, you would only have to use the above commands from 'checkmodule'.\\ The setsebool command to fix the samba shares was whining about userIds or something. So I changed the UID of the opsiconfd and pcpatch account. Most distributions have no problems with system accounts with an UID below 1000, but with CentOS this is still limited to 500. This is not really necessary, but I'm trying to fix any strange messages I recieve. This thing is supposed to go into production.\\ usermod -u 450 opsiconfd usermod -u 451 pcpatch groupmod -g 450 pcpatch groupmod -g 451 opsiadmin ===== Troubleshooting OPSI ===== When OPSI is having problems you could read the logfiles, but before you do, use these commands:\\ opsi-setup --init-current-config opsi-setup --auto-configure-samba opsi-setup --set-rights /etc/init.d/opsiconfd restart /etc/init.d/opsipxeconfd restart Most problems can be fixed this way. If this fails, then read the logfiles and try to find the problem.\\ When copying files from other systems, be sure to run //opsi-setup --set-rights//!\\ ===== Conclusion ===== If I have transcribed my notes correctly you now have a working OPSI server!\\ If not, it isn't my fault! ;-)\\ \\ I was talking with the nice people at uib.de, and it seems the mysql backend can be used for hardware and software audit purposes, without a license. When I find the time I will expand this entry to include the mysql configuration. ==== Change to mysql for inventory ==== That's right and we recommend to use the mysql-Database for inventory-functions. To change from file-backend to mysql for the inventory data, you must at first install the mysql-server. If you don't have done before, you can use the following commands: yum install mysql-server /etc/init.d/mysqld start mysql_secure_installation chkconfig mysqld on No you can run opsi-setup to configure your mysql-database (create a opsi database, create opsi user, set privileges and patch backend-configuration file from opsi.) For the next step you need the root password, that you have set with the command: mysql_secure_installation: opsi-setup --configure-mysql Now you must configure the opsi-Dispatcher to use mysql for Hard- and Software Inventory (You should set the licensemanagement to mysql-server too. If you don't use opsi-licensemanagement, this entries doing nothing. For this modification edit the file: /etc/opsi/backendManager/dispatch.conf The important entries are the following: backend_.* : file, **mysql**, opsipxeconfd\\ ...\\ license.* : **mysql**\\ softwareLicense.* : **mysql**\\ audit.* : **mysql**\\ ...\\ After a new init-current-config and a webservice-restart your Inventory-data should be written in mysql: opsi-setup --init-current-config /etc/init.d/opsiconfd restart /etc/init.d/opsipxeconfd restart **Finally your right, to use mysql for the Inventorydata, you don't need a valid license.**