This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
userspace:centos_6.3 [2013/02/06 17:03] SisterOfMercy created |
userspace:centos_6.3 [2021/08/23 08:37] (current) |
||
---|---|---|---|
Line 3: | Line 3: | ||
These are my personal notes for installing OPSI on a CentOS 6.3 server, and may be of help to others.\\ | These are my personal notes for installing OPSI on a CentOS 6.3 server, and may be of help to others.\\ | ||
Of course I also used the [[http:// | Of course I also used the [[http:// | ||
- | For installing the CentOS-6.3-x86_64-bin-DVD1.iso was used, because LiveCD iso's do not include minimal install options. It might still be possible, to do a minimal install with a LiveCD, but I was unable | + | For installing the CentOS-6.3-x86_64-bin-DVD1.iso was used, because LiveCD iso's do not include minimal install options. It might still be possible, to do a minimal install with a LiveCD, but I was too lazy to find out. |
So this is about a minimal install, without any additional packages. | So this is about a minimal install, without any additional packages. | ||
+ | |||
+ | ===== Preparation ===== | ||
In the DHCP server on the network we use the mac address of the OPSI server to set a static lease. | In the DHCP server on the network we use the mac address of the OPSI server to set a static lease. | ||
Line 10: | Line 12: | ||
// | // | ||
With a different DHCP server you will have to look for the correct commands.\\ | With a different DHCP server you will have to look for the correct commands.\\ | ||
- | (insert | + | The static lease looks a bit like this (with DD-WRT): |
+ | {{http:// | ||
I use [[http:// | I use [[http:// | ||
- | After installing CentOS we turn on the network by editing: / | + | After installing CentOS we turn on the network by editing: / |
// | // | ||
- | After saving this file, we restart the network with this command: /// | + | After saving this file, we restart the network with this command: /// |
Now the CentOS server gets the IP address which was set in the DHCP server. This saves a lot of trouble, no messing with resolv.conf and //hostname -f// returns the correct hostname. | Now the CentOS server gets the IP address which was set in the DHCP server. This saves a lot of trouble, no messing with resolv.conf and //hostname -f// returns the correct hostname. | ||
+ | |||
+ | ===== First part of installation ===== | ||
We first install xinetd and samba, then we start their services and make sure they start again when rebooting the server:\\ | We first install xinetd and samba, then we start their services and make sure they start again when rebooting the server:\\ | ||
- | //yum install xinetd samba\\ | + | <code winst> |
- | / | + | yum install xinetd samba |
- | / | + | / |
- | / | + | / |
- | chkconfig smb on\\ | + | / |
- | chkconfig nmb on\\ | + | chkconfig smb on |
- | chkconfig xinetd on// | + | chkconfig nmb on |
+ | chkconfig xinetd on | ||
+ | </code> | ||
As you can see, mysql is not installed, but I do not have a license for the mysql-module, | As you can see, mysql is not installed, but I do not have a license for the mysql-module, | ||
- | //yum install p7zip p7zip-plugins cabextract// | + | Now we install the OPSI packages: |
+ | <code winst> | ||
+ | yum install p7zip p7zip-plugins cabextract | ||
+ | yum install opsi-depotserver opsi-configed | ||
+ | </ | ||
+ | |||
+ | This is shamelessly copied from the [[http:// | ||
+ | <code winst> | ||
+ | / | ||
+ | / | ||
+ | opsi-setup --auto-configure-samba | ||
+ | chkconfig opsiconfd on | ||
+ | chkconfig opsipxeconfd on | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | ===== Iptables configuration ===== | ||
+ | |||
+ | To make OPSI work correctly we have to open some ports on the firewall. I can never remember the iptables commands, and with Spacewalk I deployed the following to: / | ||
+ | |||
+ | //(In my case, after clean installation of Centos 6.3 the path of the file is not the same. On my machine the file is located at: / | ||
+ | <code winst> | ||
+ | # Firewall configuration written by system-config-firewall | ||
+ | # Manual customization of this file is not recommended. | ||
+ | *filter | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | -A INPUT -m state --state ESTABLISHED, | ||
+ | -A INPUT -p icmp -j ACCEPT | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 4441 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 4447 -j ACCEPT | ||
+ | -A INPUT -j REJECT --reject-with icmp-host-prohibited | ||
+ | -A FORWARD -j REJECT --reject-with icmp-host-prohibited | ||
+ | COMMIT | ||
+ | </ | ||
+ | We then restart iptables: /// | ||
+ | |||
+ | TCP port 22 is used by SSH. UDP port 69 is used by the TFTP server.\\ | ||
+ | UDP ports 137, 137 and TCP ports 139 and 445 are used by Samba.\\ | ||
+ | TCP ports 4441 and 4447 are of course used by OPSI.\\ | ||
+ | |||
+ | ===== OPSI configuration ===== | ||
+ | Now we are going to edit the opsi configuration files:\\ | ||
+ | This is / | ||
+ | <code winst> | ||
+ | backend_.* | ||
+ | host_.* | ||
+ | productOnClient_.* : file, opsipxeconfd | ||
+ | configState_.* | ||
+ | .* : file | ||
+ | </ | ||
+ | / | ||
+ | <code winst> | ||
+ | [global] | ||
+ | backend config dir = / | ||
+ | dispatch config file = / | ||
+ | extension config dir = / | ||
+ | acl file = / | ||
+ | admin networks = 0.0.0.0/0 | ||
+ | message bus = no | ||
+ | multiprocessing = no | ||
+ | pid file = / | ||
+ | log file = / | ||
+ | symlink logs = yes | ||
+ | log level = 5 | ||
+ | log format = [%l] [%D] %M (%F|%N) | ||
+ | max execution statistics = 250 | ||
+ | monitoring user = monitoring | ||
+ | |||
+ | [service] | ||
+ | interface = 0.0.0.0 | ||
+ | http port = 0 | ||
+ | https port = 4447 | ||
+ | ssl server cert = / | ||
+ | ssl server key = / | ||
+ | |||
+ | [session] | ||
+ | session name = OPSISID | ||
+ | verify ip = no | ||
+ | update ip = yes | ||
+ | max inactive interval = 120 | ||
+ | max authentication failures = 5 | ||
+ | |||
+ | [directories] | ||
+ | / = / | ||
+ | configed = / | ||
+ | </ | ||
+ | The same is valid for / | ||
+ | <code winst> | ||
+ | # -*- coding: utf-8 -*- | ||
+ | |||
+ | module = ' | ||
+ | config = { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | </ | ||
+ | |||
+ | ===== Second part of installation ===== | ||
+ | |||
+ | Now we fire off the next part of commands: | ||
+ | <code winst> | ||
+ | opsi-setup --init-current-config | ||
+ | opsi-setup --set-rights | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | To set the password of the pcpatch user, we use this command: | ||
+ | <code winst> | ||
+ | opsi-admin -d task setPcpatchPassword | ||
+ | </ | ||
+ | Then we create the adminuser, set the linux password and the samba password: | ||
+ | <code winst> | ||
+ | useradd -m -s /bin/bash adminuser | ||
+ | passwd adminuser | ||
+ | smbpasswd -a adminuser | ||
+ | </ | ||
+ | We also add the adminuser to the opsiadmin and pcpatch group - at least if I am not mistaken: | ||
+ | <code winst> | ||
+ | usermod -aG opsiadmin adminuser | ||
+ | usermod -aG pcpatch adminuser | ||
+ | </ | ||
+ | You can check your work with these commands: | ||
+ | <code winst> | ||
+ | cat / | ||
+ | cat / | ||
+ | </ | ||
+ | |||
+ | Ok, now we are finally getting to the good stuff, letting OPSI install the rest of the packages: | ||
+ | <code winst> | ||
+ | opsi-product-updater -i -vv | ||
+ | </ | ||
+ | This is going to take some time if you do not have a fast internet connection. In the meantime you could check out the [[http:// | ||
+ | |||
+ | ===== Troubleshooting Samba and TFTP ===== | ||
+ | |||
+ | I opened https:// | ||
+ | My Samba share was not working, so I tried this: | ||
+ | <code winst> | ||
+ | opsi-setup --auto-configure-samba | ||
+ | opsi-setup --set-rights | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | That did not help, and to make a long story short: SELinux was blocking access.\\ | ||
+ | <code winst> | ||
+ | yum install setroubleshoot-server | ||
+ | </ | ||
+ | At least now SELinux alerts show up in / | ||
+ | To enable exporting of samba shares we use this command: | ||
+ | <code winst> | ||
+ | setsebool -P samba_export_all_rw on | ||
+ | </ | ||
+ | Now we can use the samba shares! Doesn' | ||
+ | Well, this also happened a lot with the TFTP server, when serving netboot products. :-(\\ | ||
+ | After a SELinux alert I used these commands: | ||
+ | <code winst> | ||
+ | cd /root | ||
+ | cat / | ||
+ | checkmodule -M -m -o opsi-tftp.mod opsi-tftp.te | ||
+ | semodule_package -o opsi-tftp.pp -m opsi-tftp.mod | ||
+ | semodule -v -i opsi-tftp.pp | ||
+ | </ | ||
+ | Well, each time you recieve a SELinux alert you have to use these commands. And of course, to make it easier, you overwrite your last opsi-tftp.te, | ||
+ | <code winst> | ||
+ | module opsi-tftp 1.0; | ||
+ | |||
+ | require { | ||
+ | type smbd_t; | ||
+ | type var_lib_t; | ||
+ | class file getattr; | ||
+ | type tftpd_t; | ||
+ | type usr_t; | ||
+ | type tftpdir_t; | ||
+ | class fifo_file { read getattr open }; | ||
+ | class file { read getattr open }; | ||
+ | class lnk_file { read getattr }; | ||
+ | class capability { dac_read_search dac_override }; | ||
+ | } | ||
+ | |||
+ | # | ||
+ | allow tftpd_t self: | ||
+ | allow tftpd_t tftpdir_t: | ||
+ | allow tftpd_t usr_t:file { read getattr open }; | ||
+ | </ | ||
+ | If you copy this to your OPSI server, you would only have to use the above commands from ' | ||
+ | |||
+ | The setsebool command to fix the samba shares was whining about userIds or something. So I changed the UID of the opsiconfd and pcpatch account. Most distributions have no problems with system accounts with an UID below 1000, but with CentOS this is still limited to 500. This is not really necessary, but I'm trying to fix any strange messages I recieve. This thing is supposed to go into production.\\ | ||
+ | <code winst> | ||
+ | usermod -u 450 opsiconfd | ||
+ | usermod -u 451 pcpatch | ||
+ | groupmod -g 450 pcpatch | ||
+ | groupmod -g 451 opsiadmin | ||
+ | </ | ||
+ | |||
+ | ===== Troubleshooting OPSI ===== | ||
+ | |||
+ | When OPSI is having problems you could read the logfiles, but before you do, use these commands: | ||
+ | <code winst> | ||
+ | opsi-setup --init-current-config | ||
+ | opsi-setup --auto-configure-samba | ||
+ | opsi-setup --set-rights | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | Most problems can be fixed this way. If this fails, then read the logfiles and try to find the problem.\\ | ||
+ | When copying files from other systems, be sure to run // | ||
+ | |||
+ | ===== Conclusion ===== | ||
+ | |||
+ | If I have transcribed my notes correctly you now have a working OPSI server!\\ | ||
+ | If not, it isn't my fault! ;-)\\ | ||
+ | \\ | ||
+ | I was talking with the nice people at uib.de, and it seems the mysql backend can be used for hardware and software audit purposes, without a license. When I find the time I will expand this entry to include the mysql configuration. | ||
+ | |||
+ | ==== Change to mysql for inventory ==== | ||
+ | |||
+ | |||
+ | That's right and we recommend to use the mysql-Database for inventory-functions. To change from file-backend to mysql for the inventory data, you must at first install the mysql-server. If you don't have done before, you can use the following commands: | ||
+ | |||
+ | <code bash> | ||
+ | yum install mysql-server | ||
+ | / | ||
+ | mysql_secure_installation | ||
+ | chkconfig mysqld on | ||
+ | </ | ||
+ | |||
+ | No you can run opsi-setup to configure your mysql-database (create a opsi database, create opsi user, set privileges and patch backend-configuration file from opsi.) For the next step you need the root password, that you have set with the command: mysql_secure_installation: | ||
+ | |||
+ | <code bash> | ||
+ | opsi-setup --configure-mysql | ||
+ | </ | ||
+ | |||
+ | Now you must configure the opsi-Dispatcher to use mysql for Hard- and Software Inventory (You should set the licensemanagement to mysql-server too. If you don't use opsi-licensemanagement, | ||
+ | |||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | The important entries are the following: | ||
+ | |||
+ | |||
+ | backend_.* | ||
+ | ...\\ | ||
+ | license.* | ||
+ | softwareLicense.* | ||
+ | audit.* | ||
+ | ...\\ | ||
+ | |||
+ | After a new init-current-config and a webservice-restart your Inventory-data should be written in mysql: | ||
+ | |||
+ | <code bash> | ||
+ | opsi-setup --init-current-config | ||
+ | / | ||
+ | /etc/init.d/opsipxeconfd restart | ||
+ | </code> | ||
+ | |||
+ | **Finally your right, to use mysql for the Inventorydata, | ||