userspace:centos_6.3

Differences

userspace:centos_6.3 [2013/02/06 17:03]
SisterOfMercy created
userspace:centos_6.3 [2021/08/23 08:37] (current)
Line 3: Line 3:
 These are my personal notes for installing OPSI on a CentOS 6.3 server, and may be of help to others.\\ These are my personal notes for installing OPSI on a CentOS 6.3 server, and may be of help to others.\\
 Of course I also used the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]].\\ Of course I also used the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]].\\
-For installing the CentOS-6.3-x86_64-bin-DVD1.iso was used, because LiveCD iso's do not include minimal install options. It might still be possible, to do a minimal install with a LiveCD, but I was unable to do that.+For installing the CentOS-6.3-x86_64-bin-DVD1.iso was used, because LiveCD iso's do not include minimal install options. It might still be possible, to do a minimal install with a LiveCD, but I was too lazy to find out.
 So this is about a minimal install, without any additional packages. So this is about a minimal install, without any additional packages.
 +
 +===== Preparation =====
  
 In the DHCP server on the network we use the mac address of the OPSI server to set a static lease. In the DHCP server on the network we use the mac address of the OPSI server to set a static lease.
Line 10: Line 12:
 //dhcp-boot=linux/pxelinux.0,opsi.anarchy.lan,10.0.0.97//\\ //dhcp-boot=linux/pxelinux.0,opsi.anarchy.lan,10.0.0.97//\\
 With a different DHCP server you will have to look for the correct commands.\\ With a different DHCP server you will have to look for the correct commands.\\
-(insert opsi1.jpg blah)\\+The static lease looks a bit like this (with DD-WRT):\\ 
 +{{http://www.gcecad-service.nl/images/opsi1.JPG}}\\ 
 I use [[http://www.spacewalkproject.org/|Spacewalk]] to manage my CentOS servers, so installation of packages and updates is done via Spacewalk. That is why the yum commands may be incorrect, I did not use them myself, and am making them up. In the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]] is mentioned how to add the OPSI repository.\\ I use [[http://www.spacewalkproject.org/|Spacewalk]] to manage my CentOS servers, so installation of packages and updates is done via Spacewalk. That is why the yum commands may be incorrect, I did not use them myself, and am making them up. In the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]] is mentioned how to add the OPSI repository.\\
  
-After installing CentOS we turn on the network by editing: /etc/sysconfig/network-scripts/ifcfg-eth0+After installing CentOS we turn on the network by editing: /etc/sysconfig/network-scripts/ifcfg-eth0\\
 //ONBOOT="no"// should become //ONBOOT="yes"//\\ //ONBOOT="no"// should become //ONBOOT="yes"//\\
-After saving this file, we restart the network with this command: ///etc/init.d/network restart//+After saving this file, we restart the network with this command: ///etc/init.d/network restart//\\
 Now the CentOS server gets the IP address which was set in the DHCP server. This saves a lot of trouble, no messing with resolv.conf and //hostname -f// returns the correct hostname. Now the CentOS server gets the IP address which was set in the DHCP server. This saves a lot of trouble, no messing with resolv.conf and //hostname -f// returns the correct hostname.
 +
 +===== First part of installation =====
  
 We first install xinetd and samba, then we start their services and make sure they start again when rebooting the server:\\ We first install xinetd and samba, then we start their services and make sure they start again when rebooting the server:\\
-//yum install xinetd samba\\ +<code winst> 
-/etc/init.d/smb start\\ +yum install xinetd samba 
-/etc/init.d/nmb start\\ +/etc/init.d/smb start 
-/etc/init.d/xinetd start\\ +/etc/init.d/nmb start 
-chkconfig smb on\\ +/etc/init.d/xinetd start 
-chkconfig nmb on\\ +chkconfig smb on 
-chkconfig xinetd on//+chkconfig nmb on 
 +chkconfig xinetd on 
 +</code>
 As you can see, mysql is not installed, but I do not have a license for the mysql-module, so we are going to use the file backend and do not need mysql. It might also be easier to configure if you do not have much experience.\\ As you can see, mysql is not installed, but I do not have a license for the mysql-module, so we are going to use the file backend and do not need mysql. It might also be easier to configure if you do not have much experience.\\
  
-//yum install p7zip p7zip-plugins cabextract//+Now we install the OPSI packages:\\ 
 +<code winst> 
 +yum install p7zip p7zip-plugins cabextract 
 +yum install opsi-depotserver opsi-configed 
 +</code> 
 + 
 +This is shamelessly copied from the [[http://download.uib.de/opsi_stable/doc/opsi-getting-started-stable-en.pdf|getting started documentation]]:\\ 
 +<code winst> 
 +/etc/init.d/opsiconfd restart 
 +/etc/init.d/opsipxeconfd restart 
 +opsi-setup --auto-configure-samba 
 +chkconfig opsiconfd on 
 +chkconfig opsipxeconfd on 
 +/etc/init.d/smb restart 
 +/etc/init.d/nmb restart 
 +</code> 
 + 
 +===== Iptables configuration ===== 
 + 
 +To make OPSI work correctly we have to open some ports on the firewall. I can never remember the iptables commands, and with Spacewalk I deployed the following to: /etc/sysconfig/network/iptables: 
 + 
 +//(In my case, after clean installation of Centos 6.3 the path of the file is not the same. On my machine the file is located at: /etc/sysconf/iptables)//\\ 
 +<code winst> 
 +# Firewall configuration written by system-config-firewall 
 +# Manual customization of this file is not recommended. 
 +*filter 
 +:INPUT ACCEPT [0:0] 
 +:FORWARD ACCEPT [0:0] 
 +:OUTPUT ACCEPT [0:0] 
 +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
 +-A INPUT -p icmp -j ACCEPT 
 +-A INPUT -i lo -j ACCEPT 
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
 +-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT 
 +-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT 
 +-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT 
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT 
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT 
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 4441 -j ACCEPT 
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 4447 -j ACCEPT 
 +-A INPUT -j REJECT --reject-with icmp-host-prohibited 
 +-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
 +COMMIT 
 +</code> 
 +We then restart iptables: ///etc/init.d/iptables restart//\\ 
 + 
 +TCP port 22 is used by SSH. UDP port 69 is used by the TFTP server.\\ 
 +UDP ports 137, 137 and TCP ports 139 and 445 are used by Samba.\\ 
 +TCP ports 4441 and 4447 are of course used by OPSI.\\ 
 + 
 +===== OPSI configuration ===== 
 +Now we are going to edit the opsi configuration files:\\ 
 +This is /etc/opsi/backendManager/dispatch.conf:\\ 
 +<code winst> 
 +backend_.*         : file, opsipxeconfd 
 +host_.*            : file, opsipxeconfd 
 +productOnClient_.* : file, opsipxeconfd 
 +configState_.*     : file, opsipxeconfd 
 +.*                 : file 
 +</code> 
 +/etc/opsi/opsiconfd.conf has only been edited minimally. I think I only edited 'update ip'. Comments removed for readability:\\ 
 +<code winst> 
 +[global] 
 +        backend config dir = /etc/opsi/backends 
 +        dispatch config file = /etc/opsi/backendManager/dispatch.conf 
 +        extension config dir = /etc/opsi/backendManager/extend.d 
 +        acl file = /etc/opsi/backendManager/acl.conf 
 +        admin networks = 0.0.0.0/0 
 +        message bus = no 
 +        multiprocessing = no 
 +        pid file = /var/run/opsiconfd/opsiconfd.pid 
 +        log file = /var/log/opsi/opsiconfd/%m.log 
 +        symlink logs = yes 
 +        log level = 5 
 +        log format = [%l] [%D] %M (%F|%N) 
 +        max execution statistics = 250 
 +        monitoring user = monitoring 
 + 
 +[service] 
 +        interface = 0.0.0.0 
 +        http port = 0 
 +        https port = 4447 
 +        ssl server cert = /etc/opsi/opsiconfd.pem 
 +        ssl server key = /etc/opsi/opsiconfd.pem 
 + 
 +[session] 
 +        session name = OPSISID 
 +        verify ip = no 
 +        update ip = yes 
 +        max inactive interval = 120 
 +        max authentication failures = 5 
 + 
 +[directories] 
 +        / = /usr/share/opsiconfd/static (noauth) 
 +        configed = /usr/lib/configed (noauth) 
 +</code> 
 +The same is valid for /etc/opsi/backends/hostcontrol.conf but this file is entirely standard:\\ 
 +<code winst> 
 +# -*- coding: utf-8 -*- 
 + 
 +module = 'HostControl' 
 +config = { 
 +    "opsiclientdPort":    4441, 
 +    "hostRpcTimeout":     15, 
 +    "resolveHostAddress": False, 
 +    "maxConnections":     50, 
 +    "broadcastAddresses": ["255.255.255.255"
 +</code> 
 + 
 +===== Second part of installation ===== 
 + 
 +Now we fire off the next part of commands:\\ 
 +<code winst> 
 +opsi-setup --init-current-config 
 +opsi-setup --set-rights 
 +/etc/init.d/opsiconfd restart 
 +/etc/init.d/opsipxeconfd restart 
 +</code> 
 + 
 +To set the password of the pcpatch user, we use this command:\\ 
 +<code winst> 
 +opsi-admin -d task setPcpatchPassword 
 +</code> 
 +Then we create the adminuser, set the linux password and the samba password:\\ 
 +<code winst> 
 +useradd -m -s /bin/bash adminuser 
 +passwd adminuser 
 +smbpasswd -a adminuser 
 +</code> 
 +We also add the adminuser to the opsiadmin and pcpatch group - at least if I am not mistaken:\\ 
 +<code winst> 
 +usermod -aG opsiadmin adminuser 
 +usermod -aG pcpatch adminuser 
 +</code> 
 +You can check your work with these commands:\\ 
 +<code winst> 
 +cat /etc/passwd 
 +cat /etc/group 
 +</code> 
 + 
 +Ok, now we are finally getting to the good stuff, letting OPSI install the rest of the packages:\\ 
 +<code winst> 
 +opsi-product-updater -i -vv 
 +</code> 
 +This is going to take some time if you do not have a fast internet connection. In the meantime you could check out the [[http://forum.opsi.org/|OPSI Forum]].\\ 
 + 
 +===== Troubleshooting Samba and TFTP ===== 
 + 
 +I opened https://opsi.anarchy.lan:4447/configed in my browser, but somehow the Java runtime on my client did not work correctly. After updating I could finally use the OPSI webinterface.\\ 
 +My Samba share was not working, so I tried this: 
 +<code winst> 
 +opsi-setup --auto-configure-samba 
 +opsi-setup --set-rights 
 +/etc/init.d/opsiconfd restart 
 +/etc/init.d/opsipxeconfd restart 
 +/etc/init.d/smb restart 
 +/etc/init.d/nmb restart 
 +</code> 
 +That did not help, and to make a long story short: SELinux was blocking access.\\ 
 +<code winst> 
 +yum install setroubleshoot-server 
 +</code> 
 +At least now SELinux alerts show up in /var/log/messages.\\ 
 +To enable exporting of samba shares we use this command:\\ 
 +<code winst> 
 +setsebool -P samba_export_all_rw on 
 +</code> 
 +Now we can use the samba shares! Doesn't that feel good, making SELinux work instead of just disabling it?\\ 
 +Well, this also happened a lot with the TFTP server, when serving netboot products. :-(\\ 
 +After a SELinux alert I used these commands:\\ 
 +<code winst> 
 +cd /root 
 +cat /var/log/audit/audit.log | audit2allow -l -v -m local > opsi-tftp.te 
 +checkmodule -M -m -o opsi-tftp.mod opsi-tftp.te 
 +semodule_package -o opsi-tftp.pp -m opsi-tftp.mod 
 +semodule -v -i opsi-tftp.pp 
 +</code> 
 +Well, each time you recieve a SELinux alert you have to use these commands. And of course, to make it easier, you overwrite your last opsi-tftp.te, so you have to make a backup and merge the differences. A lot of Whisky later I ended up with this opsi-tftp.te file:\\ 
 +<code winst> 
 +module opsi-tftp 1.0; 
 + 
 +require { 
 +        type smbd_t; 
 +        type var_lib_t; 
 +        class file getattr; 
 +        type tftpd_t; 
 +        type usr_t; 
 +        type tftpdir_t; 
 +        class fifo_file { read getattr open }; 
 +        class file { read getattr open }; 
 +        class lnk_file { read getattr }; 
 +        class capability { dac_read_search dac_override }; 
 +
 + 
 +#============= tftpd_t ============== 
 +allow tftpd_t self:capability { dac_read_search dac_override }; 
 +allow tftpd_t tftpdir_t:fifo_file { read getattr open }; 
 +allow tftpd_t usr_t:file { read getattr open }; 
 +</code> 
 +If you copy this to your OPSI server, you would only have to use the above commands from 'checkmodule'.\\ 
 + 
 +The setsebool command to fix the samba shares was whining about userIds or something. So I changed the UID of the opsiconfd and pcpatch account. Most distributions have no problems with system accounts with an UID below 1000, but with CentOS this is still limited to 500. This is not really necessary, but I'm trying to fix any strange messages I recieve. This thing is supposed to go into production.\\ 
 +<code winst> 
 +usermod -u 450 opsiconfd 
 +usermod -u 451 pcpatch 
 +groupmod -g 450 pcpatch 
 +groupmod -g 451 opsiadmin 
 +</code> 
 + 
 +===== Troubleshooting OPSI ===== 
 + 
 +When OPSI is having problems you could read the logfiles, but before you do, use these commands:\\ 
 +<code winst> 
 +opsi-setup --init-current-config 
 +opsi-setup --auto-configure-samba 
 +opsi-setup --set-rights 
 +/etc/init.d/opsiconfd restart 
 +/etc/init.d/opsipxeconfd restart 
 +</code> 
 +Most problems can be fixed this way. If this fails, then read the logfiles and try to find the problem.\\ 
 +When copying files from other systems, be sure to run //opsi-setup --set-rights//!\\ 
 + 
 +===== Conclusion ===== 
 + 
 +If I have transcribed my notes correctly you now have a working OPSI server!\\ 
 +If not, it isn't my fault! ;-)\\ 
 +\\ 
 +I was talking with the nice people at uib.de, and it seems the mysql backend can be used for hardware and software audit purposes, without a license. When I find the time I will expand this entry to include the mysql configuration. 
 + 
 +==== Change to mysql for inventory ==== 
 + 
 + 
 +That's right and we recommend to use the mysql-Database for inventory-functions. To change from file-backend to mysql for the inventory data, you must at first install the mysql-server. If you don't have done before, you can use the following commands: 
 + 
 +<code bash> 
 +yum install mysql-server  
 +/etc/init.d/mysqld start 
 +mysql_secure_installation 
 +chkconfig mysqld on 
 +</code> 
 + 
 +No you can run opsi-setup to configure your mysql-database (create a opsi database, create opsi user, set privileges and patch backend-configuration file from opsi.) For the next step you need the root password, that you have set with the command: mysql_secure_installation: 
 + 
 +<code bash> 
 +opsi-setup --configure-mysql 
 +</code> 
 + 
 +Now you must configure the opsi-Dispatcher to use mysql for Hard- and Software Inventory (You should set the licensemanagement to mysql-server too. If you don't use opsi-licensemanagement, this entries doing nothing. For this modification edit the file: 
 + 
 +<file> 
 +/etc/opsi/backendManager/dispatch.conf 
 +</file> 
 + 
 +The important entries are the following: 
 + 
 + 
 +backend_.*         : file, **mysql**, opsipxeconfd\\ 
 +...\\ 
 +license.*          : **mysql**\\ 
 +softwareLicense.*  : **mysql**\\ 
 +audit.*            : **mysql**\\ 
 +...\\ 
 + 
 +After a new init-current-config and a webservice-restart your Inventory-data should be written in mysql: 
 + 
 +<code bash> 
 +opsi-setup --init-current-config 
 +/etc/init.d/opsiconfd restart 
 +/etc/init.d/opsipxeconfd restart 
 +</code> 
 + 
 +**Finally your right, to use mysql for the Inventorydata, you don't need a valid license.**
  
  
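Review bot: the opsiconfd.conf block under "OPSI configuration" ships `admin networks = 0.0.0.0/0` together with `verify ip = no` and the service interface set to 0.0.0.0, which makes the admin-capable webservice on port 4447 (opened to every source by the iptables rules earlier in the same hunk) reachable from any address that can route to the host and lets an OPSISID session cookie be reused from a different IP than the one that authenticated; restrict admin networks to the management subnet (10.0.0.0/24 would match the 10.0.0.97 example, but that is an assumption about the reader's network), set verify ip to yes, and add a source restriction to the 4441/4447 rules (4441 is the opsiclientd port named in hostcontrol.conf, so it is worth stating whether the server needs it open inbound at all). Smaller fixes in the same hunk: the iptables file path is given as /etc/sysconfig/network/iptables in the intro and /etc/sysconf/iptables in the italic note, but on CentOS 6 it is /etc/sysconfig/iptables; the port summary says "UDP ports 137, 137" where 138 is meant; and the hostcontrol.conf listing stops after the broadcastAddresses entry without its closing bracket and brace, so the reader should be told it is cut short rather than left to assume that is the whole file. The SELinux section under "Troubleshooting Samba and TFTP" also needs a caveat: the samba_export_all_rw boolean and an audit2allow run over the entire audit.log grant far more than the OPSI shares need (the generated module even requires smbd_t and var_lib_t that no rule uses), and `allow tftpd_t self:capability { dac_read_search dac_override };` lets the TFTP daemon ignore file permissions entirely; labelling the netboot directory as tftpdir_t with semanage fcontext and restorecon, and filtering the audit log to the tftpd_t denials before feeding it to audit2allow, would be the least-privilege form of the same fix.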
userspace/centos_6.3.1360170203.txt.gz · Last modified: 2021/08/23 08:37 (external edit)