1. Copyright
The Copyright of this manual is held by uib gmbh in Mainz, Germany.
This manual is published under the creative commons license
'Attribution - ShareAlike' (by-sa).
A description of the license can be found here:
https://creativecommons.org/licenses/by-sa/3.0/
The legally binding text of the license can be found here:
https://creativecommons.org/licenses/by-sa/3.0/legalcode
Most parts of the opsi software is open source.
Not open source are the parts of the source code which contain new extensions, that are still under cofunding, which have not been paid off yet.
See also: opsi cofunding projects
All of the open source code is published under the AGPLv3.
The legally binding text of the AGPLv3 license can be found here: http://www.gnu.org/licenses/agpl-3.0-standalone.html
Information about the AGPL: http://www.gnu.org/licenses/agpl-3.0.en.html
For licenses to use opsi in the context of closed source software, please contact uib gmbh.
The names 'opsi', 'opsi.org', 'open pc server integration' and the opsi logo are registered trademarks of uib gmbh. :leveloffset: +1
2. Overview of the new features
Main aspects of this release are:
-
Switch to Python 3
-
All Python applications are distributed as executable binary files
-
opsi-python interpreter for your own scripts
-
opsi server
-
Complete new implementation of opsiconfd with a focus on performance and scalability
-
opsiconfd can now run in a docker container
-
New dependency on Redis Server >= 5 including the RedisTimeSeries module
-
Use of Grafana for visualization of performance data
-
New default ACLs for API access
-
3. Important information - please note
opsi 4.2 is an independent release and has its own repositories. These new repositories have to be added to the system and the repositories of the previous version have to be removed. Only then can the installation / upgrade be carried out.
For an upgrade from opsi 4.1 the installed packages need to be the latest opsi 4.1 stable versions. Other packages - such as MySQL server - should also be up-to-date. Otherwise errors in the upgrade process may occur.
It is also strongly recommended to update the packages 'opsi-winst', 'opsi-client-agent' or 'opsi-linux-client-agent' on all clients to the latest opsi 4.1 versions before upgrading.
3.1. Python 3
opsi 4.2 is now completely based on Python 3. Furthermore, all Python-based packages are now distributed as executable binary files. The 'python-opsi' package is no longer provided as an installable package. It is therefore important to note the following points:
3.1.1. Opsi packages containing server-side Python scripts
After upgrading the server to opsi 4.2, please use 'opsi-package-manager' to reinstall opsi-packages that contain Python scripts running on the server:
-
opsi-client-agent:
opsi-deploy-client-agent -
win*:
create_driver_links.py,show_drivers.py
The postinst script automatically corrects these scripts and sets the new interpreter to opsi-python.
Alternatively, the Python scripts can be corrected manually.
For this, the interpreter must be set to opsi-python (use #!/usr/bin/opsi-python as 'shebang').
3.1.2. Own Python scripts that use python-opsi (import OPSI)
If scripts are used that depend on python-opsi, the following steps must be carried out:
* Convert these scripts to Python 3 (Python’s own 2to3 can be used for this).
* Change the interpreter to opsi-python, which provides python-opsi (import OPSI) (use #!/usr/bin/opsi-python as 'shebang').
3.1.3. Backend extensions (/etc/opsi/backendManager/extend.d)
If you have modified the configuration files in /etc/opsi/backendManager/extend.d or added new ones, these changes must be checked for Python 3 compatibility and adjusted if necessary.
3.2. File admin group pcpatch / opsifileadmins.
With opsi 4.2 the default name for the opsi file admin group was changed from 'pcpatch' to 'opsifileadmins'.
However, when upgrading from opsi 4.1, the previously used name will continue to be used.
The name can be customized in the /etc/opsi/opsi.conf configuration file via option fileadmingroup of the groups section.
When changing to the 'opsifileadmins' group, note that the 'pcpatch' user must also be added to this group.
3.3. opsiconfd configuration and logs
There are some changes in the configuration and the logs of 'opsiconfd'.
-
All configuration options are documented in the help text of opsiconfd ('opsiconfd --help').
-
These command line parameters can also be used in the configuration file
opsiconfd.conf(without '--'). -
The opsiconfd now has a built-in log rotation. This can be configured with the options 'max-log-size' and 'keep-rotated-logs'.
-
The log file 'package.log' is now part of 'opsiconfd.log'.
-
The logs now contain context that can be used to filter the logs. For example you can filter these with 'grep' or start opsiconfd with the option '--log-filter LOG_FILTER':
opsiconfd --log-filter instance=package_install[6] [2020-09-07 14:41:17.864] [package_install] Running postinst script (Depotserver.py:235)
[5] [2020-09-07 14:41:17.865] [package_install] Running package script 'postinst' (Product.py:477)
...opsiconfd --log-filter client_addr=10.100.7.5[6] [2020-09-07 14:25:16.966] [10.100.7.5 ] Filtering objects by acls (AccessControl.py:475)
...3.4. Verification of the server identity
Since opsi 4.2, the trustworthiness of the opsi-server can be ensured using standard TLS methods. Each opsi-config-server maintains a Certificate Authority (CA), the opsi CA. This CA is automatically managed by the opsi-config-server. Each opsi-server, also the opsi-depot-server receive a TLS certificate from the opsi-config-server, which is signed by this CA. These certificates are also automatically created, distributed and updated as needed. Any client that trusts the opsi CA also trusts these server certificates.
This applies especially to the 'verify_server_cert' and 'verify_server_cert_by_ca' options. For more information please refer to the corresponding chapter in the opsi-manual.
3.5. Depraction of opsi4ucs package
With opsi 4.2 the ucs support was adepted to the opsi-standard like on other supported distibutions. The function of opsi4ucs was implemented in opsi-server package and its variants. The opsi4ucs package exists in opsi 4.2 as a transitionpackage to make the migration easier. This package will automatically removed during the upgrade process.
4. Installation instructions
We strongly suggest to create a backup of the backends with opsi-backup before upgrading:
opsi-backup createAll opsi components that are published in this release depend on each other in many places. Therefore all components should be upgraded.
We recommend to first upgrade the server, and then update the opsi packages (products).
In a multi-depot environment, it is recommended to upgrade the config server first before upgrading the depots.
We recommend running opsi-setup --set-rights after the update to ensure that access rights are set correctly.
This command can take several minutes to complete.
4.1. Advice for updating the operating system packages
Please make sure that you are using the latest opsi 4.1 packages from the stable branch at the time of the upgrade!
4.2. Notes on updating opsi-packages
Usually, opsi packages are compatible with both opsi 4.1 and opsi 4.2.
The official opsi 4.2 repositories on download.uib.de contain packages which are compatible with opsi 4.1.
Please note that these packages do not necessarily have to specify 4.2 as the version in order to be compatible.
4.3. Migration of an opsi 4.1 server
On supported operating systems it is possible to migrate an existing opsi 4.1 installation to opsi 4.2.
If the opsi servers are managed with opsi, the migration can be done with the package l-opsi-server-migrate.
| Upgrading from opsi 4.0 directly to opsi 4.2 is not supported. In such a case an upgrade to opsi 4.1 has to be carried out before an upgrade to opsi 4.2 is possible. |
4.3.1. Requirements for a migration
From version 4.2 the opsi-server needs access to a Redis and a Grafana instance. If these services will also be provided by the opsi server, we recommend switching to the 'opsi-server-full' package during the migration. This package installs and configures everything that is necessary on the opsi server (this will be referred to as a single server setup).
The Grafana repositories are required for the installation of Grafana:
Debian/Ubuntu:
sudo apt-get install -y apt-transport-https software-properties-common wget gnupg
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" > /etc/apt/sources.list.d/grafana.listRHEL/CentOS:
yum install wget
cd /etc/yum.repos.d
cat <<EOF > grafana.repo
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOFopenSUSE:
zypper install wget
cd /etc/zypp/repos.d
cat <<EOF > grafana.repo
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF4.3.2. Switching to the new repositories
First, the opsi 4.2 repositories have to be registered in the package sources of your operating system.
The commands below add the new repositories and, if required, the repository key. The following commands require 'root'-rights.
Ubuntu 20.04 LTS Focal Fossa:
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_20.04/Release.key | sudo apt-key add -Ubuntu 18.04 LTS Bionic Beaver:
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_18.04/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_18.04/Release.key | sudo apt-key add -Debian 11 Bullseye:
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_11/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_11/Release.key | sudo apt-key add -Debian 10 Buster:
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_10/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_10/Release.key | sudo apt-key add -CentOS 8:
cd /etc/yum.repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/CentOS_8/home:uibmz:opsi:4.2:stable.repo
yum makecacheRHEL 8:
cd /etc/yum.repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/RHEL_8/home:uibmz:opsi:4.2:stable.repo
yum makecacheopenSUSE Leap 15.1:
cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/openSUSE_Leap_15.1/home:uibmz:opsi:4.2:stable.repo
zypper refreshopenSUSE Leap 15.2:
cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/openSUSE_Leap_15.2/home:uibmz:opsi:4.2:stable.repo
zypper refreshSLES 15 SP 1:
cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/SLE_15_SP1/home:uibmz:opsi:4.2:stable.repo
zypper refreshSLES 15 SP 2:
cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/SLE_15_SP1/home:uibmz:opsi:4.2:stable.repo
zypper refreshUnivention UCS 4.4:
echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Univention_4.4/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Univention_4.4/Release.key | sudo apt-key add -4.3.3. Upgrading the operating system packages
After adding the new package sources, the system can be migrated.
The default ACLs (/etc/opsi/backendManager/acl.conf) were changed in opsi 4.2 for security reasons.
We therefore urgently recommend using the new version of the configuration file.
|
| With RPM-based distributions, existing configuration files are replaced with new ones as part of the migration. Please refer to the information for the relevant distributions. |
Debian and Ubuntu are upgraded to opsi 4.2 with the following commands:
Single-Server-Setup:
apt update
apt install opsi-server-fullManual Setup:
apt update
apt install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
apt dist-upgradeRedHat and CentOS are updated to opsi 4.2 with the following commands:
Single-Server-Setup:
yum makecache
yum install opsi-server-full
yum upgradeManual Setup:
yum makecache
yum install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
yum upgradeOpenSUSE is ans SUSE Linux Enterprise Server (SLES) updated to opsi 4.2 with the following commands:
Single-Server-Setup:
zypper refresh
zypper install opsi-server-fullManual Setup:
zypper refresh
zypper install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
zypper dup --from home_uibmz_opsi_4.2_{release}Univention UCS is updated to opsi 4.2 with the following commands:
Single-Server-Setup:
univention-install opsi-server-fullManuelles Setup:
univention-install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
univention-install opsi-server4.3.4. Updating the opsi packages
The last step is to update to the latest opsi packages.
Using the default configuration
If you have not made any changes to the standard configuration in /etc/opsi/package-updater.repos.d/, you can update the opsi packages directly using this command:
opsi-package-updater -v update4.3.5. Opsi packages that contain server-side Python scripts
Please reinstall opsi packages that contain Python scripts that are executed on the server.
These are usually opsi-client-agent, opsi-linux-client-agent and all packages that install Windows operating systems (win *).
Details can be found at: Section 3.1.1.
After these steps your opsi 4.1 server is migrated to release 4.2 and ready for use.
Upgrading from opsi 4.0.7
If you are coming from an opsi 4.0.7, you should skip opsi 4.1 and upgrade directly to opsi 4.2. * First update your server operating system to a version supported by opsi 4.0.7 and 4.2 (e.g. Ubuntu 18.04). * Then update your opsi server to opsi 4.2 as described above. * Finally update the opsi-client-agent to the latest stable version 4.2.
5. Known bugs / known problems
-
opsi-admin: The interactive mode does not work with non-ASCII characters such as ö, ä, ü.
6. End of support
Discontinuations are listed in this chapter.
6.1. EOL: opsi 4.1 Q4/2021
So far we have supported the respective opsi version (oldstable) for at least one year parallel to the current version. But in this case we decided to shorten the time to half and to discontinue opsi 4.1 for Q4 2021 (11/30/2021). The main reason for the shortened EOL time: Not all current operating systems support opsi 4.1, including e.g. Ubuntu 20.04. opsi 4.1 is completely based on Python 2, and this version has already reached EOL in April 2020 and will no longer receive updates.
Via the opsi support contracts we are happy to support you to update to the new opsi version. Also after the EOL of opsi 4.1 we are there for you and help with migrations - but we strongly recommend to use the time until the end of Q4/2021 and update to opsi 4.2.
6.2. End of support: Distributions for opsi-server
These distributions will not be supported anymore by opsi for various reasons.
-
CentOS 7.x
-
Debian 8.x
-
RedHat Enterprise Linux 7.x
-
Suse Linux Enterprise Server 12
See the separate chapter: Chapter 7.
7. opsi support matrix
This is an overview on which platforms opsi runs as a server.
7.1. Supported distributions for server
Date: 11.12.2020
Distribution |
Opsi 4.2 |
Debian 8 Jessie |
|
Debian 9 Stretch |
|
Debian 10 Buster |
|
Debian 11 Bullseye |
|
Ubuntu 16.04 LTS Xenial Xerus |
|
Ubuntu 18.04 LTS Bionic Beaver |
|
Ubuntu 20.04 LTS Focal Fossa |
|
RHEL 7 |
|
RHEL 8 |
|
CentOS 7 |
|
CentOS 8 |
|
openSUSE Leap 15.1 |
|
openSUSE Leap 15.2 |
|
SLES 12SP1 |
|
SLES 12SP2 |
|
SLES 12SP3 |
|
SLES 15SP1 |
|
SLES 15SP2 |
|
UCS 4.4 |
|
: Supported
: Unsupported
: Under development
: Discontinued
If you are using opsi-server on an operating system version which is not listed as supported in the previous section, we recommend an operating system upgrade before installing opsi 4.2.
8. Changes in default settings
With opsi 4.2 some default settings have been changed to reflect experiences from running opsi.
This is especially important if new opsi servers are installed in an existing environment, as this may lead to a change in expected behavior.
-
Note the changed acl.conf.
9. Switch to Python 3 and PyInstaller
This version is based on Python 3.
All opsi Python applications (opsiconfd, opsipxeconfd, opsiclientd, opsi-utils, …) are now distributed as binaries built with PyInstaller.
Please use the opsi-python interpreter for your own scripts that need access to the python-opsi library.
10. MySQL backend: Limiting connection lifetime
To avoid the error messages: "mysql server has gone away", the default configuration of the MySQL backend was changed. The connectionPoolRecycling option now has been set to 28800 as the default value.
This setting limits the lifetime of the connections in the connection pool, which is used for the connections to MySQL (or MariaDB) server.
11. opsi support matrix for Linux clients
This is an overview on which Linux platforms opsi runs as a client.
11.1. Supported as opsi-client: Linux
{lang@de:Stand 11.01.2021} {lang@en:As of 11.01.2021}
{lang@en:.Supported Linux OS as Client in opsi 4.2 and 4.1} {lang@de:.Unterstützte Linux-OS als Client in opsi 4.2 und 4.1}
Distribution |
OS-Installation |
netboot products |
client-agent |
opsiclientd |
Debian 11 Bullseye |
|
debian, debian11 |
|
|
Debian 10 Buster |
|
debian, debian10 |
|
|
Debian 9 Stretch |
|
debian, debian9 |
|
|
Debian 8 Jessie |
|
debian, debian8 |
|
|
Ubuntu Jammy 22.04 LTS |
|
ubuntu, ubuntu22-04 |
|
|
Ubuntu Focal 20.04 LTS |
|
ubuntu, ubuntu20-04 |
|
|
Ubuntu Bionic 18.04 LTS |
|
ubuntu, ubuntu18-04 |
|
|
Ubuntu Xenial 16.04 LTS |
|
ubuntu, ubuntu16-04 |
|
|
Ubuntu Trusty 14.04 LTS |
|
ubuntu, ubunt14-04 |
|
|
Linux Mint 21 |
|
mint21 |
|
|
Linux Mint 20-3 |
|
mint20-3 |
|
|
Linux Mint 20-2 |
|
mint20-2 |
|
|
Linux Mint 20-1 |
|
mint20-1 |
|
|
RHEL 9 |
|
rhel9 |
|
|
RHEL 8 |
|
rhel8 |
|
|
Alma Linux 9 |
|
alma9 |
|
|
Alma Linux 9 |
|
alma8 |
|
|
Rocky Linux 9 |
|
rocky9 |
|
|
Rocky Linux 8 |
|
rocky8 |
|
|
RHEL 7 |
|
CentOS 8 |
||
|
centos8 |
|
|
CentOS 7 |
|
centos70 |
|
|
SLES 15-4 |
|
sles15-4 |
|
|
SLES 15-3 |
|
sles15-3 |
|
|
SLES 15-2 |
|
sles15-2 |
|
|
SLES 15-1 |
|
sles15-1 |
|
|
SLES 12 SP5 |
|
sles12sp5 |
|
|
SLES 12 SP4 |
|
sles12sp4 |
|
|
SLES 12 SP3 |
|
sles12sp3 |
|
|
SLES 12 SP2 |
|
sles12sp2 |
|
|
SLES 12 SP1 |
|
sles12sp1 |
|
|
SLES 12 |
|
sles12 |
|
|
openSuse Leap 15.4 |
|
opensusel15-4 |
|
|
openSuse Leap 15.3 |
|
opensusel15-3 |
|
|
openSuse Leap 15.2 |
|
opensusel15-2 |
|