The Copyright of this manual is held by uib gmbh in Mainz, Germany.

This manual is published under the creative commons license
'Attribution - ShareAlike' (by-sa).

CC by sa

A description of the license can be found here:
https://creativecommons.org/licenses/by-sa/3.0/

The legally binding text of the license can be found here:
https://creativecommons.org/licenses/by-sa/3.0/legalcode

Most parts of the opsi software is open source.
Not open source are the parts of the source code which contain new extensions, that are still under cofunding, which have not been paid off yet. See also: opsi cofunding projects

All of the open source code is published under the AGPLv3.

agplv3

The legally binding text of the AGPLv3 license can be found here: http://www.gnu.org/licenses/agpl-3.0-standalone.html

Information about the AGPL: http://www.gnu.org/licenses/agpl-3.0.en.html

For licenses to use opsi in the context of closed source software, please contact uib gmbh.

The names 'opsi', 'opsi.org', 'open pc server integration' and the opsi logo are registered trademarks of uib gmbh. :leveloffset: +1

2. Overview of the new features

Main aspects of this release are:

  • Switch to Python 3

  • All Python applications are distributed as executable binary files

  • opsi-python interpreter for your own scripts

  • opsi server

    • Complete new implementation of opsiconfd with a focus on performance and scalability

    • opsiconfd can now run in a docker container

    • New dependency on Redis Server >= 5 including the RedisTimeSeries module

    • Use of Grafana for visualization of performance data

    • New default ACLs for API access

3. Important information - please note

opsi 4.2 is an independent release and has its own repositories. These new repositories have to be added to the system and the repositories of the previous version have to be removed. Only then can the installation / upgrade be carried out.

For an upgrade from opsi 4.1 the installed packages need to be the latest opsi 4.1 stable versions. Other packages - such as MySQL server - should also be up-to-date. Otherwise errors in the upgrade process may occur.

It is also strongly recommended to update the packages 'opsi-winst', 'opsi-client-agent' or 'opsi-linux-client-agent' on all clients to the latest opsi 4.1 versions before upgrading.

3.1. Python 3

opsi 4.2 is now completely based on Python 3. Furthermore, all Python-based packages are now distributed as executable binary files. The 'python-opsi' package is no longer provided as an installable package. It is therefore important to note the following points:

3.1.1. Opsi packages containing server-side Python scripts

After upgrading the server to opsi 4.2, please use 'opsi-package-manager' to reinstall opsi-packages that contain Python scripts running on the server:

  • opsi-client-agent: opsi-deploy-client-agent

  • win*: create_driver_links.py, show_drivers.py

The postinst script automatically corrects these scripts and sets the new interpreter to opsi-python.

Alternatively, the Python scripts can be corrected manually. For this, the interpreter must be set to opsi-python (use #!/usr/bin/opsi-python as 'shebang').

3.1.2. Own Python scripts that use python-opsi (import OPSI)

If scripts are used that depend on python-opsi, the following steps must be carried out: * Convert these scripts to Python 3 (Python’s own 2to3 can be used for this). * Change the interpreter to opsi-python, which provides python-opsi (import OPSI) (use #!/usr/bin/opsi-python as 'shebang').

3.1.3. Backend extensions (/etc/opsi/backendManager/extend.d)

If you have modified the configuration files in /etc/opsi/backendManager/extend.d or added new ones, these changes must be checked for Python 3 compatibility and adjusted if necessary.

3.2. File admin group pcpatch / opsifileadmins.

With opsi 4.2 the default name for the opsi file admin group was changed from 'pcpatch' to 'opsifileadmins'. However, when upgrading from opsi 4.1, the previously used name will continue to be used. The name can be customized in the /etc/opsi/opsi.conf configuration file via option fileadmingroup of the groups section. When changing to the 'opsifileadmins' group, note that the 'pcpatch' user must also be added to this group.

3.3. opsiconfd configuration and logs

There are some changes in the configuration and the logs of 'opsiconfd'.

  • All configuration options are documented in the help text of opsiconfd ('opsiconfd --help').

  • These command line parameters can also be used in the configuration file opsiconfd.conf (without '--').

  • The opsiconfd now has a built-in log rotation. This can be configured with the options 'max-log-size' and 'keep-rotated-logs'.

  • The log file 'package.log' is now part of 'opsiconfd.log'.

  • The logs now contain context that can be used to filter the logs. For example you can filter these with 'grep' or start opsiconfd with the option '--log-filter LOG_FILTER':

opsiconfd --log-filter instance=package_install
[6] [2020-09-07 14:41:17.864] [package_install] Running postinst script   (Depotserver.py:235)
[5] [2020-09-07 14:41:17.865] [package_install] Running package script 'postinst'   (Product.py:477)
...
opsiconfd --log-filter client_addr=10.100.7.5
[6] [2020-09-07 14:25:16.966] [10.100.7.5     ] Filtering objects by acls   (AccessControl.py:475)
...

3.4. Verification of the server identity

Since opsi 4.2, the trustworthiness of the opsi-server can be ensured using standard TLS methods. Each opsi-config-server maintains a Certificate Authority (CA), the opsi CA. This CA is automatically managed by the opsi-config-server. Each opsi-server, also the opsi-depot-server receive a TLS certificate from the opsi-config-server, which is signed by this CA. These certificates are also automatically created, distributed and updated as needed. Any client that trusts the opsi CA also trusts these server certificates.

This applies especially to the 'verify_server_cert' and 'verify_server_cert_by_ca' options. For more information please refer to the corresponding chapter in the opsi-manual.

3.5. Depraction of opsi4ucs package

With opsi 4.2 the ucs support was adepted to the opsi-standard like on other supported distibutions. The function of opsi4ucs was implemented in opsi-server package and its variants. The opsi4ucs package exists in opsi 4.2 as a transitionpackage to make the migration easier. This package will automatically removed during the upgrade process.

4. Installation instructions

We strongly suggest to create a backup of the backends with opsi-backup before upgrading:

opsi-backup create

All opsi components that are published in this release depend on each other in many places. Therefore all components should be upgraded.

We recommend to first upgrade the server, and then update the opsi packages (products).

In a multi-depot environment, it is recommended to upgrade the config server first before upgrading the depots.

We recommend running opsi-setup --set-rights after the update to ensure that access rights are set correctly. This command can take several minutes to complete.

4.1. Advice for updating the operating system packages

Please make sure that you are using the latest opsi 4.1 packages from the stable branch at the time of the upgrade!

4.2. Notes on updating opsi-packages

Usually, opsi packages are compatible with both opsi 4.1 and opsi 4.2.

The official opsi 4.2 repositories on download.uib.de contain packages which are compatible with opsi 4.1. Please note that these packages do not necessarily have to specify 4.2 as the version in order to be compatible.

4.3. Migration of an opsi 4.1 server

On supported operating systems it is possible to migrate an existing opsi 4.1 installation to opsi 4.2.

If the opsi servers are managed with opsi, the migration can be done with the package l-opsi-server-migrate.

Upgrading from opsi 4.0 directly to opsi 4.2 is not supported. In such a case an upgrade to opsi 4.1 has to be carried out before an upgrade to opsi 4.2 is possible.

4.3.1. Requirements for a migration

From version 4.2 the opsi-server needs access to a Redis and a Grafana instance. If these services will also be provided by the opsi server, we recommend switching to the 'opsi-server-full' package during the migration. This package installs and configures everything that is necessary on the opsi server (this will be referred to as a single server setup).

The Grafana repositories are required for the installation of Grafana:

Debian/Ubuntu:
sudo apt-get install -y apt-transport-https software-properties-common wget gnupg
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
echo "deb https://packages.grafana.com/oss/deb stable main" > /etc/apt/sources.list.d/grafana.list
RHEL/CentOS:
yum install wget
cd /etc/yum.repos.d
cat <<EOF > grafana.repo
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF
openSUSE:
zypper install wget
cd /etc/zypp/repos.d
cat <<EOF > grafana.repo
[grafana]
name=grafana
baseurl=https://packages.grafana.com/oss/rpm
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://packages.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
EOF

4.3.2. Switching to the new repositories

First, the opsi 4.2 repositories have to be registered in the package sources of your operating system.

The commands below add the new repositories and, if required, the repository key. The following commands require 'root'-rights.

Ubuntu 20.04 LTS Focal Fossa:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_20.04/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_20.04/Release.key | sudo apt-key add -

Ubuntu 18.04 LTS Bionic Beaver:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_18.04/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/xUbuntu_18.04/Release.key | sudo apt-key add -

Debian 11 Bullseye:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_11/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_11/Release.key | sudo apt-key add -

Debian 10 Buster:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_10/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_10/Release.key | sudo apt-key add -

Debian 9 Stretch:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_9.0/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Debian_9.0/Release.key | sudo apt-key add -

CentOS 8:

cd /etc/yum.repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/CentOS_8/home:uibmz:opsi:4.2:stable.repo
yum makecache

RHEL 8:

cd /etc/yum.repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/RHEL_8/home:uibmz:opsi:4.2:stable.repo
yum makecache

openSUSE Leap 15.1:

cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/openSUSE_Leap_15.1/home:uibmz:opsi:4.2:stable.repo
zypper refresh

openSUSE Leap 15.2:

cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/openSUSE_Leap_15.2/home:uibmz:opsi:4.2:stable.repo
zypper refresh

SLES 15 SP 1:

cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/SLE_15_SP1/home:uibmz:opsi:4.2:stable.repo
zypper refresh

SLES 15 SP 2:

cd /etc/zypp/repos.d
wget https://download.opensuse.org/repositories/home:uibmz:opsi:4.2:stable/SLE_15_SP1/home:uibmz:opsi:4.2:stable.repo
zypper refresh

Univention UCS 4.4:

echo "deb http://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Univention_4.4/ /" > /etc/apt/sources.list.d/opsi.list
wget -q -O - https://download.opensuse.org/repositories/home:/uibmz:/opsi:/4.2:/stable/Univention_4.4/Release.key | sudo apt-key add -

4.3.3. Upgrading the operating system packages

After adding the new package sources, the system can be migrated.

The default ACLs (/etc/opsi/backendManager/acl.conf) were changed in opsi 4.2 for security reasons. We therefore urgently recommend using the new version of the configuration file.
With RPM-based distributions, existing configuration files are replaced with new ones as part of the migration. Please refer to the information for the relevant distributions.

Debian and Ubuntu are upgraded to opsi 4.2 with the following commands:

Single-Server-Setup:

apt update
apt install opsi-server-full

Manual Setup:

apt update
apt install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
apt dist-upgrade

RedHat and CentOS are updated to opsi 4.2 with the following commands:

Single-Server-Setup:

yum makecache
yum install opsi-server-full
yum upgrade

Manual Setup:

yum makecache
yum install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
yum upgrade

OpenSUSE is ans SUSE Linux Enterprise Server (SLES) updated to opsi 4.2 with the following commands:

Single-Server-Setup:

zypper refresh
zypper install opsi-server-full

Manual Setup:

zypper refresh
zypper install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
zypper dup --from home_uibmz_opsi_4.2_{release}

Univention UCS is updated to opsi 4.2 with the following commands:

Single-Server-Setup:

univention-install opsi-server-full

Manuelles Setup:

univention-install redis-server redis-timeseries grafana
systemctl daemon-reload
systemctl enable grafana-server
systemctl start grafana-server
univention-install opsi-server

4.3.4. Updating the opsi packages

The last step is to update to the latest opsi packages.

Using the default configuration

If you have not made any changes to the standard configuration in /etc/opsi/package-updater.repos.d/, you can update the opsi packages directly using this command:

opsi-package-updater -v update

4.3.5. Opsi packages that contain server-side Python scripts

Please reinstall opsi packages that contain Python scripts that are executed on the server. These are usually opsi-client-agent, opsi-linux-client-agent and all packages that install Windows operating systems (win *). Details can be found at: Section 3.1.1.

After these steps your opsi 4.1 server is migrated to release 4.2 and ready for use.

5. Known bugs / known problems

KNOWN BUGS:
  • opsi-admin: The interactive mode does not work with non-ASCII characters such as ö, ä, ü.

6. End of support

Discontinuations are listed in this chapter.

6.1. EOL: opsi 4.1 Q4/2021

So far we have supported the respective opsi version (oldstable) for at least one year parallel to the current version. But in this case we decided to shorten the time to half and to discontinue opsi 4.1 for Q4 2021 (11/30/2021). The main reason for the shortened EOL time: Not all current operating systems support opsi 4.1, including e.g. Ubuntu 20.04. opsi 4.1 is completely based on Python 2, and this version has already reached EOL in April 2020 and will no longer receive updates.

Via the opsi support contracts we are happy to support you to update to the new opsi version. Also after the EOL of opsi 4.1 we are there for you and help with migrations - but we strongly recommend to use the time until the end of Q4/2021 and update to opsi 4.2.

6.2. End of support: Distributions for opsi-server

These distributions will not be supported anymore by opsi for various reasons.

  • CentOS 7.x

  • Debian 8.x

  • RedHat Enterprise Linux 7.x

  • Suse Linux Enterprise Server 12

See the separate chapter: Chapter 7.

7. opsi support matrix

This is an overview on which platforms opsi runs as a server.

7.1. Supported distributions for server

Date: 11.12.2020

Distribution

Opsi 4.2

Debian 8 Jessie

discontinued

Debian 9 Stretch

supported

Debian 10 Buster

supported

Debian 11 Bullseye

supported

Ubuntu 16.04 LTS Xenial Xerus

discontinued

Ubuntu 18.04 LTS Bionic Beaver

supported

Ubuntu 20.04 LTS Focal Fossa

supported

RHEL 7

unsupported

RHEL 8

supported

CentOS 7

unsupported

CentOS 8

supported

openSUSE Leap 15.1

supported

openSUSE Leap 15.2

supported

SLES 12SP1

unsupported

SLES 12SP2

unsupported

SLES 12SP3

unsupported

SLES 15SP1

supported

SLES 15SP2

supported

UCS 4.4

supported

supported: Supported unsupported: Unsupported develop: Under development discontinued: Discontinued

If you are using opsi-server on an operating system version which is not listed as supported in the previous section, we recommend an operating system upgrade before installing opsi 4.2.

8. Changes in default settings

With opsi 4.2 some default settings have been changed to reflect experiences from running opsi.

This is especially important if new opsi servers are installed in an existing environment, as this may lead to a change in expected behavior.

  • Note the changed acl.conf.

9. Switch to Python 3 and PyInstaller

This version is based on Python 3. All opsi Python applications (opsiconfd, opsipxeconfd, opsiclientd, opsi-utils, …​) are now distributed as binaries built with PyInstaller. Please use the opsi-python interpreter for your own scripts that need access to the python-opsi library.

10. MySQL backend: Limiting connection lifetime

To avoid the error messages: "mysql server has gone away", the default configuration of the MySQL backend was changed. The connectionPoolRecycling option now has been set to 28800 as the default value. This setting limits the lifetime of the connections in the connection pool, which is used for the connections to MySQL (or MariaDB) server.

11. opsi support matrix for Linux clients

This is an overview on which Linux platforms opsi runs as a client.

11.1. Supported as opsi-client: Linux

{lang@de:Stand 11.01.2021} {lang@en:As of 11.01.2021}

{lang@en:.Supported Linux OS as Client in opsi 4.2 and 4.1} {lang@de:.Unterstützte Linux-OS als Client in opsi 4.2 und 4.1}

Distribution

OS-Installation

netboot products

client-agent

opsiclientd

Debian 11 Bullseye

supported

debian, debian11

supported

supported

Debian 10 Buster

supported

debian, debian10

supported

supported

Debian 9 Stretch

supported

debian, debian9

supported

supported

Debian 8 Jessie

discontinued

debian, debian8

discontinued

discontinued

Ubuntu Bionic 20.04 LTS

supported

ubuntu, ubuntu20-04

supported

supported

Ubuntu Bionic 18.04 LTS

supported

ubuntu, ubuntu18-04

supported

supported

Ubuntu Xenial 16.04 LTS

supported

ubuntu, ubuntu16-04

supported

supported

Ubuntu Trusty 14.04 LTS

discontinued

ubuntu, ubunt14-04

discontinued

discontinued

RHEL 8

supported

rhel8

supported

supported

RHEL 7

supported

rhel70

supported

supported

RHEL 6

discontinued

CentOS 8

supported

centos8

supported

supported

CentOS 7

supported

centos70

supported

supported

CentOS 6

discontinued

SLES 15 SP1

supported

supported

supported

SLES 15 SP2

supported

supported

supported

SLES 12 SP4

supported

sles12sp4

supported

supported

SLES 12 SP3

supported

sles12sp3

supported

supported

SLES 12 SP2

supported

sles12sp2

supported

develop

SLES 12 SP1

supported

sles12sp1

supported

supported

SLES 12

supported

sles12

supported

supported

openSuse Leap 15.2

supported

opensusel15-2

supported

supported

openSuse Leap 15.1

supported

opensusel15-1

supported

supported

openSuse Leap 15.0

supported

opensusel15

supported

supported

openSuse Leap 42.3

discontinued

opensusel42-2

discontinued

discontinued

openSuse Leap 42.2

discontinued

opensusel42-2

discontinued

discontinued

openSuse Leap 42.1

discontinued

opensusel42-1

discontinued

discontinued

UCS 4.4

supported

ucs44

supported

supported

UCS 4.3

discontinued

ucs43

supported

supported

supported: Supported unsupported: Unsupported develop: Under Development discontinued: Discontinued

{lang@en:.Linux netboot products and the used installer type in opsi 4.2 and 4.1} {lang@de:.Linux Netboot-Produkte nach Installer-Typ in opsi 4.2 und 4.1}

Netbootproduct

Installer

State

Remark

debian

opsi

supported

squeeze - buster

debian10

distribution

supported

debian9

distribution

supported

debian8

distribution

supported

debian8

distribution

discontinued

debian7

distribution

discontinued

ubuntu

opsi

supported

trusty - focal

ubuntu20-04

distribution

supported

ubuntu18-04

distribution

supported

ubuntu16-04

distribution

supported

ubuntu14-04

distribution

discontinued

centos8

distribution

supported

centos70

distribution

supported

redhat8

distribution

supported

redhat70

distribution

supported

sles15

distribution

develop

sles12sp4

distribution

supported

sles12sp3

distribution

supported

sles12sp2

distribution

supported

sles12sp1

distribution

supported

sles12

distribution

supported

opensusel15-2

distribution

supported

opensusel15-1

distribution

supported

opensusel15

distribution

supported

opensusel42-3

distribution

discontinued

opensusel42-2

distribution