By Florian Effenberger
Corporate networks with a large number of client workstations often rely on some form of network service for installing operating system upgrades and software updates. Installing updates on a Linux system is very easy because almost every Linux distribution comes with some form of package manager. However, the concept of package management is not as familiar to the Windows world.
Many Windows programs support automatic online updates, but everyday users often do not have sufficient privileges to complete the installation. On top of this, online updates consume a huge amount of bandwidth if, for instance, all of your clients attempt to download the latest Office update at the same time.
Several proprietary solutions offer deployment and software management services for Windows clients. Windows Active Directory has a rudimentary software deployment solution, but only for Microsoft's MSI package system. Microsoft Systems Management Server (SMS, now replaced by System Center Configuration Manager), Materna DX-Union, Novell Zen for Desktops, some HP OpenView components, and IBM Tivoli offer similar features. Community projects such as WPKG [1], Unattended [2], and Unattended GUI [3] have also gotten in the game.
In theory, it is possible to build a homegrown software deployment server without resorting to any third-party tools. Many Internet sites provide ready-to-run installation scripts [4]. Given time and sufficient experience, any administrator can handle the packetizing themselves (see also the "Do-it-Yourself Software Deployment" box). However, most administrators don't have the time to build such a system from scratch. A solution that offers the freedom for custom configuration while providing commercial support and packetizing services for common applications would seem to be ideal.
Opsi ("Open PC Server Integration") [11] is a tool that offers remote OS installation and software deployment for Windows clients from a Linux server. Opsi - which is produced by a company called UIB in Mainz, Germany - can handle the installation of Windows 2000, XP, Vista, and Windows Server 2003/2008 systems, as well as deployment and upgrade of applications that run on these Windows platforms. Additionally, Opsi includes a hardware and software inventorying feature (Figures 1 and 2), Windows Registry support, and a history function. An intuitive license management feature automatically assigns and releases keys. Opsi can handle multiple license pools and can even support downgrade licenses (Figure 3).
Opsi relies on free software components such as Debian GNU/Linux, Samba, TFTP, DHCP, and MySQL. Support for Windows Vista and Server 2008 (and according to the manufacturer for Windows 7, which is due for release in October), license management, VPN support, and a number of other features are available to paying customers only (see the "Commercial Opsi Support" box). The company promises to open up commercial modules as soon as they have recouped their development costs.
Commercial Opsi Support
UIB, Opsi's manufacturer, provides commercial support, workshops, and training, as well as software packetizing subscriptions (a variety of models are available [12]). Options such as support for a complete file server and remote administration in a complete package are available on request.
The homepage invites sponsorship for the development of future features. The projects on the roadmap are Linux installation, multiple role support, scheduled installation via wake-on-LAN, and templates for individual clients.
At the heart of the Opsi environment is the opsi-wInst utility, which the developers call "the central tool for installing and configuring Opsi software packages." The accompanying wInst scripting language lets you create custom installation scripts for unattended upgrades, and Opsi provides its own packaging system for enclosing a script, dependency data, and a Windows-style installer .exe file into a single easy-to-manage package.
Opsi is officially available for Debian, Ubuntu, SUSE, and the Univention Corporate Server, and it is integrated with an installable Debian DVD. The downloadable VMware server and client images are definitely useful for initial testing, giving you the option of trying Opsi without modifying your existing system.
After launching the server and entering the network configuration, users, and access passwords, just update the system via apt-get and decide whether Opsi will run as your DHCP server or whether you will rely on an existing service. After completing the setup, you can access the system with SSH and https.
Opsi is useful both for existing clients and for new systems. To launch a fresh Windows installation, you simply need to copy the contents of the Windows CD to your server. Once the PC has booted from the network with PXE or from a custom CD, Opsi loads a modified Linux environment, analyzes your hardware, and copies the setup files. The installation process runs without user interaction; when done, the Windows login screen appears. Alternatively, Opsi also supports disk image installations.
Once the basic operating system is installed, the software deployment service steps in to add client applications. Opsi gives you several do-it-yourself installation methods: snapshot, silent installation, script-based, or simulated keyboard input. Alternatively, you can use the (non-free) packages available from UIB, or you can exchange goodies in the free community. An Opsi forum [13] and wiki [14] provide ready-to-run installation scripts.
According to the manufacturer, critical updates, such as monthly Microsoft Security Fixes, are available on a commercial basis within three days of their release, unless you packetize them yourself; this saves the cost of running a Windows update server. Other packages and Service Packs are provided to commercial customers in one or two weeks.
Do-It-Yourself Software Deployment
If you prefer to avoid an off-the-shelf solution, you can build your own. Besides the typical Windows XP licenses used in enterprise environments, you will need a custom DHCP, TFTP, and Samba server configuration; the free BINL server [5] with prepared network drivers; and a WINNT.SIF or UNATTEND.TXT file for each PC to control the setup process [6]. The setup starts with a PXE boot from the TFTP server, uses BINL to install the network drivers, then downloads the control file and the image from the Samba share. The image needs to include a full set of drivers for, say, graphics, sound, or controllers [7]. The whole process is fairly complex, but luckily you can find various How-tos on the web [8] [9] [10]. If you have a Windows server, you can use the integrated RIS or WDS service to install the clients and then choose a software deployment approach. Incidentally, Microsoft completely reworked the installation process for Windows Vista; both the protocols and the configuration are totally different from their predecessors, and free deployment solutions are correspondingly rare. To sum things up, a 100% do-it-yourself system is only recommended for administrators with very special requirements.
To manage clients, you can use either the extensive Java web interface, which is capable of grouping and filtering machines along with their hardware information and software status (Figure 4); the command line; or the graphical server console. Opsi tools support management from a client. For individual PCs, you can assign the operating system and individual software packages, thus creating different profiles for different departments.
Clients push detailed information to the server defining the local environment. The web interface also supports polling of information from the clients to discover, for example, which Vista PCs have at least 4GB of RAM and which graphics cards are suitable for video editing. During the installation, Opsi supports package dependencies and client-specific settings, which allows users to prioritize the installation process. Details such as Windows keys can be defined globally.
If an installation fails, Opsi alerts the administrator via the web interface for the package. Additionally, each client generates a detailed log that Opsi stores both centrally on the server and also locally on the client for diagnostics in the case of connection issues.
Optionally, Opsi can pass messages to a Syslog server. When you create a software package, you can also add a custom logfile. In the course of Opsi-controlled Windows installation over the network, logfiles are created on both the server and the client.
In enterprise environments, Opsi supports the use and central configuration of multiplex depot servers for software installation in distributed scenarios. Implementations of this kind seem to be fairly complex, and the manufacturer recommends signing a support agreement before setting up a multiplex depot server.
When Windows boots, the Opsi service calls Winst.exe, which in turn installs the individual packages (Figure 5). An installation-ready Opsi package comprises the executable binaries, some metadata, and an installation script for updating and uninstalling.
Installation control relies on a special, semantically rich scripting language that is documented in a separate installation manual and reference card, along with details of the various installation programs, on the Opsi website [15]. A template supplied with the Opsi distribution is useful for help in getting started, and the wiki [14], with its collection of sample scripts, helps to explain the concept further.
The scripting language supports all known installation variants (i.e., snapshot, silent, script-based, and simulated keyboard input), which means that the underlying language does not change from program to program. The files have a similar structure to INI files; that is, they are divided into sections.
Opsi distinguishes between a primary section, which controls the basic flow of the script and the run-time behavior of Winst, and multiple secondary sections, which are called by the primary section (for an example, see Listing 1). A secondary section contains instructions, which in turn can reside in external functions or are drawn from external sources, such as programs or included scripts.
Listing 1: Installation Script for TightVNC

[Initial]
Message=Installing tightvnc 1.2.9 ......

[Actions]
; Launch AutoIt as a background process to suppress the window
; that appears when tightvnc is running as a service during the install
winbatch_tightvnc_autoit_confirm /LetThemGo
; Start the setup program in silent mode
winbatch_tightvnc_silent_install

[winbatch_tightvnc_autoit_confirm]
%SCRIPTPATH%\autoit %SCRIPTPATH%\confirm.aut

[winbatch_tightvnc_silent_install]
%SCRIPTPATH%\tightvnc-1.2.9-setup.exe /silent
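Because these scripts run installers on every client, the section layout is worth checking before a package is released. The following is an added example, not part of the original article or of Opsi: it parses Listing 1, verifies that every winbatch_ section called from [Actions] is defined, and reports launched commands that do not start with %SCRIPTPATH%. Treating only winbatch_ names as calls, comparing section names case-insensitively, and the %SCRIPTPATH%-only review policy are assumptions of this example.

```python
import re

# Listing 1 from the article, embedded as sample input (comments shortened).
LISTING_1 = r"""[Initial]
Message=Installing tightvnc 1.2.9 ......

[Actions]
; Launch AutoIt as a background process
winbatch_tightvnc_autoit_confirm /LetThemGo
; Start the setup program in silent mode
winbatch_tightvnc_silent_install

[winbatch_tightvnc_autoit_confirm]
%SCRIPTPATH%\autoit %SCRIPTPATH%\confirm.aut

[winbatch_tightvnc_silent_install]
%SCRIPTPATH%\tightvnc-1.2.9-setup.exe /silent
"""

def parse_sections(text):
    """Split an INI-style script into {section_name: [non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and ';' comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()  # assumption: names are case-insensitive
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit(text, trusted_prefix="%SCRIPTPATH%\\"):
    """Check winbatch_ calls against definitions and flag commands outside the package."""
    sections = parse_sections(text)
    # Assumption: only the winbatch_ prefix (the one seen in Listing 1) marks a call.
    called = {l.split()[0].lower() for l in sections.get("actions", [])
              if l.lower().startswith("winbatch")}
    defined = {s for s in sections if s.startswith("winbatch")}
    outside = [(name, cmd) for name in sorted(defined) for cmd in sections[name]
               if not cmd.upper().startswith(trusted_prefix.upper())]
    return {"undefined": sorted(called - defined),
            "unused": sorted(defined - called),
            "outside_package": outside}

if __name__ == "__main__":
    print(audit(LISTING_1))
```
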
Opsi's scripting language includes conditions (if and else), for loops, and string lists to guide the installation, depending on the existence of certain properties. Also, it offers assignable variables, pre-defined functions, and global constants. The constants let you reference system paths, drive letters, operating system versions, environmental variables, and network settings in the script. Opsi automatically discovers the value of global variables at run time.
The code in the secondary section can make various changes to the system, such as copying and deleting files and directories, editing Registry entries, and creating or removing links in the start menu and on the desktop. Also, it is possible to launch external programs via the Windows API, or cmd.exe, and to reboot the target system depending on the file version, operating system, language, free disk space, and other factors.
Administrators can use configurable installation messages and graphics to modify the look of the Opsi service and even modify a system's restart behavior in a script. The Opsi scripting language provides file-patching functions for software configuration and supports INI, hosts, XML, BDE, and Mozilla configuration files, as well as text files.
Custom solutions make sense in some environments; however, you should not underestimate the initial setup effort or the maintenance overhead. Opsi gives you the freedom to decide how much to do yourself and what level of vendor support to rely on. The Opsi alternative also saves you the cost of a Windows server, and you can manage the software on your Windows clients from the stability and security of Linux.
INFO
[1] Windows Packager (WPKG): http://wpkg.org/
[2] Unattended: http://unattended.sourceforge.net
[3] Unattended GUI: http://unattended-gui.sourceforge.net
[4] WPKG wiki: http://wpkg.org/Category:Silent_Installers
[5] BINL server in Python: http://oss.netfarm.it/guides/pxe.php
[6] Entry-level article by Microsoft: http://unattended.msfn.org/unattended.xp/view/web/7/
[7] Prebuilt packages by the Driverpacks project: http://driverpacks.net
[8] Linux RIS Howto: http://www.promodus.net/linuxris
[9] Reference for WINNT.SIF: http://unattended.msfn.org/unattended.xp/view/web/19
[10] Guide to BINL server: http://oss.netfarm.it/guides/ris-linux.pdf
[11] Opsi: http://www.opsi.org/
[12] UIB maintenance and support offerings: http://uib.de/en/opsi%20support/index.html
[13] Opsi community forum: https://forum.opsi.org
[14] Opsi wiki with ready-to-run scripts: http://www.opsi.org/opsi_wiki/WinstScripts
[15] Opsi documentation: http://download.uib.de/doku/
THE AUTHOR
Florian Effenberger has been a free software evangelist for many years. He is the OpenOffice.org project's International Marketing Co-Lead and a member of the OpenOffice.org Germany board. His work mainly focuses on designing enterprise and educational networks based on free software. Florian is a regular contributor to several German- and English-language publications.