Pablo Iranzo Gómez's blog

jul 29, 2006

OCS Deployment Tips and tricks

Prior to using the following info for creating own-made packages, let's test if everything is working fine.

I've created a NSIS script that writes into registry in a key called HKLMSOFTWAREOCS and puts a key named "cert" with value "creilla".

If we create a package with action "LAUNCH", and attach the regcert.zip with command to execute "regcert.exe", all clients with functional package deployment, will add that key to registry, so we can check, using OCS registry query function for a key named "cert" into: HKLM SOFTWAREOCS.

After some time, affected and with working software deployment (Read OCS Inventory Package deployment to learn how to setup it properly), we could know in which ones it's working and in which ones it doesn't work, just doing a search for computers with a special value in that registry key. (I've also uploaded the precompiled version I use for your testing purpouses).

Software

  ------------------------------------------------------------------- ----------------------------------------------------------------- -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  **Software**                                                        Command switches                                                  **Result**
  [OCS Inventory](http://ocsinventory.sf.net/)                        /S /SERVER:serverip                                               Installs new OCS version on top of older one, this is only recommended if package deployment was setup successfully, if not, use NSIS script referred at OCS Inventory Package Deployment
  [VNC](http://www.realvnc.com/)                                      /SP- /VERYSILENT                                                  Installs VNC without any user intervention
  [PowerOff](http://users.pandora.be/jbosman/poweroff/poweroff.htm)   Just copy to desired folder                                       Allows to shutdown, reboot hibernate, etc remotely or from command line
  [EICAR](http://www.eicar.org/)                                      Copy and run from any folder                                      This file is detected by antivirus as a virus, but it isn't harmful (read [http://www.eicar.org](http://www.eicar.org/)), if execution fails... target computer has a working antivirus engine running
  [Firefox](http://www.mozilla.com/)                                  -ms -ira                                                          Installs Mozilla Firefox silently (with 1.5 it show uncompressing dialog, but with 2b2 it's totally invisible)
  [Java](http://www.java.com/)                                        /S /v/qn" WEBSTARTICON=0 REBOOT=Suppress MOZILLA=1 IEXPLORER=1"   Installs Java Runtime Environment (tested on 1.5.0.0.6) silently, totally invisible
  [Acrobat Reader](http://www.adobe.com/)                             msiexec.exe /i acrobat.msi /qb-!                                  Silent install, must first uncompress installation and copy extracted files to a folder, zip them, and upload to OCS (you can extract Acrobat components doing: AdbeRdr80.exe -nos_s -nos_ne -nos_oC:temp)
  [Flash Player](http://www.adobe.com/)                               msiexec /i fp9.msi /qn                                            Silent install using windows installer interface (it's ok for other programs distributed in msi files
  ------------------------------------------------------------------- ----------------------------------------------------------------- -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Registry

  Hive   Path                                                                             Value          Utility
  ------ -------------------------------------------------------------------------------- -------------- ---------------------------------------------------------------------------
  HKLM   SOFTWAREMicrosoftWindowsCurrentVersionRun                                *             Know which programs are executed at startup
  HKCU   SOFTWAREMicrosoftWindowsCurrentVersionRun                                *             Know which programs are executed at user login
  HKLM   SOFTWARENetwork AssociatesTVDShared ComponentsVirusScan Engine4.0.xx   szVirDefDate   Know Mcafee Virus Definitions date
  HKLM   SoftwareSymantecSharedDefs                                                   *             Shows different norton products definitions
  HKLM   SoftwareMicrosoftWindowsCurrentVersion                                     ProductKey     Windows 9x Install key
  HKLM   SoftwareMicrosoftWindowsCurrentVersionRunServices                        *             Services in the machine
  HKLM   SoftwareMicrosoftWindowsCurrentVersionRunServices                        *             Windows 9x Services
  HKLM   SoftwareOCS                                                                    cert           Allows us to check if package deployment is working using regcert example

Packages

  Action   File   Command line                                                 Description
  -------- ------ ------------------------------------------------------------ -----------------------------------------------------------------------------------------------
  RUN             "%PROGRAMFILES%RealVNCVNC4winvnc4.exe" -connect HOST   Launches a new VNC client to HOST, allowing to watch Desktop as HOST initiated the connection
  RUN             netsh firewall add portopening TCP 5900 VNC                  Opens 5900 port on TCP in Windows Firewall (XP SP2) (for using with VNC)

Please, feel free to contribute with your Registry Keys or command line commands to improve this guide.

Using win-get (an apt-get clone for Win32), you can use this big list of supported applications for installation doing win-get sinstall APPNAME

posted at 20:13  ·   ·  ocs  linux
Click to read and post comments

jul 27, 2006

OCS Inventory Package deployment

Introduction

OCS Inventory is an excelent piece of GPL Software for getting info from hardware components, and software installed on computers running Windows or UNIX-like operating systems (there are also some unofficial clients for running on other platforms).

Since New Generation (OCS-NG), a new architecture was implemented: server were contacted using standard TCP/IP connection (Previous versions, used an MDB file to store information, and required a SMB share to inventory computers ), allowing remote computers to connect as well as providing a new web interface for computer administration, and inventory query.

Within new features, a new small client (about 64kb), was able to contact inventory server, and download from it the full set of required files (OcsAgent.exe) which was expanded to %SYSTEMDRIVE%ocs-ng, then executed, an inventory sent to server.

This approach had a little problem, if you had a small outgoing connection, serving a 700 Kb file was painful... but at least, despite some minor revision changes, machines were able to upgrade automatically (In many other times, you had to manually redeploy or force with the /DEPLOY:#VERNUMBER# the new deployment) when new version was deployed on the server.

With RC3, agent for installation uses near double that size, about 1.5 Mb, but the ability for after first installed, use external servers with a bigger upload bandwidth, eases installation of new versions in computers.

Release Candidate 3, and 1.0

OCS-NG RC3 came with important architectural changes, including several major and minor improvements, being these the more important ones:

  • Now the windows client works as a service (for the first time it includes a windows agent)
  • RC3 includes a component for software/files deployment/distribution

The new tool is called package deployment. This feature it is managed using the also improved admin web interface.

OCS-NG could be setup on different machines hosting each service:

  • An Inventory-receiving machine
  • An Admin web interface
  • A site with information about packages
  • A site with package fragments for deployment

or, as I did in my setup, use a Debian Linux machine for doing the four tasks, but I plan to relay the fourth task to other machines, when packages are bigger than expected.

Setting it up and running

I'll assume that you've running Apache, PHP, and were able to setup OCS using the bundled instructions, so you only have to enable new features for using package deployment.

First of all, we need SSL support in Apache.

Package deployment infrastructure, is too much powerfull, so it requiress SSL access to validate server before trying to download from it, so... we'll need some SSL certificates for use with our server.

I like http://www.cacert.org services: they sign your certificates, and provide one certificate aiming to be used with many FOSS projects, because it's free instead of paid certificates like the ones from Thawte or Verisign.

Getting SSL Certificates

First of all, we need to create a private key and a CSR (Certificate Signing Request) which we will send to CACERT for signing (please, note that if you don't have a domain name, will make it impossible to use OCS Package Deployment if your IP is also dynamic, so if that is your case (as was mine too), open an account at No-IP and create a URL-Redirector to your machine, you'll have to install an update client, but this will allow you to use certificates) it.

Having openssl installed, we will execute (please, double check that questions, specially CN exactly matches ServerName and "hostname", for it to work properly after) the following commands:

#!bash
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr

First one, will create a private key called "server.key", second one, will create a CSR which we will paste at https://www.cacert.org/account.php?id=10 to get our server certificate signed.

For being able to use http://www.cacert.org services, we'll have to create an account and add a domain to it, this is verified sending an email to an account like webmaster, root or so, clicking on the supplied link, will entitle to work in representation of that domain.

After that, Cacert.org will show you a certificate for your server that you'll have to copy to a file called "server.crt".

Let's then download CACERT's root certificate to "cacert.pem"

Configuring apache for using that certificates

Next, we'll have to tell apache, to use this certificate for SSL support, in my case, I configured:

#!apache
/etc/apache2/conf.d/ssl:
SSLProtocol all
SSLOptions +StdEnvVars
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificateFile /etc/apache2/ssl/cacert.pem
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

So, I had to put server.crt, server.key and cacert.pem in /etc/apache2/ssl/

Next one, was to configure a new site that requires SSL to work:

#!apache
/etc/apache2/sites-enabled/001-default:
ServerName yourserver.no-ip.org
NameVirtualHost \*:443
ErrorLog /var/log/apache2/errssl.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/ssl.log combined
ServerSignature On
DocumentRoot /var/www
SSLEngine on
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".\*MSIE.\*" nokeepalive ssl-unclean-shutdown

Afterthat... we have to reload apache configuration and try to connect to https://yourserver.no-ip.org to check if everything is ok.

Well, if this works, we had the first and harder step done ;)

Creating a package

There are three types of packages: RUN, STORE and LAUNCH.

Each of them has different behaviour, one runs a command, the other downloads a file and stores it on a folder, and the other does a combined thing: downloads a file, unzips it, and then runs a command.

For Package creating, we must have write access to Apache's DocumentRoot/download folder, and after creation, copy contents of "/download" to "/", or as I did, gave write access to "/var/www", and create (ln -s . download) a symbolic link for download.

So... let's create a first package:

  1. We must login into OCS Web interface, and select (first menu option on first yellow icon) package creation
  2. We must assign a name for the package, Platform, Protocol and Priority (priority will allow us to decide package execution order in the client, the lower number, the higher priority)
  3. If we're going to upload files, we must ZIP it BEFORE, so OCS will unzip on client machine, and then run commands
  4. We choose an action, and then, a path (we can use system variables like %SYSTEMDRIVE%, %TEMP%, %USERPROFILE%,%PROGRAMFILES%, etc) to store the file, or command to run
  5. We can choose if we want the user to be warned about package execution, and even to allow user to delay execution (useful for service pack deployments, etc)

Next step, will allow us to specify fragments (pieces in wich the package will be splitted for allowing better deployment, making use of redownloading for only failed fragments, etc), as well as checksum for data validity

Your package, will be created then on "/var/www/download/#pkgid#".

Activating a package

Once a package has been defined, we have an "info" file, describing package actions, and package fragments, we can have them together or split it between different servers, and we will have to specify where is located each piece, before using it on our machines. That process is called "Activation".

When we select that option, we have to specify the pkgid, so we use the second menu entry in the package deployment icon, and we'll get a list of packages ready for activation, and then, we select "Activate" from the one we're interested in.

On package activation, we will be asked for two SERVERS (thanks to the development team, specially to Pascal who helped in determining that we require to specify server name, not URL) one with https (for downloading info file) and one with http for downloading fragments (if any).

After sending server names, OCS will check availability of "info" and fragment files (if any (On RUN packages, there is nothing to download prior to running the commands) and then, package will be activated and ready for next step.

Afecting a package

In this step, we can select a computer in the main view, or do a search using specific criteria, and as a result, apply a package on listed computers.

We can affect a package to several computers at once, just to one, and even, have different packages affect to the same computer....

OCS will connect, and execute actions defined in priority order...

How to get client side Package working

Packages from client side, are as easy to setup, as having a working OCS Agent Service installed and a file called cacert.pem, which we got from the SSL Creation step... having them in the OCS Agent folder, and a package affected to a computer, will make computer to download, and do the actions specified. ¿What are the pro's and con's of this method?

When installing OCSAgent, using: OCSAgentSetup.exe /S /SERVER:yourserver.no-ip.org, we have no cacert.pem file copied, so we must copy it by hand, or, as I did, use a scriptable install system whicho does this in one step.

I've used NSIS to create a script for doing this:

First, we'll have to create a folder and put in it:

  • OcsAgentSetup.exe
  • cacert.pem
  • NSIS Script
  • service.ini (in my case, for accelerating first inventory creation)

service.ini like this:

#!ini
[OCS_SERVICE]
TTO_WAIT=10
PROLOG_FREQ=1
OLD_PROLOG_FREQ=1
Miscellaneous= /S /SERVER:yourserver.no-ip.org

And NSIS script with:

#!bat
; Script edited using HM NIS Edit Script Wizard.
; Creator Pablo Iranzo Gómez (Pablo.Iranzo@uv.es)
; Homepage: http://Alufis35.uv.es/~iranzo/
; License: http://creativecommons.org/licenses/by-sa/2.5/
; HM NIS Edit Wizard helper
defines
!define PRODUCT_NAME "OCS"
!define PRODUCT_VERSION "RC3"
!define PRODUCT_PUBLISHER "Pablo Iranzo Gomez (Pablo.Iranzo@uv.es)"
!define PRODUCT_WEB_SITE "http://Alufis35.uv.es/~iranzo/"
SetCompressor zlib
Name "${PRODUCT_NAME} ${PRODUCT_VERSION}"
OutFile "ocs-inst.exe"
InstallDir "$TEMP"
Icon "${NSISDIR}ContribGraphicsIconsmodern-install.ico"
SilentInstall silent
InstallDirRegKey HKLM "${PRODUCT_DIR_REGKEY}" ""  Section "Principal" SEC01
SetOverwrite on
SetOutPath "$TEMP"
File "OcsAgentSetup.exe"
Exec "$TEMPOcsAgentSetup.exe /S /SERVER:yourserver.no-ip.org"
Exec "$PROGRAMFILESOCS Inventory AgentOCSService.exe -stop"
SetOutPath "$PROGRAMFILESOCS Inventory Agent"
File "cacert.pem"
File "service.ini"
Exec "$PROGRAMFILESOCS Inventory AgentOCSService.exe -start"
Exec "$PROGRAMFILESOCS Inventory AgentOCSInventory.exe /SERVER:yourserver.no-ip.org /DEBUG"
SectionEnd
Section -Post
SectionEnd`

This script, when compiled, will create a ocs-inst.exe file, with all files needed packed in it, when executed, will:

  1. silently run
  2. extract OCSAgentSetup
  3. install it using silent install
  4. then, stop service
  5. output cacert.pem certificate in OCS Service folder
  6. replace service.ini for faster inventory, and then,
  7. start service
  8. Force DEBUG and hand-started inventory

This will leave us with a working OCS Agent Setup, with a valid certificate for autenticating against our deployment server, and ready for creating more packages.

I hope this document is good for you to test this excelent software.

Thanks (again) to the OCS Developing team (specially to Pascal Danek) for creating such a nice program, and helping in diagnosing problems found and setup procedures for correctly using it.

Thanks to Pablo Chamorro for reviewing this article too ;)

Have a look at OCS Deployment Tips and tricks to get ideas on how to use package deployment

Click to read and post comments