opsi 4.3 released

After the testing release on 2023/10/09, we are officially releasing opsi 4.3 as a stable version today. If a pre-release version of opsi 4.3 is already installed on your opsi server, please switch to the stable repositories now.

MySQL and UEFI support for all, new look and stable communication thanks to message bus.

The new opsi release is here: For more than two years we have been working on modernizing opsi, making it more secure and reliable than ever. Now the time has finally come: We are very proud of the result, which we would like to officially present today.

MySQL backend

We have removed the old file backend and are completely freeing the previously paid MySQL backend with this release. At the same time, we have fundamentally reworked the MySQL backend: It now offers more security and also gets a performance boost of up to 50%.

And what happens when upgrading to opsi 4.3? Don’t worry, because old file backends will be converted fully automatic!

UEFI support

The previously paid UEFI support is now also freely available.. This means that the benefits of UEFI technology are now available in all opsi environments free of license costs. opsi does, however, continue to support the management of clients with legacy BIOS.

New design

With the new release all opsi components shine in a new modern design, with fresh colors and a new logo.

opsi-WebGUI

We officially release the opsi-WebGUI as a stable version with opsi 4.3. Now most opsi features can be easily managed in the browser. Thereby the opsi-WebGUI offers full support for mobile devices. This means that you can manage most opsi features comfortably from your smartphone or tablet in the browser. No matter where you are, you have control of your opsi environment right in the palm of your hand.

opsi-configed

We’ve also given the opsi-configed management interface a major overhaul. With support for a light and a dark mode, you can customize the user interface to suit your preferences.

The performance improvements in the new opsi-configed version are really impressive with up to 100%. Faster loading times and more responsive user interface means you can get your tasks done in no time.

opsi message bus

The newly introduced opsi message bus ensures reliable communication between servers and clients. Clients are now always reachable across proxies, NAT and network boundaries.

The message bus is so performant that even fluent remote terminal sessions are possible via the new technology. These sessions are started via opsi-WebGUI, opsi-configed, the admin interface or the command line tool ‘opsi-cli’ in the terminal.

Via the message bus state changes in opsi-WebGUI and opsi-configed are detected immediately. For example, the graphical user interfaces update the installation progress without delays. You can now see at a glance which clients are online and which are offline.

Also the communication of the opsi config server with the opsi depot servers is now done via the message bus.

Two-Factor Authentication (2FA)

The login of opsi administrators can now be secured by a two-factor authentication based on Time-based One-Time Passwords (TOTP). This means that in addition to the traditional password a time-based one-time password is required to access the opsi system.

Backup

The new backup procedure secures configuration files, MySQL and Redis data - if desired also AES encrypted. This way your backup copies are even better protected.

When it comes to restoring, we offer even more flexibility. Not only can you restore your data, but you can also rename the server during the restore. This is especially handy if you want to reorganize your infrastructure or transfer data from a production environment to a test environment.

Backup and restore are available via the admin interface, the opsi WebGUI, the JSON API and as command line call (opsiconfd backup and opsiconfd restore).

Health-Check

The new Health-Check allows you to check the state of your opsi infrastructure for potential problems at any time.

Of particular note is the upgrade check, which helps you identify potential problems before you perform a version upgrade. This check allows you to ensure that your upgrade goes smoothly.

You can run the health check through both graphical interfaces (opsi-configed and opsi-WebGUI), the JSON API, and on the command line with the opsiconfd health-check command.

We have also backported parts of the health check to opsi 4.2, so you can already benefit from the advantages of the upgrade check.

Boot image

Both systems with UEFI and systems with legacy BIOS now use the Grub boot loader. opsi can now identify clients not only by MAC addresses, but also supports identifying clients by SMBIOS UUID. We have also revised the directory structure in the TFTP section.

Docker

Our official Docker image is now available as a stable version. You can use it to set up a config server or a depot server.

New server distributions

With this release opsi 4.3 also supports new Linux distributions for the opsi server. Among the major new features are installation packages for Oracle Linux 8 and 9. Furthermore you can install opsi 4.3 now also under Debian GNU/Linux 12, openSUSE 15-5 and SLES15-5.

Other new features

• Direct database access only via opsiconfd; all other components use the API.
• Upgrade and cleanup of the database are fully automatic.
• opsiconfd now offers a maintenance mode.
• IPv6 support now works for all components.
• Product dependencies now definable for each action.
• /etc/opsi/opsi.conf now in TOML format. Fully automatic creation and migration of opsi.conf. Once the file exists, opsi no longer uses the FQDN of the machine.
• The previous extender methods are now hardcoded in opsiconfd; /etc/opsi/backendManager/extend.d is therefore now shipped empty and moved during upgrade. However, the extender mechanism can still be used.
• Server certificate checking is enabled by default for all components, but there is no automatic activation on upgrade.
• Transfer slots: Per depot configurable maximum number of clients that can fill the packet cache in parallel in WAN/VPN mode.
• opsiconfd now acts as a reverse proxy for Grafana by default.
• New metrics: Worker connections, Messagebus messages sent, Messagebus mssages received.
• repository meta files (packages.json) to be used by `opsi-package-updater
• opsi packages are created in tar.zstd format by default.
• Clients inherit the settings of the associated repository.
• The default directory for temporary files is now /var/lib/opsi/tmp.
• opsi-configed can copy clients.
• Ability to execute only part of several set product actions on_demand.
• algorithm for dynamic selection of depots now selectable via depot- or client-specific configuration.
• hostControl_ methods are preferentially executed via opsi message bus (configuration via useMessagebus in /etc/opsi/backends/hostcontrol.conf).
• Change to Python 3.11

Breaking Changes

• Fixed directories for workbench, depot and repository below /var/lib/opsi. Depot configurations depotLocalUrl, repositoryLocalUrl, workbenchLocalUrl without function. If the directories are located elsewhere, they must be moved manually or symlinks must be created.
• The boot loaders in the opsi-Linux boot image are now located under <TFTP-ROOT>/opsi/opsi-linux-bootimage/loader. The bootloader names are now opsi-netboot.bios (legacy BIOS) and shimx64.efi.signed (UEFI BIOS & SecureBoot). When using Netboot/PXE, the DHCP server configuration may have to be adjusted manually (option 67/ BootFile Name).
• There is only one (new) sort algorithm for product actions, no distinction between algorithm1/algorithm2. The new algorithm produces largely the same results as the old algorithm1.
• The RPC method backend_setOptions is now functionless; configState_getValues and productPropertyState_getValues serve as replacements for addConfigStateDefaults=true and addProductPropertyStateDefaults=true.
• Many JSON API methods are marked as deprecated and will be removed in the next major release. Whether such deprecated methods are used can be checked with the health check.
• opsi-setup has been replaced by opsiconfd setup.
• opsi-backup has been replaced by opsiconfd backup/opsiconfd restore.

Upgrade from opsi 4.2 to 4.3

A detailed upgrade guide can be found here . As part of our support-contracts we are happy to assist you with the upgrade.

Please note, that the new opsi packages are now located at https://opsipackages.43.opsi.org/ and the opsi tools at at https://tools.43.opsi.org/.

• We support the same distributions on the server side as for opsi 4.2.
• Install current opsi 4.2 packages on opsi configserver or opsi depotserver.
• Update opsi-client-agent, opsi-mac-client-agent, opsi-linux-client-agent and opsi-script to the latest opsi 4.2 version and roll it out to the clients.
• Run opsiconfd health-check --upgrade-check and fix any problems displayed.
• Backup the opsi config server (best is to backup the complete server, at least opsi-backup create)
• First upgrade the opsi config server, afterwards the depots.
  • If you use Docker, update to the opsi-4.3 image
  • For manual installs/VM, enter the opsi 4.3 repository and update packages
  • For UCS, switch to the opsi-4.3 app
• Optional: set the opsiclientd.config_service.permanent_connection = true configuration to enable client and server communication via the opsi message bus.
• Optional: set the opsiclientd.global.verify_server_cert = true configuration to enable server certificate verification of clients.

Upgrade now

Get started for free

Discontinuation opsi 4.2

opsi 4.2 will be provided with security related updates until June 30, 2024. As part of our Support contracts we support our customers in being able to operate opsi 4.2 environments securely beyond this time.