opsi manual opsi version 4.0.2 - opsi Download - uib
If you configure an admin networks parameter, all administrative accesses are restricted to these network(s).
Setting the option admin networks in the [global] section of /etc/opsi/opsiconfd.conf restricts administrative access to the opsiconfd to connections coming from the specified network address(es).
You may give multiple addresses separated by commas.
Non-administrative access may still come from other networks.
The default is:
    admin networks = 0.0.0.0/0
which allows administrative access from all networks.
A configuration such as
    admin networks = 127.0.0.1/32, 10.1.1.0/24
restricts administrative access to the server itself and to the network 10.1.1.0/24.
12.9 The user pcpatch
With opsi 4 the user pcpatch is used only by the opsi-client-agent to mount the depot shares (and, at the moment, by the netboot products ntfs-write-image and ntfs-restore-image to read and write the image files via ssh).
The password of the user pcpatch is usually stored and transmitted encrypted. Under special circumstances it might be possible to capture the clear-text password. To reduce the resulting risk, you should do the following:
Deny the user pcpatch access to all shares other than the opsi_depot share. Do this by adding the following entry to every share definition (except opsi_depot) in /etc/samba/smb.conf:
    invalid users = root pcpatch
Alternative:
In /etc/samba/smb.conf, restrict the privileges of the user pcpatch to global read-only by setting in the [global] section:
    read list = pcpatch
In addition, you should change the password of the user pcpatch frequently. You may set the password to a random string which no one knows (besides opsi). You can do this by calling the following command, e.g. from a cron job:
    opsi-admin -d task setPcpatchPassword $(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c16)
If you do not plan to use the netboot products ntfs-write-image or ntfs-restore-image, you may deny a unix logon for the user pcpatch by setting the shell to /bin/false for the user pcpatch in /etc/passwd.
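The invalid users recommendation in section 12.9 can be checked automatically. The following script is an added example, not part of the opsi manual: it lists the shares in an smb.conf that do not yet deny pcpatch. The sample configuration, its share names and its paths are constructed; include files and backslash line continuations are not followed.

```shell
# Added example (not from the opsi manual): list every share in an smb.conf,
# other than [opsi_depot], whose "invalid users" list does not name pcpatch.
# Not handled: "include" files and backslash line continuations.
audit_pcpatch_shares() {
    awk '
    function report() { if (share != "" && !denied) print share }
    /^[ \t]*[;#]/ { next }                      # comment line
    /^[ \t]*\[.*\]/ {                           # section header
        report()
        name = $0
        sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name)
        lname = tolower(name)                   # section names are case-insensitive
        share = (lname == "global" || lname == "opsi_depot") ? "" : name
        denied = 0
        next
    }
    share != "" && index($0, "=") {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/[ \t]/, "", key)                  # Samba ignores whitespace in names
        if (key != "invalidusers") next
        n = split(substr($0, index($0, "=") + 1), users, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (users[i] == "pcpatch") denied = 1
    }
    END { report() }
    ' "$1"
}

# Constructed sample configuration; share names and paths are made up.
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
[opsi_depot]
   path = /srv/depot
[projects]
   path = /srv/projects
   invalid users = root pcpatch
[install]
   path = /srv/install
   ; invalid users = root pcpatch
[Scans]
   path = /srv/scans
   Invalid Users = root
EOF
}

tmp=$(mktemp) && sample_smb_conf > "$tmp"
audit_pcpatch_shares "$tmp"      # prints install and Scans, one per line
rm -f "$tmp"
```

Run it against the real file with audit_pcpatch_shares /etc/samba/smb.conf; empty output means every share except opsi_depot names pcpatch in its invalid users list.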
13 opsi-backup
13.1 Introduction
Your opsi-server should be backed up (like any other important system). This chapter shows what to back up and how, and of course how to restore.
13.2 Preconditions for a backup
You should run the opsi-backup command as root.
You have to install the mysqldump program before you can use opsi-backup with the mysql backend. Usually this program is part of the mysql client packages.