opsi-client-agent: problems during update if using on_shutdown-installation

n.wenselowski
Ex-uib-Team
Posts: 3194
Registered: 04 Apr 2013, 12:15

opsi-client-agent: problems during update if using on_shutdown-installation

Post by n.wenselowski »

We have been made aware of a problem with the on-shutdown-installation behaviour of the opsi-client-agent that leads to the client losing its local configuration of client ID and hostkey.

The Problem
If a client is configured to install via on_shutdown and then attempts to install the opsi-client-agent during shutdown, it fails to patch the opsiclientd configuration file. This happens because the component responsible for triggering an installation on shutdown (opsiclientd_shutdown_starter.exe) has this file locked. In the end this leads to an unpatched configuration file. Therefore the server does not accept any connections that authenticate via the clientID and hostkey, nor any communication attempt to contact the server, due to invalid client credentials.

Other products are not affected by this.

The Solutions
We provide fixed applications alongside help on how to fix the problem.

New Version Of opsi-client-agent

A new version of the opsi-client-agent is available immediately in the testing repository. The version of this opsi-client-agent is 4.0.5.7.
We recommend rolling this out to all clients running an older version to avoid possible future problems.

Due to the nature of this bug it is not recommended to install this version with on_shutdown!

Please be aware that installing a new version of opsi-client-agent on a client will request a restart of the machine!

Opsi Product opsiclientd-online-fix

We offer a product called opsiclientd-online-fix that will do nothing but replace the old opsiclientd_shutdown_starter.exe with the new one.
This will not require a restart of the client.

These are the download links for this product and the corresponding checksum and zsync files:

The md5sums of the files are:
  • 7c972b2c871d36aafe2cfe3b99dca17b opsiclientd-online-fix_1.0-1.opsi
  • 257a3cb193c087987e67ec3af2415aad opsiclientd-online-fix_1.0-1.opsi.md5
  • 49d9c198a3c4bd5827c0d008c0fde432 opsiclientd-online-fix_1.0-1.opsi.zsync

Finding Disconnected Clients
Clients that are already disconnected are not easy to spot. One indicator is that clients that are running may not be reached from the server.
Because there may be network setups blocking or the clients are simply not powered, this is no certain way of checking if a client has been disconnected due to this bug.

Currently the only definitive way of telling if a client is to check for the existence of values for host_id, opsi_host_key and the correct config-service-url in the file: C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf

You can find a script at http://download.uib.de/opsi4.0/find_cli ... problem.py that checks for clients that are running a version of opsi-client-agent that is possibly vulnerable and where the product property 'on_shutdown' has been set.
It also will sort out any clients that have the shutdown fix installed.
Please be aware that this also lists clients that are currently not reachable.

This script is meant to be run on an opsi server.
It aims at making the search easier but is not a final solution.

Rescuing clients that have been disconnected
Clients that have been disconnected can not communicate with the opsi-server anymore.

Rescuing a client is possible by re-inserting the clientID and the hostKey in C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf. Also make sure that the url of the config_server is correct.

There are many ways to do this depending on your local environment.
See below for two examples on how to rescue clients.
Customers interested in an individual solution should contact us.

opsi-deploy-client-agent
If you have used opsi-deploy-client-agent you can use this script to re-deploy the opsi-client-agent to your clients.
Please refer to the getting started document on how to do this: http://download.uib.de/opsi_stable/doc/ ... ntegration

Manually Editing The Configuration On The Client
A manual rescue attempt is always possible.

To read the hostkey of a client you can use opsi-admin.
The following command will display the hostkey of the client with the ID "yourClient.domain.local":

Code:

opsi-admin -dS method getOpsiHostKey yourClient.domain.local

For manually replacing the values please stop the service "opsiclientd" on the client first.
Then insert the key as value for opsi_host_key and the client ID as value for host_id into the file C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf. In the same file please check that under the section config_service the attribute for url is correct.
You now can start the service "opsiclientd" again.


Re: opsi-client-agent: problems during update if using on_shutdown-installation

Post by n.wenselowski »

Updated post :)


Re: opsi-client-agent: problems during update if using on_shutdown-installation

Post by n.wenselowski »

Updated post: also check config_service's url.

wolfbardo
uib-Team
Posts: 1354
Registered: 01 Jul 2008, 12:10

Re: opsi-client-agent: problems during update if using on_shutdown-installation

Post by wolfbardo »

Version 22.9.2015

We have been made aware of a problem with the on-shutdown-installation behaviour of the opsi-client-agent that leads to the client losing its local configuration of client ID and hostkey.

The Problem
If a client is configured to install via on_shutdown and then attempts to install the opsi-client-agent during shutdown, it fails to patch the opsiclientd configuration file. This happens because the component responsible for triggering an installation on shutdown (opsiclientd_shutdown_starter.exe) has this file locked. In the end this leads to an unpatched configuration file. Therefore the server does not accept any connections that authenticate via the clientID and hostkey, nor any communication attempt to contact the server, due to invalid client credentials.

Other products are not affected by this.

The Solutions
We provide fixed applications alongside help on how to fix the problem.

New Version Of opsi-client-agent

A new version of the opsi-client-agent is available in the stable repository. The version of this opsi-client-agent is 4.0.5.8-3.
We recommend rolling this out to all clients running an older version to avoid possible future problems.

The opsi-client-agent version 4.0.5.8-3 can be installed "on_shutdown"!

Please be aware that installing a new version of opsi-client-agent on a client will request a restart of the machine!

Opsi Product opsiclientd-online-fix

We offer a product called opsiclientd-online-fix that will do nothing but replace the old opsiclientd_shutdown_starter.exe with the new one.
This will not require a restart of the client.

These are the download links for this product and the corresponding checksum and zsync files:

The md5sums of the files are:
  • 7c972b2c871d36aafe2cfe3b99dca17b opsiclientd-online-fix_1.0-1.opsi
  • 257a3cb193c087987e67ec3af2415aad opsiclientd-online-fix_1.0-1.opsi.md5
  • 49d9c198a3c4bd5827c0d008c0fde432 opsiclientd-online-fix_1.0-1.opsi.zsync

Finding Disconnected Clients
Clients that are already disconnected are not easy to spot. One indicator is that clients that are running may not be reached from the server.
Because there may be network setups blocking or the clients are simply not powered, this is no certain way of checking if a client has been disconnected due to this bug.

Currently the only definitive way of telling if a client is to check for the existence of values for host_id, opsi_host_key and the correct config-service-url in the file: C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf

You can find a script at http://download.uib.de/opsi4.0/find_cli ... problem.py that checks for clients that are running a version of opsi-client-agent that is possibly vulnerable and where the product property 'on_shutdown' has been set.
It also will sort out any clients that have the shutdown fix installed.
Please be aware that this also lists clients that are currently not reachable.

This script is meant to be run on an opsi server.
It aims at making the search easier but is not a final solution.

Rescuing clients that have been disconnected
Clients that have been disconnected can not communicate with the opsi-server anymore.

Rescuing a client is possible by re-inserting the clientID and the hostKey in C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf. Also make sure that the url of the config_server is correct.

There are many ways to do this depending on your local environment.
See below for two examples on how to rescue clients.
Customers interested in an individual solution should contact us.

opsi-deploy-client-agent
If you have used opsi-deploy-client-agent you can use this script to re-deploy the opsi-client-agent to your clients.

Generate a list with possibly affected Clients:

Code:

python find_clients_affected_by_on_shutdown_problem.py > clientliste.txt

Check with some Clients of this list for example with

Code:

/var/lib/opsi/depot/opsi-client-agent# ./opsi-deploy-client-agent -x --username="windowsdomain\adminpass" -p "<password>" --keep-client-on-failure <opsi-client-name>

before working with the complete list:

Code:

cd /var/lib/opsi/depot/opsi-client-agent
./opsi-deploy-client-agent -x --username=<windowsdomain\adminuser> -p "password" --keep-client-on-failure --hosts-from-file /pathtoyour/clientlist.txt

Please refer for further information to the getting started document: http://download.uib.de/opsi_stable/doc/ ... ntegration



Manually Editing The Configuration On The Client
A manual rescue attempt is always possible.

To read the hostkey of a client you can use opsi-admin.
The following command will display the hostkey of the client with the ID "yourClient.domain.local":

Code:

opsi-admin -dS method getOpsiHostKey yourClient.domain.local

For manually replacing the values please stop the service "opsiclientd" on the client first.
Then insert the key as value for opsi_host_key and the client ID as value for host_id into the file C:\Program Files (x86)\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf. In the same file please check that under the section config_service the attribute for url is correct.
You now can start the service "opsiclientd" again.

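The check described in the posts above (values for host_id and opsi_host_key plus the config_service url in opsiclientd.conf), as an added example that is not part of the original posts and is not opsi's own code. The function name is hypothetical; the `[global]` section name in the samples, the 32-hex-character host key format and all sample values are assumptions.

```python
import configparser
import re

# Assumption: an opsi host key is a 32-character hexadecimal string.
HOSTKEY_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed samples; section names and all values are made up for illustration.
UNPATCHED = """[global]
host_id =
opsi_host_key =
[config_service]
url =
"""
PATCHED = """[global]
host_id = yourClient.domain.local
opsi_host_key = 0123456789abcdef0123456789abcdef
[config_service]
url = https://opsiserver.domain.local:4447/rpc
"""


def check_opsiclientd_conf(text, expected_url=None):
    """Return a list of problems found in the contents of opsiclientd.conf.

    The host key is a credential, so it is validated but never echoed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["file is not parseable as INI"]

    def find(option):
        # The posts name only the keys, so search every section for them.
        for section in parser.sections():
            if parser.has_option(section, option):
                return parser.get(section, option).strip()
        return ""

    problems = []
    if "." not in find("host_id"):
        problems.append("host_id is missing or not a fully qualified client ID")
    if not HOSTKEY_RE.match(find("opsi_host_key")):
        problems.append("opsi_host_key is missing or malformed")
    url = parser.get("config_service", "url", fallback="").strip()
    if not url:
        problems.append("config_service url is missing")
    elif expected_url and url.rstrip("/") != expected_url.rstrip("/"):
        problems.append("config_service url does not point at the expected server")
    return problems
```

On a client, pass the contents of opsiclientd.conf read from the path given in the posts; an empty result means all three values are present.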