we are pleased to announce the official release of the latest version of opsi today.
With this feature release, we continue the modernizations in the Netboot area that began in August.
The focus is on improved usability, higher stability, increased security, and a clear foundation for future extensions.
There is also a new blog entry on modernizing Netboot.
Netboot Modernization
The configuration of Netboot components now takes place primarily via host parameters (Configs / ConfigStates).
In opsi-configed, these are now grouped together in their own subsection `netboot`.
Host parameters set for a depot are treated as defaults for all clients connected to that depot.
For individual clients, these parameters can be set differently.
However, it should be noted that these deviating values currently only take effect if a Netboot product action is assigned to a client.
Only in that case is a special configuration file generated for the client.
The following parameters control PXE boot behavior:
netboot.usehostonetime_password
During network boot, the client authenticates with the opsi service.
By default, the opsi host key is used.
If this parameter is set to `true`, a one-time password is used instead, which increases security.
netboot.host_identifiers
Defines how clients are identified during network boot. Possible values are:
- `mac_address` (MAC address of the network card)
- `system_uuid` (system UUID of the client)
Depending on the selection, a configuration file is created in the boot directory, based on either the system UUID or the MAC address.
netboot.grub.additionalmenuentries
Allows adding additional menu entries to GRUB2.
netboot.grub.graphicsmode
Enables or disables GRUB2 graphics mode.
netboot.grub.password
Sets a password for accessing the GRUB2 menu.
This prevents regular users from using or editing menu entries.
The username is always `admin`.
The password can be provided in plain text or as a hash (`grub.pbkdf2.sha512.10000.<salt>.<hash-value>`).
Hashes can, for example, be generated using `grub-mkpasswd-pbkdf2`.
netboot.grub.timeout
Specifies how many seconds the GRUB2 menu is displayed before the default entry starts automatically (if no Netboot product action is set).
netboot.linux-bootimage.cmdline.*
All parameters beginning with `netboot.linux-bootimage.cmdline.` configure the opsi-linux-bootimage.
Each parameter is passed as a Linux kernel parameter during boot.
These new host parameters replace the previous host parameter `opsi-linux-bootimage.append`.
Client-specific values are automatically migrated to the new parameters, and `opsi-linux-bootimage.append` is no longer effective.
There are two types of host parameters:
Boolean host parameters
Act as flags.
They are added to the kernel command line if set to `true`.
If set to `false`, they are not passed.
String host parameters
Are passed to the kernel command line as `<parameter>=<value>`.
Multiple values are separated by commas.
If no value is set, the parameter is not passed.
Additional kernel parameters can be added at any time by defining host parameters with the prefix `netboot.opsi-linux-bootimage.cmdline.`.
The new opsi-linux-bootimage
With this release, we continue renewing the opsi-linux-bootimage.
For the first time, the opsi-linux-bootimage now supports the ARM64 architecture, paving the way for future operating system installations on ARM64 hardware.
In standard mode, the new opsi-linux-bootimage now boots faster than ever before, featuring a newly designed splash screen.
The splash screen can be enabled or disabled using the host parameter `netboot.linux-bootimage.cmdline.splash`.
Support for multiple languages and keyboard layouts (`netboot.linux-bootimage.cmdline.lang`) has been significantly improved, and time zones (`netboot.linux-bootimage.cmdline.tz`) can now also be configured.
To improve security, the built-in SSH server is no longer started by default.
It can be re-enabled via the parameter `netboot.opsi-linux-bootimage.cmdline.ssh`.
The root password for the opsi-linux-bootimage is configured using the parameter `netboot.opsi-linux-bootimage.cmdline.pwh`.
By default, a random value is set.
Netboot products with special PXE boot configurations
By default, Netboot products run via the opsi-linux-bootimage.
However, it is also possible to integrate custom boot images by creating an individual PXE boot configuration.
For this, the `pxeConfigTemplate` attribute in the Netboot product metadata can be used.
This attribute can now contain a GRUB2 configuration template, which is automatically integrated into the GRUB2 configuration when the Netboot product starts.
The templates are based on Jinja2 and can access various information such as client metadata, product metadata, product properties, and ConfigStates.
This makes integration of third-party products like MemTest86 or Desinfec’t significantly easier and more flexible.
New directory structure
The directory structure of the boot directory has been completely redesigned.
Base directories and bootloaders are now shipped with opsipxeconfd.
Thanks to a unified naming scheme, it is always clear which file is intended for which architecture and BIOS type.
This also makes it easy to support future architectures.
Bootloaders (GRUB2, shim) are now located in `/tftpboot/opsi/loader`.
The primary boot files used for DHCP now follow the schema `opsi-netboot.<arch>.<bios|efi>`:
- `opsi/loader/opsi-netboot.x86.bios` (x86_64, Legacy BIOS)
- `opsi/loader/opsi-netboot.x64.efi` (x86_64, UEFI)
- `opsi/loader/opsi-netboot.arm64.efi` (aarch64, UEFI)
GRUB2 configurations are located in `/tftpboot/opsi/cfg`.
All configuration files are automatically generated by opsipxeconfd.
The general GRUB2 configuration can be found in `grub.cfg`.
Client-specific configuration files are based on either the MAC address (`<MAC address>.cfg`) or the system UUID (`<System-UUID>.cfg`) of the client.
The opsi-linux-bootimage is now located in `/tftpboot/opsi/opsi-linux-bootimage`.
It now only includes the Linux kernel (`kernel.<arch>`, previously `install-x64`), the initramfs (`initramfs.<arch>`, previously `miniroot-x64`), and the GRUB2 configuration template (`grub.cfg`).
Files from other opsi Netboot products, such as memtest86, can be placed in `/tftpboot/opsi/<product-id>`.
Updated documentation
The official opsi documentation has been updated and extensively revised to reflect these changes.
A guide for debugging network boot issues has also been added.
Netboot product memtest86
The revised memtest86 Netboot product makes use of the new GRUB configuration integration features.
This allows MemTest86+ to be controlled via product properties.
Thus, memtest86 also serves as a good example for the use of the new GRUB config templates.
Netboot product enter-uefi-firmware-setup
A new product enter-uefi-firmware-setup is available to launch the UEFI firmware setup once.
opsi-cli
The opsi-cli command `opsi-cli bootimage` has been adapted to the new configs for configuring the opsi-linux-bootimage.
opsiconfd
In addition to minor fixes, changes in opsiconfd also affect Netboot.
The new netboot parameters are created automatically, while existing `opsi-linux-bootimage.append` parameters are migrated.
The product attribute `pxeConfigTemplate` has been enlarged to provide space for GRUB config templates.
opsi-configed
This update brings numerous improvements and bug fixes.
Issues with assigning clients and licenses have been resolved.
Table handling has been optimized with new context menus and tooltips, and search fields now automatically focus.
Product selection is now possible even for clients with faulty entries.
Connections using client credentials or to non-config servers are blocked.
Additionally, Netboot parameters are now grouped in their own category.
opsi-server
The current version of opsi-server as well as the packages opsi-server-full and opsi-server-expert contain a new, extended-validity GPG key for our repository.
This update should be applied promptly.
Discontinuation of SLES 15 SP1/SP2/SP3
As of now, SLES 15 SP1 and SP2 are no longer supported as server or client systems.
Support for SLES 15 SP3 will also end in January 2026.
Packages for opsi 4.3 stable:
== OPSI_PACKAGE ==
- enter-uefi-firmware-setup 1.0-2 Changelog
- memtest86 7.20-4 Changelog
- opsi-cli 4.3.29.0-1 Changelog
- opsi-client-agent 4.3.14.1-1 Changelog
- opsi-configed 4.3.15.2-1 Changelog
- opsi-linux-client-agent 4.3.14.1-1 Changelog
- opsi-local-image-backup 4.3.0.2-1 Changelog
- opsi-local-image-restore 4.3.0.2-1 Changelog
- opsi-mac-client-agent 4.3.14.1-1 Changelog
- opsi-script 4.12.18.7-7 Changelog
- ubuntu 4.3.0.4-1 Changelog
- ubuntu22-04 4.3.0.2-8 Changelog
- ubuntu24-04 4.3.0.2-8 Changelog
- windows10-upgrade 22h2-7 Changelog
- windows11-enablement 25h2-1 Changelog
- windows11-upgrade 25h2-1 Changelog