
[RESOLVED] Necessary improvement to the Linux agent

Published: October 7, 2020 - 4:56 PM
by Vincent Lucy
Good morning,

Our NGO has approximately 70% of its systems running Linux. We purchased a professional license, but consequently, a large portion of our systems is not managed by WAPT due to current limitations:
  • The agent package on Ubuntu (for example) is not yet fully developed. Below, we outline what we add after installation that could be integrated into the package/supported by dpkg.
  • The lack of user session management is a drawback: we are trying to join the Linux workstations to the AD Samba domain, but for now there is no added value, whereas we would like to automate the configuration of several software programs under Linux: Firefox, Thunderbird, Gnome, Nautilus, Nextcloud...
Here are the actions we are currently taking to install the WAPT agent:

```bash
apt install apt-transport-https lsb-release gnupg
wget -O - https://wapt.tranquil.it/debian/tiswapt-pub.gpg | apt-key add -
echo "deb https://srvwapt-pro.tranquil.it/entreprise/ubuntu/wapt-1.8/ $(lsb_release -c -s) main" > /etc/apt/sources.list.d/wapt.list

# Repository credentials read by apt (placeholder values)
cat >> /etc/apt/auth.conf.d/tis.conf << EOF
machine srvwapt-pro.tranquil.it
login la_cle_de_login_entreprise
password le_mot-de_passe_entreprise
EOF

# Keep the credentials readable by root only
chmod 600 /etc/apt/auth.conf.d/tis.conf
apt update && apt install tis-waptagent

# Agent configuration (placeholder server address and certificate path)
cat >> /opt/wapt/wapt-get.ini << EOF

[global]
repo_url=https://ip_server/wapt
wapt_server=https://ip_server/
use_hostpackages=1
use_kerberos=0
verify_cert=/opt/wapt/ssl/chemin_du_certificat.crt
# verify_cert=0 would disable TLS certificate verification; keep a single verify_cert line
EOF
```
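As an added example (not part of the original post and not WAPT's own tooling), the script below audits the two files those steps create: it flags a `verify_cert` value that turns verification off, a `verify_cert` key assigned more than once, non-HTTPS server URLs, and a credentials file readable by group or others. The function names are hypothetical, and treating `0` or `false` as "verification off" is an assumption based on the `0` shown in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit the files the install steps create.
# verify_cert, repo_url and wapt_server are the keys shown in the post;
# treating "0"/"false" as "verification off" is an assumption.

# Print findings for a wapt-get.ini; return 0 if clean, 1 otherwise.
audit_wapt_ini() {
    local ini="$1" section="" line key val seen=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
        line="${line%"${line##*[![:space:]]}"}"   # trim trailing whitespace
        case "$line" in
            ''|'#'*|';'*) continue ;;
            '['*']') section="${line#\[}"; section="${section%\]}"; continue ;;
        esac
        [ "$section" = "global" ] || continue
        key="${line%%=*}"; key="${key%"${key##*[![:space:]]}"}"
        val="${line#*=}";  val="${val#"${val%%[![:space:]]*}"}"
        case "$key" in
            verify_cert)
                seen=$((seen + 1))
                case "$val" in 0|[Ff]alse)
                    echo "FAIL verify_cert=$val disables TLS certificate verification"; bad=1 ;;
                esac ;;
            repo_url|wapt_server)
                case "$val" in https://*) ;; *)
                    echo "FAIL $key is not an https:// URL: $val"; bad=1 ;;
                esac ;;
        esac
    done < "$ini"
    [ "$seen" -gt 1 ] && { echo "FAIL verify_cert set $seen times; effective value is ambiguous"; bad=1; }
    return "$bad"
}

# Return 0 only if group and others have no access (what the chmod 600 step ensures).
check_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: a [global] section with verify_cert assigned twice, in a temp file.
sample=$(mktemp)
printf '%s\n' '[global]' 'repo_url=https://ip_server/wapt' 'wapt_server=https://ip_server/' \
    'verify_cert=/opt/wapt/ssl/chemin_du_certificat.crt' 'verify_cert=0' > "$sample"
audit_wapt_ini "$sample" || echo "=> wapt-get.ini needs attention"
check_private "$sample" && echo "OK $sample is private (mktemp creates mode 600)"
rm -f "$sample"
```

On a managed workstation the same functions would be pointed at `/opt/wapt/wapt-get.ini` and `/etc/apt/auth.conf.d/tis.conf`.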

Re: Necessary improvement of the Linux agent

Published: October 7, 2020 - 7:17 PM
by dcardon
I would say the problem doesn't necessarily stem from the agent itself, but rather from the differences between Windows and Linux infrastructure. Specifically, there's no Group Policy Object (GPO) deployment under Linux, so third-party methods (Ansible, Puppet, Chef, manual deployment, etc.) are necessary for the initial deployment, as well as the reliance on apt/yum repositories.

The need for `apt-get install apt-transport-https lsb-release gnupg` is fairly standard these days.

Integrating Ubuntu clients into the domain is a definite plus. However, there's no management of user account lifecycles, passwords, etc.

In fact, downloading the agent from the TIS repository isn't the right approach, because the agent needs to be the same version as the server. It would be better to pre-download it to the server and then download it directly from there (which would also eliminate the need to configure an additional apt source). This is what we're preparing for the upcoming version 1.9. We'll update the documentation accordingly.

For Windows agents, we regenerate the installer with each update, which is convenient because it's self-contained, but it causes a signature validation issue during installation on Windows. A compromise could be to pass the configuration parameters to the agent during installation using a command line or a self-contained .sh file. We're also looking into this for version 1.9.

Re: Necessary improvement of the Linux agent

Published: October 8, 2020 - 7:18 PM
by dcardon
By the way, I was thinking about something: the Linux workstation connection is only necessary for automatic registration of the workstation with the WAPT server if Kerberos security is enabled (which is quite good from a security and automation standpoint).
For the self-service functionality, it's possible to enable authentication through the WAPT server or the LDAP server.

Re: Necessary improvement of the Linux agent

Published: October 12, 2020 - 1:01 PM
by Vincent Lucy
Thank you Denis for these answers

For joining the AD domain, we manage that manually during workstation installation; we may automate that in the future; a colleague is starting to master FOG.

> In particular, because there is no deployment via GPO under Linux, and therefore third-party methods (ansible, puppet, chef, manual, etc.) must be used for the initial deployment, as well as the operation via apt/yum repository.

Yes, we can manage that via Ansible. Currently, we basically manage all our servers (or services) via SaltStack; I haven't found anything better yet, but it's more suited for 24/7 online servers.

> In fact, downloading the agent from the TIS repository isn't the right approach, because the agent needs to be the same version as the server. It would be better to pre-download it to the server and then download it directly from there (which would also eliminate the need to configure an additional apt source). This is what we're preparing for the upcoming version 1.9. We'll update the documentation accordingly.

It will still mean one more storage space for us to manage, but why not? The problem, as with the WAPT server, is the internet-facing hosting for mobile devices, hence the need for security.

We will get back to you to provide support over several days for the system administrators of our NGO for a more effective implementation of WAPT.

We could plan this with the release of version 1.9, do you have any idea of the projected timeline?

Sincerely,

VL

Re: Necessary improvement of the Linux agent

Published: October 13, 2020 - 09:48
by cfargues
Hi Vincent,
Version 1.9 should be released before the end of the year. I've noted that you'd like support and will contact you upon release.
I'm marking this as resolved. ;)
Have a good day,
Camille