
Configuration of fat LTSP clients

Debian LTSP fat clients on public PCs, HRZ Gießen

Overview

Overview diagram: Overview.svg

LTSP Server configuration

NFS

Export the LTSP root file system via NFS.

apt-get install nfs-kernel-server
/etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 4002"

Allow NFS through Firewall:

dpkg-reconfigure -plow arno-iptables-firewall

Enable TCP port 4002 (the mountd port configured above).

/etc/hosts.allow
sshd: X.X.X.0/24 Y.Y.Y.0/24
rpcbind: X.X.X.0/24 Y.Y.Y.0/24 localhost
mountd:  X.X.X.0/24 Y.Y.Y.0/24
/etc/exports
/srv/ltsp X.X.X.0/24(ro,no_root_squash,async,no_subtree_check)

PAM LDAP

Migrate from libpam-ldap to libpam-ldapd

apt-get purge libnss-ldap libpam-ldap libpam-ldapd libnss-ldapd
apt-get install nslcd libpam-ldapd libnss-ldapd
pam-auth-update --force

Old configuration files:

/etc/pam_ldap.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://XXXX

# The search base that will be used for all queries.
base o=Universitaet Giessen,c=DE

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
bindpw XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl start_tls
tls_reqcert hard
tls_cacert /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

map passwd loginShell   /bin/bash
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files myhostname mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

iPXE

Make /srv/tftp/linux-ipxe/undionly.kpxe according to http://ipxe.org/embed using the file

ltsp-server.ipxe
#!ipxe
# to make:
# cd ipxe/src
# ipxe/src$  make bin/undionly.kpxe EMBED=../../../ltsp-server.ipxe
# move  bin/undionly.kpxe to /srv/tftp/linux-ipxe/undionly.kpxe
:try_again
dhcp
chain http://[SERVER-IP]/live/ipxe.php ||
echo Konnte nicht laden:
echo chain http://[SERVER-IP]/live/ipxe.php
sleep 30
goto try_again
# echo local boot
# sanboot --no-describe

PHP5 generates the boot parameters for iPXE.

apt-get install  libapache2-mod-php5
cd /var/www/html/live
ln -s /srv/ltsp/amd64/boot/ ltspboot
iPXE Script

Provide the kernel and initrd via HTTP and set the boot parameters:

/srv/www/html/live/ipxe.php
<?php
// PHP fills in the server's own address; everything else is a literal iPXE script.
echo '#!ipxe
set serveraddr '.$_SERVER['SERVER_ADDR'].'
set serverurl http://${serveraddr}/live/
set aktuellp ltspboot/
kernel ${serverurl}${aktuellp}vmlinuz ro root=/dev/nfs nfsroot=${serveraddr}:/srv/ltsp/amd64,nolock,tcp,ro ip=dhcp boot=nfs init=/sbin/init-ltsp quiet splash
initrd ${serverurl}${aktuellp}initrd.img
boot ||
';
 ...

TFTP, DHCP

Enable port 69/UDP in the Firewall

dpkg-reconfigure arno-iptables-firewall

DHCP tells the clients to load /srv/tftp/linux-ipxe/undionly.kpxe

LTSP

Installation

apt-get install ltsp-server

Configuration

We discard the TFTP files by directing them to /tmp, because iPXE is used instead:

/etc/ltsp/ltsp-server.conf
BASE="/srv/ltsp"
TFTP_DIRS="/tmp"
/etc/ltsp/ltsp-build-client.conf
MIRROR="http://ftp.uni-giessen.de/debian"
COMPONENTS="main contrib non-free"
SECURITY_MIRROR="http://security.debian.org"
DISTRIBUTION="jessie"
DIST="jessie"

# Some must-have stuff
LATE_PACKAGES="
        less
        nano
        aptitude
        man
        nfs-common
        libpam-mount
"

Build client

Mount a partition on /srv/ltsp/.
Build the LTSP client in /srv/ltsp/amd64 with

$  ltsp-build-client --fat-client-desktop=task-gnome-desktop

Client unattended upgrades

The following cron job runs on the LTSP server.

# m h  dom mon dow   command
12 03  *  *    *     /usr/local/bin/ltsp-unattended-upgrades
ltsp-server: /usr/local/bin/ltsp-unattended-upgrades
#!/bin/sh
# nightly unattended upgrades for public pcs.
# started by crontab
# (change with crontab -e)

export PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH
/etc/init.d/nfs-kernel-server stop                > /dev/null
/bin/umount /srv/ltsp/amd64/dev                   > /dev/null  2>&1
/bin/umount /srv/ltsp/amd64/proc                  > /dev/null  2>&1
/bin/mount | grep /srv/ltsp/amd64/ && ( echo; echo   ERROR: /srv/ltsp/amd64/ is mounted; echo unattended upgrades will fail. )
/usr/sbin/ltsp-chroot --mount-proc --mount-dev apt-get update > /dev/null
/usr/sbin/ltsp-chroot --mount-proc --mount-dev unattended-upgrades
/etc/init.d/nfs-kernel-server start               > /dev/null
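The script above prints an error when something is still mounted below /srv/ltsp/amd64 but then runs the upgrade anyway, and nothing guarantees that nfs-kernel-server is started again if apt-get aborts. The following is an added example, not the HRZ script: the same nightly run with the busy check turned into a hard stop and an EXIT trap that restarts NFS. It keeps the page's paths and commands (/srv/ltsp/amd64, ltsp-chroot, unattended-upgrades); the "run" argument and the CHROOT variable are this example's own convention.

```shell
#!/bin/sh
# Added example (not the HRZ cron script): nightly unattended upgrades for the
# LTSP chroot with a hard "still mounted" check and a trap that restarts NFS.
# Invoke from cron as:  /usr/local/bin/ltsp-unattended-upgrades run

CHROOT="${CHROOT:-/srv/ltsp/amd64}"

# leftover_mounts: reads "mount" output on stdin and prints every mount point
# that lies below the chroot root given as $1 (trailing slash appended, so
# /srv/ltsp/amd64-old does not count). Exit status 0 = something is mounted.
leftover_mounts() {
    awk -v root="$1/" '
        $2 == "on" && index($3, root) == 1 { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# release_chroot: unmount proc and dev left behind by a manual
# "ltsp-chroot --mount-proc --mount-dev", then fail if anything remains.
release_chroot() {
    for d in dev proc; do
        umount "$1/$d" >/dev/null 2>&1 || true
    done
    if mount | leftover_mounts "$1"; then
        echo "ERROR: $1 still has mounts, unattended upgrades skipped" >&2
        return 1
    fi
    return 0
}

# run_upgrade: stop NFS (clients must not read a changing root), upgrade the
# chroot, and restart NFS no matter how the upgrade ends.
run_upgrade() {
    root="$1"
    export PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH
    /etc/init.d/nfs-kernel-server stop >/dev/null
    # Whatever happens below, bring NFS back so the clients can boot in the morning.
    trap '/etc/init.d/nfs-kernel-server start >/dev/null' EXIT
    release_chroot "$root" || return 1
    ltsp-chroot --mount-proc --mount-dev apt-get update >/dev/null || return 1
    ltsp-chroot --mount-proc --mount-dev unattended-upgrades
}

# Only the explicit "run" argument starts the upgrade; without it the file can be
# sourced to reuse the check functions.
case "${1:-}" in
    run) run_upgrade "$CHROOT" ;;
esac
```

The mount check is a separate function reading stdin so it can be exercised against a captured mount listing without touching the real server.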

LTSP Client configuration

Boot configuration

/srv/ltsp/amd64/etc/lts.conf
# This is the default lts.conf file for ltsp 5.  For more information about
# valid options please see lts.conf(5) man page, available in the ltsp-docs
# package.
#
# Note that things like sound and local device support are auto-enabled if the
# corresponding packages are installed, there is no need to manually set these
# options anymore.

[default]
        LTSP_CONFIG=True
        #SOUND=False
        #LOCALDEV=False
        #CONFIGURE_X=False

        # Uncomment to start a root shell on tty12 for debugging
        # SCREEN_12=shell

        # Do not use ltsp's display manager - use whatever is in /etc/X11/default-display-manager
        DEFAULT_DISPLAY_MANAGER=""
        # KEEP_SYSTEM_SERVICES=lightdm

        # Do not disable getty on tty1-6
        DISABLE_GETTYS=False

        # Use local swap (if available) and network swap
        USE_LOCAL_SWAP=True
        # NBD_SWAP=True

        # Disable swap file encryption to workaround nbd swap file bug (see below the section about NBD swap)
        # ENCRYPT_SWAP=False

Enter the client chroot with one of the following:

sudo ltsp-chroot
sudo ltsp-chroot --mount-proc  --mount-dev

Use the mount options with care: while clients are running, unmounting may only be possible after stopping nfs-kernel-server.

Packages for ldap, chipcard, …

apt-get install  firmware-linux plymouth apt-utils nslcd  autofs ksh  ca-certificates pcscd opensc cups bash-completion emacs mc unattended-upgrades apt-listchanges ntp ntpdate virtualbox-guest-utils

PAM LDAP

/etc/nslcd.conf
same as on the server
/etc/nsswitch.conf
same as on the server

PAM-mount sshfs

Do not use the option follow_symlinks; it causes problems with KDE programs.

/etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--  See pam_mount.conf(5) for a description. -->
<pam_mount>
  <!-- debug should come before everything else,
       since this file is still processed in a single pass
       from top-to-bottom -->
  <debug enable="0" />
  <!-- Volume definitions -->
  <volume fstype="fuse" path="sshfs#%(USER)@ltsp-server.XXX.XX:" mountpoint="~" options="nonempty,reconnect,nosuid,nodev,ssh_command=/usr/local/bin/ssh_local,ServerAliveInterval=15,password_stdin" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="false" />
  <fuseumount>/bin/fusermount -u -z  %(MNTPT)  </fuseumount>
</pam_mount>

Disable SSH host key checking to keep ssh from looking into the home directory; otherwise fusermount hangs.

/usr/local/bin/ssh_local
#!/bin/sh
# wrapper used by pam_mount/sshfs; "$@" passes the arguments through unchanged
/usr/bin/ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o IdentityFile=/etc/ssh/nonexistentfile -o StrictHostKeyChecking=no "$@"

Put mount.fuse on the path:

cd usr/local/bin/
ln -s ../../../sbin/mount.fuse
chmod +x ssh_local
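The wrapper above works around the hang by switching host key verification off entirely, so a client would also accept a host impersonating the LTSP server. The following is an added example, not the HRZ wrapper: a variant of ssh_local that still keeps ssh out of the home directory (which pam_mount is about to mount) but takes the server's host key from the system-wide /etc/ssh/ssh_known_hosts in the client image, with checking on. Populating that file in the image (for example by copying the server's /etc/ssh/ssh_host_*.pub entries into it) is assumed here and is not described on the page; has_host_key is this example's own helper for verifying that step at image build time.

```shell
#!/bin/sh
# Added example (not the HRZ wrapper): ssh_local with host key verification kept on.
# Assumes the LTSP server's key is present in the client image's
# /etc/ssh/ssh_known_hosts (system-wide file, independent of the user's home).

GLOBAL_KNOWN_HOSTS="${GLOBAL_KNOWN_HOSTS:-/etc/ssh/ssh_known_hosts}"

# ssh_options prints the option list on one line so it can be inspected without
# starting ssh. No option value contains whitespace, so word splitting is safe.
ssh_options() {
    opts="-F /dev/null -o UserKnownHostsFile=/dev/null"
    opts="$opts -o GlobalKnownHostsFile=$GLOBAL_KNOWN_HOSTS -o StrictHostKeyChecking=yes"
    opts="$opts -o IdentityFile=/etc/ssh/nonexistentfile -o IdentitiesOnly=yes"
    printf '%s' "$opts"
}

# has_host_key: exit 0 if the known_hosts file ($1) has a plain (unhashed) entry
# whose comma-separated host list contains $2. Hashed "|1|..." lines and "@marker"
# lines are skipped. Meant for a check while building the client image.
has_host_key() {
    awk -v host="$2" '
        /^#/ || /^@/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == host) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# ssh_local_main: refuse to connect when no pinned key file exists at all,
# otherwise exec ssh with the fixed options in front of what sshfs passed.
ssh_local_main() {
    if [ ! -s "$GLOBAL_KNOWN_HOSTS" ]; then
        echo "ssh_local: $GLOBAL_KNOWN_HOSTS missing or empty, not connecting" >&2
        exit 255
    fi
    # shellcheck disable=SC2046
    exec /usr/bin/ssh $(ssh_options) "$@"
}

# Act as the wrapper only when installed under the name ssh_local; when run or
# sourced under another name (e.g. for the build-time check) nothing is executed.
case "${0##*/}" in
    ssh_local) ssh_local_main "$@" ;;
esac
```

With this variant a changed or unknown server key makes the mount fail loudly instead of being accepted silently, which is the behaviour a shared public-PC image should have; the pam_mount volume line stays as on the page, only ssh_command points at this file.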

/etc/ntp.conf

Configure local time servers.

arno-iptables-firewall

apt-get install arno-iptables-firewall
dpkg-reconfigure -plow arno-iptables-firewall

Note: dpkg-reconfigure -plow arno-iptables-firewall is essential, because you are not asked all questions during the installation.

/etc/arno-iptables-firewall/conf.d/00debconf.conf
#######################################################################
# Feel free to edit this file.  However, be aware that debconf writes #
# to (and reads from) this file too.  In case of doubt, only use      #
# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
# If you really don't want to use debconf, or if you have specific    #
# needs, you're likely better off using placing an additional         #
# configuration snippet into/etc/arno-iptables-firewall/conf.d/.      #
# Also see README.Debian.                                             #
#######################################################################
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=1

Unattended upgrades

Started by a cron-job of the LTSP Server.

/etc/apt/apt.conf.d/50unattended-upgrades

kdm

apt-get install kdm kdm-gdmcompat

Set kdm as display manager with

dpkg-reconfigure kdm

Greeter screen

Diff in /usr/share/kde4/apps/kdm/themes/lines:
diff lines.xml lines.xml.orig
34,61d33
<         <fixed>
<             <item type="label" id="welcome1">
<                 <pos anchor="nw" x="20" y="24%"/>
<                 <normal font="Serif Bold 12" color="#FFFFFF" alpha="0.5"/>
<                 <text>Benutzerkennung:</text>
<              </item>
<          </fixed>
<          <fixed>
<              <item type="label" id="welcome1">
<                 <pos anchor="nw" x="20" y="48%"/>
<                 <normal font="Serif Bold 12" color="#FFFFFF" alpha="0.5"/>
<                 <text>Netz-Passwort:</text>
<              </item>
<         </fixed>
<         <fixed>
<             <item type="label" id="welcome2">
<                 <pos anchor="nw" x="20" y="72%"/>
<                 <normal font="Serif 11" color="#FFFFFF" alpha="0.5"/>
<                 <text>mit der Eingabetaste abschließen.</text>
<              </item>
<         </fixed>
<         <fixed>
<             <item type="label" id="welcome3">
<                 <pos anchor="c" x="0" y="88%"/>
<                 <normal font="Serif 7" color="#FFFFFF" alpha="0.5"/>
<                 <text>Desktop:</text>
<              </item>
<         </fixed>
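Review bot: the second <fixed> block in this hunk (the label at y="48%" with text Netz-Passwort:) reuses id="welcome1", which the first block already carries; the later labels are numbered welcome2 and welcome3, so give this item its own id so that the theme XML does not contain two items with the same id.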

Result: login screen screenshot (loginscreen.jpg)

Desktops

apt-get install task-kde-desktop task-gnome-desktop task-cinnamon-desktop

apt-get install task-german-desktop task-greek-desktop task-spanish-desktop task-french-desktop task-portuguese-desktop task-russian-desktop task-turkish-desktop
apt-get install icedove-l10n-de kde-l10n-de
apt-get install kdeedu kdemultimedia lame kdm-gdmcompat

Set cinnamon as the default x-session-manager:

update-alternatives --config x-session-manager

Disable KDE4 sessions and "Gnome on Wayland"

KDE4 is very slow and session logout does not work.

/usr/share/xsessions/kde-plasma.desktop
...
Hidden=true
...
/usr/share/wayland-sessions/gnome-wayland.desktop
...
Hidden=true
...

Gnome Shell Extensions

Show applications menu

/etc/xdg/autostart/enable_gnome_extensions.desktop
[Desktop Entry]
Type=Application
Name=enable gnome extensions
## Enable Extensions
Exec=/usr/local/bin/enable_gnome_extensions
OnlyShowIn=GNOME
/usr/local/bin/enable_gnome_extensions
#!/bin/sh
/usr/bin/gsettings get org.gnome.shell enabled-extensions | grep apps-menu || /usr/bin/gsettings set org.gnome.shell enabled-extensions "['alternate-tab@gnome-shell-extensions.gcampax.github.com', 'apps-menu@gnome-shell-extensions.gcampax.github.com']"

Show info page on login

/etc/xdg/autostart/show_info_page.desktop
[Desktop Entry]
Type=Application
Name=show info page
Exec=/usr/local/bin/info-on-login
/usr/local/bin/info-on-login
#!/bin/sh
export infohtml=https://www.uni-giessen.de/cms/fbz/svc/hrz/svc/raeume/raeume27_41/r27kurz/contentpanels_body
export browser=chromium
/usr/bin/$browser $infohtml
sleep 2
/usr/bin/wmctrl -r $browser -b add,maximized_horz,maximized_vert

Printer configuration

Configure in a running client.

Start the LTSP client root console on SCREEN_12 (edit lts.conf). The example user is named user.

Add the user user to the group lpadmin (appending, so existing group memberships are kept):

usermod -aG lpadmin user

Log in as user and follow the instructions:

iceweasel localhost:631 http://www.uni-giessen.de/cms/fbz/svc/hrz/svc/ausgabe/follow-me-printing/fmp-druckertreiber

Add printers

 lpd://druckserver.hrz.uni-giessen.de/SHARP_SW
 lpd://druckserver.hrz.uni-giessen.de/SHARP_Farbe

Copy

  • /etc/cups/ppd*

  • /etc/cups/printers*

to the server.

Chip card

watch_reader

apt-get install pcsc-tools libterm-readkey-perl wmctrl
/etc/xdg/autostart/chipcard_watch_reader.desktop
[Desktop Entry]
Type=Application
Name=Chipcard watch reader
Exec=/usr/local/bin/watch_reader endless

opensc.conf

Disable pinpad (necessary for old cards)

/etc/opensc/opensc.conf
# Required for old chip cards
                enable_pinpad = false;

Languages

apt-get install task-german task-greek task-english task-spanish task-french task-portuguese task-russian task-turkish
dpkg-reconfigure locales
  de_DE.UTF-8... done
  el_GR.UTF-8... done
  en_GB.UTF-8... done
  es_ES.UTF-8... done
  fr_FR.UTF-8... done
  pt_PT.UTF-8... done
  ru_RU.UTF-8... done
  tr_TR.UTF-8... done

Additional Software

apt-get install icedove chromium chromium-l10n pepperflashplugin-nonfree octave  r-base eclipse cervisia lyx lvm2  vim

Nightly shutdown

In the chroot:

crontab -e
# m h  dom mon dow   command
00  22 *   *   *    /sbin/poweroff

Not used

gdm3 (Gnome Display Manager)

  • When entering cinnamon via gdm, the keyboard doesn’t work properly.

  • gdm’s user dialog is poor, if the userlist is not shown.

/etc/gdm3/greeter.dconf-defaults
banner-message-enable=true
banner-message-text='Klicken Sie bitte auf "Nicht aufgeführt?"'