Configuration of fat LTSP clients
Debian LTSP fat clients on public PCs, HRZ Gießen
<Johannes.Becker@hrz.uni-giessen.de>
LTSP Server configuration
NFS
Export the LTSP root file system via NFS:

    apt-get install nfs-kernel-server

/etc/default/nfs-kernel-server:

    RPCMOUNTDOPTS="--manage-gids --port 4002"

Allow NFS through the firewall:

    dpkg-reconfigure -plow arno-iptables-firewall

Enable TCP port 4002 (the fixed mountd port set above).

/etc/hosts.allow:

    sshd: X.X.X.0/24 Y.Y.Y.0/24
    rpcbind: X.X.X.0/24 Y.Y.Y.0/24 localhost
    mountd: X.X.X.0/24 Y.Y.Y.0/24

/etc/exports:

    /srv/ltsp X.X.X.0/24(ro,no_root_squash,async,no_subtree_check)

The export is read-only and limited to the client network; no_root_squash is needed so that client root can read every file of the root file system, which is only acceptable because the export is ro.
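The export line above is the one place where a typo (rw instead of ro, or "*" instead of the client network) silently turns the LTSP root into a writable, world-mountable share. The following shell script is an added example, not part of the original page or of LTSP: it parses /etc/exports lines and flags exports that are not read-only, not bound to an explicit client network, or that combine no_root_squash with a writable export. The sample lines and the network X.X.X.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): audit /etc/exports lines for the
# LTSP root. The export must be read-only, bound to an explicit client network
# rather than "*", and no_root_squash should only appear on a read-only export.
# Sample lines and the network X.X.X.0/24 are constructed placeholders.

# check_export_line "<exports line>" [expected-client-network]
# Prints one finding per problem; returns 0 if the line is clean, 1 otherwise.
check_export_line() {
    line=$1
    want_net=${2:-}
    rc=0
    path=$(printf '%s\n' "$line" | awk '{ print $1 }')
    # Every field after the path is one "client(options)" entry.
    for spec in $(printf '%s\n' "$line" | awk '{ for (i = 2; i <= NF; i++) print $i }'); do
        case "$spec" in
            *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
            *)      client=$spec; opts="ro" ;;   # exports(5) default: ro, root_squash
        esac
        case "$client" in
            ''|'*')
                echo "$path: exported to '$client' (every host may mount it)"
                rc=1 ;;
        esac
        if [ -n "$want_net" ] && [ "$client" != "$want_net" ]; then
            echo "$path: client '$client' is not the expected network $want_net"
            rc=1
        fi
        case ",$opts," in
            *,ro,*) ro=1 ;;
            *) ro=0; echo "$path: export for '$client' is not read-only"; rc=1 ;;
        esac
        case ",$opts," in
            *,no_root_squash,*)
                if [ "$ro" -eq 0 ]; then
                    echo "$path: no_root_squash on a writable export for '$client'"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# audit_exports_file <file> [expected-client-network]
# Runs check_export_line over every non-comment line; returns 1 if any failed.
audit_exports_file() {
    file=$1
    want_net=${2:-}
    status=0
    while IFS= read -r l || [ -n "$l" ]; do
        case "$l" in ''|'#'*) continue ;; esac
        check_export_line "$l" "$want_net" || status=1
    done < "$file"
    return $status
}

# Demo on a constructed sample file (the real file is /etc/exports).
sample=$(mktemp)
printf '%s\n' \
    '/srv/ltsp X.X.X.0/24(ro,no_root_squash,async,no_subtree_check)' \
    '/export/scratch *(rw,no_root_squash)' > "$sample"
audit_exports_file "$sample" X.X.X.0/24 || echo "audit: problems found"
rm -f "$sample"
```

Run it as `audit_exports_file /etc/exports X.X.X.0/24` after editing the export; the first sample line passes, the second one produces three findings.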
PAM LDAP
Migrate from libpam-ldap to libpam-ldapd:

    apt-get purge libnss-ldap libpam-ldap libpam-ldapd libnss-ldapd
    apt-get install nslcd libpam-ldapd libnss-ldapd
    pam-auth-update --force

Old configuration files:

    /etc/pam_ldap.conf
    /etc/pam.d/common-account
    /etc/pam.d/common-auth

/etc/nslcd.conf (contains bindpw, so keep it readable only by root and the nslcd user; Debian installs it as root:nslcd, mode 0640):

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5)
    # for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldap://XXXX

    # The search base that will be used for all queries.
    base o=Universitaet Giessen,c=DE

    # The LDAP protocol version to use.
    #ldap_version 3

    # The DN to bind with for normal lookups.
    binddn XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    bindpw XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    # The DN used for password modifications by root.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # SSL options
    ssl start_tls
    tls_reqcert hard
    tls_cacert /etc/ssl/certs/ca-certificates.crt

    # The search scope.
    #scope sub

    map passwd loginShell /bin/bash

/etc/nsswitch.conf:

    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
    gshadow:        files

    hosts:          files myhostname mdns4_minimal [NOTFOUND=return] dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
iPXE
Make /srv/tftp/linux-ipxe/undionly.kpxe according to http://ipxe.org/embed using the file ltsp-server.ipxe:

    #!ipxe
    # to make:
    #   cd ipxe/src
    #   make bin/undionly.kpxe EMBED=../../../ltsp-server.ipxe
    #   move bin/undionly.kpxe to /srv/tftp/linux-ipxe/undionly.kpxe
    :try_again
    dhcp
    chain http://[SERVER-IP]/live/ipxe.php || echo Konnte nicht laden:
    echo chain http://[SERVER-IP]/live/ipxe.php
    sleep 30
    goto try_again
    # echo local boot
    # sanboot --no-describe

PHP 5 generates the boot parameters for iPXE:

    apt-get install libapache2-mod-php5
    cd /var/www/html/live
    ln -s /srv/ltsp/amd64/boot/ ltspboot

iPXE script: provide kernel and initrd via HTTP and set the boot parameters.

/srv/www/html/live/ipxe.php:

    <?php
    // The echo wrapper is reconstructed from the '.$_SERVER['SERVER_ADDR'].'
    // concatenation visible in the script body; the body itself is as on the page.
    echo '#!ipxe
    set serveraddr '.$_SERVER['SERVER_ADDR'].'
    set serverurl http://${serveraddr}/live/
    set aktuellp ltspboot/
    kernel ${serverurl}${aktuellp}vmlinuz ro root=/dev/nfs nfsroot=${serveraddr}:/srv/ltsp/amd64,nolock,tcp,ro ip=dhcp boot=nfs init=/sbin/init-ltsp quiet splash
    initrd ${serverurl}${aktuellp}initrd.img
    boot || ...
    ';
TFTP, DHCP
Enable port 69/UDP in the firewall:

    dpkg-reconfigure arno-iptables-firewall

DHCP tells the clients to load /srv/tftp/linux-ipxe/undionly.kpxe.
LTSP
Installation

    apt-get install ltsp-server

Configuration
The TFTP boot files are not needed because iPXE loads kernel and initrd over HTTP, so TFTP_DIRS points to /tmp and the files are thrown away:

/etc/ltsp/ltsp-server.conf:

    BASE="/srv/ltsp"
    TFTP_DIRS="/tmp"

/etc/ltsp/ltsp-build-client.conf:

    MIRROR="http://ftp.uni-giessen.de/debian"
    COMPONENTS="main contrib non-free"
    SECURITY_MIRROR="http://security.debian.org"
    DISTRIBUTION="jessie"
    DIST="jessie"
    # Some must-have stuff
    LATE_PACKAGES=" less nano aptitude man nfs-common libpam-mount "
Build client
Mount a partition on /srv/ltsp/. Build the LTSP client in /srv/ltsp/amd64 with:

    $ ltsp-build-client --fat-client-desktop=task-gnome-desktop
Client unattended upgrades
The following cron job runs on the LTSP server:

    # m h dom mon dow command
    12 03 * * * /usr/local/bin/ltsp-unattended-upgrades

ltsp-server: /usr/local/bin/ltsp-unattended-upgrades:

    #!/bin/sh
    # nightly unattended upgrades for public pcs.
    # started by crontab
    # (change with crontab -e)
    export PATH=/usr/local/sbin:/usr/sbin:/sbin:$PATH
    /etc/init.d/nfs-kernel-server stop > /dev/null
    /bin/umount /srv/ltsp/amd64/dev > /dev/null 2>&1
    /bin/umount /srv/ltsp/amd64/proc > /dev/null 2>&1
    /bin/mount | grep /srv/ltsp/amd64/ && ( echo; echo ERROR: /srv/ltsp/amd64/ is mounted; echo unattended upgrades will fail. )
    /usr/sbin/ltsp-chroot --mount-proc --mount-dev apt-get update > /dev/null
    /usr/sbin/ltsp-chroot --mount-proc --mount-dev unattended-upgrades
    /etc/init.d/nfs-kernel-server start > /dev/null
LTSP Client configuration
Boot configuration

/srv/ltsp/amd64/etc/lts.conf:

    # This is the default lts.conf file for ltsp 5. For more information about
    # valid options please see lts.conf(5) man page, available in the ltsp-docs
    # package.
    #
    # Note that things like sound and local device support are auto-enabled if the
    # corresponding packages are installed, there is no need to manually set these
    # options anymore.

    [default]
    LTSP_CONFIG=True
    #SOUND=False
    #LOCALDEV=False
    #CONFIGURE_X=False
    # Uncomment to start a root shell on tty12 for debugging
    # SCREEN_12=shell
    # Do not use ltsp's display manager - use whatever is in /etc/X11/default-display-manager
    DEFAULT_DISPLAY_MANAGER=""
    # KEEP_SYSTEM_SERVICES=lightdm
    # Do not disable getty on tty1-6
    DISABLE_GETTYS=False
    # Use local swap (if available) and network swap
    USE_LOCAL_SWAP=True
    # NBD_SWAP=True
    # Disable swap file encryption to workaround nbd swap file bug (see below the section about NBD swap)
    # ENCRYPT_SWAP=False
Enter the client chroot with one of the following:

    sudo ltsp-chroot
    sudo ltsp-chroot --mount-proc --mount-dev

Use the mount parameters with care: while clients are running, unmounting may only be possible after stopping the nfs-kernel-server.
Packages for LDAP, chip card, ...

    apt-get install firmware-linux plymouth apt-utils nslcd autofs ksh ca-certificates pcscd opensc cups bash-completion emacs mc unattended-upgrades apt-listchanges ntp ntpdate virtualbox-guest-utils
PAM LDAP
/etc/nslcd.conf: same as on the server
/etc/nsswitch.conf: same as on the server

On the client this nslcd.conf, including binddn and bindpw, sits inside the NFS root that every host in the exported network may mount, so use a bind account with no more than the read rights nslcd needs.
PAM-mount sshfs
Because of KDE programs: do not use the option follow_symlinks.

/etc/security/pam_mount.conf.xml:

    <?xml version="1.0" encoding="utf-8" ?>
    <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
    <!-- See pam_mount.conf(5) for a description. -->
    <pam_mount>
      <!-- debug should come before everything else,
           since this file is still processed in a single pass
           from top-to-bottom -->
      <debug enable="0" />

      <!-- Volume definitions -->
      <volume fstype="fuse" path="sshfs#%(USER)@ltsp-server.XXX.XX:" mountpoint="~"
              options="nonempty,reconnect,nosuid,nodev,ssh_command=/usr/local/bin/ssh_local,ServerAliveInterval=15,password_stdin" />
      <mntoptions require="nosuid,nodev" />
      <logout wait="0" hup="0" term="0" kill="0" />

      <!-- pam_mount parameters: Volume-related -->
      <mkmountpoint enable="1" remove="false" />
      <fuseumount>/bin/fusermount -u -z %(MNTPT)</fuseumount>
    </pam_mount>
Disable SSH host key checking so that ssh does not look into the (not yet mounted) home directory; otherwise fusermount hangs.

/usr/local/bin/ssh_local:

    #!/bin/sh
    /usr/bin/ssh -F /dev/null -o UserKnownHostsFile=/dev/null -o IdentityFile=/etc/ssh/nonexistentfile -o StrictHostKeyChecking=no "$@"

Include mount.fuse in the PATH and make the wrapper executable:

    cd usr/local/bin/
    ln -s ../../../sbin/mount.fuse
    chmod +x ssh_local
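With StrictHostKeyChecking=no the wrapper accepts whatever host key is presented, so the password that pam_mount feeds to sshfs on stdin is sent without verifying the server's identity. The problem the wrapper solves is only that ssh must not consult ~/.ssh/known_hosts, and that can be achieved while keeping verification by pinning the server key in the system-wide file. The script below is an added example, not the page's ssh_local or anything shipped by sshfs or pam_mount: it assumes the LTSP server's public key was copied once into /etc/ssh/ssh_known_hosts when the client was built (GlobalKnownHostsFile and UserKnownHostsFile are standard ssh_config(5) options); the host name and key in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the page's ssh_local: an ssh wrapper for pam_mount/sshfs
# that still keeps ssh out of the (not yet mounted) home directory but verifies
# the server's host key against the system-wide file /etc/ssh/ssh_known_hosts.
# Assumes the LTSP server's public key was copied into that file once when the
# client was built; the host name and key used in the test are constructed.

KNOWN_HOSTS=${KNOWN_HOSTS:-/etc/ssh/ssh_known_hosts}

# host_from_args <ssh args...>: print the host part of the user@host argument
# that sshfs passes to its ssh_command (empty line and status 1 if none).
host_from_args() {
    for arg; do
        case "$arg" in
            -*) ;;
            *@*) printf '%s\n' "${arg#*@}"; return 0 ;;
        esac
    done
    printf '\n'
    return 1
}

# have_host_key <file> <host>: 0 if <file> has a plain (unhashed) entry whose
# host list contains <host>; hashed "|1|" entries and comments are skipped.
have_host_key() {
    file=$1
    host=$2
    [ -r "$file" ] || return 1
    awk -v h="$host" '
        $1 !~ /^[#|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        }
        END { exit !found }' "$file"
}

# ssh_local_main <ssh args...>: refuse to connect unless the host key is
# pinned, then run ssh with strict checking against the system file only.
ssh_local_main() {
    host=$(host_from_args "$@") || { echo "ssh_local: no user@host argument" >&2; exit 255; }
    if ! have_host_key "$KNOWN_HOSTS" "$host"; then
        echo "ssh_local: no host key for $host in $KNOWN_HOSTS" >&2
        exit 255
    fi
    exec /usr/bin/ssh -F /dev/null \
        -o UserKnownHostsFile=/dev/null \
        -o GlobalKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o IdentityFile=/etc/ssh/nonexistentfile \
        "$@"
}

# Only act as the wrapper when invoked with arguments, so the file can also be
# sourced to test the helper functions.
[ $# -eq 0 ] || ssh_local_main "$@"
```

Because the NFS root is read-only, the pinned key cannot be changed by a client; a mismatch or a missing entry makes the mount fail loudly instead of silently trusting an unknown server.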
/etc/ntp.conf
Configure local time servers.

arno-iptables-firewall

    apt-get install arno-iptables-firewall
    dpkg-reconfigure -plow arno-iptables-firewall

Note: dpkg-reconfigure -plow arno-iptables-firewall is essential, because you are not asked all questions during the installation.

/etc/arno-iptables-firewall/conf.d/00debconf.conf:

    #######################################################################
    # Feel free to edit this file. However, be aware that debconf writes #
    # to (and reads from) this file too. In case of doubt, only use      #
    # 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file. #
    # If you really don't want to use debconf, or if you have specific   #
    # needs, you're likely better off using placing an additional        #
    # configuration snippet into /etc/arno-iptables-firewall/conf.d/.    #
    # Also see README.Debian.                                            #
    #######################################################################
    EXT_IF="eth0"
    EXT_IF_DHCP_IP=1
    OPEN_TCP=""
    OPEN_UDP=""
    INT_IF=""
    NAT=0
    INTERNAL_NET=""
    NAT_INTERNAL_NET=""
    OPEN_ICMP=1
Unattended upgrades
Started by a cron job of the LTSP server.

/etc/apt/apt.conf.d/50unattended-upgrades

kdm

    apt-get install kdm kdm-gdmcompat

Set kdm as display manager with

    dpkg-reconfigure kdm
Greeter screen
diff in /usr/share/kde4/apps/kdm/themes/linesdiff lines.xml lines.xml.orig 34,61d33 < <fixed> < <item type="label" id="welcome1"> < <pos anchor="nw" x="20" y="24%"/> < <normal font="Serif Bold 12" color="#FFFFFF" alpha="0.5"/> < <text>Benutzerkennung:</text> < </item> < </fixed> < <fixed> < <item type="label" id="welcome1"> < <pos anchor="nw" x="20" y="48%"/> < <normal font="Serif Bold 12" color="#FFFFFF" alpha="0.5"/> < <text>Netz-Passwort:</text> < </item> < </fixed> < <fixed> < <item type="label" id="welcome2"> < <pos anchor="nw" x="20" y="72%"/> < <normal font="Serif 11" color="#FFFFFF" alpha="0.5"/> < <text>mit der Eingabetaste abschließen.</text> < </item> < </fixed> < <fixed> < <item type="label" id="welcome3"> < <pos anchor="c" x="0" y="88%"/> < <normal font="Serif 7" color="#FFFFFF" alpha="0.5"/> < <text>Desktop:</text> < </item> < </fixed>
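Review bot: the first two added `<item>` elements (the Benutzerkennung: and Netz-Passwort: labels) both carry id="welcome1"; item ids in a KDM theme should be distinct, so give the second label its own id the way the following items already use welcome2 and welcome3. Also, the diff was taken as `diff lines.xml lines.xml.orig`, so the `<` lines are the additions present in the edited theme; `diff lines.xml.orig lines.xml` would show them as `>` lines, which reads more naturally as "added".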
Desktops

    apt-get install task-kde-desktop task-gnome-desktop task-cinnamon-desktop
    apt-get install task-german-desktop task-greek-desktop task-spanish-desktop task-french-desktop task-portuguese-desktop task-russian-desktop task-turkish-desktop
    apt-get install icedove-l10n-de kde-l10n-de
    apt-get install kdeedu kdemultimedia lame kdm-gdmcompat
Default x-session-manager: cinnamon

    update-alternatives --config x-session-manager

Disable KDE4 sessions and "Gnome on Wayland"
KDE4 is very slow and session logout does not work.

/usr/share/xsessions/kde-plasma.desktop:

    ...
    Hidden=true
    ...

/usr/share/wayland-sessions/gnome-wayland.desktop:

    ...
    Hidden=true
    ...
Gnome Shell Extensions
Show applications menu

/etc/xdg/autostart/enable_gnome_extensions.desktop:

    [Desktop Entry]
    Type=Application
    Name=enable gnome extensions
    ## Enable Extensions
    Exec=/usr/local/bin/enable_gnome_extensions
    OnlyShowIn=GNOME

/usr/local/bin/enable_gnome_extensions:

    #!/bin/sh
    # enable the apps-menu extension once, if it is not already in the list
    /usr/bin/gsettings get org.gnome.shell enabled-extensions | grep apps-menu || \
      /usr/bin/gsettings set org.gnome.shell enabled-extensions "['alternate-tab@gnome-shell-extensions.gcampax.github.com', 'apps-menu@gnome-shell-extensions.gcampax.github.com']"

Show info page on login

/etc/xdg/autostart/show_info_page.desktop:

    [Desktop Entry]
    Type=Application
    Name=show info page
    Exec=/usr/local/bin/info-on-login

/usr/local/bin/info-on-login:

    #!/bin/sh
    export infohtml=https://www.uni-giessen.de/cms/fbz/svc/hrz/svc/raeume/raeume27_41/r27kurz/contentpanels_body
    export browser=chromium
    # start the browser in the background so that wmctrl can maximize its window
    /usr/bin/$browser $infohtml &
    sleep 2
    /usr/bin/wmctrl -r $browser -b add,maximized_horz,maximized_vert
Printer configuration
Configure in a running client.

Start the LTSP client root console on SCREEN_12 (edit lts.conf). Example user: user.

Add user user to group lpadmin:

    usermod -G lpadmin user

Log in as user and follow the instructions:

    iceweasel localhost:631
    http://www.uni-giessen.de/cms/fbz/svc/hrz/svc/ausgabe/follow-me-printing/fmp-druckertreiber

Add the printers

    lpd://druckserver.hrz.uni-giessen.de/SHARP_SW
    lpd://druckserver.hrz.uni-giessen.de/SHARP_Farbe

Copy
- /etc/cups/ppd*
- /etc/cups/printers*
to the server.
Chip card
watch_reader

    apt-get install pcsc-tools libterm-readkey-perl wmctrl

/usr/local/bin/watch_reader: https://www.uni-giessen.de/cms/fbz/svc/hrz/svc/ident/ckjlu/files/watch_reader

/etc/xdg/autostart/chipcard_watch_reader.desktop:

    [Desktop Entry]
    Type=Application
    Name=Chipcard watch reader
    Exec=/usr/local/bin/watch_reader endless

opensc.conf
Disable the pinpad (necessary for old cards):

/etc/opensc/opensc.conf:

    # needed for old chip cards
    enable_pinpad = false;
Languages

    apt-get install task-german task-greek task-english task-spanish task-french task-portuguese task-russian task-turkish
    dpkg-reconfigure locales

Generated locales:

    de_DE.UTF-8... done
    el_GR.UTF-8... done
    en_GB.UTF-8... done
    es_ES.UTF-8... done
    fr_FR.UTF-8... done
    pt_PT.UTF-8... done
    ru_RU.UTF-8... done
    tr_TR.UTF-8... done
Additional Software

    apt-get install icedove chromium chromium-l10n pepperflashplugin-nonfree octave r-base eclipse cervisia lyx lvm2 vim

Nightly shutdown
In the chroot:

    crontab -e

    # m h dom mon dow command
    00 22 * * * /sbin/poweroff
Further reading

Not used
gdm3 (Gnome Display Manager)
- When entering cinnamon via gdm, the keyboard does not work properly.
- gdm's user dialog is poor if the user list is not shown.

/etc/gdm3/greeter.dconf-defaults:

    banner-message-enable=true
    banner-message-text='Klicken Sie bitte auf "Nicht aufgeführt?"'