Classroom LTSP Configuration
Note: this page should be moved to the Ubuntu LTSP Documentation when they fix the login
bug and I can actually edit that wiki.
We're supporting a two-server, 15-terminal thin client system which has been running Ubuntu
8.04 (Hardy) in the Cama Samfya Resource Centre in Samfya, a rural town in Zambia. It has
been working reasonably well for two years.
It's also used for IT training for about 150 school-leavers every year on Camfed's Goldman Sachs
10,000 Women Certificate Programme in Young Women's Leadership and Enterprise (the
Camfed Programme) which takes place in Lubwe, Samfya District, Zambia. The equipment is
moved from Samfya to Lubwe twice a year for the training course.
Contents
1 Brief
2 Operating System Upgrade
o 2.1 Upgrade Issues
3 Partitioning with RAID and LVM
4 Installation Step by Step
o 4.1 Backup Existing Data
o 4.2 IP Address Check
o 4.3 Boot the Install CD
o 4.4 Configure Language and Keyboard
o 4.5 Configure Networking and Clock
o 4.6 Partition disks: Configuring partitions
o 4.7 Partition disks: Configuring Software RAID
o 4.8 Partition disks: Create Logical Volumes
o 4.9 Partition disks: Configure Filesystems
o 4.10 Set up users and passwords
o 4.11 Configure the package manager
o 4.12 Configure LTSP
o 4.13 Configuring grub-pc
o 4.14 Finish the installation
5 General Post-Install Configuration
o 5.1 Enable Local Repository
o 5.2 Install Ubuntu updates
o 5.3 Simplify File Management as Root
o 5.4 Install Server Kernel
o 5.5 Enable auto-creation of home directories
o 5.6 Configure LTSP Interface
o 5.7 Install Adobe Flash Plugin
o 5.8 Install Caching Servers
o 5.9 Enable Proxy Cache by Default
o 5.10 Enable Forwarding and Masquerading
o 5.11 LTSP Screen Blanking
o 5.12 Customising the LTSP Client Image
o 5.13 Disable Compiz for Compatibility
6 Camfed Programme Specific
o 6.1 Guest User Accounts
o 6.2 Student Accounts
o 6.3 Clean Guest Accounts
o 6.4 Internet Cafe Software
7 Work in Progress
o 7.1 Read-only Guest Users
1 Brief
There are some problems that we'd like to fix:
Operating system needs to be upgraded before support expires
Hard disk filled up with files in /home, and not partitioned, so the proxy server failed to
start and Firefox can't browse
Users can corrupt the profiles of the guest accounts, by modifying panels and changing
icons
Users save personal files on the hard disk without limit until it fills up
No DNS cache installed
UPSes not up to requested spec, only last a few minutes, batteries degraded due to
frequent use
UPSes not monitored, servers and thin clients don't shut down automatically
Standalone mode on thin clients (Aleutia E2) broken due to filesystems corrupted by
power outages
Users storing important files on server which is not backed up
One server had a memory failure and now only has 4 GB RAM (the other has 8 GB)
Frequent internet outages at the SRC (no backup Internet access) leading to complaints
from customers
No automatic logout or Internet cafe billing system for SRC customers
Each terminal has its own LTSP guest user whose profile can become corrupted
2 Operating System Upgrade
We will upgrade the system to a more recent Ubuntu version because:
the support lifetime for 8.04 will run out in April 2011, in four months
we'd rather not upgrade in a rush in April
we'd rather not upgrade in the middle of this year's Camfed programme and confuse
students with a new OS
much educational software is not available for 8.04 (e.g. GeoGebra).
We've been testing two newer versions of Ubuntu: 10.04 (Lucid) and 10.10 (Maverick). Lucid
has the advantage of being a Long-Term Support release, which means that it's supported (as
much as that means anything with Ubuntu) for three years, until April 2013. However we found
a serious bug, where plugging in a USB stick to a thin client caused the server's screen to become
corrupted and unusable. We have not yet been able to debug the problem sufficiently to file a
bug report in Ubuntu, so it's unlikely to be fixed in Lucid.
This problem does not occur in Maverick, and so far our experience with Maverick has been
quite good, so it looks like we'll be using Maverick for now. Maverick's support is only for 18
months, so we should either downgrade to Lucid, or upgrade to Natty (11.04, not released yet) in
April in order to keep our system supported with security updates for the longest possible time.
2.1 Upgrade Issues
Problems encountered during the upgrade process:
The Maverick installer crashed at least once while compressing the LTSP image (84%
finished)
Maverick and Lucid's new version of Grub doesn't detect the old Hardy partition, and is
extremely complex to configure compared to the old version, so it's not at all clear how
we can now boot into the old system (maybe reinstall old Grub from an 8.04 rescue CD?)
Grub failed to install on the main server because the partition layout had no space after
the boot sector, possibly due to the drive being replaced and the partition table being
copied from the other disk, which has a different geometry
The Maverick kernel insists on trying to mirror /dev/sda3 with the whole of /dev/sdb,
which corrupts the second disk in the RAID array, in a way that's not obvious. This was
because, right at the end of /dev/sdb there was a RAID superblock with the same UUID
as /dev/sda3, so the kernel placed /dev/sda3 and /dev/sdb in the same array.
The installer's partition editor still fails to recognise existing RAID devices (and the LVM
logical volumes on them) automatically under some circumstances, and wouldn't
recognise the existing logical volumes even after entering and exiting the RAID menu.
When trying to create a new volume group, I was told that all devices were used, and
shown that 4 logical volumes were detected, but the partitioner wouldn't allow me to
partition them.
Maverick can't create working USB installers with usb-creator for older versions of
Ubuntu (e.g. Lucid)
Only zambiaserver2 has a CD writer, zambiaserver1 only has a DVD-ROM
Guest accounts appear on the login chooser
Login sessions sometimes, randomly, fail on E2s due to compiz failure to run (screen
width is not a power of two?), needs a hack in the Gnome registry to disable compiz
LTSP still fails to complete installation unless exactly one interface is configured, and
has to be manually configured later
NetworkManager tries to manage the LTSP server interface when the link comes up, and
acquire an IP from its own DHCP server, which wrecks LTSP clients
Scroll bars, unchecked checkboxes, active tabs in Firefox and highlighted unfocused
selections (e.g. usb-creator) are invisible in this theme
Physical power button on thin client does nothing (doesn't shut it down)
Root account is still locked by default, so it's useful to chroot into the LTSP client image
(/opt/ltsp/i386), use passwd to set a password for the root account, and install openssh
server with apt-get update; apt-get install openssh-server, and then rebuild the LTSP
client image with ltsp-build-client
LDM doesn't allow logging in with just the keyboard, e.g. by entering a blank user name
booting the system with a USB stick inserted generates scary messages on the text-mode
boot logo
sshd still doesn't log authentication errors because there's no socket in the sshd chroot.
Add "$AddUnixListenSocket /var/run/sshd/dev/log" to /etc/rsyslog.d/sshd.conf on the
server.
Favourite terminal keybindings (set for one guest account here):
for i in "move_tab_left <Shift><Control>Left" "move_tab_right <Shift><Control>Right" "next_tab <Shift>Right" "prev_tab <Shift>Left"; do sudo -u guest_d9daff gconftool-2 --type string --set /apps/gnome-terminal/keybindings/$i; done
Shutting down the server (on Maverick) from gdm doesn't work.
3 Partitioning with RAID and LVM
We originally used a single partition for simplicity, and because we decided to use only 1/3 of
the 250 GB disk, or 75 GB, leaving the rest for backups or future uses. This came in handy for
the upgrade to Maverick, allowing us to reinstall without wiping the existing system. But it did
mean that the disk filled up faster.
For flexibility, we are reinstalling using LVM on the remaining space, with separate partitions
for:
Root (and all software, and everything not included below) - 15 GB
/var (logs, mailboxes and Squid cache) - 10 GB
Home directories (to stop them from bringing down the system) - 80 GB
Manager's home directory (to allow manager to use the system even if all other users fill
up their space) - 20 GB
Bjoern would like to enable video editing on these systems, which will require a lot of space, so
I've left plenty unallocated (about 40 GB) for a potential future "video" user. More space can be
reclaimed when the important parts of the old user data are copied over from the old Hardy
partition, after which that partition can be removed.
4 Installation Step by Step
4.1 Backup Existing Data
Before starting the installation, back up all important user data from /home, and also /etc/passwd
and /etc/shadow, onto an external hard disk. /etc/shadow holds every user's password hash, so keep
that disk locked away rather than leaving it attached to the shared network.
4.2 IP Address Check
Before proceeding, please check that your server's eth0 interface is attached to a network
with a DHCP server, and that the address range of that network is NOT 192.168.1.x/24.
Also please check that eth1 is attached to a network switch that is powered up, but has no
DHCP server attached.
This is because the LTSP auto-configuration will FAIL if there is no IP address on an interface
(e.g. one interface connected to the Internet) or if that interface has an IP address in the range
that LTSP wants to use by default for its own private network. The interface for the private
network must also have a link.
The easiest way to check the IP address is to:
Attach a computer running Ubuntu desktop to the same Internet connection as the server
that you're installing
Click on the Network Manager icon on the menu bar and select the wired network
Wait for the computer to connect to the network (icon should change to up-and-down
arrows)
Right-click on the Network Manager icon and click Connection Details
Check that the IP Address doesn't start with 192.168.1.
4.3 Boot the Install CD
On the server that you want to install (or reinstall), start by booting from the Ubuntu 10.10
Alternate CD. On the Dell servers: switch on/power up server. Press F11 when you see the Dell
logo. When the "Boot device menu" appears, insert Ubuntu 10.10 Alternate CD and choose
"Embedded Optical Drive Port C" from the menu.
A language menu will appear. Press Enter to select English.
Press F4 and choose Install an LTSP Server (using the down arrow key), then press Enter to load
the installer.
Press Enter again to install Ubuntu.
4.4 Configure Language and Keyboard
Choose the following settings:
Language: English
Country: Other, then Africa, then Zambia (O, enter, A, enter, Z, enter)
Detect keyboard layout: No (just press enter)
Origin of the keyboard: United Kingdom
Keyboard layout: United Kingdom
4.5 Configure Networking and Clock
Primary network interface: eth0 (The primary network interface is the one going to the
Internet.)
o If no DHCP server was found on eth0, this error will appear: Network
autoconfiguration failed. DO NOT PROCEED - check that the DHCP server
or router is working, and retry the network configuration.
Hostname: see label on front of server, e.g. zambiaserver1 or zambiaserver2
Ubuntu will then try to determine which country you are in from your Internet connection. If it
says something other than Your timezone is Africa/Lusaka, then:
Choose No
Scroll up to the top of the list (with the Page Up key) which should say Africa, then
choose Lusaka below that.
4.6 Partition disks: Configuring partitions
The server has two disks. These are mirrored so that both contain the same data, as a backup in
case one disk fails. This mirroring is done by Ubuntu, so we have to configure it now.
This process will delete all existing data on the disks, so please ensure that all important data is
backed up before starting. (We can try to keep some data, but there are no guarantees).
Partitioning method: Manual
You should see the Partition disks menu
Each disk (SCSI1 and SCSI2) should now show something like:
#1 primary 75.0 GB raid
#2 primary 175.0 GB raid (if keeping existing data on partition #1)
Note that the sizes may be different. However, if the partitions don't appear like that, you'll need
to edit them:
If no partitions appear under SCSI1 or SCSI2, then enter each in turn and:
o Create new empty partition table on this device: Yes (if asked)
If you want to try to preserve existing data, then in the following steps, be careful not to delete
partition #1 from either disk.
Select each partition under SCSI1 and SCSI2 (except #1 if you want to save the existing
data), press Enter to edit it, and choose Delete the partition.
Each disk (SCSI1 and SCSI2) should now show:
o #1 primary 75.0 GB raid (if keeping existing data, size may vary)
o 175.0 GB FREE SPACE (amount of free space may vary)
Select the FREE SPACE on each disk in turn:
o Choose Create a new partition
o Press Enter to accept the default size (all of the free space)
o Choose Primary as the type
o Press Enter on Use as: Ext4 journaling file system
o Choose Physical volume for RAID
o Choose Done setting up the partition
4.7 Partition disks: Configuring Software RAID
Choose Configure software RAID from the top of the Partition disks menu
Choose Yes to write the changes to the storage devices, or keep the current partition
layout
If you get an error message about an Error informing the kernel about modifications, then choose
Cancel and keep choosing Cancel until you get to the Software RAID configuration menu. Press
Ctrl+Alt+Delete to reboot the server, and follow all the steps above again. However your
partition changes should have been saved, so you may not need to delete or create any partitions
this time.
You should see the Software RAID configuration menu
Choose Create MD device
Choose RAID1
Press Enter to accept the default of 2 active devices
Press Enter to accept the default of 0 spare devices
Use the up and down arrow keys to select each of the two 175000 MB: raid partitions,
and press Space to make an asterisk (*) appear in the box to the left of each one.
There should be exactly two boxes with asterisks in them.
DO NOT PROCEED unless two devices are selected!
Press Tab to highlight the Continue button and Enter to continue
You should see the Software RAID configuration menu again
Choose Finish
4.8 Partition disks: Create Logical Volumes
You should see the Partition disks menu
Under RAID1 Device, choose partition #1
Choose Use as: do not use
Choose physical volume for LVM
Choose Done setting up the partition
Choose Configure the Logical Volume Manager
Under Keep current partition layout and configure LVM, choose Yes
Choose Create volume group
Enter Raid as the volume group name
Under Devices for the new volume group, highlight /dev/md0 (175000 MB) (or /dev/md1
(175000 MB) if you are preserving existing data)
Use the Space key to put an asterisk (*) in the box next to it
Choose Continue
Create the Root volume for Ubuntu Maverick (10.10):
Choose Create logical volume
Choose the Raid volume group
Enter Root_Maverick as the volume name
Enter 15G (15 gigabytes) for the Logical volume size
Create the other logical volumes in the same volume group:
One called Var_Maverick, 10G size
One called Home, 80G size
One called Home_Manager, 20G size
One called Swap, 4G size
Then choose Display configuration details, and check that the logical volumes are displayed as
follows:
Volume groups:
Raid
Uses physical volume: /dev/md1 (or /dev/md0)
Provides logical volume: Home (79997 MB)
Provides logical volume: Home_Manager (19998 MB)
Provides logical volume: Root_Maverick (14998 MB)
Provides logical volume: Swap (3997 MB)
Provides logical volume: Var_Maverick (9999 MB)
Choose Continue to exit the Current LVM configuration screen. On the LVM configuration
menu, choose Finish.
4.9 Partition disks: Configure Filesystems
You should see the Partition disks menu
Under LVM VG Raid, LV Swap:
o Choose the #1 partition
o Choose Use as: do not use
o Choose swap area
o Choose Done setting up the partition
Under each of the other logical volumes created above (all except Swap):
o Remember which logical volume the partition belongs to, e.g. Home
o Choose the #1 partition
o Choose Use as: do not use
o Choose Ext4 journaling file system
o Choose Mount point: none
o For the Home volume, choose /home
o For the Home_Manager volume, choose Enter manually and then type
/home/manager
o For the Root_Maverick volume, choose /
o For the Var_Maverick volume, choose /var
o Choose Label: none
o Enter the name of the logical volume as its label, e.g. Root_Maverick
o Choose Done setting up the partition
Check that you have the following structure:
o LVM VG Raid, LV Home - 80.0 GB Linux device-mapper (linear)
#1 80.0 GB f ext4 /home
o LVM VG Raid, LV Home_Manager - 20.0 GB Linux device-mapper (linear)
#1 20.0 GB f ext4 /home/manager
o LVM VG Raid, LV Root_Maverick - 15.0 GB Linux device-mapper (linear)
#1 15.0 GB f ext4 /
o LVM VG Raid, LV Swap - 4.0 GB Linux device-mapper (linear)
#1 4.0 GB f swap swap
o LVM VG Raid, LV Var_Maverick - 10.0 GB Linux device-mapper (linear)
#1 10.0 GB f ext4 /var
Scroll down to the bottom of the menu and choose Finish partitioning and write changes
to disk
When asked Do you want to boot your system if your RAID becomes degraded choose No
When asked Write the changes to disks? choose Yes
The system will then display partitions formatting and then 'installing base system'. Wait for
process to finish.
4.10 Set up users and passwords
For Full name for the new user: enter CAMA Network Manager, and continue.
For User name: enter manager
For Password: enter the password for the manager user (you will see a '*' for each
character)
4.11 Configure the package manager
HTTP proxy information: leave blank, because no http proxy required, just press Enter
to continue
System responds with 'select and install software'
Wait for the process to finish, which will take some time
You can cancel the Retrieving files steps if your internet connection is slow, and install
updates later (recommended)
4.12 Configure LTSP
On one of the servers you will probably get the error message: There are no free interfaces for
use with LTSP or Build LTSP chroot: Installation step failed. In this case you will have to
configure the second network interface for LTSP later. In the latter case, you will also be
dropped to the installer menu, where you will have to choose the option Install the GRUB
bootloader and then Finish the installation.
4.13 Configuring grub-pc
When asked Install the GRUB boot loader on the Master Boot Record? choose Yes.
4.14 Finish the installation
Is the system clock set to UTC: Yes
Installation complete. Select continue to restart.
After installation has finished, the server should boot into Ubuntu. Once the boot has finished,
you should see the ubuntu login screen.
5 General Post-Install Configuration
5.1 Enable Local Repository
If you have a mirrored copy of the Ubuntu repository, enable it now to speed up software
installation. E.g. if it's mounted on /media/ubuntumirror, rename /etc/apt/sources.list to a backup
copy, and recreate it with just the following lines inside:
deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick main
restricted universe multiverse
deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick-
updates main restricted universe multiverse
deb file:/media/ubuntumirror/mirror/archive.ubuntu.com/ubuntu maverick-
security main restricted universe multiverse
Note that the path after the file: must exist, and must contain a subdirectory called "dists", which
contains maverick, maverick-updates and maverick-security.
Connect the device and run apt-get update.
Run apt-get upgrade to install any pending software updates.
5.2 Install Ubuntu updates
Login using the manager account. If you have an internet connection, install any updates
available in the package manager.
5.3 Simplify File Management as Root
Run Applications/Ubuntu Software Centre
Type nautilus-gksu into the search box
Click on Privilege granting extension for nautilus using gksu
Click on the Install button
Log out and log back in again to activate the extension
5.4 Install Server Kernel
Allows use of RAM over 4GB.
Run Applications/Ubuntu Software Centre
Type linux-server into the search box
Click on Complete Linux kernel on Server Equipment
Click on the Install button
Reboot to activate the new kernel (Power off button then Restart and log back in once
rebooted).
5.5 Enable auto-creation of home directories
Add the following line to the bottom of /etc/pam.d/common-session:
session required pam_mkhomedir.so umask=0077
Check it very carefully before saving, as a typing mistake could make it impossible for any user
to log in. Keep a root shell open in another terminal and test a fresh login from a second
terminal before closing it; if you do lock yourself out, you might need to boot the system using
a rescue CD.
5.6 Configure LTSP Interface
The private network for LTSP clients must have a different IP address range from the public
(Internet) side of the server. Unfortunately the default is the very common 192.168.0.x range. It's
better to change the range to something less common, such as 192.168.2.x.
Also, NetworkManager has a tendency to try to get an IP address from its own DHCP server,
which breaks both Internet connectivity and thin clients. It's better to configure the LTSP
interface using /etc/network/interfaces rather than NetworkManager.
Right-click on the NetworkManager icon (probably a pair of arrows, up and down)
Choose Edit Connections...
Choose Auto eth1 and click Delete
Choose Auto eth2 if it exists, and click Delete
Click Close
Edit /etc/network/interfaces and add the following lines:
auto eth1
iface eth1 inet static
address 192.168.2.254
netmask 255.255.255.0
Bring the interface up manually with sudo ifup eth1.
Edit /etc/ltsp/dhcpd.conf
Change all instances of 192.168.0 to another subnet, such as 192.168.2
Start the DHCP server with sudo service dhcp3-server start
Run sudo ltsp-update-image to install the NBD server so that clients can boot.
5.7 Install Adobe Flash Plugin
sudo apt-get install flashplugin-installer
5.8 Install Caching Servers
Install Squid and Bind 9:
sudo apt-get install squid bind9
To stop Squid dying due to DNS tests failing if the system boots while the Internet connection is
offline, edit /etc/default/squid and add:
SQUID_ARGS=-D
Start or restart Squid:
sudo service squid stop
sudo service squid start
5.9 Enable Proxy Cache by Default
To enable the proxy cache by default for all users:
Log in as the manager account
Open System/Preferences/Network Proxy
Choose Manual proxy configuration
Tick Use the same proxy for all protocols
For HTTP proxy: enter localhost
For Port: enter 3128
Click the Apply System-Wide... button
Check that you can still browse the Internet.
5.10 Enable Forwarding and Masquerading
Needed if the thin clients need Internet access from local applications, or when running in
standalone mode.
Edit /etc/sysctl.conf, find the line that says:
#net.ipv4.ip_forward=1
and remove the "#" mark at the start of the line. Run this to apply immediately:
sudo sysctl -p /etc/sysctl.conf
Now enable masquerading for the LTSP client subnet. The -s range must be the one you configured
in section 5.6 (192.168.2.0/24 here); with the wrong range the clients' packets leave eth0
un-translated and they get no Internet access:
sudo iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
Save the rules to a file:
sudo iptables-save | sudo tee /etc/iptables.conf
And configure the system to load these rules whenever the eth0 (public) interface comes up, by
editing /etc/network/interfaces, find the following line:
iface eth0 inet dhcp
If it starts with a "#" character, remove it. Then add a line below it which says:
post-up /sbin/iptables-restore < /etc/iptables.conf && echo "Rules loaded."
Test it by bringing the interface down and up again, and check for the line that says "Rules
loaded" in the output:
sudo ifdown eth0
sudo ifup eth0
Edit /etc/ltsp/dhcpd.conf and edit the following values:
option domain-name-servers
option routers
Change both to 192.168.2.254, save, and restart dhcpd:
sudo service dhcp3-server restart
Check that the DNS service is running: sudo service bind9 status should say bind9 is
running.
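The following script is an added example, not part of the original page. It automates the check in section 4.2 (the LTSP private subnet must not overlap the network on the public interface) and generates the rules for section 5.10 in iptables-restore format, so the output can be written straight to /etc/iptables.conf. Unlike the page's single MASQUERADE rule, the generated set also restricts forwarding to traffic from the LTSP subnet and replies to it; that FORWARD policy, the function names and the CIDR arithmetic are this example's assumptions, while eth0, eth1 and 192.168.2.0/24 are the page's own configuration.

```shell
#!/bin/sh
# Added example (not from the page): 4.2 overlap check plus 5.10 rule generator.
# Only POSIX sh features are used, so it runs under dash as well as bash.

# ip_to_int 192.168.2.254 -> 3232236286
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_to_mask 24 -> 4294967040 (0xffffff00)
prefix_to_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_overlap A/P B/Q -> true (exit 0) if the two networks share addresses.
# Two CIDR blocks overlap exactly when they agree on the shorter prefix.
cidr_overlap() {
    a_ip=${1%/*}; a_pre=${1#*/}
    b_ip=${2%/*}; b_pre=${2#*/}
    p=$a_pre
    [ "$b_pre" -lt "$p" ] && p=$b_pre
    m=$(prefix_to_mask "$p")
    [ $(( $(ip_to_int "$a_ip") & m )) -eq $(( $(ip_to_int "$b_ip") & m )) ]
}

# public_cidr eth0 -> "10.1.2.3/24" as reported by ip(8), empty if no address
public_cidr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4; exit }'
}

# ltsp_nat_rules LTSP_SUBNET WAN_IF LAN_IF -> rules in iptables-restore format:
# masquerade only the LTSP subnet, and forward only its traffic and the replies
ltsp_nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $2 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $3 -o $2 -s $1 -j ACCEPT
-A FORWARD -i $2 -o $3 -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# check_and_emit LTSP_SUBNET WAN_IF LAN_IF: refuse to print rules when the
# LTSP subnet collides with the address WAN_IF currently holds (the 4.2 failure)
check_and_emit() {
    wan=$(public_cidr "$2")
    if [ -n "$wan" ] && cidr_overlap "$1" "$wan"; then
        echo "LTSP subnet $1 overlaps $2 ($wan): choose another range" >&2
        return 1
    fi
    ltsp_nat_rules "$1" "$2" "$3"
}

# usage: check_and_emit 192.168.2.0/24 eth0 eth1 | sudo tee /etc/iptables.conf
```

The FORWARD chain defaults to DROP so that a thin client (or anything else plugged into the eth1 switch) can only reach the Internet through the server's NAT, and nothing on the public side can initiate connections into the LTSP network; the page's masquerade-only setup leaves forwarding wide open in both directions once ip_forward is enabled.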
5.11 LTSP Screen Blanking
We use the following script to blank all guest screens until the command is killed with Ctrl+C:
#!/bin/sh
set -e
# Run "gnome-screensaver-command $1" once in every guest session. LDM starts
# each session over ssh with DISPLAY=... on the command line, so the display
# can be read back from the process list. The guest group is "guests", as
# created by the account script in section 6.1.
command_all(){
    ps --no-headers -o euid:1 -o command -p "$(pgrep -d, -G guests)" |
    sed -ne 's/^\([0-9]*\) .*DISPLAY=\([^ ]*\).*/\1 \2/p' |
    while read euid display ; do
        # $HOME is escaped so that it is expanded by the guest's shell
        # (sudo -H sets it to the guest's home), not by this script's shell
        sudo -H -u "#$euid" DISPLAY="$display" \
            sh -c "env XAUTHORITY=\$HOME/.Xauthority gnome-screensaver-command $1"
    done
}
trap 'command_all --deactivate' EXIT
trap 'command_all --deactivate' INT
while true; do command_all --activate --lock; sleep 2; done
You can also create an icon for it, that runs in a terminal, and close the terminal window to stop
it.
The script runs sudo, and therefore requires that your user is a member of the admin group, e.g.
manager.
5.12 Customising the LTSP Client Image
You can make changes in /opt/ltsp/i386 and then run sudo ltsp-update-image to apply them. Each
Aleutia needs to be rebooted for the changes to take effect on it.
To be able to log in as root on the Aleutia (highly recommended):
sudo chroot /opt/ltsp/i386
passwd
(enter a root password)
exit
sudo ltsp-update-image
To install software in the chroot using apt, either online:
Replace /opt/ltsp/i386/etc/apt/sources.list with the unmodified (Internet) copy
from the server, for example /etc/apt/sources.list.bak
Or offline:
sudo mkdir /opt/ltsp/i386/cdrom
sudo mount --bind /media/ubuntumirror /opt/ltsp/i386/cdrom
sudo cp /etc/apt/sources.list /opt/ltsp/i386/etc/apt
edit /opt/ltsp/i386/etc/apt/sources.list and change /media/ubuntumirror to /cdrom
sudo chroot /opt/ltsp/i386 apt-get update
To be able to log in remotely to the Aleutia for debugging (highly recommended):
sudo chroot /opt/ltsp/i386 apt-get install openssh-server
sudo ltsp-update-image
If the LTSP client tree gets corrupted then you can rebuild it. You may need Internet access for
this. Run the following commands:
sudo rm -rf /opt/ltsp/i386
sudo ltsp-build-client
To build an LTSP client tree with updates, using a UK mirror and a proxy server. The release name
in the extra mirror must match the chroot being built: maverick-updates for a Maverick chroot;
hardy-updates, as shown here, only when building a Hardy one:
sudo env http_proxy=http://fen-fw.aptivate.org:3128 \
    ltsp-build-client \
    --mirror "http://gb.archive.ubuntu.com/ubuntu" \
    --extra-mirror "http://gb.archive.ubuntu.com/ubuntu hardy-updates main restricted"
5.13 Disable Compiz for Compatibility
Some graphics cards in thin clients don't work with LTSP, or recent versions of Ubuntu in
general. The symptom is that when you log in, the session exits immediately and you're dumped
back at the login prompt.
If you look in the .xsession-errors file in the user's home directory, you might see the following
lines:
/usr/bin/compiz (core) - Fatal: Support for non power of two textures missing
/usr/bin/compiz (core) - Error: Failed to manage screen: 0
/usr/bin/compiz (core) - Fatal: No manageable screens found on display localhost:11.0
The fix for this is to disable Compiz for each user individually:
sudo -u <user> gconftool-2 --type string \
    --set /desktop/gnome/session/required_components/windowmanager metacity
Or for all users:
sudo gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string --set \
    /desktop/gnome/session/required_components/windowmanager metacity
Note that this disables pretty window effects for all users.
6 Camfed Programme Specific
6.1 Guest User Accounts
We use the "Login as Guest" feature of LDM in the classroom, to avoid having to hand out
passwords. Guest users can also expect not to be able to save files locally. The recommended
way seems to be to have a user account for each computer, with the same name as the computer,
to avoid needing to configure each computer in lts.conf. However we still have to create a large
number of user accounts in this case.
We use a script to create user accounts based on the MAC address of each thin client. This
requires us to boot all the clients to get their MAC addresses into the DHCP database.
The script will rewrite /var/lib/tftpboot/ltsp/i386/lts.conf and destroy its previous
contents, so don't run it if you've made any important changes to that file.
The user accounts are authenticated by an SSH public key pair, of which the private key is in the
LTSP image. If the key does not exist, the script generates one when run. The key is restricted,
with a from= option in each authorized_keys file, to logins from the LTSP client subnet, which the
script reads from eth1 (192.168.2.0/24 after the change in section 5.6). The accounts have locked
passwords so there is no other way to log in. Every terminal boots the same image containing the
private key, so a rogue or compromised client or network device could steal it; it's not
completely secure, but much better than assigning passwords to guest users. Note that ssh-keygen
-t dsa produces a 1024-bit DSA key, which OpenSSH 7.0 and later refuse by default; on a newer
release generate an RSA or Ed25519 key instead and change the id_dsa file names in the script.
The script is this:
#!/bin/bash
# creates guest accounts for each LTSP terminal that has already
# obtained an IP address using DHCP, so we know its MAC address
# from the DHCP server database
set -e
groupadd -f guests
guesthouse=/home/guests
mkdir -p $guesthouse
apt-get install ipcalc
subnet=`ip addr ls dev eth1 | grep "inet " | awk '{ print $2 }'`
subnet=`ipcalc $subnet | grep Network | awk '{ print $2 }'`
# generate a secure key to use for login to guest accounts; the passphrase
# must be empty because LDM logs in unattended from the booted image
if [ ! -r /opt/ltsp/i386/root/.ssh/id_dsa ]; then
    mkdir -p /opt/ltsp/i386/root/.ssh
    chroot /opt/ltsp/i386 ssh-keygen -t dsa -N '' -f /root/.ssh/id_dsa
    ltsp-update-image
fi
cat > /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF
# http://manpages.ubuntu.com/manpages/maverick/en/man5/lts.conf.5.html
[default]
# Enable direct X connections (not using ssh), faster but not secure,
# important for youtube and general responsiveness on the E2s
LDM_DIRECTX = True
# Enable the "Login as Guest" button in LDM
LDM_GUESTLOGIN = True
# Reduce volume of the Ubuntu startup sound
VOLUME = 50
# Prevent X clients from using all system RAM and hanging the terminal
X_RAMPERC = 80
EOF
create_account()
{
    user=$1
    home=$2
    # create the user if they don't exist, set their shell, put them in the
    # "guests" group and lock their password to prevent password logins
    # (useradd creates the account with no usable password at all)
    if getent passwd $user >/dev/null; then
        usermod -g guests -s /bin/bash -d $home -L $user
    else
        useradd -g guests -s /bin/bash -d $home -m $user
    fi
    # Lock down the panel for guest users to stop them messing around
    sudo -u $user gconftool-2 \
        --type boolean \
        --set /apps/panel/global/locked_down true
    # Set preferred keybindings for the user
    for i in \
        "move_tab_left <Shift><Control>Left" \
        "move_tab_right <Shift><Control>Right" \
        "next_tab <Shift>Right" \
        "prev_tab <Shift>Left"
    do
        sudo -u $user gconftool-2 --type string \
            --set /apps/gnome-terminal/keybindings/$i
    done
}
create_account guest $guesthouse/guest
grep ethernet /var/lib/dhcp3/dhcpd.leases |
    awk '{ print $3 }' |
    sed -e 's/;//' |
    sort |
    uniq |
    while read mac; do
        # echo something to show progress
        echo $mac
        # extract the last two bytes of the MAC, enough to be unique
        # but not too long
        shortmac=`echo $mac | perl -pe 's/(..):(..):(..):(..):(..):(..)/$5$6/'`
        # generate the user name based on the MAC
        user="guest_$shortmac"
        home="$guesthouse/$user"
        # write an entry for each terminal into lts.conf
        cat >> /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF
[$mac]
HOSTNAME = ltsp-$shortmac
LDM_USERNAME = $user
EOF
        create_account $user $home
        # allow public-key logins from thin clients using the secure key that
        # we generated earlier, only from the LTSP subnet. The directory and
        # file are deliberately left owned by root: sshd accepts root-owned
        # files under StrictModes, and the guest cannot add keys of their own.
        mkdir -p $home/.ssh
        echo "from=\"$subnet\"" `cat /opt/ltsp/i386/root/.ssh/id_dsa.pub` \
            > $home/.ssh/authorized_keys
        # Disable locking the screen for users with no password to unlock it
        sudo -u $user gconftool-2 \
            --type boolean \
            --set /apps/gnome-screensaver/lock_enabled false
    done
exit 0
You must not have duplicate sections for the same machine in
/var/lib/tftpboot/ltsp/i386/lts.conf, so please double-check this.
If any client doesn't log in automatically at boot, check that its configuration in lts.conf is correct,
and see whether you can log on using its guest account on another station. The guest account
name is made from the prefix guest_, followed by the last two bytes of the MAC address, without
colons, e.g. guest_d90e. You should not need to enter any password.
The MAC address of each Aleutia should be printed on a label on its back, but if not, boot the
Aleutia to the LTSP login screen, press Ctrl+Alt+F1, login as root, run ifconfig eth0 and
look for the HWaddr. Run logout and press Ctrl+Alt+F7 to get back to the LTSP login screen.
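The two checks above can be scripted. The following is an added example, not a script from the original page: guest_name_for_mac derives the guest user name from a MAC address the same way the account script does, and lts_conf_duplicates reports any section header that appears more than once in an lts.conf (the sample lts.conf is constructed here, and the hypothetical client MAC 00:1c:c0:12:d9:0e is an assumption).

```shell
#!/bin/sh
# Added example (not part of the original page): derive the guest user name
# from a MAC address the way the account script does, and check an lts.conf
# for duplicate [mac] sections before the thin clients use it.

# Print the guest user name for a MAC address: "guest_" plus the last two
# bytes of the address, lower-cased, without colons
# (00:1c:c0:12:D9:0E -> guest_d90e).
guest_name_for_mac() {
    echo "$1" | awk -F: '{ print "guest_" tolower($5 $6) }'
}

# Print every section header that appears more than once in the lts.conf
# named by $1 (headers compared case-insensitively, so 00:AA:... and
# 00:aa:... count as the same machine). Returns 1 if duplicates were found.
lts_conf_duplicates() {
    dups=$(sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1" \
        | tr 'A-Z' 'a-z' | sort | uniq -d)
    if [ -z "$dups" ]; then
        return 0
    fi
    echo "$dups" | sed 's/.*/duplicate lts.conf section: [&]/' >&2
    return 1
}

# Constructed sample lts.conf with one client listed twice (sample data,
# not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[default]
VOLUME = 50

[00:1c:c0:12:d9:0e]
HOSTNAME = ltsp-d90e
LDM_USERNAME = guest_d90e

[00:1C:C0:12:D9:0E]
HOSTNAME = ltsp-d90e
EOF

echo "guest account for 00:1c:c0:12:d9:0e: $(guest_name_for_mac 00:1c:c0:12:d9:0e)"
if lts_conf_duplicates "$sample"; then
    echo "lts.conf is clean"
else
    echo "fix lts.conf before booting the clients"
fi
rm -f "$sample"
```

Run it against the real file with lts_conf_duplicates /var/lib/tftpboot/ltsp/i386/lts.conf after the guest account script has appended its entries.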
6.2 Student Accounts
We have a list of students, with email addresses and passwords, in CSV format. To create
accounts for them, we use the following script:
#!/bin/sh
# abort if anything goes wrong
set -e
# set -x

groupadd -f students
hostel=/home/students
mkdir -p $hostel

if [ "$1" = "--delete" ]; then
    DELETE=yes
fi

set_keybindings() {
    sudo_opts=$1
    shift
    # $i is deliberately left unquoted so that it splits into the key name
    # and its value
    for i in \
        "move_tab_left <Shift><Control>Left" \
        "move_tab_right <Shift><Control>Right" \
        "next_tab <Shift>Right" \
        "prev_tab <Shift>Left"
    do
        sudo $sudo_opts gconftool-2 "$@" --type string \
            --set /apps/gnome-terminal/keybindings/$i
    done
}

# set the keybindings in the system-wide gconf defaults first
set_keybindings "" --direct --config-source \
    xml:readwrite:/etc/gconf/gconf.xml.defaults

# one student per line of input, fields separated by the IFS character
while IFS=' ' read number email firstname lastname oldpassword \
    newpassword type rest
do
    echo $email
    if [ -n "$email" -a -n "$newpassword" ]; then
        case $email in
        *@camanetwork.org)
            # remove @camanetwork.org from email address
            user=`echo $email | sed -e 's/@.*//'`
            echo $user $newpassword
            # hash the password with a random two-character salt. This is
            # traditional DES crypt, which only uses the first 8 characters
            # of the password; a salt starting "$6$" gives SHA-512 on glibc.
            crypt=`perl -e "
                @a=('A'..'Z', 'a'..'z', '0'..'9');
                print crypt '$newpassword',
                    join('', @a[rand @a,rand @a])"`
            home="$hostel/$user"
            opts="-p $crypt -g students -s /bin/bash -d $home"
            name="$firstname $lastname, $type, 2010"
            # with --delete, wipe the existing account and home directory
            # before recreating them
            if [ -n "$user" -a -d "$home" -a -n "$DELETE" ]; then
                rm -rf "$home"
            fi
            if getent passwd $user >/dev/null && [ -n "$DELETE" ]; then
                userdel -r $user
            fi
            if getent passwd $user >/dev/null; then
                usermod $opts -c "$name" $user
            else
                useradd $opts -c "$name" $user
            fi
            # the per-user keybindings can only be set once the home exists
            if [ -d "$home" ]; then
                set_keybindings "-u $user"
            fi
            ;;
        esac
    fi
done
We run it as cat students.csv | sudo ./create-student-accounts.sh.
6.3 Clean Guest Accounts
This script resets all guest accounts to the state of the special guest user. Log in as this user only
to configure what all other guest users should end up looking like when reset.
This can be useful if a guest user corrupts their profile, leaves litter in their home directory, or
their session crashes leaving stale processes running. It does not prevent trojan attacks, only
limits their scope.
__BE VERY CAREFUL WITH THIS.__ All the user's files and configuration will be deleted. It
double-checks that it's only being used on guest users.
#!/bin/bash
# Resets a specified guest account, or all guest accounts, to the state of
# the "guest" user, to clean up disk space and stale processes.
# Users who are logged in will not be cleaned up. Use the "-f" option to
# forcibly log them out first.

# abort on error
set -e

if [ "$1" = "-f" ]; then
    force=yes
    # drop the option so that it is not taken for a user name below
    shift
fi

# find every user that the guest account script put in the "guests" group
all_users=`getent passwd | sed -e 's/:.*//'`
for i in $all_users; do
    groups=`groups $i | sed -e 's/.* : //'`
    for g in $groups; do
        if [ "$g" = "guests" ]; then
            guest_users="$guest_users $i"
            break
        fi
    done
done

do_users="$guest_users"
if [ -n "$1" ]; then
    do_users="$*"
fi

for i in $do_users; do
    # refuse to touch anything that is not a guest account; the flag is
    # reset for every user so an earlier guest cannot vouch for a later one
    is_guest=
    for g in $guest_users; do
        if [ "$i" = "$g" ]; then
            is_guest=yes
            break
        fi
    done
    if [ -z "$is_guest" ]; then
        echo "$i is not a guest!"
        exit 2
    fi
    if who | grep -q "^$i "; then
        echo -n "$i is logged in! "
        if [ -n "$force" ]; then
            echo "killing session"
            gnome-session-save --force-logout $i
        else
            echo "skipping. Use -f to kill their session."
            continue
        fi
    fi
    echo
    # signal 0 only tests whether the user owns any processes
    if killall -0 -u $i 2>/dev/null; then
        echo -n "$i has processes running! "
        if [ -n "$force" ]; then
            echo "killing them"
            killall -9 -u $i
        else
            echo "skipping. Use -f to kill their processes."
            continue
        fi
    fi
    do_users_loggedout="$do_users_loggedout $i"
done

for i in $do_users_loggedout; do
    home=`getent passwd $i | cut -d: -f6`
    # copy the template home over the user's, removing anything extra, but
    # keep .ssh so the thin client's authorized key survives the reset
    rsync -a --delete --exclude=/.ssh/ ~guest/ $home
    chown -R $i $home
done
exit 0
6.4 Internet Cafe Software
The SRC managers requested that we install some software that allows them to time-limit
customers at the Internet Cafe. We chose OutKafe, a system that is free, fully featured and was
supposed to be open source. We thought we would want to customise it, and in the end we did,
but some of the download links didn't work and the author never responded to our questions.
Once it was installed, we needed a way to make the guest users automatically run the client
program, oklin, in a way that they couldn't avoid or disable. As we're using the Gnome desktop,
we created an autostart file in /usr/share/gnome/autostart/56outkafe-client with the
following contents:
#!/bin/sh
# start the cafe client in the background for members of the guests group only
if groups | grep -qw guests; then
    oklin > ~/.oklin.log 2>&1 &
fi
This will start the client for all guest users. Guests can log in using LDM with no password. The
oklin client then locks the computer and requires entry of a username and password from its
own user database, which also stores user credit. It allows new users to set their passwords on
first login. When the user's credit runs out, it locks their screen again.
We would have liked to add some features, such as a way to log the guest user out (so that a
manager can log in on the same terminal), but without the source code we couldn't.
If the admin makes a mistake in OutKafe and gives too much credit to a user, there's no obvious
way to fix it. However, we did discover that you can give them a negative amount of credit, and
this works to reduce their total credit.
7 Work in Progress
7.1 Read-only Guest Users