On Mon, Dec 30, 2019 at 08:28:21PM +0100, Wolfgang Schweer wrote:
> On Thu, Dec 26, 2019 at 10:34:13PM +0000, Mike Gabriel wrote:
> > On Di 10 Dez 2019 19:31:10 CET, Wolfgang Schweer wrote:
> >
> > > TBD: Integrating the x2gothinclient minidesktop (once available)
> >
> > x2gothinclient has arrived in unstable.
>
> Integrated. There's now support for three types of thin clients.
>
> The desktop mode type still needs more work to configure the environment
> and firefox-esr, though. And the display mode type could be improved
> too, I guess.

The X2Go minidesktop type is now preconfigured for firefox-esr inside
the internal network (TLS, Proxy, homepage).

See the attached script for more information about other changes.

Wolfgang

#!/bin/bash
#
# Turn a Debian Edu workstation into an LTSP server for both diskless
# workstations and thin clients (using X2Go).

# The configuration below applies to a Debian Edu workstation in the internal
# backbone network with two NICs. This system needs to be registered w/ GOSa².
# Also, kerberized NFS is needed, see:
# https://www/debian-edu-doc/en/debian-edu-buster-manual.html#Administration--Kerberized_NFS

# The modified system provides a separate LTSP client network (192.168.67.0/24)
# attached to eth1.

# In case of a combined server, for the time being the tftpd-hpa package needs
# to be reconfigured like this:
#
#/etc/default/tftpd-hpa
#
# TFTP_USERNAME="tftp"
# TFTP_DIRECTORY="/srv/tftp"
# TFTP_ADDRESS="0.0.0.0:69"
# TFTP_OPTIONS="-s"
#
#
# Wolfgang Schweer <wschw...@arcor.de>, November 2019
#
# Revision 2019-12-10:
# - Add workaround for diskless workstation image generation (ltsp issue #43).
# - Configure diskless workstation image and settings conditionally for both a
#   combined server (profiles 'Main-Server','Workstation') and a Workstation.
# - Sound and USB mass storage support for thin clients.
# - Improve inline documentation.
#
# Revision 2019-12-30:
# - Adjust for ltsp 19.12.1-1 (entered bullseye recently).
# - Improve security during diskless workstation image generation.
# - Use the education-thin-client metapackage.
# - Provide x2gothinclient (w/ and w/o displaymanager) as additional options;
#   a workaround is needed to make the x2go client get started (bug #947618).
# - Added workaround for x2gothinclient bug #947785 (the login window shows
#   last username).
# - Use /srv/ltsp as base for chroot and images (instead of /opt/ltsp).
# - Rework options/values and their evaluation.
# - Rework image location and iPXE menu configuration settings.
#
# Revision 2020-01-02:
# - Fix some script flaws and improve documentation.
# - Remove thin client chroot once the related image has been built.
# - Customize X2Go minidesktop (environment settings, package installation,
#   firefox-esr localization).

set -e

# usage
if [ -z "$1" ] ; then
    echo "Use $0 -h or $0 --help for more information"
    exit 0
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
    cat <<EOF
Usage information:
$0 --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop>

Turn a Debian Edu workstation into an LTSP server for both diskless workstations and thin clients.

--arch takes effect for a thin client chroot setup, default value is amd64.
--dist takes effect for thin client chroot setup, default value is stable.
--dns_server defaults to 10.0.2.2 if unset.
--diskless_workstation defaults to yes if unset.
--thin_type has no default value.
    bare: preconfigured x2go client running via 'startx' as user 'thin' with sound and client side mass storage support.
    display: x2gothinclient running in display mode.
    desktop: x2gothinclient running in minidesktop mode.

This script applies to a system with two NICs, located inside the internal backbone network.
EOF
    exit 0
fi

if [ -r /etc/debian-edu/config ] ; then
    . /etc/debian-edu/config
fi

arch="amd64"
dist="stable"
dns_server="10.0.2.2"
diskless_workstation="yes"
thin_type=""

while [ $# -gt 0 ] ; do
    case "$1" in
        --arch) arch="$2" ; shift ;;
        --dist) dist="$2" ; shift ;;
        --dns_server) dns_server="$2" ; shift ;;
        --diskless_workstation) diskless_workstation="$2" ; shift ;;
        --thin_type) thin_type="$2" ; shift ;;
    esac
    shift
done

kernel_arch="$arch"
if [ "i386" == "$arch" ] ; then
    #kernel_arch="686-pae"
    # next one optimal for very old TC machines w/o PAE.
    kernel_arch="686"
fi

# Two cases: buster and bullseye.
if grep -q 10 /etc/debian_version ; then
    # First get new LTSP package and install it manually (ltsp is not available for Buster).
    # FIXME: This will soon be ltsp_20.x
    if [ ! -x /usr/share/ltsp/ltsp ] ; then
        if [ ! -f ltsp_19.12.1-1_all.deb ] ; then
            wget http://ftp.debian.org/debian/pool/main/l/ltsp/ltsp_19.12.1-1_all.deb
        fi
        apt install -qy ./ltsp_19.12.1-1_all.deb
        apt -yq install debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
    fi
else
    if [ ! -x /usr/share/ltsp/ltsp ] ; then
        apt -yq install ltsp debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
    fi
fi

# FIXME: Can't get name resolution working w/o this.
apt -yq purge resolvconf

# Common Debian Edu specific configuration (dirs and HERE documents), only minor
# difference for thin and diskless (in ltsp.conf), see below.
if [ ! -d /etc/ltsp/client ] ; then
    mkdir -p /etc/ltsp/client/init
    # Debian Edu uses LDAP/NFS/Kerberos (krb5i) instead of sshfs for home dirs.
    touch /etc/ltsp/client/init/54-pam.sh
    # Debian Edu wants a greeter w/o user list, i.e. don't modify existing config.
    touch /etc/ltsp/client/init/55-display-manager.sh
    # make ipxe menu entries more user friendly.
    cat <<EOF > /etc/ltsp/ltsp.conf
# /bin/sh -n
# LTSP configuration file
# Documentation=man:ltsp.conf(5)

# Provide a full menu name for thin/bare-amd64.img
IPXE_BARE_AMD64_IMG="Plain X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/bare-i386.img
IPXE_BARE_I386_IMG="Plain X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for thin/display-amd64.img
IPXE_DISPLAY_AMD64_IMG="Display Mode X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/display-i386.img
IPXE_DISPLAY_I386_IMG="Display Mode X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for thin/desktop-amd64.img
IPXE_DESKTOP_AMD64_IMG="Desktop Mode X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/desktop-i386.img
IPXE_DESKTOP_I386_IMG="Desktop Mode X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for x86_64.img
IPXE_X86_64_IMG="Diskless Workstation (64-Bit)"

# Debian Edu specific
DNS_SERVER=10.0.2.2
SEARCH_DOMAIN=intern

# In the special [clients] section, parameters for all clients can be defined.
# Most ltsp.conf parameters should be placed here.
[clients]
EOF
fi

# Debian Edu specific common additional image excludes; for diskless
# workstations the /skole mountpoint (for autofs) needs to be clean.
# This applies for both a combined server and 'a normal' LTSP server.
# For a combined server image the autofs service needs to be enabled (see below).
if echo "$PROFILE" | grep -Eq 'Workstation' ; then
    cat <<EOF > /etc/ltsp/image-local.excludes
skole/*
EOF
fi

# FIXME: On the main server even more additional excludes might be useful.
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
    cat <<EOF >> /etc/ltsp/image-local.excludes
usr/lib/apache2
usr/lib/exim4
usr/lib/icinga
usr/log/samba/*
usr/log/squid/*
var/cache/apache2/*
var/cache/apt/*
var/cache/bind/*
var/cache/debconf/*
var/cache/etckeeper/*
var/cache/gosa/*
var/cache/icinga/*
var/cache/munin/*
var/cache/nscd/*
var/cache/samba/*
var/lib/apache2/*
var/lib/cfengine3/*
var/lib/dbus/*
var/lib/dhcp/*
var/lib/dpkg/*
var/lib/exim4/*
var/lib/icinga/*
var/lib/munin/*
var/lib/munin-node/*
var/lib/nfs/*
var/log/cfengine/*
var/log/installer/*
var/log/munin/*
var/log/samba/*
var/log/squid/*
var/mail/*
var/log/*.gz
var/spool/squid
EOF
fi

# Needed for thin client auto login user.
# \$TERM is escaped so that systemd, not this script, expands it.
mkdir -p /etc/ltsp/getty@tty1.service.d
cat <<EOF > /etc/ltsp/getty@tty1.service.d/override.conf
[Service]
ExecStart=
ExecStart=-/usr/sbin/agetty -a thin --noclear %I \$TERM
RestartSec=10
EOF

# Needed for thin client autofs setup (USB mass storage support, rw mode).
mkdir -p /etc/ltsp/autofs
cat <<EOF > /etc/ltsp/autofs/extra.autofs
/- /etc/auto.usb0 --mode=0777 --timeout=3
EOF
cat <<EOF > /etc/ltsp/autofs/auto.usb0
/usb0 -fstype=auto,rw,user,umask=000 :/dev/sda1
EOF

# Needed for thin client auto login configuration (startx).
mkdir -p /etc/ltsp/skel
cat <<EOF > /etc/ltsp/skel/.profile
while true ; do
    startx
done
EOF

# Needed for thin client auto login configuration (x2goclient start).
cat <<EOF > /etc/ltsp/skel/.xinitrc
exec x2goclient --no-menu --add-to-known-hosts --no-session-edit --close-disconnect
EOF

# Needed for thin client x2goclient configuration.
mkdir -p /etc/ltsp/skel/.x2goclient
cat <<EOF > /etc/ltsp/skel/.x2goclient/printing
[General]
pdfview=false
showdialog=true

[CUPS]
defaultprinter=

[print]
command=lpr
ps=false
startcmd=false
stdin=false

[view]
command=xpdf
open=true
EOF

# Needed for thin client (x2goclient preconfigured session).
cat <<EOF > /etc/ltsp/skel/.x2goclient/sessions
[default]
autologin=false
clipboard=both
command=XFCE
defsndport=true
directrdp=false
directrdpsettings=
directxdmcp=false
directxdmcpsettings=
display=1
dpi=96
export="/usb0:1;"
fstunnel=true
fullscreen=true
height=600
host=$(hostname -s)
icon=/usr/share/icons/hicolor/64x64/apps/x2goclient.png
iconvfrom=ISO8859-1
iconvto=UTF-8
krbdelegation=false
krblogin=false
maxdim=false
multidisp=false
name=Debian Edu Thin Client
pack=16m-jpeg
print=true
published=false
quality=9
rootless=false
setdpi=true
sndport=4713
sound=true
soundsystem=pulse
soundtunnel=true
speed=4
sshport=22
sshproxyautologin=false
startsoundsystem=true
type=auto
useiconv=false
usekbd=true
usesshproxy=false
width=800
xdmcpclient=Xnest
xdmcpserver=localhost
xinerama=false
EOF

# Needed for thin client x2goclient configuration.
cat <<EOF > /etc/ltsp/skel/.x2goclient/settings
[toolbar]
show=false
EOF

# Create thin client chroot and generate image.
export DEBIAN_FRONTEND=noninteractive
if ! [ "" == "$thin_type" ] && [ ! -d /srv/ltsp/thin/"$thin_type"-"$arch"/etc/ltsp ] ; then
    mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"
    # Install common thin client packages.
    debootstrap --arch="$arch" --variant=minbase --include=linux-image-"$kernel_arch" \
        "$dist" /srv/ltsp/thin/"$thin_type"-"$arch" https://deb.debian.org/debian
    chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt clean
    mount /dev/pts -t devpts /srv/ltsp/thin/"$thin_type"-"$arch"/dev/pts
    mount proc -t proc /srv/ltsp/thin/"$thin_type"-"$arch"/proc
    mount tmpfs -t tmpfs /srv/ltsp/thin/"$thin_type"-"$arch"/tmp
    mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/tmp/user/0
    chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install education-thin-client
    # Install case specific additional packages.
    if [ "bare" == "$thin_type" ] ; then
        chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install autofs x2gothinclient-common xpdf
    fi
    if [ "display" == "$thin_type" ] ; then
        chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install x2gothinclient-displaymanager
    fi
    if [ "desktop" == "$thin_type" ] ; then
        chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install x2gothinclient-minidesktop \
            x2gothinclient-management x2gothinclient-cdmanager x2gothinclient-usbmount \
            firefox-esr-l10n-"$LANGCODE"
    fi
    umount /srv/ltsp/thin/"$thin_type"-"$arch"/dev/pts
    umount /srv/ltsp/thin/"$thin_type"-"$arch"/proc
    umount /srv/ltsp/thin/"$thin_type"-"$arch"/tmp
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/tmp/user
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/debconf
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/man
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/lib/dpkg
    cp /etc/locale.gen /srv/ltsp/thin/"$thin_type"-"$arch"/etc/
    cp /etc/default/locale /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
    chroot /srv/ltsp/thin/"$thin_type"-"$arch" locale-gen
    cp /etc/default/keyboard /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
    cp /etc/default/console-setup /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
    chroot /srv/ltsp/thin/"$thin_type"-"$arch" setupcon -k

    # Customize X2Go client for Debian Edu use.
    if [ "display" == "$thin_type" ] || [ "desktop" == "$thin_type" ] ; then
        cp /etc/ltsp/skel/.x2goclient/sessions /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient_sessions
    fi

    # Firefox-ESR customization for Debian Edu.
    if [ "desktop" == "$thin_type" ] ; then
        cp /etc/environment /srv/ltsp/thin/"$thin_type"-"$arch"/etc
        cp /etc/firefox-esr/debian-edu.js /srv/ltsp/thin/"$thin_type"-"$arch"/etc/firefox-esr
        cp /etc/firefox-esr/debian-edu-homepage-ldap.js /srv/ltsp/thin/"$thin_type"-"$arch"/etc/firefox-esr
        cp /etc/ssl/certs/Debian-Edu_rootCA.crt /srv/ltsp/thin/"$thin_type"-"$arch"/etc/ssl/certs
        cat <<EOF > /srv/ltsp/thin/"$thin_type"-"$arch"/usr/share/firefox-esr/distribution/policies.json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": [
        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
      ]
    },
    "NewTabPage": false,
    "OverrideFirstRunPage": ""
  }
}
EOF
    fi

    # FIXME: Workaround for x2gothinclient bug (#947618).
    if [ "display" == "$thin_type" ] ; then
        sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient-displaymanager_start
    fi
    if [ "desktop" == "$thin_type" ] ; then
        sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient-minidesktop_start
    fi

    ltsp image /srv/ltsp/thin/"$thin_type"-"$arch"

    # Remove chroot now that the image has been built (to save space)
    rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"

    # Create a runtime user for x2go login terminal; configure autofs (USB storage support).
    if [ "bare" == "$thin_type" ] ; then
        cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_THIN_USER='useradd -G disk -m -d /run/home/thin -k /etc/ltsp/skel -r thin'
POST_INIT_SYSTEMD='mkdir /etc/systemd/system/getty@tty1.service.d && \
cp /etc/ltsp/getty@tty1.service.d/override.conf /etc/systemd/system/getty@tty1.service.d'
POST_INIT_AUTOFS='cp /etc/ltsp/autofs/extra.autofs /etc/auto.master.d && \
cp /etc/ltsp/autofs/auto.* /etc'
EOF
    fi

    # FIXME: Workaround for x2gothinclient bug (#947618).
    if [ "display" == "$thin_type" ] ; then
        cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_X2GOTHIN_SVG='cp /etc/x2go/x2gothinclient-displaymanager_background.svg \
/etc/x2go/x2gothinclient-background.svg'
EOF
    fi

    # Create the ltsp.img file and move it to where it belongs.
    ltsp initrd
    mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/"$thin_type"-"$arch"/ltsp.img

    # Create the iPXE menu entry
    ltsp ipxe

    # Clean up ltsp.conf from image specific items.
    sed -i '/POST_INIT/d' /etc/ltsp/ltsp.conf
fi

# Generate image for diskless workstation.
if [ "yes" == "$diskless_workstation" ] ; then
    if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
        # The image is a copy of the main server's fs. On the server, autofs
        # is disabled, but it is needed for diskless workstations.
        # OTOH some services need to be disabled, i.e. 'masked'.
        cat <<EOF >> /etc/ltsp/ltsp.conf
PRE_INIT_MAIN_SERVER="systemctl enable autofs"
MASK_SYSTEM_SERVICES="apache2 bind9 cups dovecot etckeeper exim4 squid tftpd-hpa \
icinga nmbd smbd systemd-journald"
EOF
    fi
    # ltsp image /
    # Begin workaround for 'ltsp image /' (which only works for 'atomic' partitioning).
    # See: https://github.com/ltsp/ltsp/issues/43 and (for the more general case)
    # https://github.com/ltsp/ltsp/issues/105 (closed because being a duplicate of #43).
    TEMPDIR=$(mktemp -d)
    mkdir "$TEMPDIR"/etc
    cp /etc/shadow "$TEMPDIR"/etc
    cp /etc/shadow- "$TEMPDIR"/etc
    # The next two lines improve security, temporarily disables new root login.
    # The pattern is anchored so that only the account named exactly 'root' matches.
    sed -i '/^root:/d' /etc/shadow
    sed -i '/^root:/d' /etc/shadow-
    cp /usr/share/ltsp/server/image/image.excludes "$TEMPDIR"/excludes
    if [ -f /etc/ltsp/image-local.excludes ] ; then
        cat /etc/ltsp/image-local.excludes >> "$TEMPDIR"/excludes
    fi
    mksquashfs / /srv/ltsp/images/"$(uname -m)".img -noappend -wildcards -ef "$TEMPDIR"/excludes
    cp "$TEMPDIR"/etc/shadow* /etc
    rm -rf "$TEMPDIR"
    ALL_IMAGES=1 ltsp kernel
    # End workaround.
    ltsp initrd
    ltsp ipxe
    mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/"$(uname -m)"/ltsp.img
    # Clean up ltsp.conf from specific items.
    sed -i '/PRE_INIT_MAIN/d' /etc/ltsp/ltsp.conf
    sed -i '/MASK_SYSTEM/d' /etc/ltsp/ltsp.conf
fi

# iPXE menu edit (ltsp.img has previously been stored in an image specific dir).
sed -i 's#ltsp/ltsp.img#ltsp/${img}/ltsp.img#' /srv/tftp/ltsp/ltsp.ipxe

# Get rid of additional excludes just in case they exist (main server).
rm -rf /etc/ltsp/image-local.excludes

# Use legacy network interfaces names.
if ! grep -q net.ifnames /etc/default/grub ; then
    sed -i 's/quiet/net.ifnames=0 quiet/' /etc/default/grub
    update-grub
fi

# Tweak network interfaces file to match the use case.
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
    cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet static
    address 10.0.2.2
    gateway 10.0.0.1
allow-hotplug eth1
iface eth1 inet static
    address 192.168.67.1
EOF
else
    cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
    post-up /usr/sbin/update-hostname-from-ip
allow-hotplug eth1
iface eth1 inet static
    address 192.168.67.1
EOF
fi

# Configure NFS
ltsp nfs

# Restrict dnsmasq to the eth1, i.e. LTSP network interface.
cat <<EOF > /etc/dnsmasq.d/99-debian-edu.conf
interface=eth1
bind-interfaces
EOF

if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
    ltsp dnsmasq -d0 -p0 -t0 --dns-server="$dns_server"
else
    ltsp dnsmasq -d0 -p0 --dns-server="$dns_server"
fi
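
The diskless workstation workaround in the attached script removes the root entry from the live /etc/shadow, runs mksquashfs, and copies the saved files back afterwards; with `set -e` in effect, a failing mksquashfs ends the script before that copy-back. The following is an added example, not part of the attached script, showing the same step with the restore bound to an EXIT trap; `with_root_stripped` and its arguments are hypothetical names.

```shell
#!/bin/bash
# Added example, not part of the attached script. with_root_stripped is a
# hypothetical helper: it runs a build command while the root entry is absent
# from <etc_dir>/shadow and shadow-, and restores both files on every exit path.

with_root_stripped() (
    # The whole body is a subshell, so variables and traps stay local to it.
    etc_dir="$1"; shift
    backup=$(mktemp -d) || exit 1      # mode 0700 directory for the copies

    restore() {
        for f in "$backup"/shadow* ; do
            # cp -p keeps owner, mode and timestamps of the saved file.
            [ -f "$f" ] && cp -p "$f" "$etc_dir"/
        done
        rm -rf "$backup"               # never leave password hashes behind
    }
    trap restore EXIT                  # normal end, failed build, or 'exit'
    trap 'exit 130' INT TERM HUP       # route signals through the EXIT trap

    for f in shadow shadow- ; do
        [ -f "$etc_dir/$f" ] || continue
        cp -p "$etc_dir/$f" "$backup/$f" || exit 1
        # Anchored pattern: removes the account named exactly "root" and
        # leaves names that merely end in "root" (for example "chroot") alone.
        sed -i '/^root:/d' "$etc_dir/$f" || exit 1
    done

    rc=0
    "$@" || rc=$?                      # the image build, e.g. mksquashfs ...
    exit "$rc"
)

# Usage with the script's own command (assumes "$TEMPDIR"/excludes exists):
# with_root_stripped /etc mksquashfs / /srv/ltsp/images/"$(uname -m)".img \
#     -noappend -wildcards -ef "$TEMPDIR"/excludes
```

The helper returns the exit status of the build command, so a caller running under `set -e` still stops on a failed build, but only after the shadow files are back in place.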