
Re: next-generation LTSP landing in unstable



On Thu, Dec 26, 2019 at 10:34:13PM +0000, Mike Gabriel wrote:
> On  Di 10 Dez 2019 19:31:10 CET, Wolfgang Schweer wrote:
> 
> > TBD: Integrating the x2gothinclient minidesktop (once available)
> 
> x2gothinclient has arrived in unstable.
 
Integrated. There's now support for three types of thin clients.

The desktop mode type still needs more work to configure the environment 
and firefox-esr, though. And the display mode type could be improved 
too, I guess.

The attached script contains some more documentation.

Wolfgang
#!/bin/bash
#
# Turn a Debian Edu workstation into an LTSP server for both diskless
# workstations and thin clients (using X2Go).
# The configuration below applies to a Debian Edu workstation in the internal
# backbone network with two NICs. This system needs to be registered w/ GOSa².
# Also, kerberized NFS is needed, see:
# https://www/debian-edu-doc/en/debian-edu-buster-manual.html#Administration--Kerberized_NFS
# The modified system provides a separate LTSP client network (192.168.67.0/24)
# attached to eth1.
# In case of a combined server, for the time being the tftpd-hpa package needs
# to be reconfigured like this:
# #/etc/default/tftpd-hpa
#
# TFTP_USERNAME="tftp"
# TFTP_DIRECTORY="/srv/tftp"
# TFTP_ADDRESS="0.0.0.0:69"
# TFTP_OPTIONS="-s"
#
#
# Wolfgang Schweer <wschweer@arcor.de>, November 2019
#
# Revision 2019-12-10:
# - Add workaround for diskless workstation image generation (ltsp issue #43).
# - Configure diskless workstation image and settings conditionally for both a
#   combined server (profiles 'Main-Server','Workstation') and a Workstation.
# - Sound and USB mass storage support for thin clients.
# - Improve inline documentation.
# Revision 2019-12-30:
# - Adjust for ltsp 19.12.1-1 (entered bullseye recently).
# - Improve security during diskless workstation image generation.
# - Use the education-thin-client metapackage.
# - Provide x2gothinclient (w/ and w/o displaymanager) as additional options,
#   a workaround is needed to make the x2go client get started (bug #947618).
# - Added workaround for x2gothinclient bug #947785 (login window shows last username).
# - Use /srv/ltsp as base for chroot and images (instead of /opt/ltsp).
# - Rework options/values and their evaluation.
# - Rework image location and iPXE menu configuration settings.

set -e

# usage
if [ -z "$1"  ] ; then
	echo "Use $0 -h or $0 --help for more information"
	exit 0
fi

if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
	cat <<EOF

Usage information:

$0 --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|managed|desktop>

Turn a Debian Edu workstation into an LTSP server for both diskless
workstations and thin clients.

--arch takes effect for a thin client chroot setup, default value is amd64.
--dist takes effect for thin client chroot setup, default value is stable.
--dns_server defaults to 10.0.2.2 if unset.
--diskless_workstation defaults to yes if unset.
--thin_type has no default value.
    bare:    preconfigured x2go client running via 'startx' as user 'thin' with sound and
             client side mass storage support.
    managed: x2gothinclient running in display mode.
    desktop: x2gothinclient running in minidesktop mode.

This script applies to a system with two NICs, located inside the internal backbone network.

EOF
	exit 0
fi

if [ -r /etc/debian-edu/config ] ; then
    . /etc/debian-edu/config
fi

arch="amd64"
dist="stable"
dns_server="10.0.2.2"
diskless_workstation="yes"
thin_type=""

while [ $# -gt 0 ] ; do
  case "$1" in
    --arch) arch="$2" ; shift ;;
    --dist) dist="$2" ; shift ;;
    --dns_server) dns_server="$2"  ; shift ;;
    --diskless_workstation) diskless_workstation="$2" ; shift ;;
    --thin_type) thin_type="$2" ; shift ;;
  esac
  shift
done

kernel_arch=$arch

if [ "i386" == "$arch" ] ; then
	#kernel_arch="686-pae"
	# next one optimal for very old TC machines w/o PAE.
	kernel_arch="686"
fi

# Two cases: buster and bullseye.
if grep -q '^10\.' /etc/debian_version ; then
	# First get new LTSP package and install it manually (ltsp is not available for Buster).
	# FIXME this will soon be ltsp_20.x
	if [ ! -x /usr/share/ltsp/ltsp ] ; then
		if [ ! -f ltsp_19.12.1-1_all.deb ] ; then
			wget http://ftp.debian.org/debian/pool/main/l/ltsp/ltsp_19.12.1-1_all.deb
		fi
		apt install -qy ./ltsp_19.12.1-1_all.deb
		apt -yq install debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
	fi
else
	if  [ ! -x /usr/share/ltsp/ltsp ] ; then
		apt -yq install ltsp debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
	fi
fi

# Can't get name resolution working w/o this.
apt -yq purge resolvconf

# Common Debian Edu specific configuration (dirs and HERE documents), only minor
# difference for thin and diskless (in ltsp.conf), see below.
if [ ! -d /etc/ltsp/client ] ; then
	mkdir -p /etc/ltsp/client/init
	# Debian Edu uses LDAP/NFS/Kerberos (krb5i) instead of sshfs for home dirs.
	touch  /etc/ltsp/client/init/54-pam.sh
	# Debian Edu wants a greeter w/o user list, i.e. don't modify existing config.
	touch  /etc/ltsp/client/init/55-display-manager.sh
	# make ipxe menu entries more user friendly.
	cat <<EOF > /etc/ltsp/ltsp.conf
# /bin/sh -n
# LTSP configuration file
# Documentation=man:ltsp.conf(5)

# Provide a full menu name for thin/bare-amd64.img
IPXE_BARE_AMD64_IMG="Plain Thin Client (64-Bit)"
# Provide a full menu name for thin/bare-i386.img
IPXE_BARE_I386_IMG="Plain Thin Client (very old machines, 32-Bit)"

# Provide a full menu name for thin/managed-amd64.img
IPXE_MANAGED_AMD64_IMG="Display Mode Thin Client (64-Bit)"
# Provide a full menu name for thin/managed-i386.img
IPXE_MANAGED_I386_IMG="Display Mode Thin Client (very old machines, 32-Bit)"

# Provide a full menu name for thin/desktop-amd64.img
IPXE_DESKTOP_AMD64_IMG="Desktop Mode Thin Client (64-Bit)"
# Provide a full menu name for thin/desktop-i386.img
IPXE_DESKTOP_I386_IMG="Desktop Mode Thin Client (very old machines, 32-Bit)"

# Provide a full menu name for x86_64.img
IPXE_X86_64_IMG="Diskless Workstation (64-Bit)"

# Debian Edu specific
DNS_SERVER=10.0.2.2
SEARCH_DOMAIN=intern

# In the special [clients] section, parameters for all clients can be defined.
# Most ltsp.conf parameters should be placed here.
[clients]
EOF
	# Debian Edu specific common additional image excludes; for diskless
	# workstations the /skole mountpoint (for autofs) needs to be clean.
	# This applies for both a combined server and 'a normal' LTSP server.
	# For a combined server image the autofs service needs to be enabled (see below).
	if echo "$PROFILE" | egrep -q 'Workstation' ; then
		cat <<EOF > /etc/ltsp/image-local.excludes
skole/*
EOF
	fi
	# FIXME: On the main server even more additional excludes could be useful.
	if echo "$PROFILE" | egrep -q 'Main-Server' && [ -z "$thin_type" ] ; then
		cat <<EOF >> /etc/ltsp/image-local.excludes
usr/local/ltsp/*
usr/local/ltsp/
usr/lib/apache2
usr/lib/exim4
usr/lib/icinga
usr/lib/ldap
usr/lib/x2go
usr/log/samba/*
usr/log/squid/*
var/cache/apache2/*
var/cache/apt/*
var/cache/bind/*
var/cache/debconf/*
var/cache/etckeeper/*
var/cache/gosa/*
var/cache/icinga/*
var/cache/munin/*
var/cache/nscd/*
var/cache/samba/*
var/lib/apache2/*
var/lib/cfengine3/*
var/lib/dbus/*
var/lib/dhcp/*
var/lib/dpkg/*
var/lib/exim4/*
var/lib/icinga/*
var/lib/ldap/*
var/lib/munin/*
var/lib/munin-node/*
var/lib/nfs/*
var/log/cfengine/*
var/log/installer/*
var/log/munin/*
var/log/ntpstats/*
var/log/samba/*
var/log/squid/*
var/mail/*
var/log/*.gz
var/spool/squid
EOF
	fi
	# Needed for thin client auto login user.
	# \$TERM is escaped so that systemd, not this script, expands it.
	mkdir -p /etc/ltsp/getty@tty1.service.d
	cat <<EOF > /etc/ltsp/getty@tty1.service.d/override.conf
[Service]
ExecStart=
ExecStart=-/usr/sbin/agetty -a thin --noclear %I \$TERM
RestartSec=10
EOF
	# Needed for thin client autofs setup (USB mass storage support, rw mode).
	mkdir -p /etc/ltsp/autofs
	cat <<EOF > /etc/ltsp/autofs/extra.autofs
/- /etc/auto.usb0 --mode=0777 --timeout=3
EOF
	cat <<EOF > /etc/ltsp/autofs/auto.usb0
/usb0 -fstype=auto,rw,user,umask=000 :/dev/sda1
EOF
	# Needed for thin client auto login configuration (startx).
	mkdir -p /etc/ltsp/skel
	cat <<EOF > /etc/ltsp/skel/.profile
while true ; do
	startx
done
EOF
	# Needed for thin client auto login configuration (x2goclient start).
	cat <<EOF > /etc/ltsp/skel/.xinitrc
exec x2goclient --no-menu --haltbt --add-to-known-hosts --no-session-edit --close-disconnect
EOF
	# Needed for thin client x2goclient configuration.
	mkdir -p /etc/ltsp/skel/.x2goclient
	cat <<EOF > /etc/ltsp/skel/.x2goclient/printing
[General]
pdfview=false
showdialog=true

[CUPS]
defaultprinter=

[print]
command=lpr
ps=false
startcmd=false
stdin=false

[view]
command=xpdf
open=true
EOF
	# Needed for thin client x2goclient configuration.
	cat <<EOF > /etc/ltsp/skel/.x2goclient/sessions
[default]
autologin=false
clipboard=both
command=XFCE
defsndport=true
directrdp=false
directrdpsettings=
directxdmcp=false
directxdmcpsettings=
display=1
dpi=96
export="/usb0:1;"
fstunnel=true
fullscreen=true
haltbt=true
height=600
host=$(hostname -s)
icon=/usr/share/icons/hicolor/64x64/apps/x2goclient.png
iconvfrom=ISO8859-1
iconvto=UTF-8
krbdelegation=false
krblogin=false
maxdim=false
multidisp=false
name=Debian Edu Thin Client
pack=16m-jpeg
print=true
published=false
quality=9
rootless=false
setdpi=true
sndport=4713
sound=true
soundsystem=pulse
soundtunnel=true
speed=4
sshport=22
sshproxyautologin=false
startsoundsystem=true
type=auto
useiconv=false
usekbd=true
usesshproxy=false
width=800
xdmcpclient=Xnest
xdmcpserver=localhost
xinerama=false
EOF
	# Needed for thin client x2goclient configuration.
	cat <<EOF > /etc/ltsp/skel/.x2goclient/settings
[toolbar]
show=false
EOF
fi

# Create thin client chroot and generate image.
export DEBIAN_FRONTEND=noninteractive
if [ ! -d /srv/ltsp/thin/$thin_type-$arch/etc/ltsp ] ; then
	mkdir -p /srv/ltsp/thin/$thin_type-$arch
	debootstrap --arch=$arch --variant=minbase --include=linux-image-$kernel_arch \
		$dist /srv/ltsp/thin/$thin_type-$arch https://deb.debian.org/debian
	chroot /srv/ltsp/thin/$thin_type-$arch/ apt clean
	mount /dev/pts -t devpts /srv/ltsp/thin/$thin_type-$arch/dev/pts
	mount proc -t proc /srv/ltsp/thin/$thin_type-$arch/proc
	mount tmpfs -t tmpfs /srv/ltsp/thin/$thin_type-$arch/tmp
	mkdir -p /srv/ltsp/thin/$thin_type-$arch/tmp/user/0
	chroot /srv/ltsp/thin/$thin_type-$arch/ apt -y -qq install education-thin-client
	if [ "bare" == "$thin_type" ] ; then
		chroot /srv/ltsp/thin/$thin_type-$arch/ apt -y -qq install xpdf autofs
	fi
	if [ "managed" == "$thin_type" ] ; then
		chroot /srv/ltsp/thin/$thin_type-$arch/ apt -y -qq install x2gothinclient
	fi
	if [ "desktop" == "$thin_type" ] ; then
		chroot /srv/ltsp/thin/$thin_type-$arch/ apt -y -qq install x2gothinclient-minidesktop
	fi
	umount /srv/ltsp/thin/$thin_type-$arch/dev/pts
	umount /srv/ltsp/thin/$thin_type-$arch/proc
	umount /srv/ltsp/thin/$thin_type-$arch/tmp
	rm -rf /srv/ltsp/thin/$thin_type-$arch/tmp/user
	rm -rf /srv/ltsp/thin/$thin_type-$arch/var/cache/apt
	rm -rf /srv/ltsp/thin/$thin_type-$arch/var/cache/debconf
	rm -rf /srv/ltsp/thin/$thin_type-$arch/var/cache/man
	rm -rf /srv/ltsp/thin/$thin_type-$arch/var/lib/dpkg
	cp /etc/locale.gen /srv/ltsp/thin/$thin_type-$arch/etc/
	cp /etc/default/locale /srv/ltsp/thin/$thin_type-$arch/etc/default
	chroot /srv/ltsp/thin/$thin_type-$arch locale-gen
	cp /etc/default/keyboard /srv/ltsp/thin/$thin_type-$arch/etc/default
	cp /etc/default/console-setup /srv/ltsp/thin/$thin_type-$arch/etc/default
	chroot /srv/ltsp/thin/$thin_type-$arch setupcon -k
	# Customize sessions for Debian Edu use.
	cp /etc/ltsp/skel/.x2goclient/sessions /srv/ltsp/thin/$thin_type-$arch/etc/x2go/x2gothinclient_sessions
	# Workaround for x2gothinclient bug (#947618).
	if [ "managed" == "$thin_type" ] ; then
		sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/$thin_type-$arch/etc/x2go/x2gothinclient-displaymanager_start
	fi
	if [ "desktop" == "$thin_type" ] ; then
		sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/$thin_type-$arch/etc/x2go/x2gothinclient-minidesktop_start
	fi
	ltsp image /srv/ltsp/thin/$thin_type-$arch
	# Create a runtime user for x2go login terminal; configure autofs (USB storage support).
	if [ "bare" == "$thin_type" ] ; then
		cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_THIN_USER='useradd -G disk -m -d /run/home/thin -k /etc/ltsp/skel -r thin'

POST_INIT_SYSTEMD='mkdir /etc/systemd/system/getty@tty1.service.d && \
cp /etc/ltsp/getty@tty1.service.d/override.conf /etc/systemd/system/getty@tty1.service.d'

POST_INIT_AUTOFS='cp /etc/ltsp/autofs/extra.autofs /etc/auto.master.d && \
cp /etc/ltsp/autofs/auto.* /etc'
EOF
	fi
	# Workaround for x2gothinclient bug (#947618).
	if [ "managed" == "$thin_type" ] ; then
		cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_X2GOTHIN_SVG='cp /etc/x2go/x2gothinclient-displaymanager_background.svg \
/etc/x2go/x2gothinclient-background.svg'
EOF
	fi
	ltsp initrd
	ltsp ipxe
	mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/$thin_type-$arch/ltsp.img
	# Clean up ltsp.conf from specific items.
	sed -i '/POST_INIT/d' /etc/ltsp/ltsp.conf
fi

# Generate image for diskless workstation.
if [ "yes" == "$diskless_workstation"  ] ; then
	if echo "$PROFILE" | egrep -q 'Main-Server' ; then
		# The image is a copy of the main server's fs. On the server, autofs
		# is disabled, it is needed for diskless workstations.
		# OTOH some services need to be disabled, i.e. 'masked'.
		cat <<EOF >> /etc/ltsp/ltsp.conf
PRE_INIT_MAIN_SERVER="systemctl enable autofs"
MASK_SYSTEM_SERVICES="apache2 bind9 cups dovecot etckeeper exim4 squid tftpd-hpa \
icinga nmbd smbd systemd-journald"
EOF
	fi
	# ltsp image /

	# Begin workaround for 'ltsp image /' (which only works for 'atomic' partitioning).
	# See: https://github.com/ltsp/ltsp/issues/43 and (for the more general case)
	# https://github.com/ltsp/ltsp/issues/105 (closed because being a duplicate of #43).
	TEMPDIR=$(mktemp -d)
	mkdir $TEMPDIR/etc
	cp /etc/shadow $TEMPDIR/etc
	cp /etc/shadow- $TEMPDIR/etc
	# The next two lines improve security: they temporarily disable new root logins.
	# The pattern is anchored so that only the account named root is removed.
	sed -i '/^root:/d' /etc/shadow
	sed -i '/^root:/d' /etc/shadow-
	cp /usr/share/ltsp/server/image/image.excludes $TEMPDIR/excludes
	if [ -f /etc/ltsp/image-local.excludes ] ; then
		cat /etc/ltsp/image-local.excludes >> $TEMPDIR/excludes
	fi
	mksquashfs / /srv/ltsp/images/$(uname -m).img -noappend -wildcards -ef $TEMPDIR/excludes
	cp $TEMPDIR/etc/shadow* /etc
	rm -rf $TEMPDIR
	ltsp kernel
	# End workaround.

	ltsp initrd
	ltsp ipxe
	mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/$(uname -m)/ltsp.img
	# Clean up ltsp.conf from specific items.
	sed -i '/PRE_INIT_MAIN/d' /etc/ltsp/ltsp.conf
	sed -i '/MASK_SYSTEM/d' /etc/ltsp/ltsp.conf
fi

# ipxe menu edit
sed -i 's#ltsp/ltsp.img#ltsp/${img}/ltsp.img#' /srv/tftp/ltsp/ltsp.ipxe

# Get rid of additional excludes just in case they exist (main server).
rm -rf /etc/ltsp/image-local.excludes

# Use legacy network interfaces names.
if ! grep -q net.ifnames /etc/default/grub ; then
    sed -i 's/quiet/net.ifnames=0 quiet/' /etc/default/grub
    update-grub
fi

# Tweak network interfaces file to match the use case.
if echo "$PROFILE" | egrep -q 'Main-Server' ; then
	cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet static
	address 10.0.2.2
	gateway 10.0.0.1

allow-hotplug eth1
iface eth1 inet static
	address 192.168.67.1
EOF
else
	cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
	post-up /usr/sbin/update-hostname-from-ip

allow-hotplug eth1
iface eth1 inet static
	address 192.168.67.1
EOF
fi

# Configure NFS and dnsmasq (conditionally).

ltsp nfs

# Restrict dnsmasq to the eth1, i.e. LTSP network interface.
cat <<EOF > /etc/dnsmasq.d/99-debian-edu.conf
interface=eth1
bind-interfaces
EOF

if echo "$PROFILE" | egrep -q 'Main-Server' ; then
	ltsp dnsmasq -d0 -p0 -t0 --dns-server="$dns_server"
else
	ltsp dnsmasq -d0 -p0 --dns-server="$dns_server"
fi
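
The diskless workstation workaround in the script removes the root entry from /etc/shadow while mksquashfs runs and copies the saved files back afterwards; because the script runs under `set -e`, a failing mksquashfs would end it before that restore. Added example, not part of the original script: a hypothetical helper `with_root_redacted` that restores the file on every exit path, shown on a constructed sample file with `cp` standing in for mksquashfs.

```bash
#!/bin/bash
# Added example, not from the original script. with_root_redacted is a
# hypothetical helper; the sample shadow data below is constructed.

# Run "$@" while the root entry is absent from shadow file $1, and put the
# original file back on every exit path: success, failure or signal.
with_root_redacted() {
	local shadow="$1" ; shift
	(
		backup=$(mktemp -d) || exit 1      # mode 0700, like TEMPDIR in the script
		cp -p "$shadow" "$backup/shadow" || { rm -rf "$backup" ; exit 1 ; }
		trap 'cp -p "$backup/shadow" "$shadow" ; rm -rf "$backup"' EXIT
		trap 'exit 130' INT TERM
		# Anchored at line start, so an account such as "ltsproot" is kept.
		# Writing through the redirect keeps the inode, owner and mode.
		sed '/^root:/d' "$backup/shadow" > "$shadow" || exit 1
		"$@"
		exit $?
	)
}

# Demo on constructed data; a plain cp stands in for mksquashfs.
demo() {
	local d status=0
	d=$(mktemp -d)
	printf '%s\n' 'root:$6$constructed$hash:18260:0:99999:7:::' \
		'ltsproot:!:18260:0:99999:7:::' > "$d/shadow"
	with_root_redacted "$d/shadow" cp "$d/shadow" "$d/in-image"
	echo "accounts in image:  $(cut -d: -f1 "$d/in-image" | tr '\n' ' ')"
	with_root_redacted "$d/shadow" false || status=$?
	echo "failed build exit:  $status"
	echo "accounts on server: $(cut -d: -f1 "$d/shadow" | tr '\n' ' ')"
	rm -rf "$d"
}
demo
```

In the script itself the call would wrap the mksquashfs line, once for /etc/shadow and once for /etc/shadow-.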
