On Mon, Dec 30, 2019 at 08:28:21PM +0100, Wolfgang Schweer wrote:
> On Thu, Dec 26, 2019 at 10:34:13PM +0000, Mike Gabriel wrote:
> > On Tue 10 Dec 2019 19:31:10 CET, Wolfgang Schweer wrote:
> > >
> > > TBD: Integrating the x2gothinclient minidesktop (once available)
> >
> > x2gothinclient has arrived in unstable.
>
> Integrated. There's now support for three types of thin clients.
>
> The desktop mode type still needs more work to configure the environment
> and firefox-esr, though. And the display mode type could be improved
> too, I guess.

The X2Go minidesktop type is now preconfigured for firefox-esr inside the
internal network (TLS, Proxy, homepage).

See the attached script for more information about other changes.

Wolfgang
#!/bin/bash
#
# Turn a Debian Edu workstation into an LTSP server for both diskless
# workstations and thin clients (using X2Go).
# The configuration below applies to a Debian Edu workstation in the internal
# backbone network with two NICs. This system needs to be registered w/ GOsa².
# Also, kerberized NFS is needed, see:
# https://www/debian-edu-doc/en/debian-edu-buster-manual.html#Administration--Kerberized_NFS
# The modified system provides a separate LTSP client network (192.168.67.0/24)
# attached to eth1.
# In case of a combined server, for the time being the tftpd-hpa package needs
# to be reconfigured like this:
# #/etc/default/tftpd-hpa
#
# TFTP_USERNAME="tftp"
# TFTP_DIRECTORY="/srv/tftp"
# TFTP_ADDRESS="0.0.0.0:69"
# TFTP_OPTIONS="-s"
#
#
# Wolfgang Schweer <wschweer@arcor.de>, November 2019
#
# Revision 2019-12-10:
# - Add workaround for diskless workstation image generation (ltsp issue #43).
# - Configure diskless workstation image and settings conditionally for both a
# combined server (profiles 'Main-Server','Workstation') and a Workstation.
# - Sound and USB mass storage support for thin clients.
# - Improve inline documentation.
#
# Revision 2019-12-30:
# - Adjust for ltsp 19.12.1-1 (entered bullseye recently).
# - Improve security during diskless workstation image generation.
# - Use the education-thin-client metapackage.
# - Provide x2gothinclient (w/ and w/o displaymanager) as additional options;
# a workaround is needed to make the x2go client get started (bug #947618).
# - Added workaround for x2gothinclient bug #947785 (the login window shows
# last username).
# - Use /srv/ltsp as base for chroot and images (instead of /opt/ltsp).
# - Rework options/values and their evaluation.
# - Rework image location and iPXE menu configuration settings.
#
# Revision 2020-01-02:
# - Fix some script flaws and improve documentation.
# - Remove thin client chroot once the related image has been built.
# - Customize X2Go minidesktop (environment settings, package installation,
# firefox-esr localization).
set -e
# usage
if [ -z "$1" ] ; then
echo "Use $0 -h or $0 --help for more information"
exit 0
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
cat <<EOF
Usage information:
$0 --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop>
Turn a Debian Edu workstation into an LTSP server for both diskless
workstations and thin clients.
--arch takes effect for a thin client chroot setup, default value is amd64.
--dist takes effect for thin client chroot setup, default value is stable.
--dns_server defaults to 10.0.2.2 if unset.
--diskless_workstation defaults to yes if unset.
--thin_type has no default value.
bare: preconfigured x2go client running via 'startx' as user 'thin' with sound and
client side mass storage support.
display: x2gothinclient running in display mode.
desktop: x2gothinclient running in minidesktop mode.
This script applies to a system with two NICs, located inside the internal backbone network.
EOF
exit 0
fi
if [ -r /etc/debian-edu/config ] ; then
. /etc/debian-edu/config
fi
arch="amd64"
dist="stable"
dns_server="10.0.2.2"
diskless_workstation="yes"
thin_type=""
while [ $# -gt 0 ] ; do
case "$1" in
--arch) arch="$2" ; shift ;;
--dist) dist="$2" ; shift ;;
--dns_server) dns_server="$2" ; shift ;;
--diskless_workstation) diskless_workstation="$2" ; shift ;;
--thin_type) thin_type="$2" ; shift ;;
*) echo "Unknown option: $1 (see $0 --help)" >&2 ; exit 1 ;;
esac
shift
done
# Refuse values the usage text does not document; they would otherwise only
# fail much later, inside debootstrap or apt.
case "$arch" in
amd64|i386) ;;
*) echo "Invalid --arch value: $arch" >&2 ; exit 1 ;;
esac
case "$thin_type" in
""|bare|display|desktop) ;;
*) echo "Invalid --thin_type value: $thin_type" >&2 ; exit 1 ;;
esac
kernel_arch="$arch"
if [ "i386" == "$arch" ] ; then
#kernel_arch="686-pae"
# next one optimal for very old TC machines w/o PAE.
kernel_arch="686"
fi
# Two cases: buster (10.x) and bullseye.
if grep -q '^10\.' /etc/debian_version ; then
# First get new LTSP package and install it manually (ltsp is not available for Buster).
# FIXME: This will soon be ltsp_20.x
if [ ! -x /usr/share/ltsp/ltsp ] ; then
if [ ! -f ltsp_19.12.1-1_all.deb ] ; then
wget http://ftp.debian.org/debian/pool/main/l/ltsp/ltsp_19.12.1-1_all.deb
fi
apt install -qy ./ltsp_19.12.1-1_all.deb
apt -yq install debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
fi
else
if [ ! -x /usr/share/ltsp/ltsp ] ; then
apt -yq install ltsp debootstrap dnsmasq x2goserver ipxe iptables net-tools nfs-kernel-server squashfs-tools
fi
fi
# FIXME: Can't get name resolution working w/o this.
apt -yq purge resolvconf
# Common Debian Edu specific configuration (dirs and HERE documents), only minor
# difference for thin and diskless (in ltsp.conf), see below.
if [ ! -d /etc/ltsp/client ] ; then
mkdir -p /etc/ltsp/client/init
# Debian Edu uses LDAP/NFS/Kerberos (krb5i) instead of sshfs for home dirs.
touch /etc/ltsp/client/init/54-pam.sh
# Debian Edu wants a greeter w/o user list, i.e. don't modify existing config.
touch /etc/ltsp/client/init/55-display-manager.sh
# make ipxe menu entries more user friendly.
cat <<EOF > /etc/ltsp/ltsp.conf
# /bin/sh -n
# LTSP configuration file
# Documentation=man:ltsp.conf(5)
# Provide a full menu name for thin/bare-amd64.img
IPXE_BARE_AMD64_IMG="Plain X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/bare-i386.img
IPXE_BARE_I386_IMG="Plain X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for thin/display-amd64.img
IPXE_DISPLAY_AMD64_IMG="Display Mode X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/display-i386.img
IPXE_DISPLAY_I386_IMG="Display Mode X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for thin/desktop-amd64.img
IPXE_DESKTOP_AMD64_IMG="Desktop Mode X2Go Thin Client (64-Bit)"
# Provide a full menu name for thin/desktop-i386.img
IPXE_DESKTOP_I386_IMG="Desktop Mode X2Go Thin Client (very old machines, 32-Bit)"
# Provide a full menu name for x86_64.img
IPXE_X86_64_IMG="Diskless Workstation (64-Bit)"
# Debian Edu specific
DNS_SERVER=10.0.2.2
SEARCH_DOMAIN=intern
# In the special [clients] section, parameters for all clients can be defined.
# Most ltsp.conf parameters should be placed here.
[clients]
EOF
fi
# Debian Edu specific common additional image excludes; for diskless
# workstations the /skole mountpoint (for autofs) needs to be clean.
# This applies for both a combined server and 'a normal' LTSP server.
# For a combined server image the autofs service needs to be enabled (see below).
if echo "$PROFILE" | grep -Eq 'Workstation' ; then
cat <<EOF > /etc/ltsp/image-local.excludes
skole/*
EOF
fi
# FIXME: On the main server even more additional excludes might be useful.
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
cat <<EOF >> /etc/ltsp/image-local.excludes
usr/lib/apache2
usr/lib/exim4
usr/lib/icinga
usr/log/samba/*
usr/log/squid/*
var/cache/apache2/*
var/cache/apt/*
var/cache/bind/*
var/cache/debconf/*
var/cache/etckeeper/*
var/cache/gosa/*
var/cache/icinga/*
var/cache/munin/*
var/cache/nscd/*
var/cache/samba/*
var/lib/apache2/*
var/lib/cfengine3/*
var/lib/dbus/*
var/lib/dhcp/*
var/lib/dpkg/*
var/lib/exim4/*
var/lib/icinga/*
var/lib/munin/*
var/lib/munin-node/*
var/lib/nfs/*
var/log/cfengine/*
var/log/installer/*
var/log/munin/*
var/log/samba/*
var/log/squid/*
var/mail/*
var/log/*.gz
var/spool/squid
EOF
fi
# Needed for thin client auto login user.
mkdir -p /etc/ltsp/getty@tty1.service.d
# \$TERM is escaped so that systemd (which sets TERM for getty@.service)
# expands it on the client, not this script's shell while writing the file.
cat <<EOF > /etc/ltsp/getty@tty1.service.d/override.conf
[Service]
ExecStart=
ExecStart=-/usr/sbin/agetty -a thin --noclear %I \$TERM
RestartSec=10
EOF
# Needed for thin client autofs setup (USB mass storage support, rw mode).
mkdir -p /etc/ltsp/autofs
cat <<EOF > /etc/ltsp/autofs/extra.autofs
/- /etc/auto.usb0 --mode=0777 --timeout=3
EOF
cat <<EOF > /etc/ltsp/autofs/auto.usb0
/usb0 -fstype=auto,rw,user,umask=000 :/dev/sda1
EOF
# Needed for thin client auto login configuration (startx).
mkdir -p /etc/ltsp/skel
cat <<EOF > /etc/ltsp/skel/.profile
while true ; do
startx
done
EOF
# Needed for thin client auto login configuration (x2goclient start).
cat <<EOF > /etc/ltsp/skel/.xinitrc
exec x2goclient --no-menu --add-to-known-hosts --no-session-edit --close-disconnect
EOF
# Needed for thin client x2goclient configuration.
mkdir -p /etc/ltsp/skel/.x2goclient
cat <<EOF > /etc/ltsp/skel/.x2goclient/printing
[General]
pdfview=false
showdialog=true
[CUPS]
defaultprinter=
[print]
command=lpr
ps=false
startcmd=false
stdin=false
[view]
command=xpdf
open=true
EOF
# Needed for thin client (x2goclient preconfigured session).
cat <<EOF > /etc/ltsp/skel/.x2goclient/sessions
[default]
autologin=false
clipboard=both
command=XFCE
defsndport=true
directrdp=false
directrdpsettings=
directxdmcp=false
directxdmcpsettings=
display=1
dpi=96
export="/usb0:1;"
fstunnel=true
fullscreen=true
height=600
host=$(hostname -s)
icon=/usr/share/icons/hicolor/64x64/apps/x2goclient.png
iconvfrom=ISO8859-1
iconvto=UTF-8
krbdelegation=false
krblogin=false
maxdim=false
multidisp=false
name=Debian Edu Thin Client
pack=16m-jpeg
print=true
published=false
quality=9
rootless=false
setdpi=true
sndport=4713
sound=true
soundsystem=pulse
soundtunnel=true
speed=4
sshport=22
sshproxyautologin=false
startsoundsystem=true
type=auto
useiconv=false
usekbd=true
usesshproxy=false
width=800
xdmcpclient=Xnest
xdmcpserver=localhost
xinerama=false
EOF
# Needed for thin client x2goclient configuration.
cat <<EOF > /etc/ltsp/skel/.x2goclient/settings
[toolbar]
show=false
EOF
# Create thin client chroot and generate image.
export DEBIAN_FRONTEND=noninteractive
if [ -n "$thin_type" ] && [ ! -d /srv/ltsp/thin/"$thin_type"-"$arch"/etc/ltsp ] ; then
mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"
# Install common thin client packages.
debootstrap --arch="$arch" --variant=minbase --include=linux-image-"$kernel_arch" \
"$dist" /srv/ltsp/thin/"$thin_type"-"$arch" https://deb.debian.org/debian
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt clean
mount /dev/pts -t devpts /srv/ltsp/thin/"$thin_type"-"$arch"/dev/pts
mount proc -t proc /srv/ltsp/thin/"$thin_type"-"$arch"/proc
mount tmpfs -t tmpfs /srv/ltsp/thin/"$thin_type"-"$arch"/tmp
mkdir -p /srv/ltsp/thin/"$thin_type"-"$arch"/tmp/user/0
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install education-thin-client
# Install case specific additional packages.
if [ "bare" == "$thin_type" ] ; then
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install autofs x2gothinclient-common xpdf
fi
if [ "display" == "$thin_type" ] ; then
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install x2gothinclient-displaymanager
fi
if [ "desktop" == "$thin_type" ] ; then
chroot /srv/ltsp/thin/"$thin_type"-"$arch"/ apt -y -qq install x2gothinclient-minidesktop \
x2gothinclient-management x2gothinclient-cdmanager x2gothinclient-usbmount \
firefox-esr-l10n-"$LANGCODE"
fi
umount /srv/ltsp/thin/"$thin_type"-"$arch"/dev/pts
umount /srv/ltsp/thin/"$thin_type"-"$arch"/proc
umount /srv/ltsp/thin/"$thin_type"-"$arch"/tmp
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/tmp/user
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/apt
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/debconf
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/cache/man
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"/var/lib/dpkg
cp /etc/locale.gen /srv/ltsp/thin/"$thin_type"-"$arch"/etc/
cp /etc/default/locale /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
chroot /srv/ltsp/thin/"$thin_type"-"$arch" locale-gen
cp /etc/default/keyboard /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
cp /etc/default/console-setup /srv/ltsp/thin/"$thin_type"-"$arch"/etc/default
chroot /srv/ltsp/thin/"$thin_type"-"$arch" setupcon -k
# Customize X2Go client for Debian Edu use.
if [ "display" == "$thin_type" ] || [ "desktop" == "$thin_type" ] ; then
cp /etc/ltsp/skel/.x2goclient/sessions /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient_sessions
fi
# Firefox-ESR customization for Debian Edu.
if [ "desktop" == "$thin_type" ] ; then
cp /etc/environment /srv/ltsp/thin/"$thin_type"-"$arch"/etc
cp /etc/firefox-esr/debian-edu.js /srv/ltsp/thin/"$thin_type"-"$arch"/etc/firefox-esr
cp /etc/firefox-esr/debian-edu-homepage-ldap.js /srv/ltsp/thin/"$thin_type"-"$arch"/etc/firefox-esr
cp /etc/ssl/certs/Debian-Edu_rootCA.crt /srv/ltsp/thin/"$thin_type"-"$arch"/etc/ssl/certs
cat <<EOF > /srv/ltsp/thin/"$thin_type"-"$arch"/usr/share/firefox-esr/distribution/policies.json
{
"policies": {
"Certificates": {
"ImportEnterpriseRoots": true,
"Install": [
"/etc/ssl/certs/Debian-Edu_rootCA.crt"
]
},
"NewTabPage": false,
"OverrideFirstRunPage": ""
}
}
EOF
fi
# FIXME: Workaround for x2gothinclient bug (#947618).
if [ "display" == "$thin_type" ] ; then
sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient-displaymanager_start
fi
if [ "desktop" == "$thin_type" ] ; then
sed -i 's/session=X2Go.Example/close-disconnect/' /srv/ltsp/thin/"$thin_type"-"$arch"/etc/x2go/x2gothinclient-minidesktop_start
fi
ltsp image /srv/ltsp/thin/"$thin_type"-"$arch"
# Remove chroot now that the image has been built (to save space)
rm -rf /srv/ltsp/thin/"$thin_type"-"$arch"
# Create a runtime user for x2go login terminal; configure autofs (USB storage support).
if [ "bare" == "$thin_type" ] ; then
cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_THIN_USER='useradd -G disk -m -d /run/home/thin -k /etc/ltsp/skel -r thin'
POST_INIT_SYSTEMD='mkdir /etc/systemd/system/getty@tty1.service.d && \
cp /etc/ltsp/getty@tty1.service.d/override.conf /etc/systemd/system/getty@tty1.service.d'
POST_INIT_AUTOFS='cp /etc/ltsp/autofs/extra.autofs /etc/auto.master.d && \
cp /etc/ltsp/autofs/auto.* /etc'
EOF
fi
# FIXME: Workaround for x2gothinclient bug (#947618).
if [ "display" == "$thin_type" ] ; then
cat <<EOF >> /etc/ltsp/ltsp.conf
POST_INIT_X2GOTHIN_SVG='cp /etc/x2go/x2gothinclient-displaymanager_background.svg \
/etc/x2go/x2gothinclient-background.svg'
EOF
fi
# Create the ltsp.img file and move it to where it belongs.
ltsp initrd
mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/"$thin_type"-"$arch"/ltsp.img
# Create the iPXE menu entry
ltsp ipxe
# Clean up ltsp.conf from image specific items.
sed -i '/POST_INIT/d' /etc/ltsp/ltsp.conf
fi
# Generate image for diskless workstation.
if [ "yes" == "$diskless_workstation" ] ; then
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
# The image is a copy of the main server's fs. On the server, autofs
# is disabled, but it is needed for diskless workstations.
# OTOH some services need to be disabled, i.e. 'masked'.
cat <<EOF >> /etc/ltsp/ltsp.conf
PRE_INIT_MAIN_SERVER="systemctl enable autofs"
MASK_SYSTEM_SERVICES="apache2 bind9 cups dovecot etckeeper exim4 squid tftpd-hpa \
icinga nmbd smbd systemd-journald"
EOF
fi
# ltsp image /
# Begin workaround for 'ltsp image /' (which only works for 'atomic' partitioning).
# See: https://github.com/ltsp/ltsp/issues/43 and (for the more general case)
# https://github.com/ltsp/ltsp/issues/105 (closed because being a duplicate of #43).
TEMPDIR=$(mktemp -d)
mkdir "$TEMPDIR"/etc
cp -p /etc/shadow "$TEMPDIR"/etc
[ -f /etc/shadow- ] && cp -p /etc/shadow- "$TEMPDIR"/etc
# Make sure the original files come back even if mksquashfs fails: with
# 'set -e' the script would otherwise stop before the copy back below and
# leave the server without a root entry in /etc/shadow.
restore_shadow() { cp -p "$TEMPDIR"/etc/shadow* /etc ; rm -rf "$TEMPDIR" ; }
trap restore_shadow EXIT
# The next two lines improve security: the image is exported read-only to every
# client on the LTSP network, so root's password hash must not end up in it.
# Dropping the root entry temporarily disables new root logins while the image
# is built. Anchor the pattern so that other accounts (e.g. 'chroot') are kept.
sed -i '/^root:/d' /etc/shadow
[ -f /etc/shadow- ] && sed -i '/^root:/d' /etc/shadow-
cp /usr/share/ltsp/server/image/image.excludes "$TEMPDIR"/excludes
if [ -f /etc/ltsp/image-local.excludes ] ; then
cat /etc/ltsp/image-local.excludes >> "$TEMPDIR"/excludes
fi
mksquashfs / /srv/ltsp/images/"$(uname -m)".img -noappend -wildcards -ef "$TEMPDIR"/excludes
restore_shadow
trap - EXIT
ALL_IMAGES=1 ltsp kernel
# End workaround.
ltsp initrd
ltsp ipxe
mv /srv/tftp/ltsp/ltsp.img /srv/tftp/ltsp/"$(uname -m)"/ltsp.img
# Clean up ltsp.conf from specific items.
sed -i '/PRE_INIT_MAIN/d' /etc/ltsp/ltsp.conf
sed -i '/MASK_SYSTEM/d' /etc/ltsp/ltsp.conf
fi
# ipxe menue edit (ltsp.img has previously been stored in an image specific dir).
sed -i 's#ltsp/ltsp.img#ltsp/${img}/ltsp.img#' /srv/tftp/ltsp/ltsp.ipxe
# Get rid of additional excludes just in case they exist (main server).
rm -rf /etc/ltsp/image-local.excludes
# Use legacy network interfaces names.
if ! grep -q net.ifnames /etc/default/grub ; then
sed -i 's/quiet/net.ifnames=0 quiet/' /etc/default/grub
update-grub
fi
# Tweak network interfaces file to match the use case.
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet static
address 10.0.2.2
gateway 10.0.0.1
allow-hotplug eth1
iface eth1 inet static
address 192.168.67.1
EOF
else
cat <<EOF > /etc/network/interfaces
auto eth0
iface eth0 inet dhcp
post-up /usr/sbin/update-hostname-from-ip
allow-hotplug eth1
iface eth1 inet static
address 192.168.67.1
EOF
fi
# Configure NFS
ltsp nfs
# Restrict dnsmasq to the eth1, i.e. LTSP network interface.
cat <<EOF > /etc/dnsmasq.d/99-debian-edu.conf
interface=eth1
bind-interfaces
EOF
if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
ltsp dnsmasq -d0 -p0 -t0 --dns-server="$dns_server"
else
ltsp dnsmasq -d0 -p0 --dns-server="$dns_server"
fi
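The "improve security" step of the diskless workstation workaround above removes root's entry from /etc/shadow while mksquashfs runs, because the resulting image is exported to every client on the LTSP network. The following shell snippet is an added check, not part of Wolfgang's script or of LTSP: it pulls etc/shadow and etc/shadow- out of a built squashfs image with unsquashfs (from squashfs-tools, which the script installs anyway) and reports any account whose password field still carries a crypt(3) hash. The image path in the usage line is the one the script writes; the shadow lines in the self-test are constructed dummy values.

```shell
#!/bin/bash
# Added example (not part of the original script): verify that a freshly built
# LTSP squashfs image carries no password hashes in etc/shadow, i.e. that the
# temporary removal of the root entry during 'mksquashfs' did its job.
set -u

# Print the names of accounts whose password field is a crypt(3) hash
# (field 2 starts with '$'). Locked ("*", "!", "!!") and empty fields are
# ignored. Reads a shadow(5) formatted file; returns 0 if no hash was found,
# 1 otherwise.
shadow_hashes() {
  awk -F: '
    $2 ~ /^\$/ { print $1; found = 1 }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Extract etc/shadow and etc/shadow- from a squashfs image and run
# shadow_hashes over them. Returns 0 when the image is clean, 1 when a hash
# leaked and 2 when the image cannot be read at all.
check_image_shadow() {
  img="$1"
  # '-s' prints the superblock only; it fails on a missing or corrupt image.
  unsquashfs -s "$img" >/dev/null 2>&1 || return 2
  scratch=$(mktemp -d)
  rc=0
  for path in etc/shadow etc/shadow- ; do
    dest="$scratch/$(basename "$path")"
    # Extract one file at a time; a file absent from the image is not an error.
    unsquashfs -no-progress -d "$dest" "$img" "$path" >/dev/null 2>&1 || continue
    f="$dest/$path"
    [ -f "$f" ] || continue
    if ! shadow_hashes "$f" ; then
      echo "password hash found in /$path inside $img" >&2
      rc=1
    fi
  done
  rm -rf "$scratch"
  return "$rc"
}

# Self-test on constructed shadow lines: a locked root and a passwordless
# 'thin' user must pass, a root entry with a (dummy) hash must be flagged.
self_test() {
  t=$(mktemp)
  printf 'root:!*:18200:0:99999:7:::\nthin::18200:0:99999:7:::\n' > "$t"
  if shadow_hashes "$t" >/dev/null ; then clean=yes ; else clean=no ; fi
  printf 'root:$6$dummysalt$dummyhash:18200:0:99999:7:::\n' > "$t"
  if shadow_hashes "$t" >/dev/null ; then leaked=no ; else leaked=yes ; fi
  rm -f "$t"
  [ "$clean" = yes ] && [ "$leaked" = yes ]
}

# Usage on the LTSP server, right after the image has been generated:
#   check_image_shadow /srv/ltsp/images/x86_64.img
if [ -n "${1-}" ] ; then
  check_image_shadow "$1"
fi
```

Run it as root on the server so unsquashfs can restore the 0640 root:shadow ownership of the extracted files; the same function can be pointed at the thin client images under /srv/ltsp/images before they are served over NFS.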