Classroom LTSP Configuration


Note: this page should be moved to the Ubuntu LTSP Documentation when they fix the login bug and I can actually edit that wiki.

We're supporting a two-server, 15-terminal thin client system which has been running Ubuntu 8.04 (Hardy) in the Cama Samfya Resource Centre in Samfya, a rural town in Zambia. It has been working reasonably well for two years.

It's also used for IT training for about 150 school-leavers every year on Camfed's Goldman Sachs 10,000 Women Certificate Programme in Young Women's Leadership and Enterprise (the Camfed Programme) which takes place in Lubwe, Samfya District, Zambia. The equipment is moved from Samfya to Lubwe twice a year for the training course.

1 Brief

There are some problems that we'd like to fix:

  * Operating system needs to be upgraded before support expires
  * Hard disk filled up with files in /home, and is not partitioned, so the proxy server failed to start and Firefox can't browse
  * Users can corrupt the profiles of the guest accounts, by modifying panels and changing icons
  * Users save personal files on the hard disk without limit until it fills up
  * No DNS cache installed
  * UPSes not up to requested spec, only last a few minutes, batteries degraded due to frequent use
  * UPSes not monitored, servers and thin clients don't shut down automatically
  * Standalone mode on thin clients (Aleutia E2) broken due to filesystems corrupted by power outages
  * Users storing important files on a server which is not backed up
  * One server had a memory failure and now only has 4 GB RAM (the other has 8 GB)
  * Frequent internet outages at the SRC (no backup Internet access) leading to complaints from customers
  * No automatic logout or Internet cafe billing system for SRC customers
  * Each terminal has its own LTSP guest user whose profile can become corrupted

2 Operating System Upgrade

We will upgrade the system to a more recent Ubuntu version because:

  * the support lifetime for 8.04 will run out in April 2011, in four months
  * we'd rather not upgrade in a rush in April
  * we'd rather not upgrade in the middle of this year's Camfed programme and confuse students with a new OS
  * much educational software is not available for 8.04 (e.g. GeoGebra).

We've been testing two newer versions of Ubuntu: 10.04 (Lucid) and 10.10 (Maverick). Lucid has the advantage of being a Long-Term Support release, which means that it's supported (as much as that means anything with Ubuntu) for three years, until April 2013. However we found a serious bug, where plugging a USB stick into a thin client caused the server's screen to become corrupted and unusable. We have not yet been able to debug the problem sufficiently to file a bug report in Ubuntu, so it's unlikely to be fixed in Lucid.

This problem does not occur in Maverick, and so far our experience with Maverick has been quite good, so it looks like we'll be using Maverick for now. Maverick's support is only for 18 months, so we should either downgrade to Lucid, or upgrade to Natty (11.04, not released yet) in April in order to keep our system supported with security updates for the longest possible time.

2.1 Upgrade Issues

Problems encountered during the upgrade process:

  * The Maverick installer crashed at least once while compressing the LTSP image (84% finished)
  * Maverick and Lucid's new version of Grub doesn't detect the old Hardy partition, and is extremely complex to configure compared to the old version, so it's not at all clear how we can now boot into the old system (maybe reinstall old Grub from an 8.04 rescue CD?)
  * Grub failed to install on the main server because the partition layout had no space after the boot sector, possibly due to the drive being replaced and the partition table being copied from the other disk, which has a different geometry
  * The Maverick kernel insists on trying to mirror /dev/sda3 with the whole of /dev/sdb, which corrupts the second disk in the RAID array, in a way that's not obvious. This was because, right at the end of /dev/sdb, there was a RAID superblock with the same UUID as /dev/sda3, so the kernel placed /dev/sda3 and /dev/sdb in the same array.
  * The installer's partition editor still fails to recognise existing RAID devices (and the LVM logical volumes on them) automatically under some circumstances, and wouldn't recognise the existing logical volumes even after entering and exiting the RAID menu. When trying to create a new volume group, I was told that all devices were used, and shown that 4 logical volumes were detected, but the partitioner wouldn't allow me to partition them.
  * Maverick can't create working USB installers with usb-creator for older versions of Ubuntu (e.g. Lucid)
  * Only zambiaserver2 has a CD writer, zambiaserver1 only has a DVD-ROM
  * Guest accounts appear on the login chooser
  * Login sessions sometimes, randomly, fail on E2s due to compiz failing to run (screen width is not a power of two?), needs a hack in the Gnome registry to disable compiz
  * LTSP still fails to complete installation unless exactly one interface is configured, and has to be manually configured later
  * NetworkManager tries to manage the LTSP server interface when the link comes up, and acquire an IP from its own DHCP server, which wrecks LTSP clients
  * Scroll bars, unchecked checkboxes, active tabs in Firefox and highlighted unfocused selections (e.g. usb-creator) are invisible in this theme
  * Physical power button on thin client does nothing (doesn't shut it down)
  * Root account is still locked by default, so it's useful to chroot into the LTSP client image (/opt/ltsp/i386), use passwd to set a password for the root account, install the openssh server with apt-get update; apt-get install openssh-server, and then rebuild the LTSP client image with ltsp-build-client
  * LDM doesn't allow logging in with just the keyboard, e.g. by entering a blank user name
  * Booting the system with a USB stick inserted generates scary messages on the text-mode boot logo
  * sshd still doesn't log authentication errors because there's no socket in the sshd chroot. Add "$AddUnixListenSocket /var/run/sshd/dev/log" to /etc/rsyslog.d/sshd.conf on the server.
  * Favourite terminal keybindings:

for i in "move_tab_left <Shift><Control>Left" "move_tab_right <Shift><Control>Right" "next_tab <Shift>Right" "prev_tab <Shift>Left"; do sudo -u guest_d9daff gconftool-2 --type string --set /apps/gnome-terminal/keybindings/$i; done

  * Shutting down the server (on Maverick) from gdm doesn't work.

3 Partitioning with RAID and LVM

We originally used a single partition for simplicity, and because we decided to use only 1/3 of the 250 GB disk, or 75 GB, leaving the rest for backups or future uses. This came in handy for the upgrade to Maverick, allowing us to reinstall without wiping the existing system. But it did mean that the disk filled up faster.

For flexibility, we are reinstalling using LVM on the remaining space, with separate partitions for:

  * Root (and all software, and everything not included below) - 15 GB
  * /var (logs, mailboxes and Squid cache) - 10 GB
  * Home directories (to stop them from bringing down the system) - 80 GB
  * Manager's home directory (to allow the manager to use the system even if all other users fill up their space) - 20 GB

Bjoern would like to enable video editing on these systems, which will require a lot of space, so I've left plenty unallocated (about 40 GB) for a potential future "video" user. More space can be reclaimed when the important parts of the old user data are copied over from the old Hardy partition, after which that partition can be removed.

4 Installation Step by Step

4.1 Backup Existing Data
Before starting the installation, back up all important user data from /home, and also /etc/passwd and /etc/shadow, onto an external hard disk.

4.2 IP Address Check

Before proceeding, please check that your server's __eth0__ interface is attached to a network with a DHCP server, and that the address range of that network is __NOT__ 192.168.1.x/24. Also please check that __eth1__ is attached to a network switch that is powered up, but has no DHCP server attached.

This is because the LTSP auto-configuration will FAIL if there is no IP address on an interface (e.g. one interface connected to the Internet) or if that interface has an IP address in the range that LTSP wants to use by default for its own private network. The interface for the private network must also have a link.

The easiest way to check the IP address is to:

  * Attach a computer running Ubuntu desktop to the same Internet connection as the server that you're installing
  * Click on the Network Manager icon on the menu bar and select the wired network
  * Wait for the computer to connect to the network (icon should change to up-and-down arrows)
  * Right-click on the Network Manager icon and click Connection Details
  * Check that the IP Address doesn't start with 192.168.1.

4.3 Boot the Install CD

On the server that you want to install (or reinstall), start by booting from the Ubuntu 10.10 Alternate CD. On the Dell servers: switch on/power up the server. Press F11 when you see the Dell logo. When the "Boot device menu" appears, insert the Ubuntu 10.10 Alternate CD and choose "Embedded Optical Drive Port C" from the menu.

A language menu will appear. Press Enter to select English.

Press F4 and choose Install an LTSP Server (using the down arrow key), then press Enter to load the installer.

Press Enter again to install Ubuntu.

4.4 Configure Language and Keyboard

Choose the following settings:

  * Language: English
  * Country: Other, then Africa, then Zambia (O, enter, A, enter, Z, enter)
  * Detect keyboard layout: No (just press enter)
  * Origin of the keyboard: United Kingdom
  * Keyboard layout: United Kingdom

4.5 Configure Networking and Clock

  * Primary network interface: eth0 (The primary network interface is the one going to the Internet.)
    * If no DHCP server was found on eth0, this error will appear: Network autoconfiguration failed. __DO NOT PROCEED__ - check that the DHCP server or router is working, and retry the network configuration.
  * Hostname: see label on front of server, e.g. zambiaserver1 or zambiaserver2

Ubuntu will then try to determine which country you are in from your Internet connection. If it says something other than Your timezone is Africa/Lusaka, then:

  * Choose No
  * Scroll up to the top of the list (with the Page Up key) which should say Africa, then choose Lusaka below that.

4.6 Partition disks: Configuring partitions

The server has two disks. These are mirrored so that both contain the same data, as a backup in case one disk fails. This mirroring is done by Ubuntu, so we have to configure it now.

This process will delete all existing data on the disks, so please ensure that all important data is backed up before starting. (We can try to keep some data, but there are no guarantees.)

  * Partitioning method: Manual
  * You should see the Partition disks menu

Each disk (SCSI1 and SCSI2) should now show something like:

#1 primary 75.0 GB raid
#2 primary 175.0 GB raid

(partition #1 is only there if you are keeping existing data on it). Note that the sizes may be different. However, if the partitions don't appear like that, you'll need to edit them:

  * If no partitions appear under SCSI1 or SCSI2, then enter each in turn and:
    * Create new empty partition table on this device: Yes (if asked)

If you want to try to preserve existing data, then in the following steps, be careful not to delete partition #1 from either disk.
  * Select each partition under SCSI1 and SCSI2 (except #1 if you want to save the existing data), press Enter to edit it, and choose Delete the partition.
  * Each disk (SCSI1 and SCSI2) should now show:
    * #1 primary 75.0 GB raid (if keeping existing data, size may vary)
    * 175.0 GB FREE SPACE (amount of free space may vary)
  * Select the FREE SPACE on each disk in turn:
    * Choose Create a new partition
    * Press Enter to accept the default size (all of the free space)
    * Choose Primary as the type
    * Press Enter on Use as: Ext4 journaling file system
    * Choose Physical volume for RAID
    * Choose Done setting up the partition

4.7 Partition disks: Configuring Software RAID

  * Choose Configure software RAID from the top of the Partition disks menu
  * Choose Yes to write the changes to the storage devices, or keep the current partition layout

If you get an error message about an Error informing the kernel about modifications, then choose Cancel and keep choosing Cancel until you get to the Software RAID configuration menu. Press Ctrl+Alt+Delete to reboot the server, and follow all the steps above again. However your partition changes should have been saved, so you may not need to delete or create any partitions this time.

  * You should see the Software RAID configuration menu
  * Choose Create MD device
  * Choose RAID1
  * Press Enter to accept the default of 2 active devices
  * Press Enter to accept the default of 0 spare devices
  * Use the up and down arrow keys to select each of the two 175000 MB: raid partitions, and press Space to make an asterisk (*) appear in the box to the left of each one. There should be exactly two boxes with asterisks in them. DO NOT PROCEED unless two devices are selected!
  * Press Tab to highlight the Continue button and Enter to continue
  * You should see the Software RAID configuration menu again
  * Choose Finish

4.8 Partition disks: Create Logical Volumes

  * You should see the Partition disks menu
  * Under RAID1 Device, choose partition #1
  * Choose Use as: do not use
  * Choose physical volume for LVM
  * Choose Done setting up the partition
  * Choose Configure the Logical Volume Manager
  * Under Keep current partition layout and configure LVM, choose Yes
  * Choose Create volume group
  * Enter Raid as the volume group name
  * Under Devices for the new volume group, highlight /dev/md0 (175000 MB) (or /dev/md1 (175000 MB) if you are preserving existing data)
  * Use the Space key to put an asterisk (*) in the box next to it
  * Choose Continue

Create the Root volume for Ubuntu Maverick (10.10):

  * Choose Create logical volume
  * Choose the Raid volume group
  * Enter Root_Maverick as the volume name
  * Enter 15G (15 gigabytes) for the Logical volume size

Create the other logical volumes in the same way:

  * One called Var_Maverick, 10G size
  * One called Home, 80G size
  * One called Home_Manager, 20G size
  * One called Swap, 4G size

Then choose Display configuration details, and check that the logical volumes are displayed as follows:

Volume groups:
  Raid
    Uses physical volume: /dev/md1 (or /dev/md0)
    Provides logical volume: Home (79997 MB)
    Provides logical volume: Home_Manager (19998 MB)
    Provides logical volume: Root_Maverick (14998 MB)
    Provides logical volume: Swap (3997 MB)
    Provides logical volume: Var_Maverick (9999 MB)

Choose Continue to exit the Current LVM configuration screen. On the LVM configuration menu, choose Finish.

4.9 Partition disks: Configure Filesystems

  * You should see the Partition disks menu
  * Under LVM VG Raid, LV Swap:
    * Choose the #1 partition
    * Choose Use as: do not use
    * Choose swap area
    * Choose Done setting up the partition
  * Under each of the other logical volumes created above (all except Swap):
    * Remember which logical volume the partition belongs to, e.g. Home
    * Choose the #1 partition
    * Choose Use as: do not use
    * Choose Ext4 journalling file system
    * Choose Mount point: none
      * For the Home volume, choose /home
      * For the Home_Manager volume, choose Enter manually and then type /home/manager
      * For the Root_Maverick volume, choose /
      * For the Var_Maverick volume, choose /var
    * Choose Label: none
    * Enter the name of the logical volume as its label, e.g. Root_Maverick
    * Choose Done setting up the partition
  * Check that you have the following structure:

LVM VG Raid, LV Home - 80.0 GB Linux device-mapper (linear)
  #1 80.0 GB f ext4 /home
LVM VG Raid, LV Home_Manager - 20.0 GB Linux device-mapper (linear)
  #1 20.0 GB f ext4 /home/manager
LVM VG Raid, LV Root_Maverick - 15.0 GB Linux device-mapper (linear)
  #1 15.0 GB f ext4 /
LVM VG Raid, LV Swap - 4.0 GB Linux device-mapper (linear)
  #1 4.0 GB f swap swap
LVM VG Raid, LV Var_Maverick - 10.0 GB Linux device-mapper (linear)
  #1 10.0 GB f ext4 /var

  * Scroll down to the bottom of the menu and choose Finish partitioning and write changes to disk
  * When asked Do you want to boot your system if your RAID becomes degraded, choose No
  * When asked Write the changes to disks?, choose Yes

The system will then display partitions formatting and then installing base system. Wait for the process to finish.

4.10 Set up users and passwords

  * For Full name for the new user: enter CAMA Network Manager, and continue.
  * For User name: enter manager
  * For Password: enter the password for the manager user (you will see a * for each character)

4.11 Configure the package manager

  * HTTP proxy information: leave blank, because no HTTP proxy is required; just press Enter to continue
  * System responds with select and install software
  * Wait for the process to finish, which will take some time
  * You can cancel the Retrieving files steps if your internet connection is slow, and install updates later (recommended)

4.12 Configure LTSP

On one of the servers you will probably get the error message: There are no free interfaces for use with LTSP or Build LTSP chroot: Installation step failed. In this case you will have to configure the second network interface for LTSP later. In the latter case, you will also be dropped to the installer menu, where you will have to choose the option Install the GRUB boot loader and then Finish the installation.

4.13 Configuring grub-pc

When asked Install the GRUB boot loader on the Master Boot Record?, choose Yes.

4.14 Finish the installation

  * Is the system clock set to UTC: Yes
  * Installation complete. Select continue to restart.

After installation has finished, the server should boot into Ubuntu. Once the boot has finished, you should see the Ubuntu login screen.

5 General Post-Install Configuration

5.1 Enable Local Repository

If you have a mirrored copy of the Ubuntu repository, enable it now to speed up software installation. E.g. if it's mounted on /media/ubuntumirror, rename /etc/apt/sources.list to a backup copy, and recreate it with just the following lines inside:

deb file:/media/ubuntumirror/mirror/ maverick main restricted universe multiverse
deb file:/media/ubuntumirror/mirror/ maverick-updates main restricted universe multiverse
deb file:/media/ubuntumirror/mirror/ maverick-security main restricted universe multiverse

Note that the path after the file: must exist, and must contain a subdirectory called "dists", which contains maverick, maverick-updates and maverick-security.

Connect the device and run apt-get update.

Run apt-get upgrade to install any pending software updates.

5.2 Install Ubuntu updates
Log in using the manager account. If you have an internet connection, install any updates available in the package manager.

5.3 Simplify File Management as Root

  * Run Applications/Ubuntu Software Centre
  * Type nautilus-gksu into the search box
  * Click on Privilege granting extension for nautilus using gksu
  * Click on the Install button
  * Log out and log back in again to activate the extension

5.4 Install Server Kernel

Allows use of RAM over 4 GB.

  * Run Applications/Ubuntu Software Centre
  * Type linux-server into the search box
  * Click on Complete Linux kernel on Server Equipment
  * Click on the Install button
  * Reboot to activate the new kernel (Power off button, then Restart, and log back in once rebooted).

5.5 Enable auto-creation of home directories

Add the following line to the bottom of /etc/pam.d/common-session:

session required pam_mkhomedir.so umask=0077

Check it very carefully before saving, as a typing mistake could make it impossible for any user to log in. You might need to boot the system using a rescue CD in that case.

5.6 Configure LTSP Interface

The private network for LTSP clients must have a different IP address range from the public (Internet) side of the server. Unfortunately the default is the very common 192.168.0.x range. It's better to change the range to something less common, such as 192.168.2.x.

Also, NetworkManager has a tendency to try to get an IP address from its own DHCP server, which breaks both Internet connectivity and thin clients. It's better to configure the LTSP interface using /etc/network/interfaces rather than NetworkManager.

  * Right-click on the NetworkManager icon (probably a pair of arrows, up and down)
  * Choose Edit Connections...
  * Choose Auto eth1 and click Delete
  * Choose Auto eth2 if it exists, and click Delete
  * Click Close
  * Edit /etc/network/interfaces and add the following lines (with the server's address and netmask on the LTSP subnet):

auto eth1
iface eth1 inet static
    address
    netmask

  * Bring the interface up manually with sudo ifup eth1.
  * Edit /etc/ltsp/dhcpd.conf
  * Change all instances of 192.168.0 to another subnet, such as 192.168.2
  * Start the DHCP server with sudo service dhcp3-server start

Run sudo ltsp-update-image to install the NBD server so that clients can boot.

5.7 Install Adobe Flash Plugin

sudo apt-get install flashplugin-installer

5.8 Install Caching Servers

Install Squid and Bind 9:

sudo apt-get install squid bind9

To stop Squid dying due to DNS tests failing if the system boots while the Internet connection is offline, edit /etc/default/squid and add:

SQUID_ARGS="-D"

Start or restart Squid:

sudo service squid stop
sudo service squid start

5.9 Enable Proxy Cache by Default

To enable the proxy cache by default for all users:

  * Log in as the manager account
  * Open System/Preferences/Network Proxy
  * Choose Manual proxy configuration
  * Tick Use the same proxy for all protocols
  * For HTTP proxy: enter localhost
  * For Port: enter 3128
  * Click the Apply System-Wide... button
Check that you can still browse the Internet.

5.10 Enable Forwarding and Masquerading

Needed if the thin clients need Internet access from local applications, or when running in standalone mode.

Edit /etc/sysctl.conf, find the line that says:

#net.ipv4.ip_forward=1

and remove the "#" mark at the start of the line. Run this to apply immediately:

sudo sysctl -p /etc/sysctl.conf

Now enable masquerading:

sudo iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

Save the rules to a file:

sudo iptables-save | sudo tee /etc/iptables.conf

And configure the system to load these rules whenever the eth0 (public) interface comes up, by editing /etc/network/interfaces. Find the following line:

iface eth0 inet dhcp

If it starts with a "#" character, remove it. Then add a line below it which says:

post-up /sbin/iptables-restore < /etc/iptables.conf && echo "Rules loaded."

Test it by bringing the interface down and up again, and check for the line that says "Rules loaded" in the output:

sudo ifdown eth0
sudo ifup eth0

Edit /etc/ltsp/dhcpd.conf and edit the following values:

option domain-name-servers
option routers

Change both, save, and restart dhcpd:

sudo service dhcp3-server restart
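The same forwarding and masquerading setup, as an added example that is not part of the original page: it uncomments the ip_forward line in a copy of sysctl.conf and prints an iptables-restore ruleset that masquerades only the LTSP subnet and forwards nothing else, so the rules can be reviewed before they are loaded. The subnet 192.168.2.0/24, eth0 as the public interface and eth1 as the LTSP interface are assumptions, since the page does not spell out those values.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed values: LTSP clients
# on 192.168.2.0/24 behind eth1, Internet on eth0.

# Turn "#net.ipv4.ip_forward=1" into "net.ipv4.ip_forward=1" in the given
# sysctl.conf, leaving every other line alone, then verify the result.
enable_ip_forward() {
    conf="$1"
    sed 's/^#[[:space:]]*net\.ipv4\.ip_forward=1[[:space:]]*$/net.ipv4.ip_forward=1/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    # check rather than trust the edit: the line must now be present, uncommented
    grep -qx 'net.ipv4.ip_forward=1' "$conf"
}

# Print an iptables-restore ruleset. Only the LTSP subnet is masqueraded, and
# the FORWARD chain defaults to DROP so that nothing else on either side is
# routed through the server; replies to client connections are let back in.
# Usage: masq_rules 192.168.2.0/24 eth0 eth1 | sudo tee /etc/iptables.conf
masq_rules() {
    subnet="$1"   # LTSP client subnet, e.g. 192.168.2.0/24
    pub="$2"      # public (Internet) interface, e.g. eth0
    priv="$3"     # LTSP interface, e.g. eth1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $subnet -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $priv -o $pub -s $subnet -j ACCEPT
-A FORWARD -i $pub -o $priv -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

The file written by masq_rules is in the format the post-up iptables-restore line described in this section expects.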
Check that the DNS service is running: sudo service bind9 status should say bind9 is running.

5.11 LTSP Screen Blanking

We use the following script to blank all guest screens until the command is killed with Ctrl+C:

#!/bin/sh
set -e

command_all()
{
    # For every process owned by a member of the guests group that has a
    # DISPLAY in its command line, run gnome-screensaver-command as that
    # user on that display, with the argument given to command_all.
    ps --no-headers -o euid:1 -o command -p $(pgrep -d, -G guests) |
    sed -ne 's/^\([0-9]*\) .*DISPLAY=\([^ ]*\).*/\1 \2/p' |
    while read euid display; do
        sudo -H -u "#$euid" DISPLAY="$display" sh -c "env XAUTHORITY=\$HOME/.Xauthority gnome-screensaver-command $1"
    done
}

# unblank everything again when the script exits or is interrupted
trap 'command_all --deactivate' EXIT
trap 'command_all --deactivate' INT

while true; do command_all --activate --lock; sleep 2; done

You can also create an icon for it, that runs in a terminal, and close the terminal window to stop it.

The script runs sudo, and therefore requires that your user is a member of the admin group, e.g. manager.

5.12 Customising the LTSP Client Image

You can make changes in /opt/ltsp/i386 and then run sudo ltsp-update-image to apply them. Each Aleutia needs to be rebooted for the changes to take effect on it.

To be able to log in as root on the Aleutia (highly recommended):

sudo chroot /opt/ltsp/i386
passwd
(enter a root password)
exit
sudo ltsp-update-image

To install software in the chroot using apt, either online:

  * Replace /opt/ltsp/i386/etc/apt/sources.list with the unmodified (Internet) copy from the server, for example /etc/apt/sources.list.bak
Or offline:

  * sudo mkdir /opt/ltsp/i386/cdrom
  * sudo mount --bind /media/ubuntumirror /opt/ltsp/i386/cdrom
  * sudo cp /etc/apt/sources.list /opt/ltsp/i386/etc/apt
  * edit /opt/ltsp/i386/etc/apt/sources.list and change /media/ubuntumirror to /cdrom
  * sudo chroot /opt/ltsp/i386 apt-get update

To be able to log in remotely to the Aleutia for debugging (highly recommended):

sudo chroot /opt/ltsp/i386 apt-get install openssh-server
sudo ltsp-update-image

If the LTSP client tree gets corrupted then you can rebuild it. You may need Internet access for this. Run the following commands:

sudo rm -rf /opt/ltsp/i386
sudo ltsp-build-client

To build an LTSP client tree with updates, using a UK mirror and a proxy server:

sudo env http_proxy= ltsp-build-client --mirror "" --extra-mirror " hardy-updates main restricted"

5.13 Disable Compiz for Compatibility

Some graphics cards in thin clients don't work with LTSP, or recent versions of Ubuntu in general. The symptom is that when you log in, the session exits immediately and you're dumped back at the login prompt.

If you look in the .xsession-errors file in the user's home directory, you might see the following lines:

/usr/bin/compiz (core) - Fatal: Support for non power of two textures missing
/usr/bin/compiz (core) - Error: Failed to manage screen: 0
/usr/bin/compiz (core) - Fatal: No manageable screens found on display localhost:11.0

The fix for this is to disable Compiz for each user individually:

sudo -u <user> gconftool-2 --type string --set /desktop/gnome/session/required_components/windowmanager metacity

Or for all users:
sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/session/required_components/windowmanager metacity

Note that this disables pretty window effects for all users.

6 Camfed Programme Specific

6.1 Guest User Accounts

We use the "Login as Guest" feature of LDM in the classroom, to avoid having to hand out passwords. Guest users can also expect not to be able to save files locally. The recommended way seems to be to have a user account for each computer, with the same name as the computer, to avoid needing to configure each computer in lts.conf. However we still have to create a large number of user accounts in this case.

We use a script to create user accounts based on the MAC address of each thin client. This requires us to boot all the clients to get their MAC addresses into the DHCP database.

The script will rewrite /var/lib/tftpboot/ltsp/i386/lts.conf and destroy its previous contents, so don't run it if you've made any important changes to that file.

The user accounts are authenticated by an SSH public key pair, of which the private key is in the LTSP image. If the key does not exist, the script generates one when run. The key is restricted to logins from the LTSP client subnet. The accounts have locked passwords so there is no other way to log in. A rogue or compromised client or network device could steal the key, so it's not completely secure, but much better than assigning passwords to guest users.

The script is this:

#!/bin/bash
# creates guest accounts for each LTSP terminal that has already
# obtained an IP address using DHCP, so we know its MAC address
# from the DHCP server database

set -e

groupadd -f guests
guesthouse=/home/guests
mkdir -p $guesthouse

# work out the LTSP client subnet from the address on eth1
apt-get install ipcalc
subnet=`ip addr ls dev eth1 | grep "inet " | awk '{ print $2 }'`
subnet=`ipcalc $subnet | grep Network | awk '{ print $2 }'`

# generate a secure key to use for login to guest accounts
if [ ! -r /opt/ltsp/i386/root/.ssh/id_dsa ]; then
    chroot /opt/ltsp/i386 ssh-keygen -t dsa
    ltsp-update-image
fi

cat > /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF
[default]
# Enable direct X connections (not using ssh), faster but not secure,
# important for youtube and general responsiveness on the E2s
LDM_DIRECTX = True
# Enable the "Login as Guest" button in LDM
LDM_GUESTLOGIN = True
# Reduce volume of the Ubuntu startup sound
VOLUME = 50
# Prevent X clients from using all system RAM and hanging the terminal
X_RAMPERC = 80
EOF

create_account()
{
    user=$1
    home=$2

    # create the user if they don't exist, set their shell, put them in the
    # "guests" group and lock their password to prevent password logins
    if getent passwd $user >/dev/null; then
        usermod -g guests -s /bin/bash -d $home -L $user
    else
        useradd -g guests -s /bin/bash -d $home -m $user
    fi

    # Lock down the panel for guest users to stop them messing around
    sudo -u $user gconftool-2 --type boolean --set /apps/panel/global/locked_down true

    # Set preferred keybindings for the user
    for i in "move_tab_left <Shift><Control>Left" "move_tab_right <Shift><Control>Right" "next_tab <Shift>Right" "prev_tab <Shift>Left"
    do
        sudo -u $user gconftool-2 --type string --set /apps/gnome-terminal/keybindings/$i
    done
}

# the template account that all other guest accounts are reset to
create_account guest $guesthouse/guest

grep ethernet /var/lib/dhcp3/dhcpd.leases | awk '{ print $3 }' | sed -e 's/;//' \
| sort | uniq | while read mac; do
    # echo something to show progress
    echo $mac

    # extract the last two bytes of the MAC, enough to be unique
    # but not too long
    shortmac=`echo $mac | perl -pe 's/(..):(..):(..):(..):(..):(..)/$5$6/'`

    # generate the user name based on the MAC
    user="guest_$shortmac"
    home="$guesthouse/$user"

    # write an entry for each terminal into lts.conf
    cat >> /var/lib/tftpboot/ltsp/i386/lts.conf <<EOF
[$mac]
HOSTNAME = ltsp-$shortmac
LDM_USERNAME = $user
EOF

    create_account $user $home

    # allow public-key logins from thin clients using the secure key that
    # we generated earlier
    mkdir -p $home/.ssh
    echo "from=\"$subnet\"" `cat /opt/ltsp/i386/root/.ssh/` > $home/.ssh/authorized_keys

    # Disable locking the screen for users with no password to unlock it
    sudo -u $user gconftool-2 --type boolean --set /apps/gnome-screensaver/lock_enabled false
done

exit 0

You __must not__ have duplicate sections for the same machine in /var/lib/tftpboot/ltsp/i386/lts.conf, so please double-check this.

If any client doesn't log in automatically at boot, check that its configuration in lts.conf is correct, and see whether you can log on using its guest account on another station. The guest account name is made from the prefix guest_, followed by the last three bytes of the MAC address, without colons, e.g. guest_d90e. You should not need to enter any password.

The MAC address of each Aleutia should be printed on a label on its back, but if not, boot the Aleutia to the LTSP login screen, press Ctrl+Alt+F1, log in as root, run ifconfig eth0 and look for the HWaddr. Run logout and press Ctrl+Alt+F7 to get back to the LTSP login screen.

6.2 Student Accounts
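An added example (not the page's own script) that does the double-check this section asks for: it reuses the same MAC-to-account naming as the script above using sed instead of perl, extracts the leased MACs from a dhcpd.leases file, and reports any [section] that appears more than once in an lts.conf. The lease data and lts.conf contents it ships with are constructed samples, not data from the Zambia servers.

```shell
#!/bin/sh
# Added example, not from the original page. The sample data below is
# constructed; on the real server pass /var/lib/dhcp3/dhcpd.leases and
# /var/lib/tftpboot/ltsp/i386/lts.conf instead.

# guest_xxxx from the last two bytes of a MAC address, as the script above
# does with perl. Refuses anything that is not six colon-separated hex bytes.
guest_name_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf 'guest_%s\n' "$(printf '%s' "$mac" | sed -e 's/^.*:\(..\):\(..\)$/\1\2/')"
}

# Every MAC that holds a lease in a dhcpd.leases file, lowercased and
# deduplicated (the same "hardware ethernet xx:xx:...;" extraction as above).
lease_macs() {
    grep 'hardware ethernet' "$1" | awk '{ print $3 }' | sed -e 's/;//' | tr 'A-F' 'a-f' | sort -u
}

# Print each [section] name that occurs more than once in an lts.conf.
# Returns 1 if any duplicate was found, 0 if the file is clean.
lts_conf_duplicates() {
    dups=$(sed -ne 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed dhcpd.leases excerpt: one client appears twice, once uppercase.
sample_leases() {
    cat <<'EOF'
lease 192.168.2.101 {
  starts 4 2010/12/16 08:02:11;
  hardware ethernet 00:11:22:33:D9:0E;
}
lease 192.168.2.102 {
  hardware ethernet 00:11:22:33:da:ff;
}
lease 192.168.2.101 {
  hardware ethernet 00:11:22:33:d9:0e;
}
EOF
}

# Constructed lts.conf with the duplicate-section mistake the text warns about.
sample_lts_conf() {
    cat <<'EOF'
[default]
LDM_GUESTLOGIN = True
[00:11:22:33:d9:0e]
HOSTNAME = ltsp-d90e
LDM_USERNAME = guest_d90e
[00:11:22:33:da:ff]
HOSTNAME = ltsp-daff
LDM_USERNAME = guest_daff
[00:11:22:33:d9:0e]
HOSTNAME = ltsp-d90e
EOF
}
```

Running lts_conf_duplicates on the sample prints 00:11:22:33:d9:0e and exits non-zero; on a clean file it prints nothing and exits zero.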
We have a list of students, with email addresses and passwords, in CSV format. To create accounts for them, we use the following script:

```sh
#!/bin/sh
# abort if anything goes wrong
set -e
# set -x

groupadd -f students
hostel=/home/students
mkdir -p $hostel

if [ "$1" = "--delete" ]; then
    DELETE=yes
fi

set_keybindings() {
    sudo_opts=$1
    shift
    # $i is deliberately left unquoted so that it splits into the key name
    # and its value
    for i in "move_tab_left <Shift><Control>Left" \
             "move_tab_right <Shift><Control>Right" \
             "next_tab <Shift>Right" "prev_tab <Shift>Left"
    do
        sudo $sudo_opts gconftool-2 "$@" --type string --set /apps/gnome-terminal/keybindings/$i
    done
}

# set the keybindings in the system-wide defaults first
set_keybindings "" --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults

# the CSV columns are comma separated
while IFS=, read number email firstname lastname oldpassword newpassword type rest
do
    echo $email
    if [ -n "$email" -a -n "$newpassword" ]; then
        case $email in
        *)
            # remove the domain from the email address to get the user name
            user=`echo $email | sed -e 's/@.*//'`
            echo $user $newpassword
            # hash the password with a random two-character salt
            crypt=`perl -e "@a=('A'..'Z', 'a'..'z', '0'..'9'); print crypt('$newpassword', join('', @a[rand @a, rand @a]))"`
            home="$hostel/$user"
            opts="-p $crypt -g students -s /bin/bash -d $home"
            name="$firstname $lastname, $type, 2010"
            if [ -n "$user" -a -d "$home" -a -n "$DELETE" ]; then
                rm -rf "$home"
            fi
            if getent passwd $user >/dev/null && [ -n "$DELETE" ]; then
                userdel -r $user
            fi
            if getent passwd $user >/dev/null; then
                usermod $opts -c "$name" $user
            else
                useradd $opts -c "$name" $user
            fi
            if [ -d "$home" ]; then
                set_keybindings "-u $user"
            fi
            ;;
        esac
    fi
done
```

We run it as: cat students.csv | sudo ./

6.3 Clean Guest Accounts

This script resets all guest accounts to the state of the special guest user. Log in as this user only to configure what all other guest users should end up looking like when reset.

This can be useful if a guest user corrupts their profile, leaves litter in their home directory, or their session crashes leaving stale processes running. It does not prevent trojan attacks, only limits their scope.

__BE VERY CAREFUL WITH THIS.__ All the user's files and configuration will be deleted. It double-checks that it's only being used on guest users.

```sh
#!/bin/bash
# Resets a specified guest account, or all guest accounts, to the state of
# the "guest" user, to clean up disk space and stale processes.
# Users who are logged in will not be cleaned up. Use the "-f" option to
# forcibly log them out first.

# abort on error
set -e

if [ "$1" = "-f" ]; then
    force=yes
    # drop the option so it is not taken for a user name below
    shift
fi

# every account whose groups include the "guests" group the guest accounts
# are created in
all_users=`getent passwd | sed -e 's/:.*//'`
for i in $all_users; do
    groups=`groups $i | sed -e 's/.* : //'`
    for g in $groups; do
        if [ "$g" = "guests" ]; then
            guest_users="$guest_users $i"
            break
        fi
    done
done

do_users="$guest_users"
if [ -n "$1" ]; then
    do_users="$*"
fi

for i in $do_users; do
    # refuse to touch anything that is not a guest account
    is_guest=
    for g in $guest_users; do
        if [ "$i" = "$g" ]; then
            is_guest=yes
            break
        fi
    done
    if [ -z "$is_guest" ]; then
        echo "$i is not a guest!"
        exit 2
    fi
    if who | grep -q "^$i "; then
        echo -n "$i is logged in! "
        if [ -n "$force" ]; then
            echo "killing session"
            gnome-session-save --force-logout $i
        else
            echo "skipping. Use -f to kill their session."
            continue
        fi
    fi
    echo
    # signal 0 only tests whether the user still owns any processes
    if killall -0 -u $i; then
        echo -n "$i has processes running! "
        if [ -n "$force" ]; then
            echo "killing them"
            killall -9 -u $i
        else
            echo "skipping. Use -f to kill their processes."
            continue
        fi
    fi
    do_users_loggedout="$do_users_loggedout $i"
done

# replace each home directory with a copy of the template guest's
for i in $do_users_loggedout; do
    home=`getent passwd $i | cut -d: -f6`
    rsync -a --delete ~guest/ $home
    chown -R $i $home
done
exit 0
```

6.4 Internet Cafe Software

The SRC managers requested that we install some software that allows them to time-limit customers at the Internet Cafe. We chose OutKafe, a system that is free, fully featured and was supposed to be open source. We thought we would want to customise it, and in the end we did, but some of the download links didn't work and the author never responded to our questions.

Once it's installed, we needed a way to make the guest users automatically run the client program, oklin, in a way that they couldn't avoid or disable. As we're using the Gnome desktop, we created an autostart file in /usr/share/gnome/autostart/56outkafe-client with the following contents:

```sh
# start the OutKafe client in the background for members of the guests group
if groups | grep -qw guests; then
    oklin > ~/.oklin.log 2>&1 &
fi
```

This will start the client for all guest users. Guests can log in using LDM with no password. The oklin client then locks the computer and requires entry of a username and password from its own user database, which also stores user credit. It allows new users to set their passwords on first login. When the user's credit runs out, it locks their screen again.

We would have liked to add some features, such as a way to log the guest user out (so that a manager can log in on the same terminal), but without the source code we couldn't.

If the admin makes a mistake in OutKafe and gives too much credit to a user, there's no obvious way to fix it. However, we did discover that you can give them a negative amount of credit, and this works to reduce their total credit.

7 Work in Progress

7.1 Read-only Guest Users