LTSP Kiosk

Configuring the Server

Core LTSP Installation

  • The starting point is the normal LTSP 3.0 packages
  • The following packages are needed:
    • ltsp_core
    • ltsp_kernel
    • ltsp_x_core
    • ltsp_x_fonts
  • Install these packages
  • Run ltsp_initialize as suggested in the LTSP documentation. The following setups must be done using this script:
    • /etc/exports
    • /etc/hosts.allow
    • /etc/inetd.conf
    • Use the Review function to turn off unnecessary actions, then Apply
  • Skip the DHCP setup suggested in the LTSP manual. You should already have an active DHCP server in your network. Also, /etc/hosts must not be edited, since you probably have a DNS server in your network.
  • In lts.conf there is one significant extra attribute that should be set. The functionality behind it is added to /etc/rc.local below:
    • XRUN_LOCAL = Y

Hacking the Server Files

/etc/rc.local

On the server side you want to edit the client's /etc/rc.local so that the X server will be run on the client side.

In the client's /etc/rc.local (/opt/ltsp/i386/etc/rc.local), make the following addition below these rows (lines 418-428):

ACCESS_CONTROL=`get_cfg DISABLE_ACCESS_CONTROL N`
if [ "${ACCESS_CONTROL}" = "Y" ]; then
	ACC_CTRL="-ac"
else
	ACC_CTRL=""
fi

You need to add the following set of code, which replaces the short if-/proc/progress-fi construction before the syslog daemon part:

XRUN_LOCAL=`get_cfg XRUN_LOCAL N`
if [ "${XRUN_LOCAL}" = "Y" ]; then

	# Create home directory for UID 1001 (kiosk). The UID is
	# hard-coded in the su_kiosk executable. Make sure that these
	# UIDs are equal.

	mkdir /tmp/home
	chown 1001 /tmp/home

	# Create temp /var/tmp, X11 uses this. Mode 1777 (sticky bit) keeps
	# it world-writable while letting users remove only their own files.

	mkdir /var/tmp
	chmod 1777 /var/tmp

	# Write the start script: X runs locally through su_kiosk and xinit
	if [ -w /proc/progress ]; then
		echo "su_kiosk -e \"/usr/X11R6/bin/xinit /etc/xinitrc -- /usr/X11R6/bin/${XBINARY} ${XOPTS} >/dev/tty3 2>&1\"" >/tmp/start_ws
	else
		echo "su_kiosk -e \"/usr/X11R6/bin/xinit /etc/xinitrc -- /usr/X11R6/bin/${XBINARY} ${XOPTS}\"" >/tmp/start_ws
	fi
else
	# Default LTSP behaviour: query the XDM server
	if [ -w /proc/progress ]; then
		echo "/usr/X11R6/bin/${XBINARY} ${XOPTS} ${ACC_CTRL} -query ${XDM_SERVER} >/dev/tty3 2>&1" >/tmp/start_ws
	else
		echo "/usr/X11R6/bin/${XBINARY} ${XOPTS} ${ACC_CTRL} -query ${XDM_SERVER}" >/tmp/start_ws
	fi
fi

chmod 0755 /tmp/start_ws

This implements the XRUN_LOCAL directive in the lts.conf.

/etc/passwd

The kiosk user will be using UID/GID 1001 (this is hard-coded in su_kiosk and in the chown in rc.local). You might want to add the following line to the client's /etc/passwd:

kiosk:x:1001:1001:kiosk:/tmp/home:/bin/false

/etc/xinitrc

Now you can write your xinitrc, which starts your X applications, probably the window manager and the browser. Remember that rc.local will be run as root, but the xinitrc will be executed using GID 1001. The /etc/xinitrc might look something like this:

# This is executed when XRUN_LOCAL = Y
# Starts all X applications

# Set variable HOME (points to home directory) /tmp/home
export HOME=/tmp/home

# Create home directory /tmp/home (empty it if it already exists)
if [ -d "$HOME" ]; then
	rm -fR "$HOME"/*
else
	mkdir $HOME
fi

# Execute Matchbox Window Manager (http://matchbox.handhelds.org/)
# Compiled to standalone-mode
/usr/bin/matchbox-window-manager &

# Create Mozilla profile to home directory 
/usr/local/MozillaFirebird/MozillaFirebird -CreateProfile kioski

# Replace the created, empty profile with the predefined profile

cp /usr/local/mozilla-prof/kioski/y4e07pve.slt/* "$HOME"/.phoenix/kioski/*/

# Start Mozilla using the profile
/usr/local/MozillaFirebird/MozillaFirebird -P kioski

Installing Additional Binaries to LTSP tree (Server)

The LTSP Contrib area has a useful script called ltsacp that can be used to copy a binary and its required libraries to the LTSP tree (the /opt/ltsp/i386/ of your server).

Libraries for resolving DNS

To get DNS resolving to work, you need to copy the following libraries to the client's /lib:

cp /usr/lib/libnss_dns.so /opt/ltsp/i386/lib/
cp /usr/lib/libresolv.so /opt/ltsp/i386/lib/

Edit the client's /etc/nsswitch.conf so that it contains the following line:

hosts: files dns

Make sure that you have the correct DNS_SERVER value in your lts.conf. As far as I understand, there is no way to use multiple DNS IPs here.

Libraries for getting UID/GID info

Warning: Adding this library breaks the NFS-over-SSL connection in the documented form. Use the patched rlpr instead of following these instructions to get your rlpr to work.

Some tools (like the rlpr printing client) expect UID info from /etc/passwd. This functionality requires some extra libraries:

cp /usr/lib/libnss_files.so.2 /opt/ltsp/i386/lib/

Depending on your distribution you might want to create symlinks libnss_files.so.1 and libnss_files.so which point to libnss_files.so.2.

After making the relevant libraries available, edit the client's /etc/nsswitch.conf again. Make sure that you have the following lines in your configuration:

passwd: files
group: files
shadow: files

This configuration tells the kernel to get the user info from the files (/etc/passwd, /etc/group, /etc/shadow*). You may have other options after the "files" attribute, but make sure "files" is the first one.

If you are using the NFS-over-SSL setup, you have to change the priority of all the other options as well.

xinit

You should get a binary of /usr/X11R6/bin/xinit and place it in the corresponding client directory. To make sure that all relevant libraries come along (they should be there already), use ltsacp:

./ltsacp -t /usr/X11R6/bin/xinit 

Make sure that the permissions of the client's /usr/X11R6/bin/ are correct, especially XFree86 (note the suid bit):

drwxr-xr-x 2 root root 4096 Oct 25 21:56 .
drwxr-xr-x 4 root root 4096 Oct 25 20:37 ..
-rws--x--x 1 root root 1615492 Oct 17 2002 XFree86
-rwxr-xr-x 1 root root 9800 Oct 25 21:56 xinit
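
The settings from the sections above (the kiosk line in /etc/passwd, the chown in rc.local, the nsswitch.conf source order and the suid note on XFree86) can be checked against the client tree on the server with a short script. This is an added example, not part of the original how-to; the function name audit_ltsp_tree and the rule that XFree86 is the only file expected to carry a setuid or setgid bit are assumptions.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit an LTSP client tree
# against the kiosk settings described on this page. Prints one FAIL line
# per finding and returns 0 only when nothing was found.
audit_ltsp_tree() {
    root=${1%/}
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # kiosk account: UID/GID 1001, home /tmp/home, no login shell
    entry=$(awk -F: '$1 == "kiosk" { print $3 ":" $4 ":" $6 ":" $7; exit }' \
        "$root/etc/passwd" 2>/dev/null) || :
    [ "$entry" = "1001:1001:/tmp/home:/bin/false" ] ||
        fail "kiosk passwd entry is '${entry:-missing}'"

    # rc.local must hand /tmp/home to that same UID
    grep -q '^[[:space:]]*chown 1001 /tmp/home' "$root/etc/rc.local" 2>/dev/null ||
        fail "rc.local does not chown /tmp/home to UID 1001"

    # nsswitch.conf: "files" must be the first source of each database
    for db in hosts passwd group shadow; do
        first=$(awk -v db="$db:" '$1 == db { print $2; exit }' \
            "$root/etc/nsswitch.conf" 2>/dev/null) || :
        [ "$first" = files ] ||
            fail "nsswitch.conf: $db starts with '${first:-nothing}'"
    done

    # Assumption: XFree86 is the only file meant to carry a setuid or
    # setgid bit; anything else is reported for a manual look.
    while IFS= read -r f; do
        case ${f#"$root"} in
            '' | /usr/X11R6/bin/XFree86) ;;
            *) fail "unexpected setuid/setgid file: ${f#"$root"}" ;;
        esac
    done <<EOF
$(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
EOF
    [ "$fails" -eq 0 ]
}

# Runs against the tree given as $1, or the page's /opt/ltsp/i386 if present.
tree=${1:-/opt/ltsp/i386}
if [ -d "$tree" ]; then audit_ltsp_tree "$tree"; fi
```

Run it on the server after each change to the client tree; an empty output with exit status 0 means the tree matches the settings above.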

su_kiosk

su_kiosk is a small program that changes the effective GID from root's. Read the source (note NEWID, which will be the new GID), compile it and copy it to the client's /usr/bin with proper attributes.

su_kiosk.c source

Mozilla Firebird

Download Mozilla Firebird (http://www.mozilla.org/products/firebird/). The following commands untar the package and copy the files to the client's /usr/local.

tar --get -z <MozillaWhatever.tar.gz
mkdir /opt/ltsp/i386/usr/local/
mkdir /opt/ltsp/i386/usr/local/MozillaFirebird
cp -rp MozillaFirebird/* /opt/ltsp/i386/usr/local/MozillaFirebird/
./ltsacp -t MozillaFirebird/MozillaFirebird-bin

Before running ltsacp, make sure that you have all relevant libraries on your server:

ldd MozillaFirebird/MozillaFirebird-bin

It should give something like this:

libmozjs.so => not found
libxpcom.so => not found
libplds4.so => not found
libplc4.so => not found
libnspr4.so => not found
libpthread.so.0 => /lib/libpthread.so.0 (0x40018000)
libdl.so.2 => /lib/libdl.so.2 (0x4002c000)
libgtk-1.2.so.0 => /usr/lib/libgtk-1.2.so.0 (0x4002f000)
libgdk-1.2.so.0 => /usr/lib/libgdk-1.2.so.0 (0x40154000)
libgmodule-1.2.so.0 => /usr/lib/libgmodule-1.2.so.0 (0x40189000)
libglib-1.2.so.0 => /usr/lib/libglib-1.2.so.0 (0x4018c000)
libXi.so.6 => /usr/X11R6/lib/libXi.so.6 (0x401af000)
libXext.so.6 => /usr/X11R6/lib/libXext.so.6 (0x401b7000)
libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x401c4000)
libm.so.6 => /lib/libm.so.6 (0x4029e000)
libc.so.6 => /lib/libc.so.6 (0x402bf000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

The first five libraries are in the MozillaFirebird directory. In my case I had to install the GTK 1.2 library.

Finally, you can run ltsacp. In its output you see that some "not" files are missing. There are five of them, and these messages stand for the five Mozilla libraries which you already copied to the client's /usr/local/MozillaFirebird.

Window Manager (matchbox)

The window manager used in this project was Matchbox (http://matchbox.handhelds.org/) because of its easy configurability. However, it has no timeout function (auto-logout), which makes it less attractive for this use. Here are the configuration directives which work for 0.8.4:

./configure --disable-xft --disable-png --disable-keyboard \
	--enable-standalone --x-includes=/usr/X11R6/libs/ \
	--disable-ping-protocol --with-x

Finally, install the matchbox binary (src/matchbox-window-manager) to the client's /usr/bin. Although all needed libraries should be in place already, you may want to check this with ldd/ltsacp as explained above.

Updating LTSP's libc

Mozilla needs a later C library than the one bundled in the LTSP packages. The server probably has a more up-to-date libc, so copy the following files to the client's /lib:

cp /lib/libc.so.6 /opt/ltsp/i386/lib/libc.so.6
cp /lib/ld-linux.so.2 /opt/ltsp/i386/lib/ld-linux.so.2
cp /lib/libdl.so.2 /opt/ltsp/i386/lib/libdl.so.2

MozillaFirebird profile

TODO

Updated: 10-MAR-2005