Customizing Ubuntu Lucid for Public Computing

These are my notes on how I customize Ubuntu to lock down Gnome, refresh user accounts after use, etc.

Software Installation

  • installed 10.04 amd64 server edition
  • installed ubuntu-desktop
  • installed ltsp-server-standalone (config 2nd NIC with 192.168.0.254 first)
  • built ltsp client with --arch i386
  • installed opera & chrome via download
  • installed acroread (Adobe Acrobat Reader) and Flash from Ubuntu Software Center
  • removed unnecessary software that wasn't required by ubuntu-desktop

Faster thin clients (1+ GHz processor, 128 MB or more of RAM) seem to work plenty fast with LTSP 5 default settings. Our older thin clients (including the ones from disklessworkstations with 533 MHz processors and more RAM) will need to be replaced. They were extremely slow, taking an eternity to boot and laggy on the desktop. On previous installation attempts I changed the settings to those that would supposedly make things faster, but nothing really seemed to help, and disabling the SSL tunnel (which is supposed to make things faster) seemed to make things less robust, crashing if you shut the TC off and turned it back on, etc.

More on hardware: I prefer using two hard drives in a RAID1 array for the server. That way, if one hard drive dies you should still be able to keep running with just one drive, until you can replace the drive that goes bad. Also, it's best to have Gigabit network cards in the server, especially on the thin client network interface, to allow as much bandwidth as possible for the thin clients to use. I also recommend using Gigabit network switches on the thin client network.

Desktop customization:

Create an account for each type of patron account you wish to have–one for public Internet computing, one for OPACs, etc. Make all interface customizations there, and then you can use that account as a template for each workstation's account. (I create an account for each thin client workstation.) I recommend creating one template account, making the gnome customizations, and then creating further template accounts for each type of account you want to use with Gnome. There *is* a tool called Sabayon that is supposed to let you create user templates, but I have had a lot of difficulty with it in the past so I don't use it.

I created an account called “patrontemplate” which would serve as the template for all the user accounts. I plan to make all my customizations there, and then create the user accounts and copy the home folder of the template, changing permissions and usernames where necessary.

Template account customizations:

  • disabled unnecessary startup apps (bluetooth, ubuntu one, etc)
  • edited the menu to exclude stuff I don’t want patrons to access, including extras on the Places & System menus.
  • installed Pessulus. Used it to lock down some settings, like changing the panel.
  • disabled screensaver (this uses a lot of resources, apparently)
  • used gconf-editor to remove keyboard shortcuts and make the desktop background unchangeable. Values you only want to change for that user can be set as that user, as long as you can get to a terminal or the like to run gconf-editor. However, once the menus are weeded and shortcuts disabled, you may not be able to run it as that user. The same goes for Pessulus (Lockdown editor). Changes can only be made mandatory for all users when run as the administrator. Background set as default & mandatory under apps - desktop - gnome - background.
  • changed permissions for desktop icons to 555 so they cannot be edited
  • changed permission of Desktop folder so new icons could not be added to it.

Also see Kyle’s instructions for locking down gnome: http://wiki.libki.org/doku.php?id=libki_on_gnome

Account creation:

  For patron accounts -
    * create account w/ user settings tool
    * modify user privileges (remove unnecessary privileges)
    * delete existing files from user directory
    * replace with files from /home/patrontemplate & change ownership to user;
    * search & replace all instances of /home/publictmpl with /home/username  --see note below
    * copy firefox prefs.js to user.js & change ownership to root
    * make backups of new home directories for use with refresh script

This works beautifully to find and replace all instances of a word within a directory (-print0 and -0 keep file names containing spaces intact):

find /path/to/start/from/ -type f -print0 | xargs -0 perl -pi -e 's/applicationX/applicationY/g'

refresh script: /etc/X11/Xsession.d/01refreshuser:

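case "$USER" in
    root|nimda|staff)
        # staff and admin accounts keep their files
        echo "do nothing!"
        ;;
    *)
        # restore the patron's home directory from its pristine backup
        /usr/bin/rsync -az --delete --exclude-from=/path/to/excludefile \
            "/var/userbackups/$USER/" "/home/$USER" \
            || echo "rsync failed!" > /tmp/rsync.log
        ;;
esac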

In the exclude file I have .Xauthority and .xsession-errors. After much putzing around to get logins to work properly, this is what I wound up with. I also set up autologin for each workstation. See the documentation for lts.conf for instructions.

Automatic Updates:

I use a script for automatically updating software on the server. However, I've noticed that a lot of times it doesn't do anything, and I need to figure out why.

#!/bin/bash

aptitude -y update && aptitude -y safe-upgrade && aptitude -y dist-upgrade && aptitude -y autoclean

Automatic Login and lts.conf

You can set boot parameters for each thin client in lts.conf, located in /var/lib/tftpboot/ltsp/i386 (or whatever your arch is). You'll have to create the file, but there's an example in /opt/ltsp/i386/usr/share/doc/ltsp-client-core/examples. Any parameters you want to pass to all thin clients can go in the [Default] section. Individual thin clients can be identified by MAC address. Documentation for the parameters can be found in chapters 8, 9, & 10 of the LTSP manual: http://softlayer.dl.sourceforge.net/project/ltsp/Docs-Admin-Guide/LTSPManual.pdf. You can also use the LIKE keyword to create a shortcut for several parameters, to keep your rules tidy. Here's a sample from mine:


[Default]
X_NUMLOCK = True

[Atom_tc]
XSERVER = intel
X_OPTION_01 = "\"noapic\""
X_OPTION_02 = "\"acpi=off\""
LDM_AUTOLOGIN = True

[Opacs]
LDM_SESSION = /usr/local/bin/bbstartup

#############

# standard patron thin client

[90:fb:a6:ed:7f:7d]
LIKE = Atom_tc
LDM_USERNAME = patron1
LDM_PASSWORD = password

###########

# opac account
[90:fb:a6:ed:7f:8a]
LIKE = Atom_tc
LDM_USERNAME = opac1
LDM_PASSWORD = password
LIKE = Opacs

For autologin, you must set LDM_AUTOLOGIN to True, and you need to define LDM_USERNAME and LDM_PASSWORD. I have some Intel Atom-based thin clients, and they won't boot unless “noapic” and “acpi=off” are set as boot parameters, so I have that in the Atom_tc shortcut. First try booting your thin clients without any boot parameters, and tweak the settings if needed. Also, I set the default session to blackbox for OPAC accounts with LDM_SESSION. More on that below.
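lts.conf sits in the TFTP root, so every host on the thin client network can read the passwords stored in it; the accounts named there should carry no privileges. An added check (not part of the original notes) that lists the LDM_USERNAME values in lts.conf and flags any account that belongs to an administrative group or is exempted by the refresh script; the function names and the group list are assumptions.

```bash
#!/bin/bash
# Added example, not from the original notes. Function names and the list of
# sensitive groups are assumptions; adjust the list to your server.

# Group lookup kept in its own function so it can be swapped out.
groups_of() { id -nG "$1" 2>/dev/null; }

# Print every LDM_USERNAME in the file, whichever section it is in, so that
# passwords inherited through LIKE are covered as well.
ltsconf_users() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        {
            eq = index($0, "="); if (!eq) next    # split on the first "="
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            if (key == "LDM_USERNAME" && val != "") print val
        }
    ' "$1" | sort -u
}

# Report autologin accounts that should not be in lts.conf; returns 1 if any.
audit_autologin() {
    local conf="$1" bad=0 u g
    for u in $(ltsconf_users "$conf"); do
        # Accounts the refresh script skips are never reset at login.
        case "$u" in
            root|nimda|staff) echo "$u: exempt from the login refresh"; bad=1 ;;
        esac
        # Groups that grant sudo or log access on Ubuntu (assumed list).
        for g in $(groups_of "$u"); do
            case "$g" in
                admin|sudo|adm|lpadmin) echo "$u: member of group $g"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}
```

Run it as audit_autologin /var/lib/tftpboot/ltsp/i386/lts.conf after every change to the file.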

User Process Cleanup

I wrote a script that will clean up users at the end of the day, to be run via cron. If the thin client is shut off & rebooted, LDM takes care of cleaning up the user’s old processes, it seems. But if you shut it down and leave it off, they just keep running, potentially clogging up the works later. This script kills processes of all users listed in /home. It excludes users nimda & root.

/usr/local/bin/usercleanup.pl:

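#!/usr/bin/perl -w

use warnings;
use strict;

# every directory name under /home is treated as a user name
my $activeusers  = `ls /home` ;

my @userlist = split /\s+/, $activeusers;

foreach my $user (@userlist) {
   # compare against each excluded name separately;
   # ( "nimda" || "root" ) evaluates to just "nimda"
   if ( $user eq "nimda" || $user eq "root" ) {
       print "User was $user.  Not Killing. \n";
       }
       else {
       # list form of system() bypasses the shell, so a directory
       # name is never interpreted as shell syntax
       system ( "killall", "-u", $user );
       }
}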

OPAC setup

Set the home page in Firefox to the OPAC's URL. I also installed squid on the thin client server and configured it so that I can use it to limit the OPACs to just the library catalog URL. Set up Firefox's preferences, including configuring the proxy to use squid, and copy the prefs.js file to user.js. Change ownership of user.js to root. I also do this on the accounts for the public Internet computers–if a patron changes Firefox's preferences in any way, this will reset them to the original settings when Firefox is closed and reopened.

I use this script to restart Firefox every time it's closed; it's invoked in the bbstartup script that follows.

/usr/bin/ffstart:

#!/bin/bash

/usr/bin/firefox -P default

while true ; do
    /usr/bin/firefox -P default
done

I’m using blackbox for the OPACs. Install & configure it as below. From the original article here:

http://kerkness.blogspot.com/2008/04/creating-touch-screen-kiosk-using-flex.html

aptitude install blackbox blackbox-themes bbkeys

mkdir /home/user/.blackbox
touch /home/user/.blackbox/menu
touch /home/user/.blackboxrc
chown -R user.user /home/user/.blackbox
chown user.user /home/user/.blackboxrc

Add this to .blackboxrc:

session.styleFile: /usr/share/blackbox/styles/Gray
session.menuFile: ~/.blackbox/menu
session.screen0.workspaces: 1

Add this to ~/.blackbox/menu:

[begin] (Blackbox)
    [exec] (Quit) {/usr/local/bin/blackbox-user-cleanup}
[end]

(Also installed bbkeys for setting custom keybindings.)

Create /usr/local/bin/bbstartup, like so:

#!/bin/bash

/usr/local/bin/ffstart &

exec bbkeys&

exec blackbox

and put the path to that in lts.conf, like so: LDM_SESSION=/usr/local/bin/bbstartup

The normal Xsession script for cleaning up the user environment doesn't seem to be recognized by blackbox, so I couldn’t use it to kill off processes on logout. So to do it I created a script which is executed by Ctrl+Alt+Delete, controlled by bbkeys. Edit /etc/bbkeys/bbkeysrc like so:

# default bbkeys definitions....

[begin] (bbkeys configuration file)

 [config]
   [option] (stylefile) {/etc/bbkeys/defaultStyle}
   [option] (honorModifiers) {false}
   [option] (raiseWhileCycling) {false}
   [option] (showCycleMenu)  {true}
   [option] (menuTextJustify) {right}
   [option] (autoConfig)   {true}
   [option] (autoConfigCheckTimeout) {2}
   [option] (workspaceColumns) {4}
#    [option] (workspaceRows) {2}
#    only one can be effective at a time
#    if both are given, workspaceColumns takes precedence
   [option] (cycleMenuX) {20}
   [option] (cycleMenuY) {20}
 [end]

 [keybindings] (begin keybindings)
   # custom stuff--cm
   [Execute]    (Control-Mod1-Delete) {/usr/local/bin/blackbox-user-cleanup}
 [end] (end keybindings)
[end] (end bbkeys configuration)

Create /usr/local/bin/blackbox-user-cleanup, containing this:

#!/bin/bash

case "$USER" in
    root)
        echo "Really not a good idea!"
        ;;
    *)
        # SIGKILL every process owned by the logged-in user
        /usr/bin/killall -9 -u "$USER"
        ;;
esac

This will clean up the user's processes. If you don't do this, and simply shut off the thin client and turn it back on again, Firefox will restart seemingly infinitely.

 
customizing_ubuntu_lucid_for_public_computing.txt · Last modified: 2011/01/12 11:59 by admin
 