Differences

This shows you the differences between two versions of the page.

--- doc:howto:tce [2025/05/01 17:47]
stefanbaur [Client Branding/Theming using SVGs] added Launch Button Theming
+++ doc:howto:tce [2025/09/07 14:58] (current)
stefanbaur
@@ Line 94: / Line 94: @@
 # Make sure to leave a trailing space at the end of your string(s)!
 export LBX2GO_BOOTAPPEND_LIVE="boot=live components noswap lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 silent "
-export LBX2GO_BOOTAPPEND_LIVE+="quiet essionsurl=https://your_server_here/config/sessions "
+export LBX2GO_BOOTAPPEND_LIVE+="quiet sessionsurl=https://your_server_here/config/sessions "
 export LBX2GO_BOOTAPPEND_LIVE+="pubkey=https://your_server_here/config/authorized_keys toram "
@@ Line 1075: / Line 1075: @@
 === These are entirely optional ===
+  * ''allowedapps=app1[,app2[,app3[,...,appn]'' - a comma-separated list of applications that should be shown in the start button menu and on the task bar. Obviously, these apps need to be included in the image - apps that are not installed will be skipped. If this parameter isn't specified, it will default to ''x2goclient,firefox,firefox-esr,debian-uxterm''. Other apps you might want to add to the list are: ''chromium,debian-xterm,x5250,x3270''. Note that in case of x3270 and x5250, all sessions listed in the ''x3270servers=''/''x5250servers='' parameters will be added to the start menu and task bar. (As of 2025-05-01, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''audioout=list'' / ''audioout="alsa_card.something|output:something"'' - use this to list all available audio outputs / select a particular audio output. Note that when selecting one, the parameter consists of two values (as displayed in the output on /dev/tty8 when specifying ''list'') that need to be separated with a ''|'', and the set of the two values needs to be enclosed in double quotes. Do //not// enclose each value in double quotes separately! Correct example: ''audioout="alsa_card.pci-0000_00_1b.0|output:hdmi-stereo"''
+  * ''autostartapps=app1[,app2[,app3[,...,appn]'' - a comma-separated list of applications that should be shown in the start button menu and on the task bar. Obviously, these apps need to be included in the image - apps that are not installed will be skipped. If this parameter isn't specified, it will default to an empty string - note that X2GoClient will be started automatically anyway. Other apps you might want to add to the list are: ''chromium,debian-xterm,x5250,x3270''. Note that in case of x3270 and x5250, all sessions listed in the ''x3270servers=''/''x5250servers='' parameters will be autostarted. If the ''x3270servers=''/''x5250servers='' parameter is left empty, x3270/x5250 will start in offline mode with no sessions configured. (As of 2025-05-01, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace the blue background theme of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server.  **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.** To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
   * ''blank=n|n:n:n'' - Will disable (''blank=0'') or set screensaver timeout. Use ''blank=n:n:n'' to set DPMS Standby/Suspend/Off values. Standby value equals screensaver timeout value. All values are given in seconds.
@@ Line 1081: / Line 1083: @@
   * ''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server.  **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.**  To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
     * The SVG must be in SVG1.1 or SVG1.2 tiny format, or things may break
-    * Newer versions of X2Go-TCE-Live will check for the strings ''BOOTEDENVPLACEHOLDER'', ''TIMESTAMPPLACEHOLDER'', ''IPPLACEHOLDER'', ''MACPLACEHOLDER'' in the plaintext of the SVG and will try to replace them. (As of 2025-04-21, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
+    * Newer versions of X2Go-TCE-Live will check for the strings ''BOOTEDENVPLACEHOLDER'', ''TIMESTAMPPLACEHOLDER'', ''IPPLACEHOLDER'', ''MACPLACEHOLDER'' in the plaintext of the SVG and will try to replace them. See [[doc:howto:tce:branding-with-placeholders-svg]] for a sample SVG that you can download and adapt to your needs. (As of 2025-04-21, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
     * Newer versions of X2Go-TCE-Live also support ''branding=qrcode'', which will display a QR code containing information regarding the booted environment, version, IP(s) and MAC(s). (As of 2025-04-21, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
-  * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. The volume must be labeled ''X2GO-TCE-LIVE'' or ''PORTABLEAPP'' and may use any supported file system. Any SSH Secret Keys found there will be copied into ''/home/user/.ssh'' (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).**  To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the FAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
+  * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. The volume must be labeled ''X2GO-TCE-LIVE'' or ''PORTABLEAPP'' and may use any supported file system. Any SSH Secret Keys found there will be copied into ''/home/user/.ssh'' (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).**  To mitigate this risk, be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the FAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
   * ''earlyblankdpmsfix'' - This forces the TFT do black for a few seconds during the initial boot phase (right after the squashfs was downloaded), then forces it back on again.  This fixes an occasional "black screen" issue that occurs with some flaky client/TFT hardware combinations when using DisplayPort connectors, and could otherwise only be remediated by manually turning the TFT off and back on again. Earlyblankdpmsfix can also be called as ''earlyblankdpmsfix=nnnn'', where ''nnnn'' is the blanking time in milliseconds (so, ''earlyblankdpmsfix=1500'' equals 1.5 seconds).
   * ''homepageurl="URL1[|URL2|URLn]"'' - this is only available in MiniDesktop mode. It allows you to specify one or more web pages that show up on Browser start/when clicking the "Home" icon. URLs need to be separated with a ''|'', and the set of URLs needs to be enclosed in double quotes. Do //not// enclose each URL in double quotes separately! Correct example: ''homepageurl="https://www.google.de|https://wiki.x2go.org"''
   * ''initrdblankdpmsfix'' is the same as ''earlyblankdpmsfix'', only that it activates in the initial ramdisk already. Like ''earlyblankdpmsfix'', it can also be called as ''initrdblankdpmsfix=nnnn''.  This parameter is useful if you are affected by the //black screen at boot// issue, and you are not combining squashfs and initrd into one file when netbooting.
+  * ''launchicon=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-launchicon.png'' - use this to specify a PNG file to “brand” your X2Go-TCE with. It will replace the seal icon in the task bar's launch button on the lower left of the screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.** To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate. (As of 2025-04-21, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com'' - this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication, only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
   * ''ldap1=ldap-backupserver-1.example.com:389'' - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
   * ''ldap2=ldap-backupserver-2.example.com:389'' - this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication
+  * ''liveboot_params=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/liveboot_params'' - this is an __experimental__ feature that allows you to put all boot parameters not used by the kernel, but by the userspace programs, into a configuration file. This file may be a single-line file, or list all parameters as ''name=value'' pairs, each pair on a separate line, for improved readability. You can either save it as includes.chroot/boot/liveboot_params, or offer it for download via this parameter. The local file will always take precedence over an URL. Be sure to keep essential parameters like ''nouser'' and ''noroot'' in the local boot parameters, rather than in the remote file, or bad things may happen! (As of 2025-05-04, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
+  * ''lprdest=host[:port]'' - this activeates a stub bash script posing as lpr - it will attempt to blindly forward all data passed on STDIN to the host and port specified here. If no port is given, port 9100 is assumed. You can combine this with ''tcpprint'' and point it at 127.0.0.1:9100, but this will only work if your printer is able to understand the raw data - no processing is taking place on the client. If you need some form of processing, point this at a network print server instead. (As of 2025-05-04, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''nodpms'' - Will not touch DPMS settings at all (by default, ''blank=0'' does both ''xset s off'' and ''xset -dpms''). Use this along with ''blank=n'' if you do want to blank the screen, but your screen is confused by DPMS settings.
   * ''nomagicpixel=1'' or ''nomagicpixel=2'' - you should set ''nomagicpixel=1'' while the "magic pixel" (clicking in the upper right corner of the screen will minimize a fullscreen session) is still active in thinclient mode (this feature is expected to be disabled at some point in the future). ''nomagicpixel=1'' will disable the window manager when exactly 3 windows are detected (that's the usual situation when a fullscreen session is active). It will re-enable openbox whenever more or less than 3 windows are detected. If this fails for you, you can try ''nomagicpixel=2'', which will try to trigger on the window-minimize command and restore it to fullscreen (this will cause a short screen flickering effect). Note that ''nomagicpixel=2'' will make your ThinClient unusable when trying to run the actual X2Go-TCE client as a virtual machine guest (the //X2GoServer// you connect to may be a VM guest, no problems there). To live with the magic pixel bug, simply do not add this option at all.
   * ''ntp="server1 server2 ... servern"'' - this allows you to specify your own NTP server.  If this parameter is not used, time will be synced with standard Debian NTP servers.  To disable NTP syncing entirely, use ''ntp=false''
+  * ''openboxbuttons=Text1,Text2,Text3'' - This will change the default "Logout,Reboot,Shutdown" entries in the Openbox-MicroDesktop flavor's launcher menu to whatever you define here. Try ''Abmelden,Neustart,Herunterfahren'' for German, or ''Déconnecter,Redémarrer,Arrêter'' for French. (As of 2025-05-04, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''pavol=[n:]volume%[|[n:]volume% ...]'' - Allows you to set default volume levels for one or more audio output devices. ''pavol=50%'' will set the default audio output device (#0) to 50%. ''pavol=1:99%'' will set audio output device #1 to 99%. ''pavol="0:50%|1:99%"'' will set audio output device #0 to 50%, and audio output device #1 to 99%. Note that this opion only makes sense in MATE-MiniDesktop mode, as regular TCE sessions get their volume levels restored from the host they connect to.
   * ''pubkey=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.authorized_keys'' - Allows you to add an ssh public key file to the ThinClient, so your administrators can log in remotely using SSH. Note that this file needs to be chmodded 644, not 600, on the web server.  **Attention: Whoever manages to spoof this server name will have root access to your ThinClients.** Using HTTPS will mitigate this - an attacker would not only have to spoof the server name, but also the matching certificate.
   *  ''session=sessionname'' - use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: //a-zA-Z0-9.:/ _-// (We suggest naming the default session ''default'' and using ''session=default''.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: ''session="session name"'' / ''session='session name'''
+  * ''showbattstate'' - show battery charge/pop up a warning message when battery charge is nearing its end (As of 2025-04-21, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
+  * ''startupmsg="Your startup message here"'' - This will change the message text in the Openbox-MicroDesktop flavor's autostart popup to whatever you define here. Try ''System startet, bitte warten ...'' for German, or ''Démarrage du système en cours, un instant s'il vous plaît ...'' for French. (As of 2025-05-04, only available in openbox-microdesktop-bookworm on gitlab.com/bauritcs)
   * ''tcedebug'' - this switches X2GoClient into debug mode and will also lead to increased logging to /var/log/x2goclient and to tty9
   * ''tcpprint'' - Will allow you to use local LPT/USB printers like "dumb" network printers (listening to port 9100 and above). Requires MAC->IP mapping in DHCP server (and optionally, DNS->IP mapping), or static IPs - else your print jobs will end up on random devices. This setup is preferred over the X2GoClient's built-in printing for locally attached printers if X2GoServer and ThinClients are on the same network. It is not recommended when your X2Go connection goes across the internet or when the ThinClient is actually a laptop roaming between different networks. **Attention: When used without ''tcpprintonlyfrom'' (see below), this means anyone that can reach your thin client via e.g. ping can also send print jobs to it!**

X2Go - everywhere@home

User Tools

Site Tools

Differences

Page Tools