User Tools

Site Tools


doc:howto:tce

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
doc:howto:tce [2018/12/04 21:13]
stefanbaur [List of open ToDos/FIXMEs for this page] - tested nottyautologon
doc:howto:tce [2019/03/19 17:17] (current)
stefanbaur [What options are available under FURTHER-OPTIONS-GO-HERE?] added note that pavol is primarily for MMD
Line 12: Line 12:
 During the time of Debian Wheezy being Debian'​s stable release, we started developing a new ThinClientEdition then called TCE-Next Generation, or TCE-NG for short - one that is based on Debian-Live and thus does no longer rely on NFS (though NFS can still be used to deploy the image - but we do not recommend that approach). ​ Instead, the entire image is loaded into the RAM of the ThinClient machine. ​ To avoid confusion, and because it has since left the "​NG"​ state, we now call it TCE-Live. During the time of Debian Wheezy being Debian'​s stable release, we started developing a new ThinClientEdition then called TCE-Next Generation, or TCE-NG for short - one that is based on Debian-Live and thus does no longer rely on NFS (though NFS can still be used to deploy the image - but we do not recommend that approach). ​ Instead, the entire image is loaded into the RAM of the ThinClient machine. ​ To avoid confusion, and because it has since left the "​NG"​ state, we now call it TCE-Live.
  
-The disadvantage is that your ThinClient now needs at least 1 GB of RAM (see below).  ​+The disadvantage is that your ThinClient now needs at least 512 MB to 1 GB of RAM (see below).  ​Working with 256 MB is possible when you use local storage instead of netbooting (don't use the ''​toram''​ parameter, either), but not really recommended.
  
 However, the huge advantage is that there no longer is a need for any high-availibility setup concerning NFS (nor HTTP/​HTTPS/​FTP). ​ If you follow our advice of loading the entire image into the ThinClient'​s RAM, or using local storage, ​ all you need is an HTTP (HTTPS optional for later stages) or FTP server with a dedicated IP, if you want to use netbooting. ​ It is also possible to deploy the image to the ThinClient'​s local storage, if present, and have it update in the background. However, the huge advantage is that there no longer is a need for any high-availibility setup concerning NFS (nor HTTP/​HTTPS/​FTP). ​ If you follow our advice of loading the entire image into the ThinClient'​s RAM, or using local storage, ​ all you need is an HTTP (HTTPS optional for later stages) or FTP server with a dedicated IP, if you want to use netbooting. ​ It is also possible to deploy the image to the ThinClient'​s local storage, if present, and have it update in the background.
Line 38: Line 38:
 ==== Configuring the Build ==== ==== Configuring the Build ====
 <​code>​ <​code>​
 +#!/bin/bash
 # Select ONE of the following git reposities # Select ONE of the following git reposities
 # this one loosely corresponds to "​stable"​ # this one loosely corresponds to "​stable"​
Line 120: Line 121:
 # This patches the squashfs file into the initrd. Only parsed when image type "​netboot"​ is set. # This patches the squashfs file into the initrd. Only parsed when image type "​netboot"​ is set.
 # Will require boot parameter live-media=/​ instead of fetch=... # Will require boot parameter live-media=/​ instead of fetch=...
-# Both TFTP client and TFTP server must support file transfers >32MB for this to work, if you want to deploy this initrd via TFTP.+# Both TFTP client and TFTP server must support file transfers >32MB for this to work, if you want to deploy this initrd via TFTP,  
 +# so e.g. atftpd will not work - tftpd-hpa, howeverm seems to have no problem with larger files.
 # When using iPXE, you can use http instead of TFTP. # When using iPXE, you can use http instead of TFTP.
 # This is especially helpful if you want to netboot via http and cannot use the server'​s IP, but must specify a DNS name - as "​fetch=..."​ only understands IPs. # This is especially helpful if you want to netboot via http and cannot use the server'​s IP, but must specify a DNS name - as "​fetch=..."​ only understands IPs.
Line 144: Line 146:
  
 <​code>​ <​code>​
 +#!/bin/bash
 mkdir -p ./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​ mkdir -p ./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​
- +wget -O ./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​x2gousbmount 'https://code.x2go.org/gitweb?p=x2gothinclient.git;a=blob_plain;f=usbmount/x2gousbmount;hb=c6106bd12ca0278b8706e87813ff782c0bbb6132'  ​
-cat >./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​x2gousbmount ​<<'USBMOUNTPATCH'​ +
- +
-#​!/​usr/​bin/​perl +
-# Copyright (C) 2007-2017 by X2Go project, http://wiki.x2go.org +
-#       ​Oleksandr Shneyder <​oleksandr.shneyder@obviously-nice.de>​ +
- +
-# X2Go is free software; you can redistribute it and/or modify +
-# it under the terms of the GNU General Public License as published by +
-# the Free Software Foundation; either version 2 of the License, or +
-# (at your option) any later version. +
-+
-# X2Go is distributed in the hope that it will be useful, +
-# but WITHOUT ANY WARRANTY; without even the implied warranty of +
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ​ See the +
-# GNU General Public License for more details. +
-+
-# You should have received a copy of the GNU General Public License +
-# along with this program; if not, write to the +
-# Free Software Foundation, Inc., +
-# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. +
- +
-use strict; +
-use File::​Path::​Expand;​ +
-# comment out this "​use"​ and the following two lines, and instead +
-# uncomment the block below if you need to do early boot stage +
-# debugging of the automounter,​ when rsyslogd isn't running yet +
-use Sys::Syslog qw( :standard :macros ); +
-openlog($0,'​cons,​pid','​user'​);​ +
-setlogmask( LOG_UPTO(LOG_NOTICE) ); +
-#open (B,">>/​var/​log/​usbdebug"​);​ +
-#sub syslog { +
-#       print B $_[0].':​ '​.$_[1]."​\n";​ +
-#} +
- +
-my $user; +
-if ( -f "/​etc/​x2go/​x2gothinclient-minidesktop_start"​ ) { +
-        # this is a minidesktop environment,​ which uses +
-        # username "​x2gothinclient"​ regardless of whether +
-        # it runs on X2Go-TCE-Live or X2Go-TCE-NFS +
-        $user='x2gothinclient'; +
-+
-elsif ( -d "/​lib/​live/​config"​ ) { +
-        # this is X2Go-TCE-Live,​ but not with minidesktop +
-        # (if it were, the first condition would have matched), +
-        # so we use Debian-Live'​s standard username "​user"​ +
-        $user='​user'​; +
-+
-else { +
-        # this is X2Go-TCE-NFS or something completely different,​ +
-        # so we'll play it safe and pick the username "​x2gothinclient"​ +
-        # just like previous versions of this script did +
-        $user='​x2gothinclient';​ +
-+
- +
-# We need this as chown requires numeric uid/gid +
-my ($login,​$pass,​$uid,​$gid) = getpwnam($user); +
- +
-# Some last-ditch efforts to fulfill the prerequisites for File Sharing: +
-# - This is stuff that should already have happened earlier in the boot process. +
-# - Also, if a directory already exists, we silently assume that ownership and +
-#   ​permissions are correct. This is so that users that deliberately set +
-#   ​different ownership/​permission values don't have their settings silently +
-#   ​overwritten. +
- +
-unless ( -d expand_filename("​~$user/​mounts"​) ) { +
-        mkdir expand_filename("​~$user/​mounts"​);​ +
-        chmod 0700, expand_filename("​~$user/​mounts"​);​ +
-        chown $uid, $gid, expand_filename("​~$user/​mounts"​);​ +
-+
- +
-unless ( -d expand_filename("​~$user/​export"​) ) { +
-        mkdir expand_filename("​~$user/​export"​);​ +
-        chmod 0700, expand_filename("​~$user/​export"​);​ +
-        chown $uid, $gid, expand_filename("​~$user/​export"​);​ +
-+
- +
-unless ( -d expand_filename("​~$user/​logins"​) ) { +
-        mkdir expand_filename("​~$user/​logins"​);​ +
-        chmod 0700, expand_filename("​~$user/​logins"​);​ +
-        chown $uid, $gid, expand_filename("​~$user/​logins"​);​ +
-+
- +
-sub check_x2gothinclientmode { +
-        my $ret 0; +
- +
-        # Check for x2gothinclientd first... +
-        my $x=`ps ax | grep x2gothinclient`;​ +
-        if ( $x=~m/​thinclientd/​ ) { +
-                $ret = 1; +
-        } +
- +
-        return $ret; +
-+
- +
-#    TCE-NFS ​                        ​TCE-Live ​                                               MMD-Live +
-if ( check_x2gothinclientmode() || ( -x "/​lib/​live/​config/​2900-x2go-thinclientconfig"​ ) || ( -x "/​etc/​x2go/​x2gothinclient-minidesktop_start"​ ) ) +
-+
-        syslog('notice',​ "some kind of thinclient mode detected"​);​ +
- +
-        open (F,">>/​var/​log/​usb"​);​ +
- +
-        my $dev=$ENV{'​DEVNAME'​};​ +
-        my $model=$ENV{'​ID_MODEL'​};​ +
-        my $vendor=$ENV{'​ID_VENDOR'​};​ +
-        my $action=$ENV{'​ACTION'​};​ +
-        my @ldev=split("/","​$dev"​);​ +
-        my $ldev=@ldev[@ldev-1];​ +
-        # mntdir is not the directory where the mountpoint will be rooted, +
-        # but where tracking of mount states takes place +
-        my $mntdir; +
-        if ( -d expand_filename("​~$user/​mounts"​) ) { +
-                $mntdir=expand_filename("​~$user/​mounts"​);​ +
-        } +
-        elsif ( -d "/​var/​run"​ ) { +
-                $mntdir="/​var/​run";​ +
-        } +
-        elsif ( -d "/​run"​ ) { +
-                $mntdir="/​run";​ +
-        } +
-        else { +
-                die "No directory found that we could use as \$mntdir..."​ +
-        } +
- +
-        my $name="​${vendor}_${model}";​ +
-        $name=~s/ //g; +
-        $name=~s/​\\//​g;​ +
-        $name=~s/​\///​g;​ +
-        print F "​action:​ $action, ​ device: $dev, model: $model ($ldev), total: $name\n";​ +
-        mkdir("/​media"​);​ +
-        mkdir("/​media/​$name"​);​ +
-        print F "​$name\n";​ +
- +
-        if (`lsblk -ln -oRM $dev`=~/​0$/​) { +
-                syslog('​notice',​ "​device is non-removable device, skipping"​);​ +
-                exit 0; +
-        } +
- +
-        if ( $action eq "​add"​ ) { +
- +
-                ### +
-                ### ACTION: mount device after it has been added to USB subsystem +
-                ### +
- +
-                syslog('​notice',​ "​device add action called"​);​ +
- +
-                # prepare mount points +
-                mkdir("/​media"​);​ +
-                mkdir("/​media/​$name"​);​ +
-                mkdir("/​media/​$name/​$ldev"​);​ +
- +
-                # mount the USB device +
-                # sync is supported by all file systems +
-                # uid is supported by vfat (via fat),​ntfs,​hfs,​hpfs +
-                # uni_xlate is supported by vfat,ntfs +
-                # we must not trigger on iso9660 and udf, or else hybrid USB media +
-                # would only cause a mount of the iso9660 raw device, +
-                # blocking the mount of individual partitions +
-                # real optical media ->​x2gocdmanager/​x2gothinclient-cdmanager package +
- +
-                if ( system("​mount -tntfs $dev /​media/​$name/​$ldev -o uid=$user,​sync,​uni_xlate"​)==0 ) { +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully mounted (ntfs detected)"​);​ +
-                        # if mounted, inform x2goclient about it... +
-                        system("​touch $mntdir/​$ldev.mounted"​);​ +
-                        open (D,">",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        print D "​export=/​media/​$name/​$ldev\n";​ +
-                        close (D); +
-                } +
-                elsif ( system("​mount -tvfat $dev /​media/​$name/​$ldev -o uid=$user,​sync,​uni_xlate"​)==0 ) { +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully mounted (vfat detected)"​);​ +
-                        # if mounted, inform x2goclient about it... +
-                        system("​touch $mntdir/​$ldev.mounted"​);​ +
-                        open (D,">",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        print D "​export=/​media/​$name/​$ldev\n";​ +
-                        close (D); +
-                } +
-                elsif ( system("​mount -t hfs $dev /​media/​$name/​$ldev -o uid=$user,​sync"​)==0 ) { +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully mounted (hfs detected)"​);​ +
-                        # if mounted, inform x2goclient about it... +
-                        system("​touch $mntdir/​$ldev.mounted"​);​ +
-                        open (D,">",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        print D "​export=/​media/​$name/​$ldev\n";​ +
-                        close (D); +
-                } +
-                elsif ( system("​mount -t hpfs $dev /​media/​$name/​$ldev -o uid=$user,​sync"​)==0 ) { +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully mounted (hpfs detected)"​);​ +
-                        # if mounted, inform x2goclient about it... +
-                        system("​touch $mntdir/​$ldev.mounted"​);​ +
-                        open (D,">",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        print D "​export=/​media/​$name/​$ldev\n";​ +
-                        close (D); +
-                } +
-                elsif ( system("​fuseext2 $dev /​media/​$name/​$ldev -o ro,​allow_other"​)==0 ) { +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully mounted readonly (ext*fs detected)"​);​ +
-                        # if mounted, inform x2goclient about it... +
-                        system("​touch $mntdir/​$ldev.mounted"​);​ +
-                        open (D,">",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        print D "​export=/​media/​$name/​$ldev\n";​ +
-                        close (D); +
-                } +
-                else { +
-                        # the mount failed, let's assume that the device is encrypted... +
-                        my $enc=`ls -1 $mntdir | grep .encrypted`;​ +
-                        if ( $enc eq ""​ ) { +
-                                # use cryptsetup to decrypt the device... +
-                                system("/​sbin/​cryptsetup --key-file /​etc/​keys/​keystick.key luksOpen $dev keystick"​);​ +
- +
-                                # mount the ,,​decrypted''​ USB device via devmapper... +
-                                if ( system("​mount /​dev/​mapper/​keystick /​media/​$name/​$ldev"​)==0 ) { +
-                                        # inform x2goclient about this... +
-                                        system("​touch $mntdir/​$ldev.encrypted"​);​ +
-                                        system("​chown -R $user /​media/​$name/​$ldev/​dsa.key"​);​ +
-                                        open (D,">",​expand_filename("​~$user/​logins/​$name.$ldev"​));​ +
-                                        print D "​login=/​media/​$name/​$ldev\n";​ +
-                                        close (D); +
-                                        print F "​encrypted mount successful ($ldev)\n";​ +
-                                } +
-                                else { +
-                                        # on mount failures release the decrypted device again +
-                                        system("/​sbin/​cryptsetup luksClose keystick"​);​ +
-                                        print F "mount failed ($ldev)\n";​ +
-                                } +
-                        } +
-                        else { +
-                                print F "​cryptodisk already present\n";​ +
-                        } +
-                } +
-                if ( -e "/​media/​$name/​$ldev"​ ) { +
-                        print F "​detected mountpoint '/​media/​$name/​$ldev'​\n";​ +
-                        print F "​running '/​sbin/​blkid -o value -s LABEL $dev'​\n";​ +
-                        my $label=`/​sbin/​blkid -o value -s LABEL $dev`; +
-                        chomp($label);​ +
-                        if ($label) { +
-                                print F "​symlinking '/​media/​$name/​$ldev'​ and '/​media/​$name/​$label'​\n";​ +
-                                unlink "/​media/​$name/​$label"​ if ( -l "/​media/​$name/​$label"​ ); +
-                                symlink("/​media/​$name/​$ldev","/​media/​$name/​$label"​);​ +
-                                open (D,">>",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                                print D "​export=/​media/​$name/​$label\n";​ +
-                                close (D); +
-                        } +
-                } +
- +
-        } +
-        elsif ( $action eq "​remove"​ ) { +
- +
-                ### +
-                ### ACTION: unmount device after it has been removed from the USB subsystem +
-                ### +
- +
-                syslog('​notice',​ "​device remove action called"​);​ +
- +
-                # we rely on our own mount logistics here... +
-                if ( -e "​$mntdir/​$ldev.mounted"​ ) { +
-                        # inform x2goclient that the device has been removed +
-                        system ("​umount -ff /​media/​$name/​$ldev"​);​ +
-                        unlink ("​$mntdir/​$ldev.mounted"​);​ +
-                        open ( D,">",​expand_filename("​~$user/​export/​$name.$ldev.unexport"​));​ +
-                        open (I,"<",​expand_filename("​~$user/​export/​$name.$ldev"​));​ +
-                        while (<I>) { +
-                                $_=~s/​^export=/​unexport=/​i;​ +
-                                print D $_; +
-                        } +
-                        close (I); +
-                        close (D); +
-                        syslog('​notice',​ "USB device $name ($ldev) successfully unmounted"​);​ +
-                } +
-                elsif ( -e "​$mntdir/​$ldev.encrypted"​ ) { +
-                        # inform x2goclient that the device has been removed +
-                        # release the encrypted device mapping +
-                        unlink ("​$mntdir/​$ldev.encrypted"​);​ +
-                        open ( D,">",​expand_filename("​~$user/​logins/​$name.$ldev.unexport"​));​ +
-                        print D "​logout=/​media/​$name/​$ldev\n";​ +
-                        system("​umount /​media/​$name/​$ldev"​);​ +
-                        system("/​sbin/​cryptsetup luksClose keystick"​);​ +
-                        close (D); +
-                } +
-        } +
- +
-        close (F); +
-} else { +
- +
-        syslog('​notice',​ "not in any thinclient mode, exiting"​);​ +
-+
-USBMOUNTPATCH+
 chmod 755 ./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​x2gousbmount chmod 755 ./​patch/​includes.chroot/​usr/​lib/​x2go/​tce/​x2gousbmount
 </​code>​ </​code>​
  
 ==== Starting the Build ==== ==== Starting the Build ====
-Change to a directory where you want to save your builds, and run the following commands:<​code>​+Change to a directory where you want to save your builds, and run the following commands: 
 +<​code>​ 
 +#!/bin/bash
 # Create Timestamp # Create Timestamp
 LBX2GO_TIMESTAMP=$(date +"​%Y%m%d%H%M%S"​) LBX2GO_TIMESTAMP=$(date +"​%Y%m%d%H%M%S"​)
Line 539: Line 261:
     * It **might** be possible to already use HTTPS in this early stage when using iPXE.  This is untested and requires building your own iPXE image. see http://​ipxe.org/​crypto for details. Alternatively,​ use ipxe.lkrn (from [[http://​boot.ipxe.org/​ipxe.lkrn]]) and pxelinux.0 in combination with scripted ipxe commands in the pxelinux.cfg.     * It **might** be possible to already use HTTPS in this early stage when using iPXE.  This is untested and requires building your own iPXE image. see http://​ipxe.org/​crypto for details. Alternatively,​ use ipxe.lkrn (from [[http://​boot.ipxe.org/​ipxe.lkrn]]) and pxelinux.0 in combination with scripted ipxe commands in the pxelinux.cfg.
   * You will also need an HTTP/​HTTPS/​FTP server with a dedicated IP (no name-based virtual hosts) for the squashfs image. - **Note:** set LBX2GO_NOSQUASHFS=true and use iPXE (e.g. with ipxe.lkrn + pxelinux.0) if you cannot use an IP for your host. Another option (untested) is explained [[https://​blog.jacekk.info/​2016/​01/​debian-live-webboot-dns/​|here]]   * You will also need an HTTP/​HTTPS/​FTP server with a dedicated IP (no name-based virtual hosts) for the squashfs image. - **Note:** set LBX2GO_NOSQUASHFS=true and use iPXE (e.g. with ipxe.lkrn + pxelinux.0) if you cannot use an IP for your host. Another option (untested) is explained [[https://​blog.jacekk.info/​2016/​01/​debian-live-webboot-dns/​|here]]
-    * This image cannot be deployed via TFTP as it is too large - some TFTP servers refuse to serve files lager than 32MB, and some TFTP clients have problems with that as well.+    * This image cannot be deployed via TFTP as it is too large - some TFTP servers ​(atftpd in particular) ​refuse to serve files lager than 32MB, and some TFTP clients have problems with that as well.
     * Also, even if you have a TFTP server/​client combination that handles files larger than 32 MB, it will still be waaaay slower than the HTTP/FTP transfer.     * Also, even if you have a TFTP server/​client combination that handles files larger than 32 MB, it will still be waaaay slower than the HTTP/FTP transfer.
     * Note that whoever manages to spoof this server name can deploy rogue images to your ThinClients. ​ If this is a serious issue for you, consider using local storage media and the autoupdater instead.     * Note that whoever manages to spoof this server name can deploy rogue images to your ThinClients. ​ If this is a serious issue for you, consider using local storage media and the autoupdater instead.
Line 883: Line 605:
   * ''​branding=https|http|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce-branding.svg''​ - use this to specify an SVG file to "​brand"​ your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. ​ **Attention:​ Whoever manages to spoof the server name can inject rogue images into your ThinClients.** ​ To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.   * ''​branding=https|http|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce-branding.svg''​ - use this to specify an SVG file to "​brand"​ your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. ​ **Attention:​ Whoever manages to spoof the server name can inject rogue images into your ThinClients.** ​ To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
   * ''​copysecring''​ - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories:​ ''​config/​ssh'',​ '​ssh',​ ''​.ssh''​. The volume must be labeled ''​X2GO-TCE-LIVE''​ or ''​PORTABLEAPP''​ and may use any supported file system. Any SSH Secret Keys found there will be copied into ''/​home/​user/​.ssh''​ (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/​don'​t want to have to re-insert it before each session startup. **Attention:​ This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** ​ To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the FAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.   * ''​copysecring''​ - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories:​ ''​config/​ssh'',​ '​ssh',​ ''​.ssh''​. The volume must be labeled ''​X2GO-TCE-LIVE''​ or ''​PORTABLEAPP''​ and may use any supported file system. Any SSH Secret Keys found there will be copied into ''/​home/​user/​.ssh''​ (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/​don'​t want to have to re-insert it before each session startup. **Attention:​ This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** ​ To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the FAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
-  * ''​earlyblankdpmsfix''​ - This forces the TFT do black for a few seconds during the initial boot phase (right after the squashfs was downloaded),​ then forces it back on again. ​ This fixes an occasional "black screen"​ issue that occurs with some flaky client/TFT hardware combinations when using DisplayPort connectors, and could otherwise only be remediated by manually turning the TFT off and back on again. (feature available via github repo, soon via x2go repo too)+  * ''​earlyblankdpmsfix''​ - This forces the TFT do black for a few seconds during the initial boot phase (right after the squashfs was downloaded),​ then forces it back on again. ​ This fixes an occasional "black screen"​ issue that occurs with some flaky client/TFT hardware combinations when using DisplayPort connectors, and could otherwise only be remediated by manually turning the TFT off and back on again. Earlyblankdpmsfix can also be called as ''​earlyblankdpmsfix=nnnn'',​ where ''​nnnn''​ is the blanking time in milliseconds (so, ''​earlyblankdpmsfix=1500''​ equals 1.5 seconds). (feature available via github repo, soon via x2go repo too)
   * ''​homepageurl="​URL1[|URL2|URLn]"''​ - this is only available in MiniDesktop mode. It allows you to specify one or more web pages that show up on Browser start/when clicking the "​Home"​ icon. URLs need to be separated with a ''​|'',​ and the set of URLs needs to be enclosed in double quotes. Do //not// enclose each URL in double quotes separately! Correct example: ''​homepageurl="​https://​www.google.de|https://​wiki.x2go.org"''​   * ''​homepageurl="​URL1[|URL2|URLn]"''​ - this is only available in MiniDesktop mode. It allows you to specify one or more web pages that show up on Browser start/when clicking the "​Home"​ icon. URLs need to be separated with a ''​|'',​ and the set of URLs needs to be enclosed in double quotes. Do //not// enclose each URL in double quotes separately! Correct example: ''​homepageurl="​https://​www.google.de|https://​wiki.x2go.org"''​
 +  * ''​initrdblankdpmsfix''​ is the same as ''​earlyblankdpmsfix'',​ only that it activates in the initial ramdisk already. Like ''​earlyblankdpmsfix'',​ it can also be called as ''​initrdblankdpmsfix=nnnn''​. ​ This parameter is useful if you are affected by the //black screen at boot// issue, and you are not combining squashfs and initrd into one file when netbooting. (feature available via github repo, soon via x2go repo too)
   * ''​ldap=ldap.example.com:​389:​cn=cngoeshere,​dc=example,​dc=com''​ - this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication,​ only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.   * ''​ldap=ldap.example.com:​389:​cn=cngoeshere,​dc=example,​dc=com''​ - this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication,​ only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
   * ''​ldap1=ldap-backupserver-1.example.com:​389''​ - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication   * ''​ldap1=ldap-backupserver-1.example.com:​389''​ - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
Line 891: Line 614:
   * ''​nomagicpixel=1''​ or ''​nomagicpixel=2''​ - you should set ''​nomagicpixel=1''​ while the "magic pixel" (clicking in the upper right corner of the screen will minimize a fullscreen session) is still active in thinclient mode (this feature is expected to be disabled at some point in the future). ''​nomagicpixel=1''​ will disable the window manager when exactly 3 windows are detected (that'​s the usual situation when a fullscreen session is active). It will re-enable openbox whenever more or less than 3 windows are detected. If this fails for you, you can try ''​nomagicpixel=2'',​ which will try to trigger on the window-minimize command and restore it to fullscreen (this will cause a short screen flickering effect). Note that ''​nomagicpixel=2''​ will make your ThinClient unusable when trying to run the actual X2Go-TCE client as a virtual machine guest (the //​X2GoServer//​ you connect to may be a VM guest, no problems there). To live with the magic pixel bug, simply do not add this option at all.   * ''​nomagicpixel=1''​ or ''​nomagicpixel=2''​ - you should set ''​nomagicpixel=1''​ while the "magic pixel" (clicking in the upper right corner of the screen will minimize a fullscreen session) is still active in thinclient mode (this feature is expected to be disabled at some point in the future). ''​nomagicpixel=1''​ will disable the window manager when exactly 3 windows are detected (that'​s the usual situation when a fullscreen session is active). It will re-enable openbox whenever more or less than 3 windows are detected. If this fails for you, you can try ''​nomagicpixel=2'',​ which will try to trigger on the window-minimize command and restore it to fullscreen (this will cause a short screen flickering effect). Note that ''​nomagicpixel=2''​ will make your ThinClient unusable when trying to run the actual X2Go-TCE client as a virtual machine guest (the //​X2GoServer//​ you connect to may be a VM guest, no problems there). To live with the magic pixel bug, simply do not add this option at all.
   * ''​ntp="​server1 server2 ... servern"''​ - this allows you to specify your own NTP server. ​ If this parameter is not used, time will be synced with standard Debian NTP servers. ​ To disable NTP syncing entirely, use ''​ntp=false''​ (feature available via github repo, soon via x2go repo too)   * ''​ntp="​server1 server2 ... servern"''​ - this allows you to specify your own NTP server. ​ If this parameter is not used, time will be synced with standard Debian NTP servers. ​ To disable NTP syncing entirely, use ''​ntp=false''​ (feature available via github repo, soon via x2go repo too)
 +  * ''​pavol=[n:​]volume%[|[n:​]volume% ...]''​ - Allows you to set default volume levels for one or more audio output devices. ''​pavol=50%''​ will set the default audio output device (#0) to 50%. ''​pavol=1:​99%''​ will set audio output device #1 to 99%. ''​pavol="​0:​50%|1:​99%"''​ will set audio output device #0 to 50%, and audio output device #1 to 99%. Note that this opion only makes sense in MATE-MiniDesktop mode, as regular TCE sessions get their volume levels restored from the host they connect to. (''​pavol''​ feature available via github repo, soon via x2go repo too).
   * ''​pubkey=tftp|http|https|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce.authorized_keys''​ - Allows you to add an ssh public key file to the ThinClient, so your administrators can log in remotely using SSH. Note that this file needs to be chmodded 644, not 600, on the web server. ​ **Attention:​ Whoever manages to spoof this server name will have root access to your ThinClients.** Using HTTPS will mitigate this - an attacker would not only have to spoof the server name, but also the matching certificate.   * ''​pubkey=tftp|http|https|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce.authorized_keys''​ - Allows you to add an ssh public key file to the ThinClient, so your administrators can log in remotely using SSH. Note that this file needs to be chmodded 644, not 600, on the web server. ​ **Attention:​ Whoever manages to spoof this server name will have root access to your ThinClients.** Using HTTPS will mitigate this - an attacker would not only have to spoof the server name, but also the matching certificate.
   *  ''​session=sessionname''​ - use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: //​a-zA-Z0-9.:/​ _-// (We suggest naming the default session ''​default''​ and using ''​session=default''​.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: ''​session="​session name"''​ / ''​session='​session name'''​   *  ''​session=sessionname''​ - use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: //​a-zA-Z0-9.:/​ _-// (We suggest naming the default session ''​default''​ and using ''​session=default''​.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: ''​session="​session name"''​ / ''​session='​session name'''​
Line 897: Line 621:
   * ''​tcpprintonlyfrom=x.x.x.x''​ - Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use.  Understands the same syntax as ''​xinetd'''​s ''​only_from''​. ​   * ''​tcpprintonlyfrom=x.x.x.x''​ - Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use.  Understands the same syntax as ''​xinetd'''​s ''​only_from''​. ​
   * ''​throttle=n|n:​n:​n:​n:​n''​ - Will throttle down- and upload speed (''​throttle=n''​) or set throttling limits as follows: download:​upload:​smoothingtime:​smoothinglength:​latency. Defaults for up- and download are 10 (KiloBytes/​s),​ 3.0 (seconds, using decimals is permitted) smoothingtime,​ 20 (KiloBytes),​ 0 (ms). for a detailed description of these parameters, see "man trickle"​. You can use the first 1, 2, 3, 4 or all 5 parameters. To set down- and/or upload speed to unlimited, use the letter "​u"​ instead of a numeric value.   * ''​throttle=n|n:​n:​n:​n:​n''​ - Will throttle down- and upload speed (''​throttle=n''​) or set throttling limits as follows: download:​upload:​smoothingtime:​smoothinglength:​latency. Defaults for up- and download are 10 (KiloBytes/​s),​ 3.0 (seconds, using decimals is permitted) smoothingtime,​ 20 (KiloBytes),​ 0 (ms). for a detailed description of these parameters, see "man trickle"​. You can use the first 1, 2, 3, 4 or all 5 parameters. To set down- and/or upload speed to unlimited, use the letter "​u"​ instead of a numeric value.
 +  * ''​timezone=TIMEZONE''​ - can be used to define a timezone other than UTC, e.g. '​Europe/​Berlin'​. This especially makes sense for MATE-MiniDesktop,​ but is nice to have in regular TCE-Live as well, because the timestamp of the log messages will show the local time instead of UTC. This is a standard parameter of live-boot, and not specific to X2Go.
 +  * ''​x3270servers="​host[:​port][|host[:​port]...]"''​ - this is only available in MiniDesktop mode. It allows you to specify one or more hosts (with optional ports) for x3270 terminal emulation sessions that will be created as desktop shortcuts on the thinclient. For a default 3270 connection, the port is 23 (telnet) and does not need to be specified. For an SSL-encrypted connection (recommended),​ the port is 992. Hosts may be IP addresses or DNS names, and need to be separated with a ''​|''​. (feature available via github repo, soon via x2go repo too)
 +  * ''​x5250servers="​host[:​port][|host[:​port]...]"''​ - this is only available in MiniDesktop mode. It allows you to specify one or more hosts (with optional ports) for x5250 terminal emulation sessions that will be created as desktop shortcuts on the thinclient. For a default 5250 connection, the port is 23 (telnet) and does not need to be specified. For an SSL-encrypted connection (recommended),​ the port is 992. Hosts may be IP addresses or DNS names, and need to be separated with a ''​|''​. Note that x5250 support is currently not part of the standard image available via git, as there is no x5250 executable in Debian. You can try using x3270 instead, most modern IBM i (System i, iSeries, AS/400) systems support 3270-type connections as well. If you need native 5250 support, say, with a commercial, closed-source 5250 terminal emulator, please leave a message on the X2Go-User Mailing List and we'll tell you if and how you can integrate that into your build. (feature available via github repo, soon via x2go repo too)
   * ''​xinerama=left-of|right-of|above|below|same-as''​ - Allows you to specify how multiple screens are handled (same-as clones the primary screen to all secondary screens, the other commands will cascade and thus expand the screen). Note that the current implementation will enforce "​same-as"​ if it detects a touch screen driver (wacom) and no other pointing device. This is so you won't get stuck being unable to log off, for example, due to your touch device being limited to one screen.   * ''​xinerama=left-of|right-of|above|below|same-as''​ - Allows you to specify how multiple screens are handled (same-as clones the primary screen to all secondary screens, the other commands will cascade and thus expand the screen). Note that the current implementation will enforce "​same-as"​ if it detects a touch screen driver (wacom) and no other pointing device. This is so you won't get stuck being unable to log off, for example, due to your touch device being limited to one screen.
-  * ''​xorg-resolution=HRESxVRES''​ - will force the horizontal resolution to HRES and the vertical resolution to VRES, e.g. ''​xorg-resolution=1280x1024'',​ useful if autodetection for the correct screen size fails, but you do get as far as seeing the X2Go GUI+  ​* ''​xorg-driver=DRIVERNAME''​ - will skip graphics driver autodetection and force the specified driver instead. This is a standard parameter of live-boot, and not specific to X2Go. 
 +  ​* ''​xorg-resolution=HRESxVRES''​ - will force the horizontal resolution to HRES and the vertical resolution to VRES, e.g. ''​xorg-resolution=1280x1024'',​ useful if autodetection for the correct screen size fails, but you do get as far as seeing the X2Go GUI. This is a standard parameter of live-boot, and not specific to X2Go.
   * ''​xorgconfurl=tftp|http|https|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce.xorg.conf''​ - when a client outright refuses to boot into the graphical X2Go login screen, but gets stuck at the console or a black screen instead, yet you can get the GUI to work using a regular Linux on the same hardware, you can disable the X Server'​s autodetection and force it to use the xorg.conf specified here.  Note that you should use a more descriptive name for the file, as described below. **Attention:​ Whoever manages to spoof the server name can inject rogue xorg config files into your ThinClients.** ​ To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.   * ''​xorgconfurl=tftp|http|https|ftp://​your-http-server-ip-or-dns-here/​x2go-tce/​x2go-tce.xorg.conf''​ - when a client outright refuses to boot into the graphical X2Go login screen, but gets stuck at the console or a black screen instead, yet you can get the GUI to work using a regular Linux on the same hardware, you can disable the X Server'​s autodetection and force it to use the xorg.conf specified here.  Note that you should use a more descriptive name for the file, as described below. **Attention:​ Whoever manages to spoof the server name can inject rogue xorg config files into your ThinClients.** ​ To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
 +  * ''​xroot=[0xaabbcc|URI1[|URI2|...]]''​ - can be used to set a local desktop background image or color (in hex format, with leading 0x, not leading #). On the main screen, this is only visible during startup, while additional screens will display whatever is set for them when there is no active session. The background also becomes visible for a short moment when the optional local screensaver activates or deactivates. Specifying more than one image will cause the first image to show up on the first screen, the second image on the second screen, and so on (feature available via github repo, soon via x2go repo too). 
 +  * ''​xrootmode=center|fill|scale|tile''​ can be used to determine how the local desktop background image(s) should be positioned. If the parameter has been set, but something is wrong, it will default to a //grey mesh// background. (feature available via github repo, soon via x2go repo too). (feature available via github repo, soon via x2go repo too) 
 +  * ''​xsaveridletime=n''​ - this value determines how long the screen should have been idle before the local slideshow screensaver sets in (value given in seconds). We recommend using 60 seconds less than for the server-sided,​ locking screensaver. (feature available via github repo, soon via x2go repo too) 
 +  * ''​xsaverimages=[URI1[|URI2|...]]''​ - if you want a local, non-locking slideshow screensaver,​ you can specify image URLs here. These Images will be downloaded once, at boot. That way, one can display a slideshow without having to push the images across the network every time. Especially for slow links, this is the recommended way of running a slideshow screensaver. For security, combine this with a locking screensaver on the server with only one slide or a black background. (feature available via github repo, soon via x2go repo too) 
 +  * ''​xsaverimgtime=n''​ - this determines how long each slide of the local, non-locking screensaver will be shown. (feature available via github repo, soon via x2go repo too)
 === These are only intended to be used with TCE images stored on local media === === These are only intended to be used with TCE images stored on local media ===
   * ''​bwlimit=nnn''​ - Will allow you to specify a bandwidth limit (valid values: 1-100) in percent for the backgrounded update task.   * ''​bwlimit=nnn''​ - Will allow you to specify a bandwidth limit (valid values: 1-100) in percent for the backgrounded update task.
Line 963: Line 695:
     * create a symlink matching "​01-",​ followed by the first three out of the six bytes of your hardware address, each separated by "​-"​ (say, 01-AA-BB-CC when the full MAC was shown as AA:​BB:​CC:​DD:​EE:​FF),​ that points to the file "​name-of-your-stubborn-hardware"​.     * create a symlink matching "​01-",​ followed by the first three out of the six bytes of your hardware address, each separated by "​-"​ (say, 01-AA-BB-CC when the full MAC was shown as AA:​BB:​CC:​DD:​EE:​FF),​ that points to the file "​name-of-your-stubborn-hardware"​.
   * In your boot configuration file (either "​name-of-your-stubborn-hardware",​ when using netbooting, or menu.lst, when using local or USB storage media and grub-legacy,​ or X2Go-live1.cfg/​X2Go-live2.cfg,​ when using local or USB storage media and syslinux), add the boot parameter ''​xorgconfurl=tftp|http|https|ftp://​your-http-server-ip-here/​x2go-tce/​x2go-tce.xorg.conf.name-of-your-stubborn-hardware''​   * In your boot configuration file (either "​name-of-your-stubborn-hardware",​ when using netbooting, or menu.lst, when using local or USB storage media and grub-legacy,​ or X2Go-live1.cfg/​X2Go-live2.cfg,​ when using local or USB storage media and syslinux), add the boot parameter ''​xorgconfurl=tftp|http|https|ftp://​your-http-server-ip-here/​x2go-tce/​x2go-tce.xorg.conf.name-of-your-stubborn-hardware''​
 +
 +==== The session itself works fine, but Audio is not working ====
 +
 +First, check that the audio isn't simply muted (some cards/​setups do this by default). Run ''​pavucontrol''​ inside the X2Go session. Check the settings on the tabs //Output Devices// and //​Configuration//​. ​ If that is the case, you probably need to create a script on the server that raises the volume/​toggles the mute setting upon user login.
 +
 +If that doesn'​t help, please boot with additional boot parameter ''​audioout=list''​ and look at the output on /dev/tty8 (Hit Ctrl+Alt+F8) - it will give you a list of available audio output devices. ​ This list also gets written to ''/​tmp/​audiolog''​ on the ThinClient.
 +
 +You might have to pick a different one from the list, by using boot parameter ''​audioout=''​ with a particular card/output value, like: ''​audioout=“alsa_card.pci-0000_00_1b.0|output:​hdmi-stereo”''​ (you need to copy the proper value from the list generated on your particular thinclient).
 +
 +If you need different settings for different manufacturers,​ you can try to tell them apart by MAC address and set separate pxe boot configuration files for them.
  
 ===== Support Tools available in X2Go-TCE ===== ===== Support Tools available in X2Go-TCE =====
Line 1114: Line 856:
 </​file>​ </​file>​
   * after you have prepared all this, execute ''​service rsync start''​   * after you have prepared all this, execute ''​service rsync start''​
-  * Note that whoever manages to spoof the server name can deploy rogue images to your ThinClients. ​ Even though it is slower, using an HTTPS web server is the safer way of doing this. Be sure that your web server delivers a last-modified header for all files. ​+  * Note that whoever manages to spoof the server name can deploy rogue images to your ThinClients. ​ Even though it is slower, using an HTTPS web server is the safer way of doing this. Be sure that your web server delivers a last-modified header for all files.  In future, support for rsyncd via stunnel might be added, if the rsync project does not add native SSL support to rsyncd before that.
  
 FIXME Some of the optional steps above could be moved to a separate subpage to reduce clutter. FIXME Some of the optional steps above could be moved to a separate subpage to reduce clutter.
Line 1133: Line 875:
  
 FIXME autodetection for SSH Private Keys might need some more bells and whistles. FIXME autodetection for SSH Private Keys might need some more bells and whistles.
-<​del>​For USB media, this may require adding an automounter.</​del>​ 
   * how about a script that patches the sessions file to enable autologin for all sessions when keys have been found?   * how about a script that patches the sessions file to enable autologin for all sessions when keys have been found?
   * 2800-x2go-thinclientconfig needs to be changed so it uses the keyfile(s) when in broker mode (''​--broker-ssh-key''​)   * 2800-x2go-thinclientconfig needs to be changed so it uses the keyfile(s) when in broker mode (''​--broker-ssh-key''​)
-  * <​del>​directory scan </​del>​ 
-    * <​del>​should we abort on first match?</​del>​ 
-  * <​del>​how do we treat multiple keys?</​del>​ 
-    * <​del>​no keys on USB and exactly one key on disk -> use key</​del>​ 
-    * <​del>​exactly one key on USB -> takes precedence over key/keys found on disk? Or present chooser based on gxmessage?</​del>​ 
-    * <​del>​multiple keys -> Present chooser based on gxmessage?</​del>​ 
-  * <​del>​problem with gxmessage as chooser is that it can only display 6 buttons on 640x480 (Which we should assume as minimum screen size)</​del>​ 
-    * <​del>​4 key choices, back, next?</​del>​ 
-  * <​del>​oooooor we might just load all keys into ssh-agent and let it figure out which one it needs?</​del>​ 
-    * <​del>​next problem: How do we prompt for passwords of such keys?</​del>​ 
   * Situation: We have a working automounter,​ and ''​copysecring''​ will copy all keys found to the live-user'​s homedir under .ssh:   * Situation: We have a working automounter,​ and ''​copysecring''​ will copy all keys found to the live-user'​s homedir under .ssh:
     * If a session is set to "Try auto login (via SSH Agent or default SSH key)" and NO keyfile is set, then X2GoClient will try **all** secret keys in .ssh. Showing a password prompt if a key is password-protected is handled by X2GoClient, so needs no extra work.     * If a session is set to "Try auto login (via SSH Agent or default SSH key)" and NO keyfile is set, then X2GoClient will try **all** secret keys in .ssh. Showing a password prompt if a key is password-protected is handled by X2GoClient, so needs no extra work.
Line 1151: Line 882:
       * use ''​~/​.ssh/​keyfilename''​ as path and use ''​copysecring'',​ or       * use ''​~/​.ssh/​keyfilename''​ as path and use ''​copysecring'',​ or
       * do not use ''​copysecring''​ and use ''/​media/​vendor_model_name/​sdxn/​path/​to/​keyfile''​ (or ''/​media/​vendor_model_name/​partlabel/​path/​to/​keyfile'',​ if you assigned a partition label - which is recommended for this use case) as keyfile path/name       * do not use ''​copysecring''​ and use ''/​media/​vendor_model_name/​sdxn/​path/​to/​keyfile''​ (or ''/​media/​vendor_model_name/​partlabel/​path/​to/​keyfile'',​ if you assigned a partition label - which is recommended for this use case) as keyfile path/name
- 
-FIXME copying ssh private keys seems to fail in MiniDesktop-Mode - possibly because of the priming/​pruning/​cleanup action performed on the homedirectory by the minidesktop init scripts? 
- 
-FIXME ''​2200-xserver-xorg-getxorgconf''​ should be taught to understand ''​file:<​nowiki>//</​nowiki>''​ URLs. 
  
 FIXME Parsing the output of e.g. <​code>​udevadm info --query path /dev/sdb FIXME Parsing the output of e.g. <​code>​udevadm info --query path /dev/sdb
Line 1161: Line 888:
 Authentification and "​hard"​ identification could be implemented using OpenPGP cards, ''​scdaemon''​ and a script based on ''/​usr/​share/​doc/​scdaemon/​examples/​scd-event''​. For Status ''​NOCARD'',​ suspend the session (kill x2goclient or send a signal that means "​suspend",​ if available, or maybe sighup nxproxy), for status ''​USABLE'',​ run ''​gpg --card-status 2>&1 | awk '​$1=="​Serial"​ && $2=="​number"​ {print $4}'''​ to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient). Authentification and "​hard"​ identification could be implemented using OpenPGP cards, ''​scdaemon''​ and a script based on ''/​usr/​share/​doc/​scdaemon/​examples/​scd-event''​. For Status ''​NOCARD'',​ suspend the session (kill x2goclient or send a signal that means "​suspend",​ if available, or maybe sighup nxproxy), for status ''​USABLE'',​ run ''​gpg --card-status 2>&1 | awk '​$1=="​Serial"​ && $2=="​number"​ {print $4}'''​ to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient).
  
-FIXME <​del>​Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/​permissions are ignored).</​del>​ fixed. +FIXME Automount script currently expects a LUKS password in ''/​etc/​keys/​keystick.key''​ when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. ​Such a password file would have to be saved as ''​./​patch/​includes.chroot/​etc/​keys/​keystick.key''​ (with the proper restrictive permissions) before starting the build. Adding a boot parameter instead of hardcoding it would allow for dynamic password files (by specifying an URI that points to a CGI script, for example - you could output a different password depending on the source IP range, thus locking media to a particular department, if your departments have different IP ranges), but on the other hand, would make it even easier to sniff out the password. It would only really make sense for Netboot installations,​ and also not for a MiniDesktop in any way, because you have to block the user from accessing the TCE's local environment/​files. And you also have to make sure that people cannot boot rogue clients. ​ This means a DHCP setup that is locked to known MAC addresses, and physically blocking access to the ThinClient and its network wiring - because the MAC is displayed during boot, and thus trivial to clone.
- +
-FIXME <​del>​Maybe we should add symlinks to the mount points created by the automounter:​ Currently, we create ''/​media/​vendor_model_name/​sdxn''​ as a mount point. The idea is to allow the user to find their portable device using the vendor/​model name description. However, this is unusable for scripting, as the ''//​x//''​ in ''​sdxn''​ may change any time. We should replace ''//​sdx//''​ with ''//​partition//''​ (or have corresponding symlinks created), but what should we do for //​superfloppies//​ that only have ''​sdx''​ with no partition number? We could mount them as ''/​media/​vendor_model_name/​partition/''​ or directly at ''/​media/​vendor_model_name/''​. Also, symlinks using labels and uuids, similar to ''/​dev/​by-*''​ would be handy for scripting. Another problem: when replacing ''​sdx'',​ what will happen when a user inserts two media with the same vendor/​model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''/​media/​vendor_model_name/​1/​partitionn''​ or ''/​media/​vendor_model_name-1/​partitionn''</​del>​ Fixed. When a label is detected, a symlink is now created under ''/​media/​vendor_model_name/​label''​ that points to ''/​media/​vendor_model_name/​partitionn''​. +
- +
-FIXME Automount script currently expects a LUKS password in ''/​etc/​keys/​keystick.key''​ when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. ​If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.+
  
 FIXME ''​x2gocdmanager''​ is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs. FIXME ''​x2gocdmanager''​ is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
Line 1173: Line 896:
 FIXME Even though we set the hostname to ''​localhost''​ using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://​blog.schlomo.schapiro.org/​2013/​11/​setting-hostname-from-dhcp-in-debian.html FIXME Even though we set the hostname to ''​localhost''​ using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://​blog.schlomo.schapiro.org/​2013/​11/​setting-hostname-from-dhcp-in-debian.html
  
-FIXME At least when building a stretch TCE on a jessie system, ​you need to add kernel parameters ''​net.ifnames=0 biosdevname=0''​ to the image'​s kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.+FIXME When building a stretch TCE you need to add kernel parameters ''​net.ifnames=0 biosdevname=0''​ to the image'​s kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. For a jessie TCE, it is not required. This could be fixed for iso-hybrid and netboot in the buildscript,​ but it will only work if people are using the image 1:1 - as soon as they start using syslinux or grub manually (as actually recommended by us), they need to add these parameters themselves.
  
-FIXME <​del>​There might be a race condition between the scripts handling the sshd keyfile and the ssh private key file copy task (/​config ​...), causing one to umount the fixed disk before the other is done reading/copying. What's weird is that there already is code that is supposed to keep this from happening, but it doesn't.</​del>​ fixed in github reposoon in x2go repo+FIXME ''​bg='',​ ''​branding='',​ ''​broker-url='',​ ''​ldap='',​ ''​ldap1='',​ ''​ldap2='',​ ''​session='',​ ''​throttle='',​ are currently unsupported in MiniDesktop-Mode. This could be changed, given enough tuits. Probably ​the easiest way would be to have ''/​lib/​live/config/2900-x2go-thinclientconfig'' ​exist in the MiniDesktop branches as wellmake it aware of which environment it is running ​in (TCE/​TCE-MMD),​ and have it patch the appropriate files.
  
-FIXME <del>Setting the time via NTP will fail if the TC can't establish a connection to an NTP server via the internet. It would make sense to allow specifying an internal NTP server via a boot parameter.</​del> ​fixed in github repo, soon in x2go repo+FIXME <​del>'​'​2200-xserver-xorg-getxorgconf''​</​del> ​all scripts accepting URLs in boot parameters should be taught to understand ''​file:<​nowiki>///</​nowiki>''​ URLs. Such files can be included ​in the image by placing them in the ''​./​patch/​includes.chroot/''​ directory (in a suitable subdirectory) and referencing them from there.
  
-FIXME <​del>''​copysecring''​ currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir.</del> fixed in github reposoon in x2go repo+FIXME it would be cool if most of the TCE-specific boot parameters could be placed into a file that in turn can be specified ​as a boot parameter, to reduce clutter and boot parameter length. This could be aCGI script, even, thus making ​it possible ​to distribute different configs depending on the source IP of the ThinClient, rather than the MAC AddressSaid file would then have to be sourced by the scripts, after they have extracted everything from /proc/​cmdline. This will make adding the feature easierby simply deciding that parameters from this file take precendence over boot parameters. One might argue that boot parameters should take precedence over the config file, but this sounds way more complicated to implement.
  
-FIXME ''​audioout='',​ ''​blank='',​ ''​blankdpmsfix'',​ ''​broker-url='',​ ''​ldap='',​ ''​ldap1='', ​''​ldap2='',​ ''​nodpms'',​ ''​session='',​ ''​throttle='',​ ''​xinerama='',​ are currently unsupported in MiniDesktop-Mode. This could be changedgiven enough tuitsProbably the easiest way would be to outsource as many of them as possible into scripts under ''/​etc/​X11/​Xsession.d/'' ​(currently, they reside in ''/​lib/live/config/2900-x2go-thinclientconfig'' ​which doesn'​t exist in the MiniDesktop branches ​and from there, they get written to ''​~/.xsession''​ +FIXME A smaller image size can be achieved by removing the following packages from the squashfs: ​''​libxapian30 libpcsclite1 libdbus-glib-1-2 libfuse2 libpipeline1 libusb-1.0-0 libxv1 xnest xserver-xephyr rdesktop freerdp-x11 traceroute screen net-tools less ntfs-3g fuse locales cifs-utils xterm libgssglue1 libntfs-3g871 libtalloc2 libtcl8.6 libtk8.6 libutempter0 libvncclient1 libvncserver1 libwbclient0 libxcb-xf86dri0 libxcb-xv0 samba-common tcl tcl8.6 tk tk8.6 xbitmaps nfs-common rpcbind atmel-firmware bluez-firmware dahdi-firmware-nonfree hdmi2usb-fx2-firmware iso-codes ixo-usb-jtag libc-l10n libnfsidmap2 libtirpc1 firmware* x11vnc* libfreerdp* libwinpr* libapparmor1 systemd apt-utils libapt-inst2.0 acpi-support-base* acpid* acpi-support* pm-utils* powermgmt-base* gnupg gnupg-agent whiptail vim* vim-common* vim-tiny* xxd* xinetd libcroco3* libcurl3* libexif12* libgdk-pixbuf2.0-0* libgdk-pixbuf2.0-common* libgif7* libid3tag0* libimlib2* libnghttp2-14* libobrender32v5* libobt2v5* libpango-1.0-0* libpangocairo-1.0-0* libpangoft2-1.0-0* libpangoxft-1.0-0* librsvg2-2* librtmp1* libssh2-1* libstartup-notification0* libxft2* libxss1* vim-runtime* xprintidle feh xdotool openbox rsync   ​xserver-xorg-input-wacom* xserver-xorg-video-all* xserver-xorg-video-amdgpu* xserver-xorg-video-ati* xserver-xorg-video-nouveau* xserver-xorg-video-qxl* xserver-xorg-video-radeon* xserver-xorg-video-vmware* libdrm-amdgpu1* libdrm-nouveau2* libdrm-radeon1* libllvm3.9* libsensors4* libxatracker2*'' ​ 
- + check if this could be turned into a build parameter. Note that this makes only sense for a netboot image that uses X2Go sessions onlyand no NTFS media (neither fixed disk nor USB)Also, this causes an X startup failure during boot that needs to be worked around (by touching /​home/​user/​.xsession). 
-FIXME ''​nomagicpixel=''​ is currently unsupported in MiniDesktop-Mode and probably will be unsupported there forever, as it doesn'​t make sense for MiniDesktop-Mode.+Here's a script ​to do all of this automatically (needs to be run as root in the builddir: 
 +<file - stripimage.sh>​ 
 +#!/bin/bash -e 
 +if [ $UID -ne 0 ] ; then 
 + echo "Must be root."​ 
 + exit 1 
 +fi 
 +unsquashfs x2go-tce-filesystem.squashfs 
 +mount --bind /proc squashfs-root/​proc 
 +chroot squashfs-root apt purge -y acpi-support-base acpid acpi-support pm-utils powermgmt-base gnupg gnupg-agent whiptail vim vim-common vim-tiny xxd xinetd \ 
 +                                  libcroco3 libcurl3 libexif12 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libid3tag0 libimlib2 libnghttp2-14 \ 
 +                                  libobrender32v5 libobt2v5 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpangoxft-1.0-0 librsvg2-2 librtmp1 \ 
 +                                  libssh2-1 libstartup-notification0 libxft2 libxss1 vim-runtime rsync xserver-xorg-input-wacom xserver-xorg-video-all \ 
 +                                  xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-nouveau xserver-xorg-video-qxl \ 
 +                                  xserver-xorg-video-radeon xserver-xorg-video-vmware libdrm-amdgpu1 libdrm-nouveau2 libdrm-radeon1 libllvm3.9 libsensors4 \ 
 +                                  libxatracker2 xprintidle feh xdotool openbox libxapian30 libpipeline1 libnpth0 libksba8 libseccomp2 libsqlite3-0 libxdo3 \ 
 +                                  libnewt0.52 libslang2 keyutils libassuan0 libdatrie1 libevent-2.0-5 libthai-data libthai0 \ 
 +                                  pinentry-curses trickle libxapian30 libpcsclite1 libdbus-glib-1-2 libfuse2 libpipeline1 libusb-1.0-0 libxv1 xnest \ 
 +                                  xserver-xephyr rdesktop freerdp-x11 traceroute screen net-tools less ntfs-3g fuse locales cifs-utils xterm libgssglue1 \ 
 +                                  libntfs-3g871 libtalloc2 libtcl8.6 libtk8.6 libutempter0 libvncclient1 libvncserver1 libwbclient0 libxcb-xf86dri0 \ 
 +                                  libxcb-xv0 samba-common tcl tcl8.6 tk tk8.6 xbitmaps nfs-common rpcbind atmel-firmware bluez-firmware \ 
 +                                  dahdi-firmware-nonfree hdmi2usb-fx2-firmware iso-codes ixo-usb-jtag libc-l10n libnfsidmap2 libtirpc1 x11vnc x11vnc-data \ 
 +                                  libapparmor1 systemd apt-utils libapt-inst2.0 libfreerdp-cache1.1 libfreerdp-client1.1 libfreerdp-codec1.1 \ 
 +                                  libfreerdp-common1.1.0 libfreerdp-core1.1 libfreerdp-crypto1.1 libfreerdp-gdi1.1 libfreerdp-locale1.1 \ 
 +                                  libfreerdp-primitives1.1 libfreerdp-rail1.1 libfreerdp-utils1.1 libwinpr-crt0.1 libwinpr-crypto0.1 libwinpr-dsparse0.1 \ 
 +                                  libwinpr-environment0.1 libwinpr-file0.1 libwinpr-handle0.1 libwinpr-heap0.1 libwinpr-input0.1 libwinpr-interlocked0.1 \ 
 +                                  libwinpr-library0.1 libwinpr-path0.1 libwinpr-pool0.1 libwinpr-registry0.1 libwinpr-rpc0.1 libwinpr-sspi0.1 \ 
 +                                  libwinpr-synch0.1 libwinpr-sysinfo0.1 libwinpr-thread0.1 libwinpr-utils0.1 firmware-amd-graphics firmware-atheros \ 
 +                                  firmware-bnx2 firmware-bnx2x firmware-brcm80211 firmware-cavium firmware-crystalhd firmware-intel-sound \ 
 +                                  firmware-intelwimax firmware-ipw2x00 firmware-ivtv firmware-iwlwifi firmware-libertas firmware-linux firmware-linux-free \ 
 +                                  firmware-linux-nonfree firmware-misc-nonfree firmware-myricom firmware-netxen firmware-qlogic firmware-realtek \ 
 +                                  firmware-samsung firmware-siano firmware-ti-connectivity firmware-zd1211 
 +chroot squashfs-root dpkg -P apt tasksel tasksel-data 
 +rm squashfs-root/​etc/​X11/​Xsession.d/​60x11-openbox-start squashfs-root/​etc/​X11/​Xsession.d/​60x11-spawn-configure-slideshow-screensaver 
 +(cd squashfs-root/​usr/​bin/​ ; ln -sf ../​../​bin/​false xsetwacom) 
 +mkdir -p squashfs-root/​home/​user 
 +touch squashfs-root/​home/​user/​.xsession 
 +umount squashfs-root/​proc 
 +if ! grep '^eval $THROTTLINGCOMMAND' ​squashfs-root/​etc/​X11/​Xsession.d/​61x11-start-x2goclient | grep -q -- ' ​--thinclient ​' ​; then 
 +        sed -i -e 's#eval \$THROTTLINGCOMMAND x2goclient#​eval \$THROTTLINGCOMMAND x2goclient --thinclient#​g' ​
 +            squashfs-root/etc/​X11/​Xsession.d/​61x11-start-x2goclient 
 +fi 
 +if [ -f binary/live/filesystem.squashfs ] ; then 
 +        mv binary/live/​filesystem.squashfs binary/​live/​filesystem.squashfs.old 
 +fi 
 +mkdir -p binary/​live 
 +mksquashfs squashfs-root binary/​live/​filesystem.squashfs -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K -noappend 
 +rm -rf squashfs-root 
 +ln -f binary/​live/​filesystem.squashfs ​x2go-tce-filesystem-stripped.squashfs 
 +(cd binary; echo live$'\n'live/filesystem.squashfs |cpio -o -H newc | gzip --fast) >​./​tce-filesystem-stripped.cpio.gz 
 +cat ./​x2go-tce-initrd.img ./​tce-filesystem-stripped.cpio.gz >​./​x2go-tce-initrd-with-fs-stripped.img 
 +rm ./tce-filesystem-stripped.cpio.gz 
 +</​file>​
  
-FIXME ''​bg='' ​and ''​branding=''​ are currently unsupported in MiniDesktop-ModeAdding support ​for these doesn't need many tuits. A third option for the desktop background could be added as well possibly for regular TCE mode as welloverriding our default blue.+FIXME for MATE-MiniDesktop,​ it might make sense to teach the image how to do LDAP auth (preferably with LDAPS or LDAP+TLS) ​and use lightdm without the auto-loginThat way, a local screensaver //with// locking functionality (prompting ​for the actual user's LDAP password) should ​be possible ​and LDAP credential passthrough to X2GoClient should worktoo (though that might require kerberos in addition to LDAP,​we'​ll see).
  
-FIXME <​del>''​homepageurl=''​ (only available in MiniDesktop-Mode) is currently undocumentedSupports multiple URLs separated with pipes.</​del>​+FIXME Scripts triggered by if-up should check if a new download ​is really necessary.
  
 +FIXME Feature request: In TCE (not MMD), use <​code>​
 +while ! (grep "​^/​dev/"​ /etc/mtab | grep -q rw ) ; do # rw-mounted physical devices detected
 + echo s >/​proc/​sysrq-trigger # sync all
 + echo u >/​proc/​sysrq-trigger # remount all (physdevs) ro
 +done
 +echo o >/​proc/​sysrq-trigger # force fast shutdown/​poweroff
 +</​code>​ for faster poweroff when boot parameter ''​fastpo''​ is set
 +===== List of closed ToDos/​FIXMEs for this page ===== 
 +  * ''​audioout='',​ ''​blank='',​ ''​*blankdpmsfix'',​ ''​nodpms'',​ ''​xinerama='',​ are currently unsupported in MiniDesktop-Mode,​ but this is being worked on, by outsourcing them into scripts under ''/​etc/​X11/​Xsession.d/''​ (currently, they reside in ''/​lib/​live/​config/​2900-x2go-thinclientconfig''​ - which doesn'​t exist in the MiniDesktop branches - and from there, they get written to ''​~/​.xsession''​ - fixed in github repo, soon in x2go repo
 +  * It would be nice to have a boot parameter ''​xroot=[0xaabbcc|URI1[|URI2|...]]''​ for the desktop background image/​color,​ and a boot parameter ''​xrootmode=center|fill|scale|tile''​ to determine how the image(s) should be positioned (if the parameter has been set, but something is wrong, it should default to the "grey mesh" background) - fixed in github repo, soon in x2go repo
 +  * It would also be nice to have boot parameters ''​xsaverimages=[URI1[|URI2|...]]'',​ ''​xsaveridletime=n'',​ ''​xsaverimgtime=n'',​ for a local, non-locking slideshow screensaver (if no images are specified/​downloaded by the time it activates, it should just blank the screen). That way, one could display a slideshow without having to push the images across the network every time  - fixed in github repo, soon in x2go repo
 +  * Boot parameters ''​blankdpmsfix''​ and ''​earlyblankdpmsfix''​ still leave the screen blank for too long, when used in netboot mode (especially over slow links). Two ways to solve this are to either use local storage, or to use the initrd with the squashfs merged into it.  A third, new option would be a boot parameter ''​initrdblankdpmsfix'',​ where the un-blanking code of ''​earlyblankdpmsfix''​ is applied in the initrd already - fixed in github repo, soon in x2go repo
 +  * There might be a race condition between the scripts handling the sshd keyfile and the ssh private key file copy task (/config ...), causing one to umount the fixed disk before the other is done reading/​copying. What's weird is that there already is code that is supposed to keep this from happening, but it doesn'​t. - fixed in github repo, soon in x2go repo
 +  * Setting the time via NTP will fail if the TC can't establish a connection to an NTP server via the internet. It would make sense to allow specifying an internal NTP server via a boot parameter. - fixed in github repo, soon in x2go repo
 +  * ''​copysecring''​ currently does not work in MiniDesktop-Mode,​ as it copies the keys to the wrong user's homedir. - fixed in github repo, soon in x2go repo
 +  * copying ssh private keys seems to fail in MiniDesktop-Mode - possibly because of the priming/​pruning/​cleanup action performed on the homedirectory by the minidesktop init scripts? -  should already be fixed in github repo, soon in x2go repo 
 +  * Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/​permissions are ignored). - fixed.
 +  * ''​homepageurl=''​ (only available in MiniDesktop-Mode) is currently undocumented. Supports multiple URLs separated with pipes. - fixed
 +  * Maybe we should add symlinks to the mount points created by the automounter:​ Currently, we create ''/​media/​vendor_model_name/​sdxn''​ as a mount point. The idea is to allow the user to find their portable device using the vendor/​model name description. However, this is unusable for scripting, as the ''//​x//''​ in ''​sdxn''​ may change any time. We should replace ''//​sdx//''​ with ''//​partition//''​ (or have corresponding symlinks created), but what should we do for //​superfloppies//​ that only have ''​sdx''​ with no partition number? We could mount them as ''/​media/​vendor_model_name/​partition/''​ or directly at ''/​media/​vendor_model_name/''​. Also, symlinks using labels and uuids, similar to ''/​dev/​by-*''​ would be handy for scripting. Another problem: when replacing ''​sdx'',​ what will happen when a user inserts two media with the same vendor/​model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''/​media/​vendor_model_name/​1/​partitionn''​ or ''/​media/​vendor_model_name-1/​partitionn''​. - fixed. When a label is detected, a symlink is now created under ''/​media/​vendor_model_name/​label''​ that points to ''/​media/​vendor_model_name/​partitionn''​.
 +  * ''​nomagicpixel=''​ is unsupported in MiniDesktop-Mode and will be unsupported there forever, as it doesn'​t make sense for MiniDesktop-Mode (there is a task bar available, so a session that has been minimized accidentally can be re-selected by the users themselves). - unfixable.
 +  * volume control applet for MiniDesktop mode has been added  - fixed in github repo, soon in x2go repo (to save/​restore volume control settings, using the "​persistence"​ feature of live-build is probably the better way to go)
 <​note>​The live-config "​builtin"​ command ''​live-config.nottyautologin''​ does not do the same as our ''​nouser''​ command. ''​live-config.nottyautologin''​ means "​there'​s a login prompt, but you just need to enter username ''​user''​ and password ''​live''​ to login" - this is not what we want.  We need a solution to entirely block user logons. <​note>​The live-config "​builtin"​ command ''​live-config.nottyautologin''​ does not do the same as our ''​nouser''​ command. ''​live-config.nottyautologin''​ means "​there'​s a login prompt, but you just need to enter username ''​user''​ and password ''​live''​ to login" - this is not what we want.  We need a solution to entirely block user logons.
 </​note>​ </​note>​
  
doc/howto/tce.1543958019.txt.gz · Last modified: 2018/12/04 21:13 by stefanbaur