This is an old revision of the document!
This page is very much Work in Progress. Please leave a note on x2go-user@lists.x2go.org if you're interested in trying this out, so we can guide you along if something goes wrong.
If you are looking for installation instructions for the classic, NFS-filesystem-based X2Go-ThinClient, please go here
During the time of Debian Wheezy being Debian's stable release, we started developing a new ThinClientEdition then called TCE-Next Generation, or TCE-NG for short - one that is based on Debian-Live and thus no longer relies on NFS (though NFS can still be used to deploy the image - but we do not recommend that approach). Instead, the entire image is loaded into the RAM of the ThinClient machine. To avoid confusion, and because it has since left the “NG” state, we now call it TCE-Live.
The disadvantage is that your ThinClient now needs at least 512 MB to 1 GB of RAM (see below). Working with 256 MB is possible when you use local storage instead of netbooting (don't use the toram parameter, either), but not really recommended.
However, the huge advantage is that there no longer is a need for any high-availability setup concerning NFS (nor HTTP/HTTPS/FTP). If you follow our advice of loading the entire image into the ThinClient's RAM, or using local storage, all you need is an HTTP (HTTPS optional for later stages) or FTP server with a dedicated IP, if you want to use netbooting. It is also possible to deploy the image to the ThinClient's local storage, if present, and have it update in the background.
Besides, making changes to/updating the classic, NFS-based TCE (henceforth referred to as TCE-Classic) with the entire filesystem, not just its compressed image, spread out over the NFS share was rather finicky - with the current TCE-Live, you build and deploy a new image every time you make a change, and you can test it on a single client without interrupting your production environment. The local storage feature can also be used to create a portable version of both X2Go-TCE and X2goClient for Windows, sharing the same configuration, on CD/DVD/USB media.
We've also received reports that TCE-Classic wouldn't work with Jessie, or at least it was very hard to get it to work. Our TCE-Live works just fine with Jessie, and we expect it to work in Stretch and hopefully in Buster (Stretch+1) as well. The one catch is that the live-build package in Debian/the Debian-Live project is currently looking for a new maintainer - so there is a slim chance that live-build might be removed from Debian Buster, especially if no new maintainer steps up and the live-build replacement that is currently in the works (called live-wrapper) contains all the required functionality of live-build by then.
httpfs= or ftpfs= instead of fetch=, or netboot=nfs nfsroot=ip-of-your-server-here:/path/to/x2go-tce-filesystem.squashfs when netbooting, but this will make you dependent on an uninterrupted network connection again

sudo apt-get update
sudo apt-get install genisoimage git-core live-build live-config-doc live-manual-html live-boot-doc
#!/bin/bash
# Select ONE of the following git repositories
# this one loosely corresponds to "stable"
export LBX2GO_CONFIG='git://code.x2go.org/live-build-x2go.git::feature/openbox-magic-pixel-workaround'
# this one loosely corresponds to "heuler"
#export LBX2GO_CONFIG='https://github.com/LinuxHaus/live-build-x2go::feature/openbox-magic-pixel-workaround'
# NOTE: Add "-stretch" to the end of the LBX2GO_CONFIG string to create a stretch build
# Select ONE of the following LBX2GO_ARCH lines and comment out the others
# (feel free to use long or short options)
# for 64-Bit builds, use:
export LBX2GO_ARCH='-a amd64 -k amd64'
# 32-Bit, larger memory footprint, but faster performance on i686 and newer
# export LBX2GO_ARCH='-a i386 -k 686-pae'
# 32-Bit, smallest memory footprint
# export LBX2GO_ARCH='--architectures i386 --linux-flavours 586'
# detect if the selected git repo is meant to build a stretch or jessie image
if [ -z "${LBX2GO_CONFIG##*-stretch}" ] ; then
    export LBX2GO_DEBVERSION="stretch"
else
    export LBX2GO_DEBVERSION="jessie"
fi
# newer versions of live-build use the plural form of this parameter
if LANG=C lb config --help | grep -q bootloaders ; then
    export LBX2GO_BOOTLOADERPARAMNAME="--bootloaders"
else
    export LBX2GO_BOOTLOADERPARAMNAME="--bootloader"
fi
# set boot loader type - leave this unchanged unless you really know what you're doing
export LBX2GO_BOOTLOADER="syslinux"
# These options are meant to reduce the image size.
# Feel free to adapt them after consulting "man lb_config"
export LBX2GO_SPACE='--apt-indices none --apt-recommends false --cache false --checksums none --firmware-binary false --memtest none --win32-loader false'
# fixing some peculiarities for Ubuntu here
if lsb_release -i | grep -i ubuntu -q ; then
    [ -f /usr/lib/live/build/binary_rootfs ] || ln -s /usr/lib/live/build/lb_binary_rootfs /usr/lib/live/build/binary_rootfs
    export LBX2GO_MIRROR=" -m http://deb.debian.org/debian --mirror-chroot-security http://security.debian.org/debian/ --mirror-binary-security http://security.debian.org/debian/ --parent-mirror-chroot-security http://security.debian.org/debian/ --parent-mirror-binary-security http://security.debian.org/debian/"
else
    export LBX2GO_UPDATES="--updates true"
fi
# These are default values that should not require tuning
export LBX2GO_DEFAULTS="--backports true --firmware-chroot true --initsystem sysvinit --security true $LBX2GO_UPDATES $LBX2GO_MIRROR $LBX2GO_BOOTLOADERPARAMNAME $LBX2GO_BOOTLOADER --distribution $LBX2GO_DEBVERSION"
export LBX2GO_ARCHIVE_AREAS="main contrib non-free"
# This is for minidesktop builds and currently only adds firefox-esr language packs
#export LBX2GO_LANG='de'
# This is to optimize squashfs size, based on a suggestion by intrigeri from the TAILS team
# note that this will permanently change /usr/lib/live/build/binary_rootfs
sed -i -e 's#MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -comp xz"#MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K"#' /usr/lib/live/build/binary_rootfs
# This removes documentation, locales and man pages
# You can safely enable this if you intend to run X2GoClient in fullscreen mode all the time, or when building the ssh-only rescue image.
# For all other uses of the TCE-Live image creator (i.e. Minidesktop), your results may vary ... use at your own risk.
export LBX2GO_TCE_SHRINK="true"
# This patches the squashfs file into the initrd. Only parsed when image type "netboot" is set.
# Will require boot parameter live-media=/ instead of fetch=...
# Both TFTP client and TFTP server must support file transfers >32MB for this to work, if you want to deploy this initrd via TFTP.
# When using iPXE, you can use http instead of TFTP.
# This is especially helpful if you want to netboot via http and cannot use the server's IP, but must specify a DNS name - as "fetch=..." only understands IPs.
export LBX2GO_NOSQUASHFS="false"
# Select ONE of the following LBX2GO_IMAGETYPE lines and comment out the others
# to create an iso image:
# export LBX2GO_IMAGETYPE='iso'
# to create an iso image that can also be dd'ed to USB media:
# export LBX2GO_IMAGETYPE='iso-hybrid'
# to create a netboot-image:
export LBX2GO_IMAGETYPE='netboot'
# NOT RECOMMENDED:
# to create an image that can be written to a hard disk (always results
# in a "build failed" message, even though the build might have worked):
# export LBX2GO_IMAGETYPE='hdd'
# to create a tar file only (seems to be broken in live-build):
# export LBX2GO_IMAGETYPE='tar'
This patch is required if you need USB mount capability on the ThinClient while Bug #1136 is still unresolved.
#!/bin/bash
mkdir -p ./patch/includes.chroot/usr/lib/x2go/tce/
wget -O ./patch/includes.chroot/usr/lib/x2go/tce/x2gousbmount 'https://code.x2go.org/gitweb?p=x2gothinclient.git;a=blob_plain;f=usbmount/x2gousbmount;hb=c6106bd12ca0278b8706e87813ff782c0bbb6132'
chmod 755 ./patch/includes.chroot/usr/lib/x2go/tce/x2gousbmount
Change to a directory where you want to save your builds, and run the following commands:
#!/bin/bash
# Create Timestamp
LBX2GO_TIMESTAMP=$(date +"%Y%m%d%H%M%S")
# Set Directory name
LBX2GO_TCEDIR=./live-build-x2go-$LBX2GO_TIMESTAMP
if [ -z "$LBX2GO_ARCH" ] || [ -z "$LBX2GO_SPACE" ] || \
   [ -z "$LBX2GO_CONFIG" ] || [ -z "$LBX2GO_DEFAULTS" ] || \
   [ -z "$LBX2GO_DEBVERSION" ] || [ -z "$LBX2GO_IMAGETYPE" ] || \
   [ -z "$LBX2GO_TIMESTAMP" ] || [ -z "$LBX2GO_BOOTLOADERPARAMNAME" ] || \
   [ -z "$LBX2GO_BOOTLOADER" ] || [ -z "$LBX2GO_ARCHIVE_AREAS" ]; then
    echo -e "One or more of the following variables is unset:"
    echo -e "LBX2GO_ARCH: '${LBX2GO_ARCH}'"
    echo -e "LBX2GO_SPACE: '${LBX2GO_SPACE}'"
    echo -e "LBX2GO_DEFAULTS: '${LBX2GO_DEFAULTS}'"
    echo -e "LBX2GO_DEBVERSION: '${LBX2GO_DEBVERSION}'"
    echo -e "LBX2GO_CONFIG: '${LBX2GO_CONFIG}'"
    echo -e "LBX2GO_IMAGETYPE: '${LBX2GO_IMAGETYPE}'"
    echo -e "LBX2GO_TIMESTAMP: '${LBX2GO_TIMESTAMP}'"
    echo -e "LBX2GO_BOOTLOADERPARAMNAME: '${LBX2GO_BOOTLOADERPARAMNAME}'"
    echo -e "LBX2GO_BOOTLOADER: '${LBX2GO_BOOTLOADER}'"
    echo -e "LBX2GO_ARCHIVE_AREAS: '${LBX2GO_ARCHIVE_AREAS}'"
    echo -e "Please visit http://wiki.x2go.org/doku.php/doc:howto:tce"
    echo -e "and read up on the general prerequisites for X2Go-TCE"
else
    # This will create a timestamped subdirectory for the build
    mkdir -p $LBX2GO_TCEDIR
    cd $LBX2GO_TCEDIR
    lb config $LBX2GO_ARCH $LBX2GO_SPACE $LBX2GO_DEFAULTS \
        --config $LBX2GO_CONFIG --binary-images $LBX2GO_IMAGETYPE \
        --archive-areas "$LBX2GO_ARCHIVE_AREAS"
    # This will copy any patches we have prepared
    if [ -d "../patch" ] ; then
        cp -a ../patch/* config/
    fi
    # This enables an i386-only package in the sources.list file when an i386 build is requested
    if echo "$LBX2GO_ARCH" | grep -q -i "i386" ; then
        sed -i -e 's/# for i386 only #//' config/package-lists/desktop.list.chroot
    fi
    # This is for minidesktop builds only
    if [ -f config/package-lists/firefox-langpacks.list.chroot ] && [ -n "$LBX2GO_LANG" ]; then
        for LBX2GO_SINGLE_LANG in $(echo $LBX2GO_LANG | tr ';' ' '); do
            echo "LANG: '$LBX2GO_SINGLE_LANG'"
            sed -i -e 's/#firefox-esr-l10n-'$LBX2GO_SINGLE_LANG'$/firefox-esr-l10n-'$LBX2GO_SINGLE_LANG'/' config/package-lists/firefox-langpacks.list.chroot
        done
    fi
    if [ "$LBX2GO_TCE_SHRINK" = "true" ] ; then
        echo '#!/bin/sh' >./config/hooks/0112-remove-folders.hook.chroot
        echo 'set -e' >>./config/hooks/0112-remove-folders.hook.chroot
        echo '# Remove folders' >>./config/hooks/0112-remove-folders.hook.chroot
        echo 'rm -rf ./usr/share/doc/*' >>./config/hooks/0112-remove-folders.hook.chroot
        echo 'rm -rf ./usr/share/locale/*' >>./config/hooks/0112-remove-folders.hook.chroot
        echo 'rm -rf ./usr/share/man/*' >>./config/hooks/0112-remove-folders.hook.chroot
        [ "$LBX2GO_IMAGETYPE" != "netboot" ] && echo 'rm -rf ./var/lib/apt/lists/*' >>./config/hooks/0112-remove-folders.hook.chroot
        chmod 755 ./config/hooks/0112-remove-folders.hook.chroot
    fi
    if lb build ; then
        echo -e "Build is done: '$LBX2GO_TCEDIR'"
        ln ./binary/live/filesystem.squashfs ./x2go-tce-filesystem.squashfs
        if [ "$LBX2GO_IMAGETYPE" = "netboot" ] ; then
            ln ./tftpboot/live/vmlinuz ./x2go-tce-vmlinuz
            ln ./tftpboot/live/initrd.img ./x2go-tce-initrd.img
            if [ "$LBX2GO_NOSQUASHFS" = "true" ] ; then
                (cd binary; echo live$'\n'live/filesystem.squashfs |cpio -o -H newc | gzip --fast) >./x2go-tce-filesystem.cpio.gz
                cat ./x2go-tce-initrd.img ./x2go-tce-filesystem.cpio.gz >./x2go-tce-initrd-with-fs.img
                rm ./x2go-tce-filesystem.cpio.gz ./x2go-tce-filesystem.squashfs ./x2go-tce-initrd.img
            fi
        fi
        if [ "$LBX2GO_IMAGETYPE" = "iso" ] || [ "$LBX2GO_IMAGETYPE" = "iso-hybrid" ] ; then
            ln ./binary/live/vmlinuz ./x2go-tce-vmlinuz
            ln ./binary/live/initrd.img ./x2go-tce-initrd.img
            genisoimage -o ./x2go-tce-squashfs-only.iso -R -J -graft-points live/filesystem.squashfs=./x2go-tce-filesystem.squashfs
            [ -e ./live-image-amd64.hybrid.iso ] && ln ./live-image-amd64.hybrid.iso ./original-x2go-tce-live-image-amd64.hybrid.iso
            [ -e ./live-image-amd64.iso ] && ln ./live-image-amd64.iso ./original-x2go-tce-live-image-amd64.iso
            [ -e ./live-image-i386.hybrid.iso ] && ln ./live-image-i386.hybrid.iso ./original-x2go-tce-live-image-i386.hybrid.iso
            [ -e ./live-image-i386.iso ] && ln ./live-image-i386.iso ./original-x2go-tce-live-image-i386.iso
            mv ./x2go-tce-filesystem.squashfs ./original-x2go-tce-filesystem.squashfs
        fi
        # create timestamp file
        stat -c %Y ./config/includes.chroot/lib >./x2go-tce-timestamp
        touch -m -d @$(cat x2go-tce-timestamp) x2go-tce-timestamp
        lb clean
        rm -rf ./cache
    else
        # note that imagetype hdd always ends here,
        # due to a harmless error that can be safely ignored, but which sets the error code to != 0
        echo -e "Build failed: '$LBX2GO_TCEDIR'"
    fi
    cd ..
fi
fetch= command. This is untested.

export LBX2GO_IMAGETYPE='netboot' (this should be the default)

This is assuming you already have an existing, working PXE/TFTP and HTTP (with optional HTTPS) or FTP server setup.
Once you see the message “Build is done:”, go to the directory mentioned there, and copy x2go-tce-vmlinuz and x2go-tce-initrd.img to a suitable subdirectory under your TFTP root.
We suggest using ./x2go-tce.
cd $(mktemp -d)
atftp your-tftp-server-ip-here
tftp> get pxelinux.cfg/default
tftp> get x2go-tce/x2go-tce-vmlinuz
tftp> get x2go-tce/x2go-tce-initrd.img
tftp> quit
Next, copy x2go-tce-filesystem.squashfs from the directory mentioned after “Build is done:” to a suitable subdirectory under your HTTP, HTTPS, or FTP root.
We suggest using ./x2go-tce.
cd $(mktemp -d)
wget -Y off http://your-http-server-ip-here/
wget -Y off http://your-http-server-ip-here/x2go-tce/x2go-tce-filesystem.squashfs
In case of an FTP URL, replace http with ftp in the example above. Same goes for https when trying to get that to work.
Note that you MUST use an IP address. X2Go-TCE WILL NOT WORK with a DNS name, even though this test here will accept IPs and DNS names alike. The only exception is when a template actually spells out that you should input a DNS name.
Again, this is assuming you already have an existing, working PXE/TFTP server setup.
DEFAULT x2go-tce
PROMPT 0
MENU TITLE Linux Boot Menu
MENU COLOR TITLE 1 #ffffff #000000 std
MENU COLOR SEL 0 #ffffff #444444 std
MENU COLOR TABMSG 0 #999933 #000000 std
MENU COLOR UNSEL 0 #aaaaaa
LABEL x2go-tce
    TIMEOUT 50
    MENU LABEL X2Go-TCE
    KERNEL x2go-tce/x2go-tce-vmlinuz
    APPEND initrd=x2go-tce/x2go-tce-initrd.img boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 silent quiet splash lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser fetch=http://your-http-server-ip-here/x2go-tce/x2go-tce-filesystem.squashfs FURTHER-OPTIONS-GO-HERE
Again, this is assuming you already have an existing, working HTTP or FTP server setup.
Again, this is assuming you already have an existing, working PXE/TFTP server setup in place.
AA-BB-CC-DD-EE-FF.
01-AA-BB-CC-DD-EE-FF (note the extra “01-” at the beginning) pointing to x2go-tce.
ls -lah default
default-before-x2go-tce
default that points to x2go-tce
AA-BB-CC-DD-EE-FF.
01-AA-BB-CC-DD-EE-FF (note the extra “01-” at the beginning) pointing to x2go-tce-whatever-name-you-chose.

This section explains how to create images for local storage media.
Basically, proceed as shown for netboot above, but set LBX2GO_IMAGETYPE to iso-hybrid (recommended) or iso.
Do not select hdd or tar - even though we are creating a local storage media installation.
/boot/X2Go-live1, /boot/X2Go-live2, /boot/X2Go-live-download.
/boot/X2Go-live1, but you will be unable to use the autoupdater then.
./x2go-tce-vmlinuz, ./x2go-tce-initrd.img, and ./x2go-tce-squashfs-only.iso to /boot/X2Go-live1/ (and to /boot/X2Go-live2/, if present).

The next step is to install a boot loader. Currently, there are three choices, GRUB-legacy, syslinux, and GRUB4DOS.
(mountpath)/boot/grub
apt-get -y install grub-legacy # note this will remove grub2 from your system if it is installed, but will not cause any change to your boot sequence
grub-install --recheck --root-directory=(mountpath) /dev/targetdevice # entire device, not partition
(mountpath)/boot/grub/device.map
grub-install --root-directory=(mountpath) /dev/targetdevice # entire device, not partition
apt-get -y install grub2 # reinstall grub2 if that is what you were using before

# sample grub-legacy menu.lst for booting X2Go-TCE from local media
# Depending on your setup, this goes either into C:\menu.lst or C:\boot\grub\menu.lst, or /boot/grub/menu.lst.
# C:\menu.lst is recommended for NTFS, /boot/grub/menu.lst for ext*.
# Make sure you do not have menu.lst files at both locations.
default 0
timeout 5
color cyan/blue white/blue
# This says "password" in md5; generate your own hash with grub-md5-crypt and replace it
password --md5 $1$v4.0xYdG$32uzkKsup9c1RsHZlzfQs1
title X2Go-live1
find /boot/X2Go-live1/x2go-tce-vmlinuz
root
kernel /boot/X2Go-live1/x2go-tce-vmlinuz boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live1/x2go-tce-squashfs-only.iso FURTHER-OPTIONS-GO-HERE
initrd /boot/X2Go-live1/x2go-tce-initrd.img
title X2Go-live2
find /boot/X2Go-live2/x2go-tce-vmlinuz
root
kernel /boot/X2Go-live2/x2go-tce-vmlinuz boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live2/x2go-tce-squashfs-only.iso FURTHER-OPTIONS-GO-HERE
initrd /boot/X2Go-live2/x2go-tce-initrd.img
apt-get install -y syslinux mbr
syslinux --install /dev/targetpartition # if that fails or media won't boot, try syslinux -s --install /dev/targetpartition
sfdisk -A number-of-target-partition /dev/targetdevice
install-mbr /dev/targetdisk to fix this.

menu title X2Go-TCE
# This says "password" in md5
menu master passwd $1$v4.0xYdG$32uzkKsup9c1RsHZlzfQs1
UI menu.c32
default X2Go-live1
prompt 0
timeout 50
include X2Go-live1.cfg
include X2Go-live2.cfg

label X2Go-live1
    menu label X2Go-Live^1
    menu default
    linux /boot/X2Go-live1/x2go-tce-vmlinuz
    initrd /boot/X2Go-live1/x2go-tce-initrd.img
    append boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live1/x2go-tce-squashfs-only.iso FURTHER-OPTIONS-GO-HERE

label X2Go-live2
    menu label X2Go-Live^2
    menu default
    linux /boot/X2Go-live2/x2go-tce-vmlinuz
    initrd /boot/X2Go-live2/x2go-tce-initrd.img
    append boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live2/x2go-tce-squashfs-only.iso FURTHER-OPTIONS-GO-HERE
Installing GRUB4DOS allows you to keep the original Windows bootloader installed. The method below also allows you to write-mount the NTFS file system and thus to deploy updates using the autoupdater. This is done by chainloading GRUB4DOS from the native Microsoft Windows Bootloader.
C:\boot.ini
attrib -r -h -s C:\boot.ini
C:\boot.ini and add an entry C:\grldr="Start ThinClient" somewhere below the section [operating systems]
[boot loader], change the line starting with default to default=C:\grldr
attrib +r +h +s C:\boot.ini
@echo off
setlocal
REM bcdedit.exe is located in the System32 directory below %SystemRoot%
set BCDEDIT=%SystemRoot%\System32\bcdedit.exe
if not exist %BCDEDIT% exit 1
for /f "tokens=3" %%A in ('%BCDEDIT% /create /d "PXE boot" /application bootsector') do set guid=%%A
%BCDEDIT% /set %guid% device partition=%SystemDrive%
%BCDEDIT% /set %guid% path \grldr.mbr
REM you can use /addfirst instead, if you want
%BCDEDIT% /displayorder %guid% /addlast
REM this sets a 5 second timeout until the default entry is booted
REM feel free to adjust to your needs, but NEVER set it to 0 or 1
REM in combination with using /default below unless you don't ever
REM intend to boot back into Windows again.
%BCDEDIT% /timeout 5
REM "bootsequence" means only the single, next reboot will default to this
%BCDEDIT% /bootsequence %guid% /addfirst
REM alternatively, you can uncomment this and make the ThinClient
REM boot option the default boot option
REM %BCDEDIT% /default %guid%
endlocal
ntfs-uuid= parameter with the Volume Serial Number listed in the output of vol c: (Windows command) or with the UUID from the output of blkid /dev/targetpartition

# sample grub-legacy menu.lst for booting X2Go-TCE from NTFS-formatted local media
# Depending on your setup, this goes either into C:\menu.lst or C:\boot\grub\menu.lst.
# C:\menu.lst is recommended.
# Make sure you do not have menu.lst files at both locations.
default 0
timeout 5
color cyan/blue white/blue
# This says "password" in md5
password --md5 $1$v4.0xYdG$32uzkKsup9c1RsHZlzfQs1
title X2Go-live1
find /boot/X2Go-live1/x2go-tce-vmlinuz
root
kernel /boot/X2Go-live1/x2go-tce-vmlinuz boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live1/x2go-tce-squashfs-only.iso toram ntfs-uuid=xxxxxxxxxxxxx FURTHER-OPTIONS-GO-HERE
initrd /boot/X2Go-live1/x2go-tce-initrd.img
title X2Go-live2
find /boot/X2Go-live2/x2go-tce-vmlinuz
root
kernel /boot/X2Go-live2/x2go-tce-vmlinuz boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser silent quiet splash findiso=/boot/X2Go-live2/x2go-tce-squashfs-only.iso toram ntfs-uuid=xxxxxxxxxxxxx FURTHER-OPTIONS-GO-HERE
initrd /boot/X2Go-live2/x2go-tce-initrd.img
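
The boot entries above all repeat one long parameter string, so a setting this howto warns about is easy to miss. The following added example (not code from the X2Go project) lints a pxelinux/syslinux or menu.lst file for missing noroot/nouser, for sessionsurl/bg/branding fetched over plain HTTP or FTP, for copysecring, and for the sample password hash printed on this page. The function names, the constructed sample config and the 192.0.2.10 address are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not X2Go project code: lint X2Go-TCE boot-loader entries.
# SAMPLE_HASH is the hash shown in this howto's menu.lst and syslinux.cfg.
SAMPLE_HASH='$1$v4.0xYdG$32uzkKsup9c1RsHZlzfQs1'

# audit_tce_params PREFIX "PARAMS": print one finding per line for one entry.
audit_tce_params() {
    p_prefix=$1
    p_params=$2
    p_noroot=0
    p_nouser=0
    set -f    # split on whitespace only, no filename expansion
    for p_word in $p_params; do
        case $p_word in
            noroot) p_noroot=1 ;;
            nouser) p_nouser=1 ;;
            copysecring)
                echo "$p_prefix: copysecring copies SSH secret keys into the ramdisk; power-cycle after use" ;;
            sessionsurl=*|bg=*|branding=*)
                # the howto warns that a spoofed server can inject these files
                case ${p_word#*=} in
                    http://*|ftp://*)
                        echo "$p_prefix: ${p_word%%=*} is fetched without TLS; use https" ;;
                esac ;;
        esac
    done
    set +f
    [ "$p_noroot" -eq 1 ] || echo "$p_prefix: noroot is missing (local user can become root)"
    [ "$p_nouser" -eq 1 ] || echo "$p_prefix: nouser is missing (local login with the default password)"
    return 0
}

# audit_boot_cfg FILE: walk a pxelinux/syslinux or grub-legacy config file.
audit_boot_cfg() {
    c_entry="(global)"
    while read -r c_key c_rest || [ -n "$c_key" ]; do
        case $c_key in
            ''|\#*) continue ;;    # blank lines and comments
        esac
        case $c_rest in
            *"$SAMPLE_HASH"*)
                echo "$c_entry: password hash is the howto's sample (\"password\")" ;;
        esac
        # keywords are case-insensitive in syslinux, so compare in lower case
        case $(printf '%s' "$c_key" | tr 'A-Z' 'a-z') in
            label|title) c_entry=$c_rest ;;
            append|kernel)
                # only lines that carry the live-boot parameter set are audited
                case $c_rest in
                    *boot=live*) audit_tce_params "$c_entry" "$c_rest" ;;
                esac ;;
        esac
    done < "$1"
    return 0
}

# write_sample_cfg FILE: constructed sample input in syslinux syntax.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
menu master passwd $1$v4.0xYdG$32uzkKsup9c1RsHZlzfQs1
label X2Go-live1
linux /boot/X2Go-live1/x2go-tce-vmlinuz
append boot=live components noroot nouser sessionsurl=http://192.0.2.10/x2go-tce/x2go-tce.sessions
label debug
linux /boot/X2Go-live1/x2go-tce-vmlinuz
append boot=live components copysecring bg=https://192.0.2.10/x2go-tce/x2go-tce-bg.svg
EOF
}

sample=$(mktemp)
write_sample_cfg "$sample"
audit_boot_cfg "$sample"
rm -f "$sample"
```

An empty result means none of the checked settings were found; run it against every file under pxelinux.cfg/ and every menu.lst or syslinux.cfg you deploy.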
export LBX2GO_IMAGETYPE="iso-hybrid" (recommended) or export LBX2GO_IMAGETYPE="iso".

export LBX2GO_DEFAULTS+=" --bootappend-live boot=live components noswap aufs rd.luks=0 rd.lvm=0 rd.md=0 rd.dm=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rd.driver.pre=loop rd.noverifyssl rd.skipfsck rd.live.overlay.check rd.live.overlay.reset rd.live.ram log_buf_len=1M quickreboot consoleblank=0 kernel.sysrq=1 keep_bootcon sysrq_always_enabled rootwait=120 silent quiet splash lang=de vconsole.keymap=de keyboard-layouts=de locales=de_DE.UTF-8 hostname=localhost noroot nouser live-media-path=live FURTHER-OPTIONS-GO-HERE"
./original-x2go-tce-live-image-i386.hybrid.iso after running the build script.
live containing a file filesystem.squashfs. Adjust the value of live-media-path= accordingly.
Use xorriso -as cdrecord -v dev=/dev/your-writer-device -dao ./original-x2go-tce-live-image-i386.hybrid.iso or whatever cd burning software you like. See https://wiki.debian.org/BurnCd for some additional suggestions.
When using iso-hybrid, this file can be dd'ed straight to USB media, no need to unpack, format, fiddle with a boot loader, etc.
So just do dd if=./original-x2go-tce-live-image-i386.hybrid.iso of=/dev/targetdevice and wait until it finishes.
Also, when using iso-hybrid and USB media, there are a few “cheats” to reclaim unused space on the USB media, and to turn it into a solution that allows you to run X2GoClient in portable mode on Windows, and boot it as X2Go-TCE, with a shared configuration file.
As there is no simple way to have individual, persistent SSH Host Keys per ThinClient, and sharing secret host keys across machines is a bad idea, too, the default behavior is to generate a new key pair upon boot. If you need to SSH into ThinClients often, this may soon become annoying.
Therefore, X2Go-TCE-Live comes with a script that, during the boot process, will scan for USB media and fixed disk media (with fixed disk media taking precedence, unlike the copysecring boot parameter that copies SSH Client Private Keys when set) for a directory config/sshdkeys. The volume must be labeled X2GO-TCE-LIVE and may use any supported file system, though write support is required if you want to store the keys from within X2Go-TCE-Live. If you're booting from fixed disk media/internal flash, you may put the folder directly in the root directory of your boot drive - just don't forget to change the volume label to the “magic value” X2GO-TCE-LIVE. If the directory exists, but is empty, all current SSH Host Keys will be copied into it (missing ones will be generated on the fly). Any SSH Host Keys found in the config/sshdkeys directory will be copied into /etc/ssh/ (in the ramdisk), with proper permissions and ownerships for sshd, and sshd will be told to reload its config if required.
noroot - do not allow the local user account on the ThinClient (named “user”) to become root, e.g. using sudo. Always set this unless you are debugging an image and need to log in locally!
nouser - do not allow the local user account on the ThinClient (named “user”) to log in at the console or remotely (using password “live”). Always set this unless you are debugging an image and need to log in locally!
=de and =de_DE.UTF-8 should be set to match your desired country/locale setting
hostname=localhost as shown above. If you remove hostname=localhost entirely, all thin clients will share the hostname debian, which is the Debian-Live default host name. Similarly, if you set hostname=someothervalue, all thin clients booting this configuration will share the hostname someothervalue.
broker-url=ssh://your-broker-address-here - this allows you to specify an X2Go Session Broker instead of a sessions file (not limited to an ssh-based broker, works with an http-based broker as well)
sessionsurl=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.sessions - use this to specify a sessions file. You need this unless you are using a session broker. See below for how to add this file to your HTTP, HTTPS, or FTP server. Attention: Whoever manages to spoof the server name can inject rogue session config files into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
audioout=list / audioout="alsa_card.something|output:something" - use this to list all available audio outputs / select a particular audio output. Note that when selecting one, the parameter consists of two values (as displayed in the output on /dev/tty8 when specifying list) that need to be separated with a |, and the set of the two values needs to be enclosed in double quotes. Do not enclose each value in double quotes separately! Correct example: audioout="alsa_card.pci-0000_00_1b.0|output:hdmi-stereo"
bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg - use this to specify an SVG file to “brand” your X2Go-TCE with. It will replace the blue background theme of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
blank=n|n:n:n - Will disable (blank=0) or set screensaver timeout. Use blank=n:n:n to set DPMS Standby/Suspend/Off values. Standby value equals screensaver timeout value. All values are given in seconds.
blankdpmsfix - This forces the TFT to go black for a few seconds during the X startup phase, then forces it back on again. This fixes an occasional “black screen” issue that occurs with some flaky client/TFT hardware combinations when using DisplayPort connectors, and could otherwise only be remediated by manually turning the TFT off and back on again. (feature available via github repo, soon via x2go repo too)
branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg - use this to specify an SVG file to “brand” your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
copysecring - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: config/ssh, 'ssh', .ssh. The volume must be labeled X2GO-TCE-LIVE or PORTABLEAPP and may use any supported file system. Any SSH Secret Keys found there will be copied into /home/user/.ssh (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys). To mitigate this risk, be sure to power-cycle the ThinClient once you are done. You should specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the FAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
earlyblankdpmsfix - This forces the TFT to go black for a few seconds during the initial boot phase (right after the squashfs was downloaded), then forces it back on again. This fixes an occasional “black screen” issue that occurs with some flaky client/TFT hardware combinations when using DisplayPort connectors, and could otherwise only be remediated by manually turning the TFT off and back on again. Earlyblankdpmsfix can also be called as earlyblankdpmsfix=nnnn, where nnnn is the blanking time in milliseconds (so, earlyblankdpmsfix=1500 equals 1.5 seconds). (feature available via github repo, soon via x2go repo too)
homepageurl="URL1[|URL2|URLn]" - this is only available in MiniDesktop mode. It allows you to specify one or more web pages that show up on Browser start/when clicking the “Home” icon. URLs need to be separated with a |, and the set of URLs needs to be enclosed in double quotes. Do not enclose each URL in double quotes separately! Correct example: homepageurl="https://www.google.de|https://wiki.x2go.org"
initrdblankdpmsfix
- This is the same as earlyblankdpmsfix, only that it activates in the initial ramdisk already. Like earlyblankdpmsfix, it can also be called as initrdblankdpmsfix=nnnn. This parameter is useful if you are affected by the black screen at boot issue, and you are not combining squashfs and initrd into one file when netbooting. (feature available via github repo, soon via x2go repo too)
ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com
- this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication, only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
ldap1=ldap-backupserver-1.example.com:389
- this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
ldap2=ldap-backupserver-2.example.com:389
- this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication
nodpms
- Will not touch DPMS settings at all (by default, blank=0 does both xset s off and xset -dpms). Use this along with blank=n if you do want to blank the screen, but your screen is confused by DPMS settings.
nomagicpixel=1 or nomagicpixel=2
- you should set nomagicpixel=1 while the “magic pixel” (clicking in the upper right corner of the screen will minimize a fullscreen session) is still active in thinclient mode (this feature is expected to be disabled at some point in the future). nomagicpixel=1 will disable the window manager when exactly 3 windows are detected (that's the usual situation when a fullscreen session is active). It will re-enable openbox whenever more or fewer than 3 windows are detected. If this fails for you, you can try nomagicpixel=2, which will try to trigger on the window-minimize command and restore it to fullscreen (this will cause a short screen flickering effect). Note that nomagicpixel=2 will make your ThinClient unusable when trying to run the actual X2Go-TCE client as a virtual machine guest (the X2GoServer you connect to may be a VM guest, no problems there). To live with the magic pixel bug, simply do not add this option at all.
ntp="server1 server2 … servern"
- this allows you to specify your own NTP server. If this parameter is not used, time will be synced with standard Debian NTP servers. To disable NTP syncing entirely, use ntp=false (feature available via github repo, soon via x2go repo too)
pubkey=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.authorized_keys
- Allows you to add an ssh public key file to the ThinClient, so your administrators can log in remotely using SSH. Note that this file needs to be chmodded 644, not 600, on the web server. Attention: Whoever manages to spoof this server name will have root access to your ThinClients. Using HTTPS will mitigate this - an attacker would not only have to spoof the server name, but also the matching certificate.
session=sessionname
- use this to specify a session by name that should be pre-selected on startup. The name must be listed in the sessions file and may only contain characters from the following charset: a-zA-Z0-9.:/ _- (We suggest naming the default session default and using session=default.) When using a session name with blanks, please enclose the sessionname in either single or double quotes, like so: session="session name" / session='session name'
tcedebug
- this switches X2GoClient into debug mode and will also lead to increased logging to /var/log/x2goclient and to tty9
tcpprint
- Will allow you to use local LPT/USB printers like “dumb” network printers (listening to port 9100 and above). Requires MAC→IP mapping in DHCP server (and optionally, DNS→IP mapping), or static IPs - else your print jobs will end up on random devices. This setup is preferred over the X2GoClient's built-in printing for locally attached printers if X2GoServer and ThinClients are on the same network. It is not recommended when your X2Go connection goes across the internet or when the ThinClient is actually a laptop roaming between different networks. Attention: When used without tcpprintonlyfrom (see below), this means anyone that can reach your thin client via e.g. ping can also send print jobs to it!
tcpprintonlyfrom=x.x.x.x
- Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use. Understands the same syntax as xinetd's only_from.
throttle=n|n:n:n:n:n
- Will throttle down- and upload speed (throttle=n) or set throttling limits as follows: download:upload:smoothingtime:smoothinglength:latency. Defaults for up- and download are 10 (KiloBytes/s), 3.0 (seconds, using decimals is permitted) smoothingtime, 20 (KiloBytes), 0 (ms). For a detailed description of these parameters, see “man trickle”. You can use the first 1, 2, 3, 4 or all 5 parameters. To set down- and/or upload speed to unlimited, use the letter “u” instead of a numeric value.
timezone=TIMEZONE
- can be used to define a timezone other than UTC, e.g. 'Europe/Berlin'. This especially makes sense for MATE-MiniDesktop, but is nice to have in regular TCE-Live as well, because the timestamp of the log messages will show the local time instead of UTC. This is a standard parameter of live-boot, and not specific to X2Go.
x3270servers="host[:port][|host[:port]…]"
- this is only available in MiniDesktop mode. It allows you to specify one or more hosts (with optional ports) for x3270 terminal emulation sessions that will be created as desktop shortcuts on the thinclient. For a default 3270 connection, the port is 23 (telnet) and does not need to be specified. For an SSL-encrypted connection (recommended), the port is 992. Hosts may be IP addresses or DNS names, and need to be separated with a |. (feature available via github repo, soon via x2go repo too)
x5250servers="host[:port][|host[:port]…]"
- this is only available in MiniDesktop mode. It allows you to specify one or more hosts (with optional ports) for x5250 terminal emulation sessions that will be created as desktop shortcuts on the thinclient. For a default 5250 connection, the port is 23 (telnet) and does not need to be specified. For an SSL-encrypted connection (recommended), the port is 992. Hosts may be IP addresses or DNS names, and need to be separated with a |. Note that x5250 support is currently not part of the standard image available via git, as there is no x5250 executable in Debian. You can try using x3270 instead, most modern IBM i (System i, iSeries, AS/400) systems support 3270-type connections as well. If you need native 5250 support, say, with a commercial, closed-source 5250 terminal emulator, please leave a message on the X2Go-User Mailing List and we'll tell you if and how you can integrate that into your build. (feature available via github repo, soon via x2go repo too)
xinerama=left-of|right-of|above|below|same-as
- Allows you to specify how multiple screens are handled (same-as clones the primary screen to all secondary screens, the other commands will cascade and thus expand the screen). Note that the current implementation will enforce “same-as” if it detects a touch screen driver (wacom) and no other pointing device. This is so you won't get stuck being unable to log off, for example, due to your touch device being limited to one screen.
xorg-driver=DRIVERNAME
- will skip graphics driver autodetection and force the specified driver instead. This is a standard parameter of live-boot, and not specific to X2Go.
xorg-resolution=HRESxVRES
- will force the horizontal resolution to HRES and the vertical resolution to VRES, e.g. xorg-resolution=1280x1024, useful if autodetection for the correct screen size fails, but you do get as far as seeing the X2Go GUI. This is a standard parameter of live-boot, and not specific to X2Go.
xorgconfurl=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.xorg.conf
- when a client outright refuses to boot into the graphical X2Go login screen, but gets stuck at the console or a black screen instead, yet you can get the GUI to work using a regular Linux on the same hardware, you can disable the X Server's autodetection and force it to use the xorg.conf specified here. Note that you should use a more descriptive name for the file, as described below. Attention: Whoever manages to spoof the server name can inject rogue xorg config files into your ThinClients. To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
xroot=[0xaabbcc|URI1[|URI2|…]]
- can be used to set a local desktop background image or color (in hex format, with leading 0x, not leading #). On the main screen, this is only visible during startup, while additional screens will display whatever is set for them when there is no active session. The background also becomes visible for a short moment when the optional local screensaver activates or deactivates. Specifying more than one image will cause the first image to show up on the first screen, the second image on the second screen, and so on (feature available via github repo, soon via x2go repo too).
xrootmode=center|fill|scale|tile
- can be used to determine how the local desktop background image(s) should be positioned. If the parameter has been set, but something is wrong, it will default to a grey mesh background. (feature available via github repo, soon via x2go repo too)
xsaveridletime=n
- this value determines how long the screen should have been idle before the local slideshow screensaver sets in (value given in seconds). We recommend using 60 seconds less than for the server-sided, locking screensaver. (feature available via github repo, soon via x2go repo too)
xsaverimages=[URI1[|URI2|…]]
- if you want a local, non-locking slideshow screensaver, you can specify image URLs here. These images will be downloaded once, at boot. That way, one can display a slideshow without having to push the images across the network every time. Especially for slow links, this is the recommended way of running a slideshow screensaver. For security, combine this with a locking screensaver on the server with only one slide or a black background. (feature available via github repo, soon via x2go repo too)
xsaverimgtime=n
- this determines how long each slide of the local, non-locking screensaver will be shown. (feature available via github repo, soon via x2go repo too)
bwlimit=nnn
- Will allow you to specify a bandwidth limit (valid values: 1-100) in percent for the backgrounded update task.
ntfs-uuid=
- Will be required for updating images stored on NTFS filesystems. Full UUID as shown under /dev/disk/by-uuid/ is preferred, but can work with the volume serial number shown in the output of “vol c:” as well.
updatesleep=nnnnn
- Will allow you to specify the upper limit (in seconds) of the update timer's randomizer. Allowed range for upper limit: 240-32767. Will default to 900 if unset or set to an out-of-range value. Lower limit is fixed at 120 seconds.
updateurl=rsync|https|http|ftp://your-http-server-ip-or-dns-here/path-to-update-files
- Will allow you to update an image in the background when using local storage instead of PXE. Download task will start at a randomized interval to avoid unintentional DDoSing of the update server/network infrastructure. The updater will even work when using NTFS for local storage, but only if the toram boot option is used. Regardless of NTFS or not, the updater requires three directories: /boot/X2Go-live1, /boot/X2Go-live2, /boot/X2Go-live-download. Attention: Whoever manages to spoof the server name can deploy rogue images to your ThinClients. Even though it is slower, using an HTTPS web server is the safer way of doing this. Be sure that your web server delivers a last-modified header for all files.
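The Attention notes above (pubkey=, xorgconfurl= and updateurl= fetched from a server whose name can be spoofed, tcpprint used without tcpprintonlyfrom) can be checked mechanically before a boot configuration is rolled out. The following is an added example, not part of X2Go-TCE; the function name audit_cmdline, the finding labels and the host tce.example.test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not X2Go project code): audit the boot parameters of an
# X2Go-TCE-Live client for the risky settings this page warns about.
# The function name and the finding labels are made up for this example.

# audit_cmdline "<kernel command line or pxelinux APPEND line>"
# Prints one finding per line (nothing if the line is clean):
#   INSECURE-FETCH <param> <scheme>  the file is not fetched via HTTPS, so
#                                    spoofing the server name is enough to
#                                    inject keys, an xorg.conf or an image
#   OPEN-PRINT                       tcpprint without tcpprintonlyfrom
audit_cmdline() {
    _has_tcpprint=0
    _has_onlyfrom=0
    set -f                          # no glob expansion while word-splitting
    for _word in $1; do
        case $_word in
            pubkey=*|xorgconfurl=*|updateurl=*)
                _name=${_word%%=*}
                _value=${_word#*=}
                _value=${_value#\"} # drop an opening quote, if present
                _value=${_value#\'}
                case $_value in
                    https://*) ;;   # server must present a matching certificate
                    *://*) echo "INSECURE-FETCH $_name ${_value%%://*}" ;;
                    *)     echo "INSECURE-FETCH $_name none" ;;
                esac
                ;;
            tcpprint)            _has_tcpprint=1 ;;
            tcpprintonlyfrom=?*) _has_onlyfrom=1 ;;
        esac
    done
    set +f
    if [ "$_has_tcpprint" -eq 1 ] && [ "$_has_onlyfrom" -eq 0 ]; then
        echo "OPEN-PRINT"
    fi
    return 0
}

# Constructed sample lines; the host name and the print server IP are placeholders.
SAMPLE_WEAK='boot=live toram pubkey=http://tce.example.test/x2go-tce/x2go-tce.authorized_keys updateurl=rsync://tce.example.test/x2go-tce tcpprint'
SAMPLE_HARDENED='boot=live toram pubkey=https://tce.example.test/x2go-tce/x2go-tce.authorized_keys updateurl=https://tce.example.test/x2go-tce tcpprint tcpprintonlyfrom=192.0.2.10'

echo "weak:"
audit_cmdline "$SAMPLE_WEAK"
echo "hardened:"
audit_cmdline "$SAMPLE_HARDENED"
```

On a running ThinClient, the same function can be fed the contents of /proc/cmdline.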
Images built using the https://github.com/LinuxHaus/live-build-x2go::feature/openbox repository/branch after 2017-07-27 10:50 UTC will create a file /var/run/x2go-timestamps.
A command like
ssh -A root@ThinClientIPorDNS 'cat /var/run/x2go-tce-timestamps'
will return a result like
--- BEGIN TIMESTAMPS ---
1501164001;X2Go-live1;X
1501160716;X2Go-live2;
---- END TIMESTAMPS ----
Which you can parse using grep, awk, and/or perl, for example.
The first field is the version number, the second field is the name of the instance, the third field, if set, indicates that this is the running instance.
“Tell me the version number of the currently running instance” could thus be queried like:
ssh -A root@ThinClientIPorDNS 'cat /var/run/x2go-tce-timestamps' | awk -F ';' '$3 == "X" { print $1 }'
This value can then be compared to the output of
curl http(s)://YourUpdateServerIPorDNS/path/to/image/x2go-tce-timestamp
→ If the number the curl command returns is higher than the one returned by the ssh command, the ThinClient is running an older version of X2Go-TCE and should be marked as requiring an update in whatever monitoring software you use.
→ This feature doesn't really make sense when you're netbooting, so it is only enabled when an updateurl= boot parameter is present - for local installations and writable portable media, it will help you keep track of update rollout status.
pubkey= boot parameter for this to work.
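The comparison described above can be wrapped into a small check for a monitoring system. This is an added example, not part of X2Go-TCE; the function names running_version and update_state and the state labels are assumptions, and the sample input is constructed after the format shown above. It also covers the failure cases a monitoring check has to expect: truncated ssh output, no running instance, and an update server that answers with something other than a number.

```shell
#!/bin/sh
# Added example (not X2Go project code). Function names and state labels are
# made up for this example.

# Constructed sample, following the timestamp format shown on this page.
SAMPLE_TIMESTAMPS='--- BEGIN TIMESTAMPS ---
1501164001;X2Go-live1;X
1501160716;X2Go-live2;
---- END TIMESTAMPS ----'

# running_version: reads the timestamp file on stdin and prints the version of
# the running instance. Prints nothing if the END marker is missing (truncated
# output), if no instance is marked as running, or if more than one is.
running_version() {
    awk -F ';' '
        /^-+ BEGIN TIMESTAMPS -+$/ { inside = 1; next }
        /^-+ END TIMESTAMPS -+$/   { inside = 0; complete = 1; next }
        inside && $3 == "X" && $1 ~ /^[0-9]+$/ { version = $1; hits++ }
        END { if (complete && hits == 1) print version }
    '
}

# update_state <running-version> <version-offered-by-update-server>
# Prints OUTDATED, CURRENT or UNKNOWN. Anything that is not a plain number
# (empty string, an HTML error page, ...) yields UNKNOWN instead of being
# compared, so a broken query never reports a client as up to date.
update_state() {
    case $1 in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
    case $2 in ''|*[!0-9]*) echo UNKNOWN; return 0 ;; esac
    if [ "$2" -gt "$1" ]; then
        echo OUTDATED
    else
        echo CURRENT
    fi
}

# In production the two values would come from the commands on this page, e.g.
#   running=$(ssh root@ThinClientIPorDNS 'cat /var/run/x2go-tce-timestamps' | running_version)
#   offered=$(curl -fsS https://YourUpdateServerIPorDNS/path/to/image/x2go-tce-timestamp)
# (agent forwarding is not needed for this read-only query).
running=$(printf '%s\n' "$SAMPLE_TIMESTAMPS" | running_version)
offered=1501170000   # constructed value standing in for the curl result
echo "running=$running offered=$offered state=$(update_state "$running" "$offered")"
```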
Determine the correct resolution for your screen and set boot parameter xorg-resolution=HRESxVRES accordingly, e.g. to xorg-resolution=1280x1024.
If the screen is entirely black, try pressing [Ctrl]+[Alt]+[F1] and see if that takes you to the text login screen.
If you end up at the text login, this means the X Server's autodetection failed. There's not much you can do from inside X2Go-TCE at this point. Make a note of the MAC address (the GREEN text), shut down the ThinClient and try to boot a different Linux distribution on it. Try, for example, KNOPPIX Live Linux or other distributions' live images (a recent Fedora or Arch, maybe?).
If you can get X running in one of these, proceed as follows:
In the running Linux where you have a working X Server on that particular hardware:
Xorg :$(($(ps -C Xorg -o args= | awk ' $2 ~ /^:[0-9]/ { print $2 }' | tr -d ':' | sort -n | tail -n 1)+1)) -configure
Xorg -configure
Next steps:
xorgconfurl=tftp|http|https|ftp://your-http-server-ip-here/x2go-tce/x2go-tce.xorg.conf.name-of-your-stubborn-hardware
First, check that the audio isn't simply muted (some cards/setups do this by default). Run pavucontrol inside the X2Go session. Check the settings on the tabs Output Devices and Configuration. If that is the case, you probably need to create a script on the server that raises the volume/toggles the mute setting upon user login.
If that doesn't help, please boot with additional boot parameter audioout=list and look at the output on /dev/tty8 (Hit Ctrl+Alt+F8) - it will give you a list of available audio output devices. This list also gets written to /tmp/audiolog on the ThinClient.
You might have to pick a different one from the list, by using boot parameter audioout= with a particular card/output value, like: audioout="alsa_card.pci-0000_00_1b.0|output:hdmi-stereo" (you need to copy the proper value from the list generated on your particular thinclient).
If you need different settings for different manufacturers, you can try to tell them apart by MAC address and set separate pxe boot configuration files for them.
X2Go-TCE comes with x11vnc installed. If you want to see what's on the ThinClient's X11 screen, before a server connection has been established, proceed as follows:
xvncviewer -listen 5500
ssh -R 5500:localhost:5500 root@thinclient 'x11vnc -display :0 -rfbport 0 -coe localhost'
vncclient.exe -listen 5500
x11vnc -display :0 -rfbport 0 -coe localhost in the PuTTY window
To see what a user is doing once a connection has been established, connect to the X2GoServer yourself and use X2Go's built-in Desktop Sharing (session shadowing). Install package x2godesktopsharing on the server, if you haven't done so already - this will deliver way better performance. See below for more.
Please see the Desktop Sharing (session shadowing) HowTo for details.
When you are unable to connect to the ThinClient, you might want to ascertain its MAC and/or IP address(es), to make sure you and the user you are trying to support are talking about the same machine. Tell the user to press [Ctrl]+[Alt]+[F1] and to read out
To return to the login screen, have the user press [Ctrl]+[Alt]+[F7] ([Alt]+[F7] should work, too), or, once you've successfully logged in over the network, issue the chvt 7 command.
There are several ways to check whether a ThinClient has detected any local printers:
ls -lah /etc/xinetd.d/jetdirect* and examine the files listed there.
cat /dev/vcs9 (you might have to pipe it through less to see the entire screen).
chvt 7 command.
There are several ways to check a ThinClient's update status:
cat /dev/vcs10 (you might have to pipe it through less to see the entire screen) when connected remotely
chvt 7 command.
This page is missing a section/subpage that explains how to use the content of the tar file located in the build directory if no PXE/TFTP/HTTP server is present yet.
Basically, debian-live/live/filesystem.squashfs becomes (webroot)/x2go-tce/x2go-tce-filesystem.squashfs and everything from tftpboot/ goes into the TFTP root directory. After that, one should proceed as described above regarding creation of files and symlinks.
Sample contents of live-image-i386.netboot.tar:
drwxr-xr-x root/root         0 2016-12-15 23:46 debian-live/
drwxr-xr-x root/root         0 2016-12-15 23:54 debian-live/live/
-rw-r--r-- root/root 271536128 2016-12-15 23:50 debian-live/live/filesystem.squashfs
-rw-r--r-- root/root     11579 2016-12-15 23:52 debian-live/live/filesystem.packages
-rw-r--r-- root/root        74 2016-12-15 23:52 debian-live/live/filesystem.packages-remove
drwxr-xr-x root/root         0 2016-12-15 23:54 tftpboot/
drwxr-xr-x root/root         0 2016-12-15 23:54 tftpboot/live/
-rw-r--r-- root/root  31942749 2016-12-15 23:52 tftpboot/live/initrd.img
-rw-r--r-- root/root   2831760 2016-12-15 23:52 tftpboot/live/vmlinuz
drwxr-xr-x root/root         0 2015-04-28 14:01 tftpboot/pxelinux.cfg/
-rw-r--r-- root/root        57 2014-10-25 14:21 tftpboot/pxelinux.cfg/default
-rw-r--r-- root/root       351 2016-12-15 23:54 tftpboot/live.cfg
-rw-r--r-- root/root    116624 2015-08-19 15:17 tftpboot/ldlinux.c32
-rw-r--r-- root/root       270 2016-12-15 23:54 tftpboot/menu.cfg
-rw-r--r-- root/root     26188 2015-08-19 15:17 tftpboot/vesamenu.c32
-rw-r--r-- root/root       268 2016-12-15 23:54 tftpboot/install.cfg
-rw-r--r-- root/root       508 2016-12-15 23:54 tftpboot/stdmenu.cfg
-rw-r--r-- root/root     34739 2016-12-15 23:54 tftpboot/splash.png
-rw-r--r-- root/root     23480 2015-08-19 15:17 tftpboot/libutil.c32
-rw-r--r-- root/root       153 2016-12-15 23:54 tftpboot/advanced.cfg
-rw-r--r-- root/root    182552 2015-08-19 15:17 tftpboot/libcom32.c32
-rw-r--r-- root/root     42988 2015-08-19 15:17 tftpboot/pxelinux.0
-rw-r--r-- root/root    164096 2015-08-19 15:17 tftpboot/hdt.c32
This page is missing a section/subpage that explains how to speed up the netboot process using iPXE.
Basically:
apt-get install ipxe
cd /your-tftp-root
mkdir -p {bios,uefi}
ln -s /usr/lib/ipxe/undionly.kpxe ./bios/
ln -s /boot/ipxe.efi ./uefi/
FQDN=DNS-name-of-your-server-here
IP_OF_FQDN=`dig $FQDN +short`
cat <<EOF>x2go-tce-ipxe
#!ipxe
dhcp
kernel http://$FQDN/x2go-tce-vmlinuz EVERYTHING-FROM-THE-LINE-STARTING-WITH-APPEND-IN-THE-X2GO-TCE-SAMPLE-FILE-ABOVE
initrd http://$FQDN/x2go-tce-initrd.img
boot
EOF
After that, create a symlink/symlinks that point(s) from “default” or a part of the MAC or the entire MAC, or the UUID, or the hex-encoded IP to x2go-tce-ipxe.
Then add this to your dhcpd.conf
if substring ( option vendor-class-identifier , 19,1 ) = "0" {
    filename "bios/undionly.kpxe";
} else if substring ( option vendor-class-identifier , 19,1 ) = "7" {
    filename "uefi/ipxe.efi";
} else {
    log (info, concat ( "Unhandled vendor class Arch: ", substring ( option vendor-class-identifier , 19,1 )));
}
if exists user-class and option user-class = "iPXE" {
    set hwmac = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    filename = concat( "http://DNS-name-of-your-server-here/", hwmac );
}
Document how to add second partition to USB media after dd'ing the iso-hybrid image, and how to add X2GoClient-Portable to it.
x2goclient.exe --portable --session-conf=sessions
).
Document that using updateurl along with an rsync://FQDN/x2go-tce URL is the most efficient way to deploy updates. Note that the syntax is rsync://FQDN/x2go-tce, NOT rsync://FQDN::x2go-tce.
RSYNC_ENABLE=true in /etc/default/rsync as well as an additional configuration file:
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
[x2go-tce]
    # change this to the path where you intend to keep the images
    # (comments must be on their own line; rsyncd does not strip trailing comments)
    path = /var/www/x2go-tce
    comment = X2Go TCE files
    uid = root
    gid = root
    read only = yes
    list = yes
    # change this to your local subnet(s)
    hosts allow = 192.168.0.0/255.255.0.0
service rsync start
Some of the optional steps above could be moved to a separate subpage to reduce clutter.
The steps for the build process could probably be streamlined into an x2go-tcebuilder.deb Debian package.
Ideas:
autodetection for SSH Private Keys might need some more bells and whistles.
--broker-ssh-key
)
copysecring will copy all keys found to the live-user's homedir under .ssh:
~/.ssh/keyfilename as path and use copysecring, or
copysecring and use /media/vendor_model_name/sdxn/path/to/keyfile (or /media/vendor_model_name/partlabel/path/to/keyfile, if you assigned a partition label - which is recommended for this use case) as keyfile path/name
Parsing the output of e.g.
udevadm info --query path /dev/sdb
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb
cat /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/serial
allows you to determine the serial number of a USB device. Those SHOULD be unique, but sadly, they aren't (and sometimes, they are missing entirely). Therefore, a USB serial number can't be used for authentication, but it could be used for “weak” identification - so it could be used to set a default user name or a default session, or to download a particular sessions file.
Authentication and “hard” identification could be implemented using OpenPGP cards, scdaemon and a script based on /usr/share/doc/scdaemon/examples/scd-event. For status NOCARD, suspend the session (kill x2goclient or send a signal that means “suspend”, if available, or maybe sighup nxproxy), for status USABLE, run gpg --card-status 2>&1 | awk '$1=="Serial" && $2=="number" {print $4}' to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient).
Automount script currently expects a LUKS password in /etc/keys/keystick.key when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. Such a password file would have to be saved as ./patch/includes.chroot/etc/keys/keystick.key (with the proper restrictive permissions) before starting the build. Adding a boot parameter instead of hardcoding it would allow for dynamic password files (by specifying a URI that points to a CGI script, for example - you could output a different password depending on the source IP range, thus locking media to a particular department, if your departments have different IP ranges), but on the other hand, would make it even easier to sniff out the password. It would only really make sense for Netboot installations, and also not for a MiniDesktop in any way, because you have to block the user from accessing the TCE's local environment/files. And you also have to make sure that people cannot boot rogue clients. This means a DHCP setup that is locked to known MAC addresses, and physically blocking access to the ThinClient and its network wiring - because the MAC is displayed during boot, and thus trivial to clone.
x2gocdmanager is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
pinentry-x2go and x2gosmartcardrules probably need further investigation to make smartcard authentication work.
Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debian.html
When building a stretch TCE you need to add kernel parameters net.ifnames=0 biosdevname=0 to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. For a jessie TCE, it is not required. This could be fixed for iso-hybrid and netboot in the buildscript, but it will only work if people are using the image 1:1 - as soon as they start using syslinux or grub manually (as actually recommended by us), they need to add these parameters themselves.
bg=, branding=, broker-url=, ldap=, ldap1=, ldap2=, session=, throttle=, are currently unsupported in MiniDesktop-Mode. This could be changed, given enough tuits. Probably the easiest way would be to have /lib/live/config/2900-x2go-thinclientconfig exist in the MiniDesktop branches as well, make it aware of which environment it is running in (TCE/TCE-MMD), and have it patch the appropriate files.
All scripts accepting URLs in boot parameters should be taught to understand 2200-xserver-xorg-getxorgconf file:/// URLs. Such files can be included in the image by placing them in the ./patch/includes.chroot/ directory (in a suitable subdirectory) and referencing them from there.
It would be cool if most of the TCE-specific boot parameters could be placed into a file that in turn can be specified as a boot parameter, to reduce clutter and boot parameter length. This could be a CGI script, even, thus making it possible to distribute different configs depending on the source IP of the ThinClient, rather than the MAC Address. Said file would then have to be sourced by the scripts, after they have extracted everything from /proc/cmdline. This will make adding the feature easier, by simply deciding that parameters from this file take precedence over boot parameters. One might argue that boot parameters should take precedence over the config file, but this sounds way more complicated to implement.
A smaller image size can be achieved by removing the following packages from the squashfs: libxapian30 libpcsclite1 libdbus-glib-1-2 libfuse2 libpipeline1 libusb-1.0-0 libxv1 xnest xserver-xephyr rdesktop freerdp-x11 traceroute screen net-tools less ntfs-3g fuse locales cifs-utils xterm libgssglue1 libntfs-3g871 libtalloc2 libtcl8.6 libtk8.6 libutempter0 libvncclient1 libvncserver1 libwbclient0 libxcb-xf86dri0 libxcb-xv0 samba-common tcl tcl8.6 tk tk8.6 xbitmaps nfs-common rpcbind atmel-firmware bluez-firmware dahdi-firmware-nonfree hdmi2usb-fx2-firmware iso-codes ixo-usb-jtag libc-l10n libnfsidmap2 libtirpc1 firmware* x11vnc* libfreerdp* libwinpr* libapparmor1 systemd apt-utils libapt-inst2.0 acpi-support-base* acpid* acpi-support* pm-utils* powermgmt-base* gnupg gnupg-agent whiptail vim* vim-common* vim-tiny* xxd* xinetd libcroco3* libcurl3* libexif12* libgdk-pixbuf2.0-0* libgdk-pixbuf2.0-common* libgif7* libid3tag0* libimlib2* libnghttp2-14* libobrender32v5* libobt2v5* libpango-1.0-0* libpangocairo-1.0-0* libpangoft2-1.0-0* libpangoxft-1.0-0* librsvg2-2* librtmp1* libssh2-1* libstartup-notification0* libxft2* libxss1* vim-runtime* xprintidle feh xdotool openbox rsync xserver-xorg-input-wacom* xserver-xorg-video-all* xserver-xorg-video-amdgpu* xserver-xorg-video-ati* xserver-xorg-video-nouveau* xserver-xorg-video-qxl* xserver-xorg-video-radeon* xserver-xorg-video-vmware* libdrm-amdgpu1* libdrm-nouveau2* libdrm-radeon1* libllvm3.9* libsensors4* libxatracker2*
- check if this could be turned into a build parameter. Note that this only makes sense for a netboot image that uses X2Go sessions only, and no NTFS media (neither fixed disk nor USB). Also, this causes an X startup failure during boot that needs to be worked around (by touching /home/user/.xsession).
Here's a script to do all of this automatically (needs to be run as root in the builddir):
#!/bin/bash -e
if [ $UID -ne 0 ] ; then
    echo "Must be root."
    exit 1
fi
# Unpack the image and purge the packages from inside a chroot
unsquashfs x2go-tce-filesystem.squashfs
mount --bind /proc squashfs-root/proc
chroot squashfs-root apt purge -y acpi-support-base acpid acpi-support pm-utils powermgmt-base gnupg gnupg-agent whiptail vim vim-common vim-tiny xxd xinetd \
    libcroco3 libcurl3 libexif12 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgif7 libid3tag0 libimlib2 libnghttp2-14 \
    libobrender32v5 libobt2v5 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpangoxft-1.0-0 librsvg2-2 librtmp1 \
    libssh2-1 libstartup-notification0 libxft2 libxss1 vim-runtime rsync xserver-xorg-input-wacom xserver-xorg-video-all \
    xserver-xorg-video-amdgpu xserver-xorg-video-ati xserver-xorg-video-nouveau xserver-xorg-video-qxl \
    xserver-xorg-video-radeon xserver-xorg-video-vmware libdrm-amdgpu1 libdrm-nouveau2 libdrm-radeon1 libllvm3.9 libsensors4 \
    libxatracker2 xprintidle feh xdotool openbox libxapian30 libpipeline1 libnpth0 libksba8 libseccomp2 libsqlite3-0 libxdo3 \
    libnewt0.52 libxmuu1 libxrandr2 libslang2 libxinerama1 libxcursor1 cpp cpp-6 keyutils libassuan0 libdatrie1 libevent-2.0-5 \
    libisl15 libmpc3 libmpfr4 libthai-data libthai0 libxcursor1 pinentry-curses trickle libxapian30 libpcsclite1 \
    libdbus-glib-1-2 libfuse2 libpipeline1 libusb-1.0-0 libxv1 xnest xserver-xephyr rdesktop freerdp-x11 traceroute screen \
    net-tools less ntfs-3g fuse locales cifs-utils xterm libgssglue1 libntfs-3g871 libtalloc2 libtcl8.6 libtk8.6 libutempter0 \
    libvncclient1 libvncserver1 libwbclient0 libxcb-xf86dri0 libxcb-xv0 samba-common tcl tcl8.6 tk tk8.6 xbitmaps nfs-common \
    rpcbind atmel-firmware bluez-firmware dahdi-firmware-nonfree hdmi2usb-fx2-firmware iso-codes ixo-usb-jtag libc-l10n \
    libnfsidmap2 libtirpc1 x11vnc x11vnc-data libapparmor1 systemd apt-utils libapt-inst2.0 libfreerdp-cache1.1 \
    libfreerdp-client1.1 libfreerdp-codec1.1 libfreerdp-common1.1.0 libfreerdp-core1.1 libfreerdp-crypto1.1 libfreerdp-gdi1.1 \
    libfreerdp-locale1.1 libfreerdp-primitives1.1 libfreerdp-rail1.1 libfreerdp-utils1.1 libwinpr-crt0.1 libwinpr-crypto0.1 \
    libwinpr-dsparse0.1 libwinpr-environment0.1 libwinpr-file0.1 libwinpr-handle0.1 libwinpr-heap0.1 libwinpr-input0.1 \
    libwinpr-interlocked0.1 libwinpr-library0.1 libwinpr-path0.1 libwinpr-pool0.1 libwinpr-registry0.1 libwinpr-rpc0.1 \
    libwinpr-sspi0.1 libwinpr-synch0.1 libwinpr-sysinfo0.1 libwinpr-thread0.1 libwinpr-utils0.1 firmware-amd-graphics \
    firmware-atheros firmware-bnx2 firmware-bnx2x firmware-brcm80211 firmware-cavium firmware-crystalhd firmware-intel-sound \
    firmware-intelwimax firmware-ipw2x00 firmware-ivtv firmware-iwlwifi firmware-libertas firmware-linux firmware-linux-free \
    firmware-linux-nonfree firmware-misc-nonfree firmware-myricom firmware-netxen firmware-qlogic firmware-realtek \
    firmware-samsung firmware-siano firmware-ti-connectivity firmware-zd1211
chroot squashfs-root dpkg -P apt tasksel tasksel-data
rm squashfs-root/etc/X11/Xsession.d/60x11-openbox-start squashfs-root/etc/X11/Xsession.d/60x11-spawn-configure-slideshow-screensaver
(cd squashfs-root/usr/bin/ ; ln -sf ../../bin/false xsetwacom)
# Work around the X startup failure mentioned above
mkdir -p squashfs-root/home/user
touch squashfs-root/home/user/.xsession
umount squashfs-root/proc
# Start x2goclient with --thinclient, unless it already is
if ! grep '^eval $THROTTLINGCOMMAND' squashfs-root/etc/X11/Xsession.d/61x11-start-x2goclient | grep -q -- ' --thinclient ' ; then
    sed -i -e 's#eval \$THROTTLINGCOMMAND x2goclient#eval \$THROTTLINGCOMMAND x2goclient --thinclient#g' \
        squashfs-root/etc/X11/Xsession.d/61x11-start-x2goclient
fi
# Keep the previous squashfs, then repack the stripped tree
if [ -f binary/live/filesystem.squashfs ] ; then
    mv binary/live/filesystem.squashfs binary/live/filesystem.squashfs.old
fi
mkdir -p binary/live && mksquashfs squashfs-root binary/live/filesystem.squashfs -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K -noappend
rm -rf squashfs-root
ln binary/live/filesystem.squashfs x2go-tce-filesystem-stripped.squashfs
# Build a combined initrd that carries the stripped squashfs
(cd binary; echo live$'\n'live/filesystem.squashfs |cpio -o -H newc | gzip --fast) >./tce-filesystem-stripped.cpio.gz
cat ./x2go-tce-initrd.img ./tce-filesystem-stripped.cpio.gz >./x2go-tce-initrd-with-fs-stripped.img
rm ./tce-filesystem-stripped.cpio.gz
For MATE-MiniDesktop, it might make sense to teach the image how to do LDAP auth (preferably with LDAPS or LDAP+TLS) and use lightdm without the auto-login. That way, a local screensaver with locking functionality (prompting for the actual user's LDAP password) should be possible - and LDAP credential passthrough to X2GoClient should work, too (though that might require Kerberos in addition to LDAP, we'll see).
Scripts triggered by if-up should check if a new download is really necessary.
In MiniDesktop mode, some local sound control features are required (taskbar or app like pavucontrol; default volume via boot parameter). Also, it seems that sound isn't really working in MiniDesktop mode, as seen when trying to use YouTube. Probably pulseaudio-related.
audioout=, blank=, *blankdpmsfix, nodpms, xinerama=, are currently unsupported in MiniDesktop-Mode, but this is being worked on, by outsourcing them into scripts under /etc/X11/Xsession.d/ (currently, they reside in /lib/live/config/2900-x2go-thinclientconfig - which doesn't exist in the MiniDesktop branches - and from there, they get written to ~/.xsession) - fixed in github repo, soon in x2go repo
xroot=[0xaabbcc|URI1[|URI2|…]] for the desktop background image/color, and a boot parameter xrootmode=center|fill|scale|tile to determine how the image(s) should be positioned (if the parameter has been set, but something is wrong, it should default to the “grey mesh” background) - fixed in github repo, soon in x2go repo
xsaverimages=[URI1[|URI2|…]], xsaveridletime=n, xsaverimgtime=n, for a local, non-locking slideshow screensaver (if no images are specified/downloaded by the time it activates, it should just blank the screen). That way, one could display a slideshow without having to push the images across the network every time - fixed in github repo, soon in x2go repo
blankdpmsfix and earlyblankdpmsfix still leave the screen blank for too long, when used in netboot mode (especially over slow links). Two ways to solve this are to either use local storage, or to use the initrd with the squashfs merged into it. A third, new option would be a boot parameter initrdblankdpmsfix, where the un-blanking code of earlyblankdpmsfix is applied in the initrd already - fixed in github repo, soon in x2go repo
copysecring currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir. - fixed in github repo, soon in x2go repo
homepageurl= (only available in MiniDesktop-Mode) is currently undocumented. Supports multiple URLs separated with pipes. - fixed
/media/vendor_model_name/sdxn as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the x in sdxn may change any time. We should replace sdx with partition (or have corresponding symlinks created), but what should we do for superfloppies that only have sdx with no partition number? We could mount them as /media/vendor_model_name/partition/ or directly at /media/vendor_model_name/. Also, symlinks using labels and uuids, similar to /dev/by-* would be handy for scripting. Another problem: when replacing sdx, what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like /media/vendor_model_name/1/partitionn or /media/vendor_model_name-1/partitionn. - fixed. When a label is detected, a symlink is now created under /media/vendor_model_name/label that points to /media/vendor_model_name/partitionn.
nomagicpixel= is unsupported in MiniDesktop-Mode and will be unsupported there forever, as it doesn't make sense for MiniDesktop-Mode (there is a task bar available, so a session that has been minimized accidentally can be re-selected by the users themselves). - unfixable.
live-config.nottyautologin does not do the same as our nouser command. live-config.nottyautologin means “there's a login prompt, but you just need to enter username user and password live to login” - this is not what we want. We need a solution to entirely block user logons.