STREAMING UBUNTU Desktop (or streaming linux desktop), so:
- no local installation
- highly scalable
- high performance
- low cost in administration and hardware
- highly adaptable
NOTE: this is work in progress to port from 9.10 to 10.04 LTS and later possibly to newer versions of Ubuntu; the document is currently being updated.
Goal
Offering a desktop based on Ubuntu GNU/Linux, booting over a local network from one single image. This image needs to be customized for our users at Leiden University, The Netherlands. Authentication is currently done via Kerberos and LDAP; the home directories are mounted over NFS.
Results
The test deployment currently has more than 75 client desktops booting via PXE from a read-only squashfs image, served from a single NFS/TFTP server (with a load of 0).
Audience
Unix admins:
- shell scripting (debugging/patching / diffing)
- ubuntu / debian experience for some time
- understanding of the "AS IS" section in the license
- use this on a non-production machine
- make backups, duh
- my email address is at the bottom of this page; use it wisely, preferably for improvements and patches
What is written here will not work off the shelf. You have to customize it to make it work, but in the end it can save you a lot of time.
Set-up
Our set-up has to offer:
- NFS mounted home directories
- authentication/authorisation via Kerberos/LDAP
- tex / lyx / kile
- mutt / pine / elm
- fully usable Gnome / KDE / Xfce4 / fluxbox
- access to Linux and Windows terminal servers
- large amount of fonts
Ubuntu Lucid 10.04.2 LTS (previously 9.10) is used as a base.
Documentation used:
https://help.ubuntu.com/6.10/ubuntu/installation-guide/hppa/linux-upgrade.html
http://syslinux.zytor.com/wiki/index.php/PXELINUX#Custom_Menu_Example_with_sub-menus
https://help.ubuntu.com/community/LiveCDCustomizationFromScratch
Environment:
- raid-1 Ubuntu NFS/PXE server
- raid-1 + raid-5 Ubuntu build/test host
- Gb network with several VLANs
- about 100 ASRock nettop clients
The main focus is the staging environment, keeping staging and production separate. For this How-To I won't describe the production server, since the two are mostly the same. But as a habit, I never build on production servers, since one error in the build script could give me, and some hundred users, a bad day. This actually happened: one day my build server did not reboot any more. The build script had escaped to the root and replaced the initrd.img.
As a policy, we use LTS on servers.
IMHO this is not a beginners howto.
Server Set-up
Networks
192.168.1.0/24 => external (uplink)
192.168.2.0/24 => internal (pxeboot)
Installation
Install the build host with the system on RAID-1 partitions and the data on a RAID-5 volume:
- raid1
  - md0 /
  - md1 swap
  - md2 /tmp
  - md3 /var
  - md4 /usr
- raid5
  - md5 /data
Or choose another appropriate setup.
Packages
First install some packages
apt-get install dhcp3-server tftpd-hpa nfs-kernel-server syslinux debootstrap
Network Configuration
Content of /etc/network/interfaces:
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        post-up iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
        down iptables -t nat -D POSTROUTING 1

    auto eth1
    iface eth1 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
The post-up rule masquerades the whole PXE VLAN out through eth0 without any FORWARD filtering. If the clients only need the mirror and the terminal servers, add matching iptables FORWARD rules (or a default FORWARD policy of DROP) next to it.
The interface is not set in dhcpd.conf but in /etc/default/dhcp3-server, so that DHCP is only served on the PXE network and never on the uplink:
    INTERFACES="eth1"
Content of /etc/dhcp3/dhcpd.conf:
    ddns-update-style none;
    option domain-name "test.example.com";
    option domain-name-servers 192.168.1.1;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    log-facility local7;
    subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
        option routers 192.168.2.1;
        filename "pxelinux.0";
        next-server 192.168.2.1;
    }
NAT and Forwarding
Content of /etc/sysctl.d/10-ip_forward.conf:
    # Enable packet forwarding for IPv4
    net.ipv4.ip_forward=1
Content of /etc/exports:
    /data/tftpboot/ *(no_subtree_check,ro,no_root_squash,async)
    /data/home/ *(no_subtree_check,rw,no_root_squash,async)
Both exports are open to every host ("*") and keep client root as root (no_root_squash), so anything that can reach the server gets root on the image and on the home directories. At the very least limit the client list to the PXE subnet, i.e. 192.168.2.0/24(...) instead of *(...), and reconsider no_root_squash on /data/home, which ordinary user logins on the clients do not need. Note also that async on a rw export means writes are acknowledged before they hit disk, so a server crash can lose home directory data.
Content of /etc/default/tftpd-hpa:
    RUN_DAEMON="yes"
    OPTIONS="-l -s /data/tftpboot"
Prepare Pxe Set-up
    mkdir -p /data/tftpboot/pxelinux.cfg
    cp /usr/lib/syslinux/pxelinux.0 /data/tftpboot/
    cp /usr/lib/syslinux/menu.c32 /data/tftpboot/
    cp /usr/lib/syslinux/vesamenu.c32 /data/tftpboot/
Content of /data/tftpboot/pxelinux.cfg/default:
    MENU INCLUDE pxelinux.cfg/graphics.cfg
    DEFAULT vesamenu.c32
    NOESCAPE 1
    ALLOWOPTIONS 0
    # boot label in /data/tftpboot
    LABEL Karmic
        MENU LABEL new test
        MENU DEFAULT
        KERNEL new/vmlinuz
        APPEND quiet splash initrd=new/initrd.img boot=casper netboot=nfs raid=noautodetect root=/dev/nfs nfsroot=192.168.2.1:/data/tftpboot/new ip=dhcp rw --
Content of /data/tftpboot/pxelinux.cfg/graphics.cfg:
    MENU TITLE PXE Menu
    menu color tabmsg 37;40 #80ffffff #00000000
    menu color hotsel 30;47 #40000000 #20ffffff
    menu color sel 30;47 #40000000 #20ffffff
    menu color scrollbar 30;47 #40000000 #20ffffff
    MENU WIDTH 80
    MENU MARGIN 20
    MENU ROWS 20
    MENU TABMSGROW 18
    MENU CMDLINEROW 18
    MENU ENDROW 2
    MENU MASTER PASSWD vingerhoed
    MENU PASSWORDROW 24
    MENU PASSWORDMARGIN 20
    MENU PASSPROMPT Enter Password:
    MENU TIMEOUTROW 13
    MENU VSHIFT 3
    NOESCAPE 1
    ALLOWOPTIONS 0
    PROMPT 0
    TIMEOUT 60
Important
Keep an eye on these options and make sure you understand the PXELINUX documentation. Wrong values let a user at the keyboard leave the menu, edit the kernel command line (for instance append init=/bin/sh) and come up with a root shell instead of init. Root on a client can read every user's home directory over NFS (root can become any uid, and the exports above use no_root_squash anyway), which would make you popular with a very limited set of people (and not at all popular with many others).
- NOESCAPE 1: the Shift/Alt escape from the menu to the boot: prompt is disabled
- ALLOWOPTIONS 0: the kernel command line of a label cannot be edited or extended
- PROMPT 0: the boot: prompt is not displayed
The MENU MASTER PASSWD in graphics.cfg is stored in clear text and is fetched over TFTP by every client on the PXE network. syslinux also accepts a hashed value, generated with the md5pass or sha1pass tools that ship with it, which is the better choice.
Read more about PXELINUX to get nice menus and more.
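As an added example, not part of the original page or its build scripts, here is a small POSIX shell check that reads the menu files served from /data/tftpboot and reports when any of the three directives above would let a user leave the menu, or when the master password is stored in the clear. It assumes you pass the default file plus every file it MENU INCLUDEs (syslinux takes the last occurrence of a directive, and so does the check); the hashed password in the demo is a placeholder, not a real sha1pass output.

```shell
# Added example, not from the original page: audit PXELINUX configs for the
# directives that decide whether someone at the keyboard can leave the menu
# and edit the kernel command line.  Pass every file the menu loads (the
# default file plus its MENU INCLUDEs).

# Print the value of directive $1 (case-insensitive) across the files given
# after $2, or the syslinux default $2 when it is set nowhere.
pxe_directive() {
    key=$1; dflt=$2; shift 2
    awk -v key="$key" -v v="$dflt" 'toupper($1) == key { v = $2 } END { print v }' "$@"
}

# Exit status 0 when the menu cannot be escaped and no clear-text master
# password is served; otherwise 1, with one line per finding.
check_pxe_cfg() {
    rc=0
    [ "$(pxe_directive NOESCAPE 0 "$@")" = 1 ] ||
        { echo "NOESCAPE is not 1: Shift/Alt drops to the boot: prompt"; rc=1; }
    [ "$(pxe_directive ALLOWOPTIONS 1 "$@")" = 0 ] ||
        { echo "ALLOWOPTIONS is not 0: the kernel command line can be edited (e.g. init=/bin/sh)"; rc=1; }
    [ "$(pxe_directive PROMPT 0 "$@")" = 0 ] ||
        { echo "PROMPT is not 0: the boot: prompt is displayed"; rc=1; }
    # MENU MASTER PASSWD accepts a hash ($1$ md5, $4$ sha1, $5$ sha256, $6$ sha512);
    # anything else is clear text that every client fetches over TFTP.
    pw=$(awk 'toupper($1) == "MENU" && toupper($2) == "MASTER" && toupper($3) == "PASSWD" { v = $4 } END { print v }' "$@")
    case $pw in
        '' | '$1$'* | '$4$'* | '$5$'* | '$6$'*) ;;
        *) echo "MENU MASTER PASSWD is clear text (generate a hash with sha1pass or md5pass)"; rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed files (not the page's own): the page's hardened
# settings with a placeholder hashed password, and a weak variant that
# leaves NOESCAPE unset, allows editing and ships the password in the clear.
d=$(mktemp -d)
printf '%s\n' 'DEFAULT vesamenu.c32' 'NOESCAPE 1' 'ALLOWOPTIONS 0' 'PROMPT 0' \
    'MENU MASTER PASSWD $4$placeholder$placeholder$' > "$d/hardened.cfg"
printf '%s\n' 'DEFAULT vesamenu.c32' 'ALLOWOPTIONS 1' \
    'MENU MASTER PASSWD vingerhoed' > "$d/weak.cfg"
check_pxe_cfg "$d/hardened.cfg" && echo "hardened.cfg: ok"
check_pxe_cfg "$d/weak.cfg" || echo "weak.cfg: FAILED"
rm -rf "$d"
```

On the server you would run it as `check_pxe_cfg /data/tftpboot/pxelinux.cfg/default /data/tftpboot/pxelinux.cfg/graphics.cfg` after every change to the menu, for example from the build script before the new image is made the default.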
Starting Services
    /etc/init.d/tftpd-hpa restart
    /etc/init.d/nfs-kernel-server restart
    /etc/init.d/dhcp3-server restart
Local Mirror
Read the apt-mirror documentation and execute the following commands:
    apt-get install apt-mirror apache2
    vi /etc/apt/mirror.list
    # configure it to put everything in /data/mirror/, i.e.:
    set base_path /data/mirror
    mkdir -p /data/mirror/skel /data/mirror/mirror /data/mirror/var
Run apt-mirror:
apt-mirror
Add it to cron: edit /etc/cron.d/apt-mirror and remove the # from the last line.
Add it to apache, assuming everything is in /data/mirror/.
Be sure you use the correct Alias: replace XX with the mirror host name apt-mirror actually created under /data/mirror/mirror/.
In /etc/apache2/sites-enabled/mirror:
    Alias /ubuntu/ "/data/mirror/mirror/XX.archive.ubuntu.com/ubuntu/"
    <Directory "/data/mirror/mirror">
        Options Indexes FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride None
    </Directory>
Restart apache:
/etc/init.d/apache2 restart
Test the mirror:
    apt-get install lynx
    lynx http://localhost/ubuntu/
Running a Build
No build scripts are available yet, but the picture
Boot-strap Lucid
    apt-get install debootstrap
    mkdir build
    debootstrap lucid build
Generally, while chrooting into the build environment, set the correct environment and mounts:
    mount -o bind /dev/ build/dev
    chroot build
    export LANG=en_US.UTF-8
    export HOME=/root
    export LC_ALL=C
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devpts none /dev/pts
    # do work here
    umount -lf /proc
    umount -lf /sys
    umount -lf /dev/pts
    exit
    umount -lf build/dev
Make a Suitable Kernel and Initrd
The kernel and initrd environment needs:
- nfs
- dhcp
- network-cards
- devtmpfs
- aufs
- squashfs
- casper
There are two ways to build it, one is with a kernel package and the other is manual. I have found the manual manner more reliable.
1 For Both Ways
    # prepare
    mount -o bind /dev/ build/dev
    chroot build
    export LANG=en_US.UTF-8
    export HOME=/root
    export LC_ALL=C
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devpts none /dev/pts
    # do
    vi /etc/initramfs-tools/initramfs.conf
    # change BOOT=local to BOOT=nfs
    apt-get update
    # build-essential, fakeroot and kernel-package are needed for the build steps below
    apt-get install casper linux-source libncurses5-dev build-essential fakeroot kernel-package
    cd /usr/src/
    tar xvjf linux-source-2.6.32.tar.bz2
    ln -s linux-source-2.6.32 linux
    cd linux
    make menuconfig
    # add network cards, dhcp, nfs, aufs, squashfs, devtmpfs
2a Manual
    make
    make modules
    # install the modules before "make install", whose post-install hooks may need them
    make modules_install
    make install
    # assumes exactly one kernel version under /lib/modules
    mkinitramfs -o /initrd.img "$(ls /lib/modules)"
    cp /boot/vmlinuz /vmlinuz
    # close
    umount -lf /proc
    umount -lf /sys
    umount -lf /dev/pts
    exit
    umount -lf build/dev
2b Kernel Package
This will create packages.
    fakeroot make-kpkg clean
    fakeroot make-kpkg --initrd --append-to-version=-1 kernel-image kernel-headers
    # close
    umount -lf /proc
    umount -lf /sys
    umount -lf /dev/pts
    exit
    umount -lf build/dev
I found issues creating an initrd file, to solve this:
    # run on the host; the module directory is listed from the build tree, not from the host
    chroot build mkinitramfs -o /initrd.img "$(ls build/lib/modules)"
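The mount / chroot / work / umount sequence is the same every time it appears above (the generic chroot step and both kernel build variants), and the build-server incident earlier on this page shows what happens when it runs against the wrong tree. As an added example, not the page's build.sh, here is a POSIX shell wrapper that refuses anything that is not a populated debootstrap tree (in particular the host's own /) before mounting anything, and always unmounts again, also when the command inside fails or the shell is interrupted. The mounts are made from the host rather than from inside the chroot, which is equivalent; the guard demo at the end runs unprivileged, while run_in_build itself needs root. The directory names in the demo are constructed for the example.

```shell
# Added example, not the page's build.sh: a guarded replacement for the
# manual "mount, chroot, work, umount" steps shown above.

# Exit status 0 if "$1" is a populated debootstrap tree that is not the host
# root; this is the guard that would have stopped the build script from
# escaping to / and replacing the host's initrd.img.
build_root_ok() {
    [ -n "$1" ] || { echo "build root not given" >&2; return 1; }
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory" >&2; return 1; }
    [ "$root" != "/" ] || { echo "refusing to use / as build root" >&2; return 1; }
    for d in etc usr var dev; do
        [ -d "$root/$d" ] || { echo "$root: no $d/ (not a debootstrap tree?)" >&2; return 1; }
    done
    return 0
}

# Lazily unmount everything run_in_build mounted under "$1", innermost first.
umount_build() {
    for m in dev/pts sys proc dev; do
        umount -lf "$1/$m" 2>/dev/null
    done
}

# Run "$2 ..." inside the build tree "$1" with /dev, /proc, /sys and /dev/pts
# bound from the host, with the environment the page exports (LC_ALL=C wins
# over LANG, as in the original).  Needs root.
run_in_build() {
    root=$1; shift
    build_root_ok "$root" || return 1
    root=$(cd "$root" && pwd -P)
    mount -o bind /dev "$root/dev" &&
    mount -t proc none "$root/proc" &&
    mount -t sysfs none "$root/sys" &&
    mount -t devpts none "$root/dev/pts" || { umount_build "$root"; return 1; }
    trap 'umount_build "$root"' EXIT INT TERM
    chroot "$root" /usr/bin/env -i HOME=/root LANG=en_US.UTF-8 LC_ALL=C \
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin "$@"
    rc=$?
    trap - EXIT INT TERM
    umount_build "$root"
    return $rc
}

# Usage on the build host (as root), replacing the manual steps above:
#   run_in_build build apt-get install casper linux-source libncurses5-dev
#   run_in_build build sh -c 'cd /usr/src/linux && make && make modules_install && make install'

# Unprivileged demo of the guard on constructed directories.
tmp=$(mktemp -d)
mkdir -p "$tmp/tree/etc" "$tmp/tree/usr" "$tmp/tree/var" "$tmp/tree/dev"
build_root_ok "$tmp/tree" && echo "$tmp/tree: ok"
build_root_ok / || echo "/: refused"
build_root_ok "$tmp" || echo "$tmp: refused (not a debootstrap tree)"
rm -rf "$tmp"
```

Because the guard resolves the path with pwd -P, a symlink such as build -> / is refused just like / itself, which is the kind of mistake that overwrites a host kernel.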
Adding Packages
- To-Do:
  - chroot build apt-get install <list>
  - debconf
    - get|set selections
Authentication + Storage
- To-Do:
  - Auth:
    - kerberos
    - ldap
    - centralized administration with gosa
    - AD ?
  - Storage:
    - NFS (authenticated)
    - CIFS (?)
  - application platforms:
    - Ubuntu Server LTS
    - FreeNAS
Automating the build (a tinderbox)
- To-Do
  - script a build for Lucid
  - split configuration and script
  - make the script work for:
    - versions 10.04, 10.10 and 11.04
    - arch i386 and amd64
Setting up Support
- online live images (http boot?)
- FAQ + #channel
- architecture paper (TOGAF-style with Archi+asciidoc)
- 2nd management paper
- commercial support for setup/administration and customized images
Previous Work (to be obsoleted)
Here is a sample tarball:
https://wiki.ubuntu.com/MartenVijn?action=AttachFile&do=get&target=ubuntu_pxe.desktop.0.0.128.tgz
Newer versions may exist here.
So download it and untar it.
Now you should be able to use the build-script:
IMPORTANT
Read and understand:
- config.txt
- build.sh
- LICENSE.txt
Make sure you are not on a production machine and that you made backups.
Explanation of the files:
- config.txt
  - a lot of configuration options
  - an error handling function
- build.sh builds:
  - kernel
  - initrd
  - installation dir
  - squashfs files
- preseed.txt
  - sets up the build environment for the build tree
- dpkg*
  - dpkg-set-selections_fastbuild.txt is a sample file
  - dpkg-set-selections_full.txt is a sample file
  - dpkg-set-selections.txt is the file used by build.sh
- kernel.config is a sample kernel configuration file; the kernel must have:
  - initrd (casper)
  - nfsroot
  - the ability to fetch an IP number via DHCP
  - drivers for the network cards
Getting it to Work
With the TREE option you can add/utilize:
- logins + passwords
- kiosk functions
- root ssh keys
We add:
- ldap
- kerberos
- ssh-keys
- nfs mounts for homedirs
- nfs mounts for software
- printer settings
- postfix settings
Details of this are not public.
HELP
This is pre-alpha, meant as an example to feed unix admins' creativity.
As a unix admin you should be able to work yourself into it.
Patches, tips and better Ubuntu practices are more than welcome.
send an email to mvn at math dot leidenuniv dot nl
Future plans
- liveusb-drives mounting over insecure networks
- booting over https