STREAMING UBUNTU Desktop (or streaming linux desktop), so:

NOTE:: this is work in progress to port from 9.10 to 10.04 LTS and later possibly newer versions of Ubuntu, document is currently being updated.

Goal

Offering a desktop based on Ubuntu GNU/Linux, booting over a local network from one single image. This image needs to be customized for our users at the Leiden University, The Netherlands. Current authentication is done via Kerberos and LDAP. The home directories are mounted over NFS.

Results

The test deployment has currently more than 75 clients desktops booting via PXE on a read-only squashfs image, served from a one single NFS/TFTP server (having a load of 0)

Audience

Unix admins:

  • shell scripting (debugging/patching / diffing)
  • ubuntu / debian experience for some time

  • understanding the "AS IS" section in the license .

  • use this on a non production machine
  • make backups, duh
  • below in this page is my email address, use it wisely only, preferably for improvement and patches.

What is written here, will not work off the shelf. To make it work you have to customize it, in the end can save you a lot of time.

Set-up

Our set-up has to offer:

  • NFS mounted home directories
  • authentication/authorisation via Kerberos/LDAP
  • tex / lyx / kyle
  • mutt / pine / elm
  • fully usable Gnome / KDE / Xfce4 / fluxbox
  • access to Linux and Windows terminal servers
  • large amount of fonts

Ubuntu Lucid 10.4.2 LTS (previous 9.10) is used as a base.

Documentation used:

Environment:

  • raid-1 Ubuntu NFS/PXE server
  • raid-1 + raid-5 Ubuntu build/test host
  • Gb network with several VLANs

  • about 100 ASRock nettop clients

The main focus is the staging environment, keeping staging and production separate. For this !How-To I won't describe the production server, since they are mostly the same. But as a habit, I never build on production servers since one error in the build script could give me, and some hundred users, a bad day. This actually happened, one day my build server did not reboot any more. The build script escaped to the root and the initrd.img was replaced.....

As a policy, we use LTS on servers.

IMHO this is not a beginners howto.

Server Set-up

Networks

  • 192.168.1.0/24 => external (uplink)

  • 192.168.2.0/24 => internal (pxeboot)

Installation

Install the build host with 3 raid1 partitions:

  • raid1
    • md0 /
    • md1 swap
    • md2 /tmp
    • md3 /var/
    • md4 /usr
  • raid5
    • md5 /data

Or choose another appropriate setup.

Packages

First install some packages 

apt-get install dhcp3-server tftpd-hpa nfs-kernel-server syslinux debootstrap

Network Configuration

Content of /etc/network/interfaces: 

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1 
        post-up iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
        down iptables -t nat -D POSTROUTING 1

auto eth1
iface eth1 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.254

Content of /etc/dhcp3/dhcpd.conf: 

DHCPDARGS=eth1; 
ddns-update-style none;
option domain-name "test.example.com";
option domain-name-servers 192.168.1.1; 
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.100 192.168.2.200;
        option routers 192.168.2.1;
        filename "pxelinux.0";
        next-server 192.168.2.1;
        }

NAT and Forwarding

Content of /etc/sysctl.d/10-ip_forward.conf 

# Enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Content of /etc/exports: 

/data/tftpboot/ *(no_subtree_check,ro,no_root_squash,async)
/data/home/ *(no_subtree_check,rw,no_root_squash,async)

Content of /etc/default/tftpd-hpa: 

RUN_DAEMON="yes"
OPTIONS="-l -s /data/tftpboot"

Prepare Pxe Set-up

mkdir -p /data/tftpboot/pxelinux.cfg
cp /usr/lib/syslinux/pxelinux.0 /data/tftpboot/
cp /usr/lib/syslinux/menu.c32 /data/tftpboot/
cp /usr/lib/syslinux/vesamenu.c32 /data/tftpboot/

Content of /data/tftpboot/pxelinux.cfg/default : 

menu INCLUDE pxelinux.cfg/graphics.cfg
DEFAULT vesamenu.c32
NOESCAPE 1
ALLOWOPTIONS 0
boot label in /data/tftpboot
LABEL Karmic 
        MENU LABEL new test
        MENU DEFAULT
        KERNEL new/vmlinuz
        APPEND quiet splash initrd=new/initrd.img boot=casper netboot=nfs raid=noautodetect root=/dev/nfs nfsroot=192.168.2.1:/data/tftpboot/new ip=dhcp rw --

Content of /data/tftpboot/pxelinux.cfg/graphics.cfg: 

MENU TITLE PXE Menu
menu color tabmsg 37;40      #80ffffff #00000000
menu color hotsel 30;47      #40000000 #20ffffff
menu color sel 30;47         #40000000 #20ffffff
menu color scrollbar 30;47   #40000000 #20ffffff
MENU WIDTH 80
MENU MARGIN 20 
MENU ROWS 20 
MENU TABMSGROW 18
MENU CMDLINEROW 18
MENU ENDROW 2
MENU MASTER PASSWD vingerhoed
MENU PASSWORDROW 24 
MENU PASSWORDMARGIN 20 
MENU PASSPROMPT Enter Password:
MENU TIMEOUTROW 20
MENU TIMEOUTROW 13
MENU VSHIFT 3 
NOESCAPE 1
ALLOWOPTIONS 0
PROMPT 0
TIMEOUT 60

Important

Keep an eye on the options, and make sure you understand the documentation! Setting bad options here may allow a user to escape from the loader menu and start a shell as root instead of invoking init. This would give one access to all user files on NFS, which would only make you popular to a very limited set of people (and not at all popular to many others). 

NOESCAPE 
ALLOWOPTIONS
PROMPT

Read more about PXELinux how to get nice menus and more.

Starting Services

/etc/init.d/tftpd-hpa restart
/etc/init.d/nfs-kernel-server
/etc/init.d/dhcp3-server

Local Mirror

Read this info and execute the next commands: 

apt-get install apt-mirror apache2
vi /etc/apt/mirror.list # configure it to put every thing in /data/mirror/
like this:
set base_path /data/mirror
mkdir -p /data/mirror/skel /data/mirror/mirror /data/mirror/var

Run apt-mirror: 

apt-mirror

Add it to cron: 

vi /etc/cron.d/apt-mirror 
and remove the # from the last line

Add to apache: assuming everything is in /data/mirror/

Be sure you use the correct Alias and replace the XX for a working directory!

In /etc/apache2/sites-enabled/mirror: 

Alias /ubuntu/ "/data/mirror/mirror/XX.archive.ubuntu.com/ubuntu/"
<Directory "/data/mirror/mirror">
        Options Indexes FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride None
</Directory>

Restart apache: 

/etc/init.d/apache2 restart

Test the mirror: 

apt-get install lynx
lynx http://localhost/ubuntu/

Running a Build

No build scripts are available yet, but the picture

Boot-strap Lucid

apt-get install debootstrap
mkdir build
debootstrap lucid build

generally while chrooting into build environment set correct env and mounts 

mount -o bind /dev/ build/dev
chroot build
export LANG=en_US.UTF-8
export HOME=/root
export LC_ALL=C
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts none /dev/pts
# do work here
umount -lf /proc
umount -lf /sys
umount -lf /dev/pts
exit
umount -lf build/dev

Make a Suitable Kernel and Initrd

The kernel and initrd environment needs:

  • nfs
  • dhcp
  • network-cards
  • devtmpfs
  • aufs
  • squashf
  • casper

There are two ways to build it, one is with a kernel package and the other is manual. I have found the manual manner more reliable.

1 For Both Ways

# prepare
mount -o bind /dev/ build/dev
chroot build 
export LANG=en_US.UTF-8
export HOME=/root 
export LC_ALL=C 
mount -t proc none /proc 
mount -t sysfs none /sys 
mount -t devpts none /dev/pts 
#do 
vi /etc/initramfs-tools/initramfs.conf
#change in BOOT=local to BOOT=nfs
apt-get update
apt-get install casper linux-source libncurses5-dev
cd /usr/src/
tar xvjf linux-source-2.6.32.tar.bz2
ln -s  linux-source-2.6.32 linux
cd linux
make menuconfig 
# add network cards, dhcp, nfs, aufs, squashfs, devtmpfs

2a Manual

make
make install 
make modules
make modules_install
mkinitramfs -o /initrd.img `ls /lib/modules`
cp /boot/vmlinuz /vmlinuz
# close
umount -lf /proc 
umount -lf /sys 
umount -lf /dev/pts
exit 
umount -lf build/dev

2b Kernel Package

This will create packages. 

fakeroot make-kpkg clean
fakeroot make-kpkg --initrd --append-to-version=-1 kernel-image kernel-headers
# close
umount -lf /proc 
umount -lf /sys 
umount -lf /dev/pts
exit 
umount -lf build/dev

I found issues creating an initrd file, to solve this: 

chroot built
mkinitramfs -o /initrd.img `ls /lib/modules`

Adding Packages

  • To-Do:

    • chroot build apt-get install <list>

    • debconf
    • get|set selections

Authentication + Storage

  • To-Do:
    • Auth:
      • kerberos
      • ldap
      • Centralized Administration with gosa
      • AD ?
    • Storage:
      • NFS (authenticated)
      • CIFFS (?)
      • application platforms:
        • Ubuntu Server LTS
        • FreeNAS

Automating the build (a tinderbox)

  • To-Do
    • Script a build for Lucid
    • split configuation and script
    • make script work for:
      • version 10.4 10.10 11.4
      • arch i386 and AMD64

Setting up Support

  • online live images (http boot?)
  • FAQ + #channel
  • architecture paper (TOGAF-style with Archi+asciidoc)
  • 2nd management paper
  • commercial support for setup/administration and customized images

Previous Work (to be obsoleted)

Here a sample tarbal:

So download it and untar it.

Now you should be able to use the build-script:

IMPORTANT 

Read and understand:
 * config.txt. 
 * build.sh  
 * LICENSE.txt

Make sure are not on a production machine and you made backups

explanation of the files:

  • config.txt
    • A lot configuration options
    • a error handling funtion
  • build.sh builds:
    • kernel
    • initrd
    • installation dir
    • squashfs files
  • preseed.txt.
    • setting build environment for build tree
  • dpkg*
    • dpkg-set-selections_fastbuild.txt is a sample file
    • dpkg-set-selections_full.txt is a sample file
    • dpkg-set-selections.txt, file use by build.sh
  • kernel.config is a sample kernel configation file, kernel must have
    • initrd (casper)
    • nfsroot
    • able fetch an ipnumber by dhcp
    • driver for networkcards.

Getting it to Work

With the TREE option you can add/utilize:

  • logings + passwords
  • kiosk functions
  • root ssh keys

We add:

  • ldap
  • kerberos
  • ssh-keys
  • nfs mounts for homedirs
  • nfs mounts for software
  • printer settings
  • postfix settings

Details of this are not public.

HELP

This is pre-alpha, meant as an example to feed unix admins creativity.

From you should be able the work yourself into it as you a unix admin.

Patches, Tips, better Ubuntu Practices are more than welcome.

send an email to mvn at math dot leidenuniv dot nl

Future plans

  • liveusb-drives mounting over insecure networks
  • booting over https

CategoryInternet

Desktop/PXE (last edited 2014-06-23 22:17:44 by c-69-246-122-238)