00:00 | <markit> Phantomas: this is the bug about epoptes assistance, maybe it is for you ;P https://bugs.launchpad.net/epoptes/+bug/1117158
| |
00:01 | <Phantomas> markit: I've seen it! Just wondering if you talked about it with Alkis
| |
00:02 | <markit> Phantomas: he troubleshot it and told me to report the bug
| |
00:02 | is also cited in the bug report
| |
00:03 | Phantomas: "<alkisg> ...meh so the epoptes devs are too geeky to use the menus, that's where the problem was :P"
| |
00:03 | Phantomas: " <alkisg> markit: do file a bug in epoptes about that"
| |
00:04 | Phantomas: or does it work there?
| |
00:04 | <Phantomas> markit: I think it works for me in GNOME, though :-\
| |
00:04 | So it may be a KDE related issue
| |
00:04 | I'll check it ;)
| |
00:04 | <markit> thanks a lot
| |
00:05 | can we test?
| |
00:05 | I mean, alkisg has gnome too
| |
00:05 | he tried from command line and from menu probably
| |
00:06 | <Phantomas> Sure, I'll ask him
| |
00:06 | <markit> better, don't ever never trust me or my memory
| |
00:06 | especially late at night ;P
| |
00:08 | <Phantomas> markit: btw, is this happening when opening a remote terminal, a local, or both?
| |
00:09 | I guess a local, right?
| |
00:09 | <markit> Phantomas: ? I want to assist you
| |
00:09 | so you open epoptes UI and here I do
| |
00:09 | $ xterm -e socat tcp-listen:5500,keepalive=1 stdio,raw,echo=0
| |
00:09 | in a console
| |
00:10 | then you select "remote assistance, textual", and enter my public IP
| |
00:10 | does it answer your question?
| |
00:10 | <Phantomas> Oh, completely forgot we had this feature :P :P
| |
00:10 | <markit> hahaha
| |
00:10 | it happens :) it's late night there too
| |
00:10 | <Phantomas> I thought you were talking about the "Open terminal" feature
| |
00:11 | * markit does not know about THAT feature but bluffs | |
00:11 | <markit> no, not that one
| |
00:11 | ;P
| |
00:12 | <Phantomas> Clients → Execute → Open terminal
| |
00:14 | Anyway, consider it fixed ;)
| |
00:54 | <markit> btw, in chroot wouldn't it be good to set swappiness to a low level like ?
| |
01:02 | adrianorg__ has left IRC (adrianorg__!~adrianorg@177.156.224.140, Read error: Connection reset by peer) | |
01:02 | adrianorg_ has joined IRC (adrianorg_!~adrianorg@177.156.57.122) | |
01:12 | markit has left IRC (markit!~marco@88-149-177-66.v4.ngi.it, ) | |
01:38 | Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas) | |
02:18 | <Enslaver> found it, ldm is hardcoded to $(prefix)/lib and not $(libdir)
| |
02:31 | staffencasa has left IRC (staffencasa!~staffenca@8-220.ptpg.oregonstate.edu, Ping timeout: 255 seconds) | |
03:06 | vagrantc has left IRC (vagrantc!~vagrant@freegeek/vagrantc, Quit: leaving) | |
03:07 | oo-dragon has joined IRC (oo-dragon!~oo-dragon@d75-157-120-159.bchsia.telus.net) | |
03:08 | <oo-dragon> hi every one ^_^
| |
03:09 | I want to setup remote access to my LTSP server (edubuntu), but I don't want to mess up the SSH / terminal clients by doing so. Recommendations?
| |
03:11 | <Enslaver> sshd?
| |
03:17 | <oo-dragon> indeed, but it's already set up for the terminals ... can I get a 2nd instance? or can I enable normal logins? I tried connecting to it before but it denied me
| |
03:17 | unless I'm wrong and it's actually not running or something
| |
03:32 | <jammcq> you don't need a 2nd instance
| |
03:32 | it should just work
| |
03:32 | and if it's not running, then your thin clients wouldn't be able to log in either
| |
03:49 | <Enslaver> YAY, 32 bit and 64 bit client and server are working, NFS and NBD boots using unionfs COW mode on both through dracut, preparing rpm's and getting ready for testing
| |
04:04 | Phantomas has joined IRC (Phantomas!~Phantomas@ubuntu/member/phantomas) | |
04:08 | Parker955 is now known as Parker955_Away | |
04:18 | <oo-dragon> hmm odd... maybe it's not binding to my 2nd nic then.. I'll look into that
| |
04:34 | oo-dragon has left IRC (oo-dragon!~oo-dragon@d75-157-120-159.bchsia.telus.net, Quit: Leaving) | |
04:38 | jammcq has left IRC (jammcq!~jam@c-69-245-75-255.hsd1.mi.comcast.net, Quit: leaving) | |
04:55 | sha has joined IRC (sha!~sha@e177117008.adsl.alicedsl.de) | |
04:59 | sha_ has left IRC (sha_!~sha@e177118150.adsl.alicedsl.de, Ping timeout: 252 seconds) | |
05:15 | berg_aliv has left IRC (berg_aliv!~bergaliv@ip-75-6-72-178.dialup.ice.net, Ping timeout: 248 seconds) | |
05:20 | berg_aliv has joined IRC (berg_aliv!~bergaliv@ip-39-223-230-46.dialup.ice.net) | |
05:26 | Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas, Ping timeout: 240 seconds) | |
07:30 | berg_aliv has left IRC (berg_aliv!~bergaliv@ip-39-223-230-46.dialup.ice.net, Ping timeout: 260 seconds) | |
07:35 | trimor has joined IRC (trimor!~trimor@bba185579.alshamil.net.ae) | |
07:36 | <trimor> Hi, I need help, i am running ubuntu based ltsp server with microsoft dhcp. my client machine is one other subnet and during the pxe-boot i am dropped to busybox after error that setting up nbd-client Error: socket failed: network is unreachable any clues guys
| |
07:38 | berg_aliv has joined IRC (berg_aliv!~bergaliv@ip-39-223-230-46.dialup.ice.net) | |
07:39 | <trimor> Hi, I need help, i am running ubuntu based ltsp server with microsoft dhcp. my client machine is one other subnet and during the pxe-boot i am dropped to busybox after error that setting up nbd-client Error: socket failed: network is unreachable any clues guys
| |
07:39 | trimor has left IRC (trimor!~trimor@bba185579.alshamil.net.ae, Client Quit) | |
07:40 | trimor has joined IRC (trimor!~trimor@2.50.138.22) | |
07:40 | trimor has left IRC (trimor!~trimor@2.50.138.22) | |
07:40 | trimor has joined IRC (trimor!~trimor@2.50.138.22) | |
07:40 | <trimor> ne one active ?
| |
07:43 | bauerski has joined IRC (bauerski!~witekb@frodo.psp.opole.pl) | |
07:44 | dievel has joined IRC (dievel!~dievel@2-229-104-66.ip196.fastwebnet.it) | |
07:47 | <trimor> ne one active ?
| |
07:48 | trimor has left IRC (trimor!~trimor@2.50.138.22, ) | |
07:48 | <knipwim> no, i'm active :)
| |
07:53 | <muppis> :D
| |
07:55 | <elias_a> Seems like a dhcp prob to me.
| |
07:56 | <muppis> Yeah.
| |
07:57 | <elias_a> Let's hope he gets back.
| |
07:59 | <warren> Enslaver: how does nbd cow work? two nbd devices?
| |
08:00 | Enslaver: https://bitbucket.org/hirofuchi/xnbd/wiki/Home
| |
08:01 | Enslaver: this looks interesting... an alternative nbd server implementation
| |
08:02 | Enslaver: scenario 2 looks interesting
| |
08:02 | Enslaver: "xNBD can also work as a proxy server to another target server. This feature is used for distributed Copy-on-Write NBD disks; one read-only disk image is shared among multiple clients, and updated disk data is saved at each proxy."
| |
08:02 | although the latter would be better to just throw away
| |
08:16 | Enslaver: how's nbd cow performance?
| |
08:21 | Enslaver: good work finding the TTY and libdir issues
| |
08:25 | work_alkisg is now known as alkisg | |
08:27 | <alkisg> Hyperbyte: around?
| |
08:34 | <warren> Enslaver: looks like I removed the K12LINUX flag from ldm.spec in 2011
| |
08:34 | Enslaver: I'd say just rip out the K12LINUX code from ldm. it doesn't work and nobody has time to fix it.
| |
08:38 | sep has joined IRC (sep!~sep@40.211.jostedal.no) | |
08:44 | meamy has joined IRC (meamy!~hannes@pd95cdee4.dip0.t-ipconnect.de) | |
08:55 | <Hyperbyte> alkisg, around!
| |
08:55 | <alkisg> Hyperbyte: there's an error in one location, it's in turkey instead of greece... how could we change it?
| |
08:56 | <Hyperbyte> Have the link?
| |
08:56 | gvy has joined IRC (gvy!~mike@altlinux/developer/mike) | |
08:56 | <alkisg> http://www.ltsp.org/stories/viewstory/?story_id=171&secret=7bc4f0
| |
08:56 | Should go to: 38.322788,23.320456
| |
08:56 | <Hyperbyte> I meant the link to edit it. :-)
| |
08:57 | LTSP underwater!
| |
08:57 | <alkisg> No, I don't have those links
| |
08:57 | <Hyperbyte> How awesome.
| |
08:57 | <alkisg> :)
| |
08:57 | Also, is there a way to get a count of greek entries in the map?
| |
08:59 | <Hyperbyte> Sure
| |
08:59 | http://www.ltsp.org/stories/
| |
09:00 | Can you PM me which e-mail address is associated with that story?
| |
09:00 | Because I can't find it by name....
| |
09:01 | Oh wow
| |
09:01 | No I did find out
| |
09:01 | *it
| |
09:01 | By accident
| |
09:01 | You have the edit link as a private message
| |
09:02 | <alkisg> Hyperbyte: thanks!!! :)
| |
09:02 | <Hyperbyte> Welcome. :)
| |
09:02 | You found the Greek schools count? :P
| |
09:02 | <alkisg> Hyperbyte: about the greek location count?
| |
09:02 | Nope
| |
09:03 | <Hyperbyte> http://www.ltsp.org/stories/
| |
09:03 | <alkisg> Just the percentage
| |
09:03 | <Hyperbyte> Hover over the big blue blob that is Greece on the pie chart.
| |
09:03 | <alkisg> Ty again :)
| |
09:03 | <Hyperbyte> I don't see how you can find the percentage and not the count. :P
| |
09:03 | You must've overlooked it. :)
| |
09:05 | <alkisg> I have a touch screen, no mouse handy :P
| |
09:05 | <ogra_> warren, with nbd cow the nbd server creates the writable file on the server side ... which indeed means more network traffic and slowness
| |
09:05 | <alkisg> That's a good thing though, it saves client RAM
| |
09:06 | The problem with nbd cow is that squashfs is read-only
| |
09:06 | <ogra_> sure sure, and you can have it created in a tmpfs so disk IO wont matter
| |
09:06 | but you still will have extra network traffic
| |
09:06 | <alkisg> So ext or (compressed) btrfs should be used instead
| |
09:06 | It's good traffic, it's disc traffic that shouldn't end up in RAM
| |
09:06 | <ogra_> i guess for this thats fine, but you wouldnt want to run a fat client that way
| |
09:07 | <alkisg> E.g. if the client needs to write 500 mb, they'd better go on the server side than on the client side
| |
09:07 | <ogra_> s/this/thin/
| |
09:07 | <alkisg> Thins and fats blend a bit with localapps
| |
09:07 | <ogra_> alkisg, well, a tmpfs on the client is definitely lots faster than a disk image on a server
| |
09:07 | <alkisg> If an update cron job runs, it quickly exhausts the client RAM
| |
09:07 | <ogra_> well, depends on the client
| |
09:08 | <alkisg> It's the equivalent of `apt-get update`, many mb of traffic
| |
09:15 | Gremble has joined IRC (Gremble!~Ben@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com) | |
09:23 | bauerski has left IRC (bauerski!~witekb@frodo.psp.opole.pl, Ping timeout: 260 seconds) | |
09:39 | bauerski has joined IRC (bauerski!~witekb@frodo.psp.opole.pl) | |
09:42 | bauerski has left IRC (bauerski!~witekb@frodo.psp.opole.pl, Client Quit) | |
09:49 | dievel has left IRC (dievel!~dievel@2-229-104-66.ip196.fastwebnet.it, Ping timeout: 246 seconds) | |
09:52 | <meamy> hi all, I'm searching for a way to enable lock screens on fat clients, but since they don't cache the authentication I'm at a bit of a dead end. Is there a solution for that problem?
| |
09:52 | bauerski has joined IRC (bauerski!~witekb@frodo.psp.opole.pl) | |
09:54 | cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Remote host closed the connection) | |
10:03 | <Hyperbyte> meamy, yes. LDAP.
| |
10:06 | dievel has joined IRC (dievel!~dievel@2-229-104-66.ip196.fastwebnet.it) | |
10:08 | cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg) | |
10:09 | ltspuser_86 has joined IRC (ltspuser_86!53a5fdb5@gateway/web/freenode/ip.83.165.253.181) | |
10:11 | <ltspuser_86> hi
| |
10:11 | You can put a client in a Windows domain and set the user's personal folder on the thin client
| |
10:13 | cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Ping timeout: 246 seconds) | |
10:13 | dobber has joined IRC (dobber!~dobber@89.190.199.210) | |
10:13 | <ltspuser_86> hi
| |
10:14 | You can put a client in a Windows domain and set the user's personal folder on the thin client
| |
10:16 | ltspuser_86 has left IRC (ltspuser_86!53a5fdb5@gateway/web/freenode/ip.83.165.253.181, Quit: Page closed) | |
10:18 | <meamy> Hyperbyte: ok then I have to do this, it is a good idea anyway (for that problem it's a bit oversized but it's maybe useful for a bunch of other things). My solution in mind was more a bit of a screensaver hack with ssh as authentication backend, but ldap is the correct way I guess
| |
10:19 | <Hyperbyte> meamy, LDAP is never overkill.
| |
10:19 | (oversized)000
| |
10:20 | Think of it like this: where would you rather store your user account credentials? In two plain text files (/etc/passwd and /etc/shadow), or in a secure database?
| |
10:21 | dievel has left IRC (dievel!~dievel@2-229-104-66.ip196.fastwebnet.it, Ping timeout: 252 seconds) | |
10:22 | * alkisg would definitely prefer the text files wrt security :D | |
10:22 | <Hyperbyte> alkisg, why?
| |
10:23 | <alkisg> It's more easy to hack into "more" software layers than into "less" software layers
| |
10:24 | <Hyperbyte> I agree.
| |
10:24 | <alkisg> But sure LDAP has a lot of other reasons to be selected over plain text files
| |
10:24 | <Hyperbyte> But there's more to hacking than just software layers. More important is the amount of interfaces one has to access data.
| |
10:24 | <meamy> Hyperbyte: yep, especially if you deploy a large installation, I just have to find out how ldap plays together with the ltsp-cluster environment? but it should be fine I hope.
| |
10:25 | <Hyperbyte> Once I managed to hack a server by obtaining the /etc/passwd and /etc/shadow files via a broken PHP script.
| |
10:25 | I would argue that there's hundreds of ways to obtain /etc/passwd... there's only one way to get to LDAP, namely port 389.
| |
10:25 | <alkisg> meamy: one alternative would be to patch ldm to store the password hash into /etc/shadow
| |
10:26 | That one could even be accepted upstream, we've talked about it
| |
10:26 | <Hyperbyte> meamy, LDAP doesn't need to work with LTSP-Cluster. LDAP works with PAM and NSS, that's enough.
| |
10:26 | <alkisg> The other devs just don't want that option to be the default
| |
10:28 | <meamy> plaintext files are not so bad for security reasons, the problem is that they are on the appserver, which is not really secure at all (by design), so to source this data out to a safer place is a good way to minimize the risk
| |
10:29 | <alkisg> If people get root access to your app server it'll be a piece of cake to get the user passwords no matter where you store them then
| |
10:29 | But anyways /me doesn't care at all about security :)
| |
10:30 | <Hyperbyte> alkisg, not if your LDAP server is separate.
| |
10:30 | <alkisg> Hyperbyte: you think installing keyloggers is hard? :)
| |
10:30 | <Hyperbyte> alkisg, well - okay. I'll give you that.
| |
10:30 | But
| |
10:31 | You still won't have "all" my user accounts/passwords, just the ones that have been used
| |
10:31 | <meamy> alkisg: keylogger on the appserver? if you're using fat clients that's not a problem
| |
10:31 | <alkisg> Right, but remember that I can also install my own ldap clients in your software stack :)
| |
10:32 | <Hyperbyte> meamy, as if you couldn't install the keylogger in the chroot. :-)
| |
10:32 | Or better, hack LDM to just mail you the password.
| |
10:32 | alkisg, you still won't have -all- my passwords.
| |
10:33 | <alkisg> It depends, but ok, let's say you have a balance of having more ways to penetrate a system (more app servers, more applications) vs having less hacked passwords
| |
10:33 | cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg) | |
10:33 | <alkisg> I don't know much about ldap, but the ldap servers I've seen support queries
| |
10:34 | <Hyperbyte> LDAP is a query protocol, yes
| |
10:34 | <alkisg> So if a school wants to see the passwords of its students, it has access to do so
| |
10:34 | But students can't see other student's passwords, ok
| |
10:34 | <Hyperbyte> LDAP stores passwords hashed.
| |
10:34 | You can't see LDAP passwords.
| |
10:34 | <alkisg> That's the same as /etc/shadow
| |
10:35 | <Hyperbyte> I know that.
| |
10:35 | <alkisg> No difference there, you need brute analysis after you get the hash
| |
10:35 | <Hyperbyte> I'm not sure what kind of hashing algorithm LDAP uses, but it's probably comparable.
| |
10:35 | <alkisg> Yeah I imagine some sha* method, it should be configurable in both ldap and /etc/shadow
| |
10:36 | Anyways, /me really isn't interested about security, so will stop there :)
| |
10:36 | <Hyperbyte> Either way, LDAP isn't about security. I just think it's a nice bonus.
| |
10:36 | <meamy> alkisg: you can log how often passwords are requested, so you can detect if someone tries to steal your data. detecting if somebody copies your shadow file is hard
| |
10:36 | <alkisg> meamy: pam already logs authentication attempts to /var/log/auth.log
| |
10:37 | <Hyperbyte> For me, biggest advantage is synchronizing 1 account across four servers, one of which is over 600 kilometers away. :)
| |
10:37 | <alkisg> If someone has access to ldap, he can query other user's hashes
| |
10:37 | Anyways /me really stops wrt the security topic
| |
10:38 | <Hyperbyte> Today I had to create a user account for a new employee
| |
10:38 | <meamy> alkisg: but you can log these events; you can't log if somebody just copies a file on an already pwnd server
| |
10:38 | <Hyperbyte> They need access to:
| |
10:38 | <alkisg> If it's pwnd then what prevents him from copying the database files themselves?
| |
10:39 | <meamy> alkisg: because they are on a different machine
| |
10:39 | <Hyperbyte> - network server (unix) - terminal server (unix) - asterisk (voip server) - mail server (remotely) - php application
| |
10:39 | I created 1 account in LDAP... that's it. :-)
| |
10:39 | <meamy> hyperbyte so true
| |
10:40 | <alkisg> Right, that's one of ldap main advantages
| |
10:40 | <Hyperbyte> That was my main reason for deploying LDAP. I was sick of the whole business of creating/removing/updating accounts everywhere continuously, as well as the problems that arise when user ID's get mismatched and you synchronize files
| |
10:40 | <alkisg> Not that it wouldn't be possible to write php authentication plugins for /etc/shadow, they just haven't done so
| |
10:41 | <Hyperbyte> alkisg, http://pecl.php.net/package/PAM
| |
10:41 | :)
| |
10:41 | I just never got that idea until I started using LDAP. :P
| |
10:42 | Or maybe it didn't exist when I deployed LDAP.
| |
10:42 | <alkisg> Yup, but that's not for remote systems
| |
10:42 | <Hyperbyte> That's true.
| |
10:42 | <alkisg> While ldap can be for remote systems too
| |
10:42 | dievel has joined IRC (dievel!~dievel@2-229-104-66.ip196.fastwebnet.it) | |
10:43 | <alkisg> Hyperbyte: so anyway, are you configuring ldap on the chroot?
| |
10:43 | Or just on the appserver?
| |
10:43 | <Hyperbyte> alkisg, over here (thin clients) only on the terminal server
| |
10:43 | At the radiostation (fat) also on the clients.
| |
10:43 | There I also use NFS mounted /data where users store files, in different folders with different group permissions
| |
10:44 | <alkisg> Do you have any notes for ltsp server + fat chroot ldap configuration?
| |
10:44 | <Hyperbyte> That's where LDAP becomes especially useful for me.
| |
10:44 | <meamy> yep that would be very interesting
| |
10:44 | <Hyperbyte> alkisg, not really. I've never used OpenLDAP, only 389-DS on Fedora.
| |
10:44 | <alkisg> But you have an ubuntu chroot, don't you?
| |
10:45 | Or the client side is very easy?
| |
10:45 | <Hyperbyte> My network servers or virtual hosts are always Fedora. Ubuntu runs separately or inside a virtual machine.
| |
10:45 | The client side is a piece of cake really.
| |
10:46 | LDAP configuration with 389-DS is a little bit easier I believe. I think they're actually also porting it to Debian/Ubuntu.
| |
10:46 | <alkisg> Yeah, slowly...
| |
10:46 | What I hate about ldap is that the usual user management tools don't work with it
| |
10:46 | <meamy> the docs
| |
10:46 | <Hyperbyte> Client configuration is here: https://help.ubuntu.com/community/LDAPClientAuthentication
| |
10:47 | <alkisg> And that there's no standard way to configure it
| |
10:47 | <Hyperbyte> alkisg, what do you mean "standard way to configure it"?
| |
10:47 | <alkisg> The schemas or however else they're called
| |
10:47 | So that I could just do "apt-get install ldap" and it would just replace /etc/passwd without me doing anything else
| |
10:48 | <Hyperbyte> alkisg, ldap doesn't replace /etc/passwd
| |
10:48 | But I get what you mean. On Fedora there's system-config-auth
| |
10:48 | <alkisg> Sure it provides an alternative means for storing contacts or whatever configuration or other data the user wants
| |
10:49 | <Hyperbyte> alkisg, no, I mean - LDAP functions -on top of- /etc/passwd
| |
10:49 | <alkisg> The package I'm talking about could be called "ldap-shadow-emulator"
| |
10:49 | And PAM etc etc I got that part
| |
10:49 | <Hyperbyte> Your /etc/passwd file still works. I have a few local guest accounts on my terminal server, which are not in LDAP but in /etc/passwd
| |
10:49 | <alkisg> But as far as the plain user is concerned, a simple package could exist that would automate all of those changes
| |
10:50 | <Hyperbyte> Well, it exists in Fedora....
| |
10:50 | I believe also in Ubuntu
| |
10:50 | Or at least I've seen it.
| |
10:50 | <alkisg> gnome-users still doesn't work with ldap in fedora
| |
10:50 | <Hyperbyte> You apt-get install some package, it asks for LDAP server URI and other server details and sets it up
| |
10:50 | <alkisg> And neither does useradd
| |
10:50 | <Hyperbyte> I've seen it, just not a clue which package it was.
| |
10:51 | alkisg, well, gnome-users I don't know. It could support LDAP maybe, not sure. Never used it. But "useradd" shouldn't work with LDAP. If it does, you can never add people to /etc/passwd again
| |
10:51 | <alkisg> useradd --target=shadow
| |
10:51 | That could be very easily solved
| |
10:52 | berg_aliv has left IRC (berg_aliv!~bergaliv@ip-39-223-230-46.dialup.ice.net, Ping timeout: 264 seconds) | |
10:52 | <Hyperbyte> Well the real solution would be that PAM has not only central authentication, but also central user management
| |
10:52 | And that there's pam_useradd or pam_useredit or whatever
| |
10:53 | <alkisg> Sounds good, yeah
| |
10:54 | <Hyperbyte> useradd are the tools made for /etc/passwd... it's supposed to not work like ldap. I wouldn't want ldapadd to work with /etc/passwd either. :)
| |
10:54 | *like -> with
| |
10:55 | <alkisg> OK my problem isn't how the tool would be called, or if it would be derived from the useradd code base or from some other code base, it's that the existing tools don't work with ldap
| |
10:55 | gnome-users doesn't, I've tried that
| |
10:56 | And it's silly for user management front ends to have to support multiple protocols
| |
10:56 | That's a job for backends
| |
10:57 | <Hyperbyte> I agree, so what you're addressing is a PAM issue. :)
| |
10:57 | Meanwhile, you could just install one of the graphical LDAP management tools.
| |
11:01 | berg_aliv has joined IRC (berg_aliv!~bergaliv@ip-39-223-230-46.dialup.ice.net) | |
11:04 | * alkisg is thinking of telling Phantomas to support LDAP in our sch-scripts user management tool | |
11:04 | <alkisg> We have things like mass user creation (based on classrooms) that no other tools offer
| |
11:09 | <Hyperbyte> :)
| |
11:09 | cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Quit: cyberorg) | |
11:11 | administrator has joined IRC (administrator!51ba11de@gateway/web/freenode/ip.81.186.17.222) | |
11:11 | <administrator> alkisg
| |
11:11 | <alkisg> Hello
| |
11:11 | administrator is now known as Guest61634 | |
11:11 | <alkisg> administrator: /j #ts.sch.gr
| |
11:12 | <Guest61634> alkisg: is everything OK?
| |
11:12 | alkisg: Orestis here
| |
11:12 | <alkisg> Yes, type /j #ts.sch.gr to join the Greek channel, this one is the English one
| |
11:12 | <Guest61634> ok
| |
11:13 | Guest61634 is now known as orestis123 | |
11:13 | <Hyperbyte> Oh no, the Greeks are invading again. :)
| |
11:15 | <meamy> !ltsp translate
| |
11:15 | <ltsp> Error: "ltsp" is not a valid command.
| |
11:15 | <meamy> !translate
| |
11:15 | <ltsp> Error: "translate" is not a valid command.
| |
11:18 | cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg) | |
11:19 | <Hyperbyte> meamy, LTSP translations are done via launchpad.
| |
11:22 | <meamy> Hyperbyte: thanks but it was more like a joke if the bot could please translate the greek letters for me :D
| |
11:23 | <Hyperbyte> Ah
| |
11:23 | Straight over my head.
| |
11:30 | orestis123 has left IRC (orestis123!51ba11de@gateway/web/freenode/ip.81.186.17.222) | |
11:30 | <alkisg> We've put #ltsp as the support channel for epoptes... so many teachers come here and think they can talk in Greek, so I tell them to join the greek channel instead :)
| |
11:33 | <effenberg> fu ldap, there should be a tool like 'ap' in linux
| |
11:34 | <Hyperbyte> effenberg, explain.
| |
11:35 | <effenberg> ap provides a simple method of propagating user account profiles
| |
11:35 | between machines.
| |
11:36 | ap is not part of any currently supported standard; it is an
| |
11:36 | extension of AT&T System V provided by The Santa Cruz Operation,
| |
11:36 | Inc.
| |
11:37 | <Hyperbyte> Right.
| |
11:45 | <effenberg> Aljex wrote a shell script some years ago, afair
| |
11:45 | yeah he did
| |
11:46 | http://www.aljex.com/bkw/linux/aap
| |
11:49 | alkisg is now known as work_alkisg | |
12:01 | joshu has joined IRC (joshu!4e4597e6@gateway/web/freenode/ip.78.69.151.230) | |
12:03 | <joshu> hi i'm trying to understand if ltsp is what I'm looking for. I have a few laptops which I want to convert to thin clients, but they should connect to a windows terminal server via rdp. I have evaluated a commercial solution called IGEL Universal Desktop Converter but it has too many limitations. Is ltsp suitable?
| |
12:09 | <effenberg> it is
| |
12:10 | http://www.youtube.com/watch?v=zJmMcNPBgig
| |
12:14 | <ogra_> joshu, ltsp can use windows appservers ... but uses wired networking for booting (no PXE booting in WLAN)
| |
12:16 | <joshu> effenberg: thanks for the link I just watched it.
| |
12:16 | let me provide some more details of what I need to accomplish
| |
12:19 | the laptops will be located in remote locations at all times. what that means is that by themselves the users can't do anything other than power them on and view a very simplified locked down desktop. in order to access the windows terminal server they need to connect to a local LAN network or alternatively via 3G usb modem. The next step is connecting via Cisco VPN to the corporate network and finally via RDP. Now they can start working
| |
12:20 | <warren> ogra_: thin clients do very little writing
| |
12:20 | of / at least
| |
12:20 | maybe in /home
| |
12:20 | but that's sshfs
| |
12:21 | <ogra_> warren, well, they need to boot at a usable speed at least :)
| |
12:24 | <joshu> does ltsp still make sense for the usage I described?
| |
12:31 | <ogra_> joshu, that sounds more like you want a minimal OS and login manager that do a remote connection ... (so not the netbooting part of LTSP) ... i would take a look at ubuntu lightdm remote desktop feature
| |
12:31 | it offers exactly that
| |
12:38 | <joshu> ok because I've been searching for options the last few days and I was contemplating doing something like ubuntu minimal with xfce etc...but I haven't been able to figure out how I could manage configuration changes and updates in a central way similar to commercial solutions with a management server.
| |
12:39 | <ogra_> well, you dont install a local desktop ... just have the option of the login manager ...
| |
12:39 | and you manage your users on the server side centralized ... as you would do with ltsp
| |
12:40 | (that indeed requires your users to be online while working, but this doesnt differ from ltsp)
| |
12:43 | <joshu> yes the users are managed by active directory, but i meant the laptop thin clients themselves...have you used IGEL Universal Desktop Converter?
| |
12:49 | <ogra_> nope
| |
12:50 | <effenberg> maybe you'd stick your own suitable linux together and deploy it with clonezilla
| |
12:55 | <joshu> effenberg I'll have a look at clonezilla...
| |
12:56 | here's a video showing the IGEL thing I mentioned if you're interested http://vimeo.com/37578730
| |
12:56 | <ogra_> that what i mean when proposing a minimal ubuntu with just lightdm remote desktop :)
| |
12:56 | *that's
| |
13:00 | cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Remote host closed the connection) | |
13:04 | Gremble has left IRC (Gremble!~Ben@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com, Quit: I Leave) | |
13:09 | Nadeem has joined IRC (Nadeem!~netrunner@117.197.16.226) | |
13:09 | <Nadeem> hi
| |
13:10 | Need some help regarding ltsp
| |
13:11 | I installed edubuntu 12.04.1 on a system in my lab, at the time of installing, i selected ltsp.
| |
13:14 | did a custom installation and made it dual boot with Windows 7. Installation finished, booted. Now when booting other systems in the lab, they just don't boot from LAN
| |
13:15 | The system had only 1 NIC, and I skipped in installation, did that mess it up? Or am I doing something wrong?
| |
13:24 | <joshu> ogra_ in your last message you're referring to the video?
| |
13:24 | <ogra_> no, to clonezilla
| |
13:24 | (which is just SW to clone PC installs)
| |
13:31 | Nadeem has left IRC (Nadeem!~netrunner@117.197.16.226) | |
13:31 | <joshu> ok i follow. so i should research using ubuntu mini.iso installing that adding things like cisco vpn client and freerdp client. then add lightdm.
| |
13:32 | the user boots the system and is greeted with a login prompt, and when the user credentials are entered, behind the scenes it would check whether on lan or a usb modem needs to be connected, and once that is established use the user's credentials to connect via cisco vpn and finally present the user with the rdp session?
| |
13:36 | <ogra_> well, it kind of relies on the fact that the user is online ... and that the user selects the right session
| |
13:36 | but that doesnt differ from ltsp as i said above
| |
13:39 | <joshu> so lightdm itself only provides the login prompt which once the user enters his/her details will launch an rdp session. however as you say the user must be online so that logic is not something that lightdm handles, correct?
| |
13:39 | <ogra_> no, it provides also the rdp and cisco vpn backend communication
| |
13:40 | lightdm just runs network manager/ modem manager, it sits in your panel like on a normal desktop
| |
13:40 | but it will indeed only connect to something if a connection is up
| |
13:41 | <joshu> i guess i need to see it in action to understand how it would work as i've never done anything like this before....
| |
13:42 | ogra_ what would you suggest that i do to get something working quickly for proof of concept?
| |
13:45 | <ogra_> what you said above, mini.iso, then install the "xorg, lightdm and unity-greeter" packages
| |
13:45 | that should give you all you need
| |
13:45 | bauerski has left IRC (bauerski!~witekb@frodo.psp.opole.pl, Quit: Leaving.) | |
13:45 | <ogra_> (and then clone that install with clonezilla if you like)
| |
13:47 | bauerski has joined IRC (bauerski!~witekb@frodo.psp.opole.pl) | |
13:47 | <joshu> ok i will try to set it up as you've suggested...thanks so much for your patience and help for now ;)
| |
13:58 | meamy has left IRC (meamy!~hannes@pd95cdee4.dip0.t-ipconnect.de, Quit: meamy) | |
14:07 | dead_inside has joined IRC (dead_inside!~dead_insi@76.75.3.174) | |
14:23 | bauerski has left IRC (bauerski!~witekb@frodo.psp.opole.pl, Quit: Leaving.) | |
14:29 | jammcq has joined IRC (jammcq!~jam@c-69-245-75-255.hsd1.mi.comcast.net) | |
14:48 | bobby_C has joined IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at) | |
15:01 | sbalneav has left IRC (sbalneav!~sbalneav@mail.legalaid.mb.ca, Remote host closed the connection) | |
15:04 | hays_ has joined IRC (hays_!~quassel@unaffiliated/hays) | |
15:05 | designbybeck has joined IRC (designbybeck!~quassel@x176y051.angelo.edu) | |
15:06 | dberkholz_ has joined IRC (dberkholz_!~dberkholz@smtp.gentoo.org) | |
15:06 | dberkholz_ has joined IRC (dberkholz_!~dberkholz@gentoo/developer/dberkholz) | |
15:07 | mgariepy has left IRC (mgariepy!mgariepy@ubuntu/member/mgariepy, Ping timeout: 276 seconds) | |
15:07 | hays has left IRC (hays!~quassel@unaffiliated/hays, Ping timeout: 276 seconds) | |
15:07 | monteslu has left IRC (monteslu!~monteslu@ip68-109-174-213.ph.ph.cox.net, Ping timeout: 276 seconds) | |
15:07 | dberkholz has left IRC (dberkholz!~dberkholz@gentoo/developer/dberkholz, Ping timeout: 276 seconds) | |
15:07 | mgariepy has joined IRC (mgariepy!mgariepy@nat/revolutionlinux/session) | |
15:07 | mgariepy has joined IRC (mgariepy!mgariepy@nat/revolutionlinux/x-ztweyflfzdlfyxwi) | |
15:07 | monteslu_ has joined IRC (monteslu_!~monteslu@ip68-109-174-213.ph.ph.cox.net) | |
15:07 | mgariepy has left IRC (mgariepy!mgariepy@nat/revolutionlinux/x-ztweyflfzdlfyxwi, Changing host) | |
15:07 | mgariepy has joined IRC (mgariepy!mgariepy@ubuntu/member/mgariepy) | |
15:12 | meamy has joined IRC (meamy!~hannes@pd95cdee4.dip0.t-ipconnect.de) | |
15:24 | staffencasa has joined IRC (staffencasa!~staffenca@8-220.ptpg.oregonstate.edu) | |
15:29 | meamy has left IRC (meamy!~hannes@pd95cdee4.dip0.t-ipconnect.de, Quit: meamy) | |
16:32 | alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg) | |
16:35 | mmetzger has left IRC (mmetzger!~mmetzger@99-71-214-196.lightspeed.mdldtx.sbcglobal.net, Ping timeout: 264 seconds) | |
16:36 | mmetzger has joined IRC (mmetzger!~mmetzger@99-71-214-196.lightspeed.mdldtx.sbcglobal.net) | |
16:41 | Gremble has joined IRC (Gremble!~Ben@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com) | |
16:41 | sbalneav has joined IRC (sbalneav!~sbalneav@mail.legalaid.mb.ca) | |
16:42 | dobber has left IRC (dobber!~dobber@89.190.199.210, Remote host closed the connection) | |
16:43 | <knipwim> sbalneav: hey Scott, you gonna be at the meeting tonight?
| |
16:47 | <Enslaver> warren: xNBD looks interesting, i might consider it for the next release, but eventually want to move away from NBD altogether. Its application isn't very form fitting in today's world whereas iscsi is pretty much adopted by everyone. That opens up the possibility of using a NAS to store the NBD images and letting the NAS handle any types of overlays, by configurable option of course. NBD cow isn't too bad of a performance hit,
| |
16:47 | although I haven't found a way to tell it where to place its overlay (.diff) files it creates, by default in the images folder. Shoot me a message when you are up, I think we have a dev meeting in 2 hours, it's 6:47 HST now.
| |
16:48 | <alkisg> "letting the NAS handle any types of overlays" ==> NAS can do overlays?
| |
16:48 | <Enslaver> NAS can do anything your server can
| |
16:49 | Heck, i think net app even uses linux kernel
| |
16:49 | <alkisg> So why not make it do nbd? :P
| |
16:49 | <Enslaver> Not to mention there is freeNAS / openNAS / openfiler
| |
16:49 | <alkisg> Is iscsi a kernel module?
| |
16:49 | Or AoE?
| |
16:49 | <Enslaver> Yes
| |
16:50 | iscsi is in the kernel, dracut supports it
| |
16:50 | the issue is whether jumbo frames must be enabled on the switch dependent on the size of the image i guess
| |
16:50 | bobby_C has left IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at, Ping timeout: 244 seconds) | |
16:51 | <Enslaver> Also want to move away from the BSD iscsi target implementation, dragging iscsi down
| |
16:51 | <alkisg> And is it as easy to configure as nbd-server/nbd-client?
| |
16:52 | <Enslaver> not as easy
| |
16:52 | you have a target and initiator
| |
16:52 | the initiator goes out and scans for targets
| |
16:53 | the good thing about that is it doesn't limit you to a squashed filesystem, you can actually share a physical block device, fibre or LUN
| |
16:55 | <alkisg> NBD doesn't limit you to squashfs either
| |
16:55 | I've shared ext, btrfs, .vdi's, partitions and physical disks with NBD
| |
16:55 | <Enslaver> right, uses the same concept as iscsi, creating a block device that is sharable over the network based on your specifications
| |
16:56 | <alkisg> If we're to use a block device, I think having a server where we can send patches is a good thing
| |
16:56 | xnbd sounded good but the nbd maintainer said they weren't very interested in cooperation
| |
16:57 | Having the cow part on the server sounds very good, we don't even need a custom initramfs that way
| |
16:58 | <Enslaver> yeah that would open up a ton of very fun possibilities
| |
16:58 | <alkisg> Ideally, what I'd like to have is:
| |
16:59 | when the "ltsp-server" daemon starts, it would get a btrfs snapshot of the "server" disk (be it a real ltsp server or just a template client that hosts nbd-server)
| |
16:59 | And remove any sensitive information from that, and export it via nbd to LAN
| |
17:00 | With compressed btrfs, we'd be able to have all nbd benefits without any of the drawbacks
| |
17:01 | Anyways, those are very far in the future... btrfs isn't production ready yet
| |
17:01 | <Enslaver> Like what kind of sensitive information? /home?
| |
17:01 | <alkisg> What ltsp-cleanup does now
| |
17:01 | home, accounts, db passwords, whatever
| |
17:03 | <Enslaver> All well and good for flat files, I see that having issues with databases
| |
17:03 | <jammcq> seems too easy to expose sensitive information
| |
17:03 | Phantomas has joined IRC (Phantomas!~Phantomas@ubuntu/member/phantomas) | |
17:04 | <jammcq> ie, the default would be to expose EVERYTHING unless it's been added to the cleanup script
| |
17:06 | <Enslaver> well conceptually isn't the concept of the target image a throw away generic file structure with sensitive data layered on top?
| |
17:09 | Parker955_Away is now known as Parker955 | |
17:09 | <ogra_> yeah, not a very good security model
| |
17:10 | <jammcq> Enslaver: yes, but if he's talking about taking the server as the base, then you'd get whatever is on the server
| |
17:10 | * ogra_ would still keep a chroot for the clients | |
17:11 | <ogra_> mixing the installs just asks for trouble in the long run
| |
17:18 | <alkisg> jammcq: you can have a template client to serve as the "server"
| |
17:18 | It only needs to have the `ltsp-update-image` or similar script, and ltsp-client
| |
17:19 | So for schools etc that don't care much about security, the server itself can be used, and wherever security is an issue, a template client
| |
17:21 | A template client holds no more sensitive data than a chroot... and even a chroot needs to be "cleaned up"
| |
17:22 | And separating nbd-server from authentication+appserver also helps in network traffic balancing
| |
17:28 | <ogra_> schools dont care about security ?
| |
17:29 | you mean they dont do exams on the clients ?
| |
17:29 | * ogra_ remembers a case where students sniffed the XDMCP traffic to cheat in exams | |
17:29 | <ogra_> with old LTSP
| |
17:29 | tewlz has joined IRC (tewlz!~tewlz@c-71-207-173-175.hsd1.al.comcast.net) | |
17:30 | <tewlz> what's up
| |
17:30 | <ogra_> dont underestimate the yound ones and their creativity ;)
| |
17:30 | *young
| |
17:30 | <tewlz> meeting going on nowish?
| |
17:33 | adrianorg__ has joined IRC (adrianorg__!~adrianorg@177.204.77.121.dynamic.adsl.gvt.net.br) | |
17:34 | <jammcq> tewlz: not for another hour
| |
17:35 | adrianorg_ has left IRC (adrianorg_!~adrianorg@177.156.57.122, Ping timeout: 244 seconds) | |
17:37 | highvoltage has left IRC (highvoltage!~highvolta@ubuntu/member/highvoltage, Ping timeout: 252 seconds) | |
17:38 | * jammcq doesn't understand the "don't care about security" thing | |
17:38 | <tewlz> jammcq: thanks
| |
17:40 | <ogra_> jammcq, because they have so much money, so it doesnt matter if a botnet runs on all their clients eating the bandwidth
| |
17:40 | <jammcq> heh
| |
17:40 | * jammcq would argue that it's not the teachers/administrators decision to make whether they pay attention to security or not | |
17:41 | <ogra_> that too
| |
17:41 | <jammcq> poor security affects us all
| |
17:44 | <tewlz> any cheap thin clients you guys would recommend? I see a bunch of cheap geode based thin clients that I've read here and there that ltsp doesn't get along with them well.
| |
17:46 | <Enslaver> tewlz: raspberry pi
| |
17:46 | <tewlz> Enslaver: yea? isn't that arm based?
| |
17:46 | <Enslaver> yes, there is a ltsp port called berryterm
| |
17:47 | <tewlz> Enslaver: cool, I'll for sure check it out.
| |
17:47 | <Enslaver> cant beat a $35 thin client
| |
17:48 | <tewlz> Enslaver: heck no. Especially if I can support open source hardware at the same time!
| |
17:49 | <Enslaver> especially if you donated the rest of what it would have cost you to the developers of the ltsp project =0
| |
17:49 | <tewlz> I'm trying to hook my mom's tutor/homeschool out with a nice setup. I'm excited to get this up and running:)
| |
17:50 | Enslaver: Well, I can't promise much as a recently laid off just starting my own business/freelancing webdev. but I won't hesitate to contribute where and when I can :)
| |
17:51 | <alkisg> (07:38:30 μμ) ***jammcq doesn't understand the "don't care about security" thing ==> well if one's server is a simple 5 year old PC and the clients 12 year old PCs, he just has to live with LDM_DIRECTX=True, and just notify his students about it. It's not an option, it's "insecure and usable" or "secure and unusable".
| |
17:51 | joshu has left IRC (joshu!4e4597e6@gateway/web/freenode/ip.78.69.151.230) | |
17:52 | <alkisg> And that's way more secure than the windows 98 without antivirus solution he was using prior to LTSP.
| |
17:52 | <ogra_> alkisg, well, LDM_DIRECTX is quite different to "export the servers rootfs to the clients and have some scripts care for security"
| |
17:53 | * jammcq shouldn't throw stones. after all, i'm the guy that started this whole mess :) | |
17:53 | <ogra_> haha
| |
17:53 | <alkisg> ogra_: it depends on how good the scripts are, it might be worse or better
| |
17:53 | <ogra_> its all scotties fault anyway
| |
17:53 | :)
| |
17:54 | komunista has joined IRC (komunista!~slavko@adsl-195-168-244-224.dynamic.nextra.sk) | |
17:54 | <ogra_> alkisg, no, the point is that this is flawed by design, no matter how good your scripts are, you always have the potential that you miss a change a package did and suddenly have security relevant stuff on the client
| |
17:55 | and its a hell lot of work to always monitor every change
| |
17:55 | Parker955 is now known as Parker955_Away | |
17:55 | <ogra_> but indeed ltsp has so many idle developers ... :P
| |
17:56 | Gremble has left IRC (Gremble!~Ben@cpc35-aztw23-2-0-cust207.18-1.cable.virginmedia.com, Quit: I Leave) | |
17:57 | <ogra_> for ubuntu i would just have a script that pulls the ubuntu-core tarball from cdimage, and installs the few needed ltsp bits in it (thats even faster than debootstrap)
| |
17:57 | and use that for the clients
| |
17:58 | <alkisg> ogra_: using a template client is much more simple than using a chroot and has no security drawbacks
| |
17:58 | * ogra_ doubts that | |
17:58 | <alkisg> E.g. "how do you install a GUI java app in the chroot"?
| |
17:58 | <ogra_> why would i ?
| |
17:58 | <alkisg> Or, drivers that need access to the hw device?
| |
17:58 | Because you want a fat chroot
| |
17:59 | <ogra_> (speaking only of thin clients here)
| |
17:59 | <alkisg> OK, let's say a smartboard then
| |
17:59 | How would you install the proprietary smartboard that needs access to the hardware while installing it?
| |
17:59 | *driver
| |
17:59 | <ogra_> how would you do it now ?
| |
18:00 | wouldnt be different
| |
18:00 | <alkisg> I'd install it on the template client following the manufacturer's how-to
| |
18:00 | I wouldn't need to worry about exporting a chroot via NFS to a client that has the smartboard connected
| |
18:00 | <ogra_> and how would that differ from doing the same inside a chroot ?
| |
18:00 | ??
| |
18:00 | * ogra_ doesnt get that | |
18:00 | <jammcq> if the default is to use a chroot as the template, I could see it. but i'd never want the default to be the root of the server
| |
18:00 | <alkisg> Sample instructions:
| |
18:01 | <ogra_> didnt that conversation start with you wanting to export the servers rootfs ?
| |
18:01 | <alkisg> "open a gnome terminal, run ./install-my-driver, and follow the GUI instructions"
| |
18:01 | "it will require that your smartboard is connected to be installed"
| |
18:01 | <ogra_> (by whatever technology ... where does NFS come from now)
| |
18:01 | <alkisg> And I don't have the smartboard connected to the ltsp server
| |
18:01 | So, to do that, I'd boot a client, mount the chroot via NFS,
| |
18:02 | mount --bind /dev etc, chroot there,
| |
18:02 | <ogra_> sure. so you do it on the running client
| |
18:02 | <alkisg> forward X inside the chroot,
| |
18:02 | <ogra_> but that wasnt my concern
| |
18:02 | <alkisg> and then be able to follow the GUI instructions
| |
18:02 | By design, that's much much harder than it needs to be
| |
18:02 | <ogra_> my concern is that you fiddle with the servers rootfs
| |
18:02 | instead of keeping the client locked in a safe environment
| |
18:02 | <alkisg> As I said, then one can use a template client
| |
18:03 | If he's concerned about cleaning up the server rootfs
| |
18:03 | <ogra_> geez
| |
18:03 | that sounds scary hackish
| |
18:03 | <alkisg> Why so?
| |
18:03 | <Enslaver> along those lines, has a NX script been written for screen.d?
| |
18:03 | <alkisg> You install whatever you want in a client, you don't put any sensitive information there
| |
18:03 | <ogra_> mixing environments just calls for trouble
| |
18:03 | as i said before
| |
18:04 | <alkisg> You just maintain a chroot graphically
| |
18:04 | <ogra_> you said you use the servers rootfs
| |
18:04 | <alkisg> No, I said there are 2 options
| |
18:04 | <ogra_> and export that with some scripts that care for a blacklist/whitelist
| |
18:04 | or did i misunderstand that
| |
18:04 | <alkisg> One, to export the server rootfs, for those that don't care much about security (or have reviewed their cleanup scripts)
| |
18:04 | Two, to use a template client, for those that have security concerns
| |
18:05 | The cleanup script runs in both cases, but on the second case the sysadmin has no security concerns
| |
18:05 | * ogra_ would never allow 1 and even refuse to merge code supporting that | |
18:05 | <alkisg> It's upstream already, ltsp-pnp
| |
18:05 | <ogra_> but indeed up to you guys :)
| |
18:05 | <alkisg> More than 500 installations are using it
| |
18:05 | <ogra_> scary
| |
18:05 | <alkisg> Necessary though
| |
18:06 | <ogra_> not really
| |
18:06 | <alkisg> Many teachers complained about "I cannot maintain a chroot"
| |
18:06 | And they don't have sysadmins
| |
18:06 | <ogra_> that could have been implemented in a secure way too
| |
18:06 | but whatever
| |
18:06 | <alkisg> If they care, they can use a "template VM" instead of a client
| |
18:06 | The technology is the same
| |
18:06 | Instead of `ltsp-update-image --cleanup /`, they'd just run `ltsp-update-image --cleanup /path/to/vm`
| |
18:07 | <ogra_> right, are they aware of the insecure and hacky stuff they do at least ?
| |
18:07 | or is that the default ?
| |
18:07 | <alkisg> that's the default, and most do know about it, yeah
| |
18:07 | And it's not insecure with the default apps
| |
18:08 | * ogra_ usually doesnt mind giving people the gun to shoot their feet, but surely wouldnt make that a default | |
18:08 | <alkisg> As the scripts remove all sensitive data
| |
18:08 | <ogra_> oh my
| |
18:09 | leio has left IRC (leio!~leio@gentoo/developer/leio, Read error: Operation timed out) | |
18:10 | <alkisg> It's basically the same concept that the ubuntu desktop cd uses
| |
18:10 | That too clones an installed system and tries to take care to remove any security issues
| |
18:10 | E.g. regenerate ssh keys or dbus machine id and whatever
| |
18:10 | vagrantc has joined IRC (vagrantc!~vagrant@c-98-232-129-196.hsd1.or.comcast.net) | |
18:10 | vagrantc has joined IRC (vagrantc!~vagrant@freegeek/vagrantc) | |
18:11 | leio has joined IRC (leio!~leio@gentoo/developer/leio) | |
18:11 | <alkisg> Anyways, /me goes to help his daughter with math, bbl for the meeting...
| |
18:32 | highvoltage has joined IRC (highvoltage!~highvolta@ubuntu/member/highvoltage) | |
18:34 | <knipwim> highvoltage: the meeting just started :)
| |
18:34 | <vagrantc> stgraber, mgariepy: ping
| |
18:35 | <tewlz> meeting take place on here, or is there a g+ hangout or anything as well?
| |
18:35 | <vagrantc> it's on #ltsp-meeting
| |
18:35 | <tewlz> thanks
| |
19:16 | tc00 has joined IRC (tc00!~chatzilla@vtelinet-66-220-236-183.vermontel.net) | |
19:17 | tc00 is now known as sligett | |
19:39 | bobby_C has joined IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at) | |
20:13 | Parker955_Away is now known as Parker955 | |
20:23 | sligett has left IRC (sligett!~chatzilla@vtelinet-66-220-236-183.vermontel.net, Remote host closed the connection) | |
20:28 | vagrantc has left IRC (vagrantc!~vagrant@freegeek/vagrantc, Quit: leaving) | |
20:57 | <Enslaver> does debian/ubuntu others have the 'which' command? Im not at home and cant look at my vms
| |
20:57 | <knipwim> probably
| |
20:57 | <alkisg> Yes, and also there's the "type" builtin if you need it
| |
20:57 | <Enslaver> service=$(which service)
| |
20:57 | oh nice
| |
20:58 | <alkisg> $ dpkg -S /usr/bin/which
| |
20:58 | debianutils: /usr/bin/which
| |
20:58 | vagrantc has joined IRC (vagrantc!~vagrant@75-150-46-245-Oregon.hfc.comcastbusiness.net) | |
20:58 | vagrantc has joined IRC (vagrantc!~vagrant@freegeek/vagrantc) | |
21:01 | <Enslaver> $(which service) "$@"
| |
21:01 | sounds like it should work right?
| |
21:02 | <knipwim> not on gentoo
| |
21:02 | not sure what you want to accomplish
| |
21:02 | <Enslaver> standard command structure
| |
21:02 | without having to call lsb
| |
21:04 | <knipwim> gentoo doesn't have the service command to call the init service
| |
21:04 | but rc-service
| |
21:05 | in that case, for ltsp-config, it's solved in a gentoo-specific function
| |
21:06 | so service can be called in ltsp-config, but the default function is overlayed with the gentoo one, calling rc-service $@
| |
21:12 | <Enslaver> gentoo have lsb hooks for starting daemons?
| |
21:18 | Parker955 is now known as Parker955_Away | |
21:21 | <Enslaver> what im confused on is how to restart service such as dhcpd, one distro calls it isc-dhcp-daemon and another calls it dhcpd
| |
21:22 | yalu has left IRC (yalu!~yalu@11.90-64-87.adsl-dyn.isp.belgacom.be, Read error: Operation timed out) | |
21:23 | <vagrantc> Enslaver: distro overrides...
| |
21:24 | yalu has joined IRC (yalu!~yalu@91.176.237.173) | |
21:25 | <knipwim> i don't think we have lsb hooks
| |
21:28 | anunnaki has left IRC (anunnaki!~anunnaki@c-174-54-115-236.hsd1.pa.comcast.net, Remote host closed the connection) | |
21:30 | F-GT has left IRC (F-GT!~phantom@ppp59-167-136-109.static.internode.on.net, Quit: Leaving) | |
21:42 | <Enslaver> vagrantc: ok to code in lsb hooks first then have distro over rides for those who dont use lsb?
| |
21:45 | \
| |
21:46 | <vagrantc> Enslaver: sounds reasonable
| |
21:48 | <alkisg> Enslaver: what do you mean by "lsb hooks"?
| |
21:48 | To call lsb compliant executables or functions?
| |
21:49 | <Enslaver> Yes
| |
21:49 | <alkisg> OK, I thought hook == callback
| |
21:50 | Is there an lsb reference somewhere?
| |
21:51 | <Enslaver> Yah sorry I refer to a hook as a function called from a library
| |
21:52 | LSB has some good docs, I forget website URL
| |
22:04 | anunnaki has joined IRC (anunnaki!~anunnaki@174.54.115.236) | |
22:09 | alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Quit: Leaving.) | |
22:18 | komunista has left IRC (komunista!~slavko@adsl-195-168-244-224.dynamic.nextra.sk, Quit: Leaving.) | |
22:23 | jammcq has left IRC (jammcq!~jam@c-69-245-75-255.hsd1.mi.comcast.net, Quit: leaving) | |
22:31 | yalu has left IRC (yalu!~yalu@91.176.237.173, Ping timeout: 248 seconds) | |
22:33 | yalu has joined IRC (yalu!~yalu@109.134.181.221) | |
22:46 | dead_inside has left IRC (dead_inside!~dead_insi@76.75.3.174, Quit: Computer has gone to sleep.) | |
22:56 | bobby_C has left IRC (bobby_C!~bobby@85-124-22-227.teleworker.xdsl-line.inode.at, Ping timeout: 252 seconds) | |
23:01 | designbybeck has left IRC (designbybeck!~quassel@x176y051.angelo.edu, Remote host closed the connection) | |
23:31 | Phantomas has left IRC (Phantomas!~Phantomas@ubuntu/member/phantomas) | |
23:44 | yalu has left IRC (yalu!~yalu@109.134.181.221, Ping timeout: 245 seconds) | |
23:45 | yalu has joined IRC (yalu!~yalu@119.166-64-87.adsl-dyn.isp.belgacom.be) | |
23:46 | ltspuser_72 has joined IRC (ltspuser_72!440304c7@gateway/web/freenode/ip.68.3.4.199) | |
23:46 | <ltspuser_72> hello
| |
23:46 | can someone help me with linux
| |
23:49 | hello
| |
23:50 | ltspuser_72 has left IRC (ltspuser_72!440304c7@gateway/web/freenode/ip.68.3.4.199, Client Quit) | |