so, it really depends on exactly what you're doing with the vpn, how the vpn is normally configured, etc.
I'll have to give fat-clients a try. Would I be able to "manage" them as easily as thin clients? say modify/update images, /etc/skel?
btw, thank you for your help!!
the homedirs are exported from the server with fatclients, so sure.
updating images is a little harder, as every time you install an application, you need to update the images.
with thin clients, you simply install the image on the server, no need to update the image.
er, install the application on the server, no need to update the image with thin clients
vagrantc: LDM_HASHTMP will be my environment variable which will be passed to the script
hm.. not sure what that is... but I think i'm on the right path now. I'll play around with fat-clients
and yes, sounds good! seems like I'd still be able to update fat-client machines from the server, without having to go to each fat-client machine
Thank you for your super fast help and response.
Guest51018: good luck!
bennabiy: my gut reaction to the variable name isn't good, but heh.
gotta run anyways
|00:14||* vagrantc waves|
|00:14||vagrantc has left IRC (vagrantc!~vagrant@freegeek/vagrantc, Quit: leaving)|
|00:20||Guest51018 has left IRC (Guest51018!ad24c407@gateway/web/freenode/ip.18.104.22.168, Quit: Page closed)|
|02:38||jaskaran has joined IRC (firstname.lastname@example.org)|
|03:59||jaskaran has left IRC (email@example.com, Read error: Connection reset by peer)|
|04:04||vagrantc has joined IRC (vagrantc!~vagrant@freegeek/vagrantc)|
|04:15||jaskaran has joined IRC (firstname.lastname@example.org)|
|04:28||alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg)|
|04:36||jaskaran has left IRC (email@example.com, Quit: Ex-Chat)|
|04:41||Andymeows has left IRC (Andymeows!~Andymeows@unaffiliated/andymeows, Killed (sendak.freenode.net (Nickname regained by services)))|
|04:57||Phantomas has joined IRC (Phantomas!~phantomas@ubuntu/member/phantomas)|
|06:00||kwmiebach_ has left IRC (kwmiebach_!sid16855@gateway/web/irccloud.com/x-zwdptpmpjfhbtaov, Read error: Connection reset by peer)|
|06:05||kwmiebach_ has joined IRC (kwmiebach_!sid16855@gateway/web/irccloud.com/x-airribcjioxjjboc)|
vagrantc, bennabiy: hi guys
|06:11||* alkisg is mostly on vacations these days, but I'll be online for a couple of days now|
I vote for (1) ldm writing the hash to /etc/passwd itself, or if that's not easy, (2) using stdin or an environment variable to pass the hash from ldm to the shell scripts
Using a tmp file doesn't sound more secure to me, so I don't see why we should involve disk or network IO...
alkisg: the one advantage i see with the temp file is you can actually remove the file, whereas with the hash in ram, it's floating around in the environment
Nevertheless, if a tmp file is to be used, why not create it in /var?
but i guess it's stored in /etc/shadow anyways, so hm.
vagrantc: removing the password from the file is the same as removing it from ram
I.e. one would have to zero-fill it to be sure it's not re-allocated to other programs, but no one does that...
alkisg: well, the password doesn't have subprocesses where the environment variable might linger
We can remove it from the environment
Just unset the variable...
Then all subprocesses won't inherit it
you can remove it from the environment for subsequent processes, but not processes called before
Sure, so we just make sure it's the first script to be called at that phase
but it needs to be called after the localapps stuff, no?
How about this?
We let localapps do its stuff, and if we find the user entry in shadow, we replace/add the hash from ldm.c
Is there a need to pass the hash to shell scripts?
i think it was only a timing issue
alkisg: the one problem i see with that is if you have identical usernames with multiple ldm servers for users that should have different passwords...
the localapps stuff happens after ldm.c is run...
vagrantc: do localapps support that, currently?
I think that if you try to do a second login, the first user will be erased
in the sense that it cleans the environment between logins
so we'd have to also clean /etc/shadow ...
|06:21||kwmiebach_ has left IRC (kwmiebach_!sid16855@gateway/web/irccloud.com/x-airribcjioxjjboc, Ping timeout: 240 seconds)|
AFAIK for each login, the initial shadow is used
So if 2 users try to login, the first user is deleted from passwd, shadow etc
OK I see the timing issue, it's because X01-localapps and X95-run-x-session are in the same step, "X"...
But, X01-localapps is the script that's supposed to read the hash from stdin or the environment
|06:24||alexxtasi has joined IRC (alexxtasi!~alex@unaffiliated/alexxtasi)|
So it can remove it before any subprocesses start
vagrantc: for example, now the hash is visible from the command line: sed -e "$sedshad" -i /etc/shadow
|06:28||kwmiebach_ has joined IRC (kwmiebach_!sid16855@gateway/web/irccloud.com/x-tjvwutrxzldsfkqm)|
So a local non-root user running `ps` in a loop can see it...
yeah, not so great.
And the sedshad variable lingers on for all X* scripts
It's not exposed in the environment though, so no subprocesses see it
well, i knew you'd have good commentary on the matter :)
OK here's a quick way because as you said, trying to be perfect many times gets no work done at all:
LDM writes the hash in a file in /var, so that it can have a standard name
(to the same dir where we cache shadow etc)
It writes it in "sed" form though, a complete line to be passed to sed with its "-e script, --expression=script" option
Sorry, I meant: -f script-file, --file=script-file
So, X01-localapps will only need to check if the file is there, and if it is, to call sed -f that-file, and then remove it
That way the hash is never available to shell scripts, only sed reads it from that file
/var/cache/ltsp/$USER.passwd or something...
sounds like a reasonable compromise
and also backwards compatible
i.e. if the file isn't there, nothing changes
although for the feature to work, both ldm and ltsp-client* would need to be sufficiently new versions
Hmm better if it has a really standard name like /var/cache/ltsp/user.passwd, so that if we have a newer ldm, and an older ltsp that doesn't use/remove that file, we won't have multiple $USER.passwd files staying around indefinitely...
The last one without the "user" part somehow... e.g. shadow-sedscript or sedscript.shadow?
|07:11||mealstrom has left IRC (mealstrom!~Thunderbi@22.214.171.124, Ping timeout: 260 seconds)|
|07:36||mealstrom has joined IRC (mealstrom!~Thunderbi@126.96.36.199)|
|07:49||vagrantc has left IRC (vagrantc!~vagrant@freegeek/vagrantc, Quit: leaving)|
Yup, .sed is a common extension for sed scripts, e.g. ldm-trunk/po/quot.sed
bennabiy: so, /var/cache/ltsp/shadow.sed
|07:58||alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Ping timeout: 245 seconds)|
|08:00||bennabiy has left IRC (bennabiy!~bennabiy@unaffiliated/bennabiy, Read error: Connection reset by peer)|
|08:01||bennabiy has joined IRC (bennabiy!~bennabiy@unaffiliated/bennabiy)|
|08:26||telex has left IRC (firstname.lastname@example.org, Read error: Connection reset by peer)|
|08:28||telex has joined IRC (email@example.com)|
|08:36||uXus has left IRC (uXus!~uXus@188.8.131.52, Quit: ail bi bek)|
|08:39||uXus has joined IRC (uXus!~uXus@184.108.40.206)|
|08:42||mealstrom has left IRC (mealstrom!~Thunderbi@220.127.116.11, Remote host closed the connection)|
|08:48||alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg)|
|08:50||alkisg1 has joined IRC (alkisg1!~alkisg@ubuntu/member/alkisg)|
|08:53||alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Ping timeout: 250 seconds)|
|08:55||mealstrom has joined IRC (mealstrom!~Thunderbi@18.104.22.168)|
|08:56||alkisg1 is now known as alkisg|
|09:30||Phantomas1 has joined IRC (Phantomas1!~phantomas@ubuntu/member/phantomas)|
|09:31||Phantomas has left IRC (Phantomas!~phantomas@ubuntu/member/phantomas, Ping timeout: 260 seconds)|
|10:43||Phantomas1 has left IRC (Phantomas1!~phantomas@ubuntu/member/phantomas, Ping timeout: 245 seconds)|
|10:43||Phantomas has joined IRC (Phantomas!~phantomas@ubuntu/member/phantomas)|
|10:44||alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Ping timeout: 250 seconds)|
alkisg, vagrantc: I read the conversation. Seems good to me, to write to a standard filename, which would be user-unrelated. That is only a few lines of code changed.
and it should not be hard to put together the sed script. Alkisg: would that script need to have #!/bin/sed at the top?
or just the $s: line
|11:58||cyberorg has left IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg, Remote host closed the connection)|
|12:14||cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg)|
|12:17||cyberorg has joined IRC (cyberorg!~cyberorg@opensuse/member/Cyberorg)|
|12:37||Phantomas has left IRC (Phantomas!~phantomas@ubuntu/member/phantomas, Ping timeout: 260 seconds)|
|12:38||Phantomas has joined IRC (Phantomas!~phantomas@ubuntu/member/phantomas)|
|12:55||staffencasa_ has joined IRC (firstname.lastname@example.org)|
|12:58||staffencasa has left IRC (email@example.com, Ping timeout: 264 seconds)|
|14:02||Phantomas1 has joined IRC (Phantomas1!~phantomas@ubuntu/member/phantomas)|
|14:02||Phantomas has left IRC (Phantomas!~phantomas@ubuntu/member/phantomas, Ping timeout: 255 seconds)|
|14:04||Faith has joined IRC (Faith!~paty@unaffiliated/faith)|
|14:17||flo1546796 has joined IRC (flo1546796!~flo154679@unaffiliated/flo1546796)|
|14:17||mealstrom has left IRC (mealstrom!~Thunderbi@22.214.171.124, Read error: Connection reset by peer)|
|14:17||mealstrom has joined IRC (mealstrom!~Thunderbi@126.96.36.199)|
|14:18||gbaman has joined IRC (firstname.lastname@example.org)|
|14:32||Gremble has joined IRC (Gremble!~Ben@host-92-27-135-217.static.as13285.net)|
|14:33||Gremble is now known as Guest47565|
|14:43||alexxtasi has left IRC (alexxtasi!~alex@unaffiliated/alexxtasi)|
|14:44||flo1546796 has left IRC (flo1546796!~flo154679@unaffiliated/flo1546796, Quit: Quitte)|
|14:48||staffencasa_ is now known as staffencasa|
|14:57||mealstrom has left IRC (mealstrom!~Thunderbi@188.8.131.52, Ping timeout: 260 seconds)|
|15:13||mealstrom has joined IRC (mealstrom!~Thunderbi@184.108.40.206)|
|15:16||championofcyrod1 has joined IRC (email@example.com)|
|15:36||FrozenZia has left IRC (FrozenZiafirstname.lastname@example.org, Ping timeout: 240 seconds)|
|15:42||alkisg has joined IRC (alkisg!~alkisg@ubuntu/member/alkisg)|
Hi bennabiy :)
Did you see the irc logs?
yes, just about to work on it
been helping others troubleshoot why their computer theme is not right
after trying to get nvidia-prime working
alkisg: when using a sed -f file, does it need to be headed with #!/bin/sed ?
bennabiy: no, but do output a comment that mentions what that file is
# Generated by LTSP, to be used by X01-localapps etc etc
sed files respect comments?
AFAIK yes, do google it to be sure
ok, let me just get a little code hammered, and we can do a trial run. Did you notice that launchpad was failing to build now?
I saw it but didn't have time to look into it
Ask in #launchpad
they are working on it
so do we still want to have this opt-outable?
|16:16||Phantomas1 is now known as Phantomas|
|16:25||vagrantc has joined IRC (vagrantc!~vagrant@freegeek/vagrantc)|
bennabiy: I don't mind either way, ask vagrantc...
|16:28||alkisg has left IRC (alkisg!~alkisg@ubuntu/member/alkisg, Remote host closed the connection)|
|16:28||* vagrantc waves|
|16:28||* bennabiy waves|
ok, so hash is now stored in sed file, /var/cache/ltsp/shadow.sed
updated rc.d file
time for lunch. See you in a little bit
I still need to incorporate the opt out, but trying to determine the best way to do that
|16:39||matts has joined IRC (matts!411abcf6@gateway/web/freenode/ip.220.127.116.11)|
Since it's enabled by default, should I just check if LDM_NOHASH is set?
or something like that?
think about it and let me know
|16:40||matts is now known as Guest26794|
alkisg put that in your court
|16:42||Guest26794 has left IRC (Guest26794!411abcf6@gateway/web/freenode/ip.18.104.22.168, Client Quit)|
|16:43||matt___ has joined IRC (matt___!411abcf6@gateway/web/freenode/ip.22.214.171.124)|
|16:54||FrozenZia has joined IRC (FrozenZiaemail@example.com)|
|17:02||Phantomas has left IRC (Phantomas!~phantomas@ubuntu/member/phantomas, Remote host closed the connection)|
vagrantc: did you see the update?
|17:18||FrozenZia has left IRC (FrozenZiafirstname.lastname@example.org, Ping timeout: 240 seconds)|
bennabiy: use boolean_is_true or ! boolean_is_true
I do not see a c definition for that
bennabiy: just checking if it's set gives unexpected behavior if you set to false.
Is that in c? or script?
we definitely had it in both at one point... hrm.
|17:21||* vagrantc wonders if someone switched it all to gboolean|
I notice a lot of gboolean use
but I remember seeing boolean_is_true in scripts
ah, there we go
where is that defined?
bennabiy: haven't looked over the updates, but will in a bit
vagrantc: So should I use the variable LDM_NOHASH?
to indicate that you need to opt out
|17:40||Guest47565 has left IRC (Guest47565!~Ben@host-92-27-135-217.static.as13285.net, Remote host closed the connection)|
|17:43||Ark74 has joined IRC (Ark74!~Ark74@126.96.36.199.cable.dyn.cableonline.com.mx)|
bennabiy: no hash what? :P
bennabiy: i'd recommend LDM_PASSWORD_HASH true/false, defaults to true
bennabiy: negation variables are mentally difficult
tell me about it
bennabiy: i.e. NO_FOO=true ... NO_FOO=false ... it gets confusing fast.
especially when dealing with boolean compare
seems launchpad patched the issue now, ldm built fine for me
so, let me just get the boolean patched in, and it should be "good"
Quick question, in stgraber's pics of bts, was that you in the debian hat, with long hair?
vagrantc: I am thinking I will want to add to the struct definition of SSHInfo to make an entry for ldm_password_hash
I will see if I can squeeze it in within hashpass
and make sure that the password gets freed, no matter what
bennabiy: i do have a debian hat, and i do have hair.
bennabiy: yeah, the password freeing was my last question
http://photos.stgraber.org/Conf/2013-ltsp-by-the-sea/ the first pic
bennabiy: your log entries need to be updated for the new sed script instead of /tmp/foo
ah, I knew I was forgetting something!
bennabiy: and remove the commented out g_free stuff
bennabiy: i think you found me, yes. looks like my braids were in disorder
How long has it been since you last cut your hair?
bennabiy: haven't cut it this millennium
|18:08||championofcyrodi has left IRC (email@example.com, Quit: Leaving.)|
|18:21||championofcyrod1 has left IRC (firstname.lastname@example.org)|
Hello All, I am very new to LTSP and thin clients in general. I've been working with them off and on for a few weeks to get some thin/fat clients working off an existing Ubuntu 12.04 server, have had varied success, and was wondering if I could pick some of your brains for some help.
ask: Don't ask to ask a question, simply ask it, and if someone knows the answer, they'll respond. Please hang around for at least a full hour after asking a question, as not everybody constantly monitors the channel.
matt___: ^^ :)
just trying to see if I can repurpose some old Dells sitting around collecting dust
Can they boot to network ?
|18:33||metaf5 has left IRC (email@example.com, Remote host closed the connection)|
vagrantc: It seems I am going to have to do some shuffling of booleans anyway, because if it is true by default, but not set, then it would not return true if I did ldm_getenv_bool
well I guess the question I have in my head right now is: where does the image pull its user preferences from? For example, I was trying to get local apps working and seemed to mess something up, and the client wouldn't boot anymore, so I completely removed it and created a new one, but it still had the background that I set
so I guess I just know enough to be dangerous
|18:39||championofcyrodi has joined IRC (firstname.lastname@example.org)|
|18:40||Parker955 is now known as Parker955_Away|
vagrantc: Does that make sense?
matt___: can you give a little more details about your environment?
Ubuntu 12.04 server, no GUI, installed ltsp-server, using dnsmasq to leave the DHCP in our router, and trying to test thin/fat clients for old Dell 2400s
pretty much used the walkthrough here UbuntuLTSP/ProxyDHCP
and that question was more out of curiosity in how the thin client image works
so that i can customize it
|18:59||Ark74 has left IRC (Ark74!~Ark74@188.8.131.52.cable.dyn.cableonline.com.mx, Read error: Connection reset by peer)|
|19:06||Parker955_Away is now known as Parker955|
vagrantc: I could do a setenv with overwrite disabled, and then test for the env variable
that might be the easiest
bennabiy: you can test if it's set, and assume true if not
surely there's example code in there...
|19:15||adrianorg has left IRC (email@example.com, Ping timeout: 256 seconds)|
|19:17||adrianorg has joined IRC (firstname.lastname@example.org)|
|19:18||Ark74 has joined IRC (Ark74!~Ark74@184.108.40.206.cable.dyn.cableonline.com.mx)|
ok here is a question, why does a VM boot any size image but the old Dell PC gives an error that the exported image is too big?
vagrantc: Here goes... pushed new code
matt___: how much ram does it have?
matt___: also, is the image you are exporting the same architecture as the machine booting it?
I think the one I've tested the most with only has 512
matt___: how are you generating the image?
and on what type of machine?
what architecture is the server?
so when you do your ltsp-build-client, are you doing --arch i386 ?
|19:35||Faith has left IRC (Faith!~paty@unaffiliated/faith, Ping timeout: 245 seconds)|
yes I used the --arch i386
and the client will actually boot and I can log into the LDM session and it's functional
so which pc is giving the error?
|19:38||Andymeows has joined IRC (Andymeows!~Andymeows@unaffiliated/andymeows)|
|19:38||vagrantc has left IRC (vagrantc!~vagrant@freegeek/vagrantc, Quit: leaving)|
the server is a Xeon quad core, 8GB RAM w/ a Supermicro board, so I'm sure the server should run several thin clients, right?
at least 4 or so
but possibly not 4 running youtube and such
but for general use, yes
more than 4
Hello, are there any special instructions for compiling a new kernel inside a chroot/image?
yeah, it's for a small office. I'm just testing to see if turning the old equipment into thin clients will improve performance or if they just need to upgrade hardware
|19:42||Faith has joined IRC (Faith!~paty@unaffiliated/faith)|
Andymeows: any particular reason you want to recompile a kernel?
bennabiy: my graphics chipset is apparently only supported in 3.16 kernel. (as per the folks in #intel-gfx)
|19:49||FrozenZia has joined IRC (FrozenZiaemail@example.com)|
so just pull in the 3.16 kernel
no need to compile it
debian. but the backports version is 3.12
ah, look for vagrantc, he should be able to give you a little more help
I need to go now
vagrantc: do not merge yet, something is not working right
vagrantc: the X script is not actually running now
|20:15||Ark_74 has joined IRC (Ark_74!~Ark74@220.127.116.11.cable.dyn.cableonline.com.mx)|
vagrantc: for some reason the X01-localapps-ldm is not getting installed in the client when I manually install the ldm and ldm-server packages
even if it is in the source.
Also, I will need to test why it is not getting the environment variable properly
Is there somewhere I need to tell it to look for and get that variable from?
I have to go now, but I will be back tomorrow.
|20:19||Ark74 has left IRC (Ark74!~Ark74@18.104.22.168.cable.dyn.cableonline.com.mx, Ping timeout: 272 seconds)|
|20:29||mealstrom1 has joined IRC (mealstrom1!~Thunderbi@22.214.171.124)|
|20:32||mealstrom has left IRC (mealstrom!~Thunderbi@126.96.36.199, Ping timeout: 272 seconds)|
|20:51||epoptes_user2 has joined IRC (epoptes_user2!59e793a5@gateway/web/freenode/ip.188.8.131.52)|
so I hit an error building the chroot inside Docker... of course, mounting the proc folder
mount: permission denied
the HOST is CentOS, so I'm not so sure mounting the /proc folder into the container will help
reading -> http://tuhrig.de/how-to-know-you-are-inside-a-docker-container/
which discusses /proc a bit
|21:10||Andymeows has left IRC (Andymeows!~Andymeows@unaffiliated/andymeows, Ping timeout: 264 seconds)|
what does ltsp do with /proc when attempting to build the chroot?
|21:35||gbaman has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|21:36||gbaman has joined IRC (email@example.com)|
|21:40||gbaman has left IRC (firstname.lastname@example.org, Ping timeout: 240 seconds)|
|21:40||Andymeows has joined IRC (Andymeows!~Andymeows@unaffiliated/andymeows)|
|21:46||gbaman has joined IRC (email@example.com)|
|21:50||vagrantc has joined IRC (vagrantc!~vagrant@freegeek/vagrantc)|
bennabiy: it looks like your latest commit unconditionally sets the variable to true, regardless of whether it was already set?
|22:32||Faith has left IRC (Faith!~paty@unaffiliated/faith, Quit: Saindo)|
|23:09||gbaman has left IRC (firstname.lastname@example.org, Ping timeout: 245 seconds)|
|23:10||Phantomas has joined IRC (Phantomas!~phantomas@ubuntu/member/phantomas)|
|23:25||gbaman has joined IRC (email@example.com)|
vagrantc: It is not supposed to overwrite the variable if it exists (that is what that last 0 means)
But it should set the variable if it is not set.
|23:34||Ark_74 is now known as Ark74|
vagrantc: I can try it a different way though
bennabiy: ah, perfect, then.
but... something is not working. so I wonder if it is doing what it is supposed to
bennabiy: technically, we typically set defaults like that in ltsp_config.d/foo
Although my install also did not put the rc.d script in place, so I wonder if other things are funny about it
bennabiy: i think it would actually be better if it checked if the variable wasn't set, rather than setting the variable.
That is the issue with just doing a ldm_getenv_bool because it returns false for null or false, which is NOT what we want
that is partly why I wanted the negative environment to have to set having the opt out as true
I was trying to make ldm_getenv_bool to have an environmental set one way or another, but something backfired
bennabiy: just do ldm_getenv_bool || "LDM_PASSWORD_HASH" == ""
not exactly sure how to check for that, but that should work.
I think I need to have an intermediary variable, and have it set to true unless ldm_getenv_bool = false
if you can do it in shell, surely it can be done in C :)
yes, just takes longer :)
that could work, too.
you already have an intermediary variable...
the do_hash ...
not functioning as one yet though
could default to true, check if the variable is set, if it is, set do_hash to the value ldm_getenv_bool sets
yes, something like that. I cannot work on it tonight much more, but tomorrow morning I should be able to
i could also implement it, since i'm the one insisting on it
If you want.
I won't say no :)
I just did something because no one else was doing anything yet :)
Really, if you wanted it to not get set, you could just delete the file through shell, without running sed
yeah, let's stop my feature requests from blocking this...
we should take out the variable check then first
you go ahead and implement a working setup, and i'll implement the variable checks
I vote we handle the opt out at the script level
but the main reason to opt out would be to not have the hash floating around
so opt out shouldn't generate the hash at all
so handling it in X01-localapps-ldm seems like a mistake
pass a variable to ssh_hashpass which is either bool true or false