|00:33||we6jbo has joined IRC (email@example.com)|
|01:15||vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)|
|04:35||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|04:39||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Client Quit)|
|04:40||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|04:44||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Client Quit)|
|04:45||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|04:46||we6jbo has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|04:49||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Client Quit)|
|04:50||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|04:54||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Client Quit)|
|04:55||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|05:04||we6jbo has joined IRC (email@example.com)|
|06:29||we6jbo has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|06:38||woernie has joined IRC (email@example.com)|
|06:46||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Ping timeout: 255 seconds)|
|07:06||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|07:44||ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)|
|08:23||alkisg_irc has left IRC (alkisg_irc!~Thunderbi@srv1-dide.ioa.sch.gr, Ping timeout: 256 seconds)|
|08:24||alkisg_irc has joined IRC (alkisg_irc!~Thunderbi@2a02:587:744e:8500:c24a:ff:fe02:bc1e)|
|08:31||fiesh has left IRC (fiesh!~fiesh@2003:fb:1018::21, Read error: Software caused connection abort)|
|08:31||fiesh has joined IRC (fiesh!~fiesh@2003:fb:1018::21)|
|08:33||highvoltage has left IRC (firstname.lastname@example.org, Read error: Software caused connection abort)|
|08:33||highvoltage has joined IRC (email@example.com)|
|08:52||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Remote host closed the connection)|
|08:56||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|09:20||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|09:49||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|09:53||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Remote host closed the connection)|
|09:54||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|10:08||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Ping timeout: 255 seconds)|
|10:22||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|11:37||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|12:02||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|12:08||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|12:34||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|13:09||we6jbo has joined IRC (firstname.lastname@example.org)|
|13:26||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
|13:54||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
|14:18||we6jbo has left IRC (email@example.com, Ping timeout: 260 seconds)|
|14:30||we6jbo has joined IRC (firstname.lastname@example.org)|
|14:55||we6jbo has left IRC (email@example.com, Remote host closed the connection)|
|15:34||john has joined IRC (firstname.lastname@example.org)|
|15:34||john is now known as Guest3221|
Hi, total beginner at admin and servers. I have read about LTSP and plan to use it to set up a computer lab. I had two questions.
1. If I have a lab of laptops where I install Ubuntu onto them (on their own harddrives) what would be best to use to boot my LTSP image, chroot or VM? Does VM mean I need to install a VM software on the laptops or how does it boot from the VM image? I feel the docs don't go into details what these are, I suppose they assume people are familiar
what VM and chroot is
2. How easy is it to install a software and make sure every computer can use that software? Will software be "streamed" or are they run locally on the image?
The typical LTSP setup would be like this:
Suppose you have 12 laptops. You completely ignore the hard drive of 11 of them. You don't install anything there. No OS. Or just throw the hard drive outside the window.
Then you label one of them as the "ltsp server", even if it's no different than the others. You install e.g. Ubuntu MATE 22.04 there.
And then you follow the https://ltsp.org/docs/installation/ page, the chrootless paragraph, and that way a clone of that single hard disk installation is published to the local network
You don't need any VMs or chroots; just do that ^
It takes 1 minute to run those commands, then 10 minutes of waiting, and the other laptops can then netboot over the network
First of all, thank you so much!
Ah, and I can then setup user accounts for different users so they have their own home folder where they can put their work? And all software that are installed on the ltsp server will be available on the client machines? Do they need to be restarted or turned off while changes are made on the server?
You setup user accounts and software on the ltsp server. To make them available to the network, you need to run `ltsp initrd` for new accounts (=1 second), or `ltsp image` for new software (=10 minutes)
You can do that while the clients are used normally. But to get the changes, they'll need to be rebooted
All home directories will be stored on the server /home/username
The users will access them using "sshfs" (or nfs) over the network
Okay! Sounds like chrootless is the way to go for me then. What is a typical usage where chrootless would not be a good way or not possible?
If your server is PC and the clients are Raspberries
Do they need to actually use commands like "sshfs"? The usage is for computer illiterate students that can barely use keyboard and mouse.
If your server has webmin, ldap, apache, and a lot of other services, is headless etc, and you want the clients to be normal desktops
This setup is optimized for schools, we're using it here in Greece in more than 1000 schools. Administrators are IT teachers (not sysadmins), and users are kids from 5 to 18 years old
So no, not even teachers need to use commands like sshfs
Okay, I suppose I'll try installing it and see how intuitive it is to use. But I doubt using commands will be nice. Would be better if the home folder was mounted for each user by default
That's good to hear
Yes, the home folder is automatically mounted by just logging in
What makes Raspberry Pis unsuited for chrootless?
You can login with either a password, or with a single click, or even autologin
PC is x86_64 architecture, raspberry pi is armhf or arm64. They can't be booted from the same installation
Ahh I see! Thank you, then I understand the limitation there.
I suppose controlling the server remotely should be no issue either with ssh. And with epoptes I can issue commands to turn off computers if I'd like to service the image on the server?
Sure, but you don't need to turn them off while managing the server image
The clients can keep working normally while you do image maintenance
There's the "current image" and the "new image", they can coexist
Ah, then I can force them to restart instead after servicing. What would be a typical usage for VM image then? Would that be a PC which should be used as a regular desktop and also virtualize the ltsp image to control both in the same environment?
Guest3221: no. In the VM image case, you maintain the VM, then you shut it off, then you run `ltsp image`. The VM doesn't need to be running for the clients to boot
You should only use a VM when the server installation is veeeeery different than the client installation
Eg. if the server is a headless rack mounted thing and the clients are desktops
I see. Then for my case chrootless is best! Thank you, your help is really really useful and easy to understand
For example, teachers here use the ltsp server as their desktop PC, and they control the client PCs from there. There's no need to use a VM for that.
Could a teacher logon to one of the clients with their credentials and access epoptes or is that run only on server-computer?
There are two ways to do that, I documented them there ^
Seems the remote is more flexible. In the other scenario the "epoptes-pc" is vulnerable and more valuable in an environment where the possible administrators are also quite computer illiterate.
In your experience, is the remote way slow or decent speed?
It's decent if you have gigabit lan
Okay. Good I will make sure to implement gigabit bandwidth
I take it you are pretty active in developing LTSP and epoptes. Thank you so much for your contributions. This will be put to good use.
With this chrootless setup; configuring software or setting backgrounds is possible thanks to tmpfs I suppose, but when the users restart the computer and login again, or login to another computer, are their preferences such as settings for software and screen wallpaper saved?
|16:45||vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)|
|18:21||Guest3221 has left IRC (Guest3221email@example.com, Quit: Client closed)|
Guest3221: tmpfs/overlayfs/squashfs are for the / root file system; there's nothing tmpfs about /home, it's sshfs
Changes are immediately reflected to the server
|19:11||woernie has left IRC (firstname.lastname@example.org, Remote host closed the connection)|
|19:54||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Remote host closed the connection)|
|19:55||Vercas63 has joined IRC (Vercas63!~Vercas@gateway/tor-sasl/vercas)|
|20:14||eu^broadband-46- has joined IRC (email@example.com)|
Hello guys. Does somebody have experience with 2FA authentication based on LTSP?
|20:17||NickolayZaytsev[ has joined IRC (NickolayZaytsev[!~madcmk2ma@2001:470:69fc:105::2:be6f)|
2 chats for the same room. That's interesting)
|20:18||eu^broadband-46- has left IRC (firstname.lastname@example.org, Client Quit)|
irc and matrix, from what i recall?
bridged together somehow...
It would be a huge help if you gave me some information about it. Thanks anyway
i only use the irc interface, so no idea really
looks pretty much the same since i started using it in 2005 or 2006 ... before matrix was even an inkling of an idea :)
FYI. This is my question from the matrix: "Hello guys. Does somebody have experience with 2FA authentication based on LTSP?"
Any help will be appreciated
yeah, saw it
but no experience with it
NickolayZaytsev[: that said, LTSP basically just uses pam authentication ... so if you can hook into pam with whatever 2FA you're doing ... that ought to work fine.
although it depends on what you're trying to use 2FA for
e.g. logging into the clients themselves, or using remote sites requiring 2FA ?
in any case, shouldn't be much different from just configuring it on a "regular" computer.
Nickolay Zaytsev: AFAIK you can e.g. enable google-authenticator and it'll show up in the DM login screen; indeed the same as on a non-ltsp installation
Let me come at it from the other side: is there any easy way to change the number and content of the X-windows visible on the thin client side?
The standard flow is "username" windows, "password" after that and you are logged in.
But can I add some extra X-windows? Like an input for special "code" after "password", before logging in?
PAM is not username/password. PAM is a "stdin/stdout chat". It can keep asking questions and questions for ages if needed.
So yeh the google authenticator pam module hooks there and is displayed in the login screen
I would suggest that you test something like this: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04
...on a non-ltsp installation first, to see how 2FA and PAM works; then the same will also work in LTSP
Sry, I'm new in PAM/LTSP topics.
So if I add a google authenticator pam module, an extra X-window will appear automatically when the time has come to input the code?
Yes. It's not a new x-window, the same text box is reused throughout the PAM conversation
> <@alkis:matrix.org> I would suggest that you test something like this: https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-20-04
> ...on a non-ltsp installation first, to see how 2FA and PAM works; then the same will also work in LTSP
Almost. But we are using our own module. So if I understand you correctly, all I need is to create a PAM module and add it to the flow
And the inputs will be controlled in the PAM module
Right, if you create a PAM module then it will hook into the login process, either the DM window or even the vt2 text login
And all that is unrelated to LTSP; it's just how PAM works
That's amazing! I thought it is only for the bash console conversation, not for the desktop things at all
alkisg: Thank you very much. You help me a lot.
Can I come back with some more complex questions, if I fail in my attempts?)
Sure, although if they're PAM (=non LTSP) questions, it might be best to locate some PAM-related support channel...
pamltsp is just a python script, it's not a fully fledged pam module; these are typically written in C
alkisg: I see. I guess one last question: is there anything special about installing PAM modules for the LTSP clients? Or is all I need to add the appropriate PAM module to the client image (chroot folder) and correct the PAM settings?
Sorry if I sound stupid
As long as your pam module is registered properly, like these ^, then it will play well with all the others, like pamltsp
While hand-made changes to /etc/pam.d usually don't fare so well when more pam modules are added
Many tutorials on the internet skip the "correct configuration for pam-auth-update" step; make sure you use pam-auth-update
|20:45||Vercas63 has left IRC (Vercas63!~Vercas@gateway/tor-sasl/vercas, Quit: Ping timeout (120 seconds))|
For better understanding: "pamltsp" is the special PAM module? Is it like an initializer that must be the first one?
|20:46||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|
* the special kind of the PAM module?
alkisg: I'm a little bit confused. Where do I need to call "pam-auth-update" if I'm changing the client image? I thought it's just files that I need to prepare in the proper way. All of the magic will be done when the thin client starts. Am I wrong?
PAM is a stack of modules. They are organized in /usr/share/pam-configs/. Then pam-auth-update is called, and it generates /etc/pam.d/* files
So when LTSP boots, it injects a file in /usr/share/pam-configs/ and then calls pam-auth-update
When you'll create your own module, you'll do that same task inside the chroot/image/whatever you're preparing, you don't need to do it on boot
pamltsp is a "small" pam module written in python, using pam_exec. It's like other pam modules, but it doesn't have many abilities. The goal was to make it interpreted, so as to be able to inject it in any chroot of any architecture
You won't have that limitation, so you should use proper C code, not python
alkisg: Still confused about client/server folders. If I call "pam-auth-update" at any place on the server, does it affect only the server's /usr folder, not the client one? Or will LTSP merge it for me before client start?
> <@alkis:matrix.org> When you'll create your own module, you'll do that same task inside the chroot/image/whatever you're preparing, you don't need to do it on boot
* Still confused about client/server folders. If I will call "pam-auth-update" at any place at the server, does it affect only /usr folder of the server, not the client's one? Or LTSP will merge it for me before client start?
Are you using chrootless ltsp, or a chroot, or a VM image?
chrootless. Sry for disinformation
You said chrootless and then you mentioned a chroot :)
What command are you using to build the image?
ltsp image /? ltsp image i386? ltsp-update-image?
That's a tricky question, cause I'm the guy who has to deal with an already built image)
I guess ltsp image i386
In LTSP5 it was `ltsp-update-image i386`, in the new ltsp it's `ltsp image x86_64`, but anyway, I assume you're using a chroot
That then means that you do your changes inside the chroot
Then you run ltsp image i386, then you reboot the clients
We are using an old version of LTSP, I guess. Cause it's for Debian 8 (Jessie)
The old ltsp isn't using PAM, so all this conversation was inappropriate :)
Using PAM was one of the basic reasons for rewriting LTSP
Oh, really? So it's only for the new versions?
Yes, although the new LTSP version does work on Jessie
You just need to add the PPA
alkisg: And switch from Jessie to something new, right?
No, the PPA supports Jessie
It's up to you if you want something newer or not
Ah, "does", not "doesn't"
|21:04||oh207 has joined IRC (email@example.com)|
Ok. Let me summarize our conversation please. I need to do the following steps:
1. Add the PPA and update LTSP to the new rewritten version
2. Search for the proper command to create the image
3. Add needed PAM modules. Or maybe I can just edit pamltsp, the python script
4. Do the image update
And it must work after all of it. Right?
heh. i sometimes forget the old-style LTSP is still used by some people :)
even though i worked with that for many more years and was more involved, i'm not sure i know it better than the new stuff :)
Nickolay Zaytsev: sounds good. What are you going to use for 2FA, what will your module actually do?
vagrantc: do you maintain any ltsp installations currently?
alkisg: no ... did a little consult with someone late last year
which actually was working with new, old and ancient versions of LTSP
i think we finally got them to drop ltsp 4.2
by ... supporting some ancient debian version with ltsp 5.x
...I'm afraid to ask what was the initial kernel they were running!
it's actually interesting ... not too hard to support ltsp 4.x, ltsp 5.x and modern ltsp all side-by-side
other than how hard it is to support ltsp 4.x at this point
<alkisg> "Nickolay Zaytsev: sounds good..." <- It will add another layer of login/password.
Let me explain it. We have an LTSP installation with a few fixed login/passes. Those logins are impersonal, they are shared. Now we need to add some personalization for them. So every user will need to add his personal ID and a special code after the login/pass, from the mobile application (like Google Authenticator)
So shared login/pass, personal ID + code from mobile app
.... And why don't you switch to personalized logins with different accounts instead?
Is Virtual Box good enough to create a test environment for the LTSP installation? Or is there an easy way?
Virtualbox is fine
alkisg: Same question. But the answer is deadly horrible - it's business thing. And we can't do anything with it :(
|21:35||oh207 has left IRC (firstname.lastname@example.org, Quit: Konversation terminated!)|
So it's a fixed context for us. Like Jessie at the moment
|21:35||oh207 has joined IRC (email@example.com)|
alkisg: Thank you. Thank you for the conversation, Creator)
But if a user logs in to a shared account then they have access to the authenticator secrets. It's completely unsafe
* - it's a business thing.
Anyway it's late here good night and good luck
alkisg: Why? Secrets will be stored on the server. One secret per each user, in safe zone
alkisg: Yeah. Thank you again. And good night. I'll share with you my experience after the success)
|22:02||ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)|
|22:58||Vercas6 has left IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas, Ping timeout: 255 seconds)|
|23:24||oh207 has left IRC (firstname.lastname@example.org, Ping timeout: 256 seconds)|
|23:29||Vercas6 has joined IRC (Vercas6!~Vercas@gateway/tor-sasl/vercas)|