Distributions/Configurations For Specific Uses?

Page writes "My college (UMPI) is currently reviewing a proposal to collect old hardware from small businesses and assemble machines for those who do not have a PC. The issue came up as to what linux distro to use that will allow us ease of both setup and ability to lock down the machine so once they are out in the field, they cant be tinkered with by accident (thus preventing problems later). These will be used solely for the purpose of web activities (surfing/mail), and word processing and *THATS IT*. Does anyone have suggestions and an idea about how to go about a standardized (or a sort of embedded) configuration across variable hardware?"

We did this once...

[ites]

(But for a standardized hardware platform)
(and for an industrial application...)
Using DHCP and BOOTP, we loaded the OS and the applications across the network.
The PC had no hard disk, no drives.
The boot server was itself booted from a CDROM.
So there was nothing to break or mess with.
For word processing you'd have to use a network drive but that makes sense for backups anyhow.
Modern Linuxes are pretty good at detecting existing and especially legacy hardware.
So this approach would work for your problem.

LiveCD a-la Gentoo setup?

[Hobart]

You might want to take a look at how Gentoo Linux puts together their "LiveCD" for installation purposes...

Since you don't want these people to be able to change any configurations, just have a web browser and word processor, getting them to where their setup boots off of a read-only CD that has the tools they need may be the solution.

Of course, this is a large amount of work, but perhaps the time you save putting it together will outweigh the time you might loose if they mess with and break their configurations. ;)

Re:LiveCD a-la Gentoo setup?

[ianaverage]

I am using Gentoo right now, and I think that it is great, but I doubt that it is going to be what they are looking for. I could be mistaken, but I do not think that gentoo meets the ease of setup requirement.

You have to configure your partitions and the soundcard and any pretty much any other hardware yourself....and I doubt that the IT department is going to want to do that. They would have to develop a different CD for each system. It seems to me that the way things are going these days is to standardize software for both maintainability and security reasons.

To contradict myself, I could be wrong about all of this though :). I am not sure how it works, and have not used it, but Gentoo has produced a self-booting UT2003 demo disk that supposedly takes care of everything. If you could figure out how they managed to whip this up, maybe this would be the solution to your problem.

FireCast Linux

[wirespring]

My company WireSpring Technologies makes a custom version of Linux called FireCast that's designed specifically for remotely managed terminals like kiosks, public terminals, and the like. We've got some customers in the education industry who are doing exactly what you mention, on hardware that they were set to abandon before they found us. Even if you don't go with our software, you might get some ideas from the interactive demo. Good luck!

Knoppix -- bootable CD with Moz, Open Office, etc.

[Chuck+Messenger]

Knoppix sounds like it would be perfect. It's a bootable Linux CD, which includes lots of useful software, including Moz and Open Office. So, users couldn't accidentally screw it up. It did a nice job with the 2 computers I tried it on. It can access an attached hard drive or floppy, for storing files. Not sure how it deals with Moz profiles, for setting up email. But you could always set them up with web mail.

A machine that's locked down today....

[i0chondriac]

May not be "locked down" tomorrow. Keeping the machines secure, whether or not they are a server or desktop, requires maintenance.

It is for this very reason I recommend SuSE on the desktop, as they offer free and easy updates via YaST, and SuSE boxen are extrememely easy to set up. The SuSE personal firewall is fairly nice and intuitive for the average user as well. Additionally, it comes bundled with Open Office and a slew of browsers and email apps.

Re:Ghost

[i0chondriac]

or you could check out systemimager

http://systemimager.org/

We've successfully cloned hundreds of linux boxes with it, and it supports reiserfs and ext3

the guys on the mailing list are extrememly helpful as well.

kiosk mode

[jd142]

Do a search on google for Kiosk mode linux. There are a couple of projects out there. The idea with a kiosk is that it is a public machine dedicated to web surfing only, which would include using web based e-mail. It should be locked down really tightly, because people love to play with public machines.

I would suggest using icewm as a window manager. It runs fast on slower machines and the configuration files are easy to read and understand even before your read the fine manuals. I would also suggest mozilla as your web browser. You can really restrict it by changing lines in the .js and .rdf files.

Depends

[dr.Flake]

Depends on how "closed"do you want you're machine to be.

What kind of people will be using them? the guy who wrote the slapper worm while he is in jail, college students, or members of staff who you can slap on the wrist???

the point is:

any machine you can fysically access can be tampered with. period. If you make it a thin client you'll still be able to remove the bootP, put in a harddisk and make it your own.

So de level of security and effort you put into this depends more on the public thats going to use them than on the distribution you use.

thin clients are very easy to maintain, have few rotating parts, are not very attractive for theft and can be replaced pretty quick.

Sounds like you need JWZ's kiosk.

[faster]

http://www.dnalounge.com/backstage/src/kiosk/

There are several

[vadim_t]

I'm not completely sure about Knoppix because I never used it, but I've heard it's very good. Debian looks like another good choice. Some things that are great about it is that stable is *stable* and security fixes are easy to automate, for example apt-get upgrade in cron using your own source to install only tested patches, and in general its configuration is very simple. Unlike Mandrake and other fancy distributions, Debian has very simple boot scripts and configuration, which makes it much easier to adapt it to your needs. It also has some great tools like make-kpkg that make it much easier to compile a kernel that will be installed on several computers.

Re:Ghost - HELL NO!

Norton Ghost is the equivelent of 2 commands in linux: (Aside from mkfs)
First, make your image(s):
dd if=/dev/hda bs=512 of=/somepath/bootsector
dd if=/dev/hda1 of=/somepath/diskimage

Then copy it to a machine:
(format you fiel system using mkfs)
dd of=/dev/hda bs=512 if=/somepath/bootsector
dd of=/dev/hda1 if=/somepath/diskimage

Re:Knoppix -- bootable CD with Moz, Open Office, e

[Unholy_Kingfish]

I think that Knoppix would be a good stating point. Set up accounts for all the users(which most universities already do), and give them XXmb of storage for saving documents. You can ad some scripts that would make their default that space. (moding the Knoppix CD) That CD would be used to boot form on all the systems, you _could_ even skip using a hard drive in the system, but it would be slow without the swap file. Now all systems would have the SAME setup, same menus, everything. Each user would have his/her own name and pw to get into the network and their storage. When it is time to update the software you just send out new CD's to each user and they replace the old one. So lets say as the project continues you can make a more specific install with more or less programs, custom programs whatever. Do a test release to one floor in a dorm and see how it goes... tweak and tweak and tweak.... ________________________________ Michael Alexander

Re:Ghost

The problem with Ghost is their licensing scheme..Norton expects you to pay them per computer that the image is transferred to. No joke. Transfer the image to 2000 computers? Pay for them too. I have yet to see any company or educational institution making heavy use of Norton Ghost even own a copy of the program..one of them even had a cracked .EXE and accompanying .NFO file in the same shared network directory that Ghost was installed in.

A plethora of options

[j_kenpo]

There are actually plenty of ways of doing this... the two best ways are a Linux based terminal running as a X-Terminal, or a Windows based Terminal Server setup. Both have their pros and cons of course. The Windows setup has the more familiar user interface and setup. The Linux setup would be free, secure and have plenty of alternatives for applications to choose from. Both are pretty slow as Terminals however. You could go with a easier local installation of either Linux or Windows, both can be locked down pretty tightly. With Windows you can manage the policies, get a setup you like, and image or use Nortons Ghost to copy to different machines. If I had to choose however, I would go with a Linux setup that would boot off an image on a server, so that no matter what changes were made it would always go back to the original setup. Keep it light and have NFSed directories with the applications, having the permissions set so that users could not modify. If you were really crafty, you could even set it up so that if there were compiles to be done, it could distribute the process acorss multiple machines...

Kawaii Linux

[MsGeek]

This is what the Kawaii Linux project is all about. The idea is to create a graphical Linux distribution that will run on everything from 486DX on up. Right now we're looking at doing this with Debian and an installer currently being developed by an Australian developer which will smooth out the usually cryptic Debian install process to a better extent than even the Progeny installer.

The target for Kawaii Linux is people who are refurbishing old computers for distribution to charities and underprivileged kids. A secondary target is those who want to play with Debian but are intimidated by the usual install process, although Xandros and the Progeny Installer address those issues too.

This will be a K.I.S.S. distro in the tradition of Lycoris. The goal is a fast install with the best of breed amongst lightweight applications. If you are interested in the project, email me.

Re:Well... LindowsOS is out of the question

[ites]

Yes, just tried another LindowsOS install on a random box here. Insert CDROM, boot, click 'Ok', 'Next', 'Ok', 'Next', enter root password, confirm root password, click 'Ok', and wait for 4 minutes as it formats the disk and installs at the same time.
And that's it. Every device correctly detected, network and a firewall correctly installed, and the OS updated via Debian's apt and the network.
It is almost as fast to install from scratch as to boot a normal PC.
So, you can 'lock down' the PC simply by reinstalling at will. Say every Monday morning, at 6am. I'm sure this could be automated. :)

I'd install NetBSD

[Faggot]

NetBSD (at version 1.6 now) is a wonderful and lean operating system which can be tailored to specific needs quite easily. Unlike bloated Linux distros (Red Hat, Mandrake, SuSE... basically everything but Slack) it installs only the bare necessities, and the rest can be installed via the kickass package system. You don't have to worry about security holes popping up every six days either -- everything just runs. I'm sure NetBSD could serve the poster's needs 100%.

We're doing this as well

[Raleel]

Only our LUG got approached by a nonprofit.

Several of the people here have made itneresting suggestions, but I doubt they really read the question. There are several things that can be inferred from your statement.

1) These machines are going out into "the field", meaning network will be, at best, occasionally dial up.

2) You are getting hardware dicarded by businesses. My guess is that this is pentium 2 hardware at best, and probably mostly pentiums. and probably less than 128 megs of ram...likely 32 and 64.

We have this exact problem. We have a mess of older hardware and want to get as many machines as we can out to the people.

So what's our solution? We are still exploring, Currently, though, the front runner is gentoo compiled on another faster box (but with optimizations for the target platform, a pentium) and then image the discs with mondo-rescue. mandrake is also in there, as well as (of all things) corel.

What are we currently running for software?
1) abiword
2) opera (static, free download version)
3) gnumeric
4) gnucash
5) icewm (with the Pure95/Windows 95 theme)
6) rox (with the pinboard enabled for desktop control)
7) sylpheed
8) tuxtype (need for a typing tutor)
9) gaim (I am a firm believer in instant messaging)

And there are several "support" programs as well.
Currently, it's taking up nearly 1.5 gigs, but I compiled it rather fat...with all the library support. We lefted 1/2 a gig for home and 128 meg for swap.

And so I tested it out on my athlon, but I turned myself down to 32 megs of ram, and it's still pretty damn fast on my desktop. Probably be just fine when i get it imaged out there. My intention will be to configure it with standard svga drivers in some lower resolution that almost any card will support (800x600, 16 bit color) and try to be as standard as I can with the sound. I compiled the kernel fat as hell (1.4M, 90% of everything actually compiled in, not as modules :-O ) but everything works, which is a bonus.

email me (musashi@owt.com) or contact our lug (3clug@3clug.org) and we'll swap notes.

done this - chroot

[Permission+Denied]

I've done this. Basically, set up public email/web kiosks.

1. Password-protect the BIOS. People will mess with this.
2. Be careful with the boot manager. Make sure people can't pass kernel arguments (eg "linux init=/bin/sh"). Grub allows you more options than lilo in this direction.
3. Modify all boot scripts to ensure there is no way to get an interactive shell at boot.
4. Use some filesystem that's resilient to reboots. People will reboot the machines (unplug them) all the time, so use ReiserFS or ext3.
5. You'll probably have more than one person managing these machines. Try looking into pam_ldap, or pam_krb5 (whatever is appropriate for your organization) along with pam_listfile, so that only two or three people know the root password.
6. Browsers aren't meant to do this. For instance, you can type in a URL like "file:///" and use the browser as a file manager. Prevent this by running the web browser in a chrooted environment.
7. Disk space may be low on older machines, so don't copy files to the chrooted environment - hard link them instead (hard links work across chrooted environments). Basically, what you do is "ldd browser" and hard link all those libraries into the chrooted environment. Then run the browser, see what files it requires (eg, /etc/resolv.conf, any shared libraries it loads itself using dlopen(3), and so on), hard link those files and continue until you have a working environment.
8. Also on the browser end, you may have difficulties finding a browser that will run quickly enough on older hardware. Mozilla and Konqueror are sluggish on my Athlon XP 1800+, so they are quite out of the question. I also had little success with Opera, and I'll tell you now that Netscape 4.x may be your only viable choice.
9. I wrote my own window manager custom to the task. I would recommend that you run a window manager that you KNOW won't launch any other programs unless you specifically make it do so. Look into wm2, and then modify it (it's very clean code) so that it will never start up xterm and so the root menu shows a list of allowed programs (browser, ssh to read mail, etc).
10. You may also want to allow people to read mail using SSH. Remember to disable the "escape" character for ssh so people can't drop into a shell. I wrote a small front-end to ssh that pops up a GUI asking for username and password (and I modified SSH to take the username and password from the GUI using unix domain sockets). People really appreciated the little GUI, but there are some issues involved in this and you need to be experienced in Unix/C (openssh nowadays comes with its own program that pops a GUI asking for password, but it behaves in such an unfamiliar way (eg, not like Windows or MacOS where you two text boxes asking for username and password at once and the password field shows you how many characters you've typed) that it's completely useless for this situation).
11. I used tar to image the machines. I couldn't use a dedicated IDE drive duplicator since the drives were different sizes and I NEEDED all the space I could get on the drives. It basically goes like this: put src and target drives in machine, boot off src, fdisk/format target, mount target on /mnt, and then do cd /; tar -cf - bin usr var lib etc | (cd /mnt ; tar -xvf -). Make sure you don't specify proc or any other directories you don't need and then remember to create /mnt, /tmp, and so on the target drive. This doesn't take long and you can train a plentiful non-unix person to help you do it.
12. Don't expect great success. Most of your users (especially those that don't have computers) will have never seen anything that's not MacOS or Windows and they won't like the systems simply because they look unfamiliar.

Anyway, I'm a coder, not admin, at heart, so I ended up doing a lot of custom code (custom window manager, SSH front-end, stuff to get netscape to start up chrooted, etc) and it was a big time sink for the little benefit that it provided (people didn't like using the kiosks). Have fun.

Re:Client/Server

[TheLoneCabbage]

If you layer the network it should work fine.

first off 100mbit switches are not expensive, and 100mb suposedly can support upto 30 machines (the terminals them selves can have 10mb NICs). So use one Server per 30 terminals, and the Servers have two network cards w/o hard drives allowing them access to a central Boot Server. Maintenance should ammount to replacing dumb terminals, rebooting "servers". All administration can be done on the central boot server.

Pentium one class PCs with monitors are running less than $60 now. And they do pretty well at drawing pretty pictures on the screen. You can buy them up my the dozens and replace them just as easily. Especialy good when your dealing with college kids that tend to be rough on public equipment. (Imagine the faces of some moron who tries to steal one!!)

Pee Wee Linux!!!

I can't believe no one has mentioned Pee Wee Linux.

It rocks!

Everything is run in a ramdisk, so you can really tell the hardware "hands off" of the permanent storage. With the addition of a simple watchdog timer you can have a system that resets itself in the event of any mucking.

Here's the link:

• http://www.peeweelinux.org/

Spreadsheet?

[JstSumSchmuck]

I'd consider adding a spreadsheet program to the list of accessible software. I honestly can't imagine not having a spreadsheet to put ideas where I can look at them (monotonous calculations magically solved on the fly).
Old hardware rules out OpenOffice, but maybe something a little slimmer. Anybody know of a good "lightweight" spreadsheet? I guess it depends on what "old hardware" means too. PII's are probably "old" to some companies, and gnumeric or kspread would work fine.

Re:Client/Server

[vadim_t]

You're thinking of a hub. Hubs are essentially repeaters and work at the lowest common speed. If you plug 10 and 100Mbps devices into a hub it will work at 10. Hubs also send the traffic to every cable, because they're dumb.

Switches, on the other hand, are smart and direct traffic only to the machine that's receiving it. This frees a lot of network resources and means there can be much more than 100Mbps passing through a switch. A hub won't let you have 5 computers talking to 5 other computers at 100Mbps, but a switch will. The 100Mbps ones are also able to handle different speeds. In a home network that means that if you have 5 computers at 100Mbps and an ADSL/cable router at 10Mbps your network won't slow down, and you'll be able to transfer data at 100Mbps between your computers.

In this case what it means is that the server computer can have a fast network card because it sends data to everybody, but since the clients don't need so much bandwidth they can use a 10Mbps card. It's also even somewhat safer because a single client can't saturate the server's connection due to bugs or mischevous students.

You don't need to provide downloads of Linux

[0x0d0a]

The GPL says that if you give someone a binary copy of a program, you need to also provide source upon request, at no more than a reasonable packaging fee.

There is absolutely no requirement to make a distro of Linux downloadable -- as a matter of fact, I believe SuSE does *not* let people download CD images (or at least they have a major lag time between shelf releases and ISO releases).

The *only* requirement is that if someone purchases a copy of your Linux distro *and* if they ask for a copy of the source, you have to get them a copy of your source at a low price. That's it. You can sell source CDs instead of allowing downloads if you want.

Remember, Linux is free as in speech. Any beer freeness is incidental.