Distributions/Configurations For Specific Uses?

Page writes "My college (UMPI) is currently reviewing a proposal to collect old hardware from small businesses and assemble machines for those who do not have a PC. The issue came up as to what linux distro to use that will allow us ease of both setup and ability to lock down the machine so once they are out in the field, they cant be tinkered with by accident (thus preventing problems later). These will be used solely for the purpose of web activities (surfing/mail), and word processing and *THATS IT*. Does anyone have suggestions and an idea about how to go about a standardized (or a sort of embedded) configuration across variable hardware?"

Client/Server

[qurob]

If it's possible, why not just set up terminals?

Whether a machine is a P166 or AMD 2000+ it'll be pretty much the same. Most colleges have networked dorms and such anyhow.

You might as well go with RedHat or your favorite distro, but when you're piecing computers together you can't do much about standards. Just hope for the best!

Re:Client/Server

[TheLoneCabbage]

If you layer the network it should work fine.

first off 100mbit switches are not expensive, and 100mb suposedly can support upto 30 machines (the terminals them selves can have 10mb NICs). So use one Server per 30 terminals, and the Servers have two network cards w/o hard drives allowing them access to a central Boot Server. Maintenance should ammount to replacing dumb terminals, rebooting "servers". All administration can be done on the central boot server.

Pentium one class PCs with monitors are running less than $60 now. And they do pretty well at drawing pretty pictures on the screen. You can buy them up my the dozens and replace them just as easily. Especialy good when your dealing with college kids that tend to be rough on public equipment. (Imagine the faces of some moron who tries to steal one!!)

We did this once...

[ites]

(But for a standardized hardware platform)
(and for an industrial application...)
Using DHCP and BOOTP, we loaded the OS and the applications across the network.
The PC had no hard disk, no drives.
The boot server was itself booted from a CDROM.
So there was nothing to break or mess with.
For word processing you'd have to use a network drive but that makes sense for backups anyhow.
Modern Linuxes are pretty good at detecting existing and especially legacy hardware.
So this approach would work for your problem.

LiveCD a-la Gentoo setup?

[Hobart]

You might want to take a look at how Gentoo Linux puts together their "LiveCD" for installation purposes...

Since you don't want these people to be able to change any configurations, just have a web browser and word processor, getting them to where their setup boots off of a read-only CD that has the tools they need may be the solution.

Of course, this is a large amount of work, but perhaps the time you save putting it together will outweigh the time you might loose if they mess with and break their configurations. ;)

But what about printing?

[billmaly]

I'll guarantee you, once you get these machines out into the world, people will want to print with them. Printers fail and are changed, how will the plans for locked down systems affect the users ability to actually create something? Otherwise, I like the concept.

Re:But what about printing?

[afidel]

have generic queue's that arent specific to a piece of hardware? I know at least one university I attended did this with one queue per floor and then had one to four printers doing the work. This may not work well without something like a study lounge with a printer on each floor of a dorm if these are to go to students in the dorm though.

FireCast Linux

[wirespring]

My company WireSpring Technologies makes a custom version of Linux called FireCast that's designed specifically for remotely managed terminals like kiosks, public terminals, and the like. We've got some customers in the education industry who are doing exactly what you mention, on hardware that they were set to abandon before they found us. Even if you don't go with our software, you might get some ideas from the interactive demo. Good luck!

Knoppix -- bootable CD with Moz, Open Office, etc.

[Chuck+Messenger]

Knoppix sounds like it would be perfect. It's a bootable Linux CD, which includes lots of useful software, including Moz and Open Office. So, users couldn't accidentally screw it up. It did a nice job with the 2 computers I tried it on. It can access an attached hard drive or floppy, for storing files. Not sure how it deals with Moz profiles, for setting up email. But you could always set them up with web mail.

Anything should work.

[halftrack]

Any distro should work (choose Debian.) Most distro feature some form of automated installation.

PCI hardware is rarely a problem with newer kernels/distros, but if you're talking P100s and 486s with isa cards you may run into problems requiring custom setups (might be fun.)

Linux distros are by default (I'm going to regret saying this) locked down, but (I'm regretting) should be tweaked with boot passwords, firewalls (and updates.)

If possible running the machines as thin clients is a option to considere. (Although you would need to add a few strong servers which will add to your sofar 0$ budget.)

LTSP / K12LTSP

I agree with the previous posts about netbooting. Take a gool look at the LTSP / K12LTSP projects. The boot images that are assigned can be modified for specific machines based on MAC address, allowing you to configure lesser hardware to use the processing power of the server, and newer hardware to use its own processing power, with network storage of all ./home directories and apps. You can even use a modified version of DHCPd and an appropreate MacOS image to boot most Mac computers this way.

Word of warning, do not try and place the LTSP servers in a "server farm", spread them out over the network.

By having the computers as diskless workstations you can greatly simplify the long-term IT overhead of these systems, while at the same time accomplishing your goals.

For LTSP See:
k12ltsp.org
ltsp.org

For the modified DHCPd to do Mac NetBooting:
staff.harrisonburg.k12.va.us/~rlinewe aver/macnb/

kiosk mode

[jd142]

Do a search on google for Kiosk mode linux. There are a couple of projects out there. The idea with a kiosk is that it is a public machine dedicated to web surfing only, which would include using web based e-mail. It should be locked down really tightly, because people love to play with public machines.

I would suggest using icewm as a window manager. It runs fast on slower machines and the configuration files are easy to read and understand even before your read the fine manuals. I would also suggest mozilla as your web browser. You can really restrict it by changing lines in the .js and .rdf files.

Depends

[dr.Flake]

Depends on how "closed"do you want you're machine to be.

What kind of people will be using them? the guy who wrote the slapper worm while he is in jail, college students, or members of staff who you can slap on the wrist???

the point is:

any machine you can fysically access can be tampered with. period. If you make it a thin client you'll still be able to remove the bootP, put in a harddisk and make it your own.

So de level of security and effort you put into this depends more on the public thats going to use them than on the distribution you use.

thin clients are very easy to maintain, have few rotating parts, are not very attractive for theft and can be replaced pretty quick.

There are several

[vadim_t]

I'm not completely sure about Knoppix because I never used it, but I've heard it's very good. Debian looks like another good choice. Some things that are great about it is that stable is *stable* and security fixes are easy to automate, for example apt-get upgrade in cron using your own source to install only tested patches, and in general its configuration is very simple. Unlike Mandrake and other fancy distributions, Debian has very simple boot scripts and configuration, which makes it much easier to adapt it to your needs. It also has some great tools like make-kpkg that make it much easier to compile a kernel that will be installed on several computers.

QNX web demo and Yahoo mail services.

[teamhasnoi]

That would be fast as hell, secure (no hard drive) and (free, free and free). You can type all you want in the notepad on Yahoo.

Community Service for Geeks

I've thought of starting something similar to this at my university in Orlando. Me and my friends alone have enough less-than-beefy parts left over from upgrades to make machines. And one computer, even if it's only 400 MHz, could make a real difference to some kid whose family can't afford to expose him to computing.

Not having tech skills can be a real blow to class mobility. There's reasons why geeks are frequently thought of as elitist. We're not known as the most socially or financially generous group. We don't tend to help others up, just people within our own community. The hardware races we engage in seem like a flagrant waste to people that can't pay their power bills as we whine for more RAM. Contributing refurbished machines to needy families could go a long ways towards improving our social stigmas. It could also help to ensure that struggling families can add some valuable skills to their resumes without investing money they don't have; giving them skills gives them better earning potential, and a way to improve their situation.

Even aside from that, it's just cool to watch a 6-year-old learn how to work a computer. It's undeniably cute.

Is there a counrty-wide group that does this that we could hook into? It'd be nice if we could get requests and need lists from more than just the university community.

Re:Knoppix -- bootable CD with Moz, Open Office, e

[Unholy_Kingfish]

I think that Knoppix would be a good stating point. Set up accounts for all the users(which most universities already do), and give them XXmb of storage for saving documents. You can ad some scripts that would make their default that space. (moding the Knoppix CD) That CD would be used to boot form on all the systems, you _could_ even skip using a hard drive in the system, but it would be slow without the swap file. Now all systems would have the SAME setup, same menus, everything. Each user would have his/her own name and pw to get into the network and their storage. When it is time to update the software you just send out new CD's to each user and they replace the old one. So lets say as the project continues you can make a more specific install with more or less programs, custom programs whatever. Do a test release to one floor in a dorm and see how it goes... tweak and tweak and tweak.... ________________________________ Michael Alexander

Kawaii Linux

[MsGeek]

This is what the Kawaii Linux project is all about. The idea is to create a graphical Linux distribution that will run on everything from 486DX on up. Right now we're looking at doing this with Debian and an installer currently being developed by an Australian developer which will smooth out the usually cryptic Debian install process to a better extent than even the Progeny installer.

The target for Kawaii Linux is people who are refurbishing old computers for distribution to charities and underprivileged kids. A secondary target is those who want to play with Debian but are intimidated by the usual install process, although Xandros and the Progeny Installer address those issues too.

This will be a K.I.S.S. distro in the tradition of Lycoris. The goal is a fast install with the best of breed amongst lightweight applications. If you are interested in the project, email me.

Normal install + cleanup login script

[InodoroPereyra]

There were a couple similar requests in Slashdot recently, please do a search for more. The simplest idea I read at the time was the following. Do a basic install, configure a simple desktop for a typical user, save the corresponding "/home/user" somewhere as root so nobody can mess it up. Set the PC up only for one user. Then let people login, but make sure that when they log out the only home directory in the machine gets wiped out and the original setup is copied back from the place where it is backed up.

You will need to probably run a very lightweight desktop such as Xfce, if your hardware is very old. If you use Mandrake, you can play around choosing a minimal set of packages in the install, and then save the packages list on a floppy so that you only need to do the selection once. Installing in the rest of the machines will be much faster. Probably half an hour or so per machine if you do a light install.

Good luck, and thank you for choosing GNU/Linux :-)

Re:Well... LindowsOS is out of the question

[ites]

Yes, just tried another LindowsOS install on a random box here. Insert CDROM, boot, click 'Ok', 'Next', 'Ok', 'Next', enter root password, confirm root password, click 'Ok', and wait for 4 minutes as it formats the disk and installs at the same time.
And that's it. Every device correctly detected, network and a firewall correctly installed, and the OS updated via Debian's apt and the network.
It is almost as fast to install from scratch as to boot a normal PC.
So, you can 'lock down' the PC simply by reinstalling at will. Say every Monday morning, at 6am. I'm sure this could be automated. :)

Too much bandwidth/effort

[ColGraff]

Two problems with graphical terminals: One, they'll need extra bandwidth, and a lot of colleges (like mine until this year) are only 10 mbit. Also, the whole idea here is to turn out a solution that the techs will never, ever have to touch again. Terminal/server systems would be the responsibility of the techs.

We're doing this as well

[Raleel]

Only our LUG got approached by a nonprofit.

Several of the people here have made itneresting suggestions, but I doubt they really read the question. There are several things that can be inferred from your statement.

1) These machines are going out into "the field", meaning network will be, at best, occasionally dial up.

2) You are getting hardware dicarded by businesses. My guess is that this is pentium 2 hardware at best, and probably mostly pentiums. and probably less than 128 megs of ram...likely 32 and 64.

We have this exact problem. We have a mess of older hardware and want to get as many machines as we can out to the people.

So what's our solution? We are still exploring, Currently, though, the front runner is gentoo compiled on another faster box (but with optimizations for the target platform, a pentium) and then image the discs with mondo-rescue. mandrake is also in there, as well as (of all things) corel.

What are we currently running for software?
1) abiword
2) opera (static, free download version)
3) gnumeric
4) gnucash
5) icewm (with the Pure95/Windows 95 theme)
6) rox (with the pinboard enabled for desktop control)
7) sylpheed
8) tuxtype (need for a typing tutor)
9) gaim (I am a firm believer in instant messaging)

And there are several "support" programs as well.
Currently, it's taking up nearly 1.5 gigs, but I compiled it rather fat...with all the library support. We lefted 1/2 a gig for home and 128 meg for swap.

And so I tested it out on my athlon, but I turned myself down to 32 megs of ram, and it's still pretty damn fast on my desktop. Probably be just fine when i get it imaged out there. My intention will be to configure it with standard svga drivers in some lower resolution that almost any card will support (800x600, 16 bit color) and try to be as standard as I can with the sound. I compiled the kernel fat as hell (1.4M, 90% of everything actually compiled in, not as modules :-O ) but everything works, which is a bonus.

email me (musashi@owt.com) or contact our lug (3clug@3clug.org) and we'll swap notes.

done this - chroot

[Permission+Denied]

I've done this. Basically, set up public email/web kiosks.

1. Password-protect the BIOS. People will mess with this.
2. Be careful with the boot manager. Make sure people can't pass kernel arguments (eg "linux init=/bin/sh"). Grub allows you more options than lilo in this direction.
3. Modify all boot scripts to ensure there is no way to get an interactive shell at boot.
4. Use some filesystem that's resilient to reboots. People will reboot the machines (unplug them) all the time, so use ReiserFS or ext3.
5. You'll probably have more than one person managing these machines. Try looking into pam_ldap, or pam_krb5 (whatever is appropriate for your organization) along with pam_listfile, so that only two or three people know the root password.
6. Browsers aren't meant to do this. For instance, you can type in a URL like "file:///" and use the browser as a file manager. Prevent this by running the web browser in a chrooted environment.
7. Disk space may be low on older machines, so don't copy files to the chrooted environment - hard link them instead (hard links work across chrooted environments). Basically, what you do is "ldd browser" and hard link all those libraries into the chrooted environment. Then run the browser, see what files it requires (eg, /etc/resolv.conf, any shared libraries it loads itself using dlopen(3), and so on), hard link those files and continue until you have a working environment.
8. Also on the browser end, you may have difficulties finding a browser that will run quickly enough on older hardware. Mozilla and Konqueror are sluggish on my Athlon XP 1800+, so they are quite out of the question. I also had little success with Opera, and I'll tell you now that Netscape 4.x may be your only viable choice.
9. I wrote my own window manager custom to the task. I would recommend that you run a window manager that you KNOW won't launch any other programs unless you specifically make it do so. Look into wm2, and then modify it (it's very clean code) so that it will never start up xterm and so the root menu shows a list of allowed programs (browser, ssh to read mail, etc).
10. You may also want to allow people to read mail using SSH. Remember to disable the "escape" character for ssh so people can't drop into a shell. I wrote a small front-end to ssh that pops up a GUI asking for username and password (and I modified SSH to take the username and password from the GUI using unix domain sockets). People really appreciated the little GUI, but there are some issues involved in this and you need to be experienced in Unix/C (openssh nowadays comes with its own program that pops a GUI asking for password, but it behaves in such an unfamiliar way (eg, not like Windows or MacOS where you two text boxes asking for username and password at once and the password field shows you how many characters you've typed) that it's completely useless for this situation).
11. I used tar to image the machines. I couldn't use a dedicated IDE drive duplicator since the drives were different sizes and I NEEDED all the space I could get on the drives. It basically goes like this: put src and target drives in machine, boot off src, fdisk/format target, mount target on /mnt, and then do cd /; tar -cf - bin usr var lib etc | (cd /mnt ; tar -xvf -). Make sure you don't specify proc or any other directories you don't need and then remember to create /mnt, /tmp, and so on the target drive. This doesn't take long and you can train a plentiful non-unix person to help you do it.
12. Don't expect great success. Most of your users (especially those that don't have computers) will have never seen anything that's not MacOS or Windows and they won't like the systems simply because they look unfamiliar.

Anyway, I'm a coder, not admin, at heart, so I ended up doing a lot of custom code (custom window manager, SSH front-end, stuff to get netscape to start up chrooted, etc) and it was a big time sink for the little benefit that it provided (people didn't like using the kiosks). Have fun.

Linux is wrong way to go.

[foo+fighter]

Given your new used computers are running at least a Pentium 133, have 64 MB RAM and a 2GB hard disk:

1. Pirate a copy of Windows 2000.
2. Install it on the first computer using the NTFS file system. Install your pirated copy of Office 2000.
3. Change the permissions on C:\, making sure permissions are inherited by child objects:
4. 
   
   • SYSTEM: Full Control
   • CREATOR OWNER: Full Control
   • Administrators: Full Control
   • Authenticated Users: Read & Execute, Read, List
   
   
   
5. Use Computer Management administration tool to create a new user who is a member of Users group. Use Users and Passwords control panel to automatically log that user into the system.
6. Use sysprep to image this disk to the rest of the computers.
7. Bonus points if you pirate Windows 2000 Server, set up a simple Active Directory, and control group policy for the systems from there.

Linux is horrible for centralized administration and locking down the desktop. My way you don't have to network anything which saves time and money. You don't have to worry about someone stealing the CD you are booting from. And since you are pirating the software Microsoft doesn't get any money.

Despite the naysayers, Windows 2000 runs great on a P133 with 64 megs o' ram, especially when all you are doing is word processing or surfing the Internet.

NIST has a great guide for securely configuring a Windows 2000 workstation. It takes you step by step through each of the items you will need to configure. If you want to get a bit more jiggy than my 6 point solution above, check this out: http://csrc.nist.gov/itsec/download_W2Kpro.html

Re:Not possible I'm afraid [Was Re:Client/Server]

[dan+the+person]

I think you a dreaming if you expect people to run OpenOffice and mozilla on old machines.

Mozilla is just bearable on my K6-200 with 96Mb of ram. OpenOffice just crawls.

As much as i hate to use MS products, on p100 class machines win95+IE5.5+Office95 really is considerably more usable than the linux alternatives.

Newer versions of MS Office might be OK too, i dunno i haven't used windows much for many years.

You don't need to provide downloads of Linux

[0x0d0a]

The GPL says that if you give someone a binary copy of a program, you need to also provide source upon request, at no more than a reasonable packaging fee.

There is absolutely no requirement to make a distro of Linux downloadable -- as a matter of fact, I believe SuSE does *not* let people download CD images (or at least they have a major lag time between shelf releases and ISO releases).

The *only* requirement is that if someone purchases a copy of your Linux distro *and* if they ask for a copy of the source, you have to get them a copy of your source at a low price. That's it. You can sell source CDs instead of allowing downloads if you want.

Remember, Linux is free as in speech. Any beer freeness is incidental.

Re:Not possible I'm afraid [Was Re:Client/Server]

[AvitarX]

For word prossessing in Linux, Abiword is the way to go. It is super cool, and really small. I would also suggest using knoppix as a starting point. It has all the driver stuff fairly worked out, and it automounts CDs (probably floppies too). For the word prossessing you need to add either a standard print driver already setup, so they can print. Or preconfigure AbiWord to save as rtf by default. The rtf's it puts out are sufficient for esseys, btu I don't know how well it can format them for formal papers. You probably could get a deal on printers from the vendor though. I bet those cheapy, 50.00 dollor printers, at office max could be gotten for free for a good cause (they really like more people buying ink).
as far as internet, you really can't configure that on a CD, so you would nead a small hard drive and an easy internet configuration tool. I would imagine a clean GUI over wvdial would work great, and be easily chopped together with expect and any random /TK language.