Archive for the ‘What?!’ Category

Customizing the WebConverger Kiosk – The fast way

Posted on May 7th, 2011 in GIMP, Kiosk, What?! | 8 Comments »

Recently I was asked to assist a co-worker in finding a good locked-down kiosk solution for a local coffee shop. The project requirement was small – mostly just a simple browser.

There seem to be a lot of Linux-based kiosk projects out there, most of them now unmaintained. After a bit of searching, I came across a good one – WebConverger.

Webconverger

Webconverger is a Live Debian build, created and maintained by Kai Hendry using the Debian live-build packages. The LiveCD includes the lightweight Dynamic Window Manager (DWM), the IceWeasel browser with the Webconverger kiosk extension (to lock things down), and… well, that’s about it.

Kai has excellent documentation on rolling your own Webconverger LiveCD using his GIT repository, although being pressed for time I opted to go the BraindeadProjects route: Just modify his already released ISO.

To begin modifying it in this manner, first mount the iso using a loopback device:

#mkdir /mnt/webconverger
#mount -o loop webc-7.2.iso /mnt/webconverger

Next mount the SquashFS image, also using a loopback device:

#mkdir /mnt/webconverger-filesystem
#mount -o loop -t squashfs /mnt/webconverger/live/filesystem.squashfs \
/mnt/webconverger-filesystem

As these two mounts are read-only, we need to create editable copies of each.

#mkdir /devel/isolinux
#rsync -av /mnt/webconverger/ /devel/isolinux/

#mkdir /devel/squashfs
#rsync -av /mnt/webconverger-filesystem/ /devel/squashfs/

Now we can go about modifying these two directories. Changing out the ISOLINUX boot splash image is an easy start. The image found under /devel/isolinux/isolinux/splash.png is actually an LSS16 image despite the extension. To replace it, take or create an image 640×480 in size and convert it to an indexed palette of 14 colors (LSS16 holds at most 16). In GIMP this is Image > Mode > Indexed.

Indexing Colors in Gimp

Once complete, save your image in PPM format.

Next, you’ll need the syslinux package installed on your machine. The syslinux package includes a handy utility to convert PPM to LSS16 (for use as a boot splash image):

#ppmtolss16 < /tmp/myimage-boot.ppm > splash.png

Since you’re already working on the ISOLINUX side of things, I recommend looking at and revising your boot menu. Once I have an image that I’m happy with, I set the following options to prevent someone from rebooting the Kiosk and tampering with boot parameters:

menu background /isolinux/splash.png
default /isolinux/vesamenu.c32
noescape 1
nocomplete 1
prompt 0
timeout 15
allowoptions 0

While you can nest a number of ISOLINUX boot configs together, I generally keep it to one file that includes the above directives. Don’t forget to include at least one label for a kernel to boot. Bear in mind that these directives only close off the boot menu itself: anyone who can boot the box from a USB stick or enter the firmware setup bypasses them, so set the firmware boot order and password and keep the machine physically out of reach as well.

After updating the Boot Splash screen, have a look at /devel/squashfs/home/webc/pb.sh. This script is what causes IceWeasel to start, restart if closed, and sets the desktop background image (amongst other things). This script also downloads a background image from your homepage at boot – which can come in handy if you want to rotate daily ads.  I’ve personally modified my installation to always load the same background image, and fullscreen that image.

The webpage that appears each time IceWeasel starts is passed as a kernel boot parameter (homepage). To update the homepage, simply edit the append line of the labels in the ISOLINUX config under /devel/isolinux/isolinux/.

You will notice, however, that when pressing the home button in the browser you’re actually taken to an about: page that gives details about the current IceWeasel build. To configure this homepage, look at /usr/lib/iceweasel/browserconfig.properties inside the unpacked image (that is, /devel/squashfs/usr/lib/iceweasel/browserconfig.properties):

browser.startup.homepage=www.braindeadprojects.com

I personally like to lock things down a bit more than the standard release. For that reason I also add the following to /etc/iceweasel/pref/local.js

pref("network.protocol-handler.external.snews", false);
pref("network.protocol-handler.external.news", false);
pref("network.protocol-handler.external.irc", false);
pref("network.protocol-handler.external.mail", false);
pref("network.protocol-handler.external.mailto", false);

Another thing that may prove beneficial is to remove any and all remnants of xterm. As the xorg metapackage depends upon xterm (or another x-terminal-emulator), it will have to be forcibly removed. This is best done in a chroot environment:

#chroot /devel/squashfs/ /bin/bash
#dpkg --force-all --purge xterm
#exit

Once you have your modifications complete, you will want to re-squash the squash filesystem. To do this, you’ll need squashfs-tools version 4 (check with mksquashfs -version; CentOS is currently distributing version 3, so do keep that in mind). Squashing using version 3 of the tools will result in a non-bootable kiosk. Note also that mksquashfs appends to an existing output file rather than replacing it, hence -noappend below.

#mksquashfs /devel/squashfs/ /tmp/webc.squashfs -noappend
#mv /tmp/webc.squashfs /devel/isolinux/live/filesystem.squashfs
#cd /devel/isolinux/
#mkisofs -o /tmp/my-webc.iso -r -J -l -cache-inodes -allow-multidot -no-emul-boot \
-boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat \
/devel/isolinux

Finally, isohybrid your ISO:

isohybrid /tmp/my-webc.iso

I highly recommend testing your ISO image in VirtualBox. Using VirtualBox (or any other virtualization option) saves you from constantly burning an image to a CD or USB drive. Be mindful that you can skip the isohybrid step and test with VirtualBox, although you won’t be able to install it later using dd.

Once you have an image that you’re happy with, use dd to copy the ISO onto the hard drive of your kiosk machine. Personally, I copy my ISO to a USB thumbdrive running the Gentoo-based System Rescue CD, boot into it and then install onto the hard drive:

dd if=/livemnt/boot/kiosk/my-kiosk.iso of=/dev/sda

Double-check the target device first (lsblk or fdisk -l): dd overwrites the whole disk, partition table included, with no confirmation.
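The steps above, gathered into a script. This is an added example, not code from the original post or from WebConverger: a lint for the ISOLINUX lock-down directives, a generator for the label that carries the homepage= kernel parameter, and the re-squash/mkisofs/isohybrid steps in one place. The /devel paths follow the post; the label name "kiosk" and the /live/vmlinuz, /live/initrd.img and boot=live values are Debian Live conventions assumed here, so compare them with the isolinux.cfg shipped in the ISO you started from.

```shell
#!/bin/sh
# Added example; not code from the original post or from WebConverger.
# Assumptions: the /devel tree from the post, a label named "kiosk", and
# the Debian Live kernel/initrd paths and boot=live parameter.

# check_isolinux_cfg FILE: report directives that are missing or weaker than
# recommended, plus a missing LABEL. Returns 1 if anything needs attention.
check_isolinux_cfg() {
    cfg=$1 rc=0
    for want in "noescape 1" "nocomplete 1" "prompt 0" "allowoptions 0"; do
        key=${want% *} val=${want#* }
        # first occurrence wins, keyword matched case-insensitively like SYSLINUX does
        got=$(awk -v k="$key" 'tolower($1) == k { print $2; exit }' "$cfg")
        if [ -z "$got" ]; then
            echo "missing: $want"; rc=1
        elif [ "$got" != "$val" ]; then
            echo "weak:    $key is $got, want $val"; rc=1
        fi
    done
    # the menu still has to boot something
    if ! awk 'tolower($1) == "label" { n++ } END { exit n ? 0 : 1 }' "$cfg"; then
        echo "missing: at least one LABEL stanza"; rc=1
    fi
    return $rc
}

# kiosk_label URL: print a LABEL stanza that hands URL to the kiosk through
# the homepage= boot parameter described in the post.
kiosk_label() {
    cat <<EOF
label kiosk
    menu label ^Kiosk
    kernel /live/vmlinuz
    append initrd=/live/initrd.img boot=live homepage=$1 quiet
EOF
}

# rebuild_iso OUT: lint the boot config, re-squash the edited tree and build
# a hybrid ISO. Needs squashfs-tools 4.x, mkisofs and syslinux; run as root.
rebuild_iso() {
    out=$1
    check_isolinux_cfg /devel/isolinux/isolinux/isolinux.cfg || return 1
    # -noappend: mksquashfs otherwise appends to an existing output file
    mksquashfs /devel/squashfs/ /tmp/webc.squashfs -noappend
    mv /tmp/webc.squashfs /devel/isolinux/live/filesystem.squashfs
    mkisofs -o "$out" -r -J -l -cache-inodes -allow-multidot -no-emul-boot \
        -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin \
        -c isolinux/boot.cat /devel/isolinux
    isohybrid "$out"
}

# usage: sh rebuild.sh /tmp/my-webc.iso
if [ $# -eq 1 ]; then
    rebuild_iso "$1"
fi
```

Run check_isolinux_cfg on its own against the config in your working copy before every rebuild; a config that passes the lint still needs the firmware-level protections mentioned above, since the lint only covers what ISOLINUX can enforce.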

Of course, one could save time and simply use the WebConverger Customization Service… but why not use this as an opportunity to sharpen one’s skills.

Coming soon to – a walkthrough on how to build and customize a WebConverger ISO from Kai’s GIT repository (as opposed to re-rolling his ISO).

Back in the dark ages

Posted on April 2nd, 2011 in BrainDeadTip, Linux, Virtualization, What?! | No Comments »

Recently (don’t ask me why, seriously) I had to migrate a physical Redhat 9 server to a virtualized platform (KVM).

Yes, ideally one rebuilds the deprecated server anew, but due to time-constraints and a number of other issues that wasn’t a possibility. Unfortunately, sometimes you just have no choice but to kick the can down the street.

The migration from physical to virtual is simple – create the virtual guest, create an LVM logical volume for the disk,  format it and rsync the contents from the physical to the virtual drive. After that, install grub on the guest and voila – you’re done.

Keeping some consistency (although unnecessary), I went with an EXT3 filesystem on the “new” guest. Unfortunately, I came across the following snags:

  • The inode size used in Redhat 9 is 128 bytes, but modern systems (i.e. the host I formatted the partitions from) use 256 bytes.
  • A number of filesystem features that newer mke2fs enables by default weren’t present in Redhat 9.

Here’s the output of tune2fs on a Redhat 9 EXT3 partition:

# tune2fs -l /dev/hda1
tune2fs 1.32 (09-Nov-2002)
Filesystem volume name:   /boot
Last mounted on:          <not available>
Filesystem UUID:          9e6fa853-18bc-4c08-bb7c-51c74e0c11ae
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal filetype needs_recovery  sparse_super
Default mount options:    (none)
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              8032
Block count:              32096
Reserved block count:     1604
Free blocks:              17451
Free inodes:              7982
First block:              1
Block size:               1024
Fragment size:            1024
Blocks per group:         8192
Fragments per group:      8192
Inodes per group:         2008
Inode blocks per group:   251
Filesystem created:       Tue Oct 26 12:48:49 2010
Last mount time:          Thu Oct 28 15:58:10 2010
Last write time:          Thu Oct 28 15:58:10 2010
Mount count:              11
Maximum mount count:      28
Last checked:             Tue Oct 26 12:48:49 2010
Check interval:           15552000 (6 months)
Next check after:         Sun Apr 24 12:48:49 2011
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:               128
Journal UUID:             <none>
Journal inode:            8
Journal device:           0x0000
First orphan inode:       0

The following is output from a Centos 5.5 formatted EXT3 filesystem:

# tune2fs -l /dev/mapper/VolGroup00-LogVol00
tune2fs 1.39 (29-May-2006)
Filesystem volume name:   <none>
Last mounted on:          <not available>
Filesystem UUID:          7384cac8-b098-4c85-be6d-643443ae3d3d
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Default mount options:    user_xattr acl
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              6809088
Block count:              6807552
Reserved block count:     340377
Free blocks:              6204875
Free inodes:              6752521
First block:              0
Block size:               4096
Fragment size:            4096
Reserved GDT blocks:      1022
Blocks per group:         32768
Fragments per group:      32768
Inodes per group:         32736
Inode blocks per group:   1023
Filesystem created:       Thu Oct 28 13:31:34 2010
Last mount time:          Thu Oct 28 17:43:57 2010
Last write time:          Thu Oct 28 17:43:57 2010
Mount count:              2
Maximum mount count:      -1
Last checked:             Thu Oct 28 13:31:34 2010
Check interval:           0 (<none>)
Reserved blocks uid:      0 (user root)
Reserved blocks gid:      0 (group root)
First inode:              11
Inode size:               128
Journal inode:            8
Default directory hash:   tea
Directory Hash Seed:      42eb54b3-8f66-4aef-8578-388c9863423c
Journal backup:           inode blocks

As you can see, the default feature set has changed in 10+ years (the CentOS 5.5 output above still shows a 128-byte inode because its e2fsprogs 1.39 defaults to 128; e2fsprogs 1.40 and later default to 256, which is why -I 128 is passed explicitly below). The solution: format the “new” guest to match the specs of the old:

#mke2fs -O has_journal,filetype,sparse_super,^ext_attr,^resize_inode,^dir_index \
-I 128 -j /dev/sda$disk
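Deriving that mke2fs command rather than hand-copying it. This is an added example, not from the original post: it reads two saved tune2fs -l outputs (the old box and a filesystem made with the new host’s defaults), keeps the old feature list, prefixes every feature the new default set adds with ^, and takes the inode size from the old box. The sample files in the test are constructed from the two listings above; needs_recovery is skipped because it is a journal-replay state flag, not a format option.

```shell
#!/bin/sh
# Added example, not part of the original post: turn two "tune2fs -l"
# listings into the -O/-I arguments that make the new filesystem match the
# old one. Usage: sh mke2fs_args.sh old-tune2fs.txt new-tune2fs.txt

# tune2fs_field NAME FILE: value of the "NAME:" line in a tune2fs -l listing
tune2fs_field() {
    sed -n "s/^$1:[[:space:]]*//p" "$2"
}

# mke2fs_args OLD NEW: print "-O <features> -I <inode size>"
mke2fs_args() {
    old=$(tune2fs_field "Filesystem features" "$1")
    new=$(tune2fs_field "Filesystem features" "$2")
    isize=$(tune2fs_field "Inode size" "$1")
    feats=""
    # keep exactly what the old filesystem had ...
    for f in $old; do
        [ "$f" = needs_recovery ] && continue   # runtime flag, not a format option
        feats="$feats${feats:+,}$f"
    done
    # ... and explicitly switch off everything the new defaults would add
    for f in $new; do
        [ "$f" = needs_recovery ] && continue
        case " $old " in
            *" $f "*) ;;
            *) feats="$feats${feats:+,}^$f" ;;
        esac
    done
    printf '%s %s -I %s\n' -O "$feats" "$isize"
}

if [ $# -eq 2 ]; then
    mke2fs_args "$1" "$2"
fi
```

For the two listings above this yields `-O has_journal,filetype,sparse_super,^ext_attr,^resize_inode,^dir_index,^large_file -I 128`, one feature more than the post’s command: large_file is harmless to leave on for a 2.4 kernel (it is set automatically the first time a file over 2 GB is written), so dropping the ^large_file term is fine. After formatting, run tune2fs -l on the new volume and diff its feature and inode-size lines against the old box before rsyncing anything.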

And that’s it: rsync the files over to the guest VM, install grub, verify your fstab is good (and that tune2fs -l on the new volume shows the same features and inode size as the old box), and voilà – you’ve transferred a physical server to a virtual one.

Quit Googling your Passwords

Posted on March 24th, 2011 in BrainDeadTip, What?! | No Comments »

Recently, I noticed someone using one of the QuickSearch toolbars included in Firefox as a place to temporarily paste something while working on their desktop.

Put it here temporarily?

It makes sense, you need to place to hold something for a moment – it’s right there and readily available. And since you’re not pressing the Enter key, it’s not going to be sent anywhere right?

Well, actually it is. As soon as you stop typing, the search bar sends an HTTP GET request for suggestions to its target (Google in this case). The lookup happens without anything in your browser changing, so you might not realize it even occurs. Here’s a copy of the request from the packet:


GET /complete/search?output=firefox&client=firefox&hl=en-US&q=mysuperleetpassword HTTP/1.1
Host: suggestqueries.google.com
User-Agent: <omitted>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8


Does this matter? That depends on what you put there. You probably wouldn’t pick up the phone and call Google (or Yahoo!, or BING, etc) and tell the receptionist “Hey, my Facebook username is … and my password is …”, but you can very easily do this by simply pasting ANYTHING in that handy little search bar.

Here’s a quick video of me running a packet capture and typing something into the search area. Again, I only moved my cursor – never did I press Enter (View it fullscreen for better detail).


I wonder how much garbage accidentally falls into search engine pits like this. I’m also curious as to how many sites log mistyped passwords (think of it this way – you accidentally type your webmail password into Facebook or vice versa).
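To see what actually left the machine, scan a capture for suggestion requests. This is an added example, not from the original post: it walks HTTP request lines as printed by tcpdump -A or a proxy log, pairs each GET /complete/search line with its Host header, and prints the URL-decoded q= value. Only the Google endpoint from the capture above is matched; the requests in demo_leaks are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: pull search-suggestion
# queries out of captured HTTP request lines. Only the suggestqueries
# endpoint seen above is matched; the sample capture is constructed.

# find_suggest_leaks FILE: print "host<TAB>decoded query" for every request
# to /complete/search that carries a q= parameter.
find_suggest_leaks() {
    awk '
    BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
    # undo form encoding: "+" is a space, %XX is a byte
    function urldecode(s,    out) {
        gsub(/\+/, " ", s)
        out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1) hex[toupper(substr(s, RSTART + 1, 2))]
            s = substr(s, RSTART + 3)
        }
        return out s
    }
    # request line: keep the path until its Host header shows up
    /^(GET|POST) / { path = $2; next }
    /^[Hh]ost:/ {
        host = $2; sub(/\r$/, "", host)
        if (path ~ /^\/complete\/search\?/ && match(path, /[?&]q=[^&]*/)) {
            q = substr(path, RSTART + 3, RLENGTH - 3)
            print host "\t" urldecode(q)
        }
        path = ""
    }' "$1"
}

# demo_leaks: run the scanner over a constructed capture (two suggestion
# requests around an ordinary page fetch) and print what it finds.
demo_leaks() {
    f=$(mktemp)
    printf '%s\r\n' \
        'GET /complete/search?output=firefox&client=firefox&hl=en-US&q=mysuperleetpassword HTTP/1.1' \
        'Host: suggestqueries.google.com' \
        'GET /index.html HTTP/1.1' \
        'Host: www.example.com' \
        'GET /complete/search?client=firefox&q=user%40example.com+hunter2&hl=en HTTP/1.1' \
        'Host: suggestqueries.google.com' > "$f"
    find_suggest_leaks "$f"
    rm -f "$f"
}

demo_leaks
```

The fix on the client side is to turn suggestions off: in Firefox set browser.search.suggest.enabled to false (about:config, or a pref() line in the same local.js used for the kiosk above), after which the search bar only talks to the engine when Enter is pressed.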

All the misguided traffic reminds me of  the pollution problem of 1.0.0.0/8.

Blast you, PinEntry!!!

Posted on March 17th, 2011 in What?! | 2 Comments »

Following a recent update to my Gentoo installation at work, I found myself pestered by PinEntry acting as my new SSH Authentication Agent. Formerly, I used the normal ssh-agent, as it’s console only and doesn’t steal focus on the terminal window I’m currently working in.


Popups Must Die

A quick look at the process-list shows why:

gillespiem@kovacs2 ~ $ ps axu | grep gpg-agent
30847 ?        Ss     0:00 gpg-agent --daemon --enable-ssh-support --write-env-file /home/gillespiem/.cache/gpg-agent-info


The GPG-Agent is being run with the --enable-ssh-support flag. Here’s how you can turn it off if you’re using XFCE4:

The script /etc/xdg/xfce4/xinitrc handles choosing the correct authentication agent at line 129:

129 # launch gpg-agent or ssh-agent if enabled.
130 ssh_agent_enabled=`xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled 2> /dev/null`
131 if test "$ssh_agent_enabled" != "false"; then
132     # if the user has pam_ssh installed, it will start ssh-agent for us, but
133     # of course won't start gpg-agent.  so, if ssh-agent is already running,
134     # but we want gpg-agent (and that's not running yet) start gpg-agent
135     # without ssh support
136
137     ssh_agent_type=`xfconf-query -c xfce4-session -p /startup/ssh-agent/type 2> /dev/null`
138     if test -z "$ssh_agent_type"; then
139         if which gpg-agent >/dev/null 2>&1; then
140             ssh_agent_type=gpg-agent
141         else
142             ssh_agent_type=ssh-agent
143         fi
144     fi

To pass the first test (line 130), set ssh-agent to be enabled by running this (it only needs to be run once):

xfconf-query -n -t bool -c xfce4-session  -p /startup/ssh-agent/enabled -s true

To pass the second test (line 137), set /startup/ssh-agent/type to … well, pretty much anything will do, as line 138 only tests that it’s a non-empty string – I’m setting it to “ssh-agent”:

xfconf-query -n -t string -c xfce4-session  -p /startup/ssh-agent/type -s ssh-agent

If you’re currently in XFCE4, kill gpg-agent and restart XFCE. You’ll find when you return, ssh-agent will act as your SSH Authentication Agent, and gpg-agent will handle GPG specific transactions. To confirm which one you got, check echo $SSH_AUTH_SOCK: ssh-agent’s socket lives under /tmp/ssh-XXXXXXXXXX/agent.<pid>, whereas gpg-agent’s ends in S.gpg-agent.ssh.

BrainDeadUpgrade

Posted on March 9th, 2011 in BrainDeadTip, What?! | No Comments »

Not much has happened project-wise in the last few weeks. Any free time I’ve had has gone to updating the wireless firmware to capture MAC addresses and pass them off to an Elgg plugin I’ve written. I’m still waiting on a box of 10 Servo’s from China to continue my RC Car modification project.

I’ve also got plenty of work to do around the house until May.

But now, after almost 4 years, I’ve decided it’s time to spruce up BrainDeadProjects.com. I’m retiring the glowing brains that have been the personification of BrainDeadProjects for these past few years. Sure, remnants will probably remain (the favicon for instance)… but now let me introduce you to “Tin Can Head”:

Tin Can Head is the work of LogoDesignCreation.com. Give them your idea, and for a modest amount  (under $60), they’ll propose a few design ideas for you. Turnaround is fast, Wired.com gave them a good grade, and overall I have to say that I’m pretty satisfied.

More project updates soon, in the meantime stare at the glowing brains of Tin Can Head.