porteus-kiosk

Differences

This shows you the differences between two versions of the page.

porteus-kiosk [2017/09/20 16:51] – created snarg
porteus-kiosk [2017/09/20 17:08] (current) snarg
Line 1: Line 1:
 +This page was created due to lack of sufficient documentation about the PXE Boot process on the official Porteus Kiosk web site. Porteus-Kiosk maintainers: please feel free to use my work to improve the official documentation.
 +
 It is possible to run Porteus-Kiosk on machines with no local storage, booting via PXE. Config is retrieved from the pxe server over http during bootup. This is NOT possible using the official remote management feature, as detailed below. It is possible to run Porteus-Kiosk on machines with no local storage, booting via PXE. Config is retrieved from the pxe server over http during bootup. This is NOT possible using the official remote management feature, as detailed below.
  
-=== Creating a porteus kiosk config === +==== Porteus customisation and boot methods primer ==== 
-  * Create a new VM with 2G memory and a small hard disk (4G?),  +=== How porteus kiosk official remote management operation works ===
-  * boot the iso,  +
-  * run through the wizard - install porteus to the hard disk +
-  * boot knoppix or similar +
-  * mount the "ISO" partition (sda2) and extract via scp the docs/kiosk.sgn encrypted settings file. +
- +
-=== Porteus customisation and boot methods primer === +
-== How porteus kiosk official remote management operation works ==+
 This requires local storage (a hard disk in the client machine) This requires local storage (a hard disk in the client machine)
   * The client boots from local media    * The client boots from local media 
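Review bot: The added opening paragraph addresses the Porteus-Kiosk maintainers directly ("please feel free to use my work"), which reads as a comment rather than page content; consider moving it to a footnote or a discussion page so the page opens with the technical statement about PXE booting without local storage. The product name is also spelled three ways in the added lines ("Porteus Kiosk", "Porteus-Kiosk", "porteus kiosk"); pick one spelling and use it in the headings as well.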
Line 17: Line 12:
 For this reason the remote management feature in porteus kiosk wont work on PXE - there's no way for the client to "reburn" it's configuration once it checks for remote management, as it has no local storage. For this reason the remote management feature in porteus kiosk wont work on PXE - there's no way for the client to "reburn" it's configuration once it checks for remote management, as it has no local storage.
  
-== How porteus-kiosk works from PXE ==+=== How porteus-kiosk works from PXE ===
   * The kernel, initrd and initrd.xz and initrdpxe.xz (network modules) need loading via pxelinux.    * The kernel, initrd and initrd.xz and initrdpxe.xz (network modules) need loading via pxelinux. 
   * The initrd script initialises network, then downloads via http the docs/kiosk.sgn (encrypted config) and xzm modules (see kernel parameters for location).   * The initrd script initialises network, then downloads via http the docs/kiosk.sgn (encrypted config) and xzm modules (see kernel parameters for location).
   * Boot continues normally (xzm modules unpacked and overlaid etc)   * Boot continues normally (xzm modules unpacked and overlaid etc)
  
-Porteus-Kiosk settings are stored in the docs/kiosk.sgn file which is encrypted with an unknown private key. This was briefly investigated but the developer appears to have made the questionable decision to obscure this method. A head start to further investigations would be a string search for "first_run", "/opt/scripts/extras" and the /opt/scripts directory in general.+Porteus-Kiosk settings are stored in the docs/kiosk.sgn file which is encrypted with an unknown private key. This was briefly investigated but the developers appear to have made the questionable decision to obscure this method. A head start to further investigations would be a string search for "first_run", "/opt/scripts/extras" and the /opt/scripts directory in general. @fanthom: please document this method in the open on the porteus kiosk web site documentation, so it can be properly audited. Security through obscurity is not security at all.
  
-== Porteus-Kiosk encrypted config file kiosk.sgn details ==+=== Porteus-Kiosk encrypted config file kiosk.sgn details ===
 This file is generated by the kiosk wizard that runs when the original ISO is booted. This welcome wizard then generates an ISO file with the kiosk.sgn burnt in, which can optionally be "installed" on local storage or saved for transfer to the PXE server. To extract the kiosk.sgn file after "installing" porteus, simply boot up an alternate live distro, mount the second partition, and take a copy of /docs/kiosk.sgn This file is generated by the kiosk wizard that runs when the original ISO is booted. This welcome wizard then generates an ISO file with the kiosk.sgn burnt in, which can optionally be "installed" on local storage or saved for transfer to the PXE server. To extract the kiosk.sgn file after "installing" porteus, simply boot up an alternate live distro, mount the second partition, and take a copy of /docs/kiosk.sgn
 This should then be copying into the http structure of the PXE server. This should then be copying into the http structure of the PXE server.
  
-=== Implementation notes ===+==== Creating a porteus kiosk config ==== 
 +  * Create a new VM with 2G memory and a small hard disk (4G?),  
 +  * boot the iso,  
 +  * run through the wizard - install porteus to the hard disk 
 +  * boot knoppix or similar 
 +  * mount the "ISO" partition (sda2) and extract via scp the docs/kiosk.sgn encrypted settings file. 
 + 
 +==== Implementation notes ====
  
   * The http component should be served from a custom port on the web server (eg 8088) as the document root. This should contain the file structure from the iso, with replaced kiosk.sgn and any additional xzm modules required.   * The http component should be served from a custom port on the web server (eg 8088) as the document root. This should contain the file structure from the iso, with replaced kiosk.sgn and any additional xzm modules required.
   * The tftp portion for pxe boot should be served from a directory under the tftproot. An additional initrd file is required for pxe booting and the pxelinux config should look something like this:    * The tftp portion for pxe boot should be served from a directory under the tftproot. An additional initrd file is required for pxe booting and the pxelinux config should look something like this: 
-<nowiki>KERNEL /opac-porteus-4.5.0/vmlinuz +<code>KERNEL /porteus-kiosk-4.5.0/vmlinuz 
-APPEND initrd=/opac-porteus-4.5.0/initrd.xz,/opac-porteus-4.5.0/initrdpxe.xz http_server=10.2.100.32:8088</nowiki>+APPEND initrd=/porteus-kiosk-4.5.0/initrd.xz,/porteus-kiosk-4.5.0/initrdpxe.xz http_server=10.2.100.32:8088</code>
   * A custom splash screen can be created in docs/default.jpg on the web server   * A custom splash screen can be created in docs/default.jpg on the web server
- 
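Review bot: The rewritten kiosk.sgn paragraph states the file is "encrypted with an unknown private key" while also saying the method was only "briefly investigated"; mark the claim as unverified and say whether the file is believed to be encrypted, signed, or both, since the PXE boot steps above fetch it and the xzm modules over plain http. The "@fanthom:" request is addressed to one person and would sit better in a message to the maintainers than in the page body. In the pxelinux example the paths were made generic (porteus-kiosk-4.5.0) but http_server=10.2.100.32:8088 is still a site-specific address; replace it with a placeholder. The extraction steps now appear twice, in the kiosk.sgn details paragraph and in "Creating a porteus kiosk config"; keep one copy and refer to it from the other.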
  
  
porteus-kiosk.1505897471.txt.gz · Last modified: 2017/09/20 16:51 (external edit)