Post by Barry R Cisna
You have tried 2 or 3 usb sticks on a client, correct?
That is correct. The usb sticks I am using for testing purposes work
in the server as expected. They also worked as expected on the thin
clients when the server had K12Linux (based on Fedora 10) installed.
Post by Barry R Cisna
Also disable SELinux and reboot server.
Done for testing purposes.
Post by Barry R Cisna
You do have iptables turned off at boot, correct?
No I didn't, but done now for testing purposes. To do this, I first
unplugged the external interface cable.
Post by Barry R Cisna
Providing you have user al added (which it looks like al is in fuse
group) to the fuse group usb sticks should show an icon on desktop
when plugged in.
I really wish it did, but it doesn't.
Post by Barry R Cisna
One other thing.
You did have a group fuse without manually adding this group to the
server, correct?
Yes. That is correct. The fuse group was there right after installing
the system. There is no fuse user, just a fuse group.
Post by Barry R Cisna
Let us know your progress.
No USB icon on the desktop so far after plugging a memory stick into a thin
client where I've successfully logged in with a username that is in
the fuse group. I've made the same tests in different clients (of
identical model) and nothing. So, I set SELinux to enforcing mode
again and enabled IPtables at boot time again. Then restarted the
server and plugged the external interface cable in to send this
message.

Beyond testing purposes, is there any particular reason to fully
disable SELinux (or even put it in permissive mode) when no denial
message is reported in the /etc/audit/audit.log file?

Beyond testing purposes, is there any particular reason to fully
disable IPtables when the internal interface is accepting everything
from the internal network, and thin clients boot up and allow users to
log in successfully on them?

As far as I know, the local devices' mount process takes place through
fuse, which is executed as the root user. If this is correct, and
SELinux doesn't report any issue, there must not be any user-related
permission issue, I guess. Some of the directories that might be
affected by any type of user/selinux-related permission issue could be
the following (or could there be others?):
drwx------ al al system_u:object_r:user_home_dir_t /home/al
drwxr-xr-x al al user_u:object_r:user_home_t /home/al/Drives/
drwxr-xr-x root root system_u:object_r:mnt_t /media/
On the packet filtering side of things, I've configured IPtables to
ACCEPT all the packets in the INPUT of the internal interface (eth0)
where the thin clients are connected. However, I am DROPping all
packets in the INPUT of the external interface (eth1) except those
packets that have been generated from the host itself. In the case of
OUTPUT and FORWARD rules they are both ACCEPTed for internal and
external interfaces. See the output of the iptables -L -n -v command
below:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source       destination
 1348 1733K ACCEPT             all  --  lo     *       0.0.0.0/0    0.0.0.0/0
 2281 1722K ACCEPT             all  --  eth0   *       0.0.0.0/0    0.0.0.0/0
  144 30506 Internet_services  all  --  eth1   *       0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source       destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target             prot opt in     out     source       destination
 1348 1733K ACCEPT             all  --  *      lo      0.0.0.0/0    0.0.0.0/0
 2438 2668K ACCEPT             all  --  *      eth0    0.0.0.0/0    0.0.0.0/0
   83 12176 ACCEPT             all  --  *      eth1    0.0.0.0/0    0.0.0.0/0

Chain Internet_services (1 references)
 pkts bytes target             prot opt in     out     source       destination
    0     0 ACCEPT             icmp --  *      *       0.0.0.0/0    0.0.0.0/0    icmp type 255
   23 19604 ACCEPT             all  --  *      *       0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
  121 10902 REJECT             all  --  *      *       0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

Would it be in the /etc/exports file?
## LTSP-begin ##
#
# The lines between 'LTSP-begin' and 'LTSP-end' were added
# on: vie ene 2 15:18:15 2015, by the ltspcfg configuration tool.
# For more information, visit the LTSP homepage
# at http://www.LTSP.org
#
/opt/ltsp 192.168.0.0/255.255.255.0(ro,no_root_squash,sync)
/var/opt/ltsp/swapfiles 192.168.0.0/255.255.255.0(rw,no_root_squash,async)
## LTSP-end ##
Would it be in the /opt/ltsp/i386/etc/ltsp.conf file (comments and
empty lines removed from output)?
[Default]
SERVER = 192.168.0.254
XRAMPERC = 90
XSERVER = "auto"
X4_MODULE_01 = glx
X_MOUSE_PROTOCOL = "auto"
X_USBMOUSE_PROTOCOL = "auto"
X_MOUSE_DEVICE = "/dev/psaux"
X_USBMOUSE_DEVICE = "/dev/input/mice"
X_MOUSE_RESOLUTION = 400
X_USBMOUSE_RESOLUTION = 400
X_MOUSE_BUTTONS = 3
X_USBMOUSE_BUTTONS = 3
USBEMULATE_3_BUTTONS = "off"
XkbSymbols = "us(pc101)"
XkbModel = "pc101"
XkbLayout = "us"
USE_XFS = N
LOCAL_APPS = N
SCREEN_01 = startx
LOCAL_STORAGE = Y
LTSPFSD_OPTIONS=""
HOTPLUG = Y
SOUND = Y
SOUND_DAEMON = "esd"
VOLUME = 75
[ws002]
PRINTER_0_DEVICE = /dev/lp0
PRINTER_0_PORT = 9100
Somewhere else?
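
The INPUT rules quoted in the message can be replayed for a single packet to see which rule decides it, instead of turning the firewall off to find out. The following is an added example, not part of the original message: it parses the listing (wrapped lines rejoined) and walks the chains for a TCP packet arriving on a given interface. The function names are hypothetical, and matching is simplified to interface, protocol and connection state, with source, destination and ICMP type ignored.

```python
import re

# INPUT-path part of the iptables -L -n -v listing from the message, wrapped lines rejoined.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 1348 1733K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 2281 1722K ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 144 30506 Internet_services all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain Internet_services (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
 23 19604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 121 10902 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

def parse(listing):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:  # user-defined chains have no policy, so group(2) is None
            cur = chains.setdefault(head.group(1), {"policy": head.group(2), "rules": []})
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue  # skip column headers and blank lines
        cur["rules"].append({"target": f[2], "prot": f[3], "in": f[5], "extra": " ".join(f[9:])})
    return chains

def verdict(chains, chain, iface, prot="tcp", state="NEW"):
    """First matching rule wins; None means the packet falls through a user chain."""
    for r in chains[chain]["rules"]:
        if r["in"] not in ("*", iface) or r["prot"] not in ("all", prot):
            continue
        m = re.search(r"state (\S+)", r["extra"])
        if m and state not in m.group(1).split(","):
            continue
        if r["target"] in chains:  # jump to a user-defined chain
            res = verdict(chains, r["target"], iface, prot, state)
            if res:
                return res
        else:
            return r["target"]
    return chains[chain]["policy"]

if __name__ == "__main__":
    for iface in ("eth0", "eth1"):
        print(iface, verdict(parse(LISTING), "INPUT", iface))
```

A new connection arriving on eth0 is accepted by the second INPUT rule, while the same packet on eth1 reaches the REJECT at the end of Internet_services.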