Kiosking Ubuntu computers
I recently set up some public computers with Ubuntu at a hackerspace. People kept logging into their Gmail etc. and forgetting to log out. For their own benefit I changed the computers to use overlayfs so on reboot all changes from the base filesystem (Ubuntu 24.04 + packages + updates) are lost. I'm looking for tips on configuration. Keep in mind that because our users tend to be fairly technical I am not attempting to outright prevent changes, just prevent them by default.
Here are the current details:
- The machines have a wallpaper warning users that all changes are wiped on reboot
- The normal automatic update system is disabled (updates through it won't persist)
- I install updates and reboot on a cronjob at 5am every day (this uses `overlayroot-chroot`)
- The overlay is implemented as an encrypted filesystem on a separate partition, with the key generated on boot and held in memory
- Documentation is taped to the desktop computer itself educating users on how to make persistent changes
Hmm, you can get some improvement by setting up the browser so it runs in private mode by default, doesn't restore sessions and clears everything on close.
See here for the first option.
Other than that, the proper solution would probably be to implement temporary user accounts, which would be wiped after logoff, and logoff would be done automatically after some idle time. This should be doable in Ubuntu.
If the computers will be unmanned (e.g. self-service counters), set up the BIOS settings to make it boot when it receives power. Also set up SSH so we can have someone troubleshoot it from behind the booth instead of being in view of the conference-going public.
For the desktop session, you can set up GNOME Kiosk to boot you into a session with no window decorators.
From there you can set up a script to, say, launch Firefox in kiosk mode and private mode to persist a particular URL. Something like this to relaunch the browser if it ever exits:
If the kiosk won't have a mouse, you can install `unclutter` to hide the idle cursor.
What type of persistent changes are being made?
You could take these suggestions a step further and run each kiosk instance of Firefox in a docker container, and have some kind of custom prompt that will kick them out and reboot the container if they don't extend their session.
That might be overkill but it's an option. Could even run those containers remotely, or set up remote monitoring, etc.
It’s not Firefox that’s the kiosk. The whole computer is. Users need access to everything, including the installation of new software. Perhaps kiosk isn’t the best word for our use case.
If it's got a gpu, instead of just igpu:
It might be plausible to have a desktop OS in a vm with gpu and usb pass through providing the screen and peripherals.
Have the host reset the vm from snapshot every few hours.
Like a LAN center or Internet Cafe of old, or perhaps a library?
Internet Cafes were possibly one of the best cyberpunk moments we had in the late 90s.
Like this. It is one of the best things happening in San Francisco.
Your plan seems pretty solid to me! But you could also have it reboot on logout (maybe systemctl kexec?)
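The relaunch script mentioned in the GNOME Kiosk comment did not survive in the thread. The following is an added example, not any poster's code, of one way to write such a loop: it starts Firefox in kiosk and private mode on a throwaway profile that is deleted after every exit, and stops relaunching if the browser keeps dying immediately. The URL is a placeholder, and the function names and tunables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: kiosk browser supervisor (not from the thread).
# KIOSK_URL is a placeholder; the tunables below are assumptions.
KIOSK_URL="${KIOSK_URL:-https://example.org/}"
KIOSK_BROWSER="${KIOSK_BROWSER:-firefox}"
MIN_UPTIME="${MIN_UPTIME:-5}"          # seconds; a shorter run counts as a failed start
MAX_FAST_EXITS="${MAX_FAST_EXITS:-5}"  # consecutive failed starts before giving up

# Launch the browser once on a throwaway profile and delete it afterwards,
# so cookies and logins from one visitor never reach the next.
run_once() {
    profile=$(mktemp -d "${TMPDIR:-/tmp}/kiosk-profile.XXXXXX") || return 1
    "$KIOSK_BROWSER" --kiosk --private-window --profile "$profile" "$KIOSK_URL"
    rc=$?
    rm -rf -- "$profile"
    return "$rc"
}

# Relaunch whenever the browser exits; stop if it keeps dying immediately
# (missing display, broken install) instead of spinning forever.
kiosk_loop() {
    fast=0
    while :; do
        start=$(date +%s)
        run_once || echo "kiosk: browser exited with status $?" >&2
        if [ $(( $(date +%s) - start )) -lt "$MIN_UPTIME" ]; then
            fast=$((fast + 1))
        else
            fast=0
        fi
        if [ "$fast" -ge "$MAX_FAST_EXITS" ]; then
            echo "kiosk: $fast quick exits in a row, giving up" >&2
            return 1
        fi
        sleep 1
    done
}

# Start the loop only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    kiosk_loop
fi
```

Started with `--run` as the kiosk session's startup command, the loop keeps the browser on screen; a non-zero exit from the script itself means the browser could not be kept running.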