Recently I was asked to assist a co-worker find a good locked down Kiosk solution for a local coffee shop. The project requirement was small – mostly just a simple browser.
There seems to have been a LOT of Linux based Kiosk projects out there, most of them now deprecated. After a bit of searching, I came across a good one – WebConverger.
Webconverger is a Live Debian build, created and maintained by Kai Hendry using the Debian Live-builder packages. The LiveCD includes the lightweight Dynamic Window Manager (DWM) , the IceWeasel browser with Webconverger kiosk extension (to lock things down), and… well that’s about it.
Kai has excellent documentation on rolling your own Webconverger LiveCD using his GIT repository, although being pressed for time I opted to go the BraindeadProjects route: Just modify his already released ISO.
To begin modifying it in this manner, first mount the iso using a loopback device:
#mkdir /mnt/webconverger
#mount -o loop webc-7.2.iso /mnt/webconverger
Next mount the SquashFS image, also using a loopback device:
#mkdir /mnt/webconverger-filesystem
#mount -o loop -t squashfs /mnt/webconverger/live/filesystem.squashfs \
/mnt/webconverger-filesystem
As these two mounts are readonly, we need to create editable copies of each.
#mkdir /devel/isolinux
#rsync -av /mnt/webconverger/ /devel/isolinux/#mkdir /devel/squashfs
#rsync -av /mnt/webconverger-filesystem/ /devel/squashfs/
Now we can go about modifying these two directories. Changing out the ISOLINUX boot splash image is an easy start. The image found under /devel/isolinux/isolinux/splash.png is actually an LSS16 image. To replace it, take or create an image 640×480 in size, and convert it to 14 indexed colors. (In GIMP, these options are under Image/Index)
Once complete, save your image in PPM format.
Next, you’ll need the syslinux package installed on your machine. The syslinux package includes a handy utility to convert PPM to LSS16 (for use as a bootsplash image)
#ppmtolss16 < /tmp/myimage-boot.ppm > splash.png
Since you’re already working on the ISOLINUX side of things, I recommend looking at and revising your boot menu. Once I have an image that I’m happy with, I set the following options to prevent someone from rebooting the Kiosk and tampering with boot parameters:
menu background /isolinux/splash.png
default /isolinux/vesamenu.c32
noescape 1
nocomplete 1
prompt 0
timeout 15
allowoptions 0
While you can nest a number of ISOLINUX boot configs together, I generally keep it to one file that includes the above directives. Dont’ forget to include at least one label for a kernel to boot.
After updating the Boot Splash screen, have a look at /devel/squashfs/home/webc/pb.sh. This script is what causes IceWeasel to start, restart if closed, and sets the desktop background image (amongst other things). This script also downloads a background image from your homepage at boot – which can come in handy if you want to rotate daily ads. I’ve personally modified my installation to always load the same background image, and fullscreen that image.
The webpage that appears each time IceWeasel starts is passed as kernel boot parameter (homepage). To update the homepage, simply edit the labels in the ISOLINUX directory.
You will notice that when pressing the home button in the browser however, that you’re actually taken to an about: page that gives details about the current IceWeasel build. To configure this homepage, look at /usr/lib/iceweasel/browserconfig.properties
browser.startup.homepage=www.braindeadprojects.com
I personally like to lock things down a bit more than the standard release. For that reason I also add the following to /etc/iceweasel/pref/local.js
pref(“network.protocol-handler.external.snews”, false);
pref(“network.protocol-handler.external.news”, false);
pref(“network.protocol-handler.external.irc”, false);
pref(“network.protocol-handler.external.mail”, false);
pref(“network.protocol-handler.external.mailto”, false);
Another thing that may prove beneficial is to remove any and all remnants of xterm. As xorg does depend upon xterm, it will have to be forceably removed. This is best done in a chroot environment
#chroot /devel/squashfs/ /bin/bash
#dpkg –force-all -p xterm
#exit
Once you have your modifications complete, you will want to re-squash the squash filesystem. To do this, you’ll need squashfs-tools version 4 (Centos is currently distributing version 3, so do keep that in mind). Squashing using version 3 of the tools will result in a non-bootable kiosk.
#mksquashfs /devel/squashfs/ /tmp/webc.squashfs
#mv /tmp/webc.squashfs /devel/isolinux/live/filesystem.squashfs
#cd /devel/isolinux/
#mkisofs -o /tmp/my-webc.iso -b -r -J -l -cache-inodes -allow-multidot -no-emul-boot \
-boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat \
/devel/isolinux
Finally, isohybrid your ISO:
isohybrid /tmp/my-webc.iso
I highly recommend testing your ISO image in VirtualBox. Using VirtualBox (or any other virtualization option), saves you from constantly burning an image to a CD or USB drive. Be mindful that you can skip the isohybrid step and test with VirtualBox, although you won’t be able to install it later using dd.
Once you have an image that you’re happy with, use dd to copy the ISO onto the hard drive of your Kiosk machine. Personally, I copy my ISO to a USB thumbdrive running the Gentoo Based System Rescue CD, boot into it and then install onto the harddrive:
dd if =/livemnt/boot/kiosk/my-kiosk.iso of=/dev/sda
Of course, one could save time and simply use the WebConverger Customization Service… but why not use this as an opportunity to sharpen one’s skills.
Coming soon to – a walkthrough on how to build and customize a WebConverger ISO from Kai’s GIT repository (as opposed to re-rolling his ISO).