Gbaman
Posts: 155
Joined: Mon Jan 21, 2013 2:43 pm

Re: kitting out a classroom

Mon Mar 17, 2014 8:07 pm

morphy_richards might perhaps slightly interest you. I have been working on also using LTSP with Raspberry Pis but with a different approach, down the fat client road.

For those reading this that don't know what a fat (or called thick client in some textbooks?) client is, it is basically similar to a thin client setup, but instead of all the processing being done on the server and students just remoting into it, fat clients do all the processing locally. Basically their filesystem is stored on the server instead of the SD card. Means you also don't need a very powerful server.

This means students can use the GPIO pins, camera board and any other local hardware connected to the Raspberry Pi.
It runs just as fast as off an SD card once booted (boot takes a little longer) as long as a decent network is used (gigabit switches for more than 5-10 pis) and your server has a decent speed HDD.

Over a normal classroom set of pis, this brings a few major advantages.

1. As the OS is stored on the server, if the teacher wants to make a change (install a package for example?), then make the change as normal on the server (to the virtual Pi filesystem) and reboot the Raspberry Pis and poof, that change is now on that Raspberry Pi. No more fragmented classrooms that need 30+ SD cards reflashed every 3-6 months to keep everyone up to date.

2. The system uses LTSPs rather nice user system. This means a student can sit down and log in to any Raspberry Pi in the classroom and have access to their files, settings etc as it is stored centrally on the server.

3. As user files are stored centrally on the server, it means there is a single place to back up and all your files are safe. No need to back up every kids SD card.

All of this is included in a nice whiptail fronted BASH management script.

An SD card is still required, but only with boot partition, meaning only 30mb is required on the SD card. The installation script also generates the boot partition for you. It comes with a mini boot manager that lets you select to boot off the local SD card normally or boot via the network. (This is done in an initramfs)

I will admit using LDAP is a smarter system, especially if there is 100s of students, but for my solution it uses the built in Debian users as the users for the system.
Also I have not been working on any failover stuff, which I know LDAP can do nicely.
Another big disadvantage of using fat clients is large applications do take a long as they normally do on a Pi, which for stuff like libreoffice is 20-30 seconds. Is usable though.

Do let me know what you think, is rather easy to set up, just download and run the script as root on a Debian (Wheezy) machine.

Documentation on it though is a little light, that is what I am working on currently.

https://github.com/gbaman/RaspberryPi-LTSP
and here is a video of the system being tested in a school https://www.youtube.com/watch?v=qfKyQe1Bfr0
Lead developer of PiNet, a free and opensource centralised user accounts and file storage system for Raspberry Pi classrooms used in over 200 schools across the world.
http://pinet.org.uk

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Nov 19, 2014 4:08 pm

Using LDAP authentication there is an issue

When a user tried to change password form a client r-pi, it does not work. Documented bug here

Attempting to fix this I update a file
etc/pam.d/common-password as so

Code: Select all

# here are the per-package modules (the "Primary" block)
password        [success=3 default=ignore]      pam_unix.so obscure sha512
password        [success=2 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

To

Code: Select all

# here are the per-package modules (the "Primary" block)
password        [success=3 default=ignore]      pam_unix.so obscure sha512
password        [success=2 default=ignore]      pam_winbind.so use_authtok try_first_pass
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass            
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
ie. remove use_authtok references

Testing... will update after reboot

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Nov 19, 2014 4:18 pm

Partial success.

I am able to change a password now but on changing password my home directory no longer mounts.
(mount.c:72):mount error (13) permission denied
(pam_mount.c:522):mount of sr failed
No directory, logging in with HOME=/
After changing my password back to the original value, logging out and in again, my home directory then mounts as per.

Flummoxed. Well out of my comfort zone.

Posting query in networking section and then going home.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Nov 19, 2014 7:58 pm

Gbaman » 17 Mar 2014 20:07
The system uses LTSPs rather nice user system. This means a student can sit down and log in to any Raspberry Pi in the classroom and have access to their files, settings etc as it is stored centrally on the server.
Thanks for this.
I did try going down the LTSP route although ran into a few load related snags, in the end I began to see that given the number of concurrent users I had, it was better for me to use the pis as distinct computers in their own right.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Thu Nov 20, 2014 9:03 am

morphy_richards wrote:Partial success...
It occurred to me that there is no need to get the passwd working and able to change the users LDAP password on the remote raspberry pi.
The user can simply ssh into the LDAP server itself and issue the passwd command from there. Not quite as neat but still it works perfectly well and anyway I like it from a teaching perspective as it reinforces the notion that although their files and settings seem to be on the computer they are using, in reality they are actually somewhere else.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Thu Mar 05, 2015 11:55 am

Now that my network is maturing, student ldap/samba logins are beginning to expire after 1 year.
Where I have bulk created logins, they are expiring en-masee too.

I have to then manually reset passwords but to at least slow this down I've used the command:

Code: Select all

 samba-tool domain passwordsettings set --max-pwd-age=999
Which bulk sets expiry to the maximum of 999 days.

I could also make a script to run samba-tool user setexpiry username --noexpiry on every user. It should be simple it I just do something like

while there is a line
list each folder in /home line by line
use this as username in the above command

:?:

User avatar
PiPete
Posts: 9
Joined: Tue Mar 31, 2015 7:28 pm
Location: Cambridge, UK
Contact: Website

Re: kitting out a classroom

Tue Mar 31, 2015 7:54 pm

I'm just starting out on this Pi journey but in a primary school setting. I have an after-school programming club with about 50 children. Is there any simple way to avoid having to but separate screens and keyboards to program pi? We have 60 very new laptops with screens and keyboards already. I have tried the Meltwater approach on my own latop with no joy at all. Is there a particular forum dedicated to this problem? Any help fully appreciated.
KS2 Class Teacher

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 8:46 am

I / we* would love to help in any way we can.
I've just seenMeltwater's approach can you describe where it goes wrong for you?

Are you connected to the internet already with your laptop via wifi and also using the network cable plugged in to pi and laptop?

Have you tried this method?
I / we
* I am not the queen or Golum, I just mean the people here, generally.

User avatar
PiPete
Posts: 9
Joined: Tue Mar 31, 2015 7:28 pm
Location: Cambridge, UK
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 7:46 pm

I'm trying at home before attempting in school. Both laptop and pi have wireless working fine. I plug in Ethernet cable and set IP address on pi as per very simple long instructions. I then try to ping, as I have monitor etc for this test pi and get no response from laptop. The instructions don't mention setting IP address for laptop but I assumed I need to.

I'm so keen to get pi going in our school but I know we have no VGA monitors just laptops. Failing this Xwindow approach, that might be too complex for us, can you recommend decent small keyboars and screens to look at? Thanks for your help.
KS2 Class Teacher

User avatar
PiPete
Posts: 9
Joined: Tue Mar 31, 2015 7:28 pm
Location: Cambridge, UK
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 8:04 pm

Just read the Remote Desktop approach. Coul this be feasible in classroom of 15 pis? The network cable approach did appeal because I ima gin end it being simple and scalable to whole class w both 15 pis .
KS2 Class Teacher

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 8:42 pm

Your laptop is already configured to connect to a network via WiFi. When you plug a pi into your laptop's network port you are trying to create a second , different network on the same computer. While its not impossible, it is complicated to do that.

Instead, try plugging your pi's network cable into a network plug on the back of your WiFi router and see if that gets you anywhere. It should show up in network places on your laptop and you should be able to find the ip address and connect to it.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 8:55 pm

...
In school you could achieve the same result by connecting all your pis to an 'unmanaged' network switch and then connecting that to the school network but you must get your network manager / IT technician to help as just plugging in a dumb switch to a managed network can mess things up.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Wed Apr 01, 2015 9:02 pm

... Or if you have WiFi working on both pi and laptop you should be able to just ditch the cable altogether because they are both already in the same network. If you have WiFi in your classroom too that would be a good solution as you could have each laptop and pi next to each other on the desk and also your network manager will not need to change anything.

You can also change a script on each pi (/etc/network/interfaces) so they have a static, unchanging ip address to make it easier to connect to them.

Remote desktop / VNC is very good for working on pis on different computers like laptops.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Mon Jun 08, 2015 9:07 am

I've just found that I cant access theZentyal forum page that describes how to configure LDAP and SMB settings on the Raspbian so that you can allow logins and remote home dirs managed by Zentyal server (It's a bit like Windows server, easier to use IMHO, it's Linux (Ubuntu) but with big buttons with names like "Gateway", "User Management", etc so that even numptys like me can do it)

New school proxy settings are preventing general access to the site so copying the details here for ease of access and for redundancy.
This is all by a user called Udo over on Zentyal. He is a really great guy. His original thread is linked above.
Installation - just side notes regarding what I did:
Raspbian via BerryBoot, no Desktop, with SSH
"old" Raspberry with 256MiB RAM
apt-get update && apt-get dist-upgrade
some additional but irrelevant tools: screen, byobu, molly-guard, jed, mc
Network: DHCP with Zentyal as DNS-Server
Ldap - accept all defaults on all prompts:

Code: Select all

apt-get install libnss-ldap libpam-ldap libpam-mount winbind smbclient cifs-utils ldap-utils
fill /etc/ldap/ldap.conf with correct data for your system. Example:

Code: Select all

base dc=neo,dc=lan                                                                                                                                                     
uri ldap://10.1.100.1:390                                                                                                                                              
                                                                                                                                                                       
binddn cn=zentyalro,dc=neo,dc=lan                                                                                                                                      
bindpw asdfasdfasdf 
                                                                                                                                                                       
scope sub                                                                                                                                                              
bind_policy soft                                                                                                                                                       
ldap_version 3                                                                                                                                                         
pam_password md5                                                                                                                                                       
                                                                                                                                                                       
nss_base_passwd         ou=Users,dc=neo,dc=lan?one                                                                                                                     
nss_base_passwd         ou=Computers,dc=neo,dc=lan?one                                                                                                                 
nss_base_shadow         ou=Users,dc=neo,dc=lan?one                                                                                                                     
nss_base_group          ou=Groups,dc=neo,dc=lan?one                                                                                                                    
nss_schema              rfc2307bis                                                                                                                                     
nss_map_attribute uniqueMember member                                                                                                                                  
nss_reconnect_tries 2                                                                                                                                                  
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,cc,colord,daemon,davfs2,debian-spamd,dhcpd,dirmngr,dnsmasq,games,gdm,gnats,hplip,irc,kernoops,landscape,libu$
                                                                                                                                                                       
# TLS certificates (needed for GnuTLS)                                                                                                                                 
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
Force some links to make other tools use the same information:

Code: Select all

ln -sf /etc/ldap/ldap.conf  /etc/pam_ldap.conf
ln -sf /etc/ldap/ldap.conf  /etc/libnss-ldap.conf
Name Service Switch edit /etc/nsswitch.conf :

Code: Select all

Code: [Select]
passwd:         files ldap                                                                                                                                        
group:          files ldap                                                                                                                                        
shadow:         files ldap
nscd needs to get restarted:

Code: Select all

# /etc/init.d/nscd restart 
Restarting Name Service Cache Daemon: nscd.
Test:

Code: Select all

id kb
uid=2006(kb) gid=1901(__USERS__) 
pam_mount add some lines like this to /etc/security/pam_mount.conf.xml:

Code: Select all

<volume user="*" fstype="cifs" server="10.1.100.1" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
Test:

Code: Select all

ssh [email protected] pwd
[email protected]'s password: 
/home/kb
Best regards
« Last Edit: July 25, 2013, 08:49:13 pm by UdoB »

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Thu Jul 02, 2015 7:05 am

Some quite interesting developments are imminent.
UK schools are supposed to get their ICT equipment refreshed every 5 years or so. My department's refresh is long overdue but is occuring this August.
There is a hidden cost involved, disposal of the old equipment. Safe data destruction of hard disks that may have student data is a child protection issue and so forth.

My cost cutting solution,
Leave all the old computers in place. The new ones will be some kind of newfangled tiny box thing that take next to no room. The old ones can have windows 10, Linux, whatever, installed. By not leaving site they save us a truck load of money and I get proper desktop PCs.

They will run in parallel with the raspberry pis at first, on the same special network. When everything works properly the pis will be removed and used for two purposes.
40 or so will be kept back to make physical computing class sets.
The remaining ones will be issued on long term loan to students (with breadboard, jumper sets, leds and whatnot)

Hopefully this will be just in time to tie in with the BBC microbits giveaway.

User avatar
DougieLawson
Posts: 35784
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: kitting out a classroom

Thu Jul 02, 2015 7:30 am

Hard disk cleaning is easy. Burn a copy of DBAN on a CD boot that and 24 hrs later there's no trace of data (unless you give the drive to NSA or GCHQ).
http://www.dban.org
I used to use that when IBM wanted an old laptop back.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: kitting out a classroom

Thu Jul 02, 2015 7:06 pm

Not a solution for this instance, but it *is* a way to do a pretty good job of wiping an HDD...

My niece used to work for a steel fabrication company near Portland, OR. When they replaced a bunch of PCs, they decided to wipe to old drives. They took all the drives out in the "yard", laid them on the ground, and brought over the 50 ton rated electromagnetic crane, lowered the "hook" (the electromagnet) over the drives and turned it on. According those observing, the drives all stood up on end and waved back and forth. Testing a drive afterwards showed there was *nothing* on it (not even basic formatting).

plugwash
Forum Moderator
Forum Moderator
Posts: 3439
Joined: Wed Dec 28, 2011 11:45 pm

Re: kitting out a classroom

Thu Jul 02, 2015 7:52 pm

W. H. Heydt wrote: My niece used to work for a steel fabrication company near Portland, OR. When they replaced a bunch of PCs, they decided to wipe to old drives. They took all the drives out in the "yard", laid them on the ground, and brought over the 50 ton rated electromagnetic crane, lowered the "hook" (the electromagnet) over the drives and turned it on. According those observing, the drives all stood up on end and waved back and forth. Testing a drive afterwards showed there was *nothing* on it (not even basic formatting).
What kind of testing? just throwing them in a PC and seeing if anything was readable or low-level data recovery analysis on the platters?

W. H. Heydt
Posts: 10741
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: kitting out a classroom

Fri Jul 03, 2015 2:25 am

plugwash wrote:
W. H. Heydt wrote: My niece used to work for a steel fabrication company near Portland, OR. When they replaced a bunch of PCs, they decided to wipe to old drives. They took all the drives out in the "yard", laid them on the ground, and brought over the 50 ton rated electromagnetic crane, lowered the "hook" (the electromagnet) over the drives and turned it on. According those observing, the drives all stood up on end and waved back and forth. Testing a drive afterwards showed there was *nothing* on it (not even basic formatting).
What kind of testing? just throwing them in a PC and seeing if anything was readable or low-level data recovery analysis on the platters?
Probably the former. The drive contents weren't in a "burn before reading" category. If an OS thinks it needs to do a low level format before using a drive, it's going to take q fair bit of work to get anything off it, and the contents probably aren't the cost of the effort.

Obviously if the contents are really important, the sort of stuff that gets top level security ratings, the best thing to do is to pull the drives apart and chuck the platters into a furnace and melt them down.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Fri Jul 03, 2015 9:45 am

:lol:
This is all very well and good but I'm really excited about the prospect of getting 120 odd perfectly good PCs to do as I please with in my department, my main argument was that it would be cheaper to let me keep them than the school get paying to get the data safely wiped and then scrapping them.
If anyone realises all they needed to do was get a 50 ton crane with an electromagnet down the A406, into the playground and then dangle it over our classrooms with the power on full for a few hours then I lose out big time!
Shush! ;)

User avatar
DougieLawson
Posts: 35784
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: kitting out a classroom

Fri Jul 03, 2015 11:44 am

Build a stack of DBAN CD roms (burn ten copies) and you'll have 50 clean hard drives at the end of a week.

Label them very carefully with a RED Sharpie, DBAN CDs are dangerous in the hands of the amateur. Answer "yes" to the "Are you sure it's your weapon with your round pointed at your foot?" question and you've got a large cleanup job to undo the damage even before DBAN has finished running.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Fri Jul 03, 2015 2:57 pm

Just going totally totally totally off topic for a bit.
Why can I not just mount all the hard drives each with a single partition and then just write "I am a fish" over and over again until every one of them is full?
Not that I'm going to do any of that, just curious.

User avatar
DougieLawson
Posts: 35784
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: kitting out a classroom

Fri Jul 03, 2015 3:25 pm

morphy_richards wrote:Just going totally totally totally off topic for a bit.
Why can I not just mount all the hard drives each with a single partition and then just write "I am a fish" over and over again until every one of them is full?
Not that I'm going to do any of that, just curious.
Because the bad guys can un-write that data and make the original data re-appear.

DBAN does multiple passes of writing random data so that trying to undo it becomes not worth the cost (unless your name is Julian Assange).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Mon Sep 07, 2015 1:08 pm

Disabling the "greeter" in Ubuntu versions 14+ to allow LDAP students to login using own typed credentials rather than selecting from a list:
http://askubuntu.com/questions/451950/h ... untu-14-04

User avatar
morphy_richards
Posts: 1603
Joined: Mon Mar 05, 2012 3:26 pm
Location: Epping Forest
Contact: Website

Re: kitting out a classroom

Fri Nov 27, 2015 3:06 pm

We are almost a term into the current phase of our CS network.

(It wasn't supposed to unfold like this, we were supposed to be using our known to be good raspberry pi network and slowly phasing in replacement desktop PCs and phasing out the pis, but an over zealous IT provider got a bit over zealous ... anyway...)

The raspberry pis have all been removed. They are now being loaned out to students to take home. Good!
The PCs all have edubuntu installed. We are still using the same old zentyal network server to handle logins.

It's not going well ... machines hang on login inexplicably. Sometimes deleting .cache and .config fixes this sometimes not ...
New users work fine for a while and then also hang on login, no one on Ubuntu forums seems able to suggest a cause so ...

I'm coming to the conclusion that Ubuntu is, indeed, just a broken version of Debian.

I've come acrossskolelinux.org - which is "Debian Edu" and it looks good. For a while I have been unhappy that I have 3 separate machines at the heart of my network.

One is a gateway to provide internet to my network from school network.
One is a login/file(zentyal) server
One is a raspberry pi based DNS and DHCP system.

I like that Debian Edu / Skole Linux promises an out of the box configuration either for the server that will handle everything form gateway to logins as well as for individual workstations.

We will still be using Raspberry Pis in class too, I am keeping back 30 Pi B+s for physical computing, (although the pi zero is faster, the bigger form factor of the B+ is still an advantage for this sort of thing)

Anyway, all a good excuse for playing with a new operating system.
Hurrah
Last edited by morphy_richards on Fri Nov 27, 2015 3:57 pm, edited 1 time in total.

Return to “Staffroom, classroom and projects”