OpenBSD developer Robert Nagy writes in to tell us about how they use OpenBSD at work:
In most areas thin clients are being used in offices where there can be a central server which is used by the clients to boot, using pxeboot for example. In this case every time the machine gets rebooted, a clean environment will be provided for the users. Our goal was to create a thin client which can be updated and managed over the internet, while still keeping the ability to have a clean environment after a reboot. In order to achieve this we have modified the rc(8) system of OpenBSD to use memory file systems on those parts of the system where writing data somewhere is necessary.
In our setup /tmp, /home, /var/log and /var/db are always memory filesystems. All of these memory filesystems are created on boot to have a clean start, except for /var/db, which gets synchronized with the on-disk data before it is used by anything.
After the filesystem setup we make sure that we populate the /home directory properly for the “thin” user, which is being used by the thin client to launch an X server and the thin client software itself.
# /etc/ttys: start X as the "thin" user on the sixth virtual console
ttyC5 "/usr/bin/su - thin -c /usr/X11R6/bin/xinit" xterm on secure
# /etc/rc.local: recreate the thin user's home and its X startup file
install -d -o thin -g users -m 750 /home/thin
cat > /home/thin/.xinitrc << 'EOF'
xsetroot -cursor_name left_ptr
(cd /usr/local/thinclient; ./thinclient)
EOF
As you can see, rc.local can be used to populate the home directory for the thin user with all the necessary configuration files. After rc.local has finished running, the rc(8) script makes the whole / filesystem read-only because we do not need to write to it at all.
Doing this also ensures that if the machine gets reset there will be no need to run fsck(8) and that our system will always be consistent with what we want.
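The following is an added example, not the author's actual rc(8) modification (the post does not show it). It sketches the boot-time sequence described above as a script: fresh memory file systems for the scratch directories, /var/db seeded from its on-disk copy before anything touches it, an empty home for the thin user, and finally / remounted read-only once rc.local has done its work. The mfs sizes, the nosuid/nodev options, the use of mount_mfs -P to seed /var/db, and the DRY_RUN switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the author's rc(8) change. Sizes, mount options and the
# DRY_RUN switch are assumptions made for this illustration.

# Assumed: directories that become fresh memory file systems on every boot,
# and the one that is seeded from its on-disk copy first (dir:size).
MFS_SCRATCH="/tmp:64m /home:128m /var/log:64m"
MFS_SYNCED="/var/db:64m"

# Execute a command, or with DRY_RUN=1 just print it, so the sequence can be
# inspected on a machine that has no mount_mfs.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Empty mfs on $1 of size $2. nosuid,nodev: nothing living in a scratch area
# should ever be a set-uid binary or a device node.
mount_scratch() {
    run /sbin/mount -t mfs -o rw,nosuid,nodev,-s="$2" swap "$1"
}

# mfs on $1 pre-populated from the on-disk directory of the same name
# (assumed: mount_mfs -P copies the directory before mounting over it), so the
# databases kept in /var/db are present in the RAM copy from the start.
mount_synced() {
    run /sbin/mount -t mfs -o rw,nosuid,nodev,-s="$2",-P="$1" swap "$1"
}

# Stage 1, early in rc: set up the memory file systems and the thin home.
thin_rc_setup() {
    for spec in $MFS_SCRATCH; do
        mount_scratch "${spec%%:*}" "${spec#*:}"
    done
    for spec in $MFS_SYNCED; do
        mount_synced "${spec%%:*}" "${spec#*:}"
    done
    # Fresh, empty home for the thin user; rc.local fills in its dotfiles.
    run /usr/bin/install -d -o thin -g users -m 750 /home/thin
}

# Stage 2, after rc.local: nothing needs to write to / any more, so lock it.
# A hard reset afterwards leaves / clean, which is why no fsck(8) is needed.
thin_lock_root() {
    run /sbin/mount -u -o ro /
}

# Only act when explicitly asked to (rc would call: sh thin_rc.sh setup|lock).
case "${1:-}" in
    setup) thin_rc_setup ;;
    lock)  thin_lock_root ;;
esac
```

Running the script with DRY_RUN=1 prints the four mfs mounts, the install of /home/thin and the final read-only remount without touching the machine, which is a cheap way to review the sequence before wiring it into rc.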
The thin client software is really simple and by default it includes support for three default applications: OpenNX, Remmina and Chromium. These are the most commonly used application types on a thin client because most of the time users only use these clients to connect to other machines or just to browse the internet.
The client also has two indicators so that the user can see if the network connection and a VPN connection are up (if configured). The client regularly watches network traffic on the configured interface and also checks IPsec flows to indicate if there is a VPN tunnel running.
The client also includes a clock and a date indicator and support for rebooting and shutting the thin client down.
We have chosen OpenNX and Remmina to support remote connections to other machines because these programs include basically all needed protocols: NX, RDP, VNC and so on.
In the background a puppet client is running, checking a master server over the internet and using the machine's UUID to authenticate itself to the puppet master server in order to get updates over the internet.
Since the / filesystem is mounted read-only, each time an update has to be applied the filesystem gets remounted read-write so that the changes can be made, and then it gets remounted read-only to protect the consistency of the system.
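An added example of that read-write window, not the author's update mechanism: / is flipped to rw only for the duration of the update command and is returned to ro afterwards even when the command fails or the shell is interrupted, and a small check confirms from mount(8) output that / really is read-only again. The helper names, the DRY_RUN switch and the sample mount line are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not the author's update mechanism. Helper names and the
# DRY_RUN switch are assumptions made for this illustration.

# Execute a command, or with DRY_RUN=1 just print it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Remount / with the given option (rw or ro).
remount_root() {
    run /sbin/mount -u -o "$1" /
}

# Run "$@" with / writable and always return / to read-only afterwards.
# Example use from a cron job or a puppet exec resource (assumed wiring):
#   with_writable_root puppet agent --onetime --no-daemonize
with_writable_root() {
    remount_root rw || return 1
    # If the update dies half way (error, SIGHUP/INT/TERM), the traps still
    # restore the read-only state the rest of the system relies on.
    trap 'remount_root ro; exit 1' HUP INT TERM
    trap 'remount_root ro' EXIT
    "$@" && rc=0 || rc=$?
    remount_root ro
    trap - EXIT HUP INT TERM
    return $rc
}

# Post-update check: read mount(8) output on stdin and succeed only when / is
# read-only. On OpenBSD the line looks like this (constructed sample):
#   /dev/sd0a on / type ffs (local, read-only)
root_is_readonly() {
    awk '$3 == "/" && /read-only/ { found = 1 } END { exit !found }'
}

# Typical sequence:
#   with_writable_root <update command...> && mount | root_is_readonly
```

The point of the trap is that a failed or interrupted puppet run must not leave / writable; the exit status of the update command is preserved so the caller can still tell whether the update itself succeeded.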