diff --git a/Dockerfile b/Dockerfile index 6ef5f9d..fdfd13b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ #use armv7hf compatible base image -FROM balenalib/armv7hf-debian:stretch +FROM balenalib/armv7hf-debian:buster #dynamic build arguments coming from the /hooks/build file ARG BUILD_DATE 
@@ -14,76 +14,90 @@ LABEL org.label-schema.build-date=$BUILD_DATE \ RUN [ "cross-build-start" ] #version -ENV HILSCHERNETPI_DESKTOP_HDMI_VERSION 1.2.2 - +ENV HILSCHERNETPI_DESKTOP_HDMI_VERSION 1.3.0 #labeling LABEL maintainer="netpi@hilscher.com" \ version=$HILSCHERNETPI_DESKTOP_HDMI_VERSION \ description="Desktop (HDMI) for netPI" +#set user credentials ENV USER=testuser ENV PASSWD=mypassword -#copy files -COPY "./init.d/*" /etc/init.d/ - -#do user -RUN apt-get update \ - && useradd --create-home --shell /bin/bash $USER \ - && echo $USER:$PASSWD | chpasswd \ - && adduser $USER tty \ - && adduser $USER video \ - && adduser $USER sudo \ - && adduser $USER input \ - && echo $USER " ALL=(root) NOPASSWD:ALL" >> /etc/sudoers.d/$USER \ - && chmod 0440 /etc/sudoers.d/$USER - +#update source lists, keys +RUN echo "deb http://archive.raspberrypi.org/debian/ buster main" | tee -a /etc/apt/sources.list \ + && gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-key 82B129927FA3303E \ + && gpg -a --export 82B129927FA3303E | apt-key add - \ + && apt update \ +#create testuser + && useradd --create-home --shell /bin/bash $USER \ + && echo $USER:$PASSWD | chpasswd \ + && adduser $USER tty \ + && adduser $USER video \ + && adduser $USER sudo \ + && adduser $USER input \ + && echo $USER " ALL=(root) NOPASSWD:ALL" >> /etc/sudoers.d/$USER \ + && chmod 0440 /etc/sudoers.d/$USER \ + && apt install -y \ #install ssh -RUN apt-get update \ - && apt-get install -y openssh-server \ - && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \ - && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd \ - && mkdir /var/run/sshd - + openssh-server \ + && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config \ + && sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd \ + && mkdir /var/run/sshd \ #install xserver, desktop, login manager, 
ALSA sound driver -RUN apt-get install --no-install-recommends xserver-xorg \ - && apt-get install --no-install-recommends xinit \ - && apt-get install xfce4 xfce4-terminal \ - && mkdir /etc/X11/xorg.conf.d \ - && chmod u+s /usr/bin/Xorg \ - && chown -c $USER /etc/X11/xorg.conf.d \ - && apt-get install xserver-xorg-input-evdev \ - && apt-get install gnome-icon-theme tango-icon-theme \ - && apt-get install alsa-oss alsa-tools alsa-tools-gui alsa-utils alsamixergui mpg123 \ - && touch /home/$USER/.Xauthority \ - && chmod 777 /home/$USER/.Xauthority - + && apt install -y \ + xserver-xorg \ + xinit \ + xfce4 \ + xfce4-terminal \ + && mkdir /etc/X11/xorg.conf.d \ + && chmod u+s /usr/bin/Xorg \ + && chown -c $USER /etc/X11/xorg.conf.d \ + && apt install -y \ + xserver-xorg-input-evdev \ + gnome-icon-theme tango-icon-theme \ + alsa-oss alsa-tools alsa-tools-gui alsa-utils alsamixergui mpg123 \ +# && touch /home/$USER/.Xauthority \ +# && chmod 777 /home/$USER/.Xauthority \ + && rm -rf /var/lib/apt/lists/* + +#install userland raspberry pi tools (needed vor VNC) +RUN apt-get update && apt install -y \ + git \ + && git clone --depth 1 https://github.com/raspberrypi/firmware /tmp/firmware \ + && mv /tmp/firmware/hardfp/opt/vc /opt \ + && echo "/opt/vc/lib" >/etc/ld.so.conf.d/00-vmcs.conf \ + && /sbin/ldconfig \ + && rm -rf /opt/vc/src \ + && apt install -y \ #install VNC -RUN apt-get install x11vnc \ - && mkdir /home/$USER/.vnc \ - && chown $USER:$USER /home/$USER/.vnc \ - && x11vnc -storepasswd "$PASSWD" /home/$USER/.vnc/passwd \ - && chown $USER:$USER /home/$USER/.vnc/passwd - + realvnc-vnc-server \ #install pulseaudio -RUN apt-get install dbus-x11 pulseaudio \ - && sed -i -e 's;load-module module-console-kit;#load-module module-console-kit;' /etc/pulse/default.pa \ - && usermod -a -G audio $USER \ - && usermod -a -G pulse $USER \ - && usermod -a -G pulse-access $USER - + dbus-x11 pulseaudio \ + && sed -i -e 's;load-module module-console-kit;#load-module 
module-console-kit;' /etc/pulse/default.pa \ + && usermod -a -G audio $USER \ + && usermod -a -G pulse $USER \ + && usermod -a -G pulse-access $USER \ + && apt install \ #install chromium browser -RUN apt-get install wget \ - && wget -O key.pgp https://bintray.com/user/downloadSubjectPublicKey?username=bintray \ - && apt-key add key.pgp \ - && echo "deb http://dl.bintray.com/kusti8/chromium-rpi jessie main" | tee -a /etc/apt/sources.list \ - && apt-get update \ - && apt-get install chromium-browser \ - && rm key.pgp + chromium-browser \ +#install screensaver + xscreensaver \ +#install anydesk + && apt install -y \ + wget \ + && wget https://download.anydesk.com/rpi/anydesk_5.1.1-1_armhf.deb -P /tmp/ \ + && dpkg -i /tmp/anydesk_5.1.1-1_armhf.deb || apt install -f \ + && apt install libgles2* \ + && rm -rf /tmp/* \ + && apt remove wget git \ + && apt autoremove \ + && apt upgrade \ + && rm -rf /var/lib/apt/lists/* -#installe screensaver -RUN apt-get install xscreensaver +#copy files +COPY "./init.d/*" /etc/init.d/ #set the entrypoint ENTRYPOINT ["/etc/init.d/entrypoint.sh"] diff --git a/README.md b/README.md index a6a605b..e28ef40 100644 --- a/README.md +++ b/README.md 
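Review bot: In the last `RUN`, `dpkg -i /tmp/anydesk_5.1.1-1_armhf.deb || apt install -f` is not grouped. Because `&&` and `||` associate left to right, a failure of any earlier command in that chain (the `git clone`, a `usermod`, the `wget`) falls through to `apt install -f` and the build carries on with an incomplete image. Group the fallback so it only covers the dpkg step: `&& { dpkg -i /tmp/anydesk_5.1.1-1_armhf.deb || apt install -f; } \`. The downloaded .deb is also installed as root with no integrity check; pin a digest before `dpkg -i`, e.g. `&& echo "<EXPECTED_SHA256>  /tmp/anydesk_5.1.1-1_armhf.deb" | sha256sum -c - \` (placeholder digest, to be filled from the vendor's published value). The first `RUN` has a related gap: the repository key is fetched by its 64-bit ID over plain `hkp://…:80`, so comparing the full fingerprint before `apt-key add` would make explicit which key the image trusts.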
@@ -7,17 +7,23 @@ Made for [netPI](https://www.netiot.com/netpi/), the Raspberry Pi 3B Architecture based industrial suited Open Edge Connectivity Ecosystem -### Debian with X.org display server, desktop Xfce, VNC and ALSA audio +### Container features -The image provided hereunder deploys a container with installed Debian, display server, desktop environment and ssh server. +The image provided hereunder deploys a container with installed Debian, display server, desktop environment, virtual network computing, remote desktop software and ssh server. -Base of this image builds [debian](https://www.balena.io/docs/reference/base-images/base-images/) with installed display server [X.org](https://en.wikipedia.org/wiki/X.Org_Server) enabling the device's HDMI port plus the desktop environment [Xfce](https://www.xfce.org/?lang=en) turning the device in a desktop computer with mouse and keyboard support. Additonally it embeds the [ALSA](https://wiki.debian.org/ALSA) Audio Sound package for sending the sound across HDMI. Also the [x11vnc](https://en.wikipedia.org/wiki/X11vnc) server is installed to access to the desktop screen from remote via VNC clients. +Base of this image builds [debian](https://www.balena.io/docs/reference/base-images/base-images/) with installed HDMI display server [X.org](https://en.wikipedia.org/wiki/X.Org_Server) and a desktop environment [Xfce](https://www.xfce.org/?lang=en) turning the device in a desktop PC. The [ALSA](https://wiki.debian.org/ALSA) audio sound package outputs on HDMI. The [REALVNC](https://www.realvnc.com/) server enables the access from remote via VNC clients, while the [AnyDesk](https://anydesk.com/) server the access over the internet. -#### Container prerequisites +#### Container setup + +##### Port mapping, network mode + +The container needs to run in `host` network mode. + +Using this mode makes port mapping unnecessary since all the used container ports (like 22) are exposed to the host automatically. 
##### Host devices -The following host devices need to be exposed to the container +The secured netPI Docker requires adding ALL needed devices manually (even in privileged mode). The following host devices need to be added to the container * **for HDMI support** the devices `/dev/tty0`,`/dev/tty2`,`/dev/fb0` * **for mouse and keyboard support** the device `/dev/input` @@ -29,15 +35,7 @@ The privileged mode option needs to be activated to lift the standard Docker enf netPI's secure reference software architecture prohibits root access to the Host system always. Even if priviledged mode is activated the intrinsic security of the Host Linux Kernel can not be compromised. -##### Host network - -The container needs the Docker "Host" network stack to be shared with the container. - -Hint: Using this mode makes port mapping unnecessary since all the container's used ports are exposed to the host. This is why the container's used SSH server port `22` and VNC port `5900` are getting available on the host without a discrete port mapping. - -#### Getting started - -##### On netPI +#### Container deployment STEP 1. Open netPI's website in your browser (https). 
@@ -61,21 +59,35 @@ STEP 4. Press the button *Actions > Start/Deploy container* Pulling the image may take a while (5-10mins). Sometimes it may take too long and a time out is indicated. In this case repeat STEP 4. -#### Accessing +#### Container access + +Make sure you have a mouse and keyboard connected before you start the container else they are not recognized. + +A HDMI monitor in general will only be recognized if it was already connected during netPI's boot sequence else the screen remains black. + +The container starts the desktop over HDMI, the SSH server, the VNC server and AnyDesk automatically when deployed. + +##### ssh + +Login to the container with an SSH client such as [putty](http://www.putty.org/) using netPI's IP address at port `22`. Use the credentials `testuser` as user and `mypassword` as password when asked and you are logged in as user testuser. + +##### VNC + +Control the desktop with any VNC client over port `5900`. The [REALVNC viewer](https://www.realvnc.com/en/connect/download/viewer/) works right away. For others like [UltraVNC](https://www.uvnc.com/downloads/ultravnc.html) change the authentication method in the server/options/security/authentication settings from `UNIX password` to `VNC password`. -The container starts the desktop, the SSH server and VNC server automatically when started. +##### AnyDesk -In desktop mode make sure you have a mouse and keyboard connected before you start the container, else they will not be recognized. A HDMI monitor will only be recognized if it was already connected during netPI's boot sequence, else its screen remains black. For simple tests use Chromium to do some web page visits. +Control the desktop over the internet with [AnyDesk software](https://anydesk.com/en). Use the `This Desk ID` shown on the desktop in the AnyDesk software `Remote Desk ID` field to connect. Accept the connection on the desktop afterwards. 
-Alternatively login from remote via a VNC client such as [uVNC](https://www.uvnc.com/) to netPI's IP address at port `5900` to display the screen on another computer. Use the password `mypassword` when asked in your client. +#### Container tips & tricks -Another alternative is to login to the container with an SSH client such as [putty](http://www.putty.org/) using netPI's IP address at port `22`. Use the credentials `testuser` as user and `mypassword` as password when asked and you are logged in as user testuser. +For additional help or information visit the Hilscher Forum at https://forum.hilscher.com/ -#### Automated build +#### Container automated build The project complies with the scripting based [Dockerfile](https://docs.docker.com/engine/reference/builder/) method to build the image output file. Using this method is a precondition for an [automated](https://docs.docker.com/docker-hub/builds/) web based build process on DockerHub platform. -DockerHub web platform is x86 CPU based, but an ARM CPU coded output file is needed for Raspberry systems. This is why the Dockerfile includes the [balena](https://balena.io/blog/building-arm-containers-on-any-x86-machine-even-dockerhub/) steps. +DockerHub web platform is x86 CPU based, but an ARM CPU coded output file is needed for Raspberry Pi systems. This is why the Dockerfile includes the [balena](https://balena.io/blog/building-arm-containers-on-any-x86-machine-even-dockerhub/) steps. #### License diff --git a/init.d/entrypoint.sh b/init.d/entrypoint.sh index adc7f3e..42a93c5 100755 --- a/init.d/entrypoint.sh +++ b/init.d/entrypoint.sh 
@@ -1,32 +1,32 @@ #!/bin/bash +e # catch signals as PID 1 in a container -pidpulse=0 - # SIGNAL-handler term_handler() { - echo "terminating VNC ..." - sudo /usr/bin/x11vnc -R stop - - echo "terminating dbus ..." - sudo /etc/init.d/dbus stop - - echo "terminating pulseaudio ..." - if [ $pidpulse -ne 0 ]; then - kill -SIGTERM "$pidpulse" - wait "$pidpulse" - fi - - echo "terminating ssh ..." - sudo /etc/init.d/ssh stop - + + echo "stopping x server ..." + pidxserver=$(pidof "Xorg") + + sudo kill -SIGTERM "$pidxserver" + tail --pid=$pidxserver -f /dev/null + exit 143; # 128 + 15 -- SIGTERM } +#remove locks in case desktop crashed +rm /tmp/.X0-lock &>/dev/null || true +sudo rm -fr ~/.Xauthority +touch ~/.Xauthority +chmod 777 ~/.Xauthority + +#set environment variables +export DISPLAY=:0.0 +export XAUTHORITY=~/.Xauthority +export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket + # on callback, stop all started processes in term_handler trap 'kill ${!}; term_handler' SIGINT SIGKILL SIGTERM SIGQUIT SIGTSTP SIGSTOP SIGHUP - # add input devices and their events to X11 configuration if test -f /etc/X11/xorg.conf.d/10-input.conf then @@ -60,10 +60,6 @@ sudo amixer cset numid=1 100% echo "starting pulseaudio ..." sudo pulseaudio --system --high-priority --no-cpu-limit -v -L 'module-alsa-sink device=plughw:0,1' >/dev/null 2>&1 & -pidpulse="$!" - -echo "starting dbus ..." -sudo /etc/init.d/dbus start echo "starting ssh ..." sudo /etc/init.d/ssh start @@ -76,12 +72,15 @@ sudo chmod -R 777 /dev/snd sudo chmod -R 777 /dev/input sudo chmod -R 777 /dev/fb0 -echo "starting X ..." -/usr/bin/startx & - -echo "starting VNC after 10 seconds..." +echo "starting X on display 0 ..." +/usr/bin/startx -- :0 & sleep 10 -/usr/bin/x11vnc -usepw -forever -display :0 -bg + +echo "starting VNC ..." +/usr/bin/vncserver-x11 & + +echo "starting anydesk ..." +/usr/bin/anydesk & # wait forever not to exit the container while true
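Review bot: `chmod 777 ~/.Xauthority` in the new lock-cleanup block makes the X authority file readable and writable by every account in the container, so any local process can read or replace the display cookie. As far as the visible script shows, all X clients are started by the same user, so `chmod 600 ~/.Xauthority` should be sufficient. In `term_handler`, `pidof "Xorg"` can return an empty string or several PIDs, and then `kill` and the unquoted `tail --pid=$pidxserver` fail or misparse. A guard such as `[ -n "$pidxserver" ] || exit 143` before the `kill` would cover the empty case. A short comment on the `tail --pid=… -f /dev/null` line saying it blocks until Xorg has exited would also help the next reader.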
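Review bot: `/usr/bin/vncserver-x11 &` and `/usr/bin/anydesk &` are started unconditionally at the end of this hunk. The README in the same commit says the container runs in `host` network mode with the default account `testuser`/`mypassword`, so every deployment exposes remote desktop access under publicly documented credentials. Consider making each service opt-in, e.g. `[ "${START_ANYDESK:-0}" = "1" ] && /usr/bin/anydesk &` (variable name is a suggestion), and requiring the password to be set at deploy time rather than taken from the image default. The PIDs of the two background processes are also not recorded, so `term_handler`, which now stops only Xorg, cannot shut them down in order. The `while true` loop that follows continues outside the hunk.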