Chef practices for "kiosk" desktops in insecure environments?


#1

Hi all. First time poster, please be kind.

I’ve just volunteered to maintain desktop Linux computers (presently running Lubuntu) on donated 32-bit 2G RAM computers in all homeless shelters and SRO hotels across San Francisco. I use and enjoy working with Chef in my day jobs, and am investigating if this is an appropriate computing environment to use Chef to automate configuration, and perhaps, provisioning (with chef-provisioner?).

The present setup is a bare, almost virgin Lubuntu install, and we have clients use the “guest” account created by Lubuntu to try to give a semblance of privacy to the clients. These computers most likely will be in volatile network environments, and I want to make sure I’m using Chef in the most secure manner.

I am a Lazy Sysadmin, so I try to max out on Cookbooks on GitHub/Supermarket before doing any hand-coding.

Given the above, what should I be looking at in a Chef environment here? If I use chef-zero, how do I push/pull updates to chef code to these machines? And, how do I ensure secure communication between these hosts and Chef Server, if that is the better option? More broadly, are there projects already in use to create “kiosk” computers running Linux using Chef?

Just for an example, the first task I’m doing is configuring postfix (for sending mail only) and Logwatch on these hosts. I’d like to use chef recipes/cookbooks to manage this deployment and configuration.

Thanks so much for your help!

Cheers,

Jesse Adelman
Volunteer,
http://partimus.org/
San Francisco, CA


#2

Just connect to the Chef Server over SSL and don’t disable certificate checking and you should be fine. If the machine is connected to (for example) a wifi network that’s hijacking DNS to force acceptance of TOS or whatever, Chef will just fail, which is fine; it will work when it has working network later.

There are a fair number of folks using Chef to configure workstations of all flavors, but I think it’s more common that these are developer machines in a company.

Good luck!
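
One way to check the advice in reply #2 across a fleet, as an added example that is not part of the original thread: a small Ruby audit that flags a `client.rb` which talks to the Chef Server over plain HTTP or sets `ssl_verify_mode :verify_none`. Both sample configs are constructed, and `chef.example.org`, the organization name and the node name are placeholders.

```ruby
# Added example, not from the thread: flag client.rb settings that weaken
# TLS between a kiosk and the Chef Server. Both configs are constructed
# samples; chef.example.org and the node name are placeholders.
WEAK_CLIENT_RB = <<~CONF
  chef_server_url "http://chef.example.org/organizations/shelters"
  node_name "kiosk-01"
  ssl_verify_mode :verify_none
CONF

HARDENED_CLIENT_RB = <<~CONF
  chef_server_url "https://chef.example.org/organizations/shelters"
  node_name "kiosk-01"
  ssl_verify_mode :verify_peer   # verify the server certificate
  # ssl_verify_mode :verify_none
CONF

# Parse simple `key value` lines; the last assignment of a key wins,
# as it would when Chef evaluates the file top to bottom.
def parse_client_rb(text)
  settings = {}
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/(^|\s)#.*/, "").strip # drop full-line and trailing comments
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    settings[key] = [value.delete(%q("')).strip, lineno]
  end
  settings
end

# Return [line_number, message] pairs for every weak setting found.
def audit_client_rb(text)
  s = parse_client_rb(text)
  findings = []
  url, url_line = s["chef_server_url"]
  if url && !url.start_with?("https://")
    findings << [url_line, "chef_server_url is not https"]
  end
  mode, mode_line = s["ssl_verify_mode"]
  if mode == ":verify_none"
    findings << [mode_line, "ssl_verify_mode :verify_none disables certificate checking"]
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_client_rb(WEAK_CLIENT_RB).each { |line, msg| puts "line #{line}: #{msg}" }
end
```

The parser only understands one-setting-per-line files, so a `client.rb` that computes its values in Ruby needs a review by hand.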


#3

I’d use PXE to bootstrap the OS on the machine every time it would reboot, then hand off to chef to do the configuration.

That way it’s a fresh install every time a reboot happens and if your IT work is literally “Have you tried turning it off and on again?”

The pxe_dust cookbook has the primitives that you’ll need.