This guide utilizes Raspbian Stretch with Desktop as a base to create a kind of kiosk that loads preset pages in different tabs to enable a secure way of monitoring our Redis cluster. Still the user could open new tabs and go to other websites. The Chromium browser is default installed in this Raspbian release. We need to apply some levels of security because for example the users will leave the device unattended. The security in place is there to prevent unwanted actions on the device that is connected to the enterprise network.

The reason we are going to use a Rasberry PI for this setup is the inital price and easiness of setting up the device by the product teams themselves. If we would choose to use the default enterprise Windows computers, we've to wait weeks before getting one while we wouldn't be as flexibile as we're with this setup. The expierence so far is that the Raspberry platform does well. The only downside noticable of this Rasberry is the limitation of the availability of memory (maximum of 1Gb and when full it means a system freeze) and the lack of speed of the SD card.

The guide is written based on own investigation and some handy information I've found on the internet. I will list the sources in the appendix.

Raspberry behind screen

Step 1: Download Raspbian & burn to SD card

Download Raspbian "Strech with Desktop" image from the Raspberry website and unzip the file.

If you're a OSX user you can create the image the easy way by downloading Etcher and burn the image to the SD card. Or you could choose to use dd for this, if you don't want to install this handy tool called Etcher. dd is also available on Linux environments.

Using DD

  1. Run $ diskutil list after inserting your SD card to find the correct path to your card. Be absolutely sure to get this right because dd will destroy everying it writes over, and there are no limits to where it can write.
  2. Unmount the SD card $ diskutil unmountDisk /dev/disk2
  3. Create bootable SD card from the 2017-11-29-raspbian-stretch.img and put it to the SD card: $ sudo dd if=/home/current-user/Download/2017-11-29-raspbian-stretch.img of=/dev/disk2 bs=1M status=progress

Your SD card should now be ready to boot and configre as a kiosk.

Step 2: Boot Raspbian for the first time

Insert the SD card into the Raspberry PI and boot it up. Raspbian will first rezise the SD card and reboot. After that it will automatic start and login into the LXDE desktop environment. Here we got security risk "1" and we'll solve this later.

We're need to set the locale, timezone and keyboard layout. This is based on your personal situation. I'm from the Netherlands and that's why I've set ever Open terminal and run the raspi configuration tool:

$ sudo raspi-config

Change the following configurations:

  1. Set locale "nl_NL"
  2. Set timezone "Amsterdam"
  3. Set wifi country "NL"
  4. Set up keyboard layout
  5. run update of the system
  6. exit

After changes made, these setting need to enabled which requires a reboot of the system.

$ sudo reboot now

After the reboot of the system all settings should stay the same. If they are rolled back to the default settings please ensure you set them correctly next time. Invalid settings will result in for example the time not updating correctly.

Step 4: Clean Raspbian default installed packages

You'll experience that the Raspbian image is rich of tools and features we don't need for the our purpose of the Raspberry PI. Therefore we are cleaning up. The result after the cleanup is that you'll save ~1230,6Mb of space and dropped plenty of processes eating RAM plus process capacity, which we can use more efficient. Open the terminal again and continue execute the following commands:

$ sudo apt purge wolfram-engine libreoffice* claws-mail bluej nodered nuscratch scratch scratch2 sonic-pi python-pygame minecraft-pi geany greenfoot -y
$ sudo apt clean
$ sudo apt autoremove -y

the -y options is to automatic answer questions as "yes"

To remove the python games (not installed with apt):

$ sudo rm -rf python_games

After the clean up of the packages we need to reboot the sytem (just to be sure).

$ sudo reboot now

Step 5: Disable screen sleep:

Raspian will bring the screen into sleep after 15 minutes of inactivity and this will make the screen go dark. Obviously this is something we don't want, becuase we want to keep any eye ont the screen to see what happening. To disable sceen sleep we need to do the following:

$ sudo nano /etc/lightdm/lightdm.conf

Add the following lines to the [SeatDefaults] section:

#don't sleep the screen

xserver-command=X -s 0 dpms

After adding we need

$ sudo reboot now

Step 6: The X transparent screen lock

The solve the second security issue.

$ git clone git://github.com/leonnnn/python3-simplepam.git
$ cd python3-simplepam
$ sudo python3 setup.py install

On Raspbian stretch pyxdg is already available.

$ git clone git://github.com/leonnnn/pyxtrlock.git
$ cd pyxtrlock
$ sudo python3 setup.py install

If you would like to automatically lock your screen after some idle time, we recommend the xautolock tool. Just add something like

$ sudo apt install xautolock numlockx

to your X autostart file to lock the screen with pyxtrlock after 5 minutes idle time. xautolock has many other useful features, see its documentation. Most distributions provide an xautolock package with a man page.

Before testing the locking system first check and update PAM:

$ sudo pam-auth-update

Then check pyxtrlock:

$ pyxtrlock

and then test xautolock after one minute:

$ xautolock -locker pyxtrlock -time 1

If all test are sucessful you can continue to the next step.

Step 7: The kiosk user

It's not smart to run the kiosk mode under the root user. We want that the kiosk is running with a kiosk user and in a group that can be seen as save. The next step is to create the kiosk user, add a password and add this user to the www-data usergroup:

$ sudo useradd kiosk
$ sudo passwd kiosk
$ sudo usermod -a -G www-data kiosk 

Validate the user by typing and check the group the user belongs to:

$ id kiosk

The output should look like this:

UID=1001(kiosk) GID=1001(kiosk) groepen=1001(kiosk),33(www-data)

Step 8: Setup the Kiosk xsession

So far we've installed & setup Raspbian, added functionality to keep the screen on and functionality to lock the screen. All the functionalities are not working together yet. To apply all required setting we're going to create a new file called .xsession for the kiosk user.

$ sudo nano /home/kiosk/.xsession

Copy the codeblock from below and paste this into the editor (usually shift-ctrl-v):

#!/usr/bin/env bash

# Set your app's URL below:
# SPA_URL="http://www.mynameisvolker.com"

xset s off
xset -dpms
xset s noblank
sed -i 's/"exited_cleanly": false/"exited_cleanly": true/' ~/.config/chromium/Default/Preferences
numlockx on

#Lock out right-click and menu button on keyboard
xmodmap -e "pointer = 1 2 32 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31"
xmodmap -e "keycode 135 ="

#Lock out other special keys
xmodmap -e "keycode 64 ="       #L-alt
xmodmap -e "keycode 108 ="      #R-alt
xmodmap -e "keycode 37 ="       #L-ctrl
xmodmap -e "keycode 105 ="      #R-ctrl
xmodmap -e "keycode 133 ="      #L-windows (meta key)
xmodmap -e "keycode 134 ="      #R-windows (meta key)
xmodmap -e "keycode 107 ="      #print-screen
xmodmap -e "keycode 127 ="      #page-break
xmodmap -e "keycode 77 ="       #num-lock
xmodmap -e "keycode 78 ="       #scroll-lock
xmodmap -e "keycode 118 ="      #insert
xmodmap -e "keycode 9 ="        #esc
xmodmap -e "keycode 67 ="       #F1
xmodmap -e "keycode 68 ="       #F2
xmodmap -e "keycode 69 ="       #F3
xmodmap -e "keycode 70 ="       #F4
#xmodmap -e "keycode 71 ="       #F5
xmodmap -e "keycode 72 ="       #F6
xmodmap -e "keycode 73 ="       #F7
xmodmap -e "keycode 74 ="       #F8
xmodmap -e "keycode 75 ="       #F9
xmodmap -e "keycode 76 ="       #F10
xmodmap -e "keycode 95 ="       #F11
xmodmap -e "keycode 96 ="       #F12

# Lock the screen after 3 minutes of inactivity
xautolock -secure -time 3 -locker pyxtrlock &

# Optional: Restart chromium after 10 minutes of inactivity (this helps with page reloads, etc.)
#xautolock -secure -time 10 -locker /home/kiosk/kill_chromium.sh &

# Auto-detect resolution and store in variables
res=$(xdpyinfo -d :0 | grep dimensions | sed -r 's/^[^0-9]*([0-9]+x[0-9]+).*$/\1/')
resx=$(echo $res | awk '{split($0,array,"x")} END{print array[1]}')
resy=$(echo $res | awk '{split($0,array,"x")} END{print array[2]}')

while true; do
  # chromium-browser --incognito --noerrdialogs --window-size=$resx,$resy --window-position=0,0 --kiosk $SPA_URL;
  sleep 1s;
done

Save the file by pressing ctrl-x , then y and enter. This xsession configuration will be applied after login of the kiosk user. The script will disable all kind of keys, right mouse clicks, etc and then it will start a ingconito chrome browser preloading the set website.

Optional you could decide to restart Chrome after a variable amount of minutes. In the applied configuration it is disabled. Create a simple script to kill Chromium: $ echo "pkill chromium" | sudo tee /home/kiosk/kill_chromium.sh

Make the script executable: $ sudo chmod +x /home/kiosk/kill_chromium.sh

After you made the scritpt executable, restart Rasbian in the way you would prefer.

Sources: