Oli Warner About Contact Oli on Twitter Subscribe

Building a kiosk computer with Ubuntu 14.04 and Chrome

Thursday, 24 July 2014 kiosk security ubuntu

Single-purpose kiosk computing might seem scary and industrial but thanks to cheap hardware and Ubuntu, it’s an increasingly popular idea. I’m going to show you how and it’s only going to take a few minutes to get to something usable.

Hopefully we’ll do better than the image on the right.

We’re going to be running a very light stack of X, Openbox and the Google Chrome web browser to load a specified website. The website could be local files on the kiosk or remote. It could be interactive or just an advertising roll. Of course you could load any standalone application. XBMC for a media centre, Steam for a gaming machine, Xibo or Concerto for digital signage. The possibilities are endless.

The whole thing takes less than 2GB of disk space and can run on 512MB of RAM.

Update: If you’ve already installed, read this companion tutorial if you want to convert an existing Ubuntu Desktop install to a kiosk.

Step 1: Installing Ubuntu Server

I’m picking the Server flavour of Ubuntu for this. It’s all the nuts-and-bolts of regular Ubuntu without installing a load of flabby graphical applications that we’re never ever going to use.

It’s free for download. I would suggest 64bit if your hardware supports it and I’m going with the latest LTS (14.04 at the time of writing). Sidebar: If you’ve never tested your kiosk’s hardware in Ubuntu before it might be worth download the Desktop Live USB, burning it and checking everything works.

Just follow the installation instructions. Burn it to a USB stick, boot the kiosk to it and go through. I just accepted the defaults and when asked:

After you reboot, you should be looking at a Ubuntu 14.04 LTS ubuntu tty1 login prompt. You can either SSH in (assuming you’re networked and you installed the SSH server task) or just log in.

The installer auto-configures an ethernet connection (if one exists) so I’m going to assume you already have a network connection. If you don’t or want to change to wireless, this is the point where you’d want to use nmcli to add and enable your connection. It’ll go something like this:

sudo apt install network-manager
sudo nmcli dev wifi con <SSID> password <password>

Later releases should have nmtui which will make this easier but until then you always have man nmcli :)

Step 2: Install all the things

We obviously need a bit of extra software to get up and running but we can keep this fairly compact. We need to install:

We’ll start by adding the Google-maintained repository for Chrome:

sudo add-apt-repository 'deb http://dl.google.com/linux/chrome/deb/ stable main'
wget -qO- https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

Then update our packages list and install:

sudo apt update
sudo apt install --no-install-recommends xorg openbox google-chrome-stable pulseaudio

If you omit --no-install-recommends you will pull in hundreds of megabytes of extra packages that would normally make life easier but in a kiosk scenario, only serve as bloat.

We also need to make sure your user is in the audio group. This will allow PulseAudio to start up and manage sound for applications. This part is optional and many kiosks won’t need sound but I’ve had a lot of comments about it:

sudo usermod -a -G audio $USER

Step 3: Loading the browser on boot

I know we’ve only been going for about five minutes but we’re almost done. We just need two little scripts.

Run sudoedit /opt/kiosk.sh first. This is going to be what loads Chrome once X has started. It also needs to wipe the Chrome profile so that between loads you aren’t persisting stuff. This in incredibly important for kiosk computing because you never want a user to be able to affect the next user. We want them to start with a clean environment every time. Here’s where I’ve got to:

# !/bin/bash

xset -dpms
xset s off
openbox-session &
start-pulseaudio-x11

while true; do
rm -rf ~/.{config,cache}/google-chrome/
google-chrome --kiosk --no-first-run 'https://thepcspy.com'
done

When you’re done there, Control+X to exit and run sudo chmod +x /opt/kiosk.sh to make the script executable. Then we can move onto starting X (and loading kiosk.sh).

Run sudoedit /etc/init/kiosk.conf and this time fill it with:

start on (filesystem and stopped udevtrigger)
stop on runlevel [06]

console output
emits starting-x

respawn

exec sudo -u user startx /etc/X11/Xsession /opt/kiosk.sh --

Replace user with your username. Exit, Control+X, save.

X still needs some root privileges to start. These are locked down by default but we can allow anybody to start an X server by running sudo dpkg-reconfigure x11-common and selecting “Anybody”.

After that we should be able to test. Run sudo start kiosk (or reboot) and it should all come up.

One last problem to fix is the amount of garbage it prints to screen on boot. Ideally your users will never see it boot but when it does, it’s probably better that it doesn’t look like the Matrix. A fairly simple fix, just run sudoedit /etc/default/grub and edit so the corresponding lines look like this:

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=0
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""

Save and exit that and run sudo update-grub before rebooting.
The monitor should remain on indefinitely.

Final step: The boring things…

Technically speaking we’re done; we have a kiosk and we’re probably sipping on a Martini. I know, I know, it’s not even midday, we’re just that good… But there are extra things to consider before we let a grubby member of the public play with this machine:

You can mitigate a lot of the security issues by having no live network (just displaying local files) but this obviously comes at the cost of maintenance. There’s no one good answer for that.

Photo credit: allegr0/Candace