From d4c29ec5bda488445b0180d3ac2623574d65854f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 5 Mar 2021 14:44:09 +0100
Subject: [remote-access] Handle INT TERM differently from EXIT Trapping INT or TERM doesn't yield an implicit exit
---
 core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver b/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
index 4e58cc3b..01b8bade 100755
--- a/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
+++ b/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
@@ -35,7 +35,8 @@
 copy="$( mktemp )"
 cat "$XAUTHORITY" > "$copy"
 export XAUTHORITY="$copy"
- trap 'rm -f -- "$copy"' EXIT INT TERM
+ trap 'exit 1' INT TERM
+ trap 'rm -f -- "$copy"' EXIT
 fi
 fails=0
 while true; do
-- cgit v1.2.3-55-g7522

From 3819938d62a3eb4b84777bf4efe9c53aa4ccc791 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 5 Mar 2021 15:11:30 +0100
Subject: [remote-access] Make VNC port configurable
---
 .../data/etc/X11/Xsetup.d/50-launch-vncserver | 23 ++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver b/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
index 01b8bade..e6e7f568 100755
--- a/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
+++ b/core/modules/remote-access/data/etc/X11/Xsetup.d/50-launch-vncserver
@@ -3,7 +3,9 @@
 [ -z "$SLX_KCL_SERVERS" ] && . /opt/openslx/config
 [ "$DISPLAY" = :0 ] && [ -n "$SLX_REMOTE_VNC" ] && {
- # TODO GET
+ # TODO If we support multiple parallel sessions in the future, we need dedicated
+ # ports for each session for both, the VNC and the RPC port.
+ vnc_port="${SLX_REMOTE_VNC_PORT:-5900}"
 srchost="$SLX_REMOTE_HOST_ACCESS"
 if [ -n "$srchost" ]; then
 # IPTABLES
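Review bot: The two new `trap` lines in the `@@ -35,7 +35,8 @@` hunk carry no comment saying why INT and TERM need their own handler, and since the copied file holds the X authority cookie its removal is worth documenting. I would add `# A trapped INT/TERM does not end the shell by itself; exit so the EXIT trap removes the xauth copy` above `trap 'exit 1' INT TERM`. A POSIX shell also defers a trap until the foreground command returns, so while `x11vnc` runs in the loop that begins at the end of this hunk, a TERM delivered only to this subshell would presumably not clean up until x11vnc exits. The enclosing subshell starts and ends outside the hunk.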
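Review bot: `vnc_port` in the `@@ -3,7 +3,9 @@` hunk is taken from `SLX_REMOTE_VNC_PORT` unchecked, and the `@@ -11,11 +13,9 @@` hunk then writes it unquoted into the generated rule script (`--dport $vnc_port`), so a malformed value yields iptables lines that fail or mean something else, and the DROP rule for the VNC port may never be installed. A guard right after the assignment would keep it to digits, e.g. `case "$vnc_port" in ''|*[!0-9]*) vnc_port=5900 ;; esac`. Because the config is sourced as shell, this is a robustness check rather than a trust boundary. A value of 5901 or 7551 would also collide with the fixed redirect target and the port 7551 rules visible in the later hunks. The enclosing `{ … }` block continues past the hunk.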
@@ -11,11 +13,9 @@
 if ! [ -e "$rule" ]; then
 (
 echo "#!/bin/sh"
- echo "iptables -A INPUT -s "'"'"$srchost"'"'" -p tcp --dport 5900 -j ACCEPT"
- echo "iptables -A INPUT -s "'"'"$srchost"'"'" -p tcp --dport 5901 -j ACCEPT"
+ echo "iptables -A INPUT -s "'"'"$srchost"'"'" -p tcp --dport $vnc_port -j ACCEPT"
 echo "iptables -A INPUT -s "'"'"$srchost"'"'" -p tcp --dport 7551 -j ACCEPT"
- echo "iptables -A INPUT -p tcp --dport 5900 -j DROP"
- echo "iptables -A INPUT -p tcp --dport 5901 -j DROP"
+ echo "iptables -A INPUT -p tcp --dport $vnc_port -j DROP"
 echo "iptables -A INPUT -p tcp --dport 7551 -j DROP"
 ) > "$rule"
 chmod +x "$rule"
@@ -28,7 +28,9 @@
 printf "%s" "$passwd" > "/tmp/vnc-passwd"
 url="http://${SLX_PXE_SERVER_IP}/slx-admin/api.php?do=remoteaccess"
 curl -s -S -L --retry 4 --retry-connrefused --max-time 3 --retry-max-time 10 \
- --data-urlencode "password=$passwd" "$url" > /dev/null
+ --data-urlencode "password=$passwd" \
+ --data-urlencode "vncport=$vnc_port" \
+ "$url" > /dev/null
 (
 # Make a copy of xauth, so if the xserver restarts, we'll use the old one and fail to connect
 if [ -n "$XAUTHORITY" ]; then
@@ -42,7 +44,7 @@
 while true; do
 s="$( date +%s )"
 # skip keycode stuff fixes altgr for vmware
- x11vnc -rfbport 5900 -shared -forever -noxrecord -xkb -capslock -skip_keycodes 92,187,188 -remap DEAD=gac,U20AC-EuroSign -passwd "$passwd"
+ x11vnc -rfbport "$vnc_port" -shared -forever -noxrecord -xkb -capslock -skip_keycodes 92,187,188 -remap DEAD=gac,U20AC-EuroSign -passwd "$passwd"
 e="$( date +%s )"
 d="$(( e - s ))"
 if [ "$d" -gt 5 ]; then
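Review bot: Removing the port 5901 ACCEPT/DROP pair in the `@@ -11,11 +13,9 @@` hunk leaves the REDIRECT target unfiltered. The later hunks still redirect `$vnc_port` to 5901 in `nat` PREROUTING, and the filter INPUT chain sees the packet after that rewrite, i.e. with destination port 5901, so neither the `-s "$srchost"` ACCEPT nor the DROP on `$vnc_port` matches redirected traffic, and direct connections to 5901 are no longer dropped either. Unless the INPUT policy or rules outside this diff cover it, hosts other than `$srchost` could reach whatever listens on 5901 (the VMware VNC, judging by the `vmvnc` variable). I would keep both 5901 lines: `echo "iptables -A INPUT -s "'"'"$srchost"'"'" -p tcp --dport 5901 -j ACCEPT"` and `echo "iptables -A INPUT -p tcp --dport 5901 -j DROP"`.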
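Review bot: The VNC password is still passed on the command line, in the rewritten `curl` call of the `@@ -28,7 +28,9 @@` hunk and in the new `x11vnc … -passwd "$passwd"` line of the `@@ -42,7 +44,7 @@` hunk, where it can be visible to other local users in the process list. The script already writes the password to `/tmp/vnc-passwd` (context line above), so curl could read it with `--data-urlencode "password@/tmp/vnc-passwd"` and x11vnc with `-passwdfile /tmp/vnc-passwd`, provided that file is created with owner-only permissions, which the hunk does not show. The request also goes to an `http://` URL, so password and port cross the network unencrypted; whether the server offers HTTPS cannot be told from here.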
@@ -59,7 +61,8 @@
 vmvnc=false
 idle=0
 # In case of stale entry
- iptables -t nat -D PREROUTING -p tcp --dport 5900 -j REDIRECT --to-ports 5901
+ # TODO: This sucks anyways performance-wise for VMware, maybe remove?
+ iptables -t nat -D PREROUTING -p tcp --dport "$vnc_port" -j REDIRECT --to-ports 5901
 while [ -d "/proc/${vncpid}" ]; do
 sleep 5
 if netstat -tn | awk 'BEGIN{ e=1 } { if ($4 ~ /:590[0123]$/) e=0 } END{ exit e }'; then
@@ -83,13 +86,13 @@
 if ! $vmvnc; then
 killall x11vnc
 usleep 10000
- iptables -t nat -I PREROUTING 1 -p tcp --dport 5900 -j REDIRECT --to-ports 5901
+ iptables -t nat -I PREROUTING 1 -p tcp --dport "$vnc_port" -j REDIRECT --to-ports 5901
 fi
 vmvnc=true
 else
 # disable
 if $vmvnc; then
- iptables -t nat -D PREROUTING -p tcp --dport 5900 -j REDIRECT --to-ports 5901
+ iptables -t nat -D PREROUTING -p tcp --dport "$vnc_port" -j REDIRECT --to-ports 5901
 fi
 vmvnc=false
 fi
-- cgit v1.2.3-55-g7522

From d79120836bc9f1b75fb0852896640f10202feff7 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 10 Mar 2021 14:01:18 +0100
Subject: [kiosk-chromium] Need libnss3-tools for certutil
---
 core/modules/kiosk-chromium/module.conf.ubuntu | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/modules/kiosk-chromium/module.conf.ubuntu b/core/modules/kiosk-chromium/module.conf.ubuntu
index 708eac72..f5d87627 100644
--- a/core/modules/kiosk-chromium/module.conf.ubuntu
+++ b/core/modules/kiosk-chromium/module.conf.ubuntu
@@ -2,6 +2,7 @@
 REQUIRED_CONTENT_PACKAGES="
 jq
 xbindkeys
+ libnss3-tools
 "
 REQUIRED_INSTALLED_PACKAGES="$REQUIRED_CONTENT_PACKAGES"
 REQUIRED_BINARIES=""
-- cgit v1.2.3-55-g7522
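Review bot: The connection check in the `@@ -59,7 +61,8 @@` hunk still matches only `/:590[0123]$/`, so with a non-default `SLX_REMOTE_VNC_PORT` the `netstat | awk` test would not see a client connected to the configured port. The condition could take the port as a variable, `awk -v p="$vnc_port" 'BEGIN{ e=1 } { if ($4 ~ /:590[0123]$/ || $4 ~ (":" p "$")) e=0 } END{ exit e }'`. The `--to-ports 5901` target here and in the `@@ -83,13 +86,13 @@` hunk also stays fixed, so a configured port of 5901 would redirect onto itself. The `while` loop body continues outside the hunk, so what the check feeds into is not visible.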