Hi,

> > But one major problem I found is that the new system of building the
> > image from the main server's root filesystem is prone to building
> > images that contain far too much – reaching from dhcpd to freeradius
> > and other services that should not be in the image, to a full copy of
> > the LDAP data directory, Kerberos database keys, the GOSa secret, and
> > everything else that should by all means not be shipped to random
> > netboot clients over the network.
>
> Most probably forgotten to exclude. There's a list of excludes
> (/etc/ltsp/image-local.excludes) prepended by a FIXME.

This file is empty, both on the upgraded and on the freshly installed
combined server.

> > I installed a fresh Debian Edu 11 combined server in a test
> > environment and can reproduce that issue, meaning that in my opinion,
> > Debian Edu 11 **must not be used with LTSP in a production
> > environment** without taking very much care to mitigate this issue.
>
> ATM I don't have a test environment. Feel free to fix the script after
> testing with an extended exclude list for the main server.
>
> That said, it would be best (for setups managed by professionals) to use
> separate LTSP servers anyway - like recommended in the manual:
> https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture#Services_running_on_the_main_server

Yes, that would be the desirable case. Nonetheless, using a combined
server should not expose security-relevant data and keys to the public.

I will try my best to find out how to fix that. In any case, should we
warn users?

-nik

-- 
Dominik George (First Chairman of the Board, Head of Education)
Teckids e.V. — Digitale Freiheit mit Jugend und Bildung
https://www.teckids.org/

