Linux Exercise: Install and configure X11
Install X11
Login as root to the console. Use yum to install the group "GNOME Desktop" (RH/CentOS7) or "Workstation" (RH/CentOS8+), if you have not done so before.
- Red Hat/CentOS 7:
# yum -y groupinstall "GNOME Desktop"
- Red Hat/CentOS 8 or 9:
# yum -y groupinstall "Workstation"
Depending on the speed of your internet connection, this may take quite some time. Also, depending on how much hard disk space you started out with, you may need to extend the size of your Logical Volume that contains your root filesystem.
Important: These exercises need to be executed on the console of your Linux system. They don't work if you are logged in via, for instance, SSH.
Verify that a few important components of the GUI have now been installed, including the X.org server itself, the mutter Window Manager and various gnome-* utilities.
- # which X
- # ls -l /usr/bin/X
- # rpm -qif /usr/bin/Xorg
- # which mutter
- # rpm -qif /usr/bin/mutter
- # which gnome-terminal
- # rpm -qif /usr/bin/gnome-terminal
- # rpm -qa | grep ^gnome
Start X
Make sure that your system is in the "multi-user" and not the "graphical" systemd target.
- ONLY if your system is currently displaying a graphical login prompt or a graphical desktop:
- # systemctl set-default multi-user
- # reboot
- Login as root
Start the X.org server exclusively. (Do not start the full desktop environment.)
- # X -retro
This will start a grey screen with a diagonal X as your mouse cursor. Because no window manager has been started, it's not possible to click on anything with your mouse. And as no application is running that could get focus, your keyboard is also pretty useless. Your virtual terminals are active though, so with Ctrl-Alt-F1 through Ctrl-Alt-F7 you can switch between graphical and text terminals. Also, from a different system (or from your host if you are using Linux in a virtualized environment), you can still connect to the system using SSH.
End the X.org server.
- There are several ways you can achieve this:
- If the X environment is currently on your screen: Ctrl-Alt-Backspace
- If you are in the text terminal where you started the X command: Ctrl-C
- If you are in another text terminal, or logged in (as root) via the network: killall X
Start the X server with the desktop environment.
- # startx
You will now see the complete desktop of the user.
End the desktop environment
- You can use all three methods described earlier. This will cause the X server to end itself. The X clients, including the window manager, then lose their connection to the server and will die as well. Alternatively, you can use the menu structure of the window manager to stop the desktop environment.
Configure your system so that the desktop environment starts up automatically after a reboot. Reboot your system.
- # systemctl set-default graphical
- # reboot
X11 Configuration (optional)
Important: The current LPI exams were written in a time when the X11 server still required extensive configuration. Since then, most of the hard-core code has moved into the Linux kernel, and the Linux kernel is able to autodetect your graphical adapter and monitor. This has reduced the amount of configuration required for the X.org server to virtually nothing.
This section looks at the configuration files and programs that are mentioned in the LPI requirements. But you will see that they don't really add any value to a modern Linux system anymore.
Try to look at the contents of the file /etc/X11/xorg.conf. Does this file exist?
- # cat /etc/X11/xorg.conf
Look at the contents of the directory /etc/X11/xorg.conf.d. Does this contain a lot?
- # ls /etc/X11/xorg.conf.d
- # cat /etc/X11/xorg.conf.d/00-keyboard.conf
Modern X.org implementations need very little configuration. This is done automatically together with the kernel. Most client-side configuration will be handled through the client interface, and for instance stored in the GNOME Configuration Manager.
See which display manager your system is using.
- # ps aux | grep dm
The display manager that's most often used is gdm, which is part of the GNOME project.
Accessibility
- Look at some of the accessibility features that are described on pages 410-413 of your book. You will find the settings of these features under Settings; Universal Access.
X applications over a network (optional)
This is not an LPI requirement
You can only perform this exercise if you have at least two Linux systems installed. One, your "client system", needs to have X up and running. The other system, the "server system", needs to have X installed at a minimum, but it doesn't have to be running. If you don't have two systems you can also use your one system to log in to the graphical environment and then SSH to "loopback", so you log in as a different user on your own system. That login session is then considered to be on the server.
For the hints, the client system will be called "sys1" and the server system "sys2". You can look at the prompt to see whether a command needs to be executed on the client or the server.
We will first examine the old methods using xhost and xauth, and then use SSH to make our life a lot easier.
- Login to the graphical environment of your client system.
Login to the server system. Verify that the xterm application is installed. If not, install it. Logout from the server system.
- sys1# ssh user@sys2
- sys2# which xterm
- If xterm is not installed:
sys2# yum -y install xterm
- sys2# logout
On the client system, look at the contents of the $DISPLAY variable.
- sys1# echo $DISPLAY
Most often you'll be using ":0", which means the first X server on the system.
Look at which sockets are in use by the X server.
- sys1# netstat -ap | grep Xorg
X clients and servers can communicate with each other using two different communication channels:
- Via a so-called "UNIX socket": an inode in the filesystem that looks like a file, but has type "s" and allows two-way communication between two processes. Xorg typically uses UNIX sockets located in /tmp/.X11-unix.
- Via a TCP/IP network port. These start counting at port 6000 for ":0", 6001 for ":1", and so forth.
If your X server is not listening on port 6000, enable this. You do this by adding the following line to /etc/gdm/custom.conf, in the [security] section: DisallowTCP = false. After this, you need to restart gdm. Although it is possible to do this without a reboot, rebooting your system is the easiest option.
- sys1# vi /etc/gdm/custom.conf
...
[security]
...
DisallowTCP = false
...
- sys1# reboot
- sys1# netstat -ap | grep Xorg
Xorg should now be listening on TCP port 6000 as well.
Login to the graphical environment. Open up your environment for connections from the server system. Also, you may need to stop your firewall so that it doesn't block any connections. Login to the other system, set the $DISPLAY variable properly and start xterm. This should now be displayed on your client system.
- sys1# xhost +sys2
- sys1# systemctl stop firewalld
- sys1# ssh user@sys2
- sys2# export DISPLAY=sys1:0
- sys2# xterm
You should now see an xterm window. The code that runs this window is running on sys2, but the display happens on sys1.
- Stop the xterm.
- sys2# exit
- sys1# xhost -sys2
Using the xhost + command is not really secure. It allows all connections from that particular server, even from users logged into different accounts. Also, it makes you vulnerable to IP spoofing. A better method would be to use the xauth mechanism. For this you need to extract your X Authentication Cookie on the client system, merge it on the server system, and then run the xterm application again.
- sys1# xauth list
Look at the list of cookies. If everything is correct you should be seeing at least two: one for the UNIX socket and one for the TCP socket. They normally have the same cryptographic value.
- sys1# xauth extract my-cookie :0
You now have a file my-cookie with the X Authentication Cookie for :0.
- sys1# scp my-cookie user@sys2:
- sys1# ssh user@sys2
- sys2# xauth merge my-cookie
- sys2# xauth list
This list now contains the cookie for sys1:0.
- sys2# export DISPLAY=sys1:0
- sys2# xterm
Once again, you should see the xterm being displayed locally.
- Stop the xterm.
- sys2# xauth remove sys1:0
- sys2# exit
- sys1# xauth list
The xauth method is a lot more secure, because you only allow the owners of your X Authentication Cookie to connect to the system. But the communication between the client and the server still uses a port which is normally closed and firewalled, and the traffic is passed around in plain text. Plus, exchanging the cookie is quite a bit of work. Fortunately the SSH protocol has built-in support to exchange the cookie, and to tunnel the X traffic over the SSH connection itself.
Enable your firewall again, disable the TCP X socket, and then log on to the server with ssh -X. Look at the contents of your cookie file again.
- sys1# systemctl start firewalld
- sys1# vi /etc/gdm/custom.conf
Remove or comment out the "DisallowTCP" line.
- sys1# reboot
- sys1# netstat -ap | grep Xorg
Xorg should no longer be listening on TCP port 6000.
- sys1# ssh -X user@sys2
- sys2# xauth list
- sys2# echo $DISPLAY
The variable will most likely be set to ":10". This means that a local X server is listening on port 6010, and any X clients should connect to this.
- sys2# netstat -anutp | grep 6010
You should see that it's the local SSH daemon that is listening on port 6010. This daemon will forward any incoming traffic over the existing SSH connection to the SSH client. The client, obviously, uses the local $DISPLAY variable (set to :0 or pointing to the local UNIX socket) to forward the traffic to the local X server.
- sys2# xterm
- Stop the xterm.
- sys2# exit
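After this exercise it is worth confirming that the cleanup steps (xhost -sys2, removing DisallowTCP, restarting firewalld) actually took effect. The shell functions below are an added example, not part of the original exercise; the function names, the sample data and the 6000-6063 port range are assumptions.

```shell
#!/bin/sh
# Added example: checks for leftovers of the xhost/TCP steps in this exercise.
# Every function reads command output on stdin, so it works on live output
# (xhost, netstat -ltn) or on saved samples like the constructed ones below.

# Succeeds if the [security] section has an active "DisallowTCP = false".
gdm_tcp_enabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[security\]/) }
        insec && /^[ \t]*DisallowTCP[ \t]*=[ \t]*false[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Prints one line per xhost entry that bypasses the cookie check.
xhost_findings() {
    awk '
        /^access control disabled/ { print "OPEN: any host may connect" }
        /^INET6?:/ { sub(/^INET6?:/, ""); print "HOST: " $0 }'
}

# Prints X11 TCP listeners that are reachable from other machines.
# Port 6000+N serves display :N; 6000-6063 is an assumed scan range.
# Loopback listeners (the sshd proxy used by ssh -X) are not reported.
x11_tcp_exposed() {
    awk '
        /LISTEN/ {
            addr = $4; port = $4
            sub(/.*:/, "", port); port += 0     # numeric port after last colon
            sub(/:[0-9]+$/, "", addr)           # address without the port
            if (port < 6000 || port > 6063) next
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") next
            print "display :" (port - 6000) " on " addr
        }'
}

# Constructed samples: state during the xhost step, before cleanup.
SAMPLE_CONF='[daemon]
[security]
DisallowTCP = false'
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:sys2
SI:localuser:root'
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN'

printf '%s\n' "$SAMPLE_CONF" | gdm_tcp_enabled && echo "gdm: TCP listening enabled"
printf '%s\n' "$SAMPLE_XHOST" | xhost_findings
printf '%s\n' "$SAMPLE_NETSTAT" | x11_tcp_exposed
```

On a live sys1, feed the functions real output, for instance `xhost | xhost_findings`, `netstat -ltn | x11_tcp_exposed` and `gdm_tcp_enabled < /etc/gdm/custom.conf`. After cleanup all three should report nothing.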
Using VNC (optional)
VNC is not an LPI requirement.
For this exercise you will need two systems. One is your Linux system running the graphical desktop, the other can be another Linux system with a graphical desktop, or a Windows system. From the second system you're going to access the display of the first system using VNC.
- On your Linux system, make sure you are logged in under GNOME. Go to Settings; Sharing. Make Screen Sharing active, and enter a password.
- On your other Linux system, or on your Windows system, start a VNC viewer. On Windows, you will probably have to install a product such as TightVNC or RealVNC. Connect to your Linux system's IP address. Does this work?
Note: If you get an error message about encryption, then most likely this means that the VNC server and VNC client could not agree on an encryption protocol. The easiest solution is to disable encryption. Within GNOME, open a terminal window and type the following command: gsettings set org.gnome.Vino require-encryption false. At the client side, you may also need to change a setting (for instance under System; Preferences) so that the client allows unencrypted connections.
Setup a display manager
Although an LPI requirement, KDM (the KDE Display Manager) is no longer available in Red Hat 7/CentOS 7. The same applies to the traditional X11 Display Manager, XDM. However, you can install LightDM from the EPEL (Extra Packages for Enterprise Linux) repository. LightDM is also available in the EPEL repository for Red Hat 8/CentOS 8, but there seems to be a missing dependency so this package cannot be installed. LightDM is not available at all for Red Hat 9/CentOS 9.
For this reason, this part of the exercises can only be done on a Red Hat 7/CentOS 7 system.
CentOS 7 users: Install the epel-release RPM from the CentOS repository.
- # yum install epel-release
Red Hat 7 users: Install the epel-release RPM from the EPEL website.
- # wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
- # rpm -ivh epel-release-latest-7.noarch.rpm
Install LightDM
- # yum install lightdm
Disable GDM and enable LightDM. Then reboot your system. Do you see a difference?
- # systemctl disable gdm.service
- # systemctl enable lightdm.service
- # reboot
Install KDE (optional)
Install KDE
- # yum -y groupinstall "KDE Plasma Workspaces"
Log out, log in and choose KDE, typically using a small button in the upper right corner of your screen. Do you see a difference?