Translation(s): Português Brasileiro

LTSP5 How To

Upstream documentation with official, detailed information about installing LTSP is at

Installating and configuring LTSP5 using the chrootless method


As the linux terminal server project (ltsp) has matured there are a number of options in its configuration to consider: chrootless or a separate chroot, all one subnet or a separate subnet for the clients, a local dns cache using dnsmasq or not, network block device (nbd) or network file system (nfs) or some of one with the other, 32 bit (i386) or 64 bit (amd64). In this howto the chrootless method is layed out in steps using the commandline and some steps are particular for one of the other options so that they could be skipped. The version of ltsp is labeled ltsp5 to distinguish it from the latest version ltsp19 which is in alpha at the time of writing.

The chrootless model (once known as ltsp-pnp) is less flexible than having a separate chroot since the clients must run the same version of distribution and platform as the server. The upside is that the model is easier to maintain. In the event that all clients can run the 64bit version this is recommended. This howto has been created using amd64. Otherwise a 32bit version is suggested (just make certain that everywhere this howto writes "amd64" replace it with "i386".) After creating a server that uses the nbd boot method there are a few additional steps at the end so that the squashfs image is served to the clients by nfs giving greater stability and speed.

The use of dnsmasq provides an easy way of providing useful features. It will act as the tftp server, the local dns cache and the handling of dhcp-proxy or dhcp-server proper.

Also in this model no static addresses will be used. NetworkManager will be configured to use the router's dhcp server and other options.

At the time of writing (August 19, 2019) the versions of LTSP and other relevant packages in Debian Buster are:


server information:
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

server packages:
ii ldm 2:2.18.06-1
ii ldm-server 2:2.18.06-1
ii ldm-themes 18.02.1
ii ltsp-client 5.18.12-3
ii ltsp-client-core 5.18.12-3
un ltsp-docs <none>
ii ltsp-server 5.18.12-3
ii ltsp-server-standalone 5.18.12-3
un ltsp-utils <none>
ii ltspfs 1.5-2
ii ltspfsd 1.5-2
ii ltspfsd-core 1.5-2

found image: /opt/ltsp/images/amd64.img

Other relevant tools:
ii  kernel                    4.19.0-5-amd64
ii  epoptes                   1.0.1-2
ii  dnsmasq                   2.80-1
ii  network-manager           1.14.6-2
ii  network-manager-gnome     1.8.20-1.1
ii  nfs-kernel-server         1:1.3.4-2.5
ii  nbd-server                1:3.19-3

All config files need to be edited using root privileges. In this documentation the sudo command is used but it is also possible to use su to become root if your system is so configured.

Basic first steps for all scenarios

1. Update the server, and check the files /etc/hostname and /etc/hosts are as desired.

2. Install these 8 packages ltsp-server-standalone dnsmasq epoptes epoptes-client ltsp-client network-manager-gnome dnsutils rsync (and if you haven't already a desktop environment installed) a desktop environment of your choice.

3. Once epoptes is installed one must add the server's user (in the example "administrator") to the new epoptes group. This command will do it:

sudo usermod -G epoptes -a administrator

Note that this new membership will only be activated in the next login.

4. Often there is no such line but check in /etc/NetworkManager/NetworkManager.conf for a line with the dns= key. If it is there comment out the line.

In case step 5 is confusing, here is an explanation. Often Debian configurations are setup so that the following file deals with the network device. Most of the time the active use of this file means that network manager will not deal with the network device. In this howto network-manager will be used. Step 5 allows the configuration to be changed if necessary.

5. Check the file /etc/network/interfaces for possible lines similar to

# The primary network interface allow-hotplug <the network device> iface <the network device> inet <method>

“method” here is often “dhcp” or “static” but there are others.

If such lines are not present (or they are commented out with the symbol #) then network-manager will be in control so go on to step 6. Otherwise these lines need to be commented out by adding the hash symbol # in front of each line. Then save this edited config file. However, the system must be rebooted before control can be passed on to network-manager otherwise step 6 cannot be done. Be careful, once the server is rebooted the Internet may be temporarily unavailable until step 6 is done. So take care to copy down somewhere all of step 6 and complete it so the Internet is restored.

If the server is to use two network interfaces jump down to step 6(dual)

Steps for the one network interface scenario

6(single). To edit NetworkManager's configuration launch nm-connection-editor from the command line. After launching: Choose the Wired connection and double click it. This opens it for editing. Click on the IPv4 Settings tab. Choose 'Automatic (DHCP) addresses only' instead of just 'Automatic (DHCP)'. In the DNS servers field enter first to allow dnsmasq to cache (otherwise leave it out) followed by one or two external DNS servers, separated by spaces (e.g. Now click on the General tab and make sure that both lines are enabled: "Connect automatically with priority" and "All users may connect to this network" then save these settings and close the window.

Restart Network Manager with

sudo systemctl restart network-manager.service

If the Internet was not available this should restore it.

7(single). Create a default configuration file for dnsmasq with the command

sudo ltsp-config dnsmasq

8(single). To activate dnsmasq to serve as the local dns cache, in addition to step 5 part (b) you must edit the file /etc/dnsmasq.d/ltsp-server-dnsmasq.conf and comment out the line: #port=0 Otherwise commenting this line out, dnsmasq will run perfectly fine but will not serve as the local dns cache.

9(single). The other part to edit has to do with whether the server is going to use the router as its dhcp server (as is usually the case) so that dnsmasq is configured with dhcp proxy. To do this see if the line dhcp-range=x.y.z.0,proxy corresponds to this subnet. If this is correct comment out the other range line #dhcp-range=,,8h and save the file. If instead you want the server to use dnsmasq as the dhcp server then comment out the proxy line and set the dhcp-range=x.y.z.20,x.y.z.250,8h as appropriate.

Then restart dnsmasq with the command

sudo systemctl restart dnsmasq.service

Skip down to step 10

Steps for the two network interfaces scenario

Note that the local area network (lan) device should be a gigabit (or faster) device and connected to a gigabit switch (or a gigabit port) with a category 6 (or faster) cable. The wide area network (wan) device may even be wireless.

6(dual). To edit NetworkManager's configuration launch nm-connection-editor from the command line. After launching you should see two wired connections, one for the wide area network (wan) that faces the router and the other for the local area network (lan) that faces the ltsp clients. Edit the wan connection as described above. Edit the lan connection as follows:

Click on the IPv4 Settings tab. Choose the method 'Shared to other computers’ and in the ‘Address (optional) section add the address and netmask 24 but leave the gateway blank. Now click on the General tab and make sure that both lines are enabled: "Connect automatically with priority" and "All users may connect to this network" Save these settings and close the window. Network manager will now provide ip-forwarding and iptable nat rules on the lan interface without needing you to do anything else, once the server has been rebooted.

Restart Network Manager with

sudo systemctl restart network-manager.service

Note To verify that iptable nat rules are in force run the command

sudo iptables -L

which should produce some rules that mention

7(dual). Create a default configuration file for dnsmasq with the command

sudo ltsp-config dnsmasq

8(dual). To activate dnsmasq to serve as the local dns cache, in addition to step 5 part (b) you must edit the file /etc/dnsmasq.d/ltsp-server-dnsmasq.conf and comment out the line: #port=0

Otherwise leaving this line as it is, dnsmasq will run perfectly fine but will not serve as the local dns cache.

9(dual). Check to see if the line dhcp-range=x.y.z.0,proxy corresponds to the wan subnet and the other range line dhcp-range=,,8h corresponds to the lan subnet. Leave both lines active (without the # symbol.)

Thus dnsmasq will be the dhcp server for the lan, i.e. subnet with the clients.

Final basic steps for any scenario

Note, as mentioned above, steps 10 and 11 are only necessary if dhcp proxy is NOT wanted. So they can be skipped because the ltsp configuration defaults to IPAPPEND 3 for proxyDHCP so skip to step 12.

10. If the router is NOT going to be a DHCP server for the ltsp server then edit the config file /etc/ltsp/update-kernels.conf and add the line IPAPPEND=2

11. After doing step 10 this change needs to be put in the initd. The version of the kernel running on the server can be determined with the command uname -r Note that at the time of writing the kernel was 4.19.0-5-amd64 thus the command is

sudo dpkg-reconfigure linux-image-4.19.0-5-amd64

This reports update-initramfs: Generating /boot/initrd.img-4.19.0-5-amd64 adding the change from step 10.

12. Inspect and edit as desired /etc/ltsp/ltsp-update-image.excludes as some software running on the server will not be appropriate for the clients.

13. Once the server has been updated and any additional software has been installed a new client filesystem image must be created in order for the clients to also have these updates. This is the command

sudo ltsp-update-image --cleanup /

Note: if instead of an image being created the system reports: "Your system seems to be using NFS to serve LTSP chroots. If you're absolutely certain you want to switch to NBD, run:

run the command

apt purge nfs-kernel-server

and then repeat step 13. The package nfs-kernel-server must be installed only later in step 16.

This builds the latest squashfs image for nbd in /opt/ltsp/images and puts the latest kernel into /var/lib/tftboot/ltsp/amd64.) It triggers "ltsp-config nbd-server" to create (if needed) the files /etc/nbd-server/conf.d/swap.conf and /etc/nbd-server/conf.d/ltsp_amd64.conf. Check to see if both are there. It also creates /etc/nbd-client.

14. Then, create the default configuration file for the clients with the command

sudo ltsp-config lts.conf

15. At this point the ltsp server is ready to serve the clients the squashfile image with NBD. If this is desired then skip to the last step 19.

16. Install some additional packages with

sudo apt install nfs-kernel-server

17. Set up nfs with its export file

sudo ltsp-config nfs

18. Remove the symbolic link /var/lib/tftpboot/ltsp/amd64/pxelinux.cfg/default

sudo rm -iv /var/lib/tftpboot/ltsp/amd64/pxelinux.cfg/default

19. Create a file (not a symbolic link)


with these 8 lines (note the append line is long:)

default ltsp-NFS

ontimeout ltsp-NFS

label ltsp-NFS

menu label LTSP, using NFS

kernel vmlinuz-amd64

append ro initrd=initrd.img-amd64 init=/sbin/init-ltsp forcepae root=/dev/nfs nfsroot=/opt/ltsp/images ltsploop=amd64.img

ipappend 3

20. Lastly reboot the server so that all changes are active including the user's membership in the group epoptes.

Final notes

The lts.conf file should be studied and edited as appropriate. Note that all headings (written between square brackets) should have at least one entry each so don't leave any empty. This file plays a role similar to xorg.conf for xorg and there are many options for it to choose from. One is worth mentioning here: Under [Default] the option LDM_DIRECTX = True (the default is false) allows one to turn off the encrypted X tunnel via SSH, and instead run a less secure, but much faster unencrypted tunnel. If speed is important and security is less so then it is recommended. In this model note that lts.conf is in/var/lib/tftpboot/ltsp/amd64/ which among other things means that changes made to this file do NOT require a re-creation of the squashfs image. When ready to try ltsp don't forget to create users as appropriate for the clients. This also does NOT require a re-creation of the squashfs image.

The following changes DO require a re-creation of the squashfs image: When the server is updated. Software is added to the server that is desirable for clients.

This means one repeats the step:

On the commandline run

sudo ltsp-update-image --cleanup /

Once running the server with clients the command

sudo showmount -a

will verify that the clients are connected by nfs.

To test whether local dns caching is enabled, run the following command:


If it reports: Server: Address:

then the local dns cache is enabled.