Meta Kiosk: How to run multiple different types of kiosk modes on a Sun Ray Server/FOG

"One Kiosk to Rule Them All"...

One of the coolest features of the Sun Ray platform is "Kiosk Mode". Sadly, it typically only gets associated with running a "Library" type locked down session with a web browser, or when a Windows deployment takes advantage of it to deliver Windows based sessions, be it from Terminal Services or VDI.

It is very common in demo environments and even in many production environments to have the need of presenting multiple different types of Kiosks served from the same infrastructure, which can be easily achieved by associating the token presented to the Sun Ray to the particular context required for the token. For example, you may want a number of users to get a session from a Windows Terminal Server, some others to get a Linux desktop, some users to leverage a VDI desktop, some Sun Rays in public areas to present a controlled desktop with a web browser for leasurely access and a Sun Ray in the foyer permanently running a presentation to a large LCD display. And of course, the administrator may want access to his Windows Vista desktop on a casual basis without having to rely on the Sun VDI broker. All of this from the Sun Ray Server or FOG.

In my experience, it has been mighty useful to have a fixed framework I can use at PoCs and demos for a variety of things. The piece of work presented here is an aggregation of some of the work that grew from a requirement at a large PoC in South Australia when Sun VDi wasn't around and also from the current demo environment shown to customers at the Sydney Sun Solution Centre.  There is a WOW factor that still grips the imagination of most people when they see the Sun Ray platform in full action. I mean, who's ever seen a handful of different desktops presented on the same screen in less than 10 seconds???

The purpose of this "Meta Kiosk" (or Kiosk Broker) is to provide multiple kiosk capabilities to the Sun Ray platform, which is typically constrained by the use of a single kiosk mode across the board. One day, Engineering may give me a pull down in the Token Administration GUI for me to choose what the token is supposed to do, but for now, this is the next best thing.

So, how does this "Meta Kiosk" come together? Meta Kiosk leverages the "Other Info" field of any token (a smartcard ora  pseudo token of a Sun Ray) by letting you specify a string to identify what type of session that token is entitled to, for example UTTSC, JDSKIOSK, VDA, VDANOCARD, VNC, etc. Additionally, you can specify a default kiosk mode for non-registered tokens, by changing  the UNREG_TOKEN_ACTION variable in the script. After the script decides what Kiosk the token is entitled to, it actually instantiates that particular kiosk mode, as if it had been called naturally by the Sun Ray kiosk framework. Should the first string in the "Other Info" field not be recognised, the action indicated by the variable DEFAULT_ACTION will be undertaken (which can also modify. DEFAULT_ACTION for registered tokens in the script is to use VDA, which is convenient as the VDA script also makes use of this field as the placeholder for the poolname the token owner is entitled to from the available SOE pools.

The only caveat to this is that typically, the arguments passed to the kiosk session are defined in the Sun Ray Admin GUI setup for the system-wide kiosk mode you choose, but since Meta Kiosk calls upon a large number of kiosks itself, this is no longer useful. To work around this, the script assumes that the parameteres you want for a specific kiosk mode are actually contained in the relevant "kiosk.conf file for that particular kiosk, typically found in /etc/opt/SUNWkio/sessions. For example, if I wanted to enable Full Screen to all the uttsc kiosk sessions, I would simply edit /etc/opt/SUNWkio/sessions/uttsc.conf and type something like KIOSK_SESSION_ARGS="-t 1800 -- -m mywindowsterminalserver".

What options can I enter in the "Other Info" field of a Sun Ray token?
Below are the different options available "out of the box" with the present release of Meta Kiosk, along with some of the features, that you can specify in the "Other Info" field of your tokens - and don't forget you can add any of your own easily by editing the script at /etc/opt/SUNWkio/sessions/meta-kiosk/meta-kiosk-session (and if you do and you consider it useful, please share it with me!):

: for the traditional Solaris based locked down Sun Ray kiosk mode
"Other Info" field specs: JDSKIOSK

: to make a call upon a specified Windows (or RDP capable) system, whether it is a physical PC, a VM, a WTS or a session directory server or the console of a VirtualBox VM with VRDP...
"Other Info" field specs: UTTSC [username [target system]]
UTTSC can leverage the main system name passed in the uttsc.conf file, presented as the last field of KIOSK_SESSION_ARGS. If username is present, then this name will appear in the login box (where possible). If "target system" is specified this field will be stripped from the uttsc.conf definition and replaced by that found at "Other Info". Note that when you configure the uttsc kiosk mode, it is expected that you enter a system name at the end of the string. As such, Meta Kiosk expects this too.

: In case you need or want to register it. Note that the script will treat this as the default mode for any \*registered\* token anyway.
"Other Info" field specs: VDA
the VDA kiosk script will later re-read and interpret this field as a pool name, so typing  any parameters would be useless! If this is used with VDA, then a default pool called VDA can be setup, unless you have already assigned the username a permanent virtual machine.

: In case you need or want to register an existing token or  pseudo-token to use Dirk Grobler's "Non Card VDI for Sun Ray".
"Other Info" field specs: VDANOCARD

: In case you want to use VMware's broker in your environment separately. You will need to download the Sun Ray connector for VMware Virtual Desktop Manager and install it (guess what - it's a kiosk mode too!)
"Other Info" field specs: VDM

The next options are not not defined typically as kiosks. Their code is contained within the Meta Kiosk script itself:

: Experimental at this point, useful mostly for MACs (not that you couldn't use with Solaris/Linux or even Windows), by way of leveraging  a VNC server or similar (the builtin ARD server does NOT work with standard VMC clients)
"Other Info" field specs: VNC [system-name [password]]
Both parameters are optional, although you can't specify password if you don't  specify a system name. Password will get written to a file and then the argument  passed through, and although this is not dramatically secure, it allows for a  quick demo of a MAC on a Sun Ray. A good VNC server to use is Vine. You may need to pass the port to the VNC service on the server as part of the system name, e.g. mymac:5901   

: Let's you run a specified Solaris app, but take heed, there will be no Window manager for it. Otherwise, simply use JDSKIOSK and specify the app there.
"Other Info" field specs: APPLICATION command-name <parameters>
For example, you could run a full screen presentation on a dedicated Sun Ray like this, like we do at the foyer of the Sydney Sun Solution Centre:
APPLICATION /usr/bin/staroffice -invisible - nologo -show /presentations/sunray-presso.od

UTSWITCH: Need a token to get redirected without AMHG? This is it!
"Other Info" field specs: UTSWITCH sunray-server-hostname
Beware that the Sun Ray will remain attached to that other Sun Ray server when you pull the smartcard or disconnect the session, so it's important to remember to STOP-A the Sun Ray at the end of the session.

: An Xsession. This will run Xnest within the Sun Ray X session canvas.
"Other Info" field specs: X11 servername [geometry]
NOTE: On your Sun Ray server, you may have to execute this: chmod 04755 /usr/openwin/bin/Xnest ulness Xephyr is available.

: An X term (xterm) on the Sun Ray server. Good for testing!
"Other Info" field specs: XTERM
It also starts twm as the window manager. Just good to have...

Meta Kiosk Workflow - how does a kiosk mode get chosen?
The following diagram depicts the default actions chosen by the script based on the token conditions, i.e. Token registered or not and "Other Info" field contents:

Putting it all into action
The requirements are quite simple:

  • DOWNLOAD "Meta Kiosk" (TAR file)

  • Unpack the downloaded file on a Solaris Sun Ray server: the files are created from the root directory, straight into /etc/opt/SUNWkio/sessions.

  • Under the Sun Ray Web Admin go to Advanced -> Kiosk Mode.

  • Choose "Meta Kiosk Broker Session" from the kiosk options pull down.

  • Pick any Solaris apps you desire to run under the JDS kiosk mode (if at all) as part of the Meta Kiosk, instead of JDS.

  • For EACH and ALL kiosk modes you will be employing that requires it, make sure you edit the associated ".conf" file in /etc/opt/SUNWkio/sessions and include the parameters you want to regularly use: simply type them in for that kiosk mode under KIOSK_SESSION_ARGS (see example above for UTTSC.)

  • Pick the default action you desire for unregistered tokens (if your policy allows) by editing /etc/opt/SUNWkio/sessions/meta-kiosk/meta-kiosk-session and assigning it to UNREG_TOKEN_ACTION (see Flow Chart above.)
    NOTE: By default the script assumes that unregistered tokens get JDSKIOSK as the default, and if this is what you want, make sure you specify something like Firefox as a Critical app under the Meta Kiosk app pane.

  • Pick the default action you desire for registered tokens that do not present an identifiable string in "Other Info" by editing /etc/opt/SUNWkio/sessions/meta-kiosk/meta-kiosk-session and assigning it to DEFAULT_ACTION (see Flow Chart above.)
    NOTE: By default the script assumes this to be VDA, the Sun VDI broker

  • Don't forget you need to have the token registered AND set as a Kiosk token for any of this to work.

  • If you want to assign a kiosk mode to a Sun Ray without using  a smartcard, simply register the pseudo token of the Sun Ray through the Web Admin GUI. The token is always "pseudo.<MAC address>" of the Sun Ray you need. This is often done under VDA to present the same Windows VM to the same person at the same desk all the time (much like ... your PC.)

Enjoy and make sure you share any other worthwhile uses you can think of...

UPDATE 19/02/2009:
Made some improvements on the X11 kiosk - it now works with Centos and OpenSolaris, thanks to the use of Xephyr on Solaris 10 x86

UPDATE 02/07/2009:
For a pure and supported methodology on assigning different kiosk sessions to different tokens, there's a new feature available since SRS 4.1 that allows individual Kiosk session assignment to different tokens. For more info, please visit Jörg Barfurth's blog entry "Using different Kiosk Sessions for different tokens". Thanks Jörg! While I'm on this subject, could engineering please deploy a kiosk selection pull-down on the token administration page in the Sun Ray web admin? Ta :)


Thanks a lot !! This is super useful for us. We have several customers that need TS and VDI at the same time.

Posted by Patrick Bateman on February 06, 2009 at 01:24 PM EST #

Good one!!!!! I was looking for something like that. I dont know why Sun didnt add something like this directly to the server.
I would like refer this article on my own blog translate to Spanish, there is any problem?

Posted by Juan Jose Vidanez on February 06, 2009 at 06:10 PM EST #

Juan Jose,

Please feel free to translate (I should do that...) abd when you're done, let me know so that I can post a link to the translation in the spanish version of ThinkThin.

Muchas gracias por tu comentario tan positivo!!!


Posted by Daniel Cifuentes on February 10, 2009 at 02:55 PM EST #

I would try /usr/X11/bin/Xephyr instead of Xnest. Guess that you have to run the Newest SRRS to use Xnewt. Because it's an X11 app.

Posted by Jan Holzhüter on February 10, 2009 at 03:14 PM EST #

This is really useful, thanks. I've been using utkioskoverride but its settings are prone to disappearing if anyone goes near the Kiosk page in the web GUI.

Posted by Ceri Davies on February 11, 2009 at 11:44 PM EST #

All too true. And because of this, I've uploaded a new version that checks whether Xephyr is available and if so, it uses it instead of Xnest, because it does work like a charm.

Thanks Jan!

Posted by Daniel Cifuentes on February 13, 2009 at 10:27 AM EST #

Great blog entry. Kiosk modes are good, but touch screen capabilities of SunRay would be better...

Posted by Bruno Joho on March 02, 2009 at 11:01 PM EST #

Very cool indeed!
We ran into this through a customer contact, and have done a bit of tinkering to adapt it to our IP Phone to Sun Ray integration (aims the kiosk at our special session type). Works a charm... Also help us avoid having to configure register-token-only access policy for some use cases -- nice. Next will be to aim different users to different virtual desktop types.

Just want to check we are indeed OK to use this for real customers. I see copyright Sun stuff, but nothing about whether it is OK to use and modify. Can we assume it is indeeed OK? Since it is on a Blog, assume so.

Posted by Peter Blatherwick on April 09, 2009 at 08:07 PM EST #

Hi Daniel, you make a very good contribution. Thanks!!

I have a question, how can I pass other parameters to UTTSC keyword like "-a application", "-r drive" which are supported by the original uttsc connector?

Thanks in advance

Posted by Diego on June 04, 2009 at 04:58 PM EST #

Do you have this kiosk script for Redhat Linux implementation for Sun Ray?

Posted by Green Data Centre on June 09, 2009 at 12:05 AM EST #

I can't say I have tested the script outside of Solaris, but on Red Hat...
- It should work as is (famous last words)
- If not, small adjusments could be required
- If you succeed, share your findings and I will post them!

Posted by Daniel Cifuentes on June 09, 2009 at 08:23 AM EST #

Hi Daniel, great work from you!
I need to know if this release of Meta Kiosk works with version 3.0x of Sun VDI?

Your script will save me a lot of work!

Thanx in advance

Posted by Lars Bækmark on June 15, 2009 at 08:49 PM EST #

Thanks a lot for your work ! really cool
I also need to know if it works with SUN VDI 3?
Thanks again

Posted by Johan THOMAS on June 23, 2009 at 04:37 PM EST #

What's the reason why Xephyr works without needing the setuid bit turned on while Xnest needs to be setuid?

If the answer is simply that a non-setuid Xnest exits after complaining that it can't open all possible transports (it can't create pipe and Unix-domain socket endpoints because it doesn't have sufficient privilege in the directories where those things live) then a much better answer than 'chmod 04755' is to invoke Xnest with the '-pn' option, which tells it that it's OK to proceed even if some transports can't be established.

Posted by ottomeister on July 11, 2009 at 06:06 AM EST #

I am looking for a way to present a different home page and bookmarks in the firefox browser in the default sun desktop.
I understand how to add bookmarks, but don't know if this can be a variable with the meta-kiosk. Maybe using firefox command lines?
Thanks Rob

Posted by Rob on August 25, 2009 at 09:54 PM EST #


Great script!

How would one implement a SSH session using this to another machine?

What I am hoping for is a menu option that a user can choose that then asks the the user to input his/her username and then click "Connect to X Linux Machine" and then they get a SSH session on the other Linux box that asks for the password (as a normal SSH session does).



Posted by guest on July 07, 2011 at 01:07 AM EST #

I am using this feature to run two kiosk browser sessions on a single server. I have created two firefox profiles that have two different home pages. I use the meta kiosk APPLICATION feature and in the other info field of the token I enter APPLICATION path firefox -P default for one profile and APPLICATION path firefox -P southern for the other profile

How do ensure that the browser page fits the full screen of a Sun Ray 270

Regards Michael

Posted by guest on December 20, 2012 at 11:37 PM EST #

Post a Comment:
  • HTML Syntax: NOT allowed

A thin thinker down under


« April 2014