The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,949 other followers

Archive for May 28th, 2021

“FIPS mode initialized” when you ssh out of an ESXi box

Posted by jpluimers on 2021/05/28

The once per console/shell logon output of FIPS mode initialized to stderr when you ssh out of an ESXi box seems to be something new since ESXi 6.7.

Since I hardly do this, it took a while to reproduce and track back the version where it was introduced and to realise why it is on stderr.

stderr in retrospect is logical: if you need to parse stdout of a job running across an ssh channel, you do not want it to get interfered with “side channel” output, hence stderr.

For a longer explanation see, for instance [WayBack] ssh “FIPS mode initialized” message to stderr – Why? – Unix and Linux | DSLReports Forums:

Keep in mind that “ssh” is used to transport a stream, as with “rsync”. What you put on “stdout” becomes part of the stream. That’s why this sort of informational message needs to go to “stderr”.

Parsing is hard, so bugs like [WayBack] Git fetcher fails on machine with FIPS enabled machines · Issue #3664 · inspec/inspec · GitHub got [WayBack] fixed in [WayBack] pull request like [WayBack] not parsing stderr, but checking for exitstatus.

Stock OpenSSH portable does not contain FIPS support

Finding back when and how FIPS support for OpenSSH was introduced provide a bit harder than I hoped for.

It appears that stock [WayBack] OpenSSH: Portable Release does not support FIPS. But there are patches on top of these files:

Many (most?) Linux distributions include a patched version like [WayBack] ssh.c in openssh located at /openssh-5.9p1 (git://

They integrate the patches like [WayBack] File openssh.spec of Package openssh – openSUSE Build Service.

Patches for instance look like [WayBack] openssh/openssh-5.3p1-fips.patch at master · gooselinux/openssh · GitHub which is more than a decade old (see the 2009 message [WayBack] rpms/openssh/devel openssh-5.3p1-fips.patch, NONE, 1.1 openssh-5.3p1-mls.patch, NONE, 1.1 openssh-5.3p1-nss-keys.patch, NONE, 1.1 openssh-5.3p1-selabel.patch, NONE, 1.1 openssh-5.3p1-skip-initial.patch, NONE, 1.1 .cvsignore, 1.24, 1.25 openssh.spec, 1.170, 1.171 sources, 1.24, 1.25 openssh-3.8.1p1-krb5-config.patch, 1.1, NONE openssh-4.7p1-audit.patch, 1.2, NONE openssh-5.1p1-mls.patch, 1.1, NONE openssh-5.1p1-skip-initial.patch, 1.1, NONE openssh-5.2p1-fips.patch, 1.6, NONE openssh-5.2p1-nss-keys.patch, 1.3, NONE openssh-5.2p1-selabel.patch, 1.2, NONE).

The patches seem to originate at the (now defunct) WayBack Index of /export/openssh of .

In the end I found [WayBack] Mailing List Archive: OpenSSH FIPS 140-2 support using OpenSSL FIPS modules? having these quotes:

vanilla OpenSSH doesn’t support running OpenSSL in FIPS-140 mode. Some
downstream providers patch OpenSSH they deliver with their distributions
with changes to enable FIPS-140 mode.

[WayBack] Secure Shell and FIPS 140-2 – Managing Secure Shell Access in Oracle® Solaris 11.4 explains a bit of background of them.

ESXi 6.7

Binary searching for the version where this was introduced could have been a lot shorter if I had done a “FIPS mode initialized” “ESXi” – Google Search, resulting in for instance:

The final two links made me discover XSIBackup

They see be one of the few (only one?!) free backup solutions for the bare ESXi:

In addition, they have a binary for rsync version 3.1.0: [WayBack] 33HOPS | Rsync for VMWare Backup, so lees need to go to Source: ESXi 5.1 and rsync –


Posted in *nix, *nix-tools, ESXi6.5, ESXi6.7, Power User, ssh/sshd, Virtualization, VMware, VMware ESXi | Leave a Comment »

Wondering about the flavours of Tumbleweed ISO images

Posted by jpluimers on 2021/05/28

The Tumbleweed ISO images have many flavours, none yet covered in a comprehensive list.

I found [WayBack] Get openSUSE , which only explains part of the puzzle:

  • Installation: x86_64, i586, aarch64, ppc64le (for DVD/NET)
  • Kubic x86_64 aarch64 (for DVD)
  • Live x86_64 i686 (for )

I do get the processor/architectures:

README files:

These all have the same content:

These ISO files are published automatically once a new snapshot finished.
They haven't seen any kind of testing before publishing, so download on your
own risk and cost.

Most of the time they work, but there are times when they are broken.

So visit (and edit if you reported a bug severe enough)

But I could not find a single page explaining the difference between all these (and why some of them are not prefixed with Tumbleweed):

flavour media name architectures: x86 architectures: ARM architectures: PowerPC architectures: Z Systems
openSUSE-Kubic DVD x86_64 aarch64
openSUSE-MicroOS DVD x86_64
openSUSE-Tumbleweed DVD i586, x86_64 aarch64 ppc64, ppc64le s390x
openSUSE-Tumbleweed-GNOME Live i686, x86_64
openSUSE-Tumbleweed-KDE Live i686, x86_64
openSUSE-Tumbleweed NET i586, x86_64 aarch64 ppc64, ppc64le s390x
openSUSE-Tumbleweed-Rescue CD i686, x86_64
openSUSE-Tumbleweed-XFCE Live i686, x86_64

I do not get why:

  • some have a media name (especially not DVD: all of them are iso files, right?)
  • the architecture lists is so different for most of them
  • the rescue image is not i586

I know there are also non-ISO images for instance for Raspberry Pi or pure ARM at

  • [WayBack] Index of /ports/armv6hl/tumbleweed/images/:
    • openSUSE-Tumbleweed-ARM-JeOS-raspberrypi.armv6l-Current.raw.xz
    • openSUSE-Tumbleweed-ARM-JeOS.armv6-rootfs.armv6l-Current.tar.xz
  • [WayBack] Index of /ports/armv7hl/tumbleweed/images/
    • Too long a list to fully categorise right now; limited categorisation:
    • Flavours seem to be E20/GNOME/JeOS/KDE/LXQT/X11/XFCE
    • Architectures seem to be a13olinuxino/a20olinuxinolime/a20olinuxinomicro/arndale/beagle/beaglebone/chromebook/cubieboard/cubietruck/cuboxi/efi/loco/midway/nanopineo/olinuxinolime/olinuxinolime2/panda/paz00/raspberry2/sabrelite/sinovoipbpimplus/socfpgade0nanosoc/udooneo/wga//              all armv7zl flavoured

Then there is

I have questions on these too (:

The JeOS question got answered

When originally writing this in 2019, I could not figure out what JeOS was.

Now I know it is supposed to be pronounced as juice and is meant to have “Just enough Operating System” to get a base system working:

For Raspberry Pi 2, this was the image to use mid 2020 via [Wayback] HCL:Raspberry Pi2 – openSUSE Wiki and [Wayback]

The OpenQA shows the global build state, but not specific to Raspberry Pi models: [Wayback]


Read the rest of this entry »

Posted in *nix, *nix-tools, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Need to do some catch up on “Transactional Server” from Open Suse

Posted by jpluimers on 2021/05/28

Transactional Server to me smiles like Microsoft data warehouse era, so seeing it in an OpenSuSE Tumbleweed install made me wonder: huh, DBMS?

So I likely need some catch up to do do on this:

Apparently “Transactional Server” is an installation type similar to “Server”, which can upgrade without touching a running system.

So how can the system then run with the updates applied?

The answer seems to be “reboot”.

This is contrary to a lot of update changes in the past (that seems to be towards “update the running system, even allow for live kernel patching” with optional before/after snapshots.

It immediately associates with “immutability”, and likely containers.

Hopefully I’m right, but I still have questions, like:

Until I have more time, these are on my reading list:


Read the rest of this entry »

Posted in *nix, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

%d bloggers like this: