The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘openSuSE’ Category

opensuse – How to install patterns and packages at the same time? – Unix & Linux Stack Exchange

Posted by jpluimers on 2021/09/27

appending : to the resolvable allows you to match different types in one command it seems.

zypper install java-1_6_0-openjdk-devel mercurial +pattern:devel_C_C++ +pattern:devel_java

The italic are packages; the bold are patterns.

Via: [WayBack] opensuse – How to install patterns and packages at the same time? – Unix & Linux Stack Exchange; thanks [WayBack] User llua – Unix & Linux Stack Exchange

–jeroen

Posted in *nix, *nix-tools, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

firewalld: show interfaces with their zone details and show zones in use

Posted by jpluimers on 2021/08/26

A while ago openSUSE switched to firewalld as a front-end for iptables. Tumbleweed was first in 2018, so I wrote a reminder: On my research list: migrate from OpenSuSE SuSEfirewall2 to firewalld « The Wiert Corner – irregular stream of stuff.

The core concept of firewalld is zones, which some people find hard to understand: [Archive.is/WayBack] Firewalld on Leap 15 – why is it so complicated ? : openSUSE.

Another concept is interfaces and how they bind to zones. [Wayback] Masquerading and Firewalls | Security Guide | openSUSE Leap 15.2 shows more of that.

The final concept is services that bind one or more aspects (like ports or addresses) to a service name [Wayback] Documentation – Manual Pages – firewalld.service | firewalld.

Other interesting bits of information:

Below are some examples on what I learned, especially finding details about active interfaces and the zones they are bound to.

All of them are based on:

  • the xargs shell trick (I know you can do some of them without the trick, but I try to use common patterns in my solution so I do not have to remember which boundary case fails)
  • the echo -n trick to skip the newline output
  • the [WayBack] firewall-cmd options (which kind of are commands)
    • --get-active-zones:

      Print currently active zones altogether with interfaces and sources used in these zones. Active zones are zones, that have a binding to an interface or source. The output format is:

      zone1
        interfaces: interface1 interface2 ..
        sources: source1 ..
      zone2
        interfaces: interface3 ..
      zone3
        sources: source2 ..

      If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.

    • --list-interfaces:

      List interfaces that are bound to zone zone as a space separated list. If zone is omitted, default zone will be used.

    • --get-zone-of-interface=<interface>:

      Print the name of the zone the interface is bound to or no zone.

    • --info-zone=<zone> (which shows far more information than the manual indicates):

      Print information about the zone zone. The output format is:

      zone
        interfaces: interface1 ..
        sources: source1 ..
        services: service1 ..
        ports: port1 ..
        protocols: protocol1 ..
        forward-ports: forward-port1 ..
        source-ports: source-port1 ..
        icmp-blocks: icmp-type1 ..
        rich rules: rich-rule1 ..

Two more notes before the examples:

  1. My first hunch was to use --list-all-zones, but that shows details of all un-used zones as well.
  2. I am not fully sure about the --list-interfaces to list *all* interfaces. I might replace this later with ls /sys/class/net (see [WayBack] linux – List only the device names of all available network interfaces – Super User).

Other useful commands

Besides listing zones and interfaces, you might be interested in services and ports:

# firewall-cmd --list-services
dhcpv6-client ssh
# firewall-cmd --list-ports

List used zones

The first only shows the zone names

# firewall-cmd --list-interfaces | xargs -I {} sh -c 'firewall-cmd --get-zone-of-interface={}'
public

The second both zones and interfaces:

# firewall-cmd --get-active-zones 
public
  interfaces: ens192

When there are no bound interfaces

OpenSuSE by default does not bind interfaces to zones; it means any interface uses the default zone. That means the --list-interfaces commands in this blog post fail.

You can check this behaviour by running this command:

# ls /sys/class/net | xargs -I {} sh -c 'echo -n "interface {} has zone " ; firewall-cmd --get-zone-of-interface={} | xargs -I [] sh -c "echo [] ; firewall-cmd --info-zone=[]"'
interface eth0 has zone no zone
interface lo has zone no zone
interface wlan0 has zone no zone

Alternatives:

  1. Finding the default zone
    # firewall-cmd --get-default-zone
    public
    
  2. Details of the default zone
    # firewall-cmd --info-zone=$(firewall-cmd --get-default-zone)
    public
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 

You can see that here the public zone is marked default which means it binds to any interface that is not bound to a specific zone.
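
The fallback described above (an interface without a binding gets the default zone) can be resolved in one pass. This is an added example, not part of the original post; the function names effective_zones and demo_effective_zones and the sample data are made up for illustration.

```sh
#!/bin/sh
# Added example: resolve the zone that applies to every interface.
#   $1  output of `firewall-cmd --get-active-zones`
#   $2  default zone (`firewall-cmd --get-default-zone`)
#   $3  interface names separated by whitespace (`ls /sys/class/net`)
# Prints "<interface> <zone> bound|default", one interface per line.
# Source bindings ("sources:" lines) are ignored here.
effective_zones() {
    ifaces=$(printf '%s' "$3" | tr '\t\n' '  ')
    printf '%s\n' "$1" | awk -v def="$2" -v ifaces="$ifaces" '
        # A zone header starts in column one; its first word is the zone name.
        /^[^ \t]/ { zone = $1; next }
        # Indented "interfaces:" line: remember the zone of each interface.
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) bound[$i] = zone }
        END {
            n = split(ifaces, list, " ")
            for (i = 1; i <= n; i++) {
                if (list[i] in bound)
                    printf "%s %s bound\n", list[i], bound[list[i]]
                else
                    printf "%s %s default\n", list[i], def
            }
        }'
}

# Constructed sample: one bound interface, two that fall back to the default.
sample_active_zones='internal
  interfaces: eth1
  sources: 192.0.2.0/24'

demo_effective_zones() {
    effective_zones "$sample_active_zones" public "eth0 eth1 wlan0"
}

# On a live system (as root):
#   effective_zones "$(firewall-cmd --get-active-zones)" \
#       "$(firewall-cmd --get-default-zone)" "$(ls /sys/class/net)"
demo_effective_zones
```

Interfaces reported as "default" are the ones for which --get-zone-of-interface answers "no zone"; the rules of the default zone still apply to them.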

List used zone details

# firewall-cmd --list-interfaces | xargs -I {} sh -c 'firewall-cmd --get-zone-of-interface={} | xargs -I [] sh -c "firewall-cmd --info-zone=[]"'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

List interfaces and their zones:

# firewall-cmd --list-interfaces | xargs -I {} sh -c 'echo -n "interface {} has zone " ; firewall-cmd --get-zone-of-interface={}'
interface ens192 has zone public

List interfaces and their zone details:

# firewall-cmd --list-interfaces | xargs -I {} sh -c 'echo -n "interface {} has zone " ; firewall-cmd --get-zone-of-interface={} | xargs -I [] sh -c "echo [] ; firewall-cmd --info-zone=[]"'
interface ens192 has zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Verifying if dns service is available, then allow it on public

Verify if a DNS service is in the enabled services:

# firewall-cmd --list-services
dhcpv6-client ssh

Here no DNS service is enabled, so I need to figure out if any DNS service is available to be enabled.

This lists all the services that can be enabled in a zone:

# firewall-cmd --get-services

On my system, this returned the following list:

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

I was searching to see if dns was available, so I split the string with tr, then searched with grep:

# firewall-cmd --get-services | tr " " "\n" | grep dns
dns
dns-over-tls
mdns

To get details, use the firewall-cmd --info-service=servicename like this:

# firewall-cmd --get-services | tr " " "\n" | grep dns | xargs -I [] sh -c "firewall-cmd --info-service=[]"
dns
  ports: 53/tcp 53/udp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
dns-over-tls
  ports: 853/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
mdns
  ports: 5353/udp
  protocols: 
  source-ports: 
  modules: 
  destination: ipv4:224.0.0.251 ipv6:ff02::fb
  includes: 

So for named (bind), I need the dns service to be enabled:

# firewall-cmd --zone=public --add-service=dns --permanent
success

Now a --list-services will not show dns as we changed the --permanent configuration, not the current configuration:

# firewall-cmd --list-services
dhcpv6-client ssh

So you need to --reload the --permanent settings:

# firewall-cmd --list-services --permanent
dhcpv6-client dns ssh
# firewall-cmd --reload
success
# firewall-cmd --list-services
dhcpv6-client dns ssh
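
The gap between the runtime and the --permanent configuration shown above can be checked mechanically. This is an added example, not part of the original post; list_drift and zone_drift are made-up names, and the sample input is the state shown above right after --add-service=dns --permanent.

```sh
#!/bin/sh
# Added example: report differences between runtime and permanent settings.
#   $1  label for the report line, for instance "services" or "ports"
#   $2  runtime list, as printed by `firewall-cmd --list-services`
#   $3  permanent list, as printed with `--permanent` added
list_drift() {
    label=$1
    runtime=" $(printf '%s' "$2" | tr '\t\n' '  ') "
    permanent=" $(printf '%s' "$3" | tr '\t\n' '  ') "
    # In the permanent configuration only: not enforced until --reload.
    for item in $permanent; do
        case "$runtime" in
            *" $item "*) ;;
            *) printf '%s pending-reload %s\n' "$label" "$item" ;;
        esac
    done
    # In the runtime configuration only: dropped by --reload or a reboot.
    for item in $runtime; do
        case "$permanent" in
            *" $item "*) ;;
            *) printf '%s runtime-only %s\n' "$label" "$item" ;;
        esac
    done
}

# Live check of one zone (needs root and a running firewalld).
zone_drift() {
    list_drift services "$(firewall-cmd --zone="$1" --list-services)" \
        "$(firewall-cmd --zone="$1" --list-services --permanent)"
    list_drift ports "$(firewall-cmd --zone="$1" --list-ports)" \
        "$(firewall-cmd --zone="$1" --list-ports --permanent)"
}

# The state from this post right after --add-service=dns --permanent.
list_drift services "dhcpv6-client ssh" "dhcpv6-client dns ssh"
```

A "runtime-only" line deserves a second look: it is a service or port that is open now but is not in the stored configuration.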

–jeroen

Posted in *nix, *nix-tools, bash, bash, Development, iptables, Linux, openSuSE, Power User, Scripting, Software Development, SuSE Linux, Tumbleweed, xargs | Leave a Comment »

After the freenode to libera transition: openSUSE:IRC list – openSUSE Wiki

Posted by jpluimers on 2021/06/18

For my link archive: [Wayback] openSUSE:IRC list – openSUSE Wiki

–jeroen

Posted in *nix, Chat, IRC, Linux, openSuSE, Power User, SocialMedia, SuSE Linux | Leave a Comment »

Wondering about the flavours of Tumbleweed ISO images

Posted by jpluimers on 2021/05/28

The Tumbleweed ISO images have many flavours, none yet covered in a comprehensive list.

I found [WayBack] Get openSUSE , which only explains part of the puzzle:

  • Installation: x86_64, i586, aarch64, ppc64le (for DVD/NET)
  • Kubic x86_64 aarch64 (for DVD)
  • Live x86_64 i686 (for )

I do get the processor/architectures:

README files:

These all have the same content:

These ISO files are published automatically once a new snapshot finished.
They haven't seen any kind of testing before publishing, so download on your
own risk and cost.

Most of the time they work, but there are times when they are broken.

So visit (and edit if you reported a bug severe enough)
http://en.opensuse.org/Portal:Tumbleweed

But I could not find a single page explaining the difference between all these (and why some of them are not prefixed with Tumbleweed):

flavour                     media name  architectures: x86  architectures: ARM  architectures: PowerPC  architectures: Z Systems
openSUSE-Kubic              DVD         x86_64              aarch64
openSUSE-MicroOS            DVD         x86_64
openSUSE-Tumbleweed         DVD         i586, x86_64        aarch64             ppc64, ppc64le          s390x
openSUSE-Tumbleweed-GNOME   Live        i686, x86_64
openSUSE-Tumbleweed-KDE     Live        i686, x86_64
openSUSE-Tumbleweed         NET         i586, x86_64        aarch64             ppc64, ppc64le          s390x
openSUSE-Tumbleweed-Rescue  CD          i686, x86_64
openSUSE-Tumbleweed-XFCE    Live        i686, x86_64

I do not get why:

  • some have a media name (especially not DVD: all of them are iso files, right?)
  • the architecture list is so different for most of them
  • the rescue image is not i586

I know there are also non-ISO images for instance for Raspberry Pi or pure ARM at

  • [WayBack] Index of /ports/armv6hl/tumbleweed/images/:
    • openSUSE-Tumbleweed-ARM-JeOS-raspberrypi.armv6l-Current.raw.xz
    • openSUSE-Tumbleweed-ARM-JeOS.armv6-rootfs.armv6l-Current.tar.xz
  • [WayBack] Index of /ports/armv7hl/tumbleweed/images/
    • Too long a list to fully categorise right now; limited categorisation:
    • Flavours seem to be E20/GNOME/JeOS/KDE/LXQT/X11/XFCE
    • Architectures seem to be a13olinuxino/a20olinuxinolime/a20olinuxinomicro/arndale/beagle/beaglebone/chromebook/cubieboard/cubietruck/cuboxi/efi/loco/midway/nanopineo/olinuxinolime/olinuxinolime2/panda/paz00/raspberry2/sabrelite/sinovoipbpimplus/socfpgade0nanosoc/udooneo/wga//              all armv7zl flavoured

Then there is

I have questions on these too (:

The JeOS question got answered

When originally writing this in 2019, I could not figure out what JeOS was.

Now I know it is supposed to be pronounced as juice and is meant to have “Just enough Operating System” to get a base system working:

For Raspberry Pi 2, this was the image to use mid 2020 via [Wayback] HCL:Raspberry Pi2 – openSUSE Wiki and [Wayback] http://download.opensuse.org/ports/armv7hl/tumbleweed/images/:

The OpenQA shows the global build state, but not specific to Raspberry Pi models: [Wayback] https://openqa.opensuse.org/group_overview/3

–jeroen


Posted in *nix, *nix-tools, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Need to do some catch up on “Transactional Server” from Open Suse

Posted by jpluimers on 2021/05/28

Transactional Server to me smells like Microsoft data warehouse era, so seeing it in an OpenSuSE Tumbleweed install made me wonder: huh, DBMS?

So I likely need some catch up to do on this:

Apparently “Transactional Server” is an installation type similar to “Server”, which can upgrade without touching a running system.

So how can the system then run with the updates applied?

The answer seems to be “reboot”.

This is contrary to a lot of update changes in the past (that seem to be towards “update the running system, even allow for live kernel patching” with optional before/after snapshots).

It immediately associates with “immutability”, and likely containers.

Hopefully I’m right, but I still have questions, like:

Until I have more time, these are on my reading list:

--jeroen


Posted in *nix, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

TUMBLEWEED Ordering cycle at boot with nss-lookup: named fails to start initially; workaround: manually `rcnamed start`

Posted by jpluimers on 2021/01/15

I have seen this on one Raspberry Pi 3 system: named failing to start during a normal reboot.

The solution is to manually rcnamed start as root after boot.

From [Wayback] TUMBLEWEED Ordering cycle at boot with nss-lookup, the rcnamed status is the same as on my system, but no solution in that thread:

# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: inactive (dead)

Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found ordering cycle on named.service/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on time-sync.target/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on ntpd.service/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on nss-lookup.target/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Job named.service/start deleted to break ordering cycle starting with nss-lookup.target/start

Apparently, sometimes there is a service startup dependency loop, and named becomes the victim of it, effectively rendering DNS inoperable.
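
Because systemd drops the job silently, it helps to scan the boot journal for these messages. This is an added example, not part of the original post; the function names dropped_jobs and sample_journal are made up, the cycle lines are the ones from the status output above, and the last sample line is constructed.

```sh
#!/bin/sh
# Added example: list start jobs that systemd deleted to break an
# ordering cycle, together with the chain it reported. Reads journal
# text on stdin.
dropped_jobs() {
    awk '
        / Found ordering cycle on / { chain = $NF; next }
        / Found dependency on /     { chain = chain " -> " $NF; next }
        / deleted to break ordering cycle / {
            job = ""
            # The deleted job is the word that follows "Job".
            for (i = 1; i < NF; i++) if ($i == "Job") job = $(i + 1)
            printf "%s dropped; cycle: %s\n", job, chain
            chain = ""
        }'
}

# Journal lines from the status output above, plus one constructed
# unrelated line to show that other messages are ignored.
sample_journal() {
    cat <<'EOF'
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found ordering cycle on named.service/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on time-sync.target/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on ntpd.service/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Found dependency on nss-lookup.target/start
Jul 02 08:13:40 hpprol2 systemd[1]: nss-lookup.target: Job named.service/start deleted to break ordering cycle starting with nss-lookup.target/start
Jul 02 08:13:41 hpprol2 systemd[1]: Reached target constructed example line.
EOF
}

# On a live system: journalctl -b | dropped_jobs
sample_journal | dropped_jobs
```

Any output after a boot means a unit was not started, which for named means the host has no working DNS until the service is started by hand.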

My system was running this version of Tumbleweed:

statler:~ # cat /etc/SUSE-brand /etc/os-release 
openSUSE
VERSION = tumbleweed
NAME="openSUSE Tumbleweed"
# VERSION="20200825"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20200825"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20200825"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
LOGO="distributor-logo"

On an identical system, the boot just worked fine, so it might be timing related.

waldorf:~ # cat /etc/SUSE-brand /etc/os-release 
openSUSE
VERSION = tumbleweed
NAME="openSUSE Tumbleweed"
# VERSION="20200825"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20200825"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20200825"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
LOGO="distributor-logo"

It has been fixed late January 2021 as per [Wayback] Bug 1177491 – systemd ordering cycle with nss-lookup.target:

Josef Möllers 2021-01-27 15:50:15 UTC
Fixed by removing "Before=nss-lookup.target" from systemd's service file.

It means editing /etc/systemd/system/multi-user.target.wants/named.service from

[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target
After=time-sync.target
Before=nss-lookup.target
Wants=nss-lookup.target
Wants=time-sync.target

[Service]
Type=forking
ExecStart=/usr/sbin/named.init start
ExecReload=/usr/sbin/named.init reload
ExecStop=/usr/sbin/named.init stop

[Install]
WantedBy=multi-user.target

into

[Unit]
Description=Berkeley Internet Name Domain (DNS)
After=network.target
After=time-sync.target
Wants=nss-lookup.target
Wants=time-sync.target

[Service]
Type=forking
ExecStart=/usr/sbin/named.init start
ExecReload=/usr/sbin/named.init reload
ExecStop=/usr/sbin/named.init stop

[Install]
WantedBy=multi-user.target

Note that it is an alias, so it won’t show up in a versioned /etc directory (for instance using etckeeper):

# ls -Alh /etc/systemd/system/multi-user.target.wants/named.service 
lrwxrwxrwx 1 root root 37 Sep  5  2020 /etc/systemd/system/multi-user.target.wants/named.service -> /usr/lib/systemd/system/named.service

–jeroen

Posted in *nix, Linux, openSuSE, Power User, SuSE Linux | Leave a Comment »

Opensuse Community Account Migration

Posted by jpluimers on 2021/01/11

Apparently, during my 15 month rectum cancer fight, I missed the one month window of migrating my opensuse account (because of the sale of opensuse from Microfocus to a German investment company named EQT Partners).

I got the email on May 1st (right before my first surgery) and since I only just am recovering from the last surgery, discovered [Wayback] Community Account Migration:

The Community Accounts (aka. Bugzilla Accounts) will migration to the SUSE datacenter in Nuremberg

SUSE is the largest independent open source company.
We are finalizing this independence also on the technical level.
The Community Accounts (a.k.a. Bugzilla Accounts) were moved back to SUSE to a new system in our Nuremberg data center.

All accounts have been migrated. Except for the password.
To access your migrated account a migration tool was offered until June 18th
The migration is no longer possible.
To regain access to your account you have to request a password reset.
This requires that the account has your correct email address registered.
If this is not the case you will have to create a new account.

It looks like the account migration uses Okta (identity management) – Wikipedia as authentication service (quite odd for a German company to use a USA based company for authentication: hello GDPR!), using mail servers having hostnames not ending in opensuse.org, but like o#.mailrelay.okta.com.

Hopefully identity emails do get through: they are now trying to get past my grey-list filters.

Edit:

The okta mail servers didn’t get through the grey-list, so I forced them to the secondary mail servers where they did get through.

It indicated migration is not possible any more and I should seek help:

At this time your password can only be reset by an administrator. To send them a request, go to your Sign-in Help page. Then click the Request help link.

So I did:

Hi,

Due to my 15 months fight with rectumcancer and the “SUSE Account Changes – Coming soon!” last May not indicating any deadline for the migration, I missed the one month account migration window (2020-05-18 to 2020-06-18) mentioned at https://idp-portal-info.suse.com/

Can you please re-activate the account jeroen.suffix@example.com and re-bind the forums.opensuse.org username accountname for me and send me a password reset email on that above email address?

Thanks,

–jeroen

Edit 20210112:

I got an account activation email, added password/question/mobile-phone-number, then got redirected to https://myaccount.suse.com/app/UserHome, then the “Forums” link allowed me to enter a forums alias the same as my old alias. So it looks like it sort of works now: my old jpluimers posts have not been linked to my new account.

Some reading for when I have more energy:

I just checked and the email about migration did not indicate any deadline apart from that password reset links were valid for 90 days, a lot longer than the one month window.

–jeroen

Posted in *nix, Linux, openSuSE, Power User, SuSE Linux | Leave a Comment »

Rebooting a Linux server unattended – twm’s blog

Posted by jpluimers on 2020/09/21

[WayBack] Rebooting a Linux server unattended – twm’s blog:

/sbin/shutdown -r now

Simple, but I keep forgetting where Linux has short/long command options and short/long verbs.

–jeroen

Posted in *nix, *nix-tools, Debian, Linux, OpenShift, openSuSE, Power User, Raspbian, RedHat, SuSE Linux, Tumbleweed, Ubuntu | Leave a Comment »

On my list of things to figure out: how to force fsck with opensuse Tumbleweed on Raspberry Pi 3

Posted by jpluimers on 2020/09/11

Hopefully the below links will eventually get me further in figuring out how to force fsck with opensuse Tumbleweed on Raspberry Pi 3.

For now, I just reinstalled an SD card (my Mac didn’t support the file systems and I did not have time and equipment with me to mount it to another opensuse based device).

–jeroen

Posted in *nix, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »

Chromium/Chrome on opensuse Tumbleweed ARM notes

Posted by jpluimers on 2020/07/27

Somehow Firefox is available on ARM by default, but the crash recovery isn’t that awesome.

On my list of things to try is Chrome or Chromium. These links should help me find out if this is possible at all:

On Firefox crash recovery:

–jeroen

Posted in *nix, Chrome, Google, Linux, openSuSE, Power User, SuSE Linux, Tumbleweed | Leave a Comment »