Wed, May 15th, 2024
Experimental syslog-ng packages for Amazon Linux 2023
Last year, I received many requests about syslog-ng for Amazon Linux 2023, but I could not find an easy way to create syslog-ng packages. Recently, however, I found that Fedora Copr supports building packages for Amazon Linux 2023. So, with a little bit of experimentation, I got a cut-down version of syslog-ng compiled.
Read more at https://www.syslog-ng.com/community/b/blog/posts/experimental-syslog-ng-packages-for-amazon-linux-2023
Tue, May 14th, 2024
Copr: build your Fedora / RHEL packages for POWER
I’m often asked, how can I be an IBM Champion for POWER, if I do not own an IBM POWER server or workstation. Yes, life would definitely be easier if I had one. However, I have an over 30 years history with POWER, and there are some fantastic resources available to developers for free. Both help me to stay an active member of the IBM POWER open source community.
Last time I introduced you to the openSUSE Build Service. This time I show you Copr, the Fedora build service.
Copr
Just like OBS, Fedora Copr also started out as a (relatively) simple service to build Fedora and CentOS packages for x86. As Copr is a project by Fedora, the public instance maintained by Fedora at https://copr.fedorainfracloud.org/ only allows you to build open source software. However, you can also install Copr yourself on your own infrastructure. The source code of Copr is available at https://copr.fedorainfracloud.org/, where you can also find links to the documentation.
Today you can use Copr to build packages not just for Fedora x86, but almost all RPM distributions, including openSUSE and OpenMandriva. In addition to x86, you can build packages for 64-bit ARM (aarch64), IBM mainframes (s390x), and IBM POWER 64-bit, little-endian (ppc64le).
You can access Copr using its web interface. There is also a command-line utility, but it was very limited when I last checked. Enabling support for POWER in your project is easy: just select the POWER architecture versions of distributions when you set up the project. You can also enable support for POWER later, but Copr does not automatically build packages for the new architecture. TL;DR: enable support for POWER before building any packages to make your life easier.
How do I use Copr?
Just as with the openSUSE Build Service, my first use of Copr was to make up-to-date syslog-ng packages available to the community. Along the way I used Copr to build some syslog-ng dependencies not yet available in Fedora or RHEL. Some of these are already part of the official distributions.
I did not have a chance yet to benchmark syslog-ng on POWER10, however in the POWER9 era POWER was the best platform to run syslog-ng. I measured syslog-ng collecting over 3 million log messages a second on a POWER9 box when x86 servers could barely go above the 1 million mark.
When I make the latest syslog-ng versions available, I build my EPEL (Extra Packages for Enterprise Linux) packages not just for x86, but also for POWER. I do not know how accurate Copr download statistics are, but for some syslog-ng releases it shows that almost a fourth of all downloads were for POWER syslog-ng packages: https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng44/.
Why Copr?
If your primary focus is to build packages for the Red Hat family of operating systems, Copr provides you with the widest range of possibilities. You can regularly test if your software still compiles on Fedora Rawhide, while providing your users with packages for all the Fedora and RHEL releases. Best of all: even if you do not have a POWER server to work on, you can serve your users with packages built for POWER.
Thu, May 9th, 2024
The syslog-ng Insider 2024-05: documentation; grouping-by(); PAM Essentials; health
The May syslog-ng newsletter is now on-line:
- The official syslog-ng OSE documentation got a new look
The syslog-ng Administration Guide received a new look and easier navigation. Not only that, but it is also up-to-date now. Besides, there are now contributor guides available both for the documentation and for syslog-ng developers.
The admin guide is available at: https://syslog-ng.github.io/admin-guide/README
You can reach all syslog-ng OSE-related documentation at: https://syslog-ng.github.io/
If you find any issues, pull requests and problem reports are welcome. The contributor guide describes how you can fix / extend the documentation. You can report issues at: https://github.com/syslog-ng/syslog-ng.github.io/issues
- Aggregating messages in syslog-ng using grouping-by()
- Alerting on One Identity Cloud PAM Essentials logs using syslog-ng
- The syslog-ng health check
It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2024-05-documentation-grouping-by-pam-essentials-health
Planned outage of Weblate on May 14th
openSUSE will undergo a critical update with the migration of Weblate to a hosted solution.
The project is shifting to a hosted solution for the web-based localization tool in order to keep up with the increasing demands of projects’ development.
The migration is slated for May 14 and it is anticipated that the service will be down for approximately one day.
This is a planned short-term inconvenience for a long-term benefit and will allow for our translation contributors to pick up right where they left off.
People wanting to contribute to the openSUSE Project by helping to translate using Weblate can register on https://l10n.opensuse.org and connect with other translators through translation@lists.opensuse.org and project@lists.opensuse.org mailing lists.
Any attempt to connect to Weblate during the migration will trigger a notification informing the user of the ongoing maintenance. Others will be informed of the outage through https://status.opensuse.org.
Tue, May 7th, 2024
How to install SLE-15-SP6 on NVIDIA Jetson platform (Jetson AGX Orin/IGX Orin)
This covers the installation of updated Kernel, out-of-tree nvidia kernel modules package, how to get GNOME desktop running and installation/run of glmark2 benchmark. Also it describes how to get some CUDA and TensorRT samples running.
SP6
Download SLE-15-SP6 (Arm) installation image. This you can put on a regular USB stick or on an SD card using dd command. Go into BIOS and change SOC Display Hand-Off Mode settings, i.e. Device Manager -> NVIDIA Configuration -> Boot Configuration -> SOC Display Hand-Off Mode, to Never.
Boot from the USB stick/SD card, that you wrote above and install SP6. You need to install via serial console, since the monitor won’t get any signal without the out-of-tree nvidia kernel modules, which are installed later in the process.
Make sure you select the following modules during installation:
- Basesystem
- Containers
- Desktop Applications
- Development Tools
- Python 3
- Server Applications
Select SLES with GNOME for installation.
Kernel + KMP drivers
Continue installation with serial console.
Now update kernel and install our KMP (kernel module package) for all nvidia kernel modules.
We plan to make the KMP available as a driver kit via the SolidDriver Program. For now please install an updated kernel and the KMP after checking the build status (rebuilding can take a few hours!) from our open buildservice:
Reboot with the updated kernel.
In Mokmanager (Perform MOK management) select Continue boot. Although Secureboot is enabled by default in BIOS it seems it hasn’t been implemented yet (BIOS from 04/04/2024). Select first entry SLES 15-SP6 for booting.
Userspace/Desktop
Unfortunately installing the userspace is a non-trivial task.
Installation
Download Jetpack 6 Driver Package (BSP) from this location. Extract jetson_linux_r36.3.0_aarch64.tbz2.
Then you need to convert debian packages from this content into tarballs.
From the generated tarballs you only need these:
And from this tarball nvidia-l4t-init_36.3.0-20240404104251_arm64.tbz2 you only need these files:
So first let’s repackage nvidia-l4t-init_36.3.0-20240404104251_arm64.tbz2:
Then extract the generated tarballs to your system.
Then you still need to move
to
and add /usr/lib/aarch64-linux-gnu to /etc/ld.so.conf.d/nvidia-tegra.conf.
Run ldconfig
Video group for regular users
A regular user needs to be added to the group video to be able to log in to the GNOME desktop as regular user. This can be achieved by using YaST, usermod or editing /etc/group manually.
Reboot the machine
Basic testing
First basic testing will be running nvidia-smi.
Graphical desktop (GNOME) should work as well. Unfortunately Linux console is not available. Use either a serial console or a ssh connection if you don’t want to use the graphical desktop or need remote access to the system.
glmark2
Install phoronix-test-suite
Run phoronix-test-suite
CUDA/Tensorflow
Containers
NVIDIA provides containers available for Jetson that include SDKs such as CUDA. More details here. These containers are Ubuntu based, but can be used from SLE as well. You need to install the NVIDIA container runtime for this. Detailed information here.
1. Install podman and nvidia-container-runtime
2. Download the CUDA samples
3. Start X
Monitor should now show a moiré pattern with an unframed xterm on it. Otherwise check /tmp/log.
4. Download and run the JetPack6 container
CUDA
5. Build and run the samples in the container
Tensorrt
6. Build and run Tensorrt in the container
This is both with the GPU and DLA (deep-learning accelerator).
Misc
Performance
You can improve the performance by giving the clock a boost. For best performance you can run jetson_clocks to set the device to max clock settings.
The 1st and 3rd commands just print the clock settings.
Mon, May 6th, 2024
openSUSE Asia Summit Set for Tokyo
openSUSE.Asia Summit will come back to Tokyo, Japan
The openSUSE Project is excited to announce that openSUSE.Asia Summit 2024 is going to be held in Tokyo, Japan. The openSUSE.Asia Summit is an annual conference for users and contributors of openSUSE and FLOSS enthusiasts. During this summit, they will gather in person to share knowledge and experiences about openSUSE including applications running on it.
The venue of the summit will be located in Tokyo, the capital of Japan, blending tradition and cutting-edge technology. Its infrastructure and global connectivity make it a prime location for promoting collaboration among openSUSE users and developers. Moreover, Tokyo is a center of information technology; many technology companies have their offices in Tokyo, with numerous engineers residing in the surrounding areas.
Tokyo is also a popular place for sightseeing with its unique culture, food, etc. Especially, characters from video games, anime, and comics, which are now common in the world, attract tourists to Japan. In Tokyo, you can easily find character shops and get items related to works you love.
The number of tourists from abroad recovered last year to the same level as before COVID-19. Due to the currency exchange rate, it will be a great chance to enjoy your trip to Japan while saving your money. Even though you may have attended the last summit in Tokyo, you will discover new facets, developed before the TOKYO 2020 Summer Olympics.
Please see also:
The expected summit date is Nov. 2 and 3 soon after Open Source Summit Japan. Our call for speakers is going to end around the end of July. For more details including the venue, please stay tuned until the next announcement in a couple of weeks.
Fri, May 3rd, 2024
openSUSE Tumbleweed – Review of the weeks 2024/17 & 18
Dear Tumbleweed users and hackers,
Last week, I was attending the SUSE Labs Conference and had to skip writing the weekly review. As many SUSE devs were there too, the expectation was to get fewer changes anyway during week 17. Consequently, I am spanning two weeks again today and will be covering the nine snapshots (0419, 0421, 0423, 0425…0430) released during this period.
The most relevant changes delivered were:
- Linux kernel 6.8.7 & 6.8.8
- SETools 4.5.0
- libxml 2.12.6
- LLVM 18.1.4
- Python 3.11.9 & 3.12.3
- Mesa 24.0.5
- Mozilla Firefox 125.0.2
- SQLite 3.45.3
Having some engineers together at the Labs Conference also allowed them to directly exchange ideas and work on some of the things in staging. Simon and I have worked on dbus-broker and made some good progress, but we have not yet reached the end goal. Similarly for other things in the staging areas. The most interesting changes being prepared are:
- Mozilla Firefox 125.0.3
- LibreOffice 24.2.3.2
- QEmu 8.2.3
- GNOME 46.1
- Ninja 1.12.0
- util-linux 2.40
- Ruby 3.3.1
- dbus-broker: some networking issue after upgrades left to work out
- GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7
Wed, May 1st, 2024
Google Groupware Calendar with KOrganizer Fix
RuPerl - Rust with embedded Perl
Thanks to a colleague who introduced me to Nim during last week’s SUSE Labs conference, I became a man with a dream, and after fiddling with compiler flags and obviously not reading documentation, I finally made it.
This is something that shouldn’t exist; from the list of ideas that should never have happened.
But it does. It’s a Perl interpreter embedded in Rust. Get over it.
Once cloned, you can run the following commands to see it in action:
cargo run --verbose -- hello.pm showtime
cargo run --verbose -- hello.pm get_quick_headers
How it works
There is a lot of autogenerated code, mainly for two things:
- bindings.rs and wrapper.h; I made a lot of assumptions and perlxsi.c may or may not be necessary in the future (see main::xs_init_rust), depends on how bad or terrible my C knowledge is by the time you’re reading this.
- xs_init_rust function is the one that does the magic, as far as my understanding goes, by hooking up boot_DynaLoader to DynaLoader in Perl via ffi.
With those two bits in place, and thanks to the magic of the bindgen crate, and after some initialization, I decided to use Perl_call_argv, do note that Perl_ in this case comes from bindgen, I might change later the convention to ruperl or something to avoid confusion between that and perl_parse or perl_alloc which (if I understand correctly) are exposed directly by the ffi interface.
What I ended up doing, is passing the same list of arguments (for now, or at least for this PoC), directly to Perl_call_argv, which will in turn, take the third argument and pass it verbatim as the call_argv
Perl_call_argv(myperl, perl_sub, flags_ptr, perl_parse_args.as_mut_ptr());
Right now hello.pm defines two subroutines, one to open a file, write something and print the time to stdout, and a second one that will query my blog, and show the headers. This is only example code, but enough to demonstrate that the DynaLoader works, and that the embedding also works :)
I got most of this working by following the perlembed guide.
Why?
Why not?
I want to see if I can embed also python in the same binary, so I can call native perl, from native python and see how I can fiddle all that into os-autoinst.
Where to find the code?
On github: https://github.com/foursixnine/ruperl or under https://crates.io/crates/ruperl
Tue, Apr 30th, 2024
openSUSE Tumbleweed Monthly Update - April
Welcome to the monthly update for openSUSE Tumbleweed for April 2024. This month began after addressing last month’s supply chain attack against xz compression library for the rolling release. An explanation of that XZ Backdoor, how it was addressed and what was learned can be found on news.opensuse.org.
A flurry of updates, enhancements, and crucial security fixes arrived in openSUSE’s rolling release this month as the busy season for conferences begins. Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.
New Features and Enhancements
- Linux Kernel: The month of April had a few kernel updates. Notable changes with the 6.8.5 version included mitigation for Branch History Injection (BHI) vulnerabilities, improvements to Spectre mitigation, updates for Intel graphics drivers, fixes for SMB client vulnerabilities and fixes for RISC-V architecture. Version 6.8.7 included updates and fixes for AMD display drivers, Intel i915 driver, x86 speculative execution vulnerabilities, arm 64 device tree files, DRM drivers, filesystem handling, and more.
- KDE Frameworks 6.1.0: The numpy package introduces enhanced support for structured arrays and flexible indexing, while pandas incorporates improved handling of missing data and new methods for data manipulation. Additionally, the matplotlib package offers enhanced customization options for plot aesthetics. New algorithms for machine learning tasks in scikit-learn were included in the update.
- KDE Gear 24.02.2: The KDE Gear 24.02.2 update encompasses a wide range of fixes and enhancements, including resolving issues with tag addition functionality in Akonadi, addressing translated shortcut and icon appearance problems in Akregator, various improvements and fixes in ark such as disabling RAR4 compression method, multiple fixes in Elisa including volume slider and track playback issues and numerous enhancements in Konsole. There were fixes for calendar selection and the todo view updates in Korganizer.
- PHP8 8.3.6: There were significant bug fixes, security patches and improvements across different components included in the update. Besides fixes with Core, DOM, GD, Opcache and Session other fixes include:
  - FPM: Fixes have been applied to address issues with the configuration test running twice in daemonized mode and incorrect checks in fpm_shm_free().
  - Gettext: Fixes have been made to address issues with dcgettext and dcngettext calls with specific configurations.
  - MySQLnd: Various fixes have been applied, including correcting handshake response and charset length checks.
  - Random: Compatibility improvements have been introduced for PHP versions prior to 8.2, and issues with global Mt19937 reset have been resolved.
  - Standard: Validation has been added for specific characters in the mail() function, and various bug fixes have been implemented, including addressing command injection and cookie bypass vulnerabilities. (Noted in CVE-2024-1874, CVE-2024-2756 and fixing issues with mb_encode_mimeheader and password_verify with CVE-2024-3096 and CVE-2024-2757.)
- Mozilla Firefox 125.0.2: The browser brought new features such as:
  - Support for AV1 codec in Encrypted Media Extensions (EME) for improved video playback quality.
  - Enhanced PDF viewer capabilities with text highlighting.
  - Introduction of the URL Paste Suggestion feature, improving usability by allowing quick navigation to URLs copied to the clipboard.
  - Multiple critical security fixes addressing vulnerabilities like out-of-bounds reads and use-after-free errors that enhance browser security.
- dracut: There were improvements such as the addition of tpm2.target and systemd-tpm2-generator and several memory leak fixes.
- ffmpeg: Versions 4 and 6 took care of some video handling issues and made fixes for memory leaks with improved EOF handling. The updates address:
- sqlite3: An update from version 3.45.2 to 3.45.3 addresses a long-standing bug affecting the accuracy of trigger responses in certain UPSERT operations to ensure more reliable database operations.
- Flatpak: The 1.15.8 update had some security fixes to prevent sandbox escape and various other usability improvements.
- Python3.11: The 3.11.9 version had various security patches and bug fixes, such as addressing CVE-2023-52425, updating bundled libexpat to version 2.6.0, fixing possible crashes in collections.deque.index() and improving SSLContext behavior.
- Cppcheck: New checks in version 2.14.0 include:
  - eraseIteratorOutOfBounds: Warns about calling erase() on an iterator that is out of bounds, enhancing the robustness of code.
  - returnByReference: Warns when a large class member is returned by value from a getter function, which can impact performance and memory usage.
Other Package Updates
- SDL2: Version 2.30.2 introduces support for various new controllers, including the 6-button SEGA Mega Drive Control Pad and the Hori Fighting Stick EX2.
- Cryptsetup: Version 2.7.2 addressed several issues, including fixes for OPAL device formatting and activation.
- SpamAssassin: A package with a great name, version 4.0.1 enhances URL shortener link redirection handling and improves TxRep locking management, which bolsters email security for users.
Bug Fixes
- Xwayland: CVE-2024-31083. This fix mitigates a critical security vulnerability in Xorg servers caused by a use-after-free flaw in ProcRenderAddGlyphs(), which allows authenticated attackers to execute arbitrary code.
- PHP8 (https://www.php.net/): CVE-2023-51793, CVE-2023-49502, CVE-2023-50008 and CVE-2023-50007
- glibc: CVE-2024-2961 allows buffer overflow when converting to ISO-2022-CN-EXT, causing crashes or variable overwrites.
- libxml2: CVE-2024-25062 was a vulnerability to use-after-free via crafted XML documents.
- Python3.11: CVE-2023-52425, CVE-2023-6597
- QEMU: Backports and bugfixes were made for a flaw that allows a malicious guest to crash QEMU and cause a denial of service condition with CVE-2024-3567. CVE-2024-3446 could affect arbitrary code execution and CVE-2024-3447 was also backported.
- Freerdp2: Version 2.11.5 provided fixes for CVE-2023-40574, which experienced an Out-Of-Bounds Write in the writePixelBGRX function that was likely due to incorrect variable calculations, and CVE-2023-40575, which results in crashes.
Conclusion
The month of April 2024 had a blend of feature enhancements and crucial security fixes. From improved gaming support with SDL2 to strengthened encryption practices with Cryptsetup, users benefited from a host of updates aimed at enhancing functionality, stability and security. Other packages to update in Tumbleweed during the month were Mesa, GTK4, transactional-update and more.
For those Tumbleweed users that want to contribute, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.