
the avatar of Nathan Wolf

Pi-Hole the Easy Way

Setting up a Pi-Hole for your network is a beautifully simple process. This is a guide whose intent is to give you the confidence to try it yourself. If you are not new to the Raspberry Pi and have accomplished many things with it, this guide is likely a bit too basic. The goal of […]

the avatar of FreeAptitude

openSUSE Tumbleweed – Review of the week 2021/50 & 51

Dear Tumbleweed users and hackers,

Unfortunately, I missed writing up the weekly review last week, so I am spanning once again two weeks here. And Tumbleweed has been so stable for the last weeks, even the snapshot count shows this. For example, in the period from snapshot 1116 to 1222, only a total of three snapshots were not released (1204, openQA issues, and 1216 & 1217 due to a new pango version having an impact on the rendering, which required a lot of needles to be created, which we could not do in time before the next snapshots reached QA). Looking only at the time since my last weekly review, we have published 12 snapshots (1209..1215 & 1218..1222). Despite the holiday season, there still seem to be ample changes incoming (but it is getting less, as the look at the Staging dashboard reveals at the moment).

The main changes published in the snapshots of the last two weeks included:

  • Linux kernel 5.15.7 & 5.15.8
  • Mozilla Firefox 95.0
  • Rust 1.57
  • Kubernetes 1.23
  • KDE Gear 21.12.0
  • KDE Frameworks 5.89.0
  • GNOME 41.2
  • pipewire 0.3.40 & 0.3.42, with wireplumber as the used session-manager
  • Pango 1.50.1 & 1.50.2
  • Lots of yast modules prepared for Ruby 3.0

The staging projects are mostly empty due to the holiday season being upon us. Only some of the longer-standing changes are still there. New snapshots will be generated as submissions permit, but the snapshots are probably getting a bit smaller over the next few days. Changes being worked on include:

  • Qemu 6.2.0 (Snapshot 1223+)
  • Boost 1.78.0 (Snapshot 1223+)
  • Gimp 2.10.30
  • Moving default php version from php7 to php8 (builds basically ok, but our openQA tests are not ready, as they too often explicitly test php7-*)
  • Testing the results when moving system ruby from 2.7 to 3.0: the YaST team is moving quickly to make this happen
  • Enabling the build of python310-* modules; the move of the default python3 provider to python310 should follow soon after
  • openSSL 3.0

the avatar of Nathan Wolf

Christmas Light Display 2021

A lot of changes were brought in with the year 2021. The biggest of the changes was one I was not expecting when the calendar rolled over, and that was moving to a new house. All the changes have been good, have kept me busy and most importantly have been great for my family. I had all kinds of great ideas I was going to add to my house for light displays but instead, I have a new place and I was having a difficult time envisioning how I wanted to light the place up.

the avatar of openSUSE News

Holidays in the openSUSE Bar!

Hi All!

First, on behalf of all the openSUSE BAR regulars, we’d like to wish you Happy Holidays / Merry X-mas🎄. But, we are also aware that many of us will be spending the holidays this year unable to celebrate the way that we would like to. Therefore we’d like to invite you to join our ‘holiday bar party’, which will be available from the 24-26th of December.

We are also planning to celebrate the New Year 🎆 in the bar as well! Many of us will be online in the bar, celebrating the New Year over and over again, as it comes throughout the day and the night in all of our time zones around the world.

If any of you are around on either or both occasions, we would love to see you and celebrate with you!

We serve:

  • Nice conversations
  • Ditto music ( NEW !!! )
  • A free course to become an openSUSE Bar DJ and share your music in the bar.

We don’t serve (yet):

  • Food and drinks (coming soon)
  • Lots of dad jokes (SPOILERS)

PS: The Jitsi team did an amazing job of redoing our conference server, so the joining issues are fixed now 🎉.

The openSUSE BAR crowd!

the avatar of openSUSE News

Download redirector current state

Download redirector current state (download.opensuse.org).

Introduction

Package updates are a somewhat controversial point in the openSUSE world and are sometimes associated with a questionable user experience, especially for those who are outside of Europe and the US.

It is important to understand that comparing this to the experience in other distributions is itself controversial, because the openSUSE infrastructure is responsible not only for downloading Leap and Tumbleweed packages but potentially any other OBS project on any supported architecture / OS. This makes the openSUSE infrastructure care about ~95000 various projects, which can receive updates at any moment, compared to 5-8 projects with a more or less defined release schedule in the typical infrastructure of other Linux providers.

Now, somebody can point out that openSUSE could split those challenges and provide a more consistent experience for selected projects like Leap and Tumbleweed, and have a separate solution for other OBS projects. This would minimize the chance of a poor experience for most users and newcomers. And that would be a correct observation; it just doesn’t make the overall technical challenge much simpler, and it would potentially require more resources to enable and support both solutions. In any case, this paper doesn’t have the intention of going deeper into such discussion and its main goal is to serve general OBS downloads and Leap / Tumbleweed downloads as part of that.

MirrorBrain

Historically, the download redirector behind download.opensuse.org has been the MirrorBrain project (https://mirrorbrain.org/). I started contributing to it around May 2020, having some troubleshooting experience earlier that year. I introduced a CI environment, fixed some bugs, and also had some other plans. But then, thinking about deployment and troubleshooting - it was a frustrating experience to go through enormously huge logs of cron jobs to draw a picture of what is going on. Without any experience in deploying and maintaining MirrorBrain in such a busy environment, there was little chance that I could quickly succeed in improving the openSUSE infrastructure. Additionally:

  • The SQL schema needed a rework because of deadlocks happening during mirror scans;
  • MirrorBrain is a mix of Python / Perl / C (apache2 plugins) / cron, which feels a bit scattered;
  • The need for an additional WebUI for managing mirrors, admin tasks, reports, etc. would most probably introduce an additional framework and make the project even more complicated.

To control and troubleshoot information flow I felt an urgent need for having a proper Job Queue. Since my previous project was related to openQA, I had a clear picture of how to address these challenges using the Mojolicious framework and even reusing parts of code from openQA.

So I was planning to add a job queue to MirrorBrain, but a new feeling grew quickly - it looked like I was trying to manage two projects in the same git repo and things became even more complicated. So I decided to split it into a new project and see how it goes.

MirrorCache

So, currently, SSL encrypted traffic (https requests) to download.opensuse.org is redirected to the new redirector service - mirrorcache.opensuse.org. This was an obvious starting point because MirrorBrain is lacking http / https routing and the current volume of https load is several times smaller than http, giving a good opportunity to test performance under a smaller load.

Additionally, North American mirrors are managed by mirrorcache-us.opensuse.org and Oceania mirrors are managed by mirrorcache-au.opensuse.org (aka mirrorcache.firstyer.id.au - thx to William Brown!), so requests from those regions to mirrorcache.opensuse.org are redirected accordingly. There are some plans to make zypper aware of regional instances, but they are in the early design phase.

So, if you are in the Oceania or North America regions, consider using your regional mirrorcache instance directly instead of doing cross-continent requests. And also maybe consider adjusting access to use https download.opensuse.org. (Not like https improves security drastically, but rather it is a good practice anyway).

Privileged users now have an option to edit mirrors’ details using the WebUI at https://mirrorcache.opensuse.org/app/server and the plan is to introduce individual mirror admins, so everyone can add and maintain their own mirror.

And stay tuned for more news regarding the complete switch from MirrorBrain to MirrorCache and more regional mirrorcache instances to come in.

Explicitly configure MirrorCache for your machine: https://en.opensuse.org/MirrorCache#Setting_up_MirrorCache_for_your_machine

Troubleshooting: https://en.opensuse.org/MirrorCache#Troubleshooting

Get Help: https://en.opensuse.org/MirrorCache#How_to_get_help


Creating an endless loop using MQTT and syslog-ng

Version 3.35.1 of syslog-ng introduced an MQTT source. Just for some fun in the last syslog-ng blog post of the year, I created an endless loop using syslog-ng and the Mosquitto MQTT broker. Of course, it does not have much practical value other than possibly a bit of stress testing, but hopefully provides a fun introduction to MQTT-related technologies in syslog-ng.

Read my blog at https://www.syslog-ng.com/community/b/blog/posts/creating-an-endless-loop-using-mqtt-and-syslog-ng


the avatar of Ish Sookun

openSUSE Board Election 2021 happening right now

The election was announced on the project mailing list on the 1st of November 2021. The current Election Committee is composed of Ariez Vachha, Mohammad Edwin Zakaria and myself.

This election is required to fill two seats on the openSUSE Board, as the terms of Simon Lees and Vinzenz Vietzke are coming to an end.

To learn more about openSUSE membership, check out this wiki.

Election poster by Kukuh Syafaat / openSUSE Indonesia

As the initial nominations/applications phase ended, we had only two members who expressed interest in running for this election. They are:

• Attila Pinter
• Maurizio Galli

Since we had only two candidates for two available seats, we extended the nominations/applications phase for another two weeks, giving other members the chance to toss in the names of people whom they'd wish to nominate. However, even after the two weeks, we were still left with only two candidates and therefore, as per the election rule about insufficient nominations, we started the election and each candidate is required to obtain 50% of votes to be considered a winner.

The ballots were opened on the 13th of December and openSUSE members received their voting URL/credentials by email. They can vote until the 30th of December at 23h59 UTC. Ballots will close on 31st December at midnight and a few hours later the result will be announced.

the avatar of Robert Riemann

Orient Cruise: Dubai

I dedicate this text to Vincent and Sara. :wave: If we cannot share the experience, let me at least share the story.

Prologue

Also in 2021, holiday plans fell victim to yet another Covid-19 wave. Eventually, I waited until mid December and booked, in the face of the next emerging Covid-19 variant Omicron, the least adventurous holidays of my adulthood: a week-long all-inclusive cruise in the Orient with every aspect handled in due care by a world-class global-scale tour operator.

For the sake of completeness, let me quickly recap the outbound connection to the destination. I got a Rail&Fly ticket to a nearby airport in Germany. The Airbus A380 to Dubai, a huge airplane with two floors, was approximately occupied 30%, maybe less. I use Atmosfair.de for CO2 compensation. Not sure who would need to pay for all those empty seats around me. The time difference between Germany and Dubai is 3 hours. I arrive after about 6 hours of flight and a short sleep of about 3 hours at 6 o’clock in the morning. On top of mandatory PCR tests to get on the flight, it seems that Dubai tests just again all tourists upon arrival. No need to wait for the result – it is delivered about 3 hours later to you via SMS. I wonder what happens in the case of a positive test. I didn’t find out as my test was fortunately negative. 😁

The tour operator takes care of the transfer to the cruise ship. They also handle all subsequent paperwork to enter the destination countries, that means here the United Arab Emirates (UAE) and Oman. For this purpose, they require all passengers to hand over their passports before getting on board the ship. After some hesitation and some questioning, I resign and hand over my passport, too.

Once on board of the ship, I drop off my luggage, eat something and head out to explore Dubai on my own.

Dubai: Everything is also a Shopping Mall

I have made no efforts to prepare my first day in Dubai. I only downloaded a city map. The cruise ship harbour of Dubai is a 30 min car ride from the lively city centre. So I join two other passengers, who happen to know Dubai very well, for a shared taxi ride to their destination, the Dubai Mall. I am amazed by all those skyscrapers on the way. Every street is a highway with 3 lanes minimum it seems.

Taxi ride from the harbour to the Dubai Mall. On the left side, you can see the aerial railway with its futuristic railway station.

Before the other passengers leave, they point me to the famous aquarium in the mall. The aquarium spans several floors and is indeed impressive. Otherwise, the mall has everything you expect: fashion store H&M, bakery PAUL, L’Occitane en Provence, Birkenstock, Decathlon, the best of the best!

Shops inside the Dubai Mall

I consider buying a camera lens for landscape photography. I find an electronics store that has one for 1500€. Now, the deal I found earlier on the Internet to rent this lens for 100€ per week appears under a totally different, much better light. So I head towards the rental office in the South of Dubai. Long tubes hanging 6 meters over the highways bring you from the mall to the metro. The metro is in fact an aerial railway. And it is packed. The people seem to be from all over the world – later I learn that Dubai has about 80% immigrants.

The photography rental shop is on the 8th floor of a skyscraper. Fortunately, they still have the lens in stock. Unfortunately, I cannot get it, because they ask as a deposit for a) my passport, b) amount blocked with a local credit card, or c) 1200€ cash in local currency. The tour operator has my passport, I don’t have a local credit card and feel uneasy to withdraw and hand in 1500€ in cash. I am frustrated. 😩 I envy all those people who have spare passports due to their second nationality. People ask me sometimes why I wanted to become also a French citizen. I just got one argument more. I decide to find another store that possibly rents lenses. I end up in the Dubai Marina Mall and buy eventually for about 280€ an entry-level lens.[1]

On my way out, I discover a city e-bike self-rental station. I quickly sign up for a day plan (4€) and cycle to the Dubai Marina. I make a lot of photos.

Selfie at the Dubai Marina.

Then, I head towards the artificial lagoon The Palm Jumeirah. Unfortunately, I am on the wrong way of the highway and after half an hour to find a path I realise that there seems to be just no way to cross it with a bike. It happened again two more times later that day.

Eventually, I give up the search and get on the Monorail panorama train to access The Palm. The third stop is integrated in, guess what, the Nakheel Mall. The Mall features a hotel with a restaurant on the top called The View. The ticket for the lift after 4:00 PM (sunset time) is 40% more. It is now 4:03 PM. :facepalm: I decide to keep it for next time (:wave: Vincent, Sara), hop on the Monorail, and get to the next stop: Atlantis Aquaventure. It turns out, the part freely accessible is mostly a mall. Again! They have also an aquapark and a hotel and Dolphins.

View from the Monorail on The Palm Jumeirah.

I leave The Palm, find a city e-bike and get back to the harbour. After 90 minutes cycling without a break, I check the map. This city is huge and I am nowhere close to the harbour. On the way to bring the bike back to a rental station, I discover the Dubai Canal and the newly constructed canalfront promenade and bridges. Though I am quite exhausted, I spend another hour to make photos. Eventually, I get a taxi that brings me back to the harbour. At midnight, the ship leaves Dubai for the next stop in Abu Dhabi.

View from the Dubai Canal.

  1. For the curious: I got the Nikon AF-P DX Nikkor 10-22mm f/4.5-5.6G VR. Basically all subsequent photos are shot with either that lens on a Nikon D7100 body or with my Oneplus 7 Pro phone.


FreeBSD jails made simple using BastilleBSD

I wish I had BastilleBSD twenty years ago. I had a part-time sysadmin job - running web servers. PHP started to become popular by the turn of the century. Using jails on FreeBSD seemed to be a safe environment to run PHP-enabled web servers. However, there were no tools yet to work with jails. I had to write many scripts to build and update jails.

A bit of history

At first, I had a single server. Adding a new client every other month by hand was not a big overhead. However, after a year or so, the service became popular. First, I automated adding new users, then creating jails, migrating jails between servers. Later, the service gained central management, an LDAP and Windows-based management application, and almost everything was automated. At its peak, my system served tens of thousands of domains.

Of course, my scripts were not as universally useful as BastilleBSD. They were single purpose: creating FreeBSD jails with various PHP versions. Later some extra utilities were added, like ImageMagick, used by many popular PHP applications. As disk space was at a premium, these scripts made sure that only the absolutely necessary files stayed in the jails. Removing all shells and apps with extra privileges also helped in reducing the attack surface. The way my jails were created also meant that package management was not an option. The jails could not be updated. Any security update meant compiling a new base system and new ports.

Why BastilleBSD?


BastilleBSD has a very different approach to jails. Of course, not all functionalities of my scripts are covered, for example migrating jails between hosts is missing. However, they are more generic and make it easy to maintain jails.

Compiling an updated jail and updating jails was a painful process even with my scripts. With BastilleBSD, updating the base system without touching any of the ports is easy:

bastille update 13.0-RELEASE

And it is updated with the latest security updates in all jails utilizing this base system.

I spent a lot of time removing files from jails. This way I could spare hundreds of megabytes for each jail. BastilleBSD solves this problem in a different way: the base system is installed only once and mounted under each jail in read-only mode. This saves even more space and makes the system even more tamper-proof.

To add an application to a jail, I had to compile everything from scratch. Once everything was installed, the scripts removed many of the files. BastilleBSD has full package management within jails. If a user needs an extra app, it can easily be installed. And all ports in a jail can be updated easily, almost the same way as on the host:

bastille pkg alcatraz update
bastille pkg alcatraz upgrade

What’s more, BastilleBSD has a template system. Instead of installing all applications by hand from ports, templates can automate the process. It’s a bit like a Dockerfile on Linux, but there is no central registry to store images. You can download the templates using git and apply the template to a jail locally.

bastille template alcatraz BastilleBSD-Templates/syslog-ng

I do not want to list here all BastilleBSD advantages, so here are just some highlights: it can configure PF firewall rules, use ZFS, and there is even some experimental support for Linux-based jails.

What is next?

If you want to learn more about BastilleBSD, check their website: https://bastillebsd.org/. For a very simplified introduction, you can also read my blog, where I use the syslog-ng template of BastilleBSD to set up a couple of syslog-ng servers: https://www.syslog-ng.com/community/b/blog/posts/running-syslog-ng-in-bastille-revisited
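
The read-only shared base described above can be checked from the host. The following is an added example, not code from the original post or from the BastilleBSD project: a POSIX shell function that audits a jail's fstab and flags any nullfs mount that lacks the `ro` option. It assumes the jail's mounts are listed in an fstab(5)-format file; the function name, the paths and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a jail fstab for nullfs mounts that are not read-only.
# Assumption: fstab(5) columns "device mountpoint fstype options dump pass".

# audit_jail_fstab FILE
# Prints one line per nullfs entry: "OK <mountpoint>" or "WRITABLE <mountpoint>".
# Returns 0 if every nullfs mount is read-only, 1 if any is writable,
# 2 if the file is unreadable or contains no nullfs entries at all.
audit_jail_fstab() {
    fstab=$1
    [ -r "$fstab" ] || { echo "cannot read $fstab" >&2; return 2; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $3 == "nullfs" {
            seen++
            ro = 0
            n = split($4, opts, ",")       # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") ro = 1
            if (ro) {
                print "OK " $2
            } else {
                print "WRITABLE " $2
                bad++
            }
        }
        END {
            if (!seen) exit 2
            exit (bad > 0)
        }
    ' "$fstab"
}

# Constructed sample input (hypothetical jail "alcatraz", not from a real host):
# the shared base is mounted read-only, a second data mount is read-write.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed fstab for illustration
/usr/local/bastille/releases/13.0-RELEASE /usr/local/bastille/jails/alcatraz/root/.bastille nullfs ro 0 0
/data/www /usr/local/bastille/jails/alcatraz/root/var/www nullfs rw,noatime 0 0
EOF
audit_jail_fstab "$sample" || echo "review the mounts flagged WRITABLE"
rm -f "$sample"
```

A writable nullfs mount is not necessarily a mistake (data directories often need it), but a writable mount of the shared base would let one compromised jail alter files seen by every other jail.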