Introducing Himmelblau: Seamless Azure AD Authentication for Linux
Microsoft’s Azure AD (Entra ID) is a popular choice for identity and device management. Until recently, Linux systems lacked a comprehensive solution for integrating seamlessly with these Microsoft services. Enter Himmelblau, a project meant to bridge the gap between Linux and Microsoft’s cloud ecosystem.
The Power of Intune Integration
Beyond authentication, Himmelblau plans to extend its capabilities to enforce Intune MDM policies on Linux devices. Intune is Microsoft’s cloud-based solution for managing and securing devices, and with Himmelblau, Linux systems can now be brought under the umbrella of Intune’s management capabilities. This means that IT administrators can maintain consistent security and compliance standards across both Windows and Linux devices, streamlining the management process and enhancing overall security posture.
Enhancing Security with Multi-Factor Authentication
In an era where security breaches pose a significant threat, Himmelblau is integrating Azure AD Multi-Factor Authentication (MFA) to add an extra layer of protection before granting access to Linux systems.
Offline Logon and Hardware TPM Integration in Himmelblau
Himmelblau has integrated the hardware Trusted Platform Module (TPM) into its authentication process. By utilizing a hardware TPM, Himmelblau prevents exfiltration of, and attacks against, the cached password hashes that are used for offline authentication.
Authentication Across Any Cloud Endpoint
Himmelblau stands out for its flexibility and adaptability by seamlessly accommodating authentication with any Azure cloud endpoint.
Himmelblau’s Fortified Foundation
Himmelblau is written in Rust. With its focus on memory safety, Rust mitigates the risk of common programming errors such as buffer overflows and null pointer dereferences, which are potential vulnerabilities often exploited by attackers. The strict ownership and borrowing system in Rust enforces strong memory management, preventing issues like dangling pointers and data races that can lead to security breaches. Rust’s strict compiler checks play a crucial role in eliminating entire classes of bugs before they even emerge. This proactive approach to preventing vulnerabilities at the development stage contributes to a more secure codebase, reducing the likelihood of exploitation in production.
Backward compatibility in syslog-ng by using the version number in syslog-ng.conf
Many users are annoyed by the version number included in the syslog-ng configuration. However, it ensures backward compatibility in syslog-ng. It is especially useful when updating to syslog-ng 4 from version 3, but also when updating within the same major version.
Read more about it at https://www.syslog-ng.com/community/b/blog/posts/backward-compatibility-in-syslog-ng-by-using-the-version-number-in-syslog-ng-conf

Virtual Ipmi
Virtual ipmi interface
KVM/QEMU supports virtual IPMI devices, which can be used to test ipmitool-related commands on a virtual machine. This feature is barely documented, but it is usable.
There are two components: the IPMI device of KVM/QEMU and an IPMI simulator, which is part of the ipmitools package.
Adding the ipmi device
The IPMI device can be added to QEMU as a command line argument, which is
-device ipmi-bmc-sim,id=virt-bmc -device pci-ipmi-kcs,bmc=virt-bmc,id=virt-bmc-pci
** Warning **
This changes the PCI IDs, so other devices need new IDs.
Unfortunately this device isn't exposed by the libvirt interfaces, but it can be added to the XML configuration directly with the following lines
<qemu:commandline>
<qemu:arg value="-device"/>
<qemu:arg value="ipmi-bmc-sim,id=virt-bmc"/>
<qemu:arg value="-device"/>
<qemu:arg value="pci-ipmi-kcs,bmc=virt-bmc,id=virt-bmc-pci"/>
</qemu:commandline>
Connect device to simulator
It's also possible to connect this KVM/QEMU instance to an IPMI simulator running on the host. The XML changes to
<qemu:commandline>
<qemu:arg value="-chardev"/>
<qemu:arg value="socket,id=ipmi0,host=localhost,port=9002,reconnect=10"/>
<qemu:arg value="-device"/>
<qemu:arg value="ipmi-bmc-extern,id=virt-bmc,chardev=ipmi0"/>
<qemu:arg value="-device"/>
<qemu:arg value="pci-ipmi-kcs,bmc=virt-bmc,id=virt-bmc-pci"/>
</qemu:commandline>
where we had to add an additional chardev which connects to the IPMI simulator. The simulator can be started with
ipmi_sim /etc/ipmi/lan.conf -f /etc/ipmi/ipmisim1.emu -s $IPMISTATDIR
The configuration files under /etc/ipmi are part of the ipmitool package.
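Both XML fragments above only work inside a <domain> element that declares the qemu namespace (xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0"); without that declaration the qemu: prefix is unbound, the document is not well-formed XML and libvirt's parser rejects it. The following shell script is an added example and not part of the original post: it emits either fragment (simulator built into QEMU, or external ipmi_sim over the chardev) and splices it into a domain XML taken from virsh dumpxml, adding the namespace declaration on the <domain> start tag when it is missing. The function names and the assumption that the <domain> start tag sits on its own line are mine; the device and chardev arguments are exactly the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inject the virtual IPMI device
# fragments into a libvirt domain XML so that libvirt accepts them.
# Assumption: the domain XML has a single <domain ...> start tag on one line,
# as virsh dumpxml prints it.
QEMU_NS='xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0"'

# ipmi_commandline MODE [PORT] -> prints the <qemu:commandline> block.
#   sim    : BMC simulator built into qemu (first fragment in the post)
#   extern : BMC provided by ipmi_sim on the host over a TCP chardev
#            (second fragment in the post; PORT defaults to 9002)
ipmi_commandline() {
  mode=${1:-}
  port=${2:-9002}
  case $mode in
    sim)
      printf '%s\n' \
        '  <qemu:commandline>' \
        '    <qemu:arg value="-device"/>' \
        '    <qemu:arg value="ipmi-bmc-sim,id=virt-bmc"/>' \
        '    <qemu:arg value="-device"/>' \
        '    <qemu:arg value="pci-ipmi-kcs,bmc=virt-bmc,id=virt-bmc-pci"/>' \
        '  </qemu:commandline>'
      ;;
    extern)
      printf '%s\n' \
        '  <qemu:commandline>' \
        '    <qemu:arg value="-chardev"/>' \
        "    <qemu:arg value=\"socket,id=ipmi0,host=localhost,port=${port},reconnect=10\"/>" \
        '    <qemu:arg value="-device"/>' \
        '    <qemu:arg value="ipmi-bmc-extern,id=virt-bmc,chardev=ipmi0"/>' \
        '    <qemu:arg value="-device"/>' \
        '    <qemu:arg value="pci-ipmi-kcs,bmc=virt-bmc,id=virt-bmc-pci"/>' \
        '  </qemu:commandline>'
      ;;
    *)
      echo "usage: ipmi_commandline sim|extern [port]" >&2
      return 2
      ;;
  esac
}

# add_ipmi_device MODE [PORT] < domain.xml > new.xml
# Adds the qemu namespace to <domain> if it is missing (otherwise the
# qemu: prefix is unbound and the XML is rejected) and inserts the
# commandline block right before </domain>.
add_ipmi_device() {
  block=$(ipmi_commandline "$@") || return 2
  awk -v ns="$QEMU_NS" -v block="$block" '
    /<domain[ >]/ && $0 !~ /xmlns:qemu=/ { sub(/<domain/, "<domain " ns) }
    /<\/domain>/ { print block }
    { print }
  '
}

# Demo on a constructed minimal domain XML (real use:
#   virsh dumpxml vm | add_ipmi_device extern > vm-ipmi.xml && virsh define vm-ipmi.xml)
printf '%s\n' "<domain type='kvm'>" '  <name>ipmitest</name>' '</domain>' | add_ipmi_device sim
```

The chardev in the extern variant is a plain, unauthenticated TCP connection from QEMU to the simulator; keeping host=localhost, as the post does, keeps the simulated BMC reachable only from the host itself.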
Important is the $IPMISTATDIR, which can contain additional SDRs. A simple SDR with a temperature sensor can be added by adding the following lines to the file
$IPMISTATDIR/ipmisim1/sdr.20.main:
last_add_time:i:1691752652
6:d:\06\00Q\11\140\03\80\00\00\10\00\08\02\00\c9mm2frudev
5:d:\05\00Q\02" \00\02\08\01\00\00%o\03\00\03\00\03\00\c0\00\00\00\00\00\00\00\00\00\00\c7mm1pres
4:d:\04\00Q\0120\00\01\07\01E\00\01\01\00\00\00\00\00\00\00\01\00\00\01\00\00\01\01\00\00\00\00\00\ff\00\00\00\00\00\00\00\00\00\00\00\00\c7SubTemp
3:d:\03\00Q\011 \00\01\07\01E\00\01\01\00\00\00\00\00\00\00\01\00\00\01\00\00\01\01\00\00\00\00\00\ff\00\00\00\00\00\00\00\00\00\00\00\00\c6MBTemp
2:d:\02\00Q\03\14 \00\00\07\01#o\00\00\00\00\c8watchdog
1:d:\01\00Q\12\14 \00\00\8f\00\00\00\07\01\00\c9IPMI sim1
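Before editing sdr.20.main by hand it helps to check that each record's declared length matches its body, since whatever is in this file is what the simulator serves to anything querying it. The following shell function is an added example, not from the original post and not OpenIPMI's own tooling. The line format (key:d:bytes, with printable ASCII literal and every other byte as a backslash plus two hex digits) is inferred from the lines shown above; the five-byte header layout (record id, SDR version 0x51, record type, body length) and the record type numbers come from the IPMI SDR format. The names sdr_line_summary and sdr_file_check are mine.

```shell
#!/bin/sh
# Added example (not from the original post): decode one record line of
# ipmi_sim's sdr.20.main and check it for consistency.
# Line format inferred from the post: "<id>:d:<bytes>", printable ASCII is
# literal, anything else is "\hh" (two hex digits).
# Prints a one-line summary; exit status 1 if the record is inconsistent.
sdr_line_summary() {
  printf '%s\n' "$1" | awk '
    function hexval(h,    v, i, c) {
      v = 0
      for (i = 1; i <= length(h); i++) {
        c = index("0123456789abcdef", tolower(substr(h, i, 1)))
        if (c == 0) return -1
        v = v * 16 + c - 1
      }
      return v
    }
    BEGIN {
      for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i
      # IPMI SDR record types
      tname[1] = "full_sensor"; tname[2] = "compact_sensor"; tname[3] = "event_only"
      tname[17] = "fru_locator"; tname[18] = "mc_locator"
    }
    {
      key = $0; sub(/:.*/, "", key)
      if ($0 !~ /^[^:]*:d:/) { print "key=" key " error=not_a_data_record"; exit 1 }
      data = $0; sub(/^[^:]*:d:/, "", data)
      # unescape into a byte array b[0..n-1]
      n = 0
      while (data != "") {
        if (substr(data, 1, 1) == "\\" && length(data) >= 3 && hexval(substr(data, 2, 2)) >= 0) {
          b[n++] = hexval(substr(data, 2, 2)); data = substr(data, 4)
        } else {
          b[n++] = ord[substr(data, 1, 1)]; data = substr(data, 2)
        }
      }
      if (n < 5) { print "key=" key " error=short_header"; exit 1 }
      # 5-byte SDR header: record id (LE16), version, type, body length
      rid = b[0] + 256 * b[1]
      type = b[3]; len = b[4]; body = n - 5
      # The ID string is the last field, preceded by a type/length byte
      # 0xC0 + length (8-bit ASCII, length in the low five bits).
      name = ""
      for (L = 1; L <= 31 && L < n - 5; L++) {
        p = n - 1 - L
        if (b[p] == 192 + L) {
          for (i = p + 1; i < n; i++) name = name sprintf("%c", b[i])
          break
        }
      }
      status = (len == body) ? 0 : 1
      printf "key=%s record_id=%d version=0x%02x type=0x%02x(%s) declared_len=%d body_len=%d %s name=%s\n",
        key, rid, b[2], type, ((type in tname) ? tname[type] : "other"),
        len, body, (status ? "LENGTH_MISMATCH" : "ok"), name
      exit status
    }'
}

# sdr_file_check FILE: summarize every data record in the file; non-zero if
# any record is inconsistent. Lines such as last_add_time:i:... are skipped.
sdr_file_check() {
  rc=0
  while IFS= read -r line; do
    case $line in *:d:*) sdr_line_summary "$line" || rc=1 ;; esac
  done < "$1"
  return $rc
}

# Demo on copies of two records from the post.
for rec in '1:d:\01\00Q\12\14 \00\00\8f\00\00\00\07\01\00\c9IPMI sim1' \
           '2:d:\02\00Q\03\14 \00\00\07\01#o\00\00\00\00\c8watchdog'; do
  sdr_line_summary "$rec" || echo "inconsistent record: $rec" >&2
done
```

Run sdr_file_check "$IPMISTATDIR/ipmisim1/sdr.20.main" after editing; a record whose declared length and body disagree is reported with LENGTH_MISMATCH and a non-zero exit status.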
Have a lot of fun.
Confluent Quickstart
Confluent/Xcat quickstart guide for (open)SUSE
First you need at least a compute cluster consisting of one orchestrator and one node. For testing purposes a Terraform configuration for setting this up is available under:
https://github.com/warewulf/warewulf-testenv
Install confluent
Add the repo and the keys
rpm --import https://hpc.lenovo.com/yum/latest/suse15/x86_64/lenovohpckey.pub
zypper install https://hpc.lenovo.com/yum/latest/suse15/x86_64/lenovo-hpc-zypper-1-1.x86_64.rpm
After that the confluent package can be installed with
zypper install lenovo-confluent
Unfortunately the dependency on the Python dbm package is missing, so it must be installed with
zypper install python3-dbm
To enable the service run
systemctl enable confluent --now
and enable also tftp with
systemctl enable --now tftp
Enable web client
Follow the steps under https://hpc.lenovo.com/users/documentation/installconfluent_suse.html or do the following
cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/mySSL.conf
and create the SSL certificate with
osdeploy initialize -t
and enable SSL for apache with
a2enmod rewrite
a2enflag SSL
systemctl enable apache2 --now
Now a user, root in this case, can be added to the web GUI with
confetty create /users/root role=admin
Configure cluster
Add nodes
Add global variables to the everything group, which all nodes are part of
nodegroupattrib everything deployment.useinsecureprotocols=firmware console.method=ipmi dns.servers=172.16.16.1 dns.domain=cluster.net net.ipv4_gateway=172.16.16.1
The option deployment.useinsecureprotocols=firmware allows iPXE installations. Secrets and passwords can be added with
nodegroupattrib everything -p bmcuser bmcpass crypted.rootpassword crypted.grubpassword
which will add the BMC user with its password, the cluster-wide root password, and the password to access GRUB.
Now the nodes can be added with
for i in {1..4}; do nodename=n$(printf %02i $i); nodedefine $nodename net.ipv4_address=172.16.16.${i}; done
Add the entries to /etc/hosts with
noderun -n n01-n04 echo {node} {net.ipv4_address} >> /etc/hosts
Add OS
Before any OS can be added, certificates for the OS deployment must be created with
osdeploy initialize -i
and import the SLE ISO with
osdeploy import SLE-15-SP5-Full-x86_64-GM-Media1.iso
The imported image can be checked with
osdeploy list
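The whole quickstart above as one script, an added example rather than the post's own code or Lenovo's. It keeps the post's commands and values (repository URL, 172.16.16.0/24 addressing, group attributes, the SLE ISO file name) and adds the checks a practitioner wants before each phase: running as root, the confluent commands being on PATH, the ISO being present. Two deliberate differences from the post: zypper runs with --non-interactive, and the /etc/hosts lines are written address first, as hosts(5) expects. The helper names (node_name, node_ip, node_range, hosts_entries, CONFLUENT_QUICKSTART_RUN) are mine, and nothing is installed unless CONFLUENT_QUICKSTART_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): the confluent quickstart as
# one script. Values below are the post's; adjust for your cluster.
REPO_BASE=https://hpc.lenovo.com/yum/latest/suse15/x86_64
CLUSTER_NET=172.16.16            # first three octets of the cluster network
GATEWAY=172.16.16.1              # also used as DNS server, as in the post
DNS_DOMAIN=cluster.net
NODE_COUNT=${NODE_COUNT:-4}
SLE_ISO=${SLE_ISO:-SLE-15-SP5-Full-x86_64-GM-Media1.iso}

# Pure helpers (no side effects), same naming scheme as the post's loop.
node_name()  { printf 'n%02d' "$1"; }                 # 3 -> n03
node_ip()    { printf '%s.%d' "$CLUSTER_NET" "$1"; }  # 3 -> 172.16.16.3
node_range() { printf '%s-%s' "$(node_name 1)" "$(node_name "$NODE_COUNT")"; }
hosts_entries() {                 # lines for /etc/hosts, address first
  i=1
  while [ "$i" -le "$NODE_COUNT" ]; do
    printf '%s %s\n' "$(node_ip "$i")" "$(node_name "$i")"
    i=$((i + 1))
  done
}
require_cmd() { command -v "$1" >/dev/null 2>&1 || { echo "missing command: $1" >&2; return 1; }; }

install_confluent() {
  rpm --import "$REPO_BASE/lenovohpckey.pub"
  zypper --non-interactive install "$REPO_BASE/lenovo-hpc-zypper-1-1.x86_64.rpm"
  # python3-dbm is the dependency the post notes as missing
  zypper --non-interactive install lenovo-confluent python3-dbm
  systemctl enable --now confluent
  systemctl enable --now tftp
}

enable_web_client() {
  cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/mySSL.conf
  osdeploy initialize -t            # creates the SSL certificate
  a2enmod rewrite
  a2enflag SSL
  systemctl enable --now apache2
  confetty create /users/root role=admin
}

configure_cluster() {
  # useinsecureprotocols=firmware: permits the insecure protocols only for
  # the firmware (iPXE) boot phase, which the post needs for installation.
  nodegroupattrib everything deployment.useinsecureprotocols=firmware \
    console.method=ipmi dns.servers="$GATEWAY" dns.domain="$DNS_DOMAIN" \
    net.ipv4_gateway="$GATEWAY"
  # -p prompts for the secrets, so they never appear on the command line
  # (shell history, process listings).
  nodegroupattrib everything -p bmcuser bmcpass crypted.rootpassword crypted.grubpassword
  i=1
  while [ "$i" -le "$NODE_COUNT" ]; do
    nodedefine "$(node_name "$i")" net.ipv4_address="$(node_ip "$i")"
    i=$((i + 1))
  done
  hosts_entries >> /etc/hosts
}

add_os() {
  [ -f "$SLE_ISO" ] || { echo "ISO not found: $SLE_ISO" >&2; return 1; }
  osdeploy initialize -i
  osdeploy import "$SLE_ISO"
  osdeploy list
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  install_confluent
  for c in confetty nodegroupattrib nodedefine noderun osdeploy; do
    require_cmd "$c" || return 1
  done
  enable_web_client
  configure_cluster
  add_os
}

# Preview only; the installation runs only when explicitly requested.
echo "nodes $(node_range) would get these /etc/hosts entries:"
hosts_entries
if [ "${CONFLUENT_QUICKSTART_RUN:-0}" = 1 ]; then main; fi
```

With the post's values node n01 receives 172.16.16.1, the same address used as gateway and DNS server; check the addressing before setting CONFLUENT_QUICKSTART_RUN=1.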
Librsvg is available from crates.io now
Since last Friday, librsvg is available from crates.io. You can add this line to your dependencies in Cargo.toml:
librsvg = "2.57.0-beta.2"
I am nailing down the release process for this, but my intention is that starting with GNOME 45 / librsvg-2.57.0, the Rust crate will be in sync with the GNOME release schedule: a stable minor release every six months, and micro releases regularly and as needed.
For now, these releases are equivalent and contain the same code:
- 2.56.92 (the usual tarball, beta release before GNOME 45)
- 2.57.0-beta.2 (release for crates.io)
Both git tags exist in gitlab.gnome.org's repository and point to the same commit.
While GNOME uses .9x micro version numbers to identify alpha or beta releases, Rust uses Semantic Versioning, which allows for the -beta.2 suffixes. I'll keep the corresponding schemes and add both git tags to the release commits.
openSUSE Tumbleweed – Review of the week 2023/32
Dear Tumbleweed users and hackers,
At least over here where I live, the last few days we had slightly less summery time and more rain – and bad weather means more work in front of the screen. The same thing likely happened to other contributors, looking at the things we passed through staging or are still there. This week has seen 7 snapshots (0804..0810).
The most relevant changes during this week were:
- Mesa 23.1.5
- openSSL 3.1.2
- Linux kernel 6.4.8 & 6.4.9
- Libvirt 9.6.0
- Perl 5.38 (incl all perl modules rebuilt)
- GCC 13.2
- LibreOffice 7.6.0.1 & 7.6.0.2
- QEmu 8.0.4
Staging projects are currently testing these changes:
- Meson 1.2.1
- Python 3.11, configured for PEP-0688 (externally managed system tree)
- Node.JS 20.5.1
- glibc 2.38
- NetworkManager 1.44.0
- systemd 253.8
- Mozilla Firefox 116.x
- FMT 10: breaks mariadb boo#1213219 and ceph boo#1213217; help welcome
- libxml2 2.11.x
- oxygen 1.9.7 – breaks wxPython build
Perl, Pipewire, LibreOffice Update in Tumbleweed
Tumbleweed snapshots didn’t lack excitement this week as multiple packages received updates and a couple of major versions arrived for openSUSE rolling release users.
The 20230809 snapshot provided an update of GNU Compiler Collection. The new 13.2.1+git7683 version for developers that rely on the compiler includes the 13.2 release and various fixes. Notably, the update addresses a patch for a broken testcase in libbacktrace, which resolves build issues on SUSE Linux Enterprise Server 12. GNOME users received an update of gtk4 4.10.5. The release addresses various issues, including fixing ordering problems with filter model signals, avoiding lingering resize cursors, and resolving alignment issues on the Scalable Processor Architecture. The fuse3 3.16.1 package, which is an interface for userspace programs to export a filesystem to the Linux kernel, had some enhancements with an ability to enable readdir kernel cache from the high-level Application Programming Interface. Office suite libreoffice received a minor version update to 7.6.0.2 a day after updating from the 7.5.4.2 version. This release incorporates bug fixes and updates to bundled dependencies, which ensures a more stable and feature-rich office experience. A third update this week of libstorage-ng 4.5.136 had translation updates for Indonesian. The upower package for power management and device information updated to version 1.90.2. Notably, the release marks the end of lid handling in UPower since the functionality will now be provided by logind. A few other packages updated in the snapshot like python-importlib-resources, which updated to major version 6.0.1 and removed legacy functions deprecated in 5.3; it requires Python 3.8 or later.
LibreOffice was updated in snapshot 20230808. The change from 7.5.4.2 to 7.6.0.1 incorporates a wide array of features, bug fixes and improvements like the handling fonts. It fixed an issue with an infinite loop when changing the document language. The package added missing dependencies on Java Runtime Environment (64 Bit) for RISC-V 64. The pipewire multimedia framework updated to 0.3.77. This update included a fix for Advanced Linux Sound Architecture sources to prevent xruns and a new L permission to force node links. The Virtual Broadcast Audio Network module now supports Musical Instrument Digital Interface and a range of cleanup and fixes were made with the package. An update of KDE editor okteta to version 0.26.13 improves translations, decoding tables, and structures tools. It also improves CMake Unity builds that are now possible.
Some changes for GNOME became available in snapshot 20230807. The gnome-software package rolled out version 44.4. This update introduces several noteworthy improvements like enhancing error notifications from failed GPG checks and improving the handling of updates that involve the removal of some packages to fulfill dependencies. Perl enthusiasts will be delighted with its current major version release in Tumbleweed. The 5.38.0 version introduces a host of new features, including the class feature and support for unicode 15.0. The language also improves defined-or and logical-or assignment default expressions in signatures, and more. There was a significant deprecation in the release with the use of ‘ as a package name separator. There were some translation enhancements for Georgian users with openSUSE’s libstorage-ng 4.5.135 update. There was also an update of python-alembic 1.11.1 in the snapshot, which was also a major release. It modified calling signatures and had fixes for typing use of SQLAlchemy classes along with some enhancements in error handling.
Snapshot 20230806 had about a handful of packages updated. An update of the plasma5-desktop 5.27.7.1 includes a fix for an issue where applets did not return focus after pressing an applet shortcut, and a fix for a missing feature providing more fluid and seamless handling was made for the desktop environment. The 9.6.0 libvirt update includes an upstream commit to fix max file limits in systemd, contributing to smoother operations for virtualized environments. Python developers get an update that aligns with the latest changes in libvirt to ensure compatibility and seamless integration for Python-based virtualization tasks. The libzypp package management library underpinning openSUSE’s software management received an update to version 17.31.18. The version addresses the respect of ZYPP_READONLY_HACK when checking the zypp-rpm lock. Version 2.40.5 of webkit2gtk3 introduces several crash and rendering fixes, along with multiple security fixes addressing vulnerabilities like CVE-2023-38133, CVE-2023-38572 and more.
The Linux Kernel updated in snapshot 20230805. The kernel-source 6.4.8 release had some Btrfs fixes and some changes related to KVM (Kernel-based Virtual Machine) with the s390 architecture. The GNU Multiple Precision Arithmetic Library gmp 6.3.0 update brought better handling of integer overflow, enhanced error handling for malformed files and improved support for building Link-Time Optimization. An update of harfbuzz 8.1.1 addresses a regression introduced in the previous version. There were also optimizations made to speed up font loading, subsetting and shaping. The 4.6/6 yast2-installation update fixed a status label toggle issue and improved the user interface and experience during software installation. The first of three libstorage-ng updates for the week came with the 4.5.134 update in this snapshot.
Graphics improved in snapshot 20230804 as Mesa 23.1.5 updated. The release notes show that several fixes were made to different graphics drivers, including Radeon, ANV and more. The Intel ANV driver no longer experiences GPU hangs on Multisample Anti-Aliasing tests with Angle. Gamers might enjoy the SDL2 2.28.2 update. The software package takes a leap forward by addressing various issues and ensuring better compatibility. The update fixes controller lockup initializing some unofficial PS4 replica controllers, according to the changelog. An update of openssl-3 3.1.2 addresses potential vulnerabilities that include excessive time spent checking DH parameter values and proper handling of associated data entries with AES-SIV encryption. The update of dracut introduces a series of critical fixes and features. These improvements covered a wide range of areas, including systemd-udevd, systemd-journald, base functionality, and more. Another update in the snapshot was made to the policy analysis tool for SELinux; the setools 4.4.3 version includes better compatibility with Cython 3.0.0 and enhanced manpages.
Tumbleweed users are presented with a choice between open GPU kernel modules and proprietary drivers, and can find guidance on using NVIDIA GPU drivers on openSUSE Tumbleweed. Within the openSUSE repositories, NVIDIA’s proprietary drivers are available for installation through zypper. It’s important to recognize that these proprietary drivers originate from the NVIDIA repository due to licensing restrictions. Additionally, users get improved download accessibility and reduced latency by enabling the 3rd party NVIDIA repository; download.opensuse.org also benefits from a CDN subscription sponsored by Fastly.com.
Yeah! Today is 18 Years of openSUSE
Happy 18th Birthday to openSUSE! It’s that time of the year once again when we raise our virtual glasses and celebrate the remarkable journey of open-source innovation.
On August 9th, 2005, an announcement was made during the LinuxWorld Conference & Expo in San Francisco, giving birth to what we now know as the openSUSE Project.
The now defunct company known as Novell unveiled openSUSE to the technology world with excitement. Riding on the heels of the success of Red Hat’s announcement of Fedora, it was natural for Novell to embrace the open-source movement and introduce its own community-driven Linux distribution.
The journey of openSUSE officially began with the release of beta versions of SUSE Linux 10.0 under the banner of openSUSE.org. The first official release under the openSUSE name was 10.2.
As we celebrate 18 years of openSUSE, it’s an opportune moment to reflect on the incredible journey this project has undertaken. Years later, openSUSE stands strong, with a wealth of experiences endured by the community and its main sponsor SUSE. SUSE joined Novell in 2003, which broadened its horizons and influence. Six years after Novell announced the openSUSE Project, SUSE was acquired by The Attachmate Group, which was later integrated into Micro Focus in 2014; this point in time showcased SUSE’s resilience. EQT added a unique touch in 2018 with the purchase of SUSE. In 2021, SUSE’s public debut on the Frankfurt Stock Exchange highlighted its dynamic evolution and enduring voyage as an open-source company.
To celebrate the project’s 18th Birthday, consider joining openSUSE’s virtual bar, where open-source enthusiasts from across the globe can gather to celebrate, connect, and share their passion for openSUSE. Known as slash bar (/bar), the virtual doors to meet others with a similar passion remain open. Join in or listen to the openSUSE bar’s playlist on Spotify.
As the world evolves, so does openSUSE, and we hope you celebrate along with us for turning 18. Let’s toast to 18 years of open-source excellence and look forward to the exciting chapters that lie ahead. Happy 18th Birthday, openSUSE! Here’s to the journey and the future!
Submit Your Packages in SCM/CI Workflows