Dear Tumbleweed users and hackers,

We have just finished week 26, meaning half of the year is over. This week was a ‘super fast’ one for Tumbleweed: in the 7 days since the last review we published 9 snapshots. Go figure! The 9 snapshots covered this week are 0621…0629.

The most relevant changes that were delivered during this week were:

• Mozilla Firefox 114.0.2
• KDE Plasma 5.27.6
• IceWM 3.4.0
• Node.JS 20.3.1
• AppArmor 3.1.6
• PHP 8.2.7
• Mesa 23.1.3
• Linux kernel 6.3.9
• util-linux 2.39
• firewalls 2.0.0
• strace 6.4
• transactional-update 4.3.0

As you come to expect, staging projects are filled up and the following few things are being worked on and tested:

• Protobuf 22
• linux-glibc-devel 6.4.0
• Linux kernel 6.4: kernel lockdown enabled, see the announcement
• exiv2 0.28.0
• wine 8.11: this was part of a single snapshot (0627) last week, but was quickly reverted in 0628 as there were issues starting apps. The problem could be identified and fixed.
• Python 3.12.0b3

Warewulf booting

The HPC deployment system warewulf uses the bootloader iPXE to load the linux kernel and the root file system with configuration overlay on top. This method was chosen as its flexible and scalable as well.

There was no technical reasons or outstanding features to choose iPXE over other boot loaders, so the de facto linux grub bootloader can also be used, which enables the secure boot and measured boot features. This document describes how to use grub with warewulf4 and enable secure for it. Measured boot can also be enabled so that keylime can be used for remote attestation.

Choose the right bootloader

It possible to boot grub directly, but in order to enable secure boot shim is used as first binray which is run and it will pull directly then grub with the same method as shim was pulled. This means that if shim was pulled per tftp, grub will to also be pulled per tftp.

With enabled secure boot the distributions which warewulf can use will be locked to one vendor as the shim of a vendor can only load the signed of grub of the vendor without any additional steps. Still it would be possible to the keys of the different vendors to the MOK (Machine Owner Key) database, but this requires a physical presence to enroll the MOKs.

Install

Follow the quck start guide for a basic installation of warewulf 4 4.x. If not already done, download am actual openSUSE leap container with the command

# wwctl container import docker://registry.opensuse.org/science/warewulf/leap-15.5/containers/kernel:latest leap15.5

This container contains allready a kernel but is missing shim and grub. In order to install this open a shell in the container with following command

# wwctl container shell leap15.5

within the container install the needed shim and grub binaries with

[leap15.5] Warewulf> zypper in -y shim grub2-x86_64-efi

Now the shim and grub binary has to copied to the tFTP directory. For this use the commands:

# cp $(wwctl container show leap15.5)/usr/share/efi/x86_64/shim-sles.efi  /srv/tftpboot/warewulf/sles.efi
# cp $(wwctl container show leap15.5)/usr/share/grub2/x86_64-efi/grub-tpm.efi /srv/tftpboot/warewulf/grub.efi

With the binaries in the right place the dhpc server configuration has to be updated. The name of the binaries can be configured in warewulf.conf where you should replace following two lines

    "00:07": ipxe-x86_64.efi
    "00:09": ipxe-x86_64.efi

with

    "00:07": shim.efi
    "00:09": shim.efi

and restart the dhpc services with

# wwctl configure dhcp

After this steps instead of the iPXE binaries, first the shim signed by Microsoft is loaded which then loads grub.efi. Still missing is a grub.cfg in the right place which is created with following command:

#  wwctl overlay edit host -p /srv/tftpboot/warewulf/grub.cfg.ww

Replace the content of this file with

# This file is autogenerated by warewulf
# Host:   {{.BuildHost}}
# Time:   {{.BuildTime}}
# Source: {{.BuildSource}}
echo "================================================================================"
echo "Warewulf v4 now booting with grub"
echo
uri="(http,{{.Ipaddr}}:9873)/provision/${net_default_mac}?assetkey="
kernel="${uri}&stage=kernel"
container="${uri}&stage=container&compress=gz"
system="${uri}&stage=system&compress=gz"
echo "Warewulf Controller: {{.Ipaddr}}"
echo "Trying to load a kernel... "
linux $kernel wwid=$"{net_default_mac}" quiet crashkernel=no vga=791 net.naming-scheme=v238
if [ x$? = x0 ] ; then
echo "Loading initrd..."
initrd $system $container
echo "Booting..."
boot
else
echo "MESSAGE: This node is unconfigured. Please have your system administrator add a"
echo "         configuration for this node with HW address: ${net_default_mac}"
echo ""
echo "Rebooting in 1 minute..."
sleep 60
reboot
fi

and after the modificatin rebuild the host overlay with

# wwctl overlay build -H

Now the nodes can be rebooted with secure boot enabled.

Known problems

With this configuration will be only able to boot openSUSE/SUSE as the shim is taken from this distribution. Also the kernel commandline is statically configured in grub.cfg.ww

The openSUSE.Asia Committee is seeking sponsors for the ninth openSUSE.Asia Summit. The summit will take place in Chongqing, China, from Oct. 21–23, 2023. Our participants are FLOSS users, developers, students and people who are interested in FLOSS from a wide range of different industries. The sponsorship is for accommodation, food, publicity, etc.

We are aiming to provide a low-barrier offline platform for users, contributors and developers to meet. Relationships between open-source enthusiasts can be greatly facilitated through offline summits. It is also an opportunity for technologists to share and promote the latest trends in technology and to exchange experiences. Sponsorship is an expression of your appreciation and recognition of our community and our work goals.

• Promote your products in the community.

• Business can promote their solutions / services to our community and stakeholders through business tracks.

• Sponsors can promote their products / services through

  • openSUSE.Asia Summit website.

  • Printed materials advertising the event.

  • Summit welcome package.

  • Promotional advertising visible throughout the event location.

  • Other community events that we attend  to promote openSUSE.Asia summit.

  • Sponsors can also request a booth to highlight their products and businesses.

Contact opensuse-asia-2023@googlegroups.com no later than 15th of September, 2023. The sponsorship prospectus is available at:

English Call For Sponsorship(en).pdf

Chinese Call For Sponsorship(cn).pdf

We would like to thank SUSE and arm, which are both Platinum sponsors, for their support.

This week’s openSUSE Tumbleweed snapshots are rolling out at a steady pace.

The snapshots were not large, but consistent.

Snapshot 20230628 provided a few small changes that focused on removing some obsolete mechanisms and cleaned up some aspects to help with the future direction of Python.

Snapshot 20230627 was one of the bigger snapshots this week and it provided updates for gegl, kdump pipewire, strace and much more. The graphics package gegl brought version 0.4.46. The package provides some bug fixes and performance improvements and it re-enabled a deprecation warning. The kernel-crash dumping package kdump updated to version 1.9.2; this had enhancements like a rewrite of kdump-save and updates for other parts to ensure mounts are now entirely handled by dracut. An update of audio-compression package flac 1.4.3 improved the encoder speed for all presets, and it made significant improvements for the fastest presets as well as 24-bit and 32-bit inputs. Multimedia framework pipewire 0.3.72 fixed a critical bug that refused to update JACK clients, and there were some audio enhancements for Advanced Linux Sound Architecture. Strace 6.4 and perl-Bootloader 1.4 were among several other packages updated in the snapshot.

The only package updated in snapshot 20230626 was low-level signal processing library spandsp; the updated 3.0.0 git + version had some modifications aimed at mitigating concerns related to buffer overflows, memory corruption, and other potential issues that could arise from excessive data copying into an output buffer.

The 20230625 snapshot updated two packages. New major version firewalld 2.0 gained support for nftables flowtable, which is expected to accelerate Transmission Control Protocol and User Datagram Protocol flows. The major version also gained a new feature called Zone Priorities, which allows the user to control the order in which packets are classified into zones; it can be set using command line option --set-priority. The other package to update in the snapshot was sssd 2.9.1. This identity management client fixed a couple regressions to include one that affected lookups for kernel-based automounter autofs when cache_first is set to true.

Mesa and the Linux Kernel were updated in snapshot 20230625, but LibVNCServer 0.9.14 had several changes to highlight. The package fixed some Transport Layer Security interoperability with GnuTLS servers, removed a CVE-2020-29260 patch and added support for qemu extended key events. Mesa’s 23.1.3 update fixed a regression related to boo#1209005 that caused a crash in some instances. An update of the kernel-source to version 6.3.9 addressed an issue related to x86 architecture where a switch is performed immediately after installing a new Global Descriptor Table (GDT). A change was also made in the wireless networking subsystem related to regulatory wireless device channel validation. Another package to update in the snapshot was sendmail 8.17.2. The package improved error handling for TLS setup failures, introduces various improvements related to Email Address Internationalization support and improves security by maintaining DNS-based Authentication of Named Entities requirements. Several other packages updated in the snapshot.

Dear Tumbleweed users and hackers,

Finally back on the weekly review cycle – are we taking bets on how long I can keep it up (summertime is ‘terrible’ – it motivates too much to take Fridays off). Anyway, even without me there, you are used to Tumbleweed rolling. Lately, all the excellent work on Staging Is being performed by Ana. During this week, we managed to publish again 6 snapshots (the 7th was in QA, but took slightly longer to test than the next one needed to build).

The 6 snapshots (0614, 0616, 0617, 0619, 0620, and 0620) brought you those changes:

• Python 3.11 has been set as the default Python interpreter
• libzypp: fix for stricter http/2 RFC 9113 server implementations: trim custom headers
• Qt 5.15.10
• PHP 8.1.20
• LibreOffice 7.5.4.2
• poppler 23.06.0
• LLVM 16.0.6
• node.JS 20.3.0
• Mozilla Firefox 114.0.2
• KDE Plasma 5.27.6

Integration tests are currently being performed on these planned changes:

• Linux kernel 6.3.9
• Protobuf 22.5: please help to sort out the failures in Staging:K
• util-linux 2.39
• Mesa 23.1.3
• PHP 8.2.7: Nextcloud was updated to 26.0.3, which claims to support PHP 8.2

A few weeks ago, I posted about sngbench, a shell script to measure syslog-ng performance. The performance of syslog-ng is influenced by many factors, including the hardware and OS it runs on, and syslog-ng itself. This blog summarizes some of my findings using the script.

https://www.syslog-ng.com/community/b/blog/posts/what-i-learned-about-syslog-ng-performance-using-sngbench

openSUSE.Asia Summit 2023

Call For Papers

It is a pleasure to announce the call for papers for openSUSE.Asia summit 2023 starting today, the openSUSE.Asia Committee is looking for speakers from different avenues of life, representing and advocating Free and Open Source Software. openSUSE.Asia Summits are organized every year to promote the use of free and open source software and have been appreciated events for the openSUSE community (i.e. both contributors and users) in Asia. Following the last Asia Summit, the nineth openSUSE.Asia Summit 2023 will be held by openSUSE Chongqing team on Late October. The speakers are eligible to receive sponsorship from openSUSE Travel Support Program (TSP). Even if you live away from China, please consider applying for the event.

The past Asia Summits received major participation from Indonesia, China mainland, China Taiwan, Japan, South Korea, and India.

Topics

openSUSE.Asia Summit 2023 will invite talks relevant to openSUSE and other topics like Cloud, Virtualization, Container, Container Orchestration, Linux desktop environments and applications since openSUSE is a collection of various FLOSS products. The examples of the topics (not limited to) are as the following:

• openSUSE (including Leap, Tumbleweed, Open Build Services, openQA, YaST)
• openSUSE Kubic & MicroOS, Cloud, Virtualization, Container, and Container Orchestration
• Embedded and IoT
• Security (Access/Integrity control, Cryptography, Vulnerability management)
• Desktop environments and applications (e.g. GNOME, KDE, XFCE)
• Office suite, graphic art, multimedia (e.g. LibreOffice, Calligra, GIMP, Inkscape)
• Multilingualization support (e.g. input methods, translation)
• Other software running on openSUSE

Please note that non-technical talks are also welcome. For example:

• Explanations of FLOSS technologies
• Development, Quality Assurance, Translation
• Tips & Tricks, Experience stories (success or fail), Best practice
• Marketing and community management
• Computer Science
• Education

Types of sessions

We are inviting proposals for these 4 types of sessions.

• Workshop (120 min + Q&A)
• Long talks with presentation (60 min + Q&A)
• Short talks with/without presentation (30 min + Q&A)
• Lightning talk (15 min and less)

Schedule

• The deadline of the call for proposals: August 20, 2023
• Notification to speakers: Week of August 28, 2023
• openSUSE.Asia Summit 2023: October 21 until October 23, 2023.

How to submit your proposal

Please submit your proposal to the event

• Your proposal must be written in English and 150–500 words long with an appropriate title.
• You need to use English or Chinese in speech and English only on slides.
• Please run spell and grammar checks for your proposal before submission. LibreOffice Language tools and Grammarly
• Your biography on your profile page is also a reviewed document. Please do not forget to write your background.
• You must obey openSUSE Conference code of Conduct. You will receive a forms link after successful submission of proposal for further information requirements.

Guide to write your proposal

Please ensure that your proposal is about and around a topic

For example, if your talk is on security or desktop application, a wholesome proposal will always start with steps to install the application first.

Please include the reasons as to why your proposal should be the one.

It may contain the following as a reason:

• Need of the application/ technology/ solution
• Future prospects of the proposed solution
• Learnings for the target audience (beginners, contributors)

Do not hesitate to contact the local team on social media or write to the committee if you are not sure about writing your proposal or preparing your presentation.

Contact Organising committee

For any enquiries regarding the programme, please contact:

opensuseasia-summit@googlegroups.com

We look forward to see you at openSUSE.Asia Summit 2023.

Dear Tumbleweed users and hackers,

Again I have to span the review over two weeks – in the region where I live we had some holiday last week and I allowed myself to stretch for a long weekend. But this had no impact on Tumbleweed: it just kept on rolling. There was some additional ‘confusion’ though as the system used to calculate the diff between snapshots has been defunct for a few days, which resulted in the announcements for snapshots 0601 – 0604 not being sent out to the mailing lists. The info was then collected in the report for 0605. This review covers the 10 snapshots 0601, 0602, 0603, 0604, 0605, 0607, 0608, 0610, 0612, and 0613.

The most relevant changes in those snapshots were:

• AppArmor 3.1.4 & 3.1.5
• LibreOffice 7.5.4.1
• openSSL 3.1
• GNOME 44.2
• Linux kernel 6.3.6 & 6.3.7
• openSSH 9.3p1
• KDE Gear 23.04.2
• KDE Frameworks 5.107.0
• Mozilla Firefox 114
• Mesa 23.1.2

Shortly, Tumbleweed will bring you these changes:

• Python 3.11 as the default Python interpreter (moving from Python 3.10). About 100 Python packages failed to rebuild: those will still have the python3- symbol on the python310-* package until fixed.
• LibreOffice 7.5.4.2
• PHP 8.1.20
• Qt 5.15.10