openSUSE Tumbleweed – Review of the weeks 2023/27 & 28

Dear Tumbleweed users and hackers,

The vacation season is upon us, and the number of requests to Tumbleweed is slightly lower than normal. Nevertheless, there is a constant flow of updates coming your way. Due to my slacking off last week, this review again spans two weeks. In total, 11 snapshots have been published in this time (0701, 0703…0710, 0712, and 0713).

These 11 snapshots brought you the following changes:

  • GStreamer 1.22.4
  • Network Manager 1.42.8
  • linux-glibc-devel 6.4
  • MariaDB 11.0.2
  • Mozilla Firefox 115.0 & 115.0.1
  • Python 3.11.4 & 3.12.0b3
  • KDE Gear 23.04.3
  • KDE Frameworks 5.108.0
  • GNOME 44.3
  • Linux kernel 6.4.2 (lockdown accidentally not enabled)
  • wine 8.12
  • Protobuf 23.4
  • exiv2 0.28.0

Based on the staging projects, the following updates are likely to reach you soon:

  • Linux kernel 6.4.3 – with lockdown enabled
  • systemd 253.6
  • Mozilla Firefox 115.0.2
  • libvirt 9.5.0

the avatar of Open Build Service

Request Page Redesign - See Diff Comments Outside Beta and Set Bug Owner Action

We have been working on the request workflow redesign and continuously trying to improve it with the help of your feedback. This time we have focused on showing diff comments for non-beta users and a new request type Set Bug Owner. The request redesign is part of the beta program. We started the redesign of the request workflow in August 2022. Then, in September 2022, we focused on the support of multi-action submit requests. We...

the avatar of openSUSE News

Tumbleweed Boosts GNOME, MariaDB with Updates

A week of five openSUSE Tumbleweed snapshots brought crucial updates for key packages like GNOME, MariaDB, transactional-update and others.

The rolling release distribution showcased its commitment to providing users with the latest enhancements and bug fixes while ensuring users benefit from improved functionalities and better performance.

MariaDB is the most recent package to benefit from a new major version in the rolling release as snapshot 20230705 provided users with new features; the 11.0.2 version provides a new option that is enabled by default and improves the accuracy of the optimizer’s estimations for hash-join operations. The package also fixes some optimizer crashes and resolves the accidental disabling of some InnoDB monitors, which should now be enabled by default. Both Indonesian and Finnish translations were made in the yast2-trans update and yast2-network 4.6.5 fixes a typo when writing the wireless channel. An update to python-argcomplete 3.1.1 improves logic for user installation and enhances compatibility with Python 3.7.

Snapshot 20230704 updates just a few packages. Among the changes are openSUSE’s hardware detection tool hwinfo 22.3, which resolves linking problems with libsamba and ensures smoother functionality. An update of kdump 1.9.3 had changes to fix the calibrate feature as well as the treating of missing SSH, LFTP, or host keys as fatal errors. The 4.18.3 version of xfce4-settings has fixes related to display mode detection and securing the use of GSettings. Changes to the package also improve the handling of critical errors when opening the layout selection dialog. The update of kexec-tools: 2.0.26.0 introduces an upgrade where perl-Bootloader replaces kexec-tools with kexec-bootloader, making it obsolete.

Most of the packages updated in snapshot 20230703 were RubyGems; these updates gravitate toward a Common Vulnerability and Exposure. Patches were provided for CVE-2023-28362 that potentially leads to a Cross-site-scripting (XSS) payload on the redirection page. The Imath 3.1.9 package fixes a heap-buffer-overflow vulnerability, adds support for Densely Weighted Averaging compression and fixes a stack-buffer-overflow problem. Gamers will like the SDL2 2.28.1 update as it adds Linux controller mapping for the Logitech Chillstream controller. The update also introduces support for the Nintendo Online Famicom controllers as well as support for third-party Nintendo Switch controllers. The keyboard utility package kbd 2.6.1 had some minor fixes and improvements to include some for contemporary French Macs. The perl-Image-ExifTool 12.64 version adds a new Sony LensType, includes support for Garmin Low-resolution Video (GLV) files, improves French translations, along with introducing some Application Programming Interface changes.

The largest snapshot of the week kicked off the month with snapshot 20230701. This snapshot updates ImageMagick to version 7.1.1.12 that includes a patch fixing a heap-buffer-overflow vulnerability with CVE-2023-3428. GNOME users had some updates with gnome-software updating to version 44.3. This update includes fixes for a crash when refining a Flatpak app and recovering the state after a failed app update. It also comes with updated translations. The 44.3 version of gnome-control-center updated translations. GNOME personal management application evolution 3.48.4 fixes an issue related to the `EMailSignatureScriptDialog` and `EMeetingListStore` components as well as addresses issues such as difficulties in choosing a script file under Flatpak. An update of GStreamer to 1.22.4 fixes security issues in several components and addresses some mapping issues; the package fixes memory leaks and provides stability improvements. An update of NetworkManager 1.42.8 fixes network filtering rules and IPv6 sharing as well as adds support for Point-to-Point Protocol 2.5.0. Other packages updated in the snapshot were webkit2gtk3 2.40.3, libzypp 17.31.15, gvfs 1.50.5 and more.

Snapshot 20230629 kicked off the week and featured updates of various packages. Noteworthy changes included SDL2’s first package update of the week with version 2.28.0; this introduces new functions for window surfaces and rendering APIs. Display manager sddm 0.20.0 brings initial support for Qt6 that will break themes that rely on Qt5. The package key to MicroOS and other projects with atomic updates, transactional-update, moved to version 4.3.0; this update improves custom utilities and scripts to call mkdumprd and the package adds support for libmount 2.39, while honoring the library’s LIBMOUNT_DEBUG variable for additional output. A few other library packages were updated in the snapshot.

the avatar of Just Another Tech Blog

openSUSE Leap: A Compelling Alternative to CentOS

Prior to the Dec 2020 situation at Red Hat and completely unawares, SUSE was working to release SLES 15 SP3, which is 100% binary compatible with openSUSE Leap 15.3. While Red Hat has been working to lock down sources and disparage those who build RHEL clones, SUSE has actively encouraged and sponsored openSUSE as a clone of SLES.

Let’s clarify the difference between openSUSE’s stable and testing ground distros. openSUSE Leap is a stable, enterprise-compatible distro, while openSUSE Tumbleweed serves as the testing ground for SLES and openSUSE Leap. I bring this up because I have repeatedly seen misinformation in community conversations about the state of enterprise Linux. Leap is not a testing ground.

The number of openSUSE users has been on the rise. Let’s look into some of the reasons why your next install should be a SUSE distro.

SUSE was founded in 1992 (yes, that’s one year after Linus initially created Linux) in Nuremberg, Germany. Since then, SUSE has grown to have an international presence. SUSE is a publicly traded company and the largest independent open-source software company in the industry.

Similar to Red Hat, SUSE provides a Linux distribution tailored specifically for enterprise environments, catering to the needs of businesses of all sizes. SUSE provides long-term support, ensuring stability, security, and reliability for critical workloads in production environments.

Also, like Red Hat, SUSE follows a subscription-based model, where customers pay for access to their respective distributions along with technical support, maintenance, and updates. This model ensures that organizations receive timely security patches, bug fixes, and feature enhancements, allowing them to maintain a stable and secure infrastructure. Unlike Red Hat, the sources are freely available, and openSUSE Leap updates happen in sync with SLES updates.

In addition to providing enterprise support for SUSE Linux, SUSE also provides enterprise support and updates for RHEL via SUSE Liberty Linux.

SUSE Linux benefits from an active and vibrant open-source community. The community contributes to the development and improvement of the distribution, providing a wealth of resources, documentation, and user-driven support forums.

In summary, openSUSE Leap has emerged as a compelling alternative to CentOS, particularly in light of the changes at Red Hat. Considering these factors, openSUSE Leap, with its robust enterprise support, adherence to open-source principles, and active community, presents a compelling option for businesses seeking a reliable and secure Linux distribution for their infrastructure.

the avatar of danigm's Blog

rpmlint updates (July 2023)

I'm spending some time every week working on the rpmlint project. The tool is very stable and the functionality is well defined, implemented and tested, so there's no crazy development or a lot of new functionality, but as in all software, there are always bugs to solve and things to improve.

The recent changes applied now in the main branch include:

  • Update the usage of rpm to not use old API.
  • Fixes for rpmdiff -v, check for NULL char, special macros in comments and spell checking of description in different languages.
  • Move all the metadata from setup.py to pyproject.toml.
  • Releasing rpmlint as pre-commit hook
  • Improvements to the PythonCheck in the dependency checking.

Summer of Code 2023 updates

The first month of the Summer of Code has passed and Afrid is doing a great job there. We've now a draft Pull Request with some initial changes that allow us to mock rpm packages in tests so it's easier to create new tests without the need of creating a binary package.

The first step done was to extend the existing FakePkg class to allow us to define package files and some package metadata.

Now he's working on replacing all of the test_python.py tests that use binary rpms with something that doesn't need them.

The idea is to replace as many tests as possible to reduce the number of rpm binaries and after that, provide helper functions, decorators and classes to make it easy to write tests, writing less code.

Roadmap

In any software project there's always room for improvements, fixes and enhancements. If the project is there for enough time, it's even more critical to modernize the code to reduce the technical debt.

My plan for 2023 is to improve the tests around rpmlint as much as possible. First with the GSoC project, making it easier to write more tests, improving the testing tools that we have. And after the summer, improving the test coverage.

There's also a tool that shares some of the ideas with rpmlint, spec-cleaner, it's also written in Python, so the next step, after the tests improvements will be to take a deep look into the code of these two tools and try to integrate in some way. Maybe it's possible to refactor the common code into an external module, maybe we can bring some ideas from spec-cleaner to rpmlint. Not sure yet, but that'll be my next step.

Don't forget that this is free software, so you can participate too! If you find any issue in rpmlint or have an idea to improve it, don't hesitate and create a new issue.

the avatar of openSUSE News

Submitting Talks, Attending Conferences Embody Open Source, Power of Sharing

Staying up-to-date with the latest trends, tools and industry knowledge is crucial for open-source developers and IT professionals like system administrators.

Online resources provide valuable information, but there is no substitute for the immersive and collaborative experience of attending conferences.

As the openSUSE Conference ended about a month ago and the openSUSE.Asia Summit is accepting talk proposals until August 20, we will explore the benefits and reasons why people should not only attend conferences but actively contribute by submitting talks.

The sharing of expertise and insights is perhaps the most fundamental of reasons to attend conferences as it provides an opportunity to share knowledge, expertise, and unique insights with a diverse audience. By submitting talks, people showcase their experiences, best practices, and innovative approaches to commonly shared challenges; they actively contribute to the growth and development of IT and open-source communities. These contributions can inspire others, spark new ideas and foster collaboration among attendees. Sharing expertise not only contributes to the collective knowledge but it helps to establish thought leaders and field experts.

Submitting talks and presenting them at conferences presents opportunities for personal and professional growth. It challenges people to refine their communication skills, overcome stage fright, and think critically about a topic. The experience of preparing and delivering a talk enhances people’s ability to articulate complex concepts clearly and concisely.

Attending sessions where speakers articulate a topic offers a unique opportunity to gain fresh perspectives, learn about emerging technologies, and stay ahead of the curve. The openSUSE and openSUSE.Asia Summit curate sessions with experts in open-source software and Linux, which provides valuable insights for attendees.

Many conferences like openSUSE and openSUSE.Asia Summit organize hands-on workshops where attendees gain practical experience and sharpen their skills. These interactive sessions allow IT professionals and developers to dive deep into specific technologies, frameworks, or tools. Attendees enhance their proficiency and return to their IT department with practical knowledge that can be immediately applied to their work.

Networking at conferences provides an invaluable chance to connect, exchange ideas, and establish meaningful relationships with industry peers and fellow community members. This helps to build a robust professional network that can lead to future collaborations, job opportunities, and mentorship possibilities.

Conferences like ours and others throughout the world foster a sense of community among attendees who share a common passion for technology and open-source. Engaging with fellow professionals and developers can lead to fruitful collaborations, collaborative projects, and contributions to open-source initiatives. The openSUSE and openSUSE.Asia Summit offer a vibrant community atmosphere and provide a platform for connecting with open-source enthusiasts from around the world.

For those managers and IT leaders that have not yet explored sending an employee to a conference, know that attending conferences provides immense value, but actively participating as a speaker takes the experience to new heights.

Get started today by submitting a talk, especially to the openSUSE.Asia Summit; it will take place at Chongqing University of Posts and Telecommunications in Chongqing, China, from Oct. 21 to 23.

the avatar of SUSE Community Blog

10 Reasons to Migrate from CentOS to openSUSE

When it comes to choosing a reliable and powerful Linux distribution for your workloads, CentOS and openSUSE are both popular options. However, recent changes in the CentOS project have left many users seeking alternatives. In this blog post, we will explore ten compelling reasons why migrating from CentOS to openSUSE might be a smart move. […]

The post 10 Reasons to Migrate from CentOS to openSUSE appeared first on SUSE Communities.

openSUSE Tumbleweed – Review of the week 2023/26

Dear Tumbleweed users and hackers,

We have just finished week 26, meaning half of the year is over. This week was a ‘super fast’ one for Tumbleweed: in the 7 days since the last review we published 9 snapshots. Go figure! The 9 snapshots covered this week are 0621…0629.

The most relevant changes that were delivered during this week were:

  • Mozilla Firefox 114.0.2
  • KDE Plasma 5.27.6
  • IceWM 3.4.0
  • Node.JS 20.3.1
  • AppArmor 3.1.6
  • PHP 8.2.7
  • Mesa 23.1.3
  • Linux kernel 6.3.9
  • util-linux 2.39
  • firewalld 2.0.0
  • strace 6.4
  • transactional-update 4.3.0

As you come to expect, staging projects are filled up and the following few things are being worked on and tested:

  • Protobuf 22
  • linux-glibc-devel 6.4.0
  • Linux kernel 6.4: kernel lockdown enabled, see the announcement
  • exiv2 0.28.0
  • wine 8.11: this was part of a single snapshot (0627) last week, but was quickly reverted in 0628 as there were issues starting apps. The problem could be identified and fixed.
  • Python 3.12.0b3

Warewulf4 Secure Boot

Warewulf booting

The HPC deployment system warewulf uses the bootloader iPXE to load the Linux kernel and the root file system with the configuration overlay on top. This method was chosen as it is flexible and scalable as well.

There were no technical reasons or outstanding features to choose iPXE over other boot loaders, so the de facto Linux bootloader grub can also be used, which enables the secure boot and measured boot features. This document describes how to use grub with warewulf4 and enable secure boot for it. Measured boot can also be enabled so that keylime can be used for remote attestation.

Choose the right bootloader

It is possible to boot grub directly, but in order to enable secure boot, shim is used as the first binary that is run; it then pulls grub with the same method by which shim itself was pulled. This means that if shim was pulled via TFTP, grub will also be pulled via TFTP.

With secure boot enabled, the distributions which warewulf can use will be locked to one vendor, as the shim of a vendor can only load the signed grub of that vendor without any additional steps. It would still be possible to add the keys of the different vendors to the MOK (Machine Owner Key) database, but this requires physical presence to enroll the MOKs.

Install

Follow the quick start guide for a basic installation of warewulf 4 4.x. If not already done, download a current openSUSE Leap container with the command

# wwctl container import docker://registry.opensuse.org/science/warewulf/leap-15.5/containers/kernel:latest leap15.5

This container already contains a kernel but is missing shim and grub. In order to install them, open a shell in the container with the following command

# wwctl container shell leap15.5

Within the container, install the needed shim and grub binaries with

[leap15.5] Warewulf> zypper in -y shim grub2-x86_64-efi

Now the shim and grub binaries have to be copied to the TFTP directory. For this use the commands:

# cp $(wwctl container show leap15.5)/usr/share/efi/x86_64/shim-sles.efi  /srv/tftpboot/warewulf/shim.efi
# cp $(wwctl container show leap15.5)/usr/share/grub2/x86_64-efi/grub-tpm.efi /srv/tftpboot/warewulf/grub.efi

With the binaries in the right place, the DHCP server configuration has to be updated. The name of the binaries can be configured in warewulf.conf, where you should replace the following two lines

    "00:07": ipxe-x86_64.efi
    "00:09": ipxe-x86_64.efi

with

    "00:07": shim.efi
    "00:09": shim.efi

and restart the DHCP services with

# wwctl configure dhcp

After these steps, instead of the iPXE binaries, first the shim signed by Microsoft is loaded, which then loads grub.efi. Still missing is a grub.cfg in the right place, which is created with the following command:

#  wwctl overlay edit host -p /srv/tftpboot/warewulf/grub.cfg.ww

Replace the content of this file with


# This file is autogenerated by warewulf
# Host:   {{.BuildHost}}
# Time:   {{.BuildTime}}
# Source: {{.BuildSource}}
echo "================================================================================"
echo "Warewulf v4 now booting with grub"
echo
uri="(http,{{.Ipaddr}}:9873)/provision/${net_default_mac}?assetkey="
kernel="${uri}&stage=kernel"
container="${uri}&stage=container&compress=gz"
system="${uri}&stage=system&compress=gz"
echo "Warewulf Controller: {{.Ipaddr}}"
echo "Trying to load a kernel... "
linux $kernel wwid=${net_default_mac} quiet crashkernel=no vga=791 net.naming-scheme=v238
if [ x$? = x0 ] ; then
echo "Loading initrd..."
initrd $system $container
echo "Booting..."
boot
else
echo "MESSAGE: This node is unconfigured. Please have your system administrator add a"
echo "         configuration for this node with HW address: ${net_default_mac}"
echo ""
echo "Rebooting in 1 minute..."
sleep 60
reboot
fi

and after the modification rebuild the host overlay with

# wwctl overlay build -H

Now the nodes can be rebooted with secure boot enabled.

Known problems

With this configuration, only openSUSE/SUSE can be booted, as the shim is taken from this distribution. Also, the kernel command line is statically configured in grub.cfg.ww.
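
A consistency check for the procedure above, written here as an added example and not part of the original post: it verifies that the file names configured in warewulf.conf match what was actually copied into the TFTP directory, and, on a booted node, that the firmware reports Secure Boot as enabled. The function names are hypothetical, both paths are passed as arguments, and the rendered grub.cfg is assumed to sit beside grub.efi after the overlay build.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the boot file that warewulf.conf maps to a DHCP client architecture
# code, e.g. 00:07 (x86_64 UEFI). $1 = path to warewulf.conf, $2 = code.
boot_file_for_arch() {
    awk -v key="\"$2\":" '$1 == key { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Check the TFTP side of the chain: firmware -> shim -> grub.efi -> grub.cfg.
# $1 = warewulf.conf, $2 = TFTP directory (/srv/tftpboot/warewulf on the page).
check_boot_chain() {
    conf=$1; tftpdir=$2; rc=0
    for arch in 00:07 00:09; do
        file=$(boot_file_for_arch "$conf" "$arch")
        case $file in
            "")
                echo "FAIL: no boot file configured for arch $arch"; rc=1 ;;
            *ipxe*)
                echo "FAIL: arch $arch still points at $file"; rc=1 ;;
            *)
                if [ -s "$tftpdir/$file" ]; then
                    echo "OK:   arch $arch -> $file"
                else
                    echo "FAIL: arch $arch -> $file, not present in $tftpdir"
                    rc=1
                fi ;;
        esac
    done
    # shim fetches grub.efi from the directory it was loaded from; the rendered
    # grub.cfg is assumed to sit beside it after "wwctl overlay build -H".
    for f in grub.efi grub.cfg; do
        if [ ! -s "$tftpdir/$f" ]; then
            echo "FAIL: $tftpdir/$f is missing or empty"; rc=1
        fi
    done
    return "$rc"
}

# On a booted node: succeed only if the firmware reports Secure Boot as on.
# The efivarfs file holds 4 attribute bytes followed by one data byte (1 = on).
secure_boot_enabled() {
    var=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$var" ] || return 2
    state=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    [ "$state" = "1" ]
}

# Usage: sh check.sh /path/to/warewulf.conf /srv/tftpboot/warewulf
if [ "$#" -eq 2 ]; then
    check_boot_chain "$1" "$2"
fi
```

Run the chain check on the warewulf server before rebooting nodes; `secure_boot_enabled` is meant to be called on a node after it has booted.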