Back when i started using Let’s Encrypt I wanted a lightweight client. Danimo recommended dehydrated. Well it still had a different name back then. But details. So for years I had been a very happy camper with it. Then I learned that many daemons now support that you can run ECDSA and RSA certs at the same time and the server picks the right cert depending on the client. So we will solve this first.…

TL;DR Operating systems let you customize the sensitivity of the microphone allowing you to suppress environmental noise such as keyboard strokes. Video conferences software unfortunately tends to override such settings using autogain making your customization void. While some video conferencing tools let you control autogain via the settings, Jitsi does not have such an option. However, you can use https://your.jitsi.server/someroom#config.disableAGC=true when joining your Jitsi meetings to disable autogain and have more control over your microphone.…

Usually your AppArmor profile would look something like this: #include <tunables/global> /usr/lib/colord { ... } Now if we check if our profile is actually used: $ ps axZ | grep '^/usr/lib/colord' /usr/lib/colord (enforce) 4466 ? Ssl 0:00 /usr/lib/colord The Z parameter makes ps print the AppArmor profile name, or in the case of selinux the context of the program. /usr/lib/colord (enforce) tells us what AppArmor profile is used and in which mode it is.…

I haven’t been using apache for a few years now … oh wow maybe like 15 years now. There was one feature I really liked with apache and apparmor though … mod_changehat. The module allows me to assign different apparmor scopes to apache scopes. So you could limit that your wordpress vhost can not access the files of your nextcloud vhost even though they are running in the same apache.…

So I am working on a Nextcloud package at the moment. Something that does not have such brain dead default permissions as the docs give you. To give all users who need access to the files, I used ACLs. This worked quite fine. Until during one update … suddenly all my files got executable permissions. I ran rpm --setperms nextcloud to reset the permissions of all files and then I reran my nextcloud-fix-permissions.…

When you are hear 2 coworkers complaining about breaking each other’s changes to a package, you wonder what is going on. And this time it turns out they were complaining about a rubygem package. So yeah time to find a nice solution to this problem finally. The conflict rubygem-annotate and gd. Both provide a /usr/bin/annotate. In the case of our gem based packaging this is of course only a symlink handled by update-alternative.…

We already mentioned Instantiated Services a few times. However, there is one question we did not yet cover: How to hook up those instances with our package manager For a normal service file this is pretty easy. Such a service can be handled as follow in the spec file: %pre %service_add_pre superduper.service %post %service_add_post superduper.service %preun %service_del_preun superduper.service %postun %service_del_postun superduper.service That is it. It will do all the things we want.…

After all the fun we had in part 1 of our FreeIPA + DNS series, we now come to a new chapter. During the move of openSUSE to Let’s Encrypt we used the excellent tool from ssllabs to verify each server after we changed the certificate. One of our coworkers noted “Hey, why don’t you have a CAA record. It would give you an even better score”. CAA records allow the domain owner to specify which certificate authorities are allowed to create certificates for this domain.…

Requests are one of the staples for collaboration in the OBS. You can review via the webui or with OSC. WebUI Lets take the request listing for openSUSE:Factory. Your normal workflow will probably end up as middle mouse click on the little magnifying glass icon on the right. review the request in a new tab close the new tab go back step 1 My issues with the WebUI no advancing to the next request in my current list.…

One step at a time. Today: Requires You might have seen that we package rails apps for a while now. We have discourse, gitlab-ce, errbit and our own open build service. I probably forgot an app or 2 here. Anyway if you look at all the spec files e.g. this one. You notice we have to specify the Requires manually. BuildRequires: %{rubygem rails:5 >= 5.1} Requires: %{rubygem rails:5 >= 5.1} This comes with a few problems actually.…

Restic had been on my watch list for a while, but i never really got around to play with it. After Jan-Piet Mens blogged about it [1, 2], I thought it was finally time to give it a go. Of course this means, first we need to package it. This is done now. You can find the packages in home:darix:restic. After reading the first blog post I did restic and rest-server.…

I have been a haproxy user for quite a few years now. Even using snapshots in production for a very long time. Especially after support was added to terminate SSL connections directly in haproxy. Getting rid of stunnel was so nice. For a very long time i was doing really well with this setup. But over time more and more services were put behind haproxy and the connections/s and the total amount of connections went up.…

The Plan +---------+ +------------------------+ +---------------------------+ | FreeIPA | -> | upstream hidden master | -> | public facing dns servers | +---------+ +------------------------+ +---------------------------+ Sounds simple enough right? Well … The Fun Let’s get right too it … FreeIPA only sends out notifications to the NS records listed in the zone. But our hidden master is not reachable from the outside and should not be listed as an NS. ‘But bind has “also-notify” just use that.…

As i regularly look it up from my mailbox. lets post it here. osc co yourproject/yourpackage cd yourproject/yourpackage quilt setup -v *spec cd yourpackage-*/ quilt push -a # apply old patches quilt new yourpackage-version_fixbuild.patch quilt edit src/foo.c quilt refresh foo-fixbuild.patch will automatically be created in the parent dir. if you work on a package which doesnt have a patch yet. you have to remember to copy the patch from the patch directory to your package directory.…

A very simple frontend/backend definition in haproxy can look like this: frontend http bind 0.0.0.0:80 tfo bind 0.0.0.0:443 tfo ssl npn http/1.1,http/1.0 no-sslv3 crt /etc/ssl/services/ default_backend somebackend backend somebackend option forwardfor option httpchk HEAD /check.txt HTTP/1.1\r\nHost:\ somehost server somebackend1 172.16.0.1 check port 80 $ curl -I http://haproxy.example.com/ Works. $ curl -I https://haproxy.example.com/ Does not work. The log snippet also looks ok: http~ somebackend/somebackend1 0/3004/-1/-1/3005 503 3090 - - SC-- 529/126/0/0/3 0/0 "GET / HTTP/1.…

By default the epmd on (open)SUSE only listens on 127.0.0.1. Which in itself is a sane default policy. We don’t expose any services directly to everyone just because we install and run them. But if you want to cluster erlang services you need it to listen on more addresses. $ export EDITOR=vim $ systemctl edit epmd.socket Add the following content: [Socket] # unset all ports defined in the global file, in our case this is 127.…

If you ever discussed packaging in person with me, you might have noticed i normally don’t call “osc build” but a little shell thingie. The reason is i don’t want to maintain a long command line all the time. So in my shell RC file i have the following: osc_build() { pkg_dir=$1 shift repo=$1 shift osc build -x vim -k ../rpms/$pkg_dir -p ../rpms/$pkg_dir $repo x86_64 $@ } ob-15.1() { osc_build 15.…

FFI is a method to interface with native libraries, which is becoming more and more popular in many scripting languages. Unlike with native extensions though, we have nothing that links the shared library. As such our requires generator for shared libraries doesn’t kick in and we get no requires on the shared library package. To make matters worse with the shared library policy the soversion is dependent on against which distro you build against.…

Disclaimer: I am aware that python does not allow easy installation of 2 libraries in parallel. It is just an example. Let’s say you have an upstream requirement "needs pyfoo >= 1.6.0 but smaller than 2". Sounds easy right? Our naive solution will be: Requires: python-pyfoo >= 1.6.0 Requires: python-pyfoo < 2 so far … so good. If your repository has only one version of pyfoo available we will probably get the package you want.…

Since we have staging for Factory/Tumbleweed, it became surprisingly stable. Major breakages at least for core packages are really rare now. But even for leaf packages it is not a common sight. One thing was still annoying: for upgrading you should use zypper dist-upgrade or short zypper dup normally. zypper dup will upgrade all the packages to the latest version it finds but also downgrade/uninstall packages, if required. Something a zypper up will not do.…

After I was asked again today how to properly patch a rubygems package, here is a quick how to. First things first we branch the package. darix@tengu ~/osc/tmp % osc bco devel:languages:ruby:extensions/rubygem-net-ssh-session A home:darix:branches:devel:languages:ruby:extensions A home:darix:branches:devel:languages:ruby:extensions/rubygem-net-ssh-session A home:darix:branches:devel:languages:ruby:extensions/rubygem-net-ssh-session/net-ssh-session-0.1.6.gem A home:darix:branches:devel:languages:ruby:extensions/rubygem-net-ssh-session/rubygem-net-ssh-session.changes A home:darix:branches:devel:languages:ruby:extensions/rubygem-net-ssh-session/rubygem-net-ssh-session.spec At revision 9edd872bc9121e1c68a71d057dfa607f. Note: You can use "osc delete" or "osc submitpac" when done. darix@tengu ~/osc/tmp % cd home:darix:branches:devel:languages:ruby:extensions/rubygem-net-ssh-session So far nothing unexpected a gem file and spec+changes.…

This is just a quick post but imho still pretty neat. If you are a postgresql user you probably know about the commands with \ to inspect your database server e.g. . So far … nothing new … right? Now how about this? You could use a more complex solution like this wiki page. But for a quick glance … the plus is enough (imho).…

In the good old days of sysvinit, if you wanted to run some extra code during start up, you were either (ab)using the sysconfig file or patching the init script itself. The init scripts in many packages are not as marked as configuration, which means in those cases your edits were lost. If it was marked as configuration then you have to merge your changes with those fixes manually. In either case … not ideal.…

Getting started Let’s say you want to have 3 instances of redis. One for each redis using app. Getting 3 instances app with systemd’s nifty Instantiated Services is easy. [Unit] Description=Redis After=network.target PartOf=redis.target [Service] Type=simple User=redis Group=redis PrivateTmp=true PIDFile=/var/run/redis/%i.pid ExecStart=/usr/sbin/redis-server /etc/redis/%i.conf Restart=on-failure [Install] WantedBy=multi-user.target redis.target “systemctl start redis@discourse” will launch us an instance with “discourse.conf”. Other systemctl commands just work as fine. “systemctl enable redis@discourse” , “systemctl status redis@discourse” . Now to stop all redis instances?…

Especially when using irssi via your smartphone it can be highly annoying to switch windows. Yes the /win $number thing will work. But who can remember all those numbers when you go past 20 windows? That’s where window_switcher.pl comes into play. Setup First download the file and place it into ~/.irssi/scripts/autorun/. Then switch back to irssi and set up window_switcher. We will bind ctrl+oto window_switcher. The status bar item is placed in the front of the status bar, so we an still see it on small displays.…

General Official Install Documentation Repositories use the repositories from devel:languages:ruby and home:darix:apps zypper in –from home:darix:apps redis gitlab-ce gitlab-shell config redis: See also: /usr/share/doc/packages/redis/README.SUSE $ cd /etc/redis $ cp default.conf.example gitlab.conf $ vi gitlab.conf * daemonize no * pidfile /var/run/redis/gitlab.pid * logfile /var/log/redis/gitlab.log * dir /var/lib/redis/gitlab/ $ install -d -m 0750 -o redis -g redis /var/lib/redis/gitlab/ $ chown root:redis gitlab.conf $ sc start redis@gitlab $ sc enable redis@gitlab GitLab Shell cd /usr/share/gitlab/shell/; cp config.…

A long time a go a coworker documented the ssh forwarding with xinetd trick that i showed him. We use it heavily on our virtualisation cluster for openSUSE. Of course it gets annoying if you have to pass the port parameter to each invocation of ssh or scp. Especially since ssh and scp are so nicely consistent for that. ;) As the title already implies, ssh has a config file which we can use.…

Taking ruby packaging to the next level Table of Content TL;DR Where we started The basics One step at a time Rocks on the road “Job done right?” “Well almost.” Whats left? TL;DR we are going back to versioned ruby packages with a new naming scheme. one spec file to rule them all. (one spec file to build a rubygem for all interpreters) macro based buildrequires. %{rubygem rails:4.…

README.SUSE So it seems you installed the discourse package that we provide for openSUSE/SUSE. Preparing PostgreSQL $ zypper in postgresql-server postgresql-server $ su - postgres $ createuser -P discourse $ createdb -O discourse discourse Add the required postgresql extensions to the DB. We extract those at build time from the migrations. If you run migrations with a normal postgresql user, you can not add extensions during the migrations. That’s why we add them here.…