March 27, 2015

Copr statistics

Today I needed to generate some statistics of Copr. And they are quite interesting, so I decided to publish them:

  • avg. 230,804 files are served each day.
  • avg. 87 GB of data served per day.
  • avg. 5274 users download rpm package(s) from Copr every day.
  • 523 GB in yum repos right now (180GB on 2014-06-19, 100GB on 2014-03-10)
  • 2,945 projects
  • 1,995 active projects (with at least one build).
  • 148 projects shared by more than one member (likely team nightly repos).
  • 11,242 chroots (eg. el5, el6, fc21...).
  • 44,503 builds or src.rpm.
  • currently hosting 28,805 binary rpm packages (mind that the last successful build is preserved; builds which are not the latest are deleted after 14 days).
  • 8982 - builds since 2015-01-01 (86 days)
  • 104 builds per day - however we are very limited by OpenStack performance and I asked several people to postpone their actions until the new OpenStack instance is ready (Apr-2015). [EDIT: it is 104 tasks per day, which are then split into builds according to the associated chroots, so it is about 600-800 builds per day.]

This is impressive to me. And I'm really looking forward to next month. The new Fedora OpenStack instance is ready and we are working on migrating our VM instances to it. The accumulated total is 288 VCPUs and 686 GB RAM. It is not just for Copr, but Copr will use most of those resources. So we will be able to run more builders and encourage you to use Copr even more.

March 26, 2015

WebRTC: DruCall in Google Summer of Code 2015?

I've offered to help mentor a Google Summer of Code student to work on DruCall. Here is a link to the project details.

The original DruCall was based on SIPml5 and released in 2013 as a proof-of-concept.

It was later adapted to use JSCommunicator as the webphone implementation. JSCommunicator itself was updated by another GSoC student, Juliana Louback, in 2014.

It would be great to take DruCall further in 2015, here are some of the possibilities that are achievable in GSoC:

  • Updating it for Drupal 8
  • Support for logged-in users (currently it just makes anonymous calls, like a phone box)
  • Support for relaying shopping cart or other session cookie details to the call center operative who accepts the call

Help needed: could you be a co-mentor?

My background is in real-time and server-side infrastructure and I'm providing all the WebRTC SIP infrastructure that the student may need. However, for the project to have the most impact, it would also be helpful to have some input from a second mentor who knows about UI design, the Drupal way of doing things and maybe some Drupal 8 experience. Please contact me ASAP if you would be keen to participate either as a mentor or as a student. The deadline for student applications is just hours away but there is still more time for potential co-mentors to join in.

WebRTC at mini-DebConf Lyon in April

The next mini-DebConf takes place in Lyon, France on April 11 and 12. On the Saturday morning, there will be a brief WebRTC demo and there will be other opportunities to demo or test it and ask questions throughout the day. If you are interested in trying to get WebRTC into your web site, with or without Drupal, please see the RTC Quick Start guide.

How to create a Fedora account

Are you a Fedora user who would like to collaborate with the project (translating, testing, tagging, and more)? Cool, the only thing you need is a Fedora account.

Let's go!!!

First go to the FAS page => FAS2

There we see the login form.

You just need to fill it in with your data, solve the mathematical operation and click the “Sign Up” button. After this you will receive a welcome message in your email account along with the generic password for logging in (you will need to change it later).

Now log in.

Don’t forget to accept the CLA agreement, and that's all: now you can use all the Fedora tools.

Finally you will receive this badge.

Cool!!!

Hugs!!!

iddnna

Workaround: Subscribing to Google calendars with Evolution 3.16
Please also note the remarks on the HowTos!

By all appearances, Evolution version 3.16 will not be able to subscribe to Google calendars directly from within Evolution.

There is, however, a relatively simple workaround for subscribing to Google calendars with Evolution 3.16 as well:

  1. Get the calendar IDs of all calendars you want to subscribe to from the Google Calendar web interface: open the settings there, switch to the “Calendars” tab and open the details of each calendar.
  2. In the details you will find the calendar ID in the “Calendar Address” section, next to the XML, ICAL and HTML buttons.
  3. Now switch to the calendar module in Evolution and create a new CalDAV calendar.
  4. As the URL for the calendar enter https://www.google.com/calendar/dav/[Kalender-ID]/events/ (with [Kalender-ID] standing for the calendar ID), and as the user name enter your Google user name without the @gmail.com suffix.

Repeat steps 3 and 4 above for every Google calendar you want to subscribe to with Evolution.

NetVC BoF and a roundup of things IETF

In case folks hadn't heard the good news from IETF92 in Dallas, hums from the NetVC BoF indicated consensus for forming a NetVC working group. It's now up to the IESG to formally approve or nack formation. Should the working group be formally approved, we'll obviously submit Daala as one of the inputs to the development and standardization process.

The articles above are a good summary if a bit overly Daala-centric. It's unlikely that the final codec will be 'Daala', much as the IETF work on Opus drew from our codec CELT, but also drew from other contributors, most notably the SILK codec from Skype. We hope and expect to see substantial input from other participants (such as Cisco and Google).

As a parting mention, any IETF followers or insiders who haven't yet seen ietfmemes are missing their recommended daily allowance of realtime insider process backchannel snark :-)

OpenStack keeps resetting my hostname

No matter what I changed, something kept setting the hostname on my vm to federate.cloudlab.freeipa.org.novalocal. Even forcing the /etc/hostname file to be uneditable did not prevent this change. Hunting this down took far too long, and here is the result of my journey.

Old Approach

A few releases ago, I had a shell script for spinning up new virtual machines that dealt with dhclient resetting values by putting overrides into /etc/dhclient.conf. Finding this file was a moving target. First it moved into

/etc/dhcp/dhclient.conf.

Then to a file inside

/etc/dhcp/dhclient.d

And so on.  The change I wanted to make was to do two things:

  1. Set the hostname explicitly and keep it that way
  2. Use my own DNS server, not the DHCP-managed one

Recently, I started working on a RHEL 7.1 system running on our local cloud.  No matter what I did, I could not fix the host name.  Here are some  of the things I tried:

  1. Setting the value in /etc/hostname
  2. running hostnamectl set-hostname federate.cloudlab.freeipa.org
  3. Using nmcli to set the properties for the connections ipv4 configuration
  4. Explicitly Setting it in /etc/sysconfig/network-scripts/ifcfg-eth0
  5. Setting the value in /etc/hostname and making hostname immutable with chattr +i /etc/hostname

Finally, Dan Williams (dcbw) suggested I look in the journal to see what was going on with the host name.  I ran journalctl -b and did a grep for hostname.  Everything looked right until…

Mar 26 14:01:10 federate.cloudlab.freeipa.org cloud-init[1914]: [CLOUDINIT] stages.py[DEBUG]: Running module set_hostname (<module 'cloudinit.config.cc_set_hostname' from '/usr/lib/python2.7/site-packages/cloudinit...

cloud-init?

But…I thought that was only supposed to be run when the VM was first created? So, regardless of the intention, it was no longer helping me.

yum erase cloud-init

And now the hostname that I set in /etc/hostname survives a reboot. I’ll post more when I figure out why cloud-init is still running after initialization.

Don't have a Fedora account? Come in here

If you are a Fedora user and would like to cooperate in the community, you can do so in many ways (translating, testing packages, etc.).

You only need your FAS account, so here we will see how to create it :)

* We must go to Fedora's FAS website => FAS2

Once there we will see the login form.

You just have to fill it in with your data, solve the mathematical operation and click the “Sign Up” button. After this you will receive a welcome message in your email along with the generic password that will let you log in for the first time (you have to change it afterwards).

The next step is to log in to the system for the first time.

Don't forget to accept the CLA clause and that's it, basically that is all; now you can use all the tools Fedora offers us.

To finish, as a gift you will get this new badge :)

Great, isn't it?

Hugs!!!

iddnna.

Daala Blog-Like Update: Bug or feature? [or, the law of Unintentionally Intentional Behaviors]

Codec development is often an exercise in tracking down examples of "that's funny... why is it doing that?" The usual hope is that unexpected behaviors spring from a simple bug, and finding bugs is like finding free performance. Fix the bug, and things usually work better.

Often, though, hunting down the 'bug' is a frustrating exercise in finding that the code is not misbehaving at all; it's functioning exactly as designed. Then the question becomes a thornier issue of determining if the design is broken, and if so, how to fix it. If it's fixable. And the fix is worth it.

[continue reading at Xiph.Org....]

pghmcfc pushed to perl-Text-Hunspell (perl-Text-Hunspell-2.10-1.fc22). "Update to 2.10 (..more)"
pghmcfc pushed to perl-Text-Hunspell (perl-Text-Hunspell-2.10-1.fc23). "Update to 2.10 (..more)"
For discussion: Orphaned package in Fedora

The Fedora Security Team (FST) has uncovered an interesting problem.  Many packages in Fedora aren’t being actively maintained meaning they are unofficially orphaned.  This is likely not a problem since at least some of these packages will happily sit there and be well behaved.  The ones we worry about are the ones that pick up CVEs along the way, warning of unscrupulous behaviour.

The FST has been plugging away at trying to help maintainers update their packages when security flaws are known to exist. So far we’ve almost hit the 250 bug level. Unfortunately we forced a policy that still isn’t perfect. What do you do with a package that is no longer supported and has a known vulnerability in it? Unless you can recruit someone to adopt the package, the only responsible choice you have is to retire the package and remove it from the repositories.

This, of course, leads to other problems, specifically that someone has that package installed and they know not that the package is no longer supported nor do they know it contains a security vulnerability.  This morning, during the FST meeting, we discussed the problem a bit and I had an idea that I’ll share here in hopes of starting a discussion.

The Idea

Create a file containing all the packages that have been retired from a repository and perhaps a short reason for why this package has been retired.  Then have yum/dnf consume this information regularly and notify the user/admin when a package that is installed is added to this list.  This allows the system admin to become aware of the unsupported nature of the package and allows them to make a decision as to whether or not to keep the package on the system.

Okay, discuss…
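
A sketch of the idea above, added here as an example (it is not FST, yum or dnf code). The list format, one `name<TAB>reason` entry per line, and all function names are assumptions made for this illustration; the sample package names are constructed. It reports only packages the admin has not been told about before, matching the "notify when a package is added to this list" part of the proposal.

```python
"""Notify about installed packages that appear on a retired-package list.

Added illustration only. The list format (name<TAB>reason, '#' comments) is
an assumption made for this example; no such file is defined by Fedora,
yum or dnf.
"""
import subprocess


def parse_retired_list(text):
    """Return {package_name: reason} from 'name<TAB>reason' lines."""
    retired = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, reason = line.partition("\t")
        name = name.strip()
        # A name containing whitespace means the tab separator is missing.
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        retired[name] = reason.strip() or "no reason given"
    return retired


def installed_package_names():
    """Names of installed RPMs via `rpm -qa` (needs an RPM-based system)."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return set(out.split())


def newly_retired(installed, retired, already_notified=frozenset()):
    """Installed packages on the retired list that were not reported before.

    Returns a sorted list of (name, reason) so output is stable between runs.
    """
    hits = (set(installed) & retired.keys()) - set(already_notified)
    return sorted((name, retired[name]) for name in hits)


# Constructed sample data, not real Fedora retirements.
SAMPLE_RETIRED = """\
# name<TAB>reason
examplepkg-a\tunmaintained upstream, open security bug
examplepkg-b\treplaced by examplepkg-c
examplepkg-d
"""
SAMPLE_INSTALLED = {"bash", "examplepkg-a", "examplepkg-d", "openssl"}

if __name__ == "__main__":
    retired = parse_retired_list(SAMPLE_RETIRED)
    for name, reason in newly_retired(SAMPLE_INSTALLED, retired):
        print(f"WARNING: {name} is installed but retired: {reason}")
```

On a real system, pass `installed_package_names()` instead of the sample set and persist the names already reported between runs.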


gtk3 vclplug, some more gesture support

Now gtk3 long-press support to go with swipe

With the demo that a long-press in presentation mode will bring up the context menu for switching between using the pointer for draw-on-slide vs normal slide navigation.
Planet Fedora

Feed test, please ignore.

mingw-bundledlls – Automatically bundle DLLs for Windows deployment

Download the script – https://github.com/mpreisler/mingw-bundledlls

I recently had to build an application with mingw32 on Fedora 21 and then prepare the binaries for usage on Windows without any external dependencies.

In the past I used to look at the list of dependencies using depends32.exe or similar tools on Windows and then copy all the DLLs manually. Needless to say that is very repetitive work and gets annoying quickly. Googling for existing solutions did not yield any useful results so I decided to solve this myself.

The solution I came up with is a small Python 3 script that uses objdump to recursively gather all dependencies of an executable file (WinPE EXE) or a dynamic-link library (DLL). I published the script on GitHub – https://github.com/mpreisler/mingw-bundledlls.

The script can be run from Linux and only depends on python3 and objdump from binutils. It is very convenient to just run:

mingw32-configure && make && mingw-bundledlls --copy "$EXE"

After this invocation all the necessary DLLs will be right next to the EXE so you can just pack it all up and upload the release.

Practical example

I will show how I build SCAP Workbench for Windows from scratch on Fedora 21.

git clone https://github.com/OpenSCAP/scap-workbench.git
cd scap-workbench
mkdir build
cd build
mingw32-cmake ../
make -j 4

After the previous command finishes build/scap-workbench contains all the necessary resources including scap-workbench.exe. You however cannot run it on Windows without getting an error message about missing DLLs. Let us now run the script to solve that :-)

$ mingw-bundledlls ./scap-workbench/scap-workbench.exe

Found the following dependencies:

/usr/i686-w64-mingw32/sys-root/mingw/bin/libstdc++-6.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libpng16-16.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/zlib1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libcurl-4.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread-1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libxslt-1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/QtGui4.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/iconv.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libxml2-2.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libidn-11.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libintl-8.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libopenscap-8.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libcrypto-10.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/QtNetwork4.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libexslt-0.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libssh2-1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/QtXmlPatterns4.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libpcre-1.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/QtCore4.dll
/usr/i686-w64-mingw32/sys-root/mingw/bin/libssl-10.dll

After confirming that the script did not find anything crazy we can proceed to copy the dependencies next to the exe. Use --copy as an option to accomplish that.

$ mingw-bundledlls --copy ./scap-workbench/scap-workbench.exe

Copying enabled, will now copy all dependencies next to the exe_file.

Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libidn-11.dll' to './scap-workbench/libidn-11.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libssh2-1.dll' to './scap-workbench/libssh2-1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread-1.dll' to './scap-workbench/libwinpthread-1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libxml2-2.dll' to './scap-workbench/libxml2-2.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/QtNetwork4.dll' to './scap-workbench/QtNetwork4.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libstdc++-6.dll' to './scap-workbench/libstdc++-6.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/zlib1.dll' to './scap-workbench/zlib1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libopenscap-8.dll' to './scap-workbench/libopenscap-8.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libpcre-1.dll' to './scap-workbench/libpcre-1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc_s_sjlj-1.dll' to './scap-workbench/libgcc_s_sjlj-1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/QtXmlPatterns4.dll' to './scap-workbench/QtXmlPatterns4.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libexslt-0.dll' to './scap-workbench/libexslt-0.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libcurl-4.dll' to './scap-workbench/libcurl-4.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libpng16-16.dll' to './scap-workbench/libpng16-16.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/QtCore4.dll' to './scap-workbench/QtCore4.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libssl-10.dll' to './scap-workbench/libssl-10.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libxslt-1.dll' to './scap-workbench/libxslt-1.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libcrypto-10.dll' to './scap-workbench/libcrypto-10.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/QtGui4.dll' to './scap-workbench/QtGui4.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/iconv.dll' to './scap-workbench/iconv.dll'
Copying '/usr/i686-w64-mingw32/sys-root/mingw/bin/libintl-8.dll' to './scap-workbench/libintl-8.dll'

The script also runs upx on all the binaries if --upx is supplied. That is useful for minimizing the installed size of your application.

At this point I just zip build/scap-workbench and test it on Windows.

Runtime loaded DLLs

The script will not find any runtime loaded dependencies. Doing that would be possible by looking for LoadLibrary, LoadLibraryEx, … calls but probably not worth it. Bundling runtime loaded DLLs is a potential nightmare depending on whether relative or absolute paths are used when calling LoadLibrary. Inevitably the script would have to alter the EXE itself or any of the DLLs that is calling LoadLibrary.

Since I did not need this I decided to ignore this issue :-)
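
The recursive import walk described in this post, as an added example (it is not the mingw-bundledlls source). It relies on the "DLL Name:" lines that objdump -p prints for a PE import table; the function names, the sys-root index and the sample outputs are assumptions constructed for this illustration. It also separates the DLLs you would ship from the Windows system DLLs that are expected on the target.

```python
"""Recursive PE import walk in the style described above.

Added illustration, not the mingw-bundledlls source. It reads the
'DLL Name:' lines that `objdump -p` prints for a PE file's import table.
"""
import os
import re
import subprocess

DLL_NAME_RE = re.compile(r"^[ \t]*DLL Name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def parse_imports(objdump_output):
    """DLL names listed in the import table of `objdump -p` output."""
    return DLL_NAME_RE.findall(objdump_output)


def objdump_imports(path):
    """Run binutils objdump on a PE file and return its imported DLL names."""
    out = subprocess.run(["objdump", "-p", path], check=True,
                         capture_output=True, text=True).stdout
    return parse_imports(out)


def index_sysroot(directory):
    """Map lower-cased DLL file name -> full path for one directory."""
    return {f.lower(): os.path.join(directory, f)
            for f in os.listdir(directory) if f.lower().endswith(".dll")}


def gather_deps(root, available, imports_of=objdump_imports):
    """Walk imports transitively from root.

    available maps lower-cased DLL name -> path in the mingw sys-root.
    Names missing from that map (KERNEL32.dll and other Windows system
    DLLs) are returned separately: they are expected on the target and
    are not bundled. Returns (sorted bundled paths, sorted unresolved names).
    """
    bundled, unresolved = set(), set()
    todo = [root]
    while todo:
        current = todo.pop()
        for name in imports_of(current):
            # Windows resolves DLL names case-insensitively.
            path = available.get(name.lower())
            if path is None:
                unresolved.add(name.lower())
            elif path not in bundled:      # also breaks import cycles
                bundled.add(path)
                todo.append(path)
    return sorted(bundled), sorted(unresolved)


# Constructed sample outputs in the shape of `objdump -p`, keyed by path.
SAMPLE = {
    "app.exe": "\tDLL Name: libcurl-4.dll\n\tDLL Name: KERNEL32.dll\n",
    "/sysroot/libcurl-4.dll": "\tDLL Name: libssl-10.dll\n\tDLL Name: zlib1.dll\n",
    "/sysroot/libssl-10.dll": "\tDLL Name: LIBCRYPTO-10.dll\n\tDLL Name: msvcrt.dll\n",
    "/sysroot/libcrypto-10.dll": "\tDLL Name: zlib1.dll\n\tDLL Name: KERNEL32.dll\n",
    "/sysroot/zlib1.dll": "\tDLL Name: msvcrt.dll\n",
}
SAMPLE_AVAILABLE = {os.path.basename(p).lower(): p
                    for p in SAMPLE if p != "app.exe"}


def sample_imports(path):
    """Stand-in for objdump_imports() that reads the constructed samples."""
    return parse_imports(SAMPLE[path])


if __name__ == "__main__":
    bundled, system = gather_deps("app.exe", SAMPLE_AVAILABLE, sample_imports)
    print("bundle:", *bundled, sep="\n  ")
    print("left to Windows:", ", ".join(system))
```

The bundled list doubles as an inventory of third-party libraries (here libssl and libcrypto) that the release now carries and has to update itself.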

Hunting down a fd closing bug in Samba

In Samba I had a failing test suite. I have nss_wrapper compiled with debug messages turned on, so it showed me the following line:

NWRAP_ERROR(23052) - nwrap_he_parse_line: 3 Invalid line[TDB]: 'DB'

The file should parse a hosts file like /etc/hosts, but the debug line showed that it tried to parse a TDB (Trivial Database) file, Samba's database backend. I started to investigate and wondered what was going on. This morning I called Michael Adam and we looked into the issue together. It was obvious that something closed the file descriptor for the hosts file of nss_wrapper and it was then used by Samba to open other files. The big question was what the heck closes the fd. As socket_wrapper was loaded and it wraps the open() and close() calls, we started to add debug output to the socket_wrapper code.

So first we added debug statements to the open() and close() calls to see when the fd was opened and closed. After that we wanted to see a stacktrace at the close() call to find the code path where it happens. Here is the code for doing this:

commit 6c632a4419b6712f975db390145419b008442865
Author:     Andreas Schneider <asn>
AuthorDate: Thu Mar 26 11:07:38 2015 +0100
Commit:     Andreas Schneider <asn>
CommitDate: Thu Mar 26 11:07:59 2015 +0100

    DEBUG stacktrace
---
 src/socket_wrapper.c | 37 +++++++++++++++++++++++++++++++++----
 1 file changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/socket_wrapper.c b/src/socket_wrapper.c
index 1188c4e..cb73cf2 100644
--- a/src/socket_wrapper.c
+++ b/src/socket_wrapper.c
@@ -80,6 +80,8 @@
 #include <rpc/rpc.h>
 #endif
 
+#include <execinfo.h>
+
 enum swrap_dbglvl_e {
 	SWRAP_LOG_ERROR = 0,
 	SWRAP_LOG_WARN,
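Review bot: the new #include <execinfo.h> near the top of src/socket_wrapper.c is unconditional, while the include just above it ends with an #endif and so sits inside a feature guard. execinfo.h is not provided by every libc, so this include and the backtrace() code that depends on it should get the same kind of guard (a configure check plus #ifdef), otherwise the wrapper stops building on platforms without it.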
@@ -303,8 +305,8 @@ static void swrap_log(enum swrap_dbglvl_e dbglvl,
 		switch (dbglvl) {
 			case SWRAP_LOG_ERROR:
 				fprintf(stderr,
-					"SWRAP_ERROR(%d) - %s: %s\n",
-					(int)getpid(), func, buffer);
+					"SWRAP_ERROR(ppid=%d,pid=%d) - %s: %s\n",
+					(int)getppid(), (int)getpid(), func, buffer);
 				break;
 			case SWRAP_LOG_WARN:
 				fprintf(stderr,
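Review bot: only the SWRAP_LOG_ERROR case in swrap_log() gets the new ppid=/pid= prefix; no other case is touched in this hunk, so the log ends up with two prefix formats and anything that matches on SWRAP_ERROR(<pid>) stops matching. Either apply the ppid/pid prefix to every level or keep the old prefix and put the parent pid into the message text.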
@@ -565,10 +567,35 @@ static int libc_bind(int sockfd,
 	return swrap.fns.libc_bind(sockfd, addr, addrlen);
 }
 
+#define BACKTRACE_STACK_SIZE 64
 static int libc_close(int fd)
 {
 	swrap_load_lib_function(SWRAP_LIBC, close);
 
+	if (fd == 21) {
+		void *backtrace_stack[BACKTRACE_STACK_SIZE];
+		size_t backtrace_size;
+		char **backtrace_strings;
+
+		SWRAP_LOG(SWRAP_LOG_ERROR, "fd=%d", fd);
+
+		backtrace_size = backtrace(backtrace_stack,BACKTRACE_STACK_SIZE);
+		backtrace_strings = backtrace_symbols(backtrace_stack, backtrace_size);
+
+		SWRAP_LOG(SWRAP_LOG_ERROR,
+			  "BACKTRACE %lu stackframes",
+			  (unsigned long)backtrace_size);
+
+		if (backtrace_strings) {
+			size_t i;
+
+			for (i = 0; i < backtrace_size; i++) {
+				SWRAP_LOG(SWRAP_LOG_ERROR,
+					" #%lu %s", i, backtrace_strings[i]);
+			}
+		}
+	}
+
 	return swrap.fns.libc_close(fd);
 }
 
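Review bot: in the fd == 21 branch of libc_close(), the array returned by backtrace_symbols() is never released; it is allocated with malloc(), so a free(backtrace_strings) is needed after the loop. In the same loop, i is a size_t but is printed with %lu without a cast, unlike backtrace_size a few lines earlier, which is cast to unsigned long; cast i the same way or use %zu. The hard-coded descriptor number 21 only fits one particular test run, so reading it from an environment variable would make the hook reusable.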
@@ -704,6 +731,8 @@ static int libc_vopen(const char *pathname, int flags, va_list ap)
 
 	fd = swrap.fns.libc_open(pathname, flags, (mode_t)mode);
 
+	SWRAP_LOG(SWRAP_LOG_ERROR, "path=%s, fd=%d", pathname, fd);
+
 	return fd;
 }
 
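Review bot: the SWRAP_LOG call added in libc_vopen() sits between the libc_open() call and return fd, so an errno set by a failed open can be overwritten by the logging code before the caller sees it; save errno before the log call and restore it afterwards. It also reports every open, including successful ones, at SWRAP_LOG_ERROR, which buries real errors; a lower-severity level fits better.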

We found out that the code responsible for this created a pipe() to communicate with the child and then forked. The child called close() on the second pipe file descriptor. So when another fork happened in the child, the close() on the pipe file descriptor was called again and we closed a fd of the process to a tdb, connection or something like that. So initializing the pipe fd array with -1 and only calling close() if we have a file descriptor which is not -1 fixed the problem.

If you need a better stacktrace you should use libunwind. However socket_wrapper can be a nice little helper to find bugs with file descriptors ;)

BUG: Samba standard process model closes random files when forking more than once
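
The failure mode and the fix described in this post, reduced to a single process as an added example (not Samba or socket_wrapper code, and written with Python's os wrappers rather than C). A second close() on a stale descriptor number closes whatever file has since been given that number, and a -1 sentinel prevents it. /dev/null stands in for the tdb file, PipePair is a hypothetical helper, and resetting the slot to -1 after closing is this sketch's way of applying the -1 check.

```python
"""Stale-descriptor double close, and the -1 sentinel guard.

Added illustration; models the descriptor reuse in one process instead of
across fork(). os.devnull stands in for the unrelated file (tdb, socket).
"""
import os


def fd_is_open(fd):
    """True if fd currently refers to an open file in this process."""
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False


def unguarded_double_close():
    """Close a pipe end twice without tracking its state.

    Between the two close() calls the kernel hands the same descriptor
    number to an unrelated file (open() returns the lowest free number),
    so the second close() succeeds and silently closes that file.
    Returns (number_was_reused, victim_still_open).
    """
    r, w = os.pipe()
    os.close(w)                                   # legitimate close
    victim = os.open(os.devnull, os.O_RDONLY)     # gets w's old number
    reused = (victim == w)
    os.close(w)                                   # stale close hits victim
    still_open = fd_is_open(victim)
    if still_open:
        os.close(victim)
    os.close(r)
    return reused, still_open


class PipePair:
    """Pipe ends start at -1; close_end() only acts on a live descriptor."""

    def __init__(self):
        self.fds = [-1, -1]

    def open(self):
        self.fds = list(os.pipe())

    def close_end(self, index):
        if self.fds[index] != -1:
            os.close(self.fds[index])
            self.fds[index] = -1      # mark as closed so a repeat is a no-op


def guarded_double_close():
    """Same sequence with the sentinel: the repeated close does nothing."""
    pair = PipePair()
    pair.open()
    w = pair.fds[1]
    pair.close_end(1)
    victim = os.open(os.devnull, os.O_RDONLY)
    reused = (victim == w)
    pair.close_end(1)                 # no-op: slot already holds -1
    still_open = fd_is_open(victim)
    if still_open:
        os.close(victim)
    pair.close_end(0)
    return reused, still_open


if __name__ == "__main__":
    print("unguarded (reused, victim open):", unguarded_double_close())
    print("guarded   (reused, victim open):", guarded_double_close())
```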


Creating a bridge for virtual machines using systemd-networkd

There are plenty of guides out there for making ethernet bridges in Linux to support virtual machines using built-in network scripts or NetworkManager. I decided to try my hand with creating a bridge using only systemd-networkd and it was surprisingly easy.

First off, you’ll need a version of systemd with networkd support. Fedora 20 and 21 will work just fine. RHEL/CentOS 7 and Arch Linux should also work. Much of the networkd support has been in systemd for quite a while, but if you’re looking for fancier network settings, like bonding, you’ll want at least systemd 216.

Getting our daemons in order

Before we get started, ensure that systemd-networkd will run on a reboot and NetworkManager is disabled. We also need to make a config file directory for systemd-networkd if it doesn’t exist already. In addition, let’s enable the caching resolver and make a symlink to systemd’s resolv.conf:

systemctl enable systemd-networkd
systemctl disable NetworkManager
systemctl enable systemd-resolved
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
mkdir -p /etc/systemd/network

Configure the physical network adapter

In my case, the network adapter connected to my external network is enp4s0 but yours will vary. Run ip addr to get a list of your network cards. Let’s create /etc/systemd/network/uplink.network and put the following in it:

[Match]
Name=enp4s0
 
[Network]
Bridge=br0

I’m telling systemd to look for a device called enp4s0 and then add it to a bridge called br0 that we haven’t configured yet. Be sure to change enp4s0 to match your ethernet card.

Make the bridge

We need to tell systemd about our new bridge network device and we also need to specify the IP configuration for it. We start by creating /etc/systemd/network/br0.netdev to specify the device:

[NetDev]
Name=br0
Kind=bridge

This file is fairly self-explanatory. We’re telling systemd that we want a device called br0 that functions as an ethernet bridge. Now create /etc/systemd/network/br0.network to specify the IP configuration for the br0 interface:

[Match]
Name=br0
 
[Network]
DNS=192.168.250.1
Address=192.168.250.33/24
Gateway=192.168.250.1

This file tells systemd that we want to apply a simple static network configuration to br0 with a single IPv4 address. If you want to add additional DNS servers or IPv4/IPv6 addresses, just add more DNS= and Address lines right below the ones you see above. Yes, it’s just that easy.

Let’s do this

Some folks are brave enough to stop NetworkManager and start all of the systemd services here but I prefer to reboot so that everything comes up cleanly. That will also allow you to verify that future reboots will cause the server to come back online with the right configuration. After the reboot, run networkctl and you’ll get something like this (with color):

networkctl screenshot

Here’s what’s in the screenshot:

IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 enp2s0           ether              off         unmanaged 
  3 enp3s0           ether              off         unmanaged 
  4 enp4s0           ether              degraded    configured
  5 enp5s0           ether              off         unmanaged 
  6 br0              ether              routable    configured
  7 virbr0           ether              no-carrier  unmanaged 
 
7 links listed.

My ethernet card has four ports and only enp4s0 is in use. It has a degraded status because there is no IP address assigned to enp4s0. You can ignore that for now but it would be nice to see this made more clear in a future systemd release.

Look at br0 and you’ll notice that it’s configured and routable. That’s the best status you can get for an interface. You’ll also see that my other ethernet devices are in the unmanaged state. I could easily add more .network files to /etc/systemd/network to configure those interfaces later.

Further reading

As usual, the Arch Linux wiki page on systemd-networkd is a phenomenal resource. There’s a detailed overview of all of the available systemd-networkd configuration file options over at systemd’s documentation site.

The post Creating a bridge for virtual machines using systemd-networkd appeared first on major.io.

gtk3 vclplug, basic gesture support
gtk3's gesture support is the functionality I'm actually interested in, so now that presentations work in full-screen mode, I've added basic GtkGestureSwipe support to LibreOffice (for gtk3 >= 3.14) and hooked it up to the slideshow, so now swiping towards the left advances to the next slide, to the right for the previous slide.
My activities at FOSSASIA 2015
This blog is a continuation of my earlier blog on "FOSSASIA 2015 Highlights noticed by me"

Group Photo

Talk on Glibc Unicode 7 update:

        Glibc is an important component of operating systems. Recently we upgraded Glibc Unicode support from 5.1 to 7.0. This was a major update after 4-5 years. It usually goes unnoticed, so I wanted to highlight it. Even though I work for Red Hat, it still took around 7-8 months to finally get the patch into glibc upstream. Around 25-30 people attended the talk and it was well received. Slides for my talks are available at slideshare.

Fedora:

        We kept Fedora DVDs and stickers at the Red Hat booth. I was at the booth from 2-3pm on the first day and distributed DVDs to attendees. I also got a chance to meet Harish, Izhar, Prima Yogi, Aditya Patawari, and Kushal. I proposed a Fedora badge for people attending FOSSASIA and asked participants to add their names in piratepad. Unfortunately it got rejected because it was not planned in advance :(


        Fedora Breakout session. This was planned by Praveen Kumar. We gathered there; not many attendees were there, but we got a chance to interact with "Hamara Linux" representatives Aarti Dwivedi and Samyak Datta, LifeNectar explained to them about Fedora, Fedora.Next and also widely used Fedora remixes.

FUDCon APAC 2015:

        Being one of the members of the organizing committee, I thought it was a good time to discuss FUDCon APAC 2015 with people who mostly participate remotely. We planned a BoF and decided to do it at lunch time, since most of the time people were busy doing other stuff. I updated the group on the number of papers received, the planning that has happened to date, the BarCamp-style track, and lightning talks.


Represented Red Hat Globalization team:

        I have been working in this domain for 8+ years and have worked on almost all complex scripts, including Indic and Arabic. APAC is largely characterized by non-English-speaking countries, and FOSSASIA was the perfect place to interact with users about globalization needs. I interacted with a couple of people about what languages they use on Fedora.


I attended almost all talks in the OpenTech track and provided feedback to speakers. I had a good time interacting with most of the attendees over lunch and at social events. We had a nice hangout at Brewerkz with Anish, Kushal, Praveen Kumar, Lennart Poettering and Rémi Denis-Courmont.

Thank you FOSSASIA organizers Hong Phuc Dang, Mario Behling, Harish Pillay, Roland Turner, Justin Lee and Darwin Gosal. Looking forward to attending next year as well. :)

March 25, 2015

Python for remote reconfiguration of server firmware
One project I've worked on at Nebula is a Python module for remote configuration of server hardware. You can find it here, but there's a few caveats:
  1. It's not hugely well tested on a wide range of hardware
  2. The interface is not yet guaranteed to be stable
  3. You'll also need this module if you want to deal with IBM (well, Lenovo now) servers
  4. The IBM support is based on reverse engineering rather than documentation, so who really knows how good it is

There's documentation in the README, and I'm sorry for the API being kind of awful (it suffers rather heavily from me writing Python while knowing basically no Python). Still, it ought to work. I'm interested in hearing from anybody with problems, anybody who's interested in getting it on Pypi and anybody who's willing to add support for new HP systems.

Winner Wallpaper for Fedora 22

The 5 days the Fedora contributors had to choose their favorites among the submissions for the Fedora 22 Supplemental Wallpaper are over and here is the result:

Congratulations to all winners; for those not chosen, there will definitely be a Fedora 23 contest. You can find where your picture ended up, along with some statistics, at nuancier.

Fedora conferences this summer, writing release notes, brainstorming a better onramp, and a GSOC reminder

Fedora is a big project, and it’s hard to keep up with everything. This series highlights interesting happenings in five different areas every week. It isn’t comprehensive news coverage — just quick summaries with links to each. Here are the five things for March 25th, 2015:

Join us at Flock (and book your hotel now)

Every year, we have a big planning and developers’ conference, Flock. It alternates between Europe and North America, and this time around will be at the Rochester Institute of Technology in Rochester, New York, from August 12th to 15th. Flock organizers just announced that hotel reservations are open, as are talk submissions. If you’re an active contributor or are interested in becoming one, start planning your trip now!

Or, come to FUDCon in Pune, India

In addition to Flock, we also hold annual gatherings in the Asia/Pacific (APAC) and Latin America (LATAM) regions. These are FUDCons — Fedora User and Developer Conferences. This year’s APAC FUDCon will be held in Pune, India from June 26th to 28th.

Talk submissions for this conference are closed and the selection committee is working on choosing the best from over 140 submissions. There will also be a BarCamp-style track, where sessions will be chosen by attendees at the conference.

A limited amount of money is available for travel subsidies. See the FUDCon planning wiki for details.

Help with the F22 release notes

Fedora 22 is almost at the beta stage, with the final release slated for May. That means it’s time to start writing the release notes, and Fedora Documentation Project Lead Pete Travis put out a call for volunteers on the Fedora Join List. As Pete notes, this is a great, low-barrier way to get involved in Fedora — you don’t need a lot of prior knowledge, just a little bit of interest in some piece of software we include.

A more friendly ‘net presence for Fedora

This morning, Máirín Duffy led a brainstorming session on the topic of enabling new contributors, with the eventual goal of developing a modern Web interface to all aspects of the project for contributors, both new and already deeply involved. Mo wrote a great summary blog post afterward, and I highly recommend reading it if you’re interested in bringing more contributors to Fedora — or just improving your own workflows and interactions.

Google Summer of Code

And finally, a reminder that Fedora is participating in the Google Summer of Code. The application deadline is March 27 at 19:00 UTC; please check out Fedora’s GSOC 2015 page if you’re interested in being involved.

Summary of Enabling New Contributors Brainstorm Session

Photo of Video Chat

So today we had a pretty successful brainstorm about enabling new contributors in Fedora! Thank you to everyone who responded to my call for volunteers yesterday – we were at max capacity within an hour or two of the post! :) It just goes to show this is a topic a lot of folks are passionate about!

Here is a quick run-down of how it went down:

Video Conference Dance

We tried to use OpenTokRTC but had some technical issues (we were hitting an upper limit and people were getting booted, and some folks could see/hear some but not others). So we moved onto the backup plan – BlueJeans – and that worked decently.

Roleplay Exercise: Pretend You’re A Newbie!

Watch this part of the session starting here!

For about the first 30 minutes, we brainstormed using a technique called Understanding Chain to roleplay as if we were new contributors trying to get started in Fedora and noting all of the issues we would run into. We started thinking about how would we even begin to contribute, and then we started thinking about what barriers we might run up against as we continued on. Each idea / thought / concept got its own “sticky note” (thanks to Ryan Lerch for grabbing some paper and making some large scale stickies,) I would write the note out, Ryan would tack it up, and Stephen would transcribe it into the meeting piratepad.

Photo of the whiteboard with all of the sticky notes taped to it.

Walkthrough of the Design Hubs Concept Thus Far

Watch this part of the session starting here!

Next, I walked everyone through the design hubs concept and full set of mockups. You can read up more on the idea at the original blog post explaining the idea from last year. (Or poke through the mockups on your own.)

Screenshot of video chat: Mo explaining the Design Hubs Concept

Comparing Newbie Issues to Fedora Hubs Offering

Watch this part of the session starting here!

We spent the remainder of our time walking through the list of newbie issues we’d generated during the first exercise and comparing them to the Fedora Hubs concept. For each issue, we asked these sorts of questions:

  • Is this issue addressed by the Fedora Hubs design? How?
  • Are there enhancements / new features / modifications we could make to the Fedora Hubs design to better address this issue?
  • Does Fedora Hubs relate to this issue at all?

We came up with so many awesome ideas during this part of the discussion. We had ideas inline with the issues that we’d come up with during the first exercise, and we also had random ideas come up that we put in their own little section on the piratepad (the “Idea Parking Lot.”)

Here’s a little sampling of ideas we had:

  • Fedorans with the most cookies are widely helpful figures within Fedora, so maybe their profiles in hubs could be marked with some special thing (a “cookie monster” emblem???) so that new users can find folks with a track record of being helpful more easily. (A problem we’d discussed was new contributors having a hard time tracking down folks to help them.)
  • User hub profiles can serve as the centralized, canonical user profile for them across Fedora. No more outdated info on wiki user pages. No more having to log into FAS to look up information on someone. (A problem we’d discussed was multiple sources for the same info and sometimes irrelevant / outdated information.)
  • The web IRC client we could build into hubs could have a neat affordance of letting you map an IRC nick to a real life name / email address with a hover tool tip thingy. (A problem we’d discussed was difficulty in finding people / meeting people.)
  • Posts to a particular hub on Fedora hubs are really just content aggregated from many different data sources / feeds. If a piece of data goes by that proves to be particularly helpful, the hub admins can “pin” it to a special “Resources” area attached to the hub. So if there’s great tutorials or howtos or general information that is good for group members to know, they can access it on the team resource page. (A problem we’d discussed was bootstrapping newbies and giving them helpful and curated content to get started.)
  • Static information posted to the hub (e.g. basic team metadata, etc.) could have a set “best by” date and some kind of automation could email the hub admins every so often (every 6 months?) and ask them to re-read the info and verify if it’s still good or update it if not. (The problem we’d discussed here was out-of-date wiki pages.)
  • Having a brief ‘intake questionnaire’ for folks creating a new FAS account to get an idea of their interests and to be able to suggest / recommend hubs they might want to follow. (Problem-to-solve: a lot of new contributors join ambassadors and aren’t aware of what other teams exist that could be a good place for them.)

There’s a lot more – you can read through the full piratepad log to see everything we came up with.

Screenshot of video chat discussion

Next Steps

Watch this part of the session starting here!

Here’s the next steps we talked about at the end of the meeting. If you have ideas for others or would like to claim some of these items to work on, please let me know in the comments!

  1. We’re going to have an in-person meetup / hackfest in early June in the Red Hat Westford office. (mizmo will plan agenda, could use help)
  2. We need a prioritized requirements list of all of the features. (mizmo will work on this, but could use help if anybody is interested!)
  3. The Fedora apps team will go through the prioritized requirements list when it’s ready and give items an implementation difficulty rating.
  4. We should do some research on the OpenSuSE Connect system and how it works, and Elgg, the system they are using for the site. (needs a volunteer!)
  5. We should take a look at the profile design updates to StackExchange and see if there’s any lessons to be learned there for hubs. (mizmo will do this but would love other opinions on it.)
  6. We talked about potentially doing another video chat like this in late April or early May, before the hackfest in June.
  7. MOAR mockups! (mizmo will do, but would love help :))

How to Get Involved / Resources

So we have a few todos listed above that could use a volunteer or that I could use help with. Here’s the places to hang out / the things to read to learn more about this project and to get involved:

Please let us know what you think in the comments! :)

LibreOffice online announced by Collabora

Collabora just announced that they are working on LibreOffice online, an online document editing application that will provide an Open Source alternative to Google Docs and Office 365. Collabora — a leading contributor to the LibreOffice upstream — is teaming up with collaboration software provider IceWarp to work on this much needed addition to the LibreOffice suite.

The work that Collabora and IceWarp intend to complete will build on the online rendering engine that the LibreOffice community started development on in 2011, and the two companies intend to collaborate closely with the upstream LibreOffice project:

IceWarp and Collabora will work alongside over a thousand existing LibreOffice contributors to implement the whole online editing portion of the software, including the server-side provided by LibreOffice, and the client front-end based on HTML5 technology. The result will be a fully mature server solution, which any other provider, individual or project in the community can utilize for their applications and services

It seems it is early days for this promising project, but you can view this sneak peek of LibreOffice Online in action in this short screencast:

https://www.youtube.com/embed/MeoghUhFwME?feature=oembed

For full details on the announcement, check out the press release from Collabora.

Fedora 22: Lazarus currently unusable

Anyone who develops software with the Lazarus development environment should hold off on upgrading to Fedora 22 for the time being, since Lazarus and applications compiled with it are currently unusable under Fedora 22 (bug report).

 

Troubleshooting Keystone in a New Install

Recently heard complaints:

I’ve done a deployment, and every time I try to log in to the dashboard, I get “An error occurred authenticating. Please try again later.” Somewhat surprisingly, the only log that I’m noticing showing anything of note is the Apache error log, which reports ‘Login failed for user “admin”‘. I’ve bumped keystone — where I’d assume the error is happening — to DEBUG, but it’s showing exactly zero activity. How do I go about debugging this?

Trying to enable LDAP with OpenStack/keystone in Juno release. All the horizon users return error “You are not authorized for any projects.” Similarly, all the OpenStack services are reported not to be authorized.
What is supposed to happen:

  1. You log in to Horizon using admin and the correct password
  2. Horizon passes that to Keystone in a token request
  3. Keystone uses that information to create a token. If the user has a default project set, the token is scoped to the default project
  4. The token is returned to Horizon

Let’s take a deeper look at step 3.
In order to perform an operation on a resource in a project, a user needs to be assigned a role in a project. So the failure could happen at a couple steps.

  1. The user does not exist in the identity backend
  2. The user has the wrong password
  3. The user has no role assignments
  4. The user has a default project assigned, but does not have a role assignment for that project

The Keystone configuration file

Most deployments run with Keystone reading its configuration values from /etc/keystone/keystone.conf. It is an ini file, with section headers.
In Juno and Icehouse, the storage is split into two pieces: Identity and Assignment. Identity holds users and groups. Assignment holds roles, role assignments, projects and domains. Let’s start with the simplest scenario.
Identity in SQL, Assignments in SQL:
This is what you get from devstack if you make no customizations. To confirm that you are running this way, look in your keystone.conf file for the sections that start with
[identity]
and
[assignment]
and look for the value driver. In a Devstack deployment that I just ran, I have

[identity]
driver = keystone.identity.backends.sql.Identity

Which confirms I am running with the SQL driver for identity, and

[assignment]
driver = keystone.assignment.backends.sql.Assignment

Which confirms I am running with the SQL driver for Assignment
First steps
For Devstack, I get my environment variables set using

$ . openrc

and this will set:

$OS_AUTH_URL $OS_NO_CACHE $OS_TENANT_NAME
$OS_CACERT $OS_PASSWORD $OS_USERNAME
$OS_IDENTITY_API_VERSION $OS_REGION_NAME $OS_VOLUME_API_VERSION

$ echo $OS_USERNAME
demo

To change to the admin user:

$ export OS_USERNAME=admin
$ export OS_PASSWORD=FreeIPA4All

While we are trying to get people to move to the common CLI, older deployments may only have the keystone CLI to work with. I’m going to start with that.

$ keystone --debug token-get
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://192.168.1.58:5000/v2.0/tokens
INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.1.58
DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3783
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-03-25T16:03:25Z |
| id | ec7c2d1f07c5414499c3cbaf7c59d4be |
| tenant_id | 69ff732083a64a1a8e34fc4d2ea178dd |
| user_id | 042b50edf70f484dab1f14e893a73ea8 |
+-----------+----------------------------------+

OK, what happens when I do keystone token-get? The CLI uses the information I provide to try and get a token;

$ echo $OS_AUTH_URL

http://192.168.1.58:5000/v2.0

OK…It is going to go to a V2 specific URL. And, to confirm:

$ echo $OS_IDENTITY_API_VERSION

2.0

We are using Version 2.0
The username, password and tenant used are

$ echo $OS_USERNAME
admin
$ echo $OS_PASSWORD
FreeIPA4All
$ echo $OS_TENANT_NAME
demo

Let’s assume that running keystone token-get fails for you. Let’s try to isolate the issue to the role assignments by getting an unscoped token:

$ unset OS_TENANT_NAME
$ echo $OS_TENANT_NAME

That should return a blank line. Now:

$ keystone token-get
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| expires | 2015-03-25T16:14:28Z |
| id | 2a3ce489422342f2b6616016cb43ebc2 |
| user_id | 042b50edf70f484dab1f14e893a73ea8 |
+----------+----------------------------------+

If this fails, it could be one of a few things:

  1. User does not exist
  2. Password is wrong
  3. User has a default tenant that is invalid

How can we check:

Using Admin Token

Bootstrapping the Keystone install requires putting users in the database before there are any users defined. Most installers take advantage of an alternate mechanism called the ADMIN_TOKEN or SERVICE_TOKEN. To see the value for this, look in keystone.conf section:
[DEFAULT]
for a value like this:
#admin_token = ADMIN
Note that devstack follows the best practice of disabling the admin token by commenting it out. The admin token works like a very powerful password: it should be disabled in normal operation, but it is very useful for fixing broken systems. To enable it, uncomment the value and restart Keystone.
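The two configuration checks described so far (which driver backs [identity] and [assignment], and whether admin_token has been left uncommented in [DEFAULT]) can be scripted. The following is an added example, not part of the original post or of Keystone itself; the function names and both sample files are constructed for illustration, and the file is read with Python's configparser on the assumption that it is a plain ini file as described above.

```python
import configparser

# Constructed sample: identity moved to LDAP, admin token left enabled.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN

[identity]
driver = keystone.identity.backends.ldap.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""

# Constructed sample: the devstack layout quoted in the post.
DEVSTACK_CONF = """\
[DEFAULT]
#admin_token = ADMIN

[identity]
driver = keystone.identity.backends.sql.Identity

[assignment]
driver = keystone.assignment.backends.sql.Assignment
"""


def load_conf(text):
    """Parse keystone.conf text; '#' lines are comments and are ignored."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def backend_of(parser, section):
    """Return the short backend name ('sql', 'ldap', ...) or None if unset."""
    driver = parser.get(section, "driver", fallback=None)
    if not driver:
        return None
    parts = driver.split(".")
    # keystone.identity.backends.sql.Identity -> 'sql'
    if "backends" in parts and parts.index("backends") + 1 < len(parts):
        return parts[parts.index("backends") + 1]
    return driver


def audit(text):
    """Summarise the settings that matter when token requests fail."""
    parser = load_conf(text)
    identity = backend_of(parser, "identity")
    assignment = backend_of(parser, "assignment")
    # [DEFAULT] is configparser's default section, read via defaults().
    token_enabled = bool(parser.defaults().get("admin_token"))
    findings = []
    if token_enabled:
        # The token value itself is deliberately never echoed.
        findings.append("admin_token is enabled in [DEFAULT]: comment it "
                        "out and restart Keystone once the repair is done")
    if identity and assignment and identity != assignment:
        findings.append(f"users come from '{identity}' but role assignments "
                        f"live in '{assignment}': check that each user has "
                        "a role assignment on a project")
    return {"identity": identity, "assignment": assignment,
            "admin_token_enabled": token_enabled, "findings": findings}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("devstack", DEVSTACK_CONF)):
        report = audit(text)
        print(name, report["identity"], report["assignment"],
              "admin_token enabled" if report["admin_token_enabled"]
              else "admin_token disabled")
        for finding in report["findings"]:
            print("  -", finding)
```

On a real host, pass the contents of /etc/keystone/keystone.conf to audit() instead of the constructed samples.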

Using the Common CLI

The keystone command line has been deprecated with an eye toward using the openstack client. Since you might be deploying an old version of Openstack that has different library dependencies, you might not be able to install the latest version on your server, but you can (and should) run an updated version on your workstation which will then be capable of talking to older versions of keystone.
To perform operations using the common cli you need to pass the endpoint and admin_token as command line parameters.

The os-url needs to be the publicly routed URL to the admin interface. The firewall port for that URL needs to be open.

$ openstack --os-token ADMIN --os-url http://192.168.1.58:35357/v2.0/ user list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 042b50edf70f484dab1f14e893a73ea8 | admin |
| eb0d4dc081f442dd85573740cfbecfae | demo |
+----------------------------------+----------+
$ openstack --os-token ADMIN --os-url http://127.0.0.1:35357/v2.0/ role list
+----------------------------------+-----------------+
| ID | Name |
+----------------------------------+-----------------+
| 1f069342be2348ed894ea686706446f2 | admin |
| 2bf27e756ff34024a5a9bae269410f44 | service |
| dc4e9608b6e64ee1a918030f23397ae1 | Member |
+----------------------------------+-----------------+
$ openstack --os-token ADMIN --os-url http://192.168.1.58:35357/v2.0/ project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 69ff732083a64a1a8e34fc4d2ea178dd | demo |
| 7030f12f6cb4443cbab8f0d040ff023b | admin |
+----------------------------------+--------------------+

Now, to check to see if the admin user has a role on the admin project:

$ openstack --os-token ADMIN --os-url http://192.168.1.58:35357/v2.0/ user role list --project admin admin

+----------------------------------+-------+---------+-------+
| ID | Name | Project | User |
+----------------------------------+-------+---------+-------+
| 1f069342be2348ed894ea686706446f2 | admin | admin | admin |
+----------------------------------+-------+---------+-------+

If this returns nothing, you probably have found the root of your problem. Add the assignment with
$ openstack --os-token ADMIN --os-url http://192.168.1.58:35357/v2.0/ role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 1f069342be2348ed894ea686706446f2 |
| name | admin |
+-------+----------------------------------+
PHP 7.0 as Software Collection

RPMs of the upcoming major version, PHP 7.0, are available in the remi repository for Fedora 20, 21, 22 and Enterprise Linux 6, 7 (RHEL, CentOS, ...) in a fresh new Software Collection (php70) allowing its installation beside the system version.

As I strongly believe in SCL potential to provide a simple way to allow installation of various versions simultaneously, and as I think it is useful to offer this feature to allow developers to test their applications, to allow sysadmins to prepare a migration or simply to use this version for some specific application, I decided to create this new SCL.

Installation:

yum --enablerepo=remi,remi-test install php70

To be noticed:

  • the SCL is independent from the system, and doesn't alter it
  • this SCL is available in remi-test repository
  • installation is under the /opt/remi tree
  • the Apache module, php70-php, is available, but of course, only one mod_php can be used (so you have to disable or uninstall any other, the one provided by the default "php" package still has priority)
  • the FPM service (php70-php-fpm) is available, it listens on default port 9000, so you have to change the configuration if you want to use various FPM services simultaneously.
  • the php70 command gives simple access to this new version, however the scl command is still the recommended way (or the module command).
  • for now, the collection provides 7.0.0-dev, but alpha/beta version should be released soon
  • more PECL extensions will be progressively also available
  • only x86_64, no plan for other arch.

Also read other entries about SCL.

$ scl enable php70 'php -v'
PHP 7.0.0-dev (cli) (built: Mar 25 2015 14:40:01) 
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0-dev, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies

As always, your feedback is welcome, a SCL dedicated forum is open.

Edit UEFI varstores

See end of post for an important update

UEFI firmware has a concept of persistent variables. They are used to control the boot order amongst other things. They are stored in non-volatile RAM on the system board, or for virtual machines in a host file.

When a UEFI machine is running you can edit these variables using various tools, such as Peter Jones’s efivar library, or the efibootmgr program.

These programs don’t actually edit the varstore directly. They access the kernel /sys/firmware/efi interface, but even the kernel doesn’t edit the varstore. It just redirects to the UEFI runtime “Variable Services”, so what is really running is UEFI code (possibly proprietary, but more usually from the open source TianoCore project).

So how can you edit varstores offline? The NVRAM file format is peculiar to say the least, and the only real specification is the code that writes it from TianoCore. So somehow you must reuse that code. To make it more complicated, the varstore NVRAM format is tied to the specific firmware that uses it, so varstores used on aarch64 aren’t compatible with those on x86-64, nor are SecureBoot varstores compatible with normal ones.

virt-efivars is an attempt to do that. It’s rather “meta”. You write a small editor program (an example is included), and virt-efivars compiles it into a tiny appliance. You then boot the appliance using qemu + UEFI firmware + varstore combination, the editor program runs and edits the varstore, using the UEFI code.

It works .. at least on aarch64 which is the only convenient machine I have that has virtualized UEFI.

Git repo: http://git.annexia.org/?p=virt-efivars.git;a=summary

Update:

After studying this problem some more, Laszlo Ersek came up with a different and better plan:

  1. Boot qemu with only the OVMF code & varstore attached. No OS or appliance.
  2. This should drop you into a UEFI shell which is accessible over qemu’s serial port.
  3. Send appropriate setvar commands to update the variables. Using expect this should be automatable.

GNOME 3.16 is out!
Did you see?

It will obviously be in Fedora 22 Beta very shortly.

What happened since 3.14? Quite a bit, and a number of unfinished projects will hopefully come to fruition in the coming months.

Hardware support

After quite a bit of back and forth, automatic rotation for tablets will not be included directly in systemd/udev, but instead in a separate D-Bus daemon. The daemon has support for other sensor types, Ambient Light Sensors (ColorHug ALS amongst others) being the first ones. I hope we have compass support soon too.

Support for the Onda v975w's touchscreen and accelerometer are now upstream. Work is on-going for the Wi-Fi driver.

I've started some work on supporting the much hated Adaptive keyboard on the X1 Carbon 2nd generation.

Technical debt

In the last cycle, I've worked on triaging gnome-screensaver, gnome-shell and gdk-pixbuf bugs.

The first got merged into the second, the second got plenty of outdated bugs closed, and priorities re-evaluated as a result.

I wrangled old patches and cleaned up gdk-pixbuf. We still have architectural problems in the library for huge images, but at least we're up to a state where we know what the problems are, not being buried in Bugzilla.

Foundation building

A couple of projects got started that didn't reach maturity yet. I'm pretty happy that we're able to use gnome-books (part of gnome-documents) today to read Comic books. ePub support is coming!



Grilo saw plenty of activity. The oft requested "properties" page in Totem is closer than ever, so is series grouping.

In December, Allan and I met with the ABRT team, and we've landed some changes we discussed there, including a simple "Report bugs" toggle in the Privacy settings, with a link to the OS' privacy policy. The gnome-abrt application had a facelift, but we got somewhat stuck on technical problems, which should get solved in the next cycle. The notifications were also streamlined and simplified.



I'm a fan

Of the new overlay scrollbars, and the new gnome-shell notification handling. And I'm cheering on co-new app in 3.16, GNOME Calendar.

There's plenty more new and interesting stuff in the release, but I would just be duplicating much of the GNOME 3.16 release notes.
Fedora 22: Subscribing to Google calendars no longer works

In Evolution version 3.16 it no longer seems possible to subscribe to Google calendars, since only an empty list of calendars is shown (bug report).

However, the problem appears to have already been fixed in the code branch for Evolution 3.18. Since that fix required changes to the API, the changes cannot be backported to Evolution 3.16.

A possible workaround (which did not work for me, at least) is to proceed as follows:

Setting up a CalDAV calendar in Evolution

  • Create a new CalDAV calendar
  • Use https://www.google.com/calendar/dav/ as the URL for the calendar
  • Enter your Google user name without the @gmail.com suffix as the user name
  • Click on “Find Calendars” (“Kalender suchen”)

If everything worked, you should now see a list of your calendars.

Not using IPv6? Are you sure?
World IPv6 Launch logo

CC-BY World IPv6 Launch

Internet Protocol version 6 (IPv6) has been around for many years and was first supported in Red Hat Enterprise Linux 6 in 2010.  Designed to provide, among other things, additional address space on the ever-growing Internet, IPv6 has only recently become a priority for ISPs and businesses.

On February 3, 2011, ICANN announced that the available pool of unallocated IPv4 addresses had been completely emptied and urged network operators and server owners to implement IPv6 if they had not already done so.  Unfortunately, many networks still do not support IPv6 and many system and network administrators don’t understand the security risks associated with not having some sort of IPv6 control within their network setup even if IPv6 is not supported.  The common thought of not having to worry about IPv6 since it’s not supported on a network is a false one.

The Threat

On many operating systems, Red Hat Enterprise Linux and Fedora included, IPv6 is preferred over IPv4.  A DNS lookup will search first for an IPv6 address and then an IPv4 address.  A system requesting a DHCP allocation will, by default, attempt to obtain both addresses as well.  When a network does not support IPv6 it leaves open the possibility of rogue IPv6 DHCP and DNS servers coming online to redirect traffic either around current network restrictions or through a specific choke point where traffic can be inspected or both.  Basically, if you aren’t offering up IPv6 within your network someone else could.

Just like on an IPv4 network, monitoring IPv6 on the internal network is crucial for security, especially if you don’t have IPv6 rolled out.  Without proper monitoring, an attacker, or poorly configured server, could start providing a pathway out of your network, bypassing all established safety mechanisms to keep your data under control.

Implementing IPv6

There are several methods for protecting systems and networks from attacks revolving around IPv6.  The simplest, and most preferred method, is to simply start using IPv6.  It becomes much more difficult for rogue DNS and DHCP servers to be implemented on a functioning IPv6 network.  Implementing IPv6 isn’t particularly difficult either.

Unfortunately IPv6 isn’t all that simple to implement either.  As UNC‘s Dr. Joni Julian spoke about in her SouthEast LinuxFest presentation on IPv6 Security, many of the tools administrators use to manage network connections have been rewritten, and thus renamed, to support IPv6.  This adds to the confusion when other tools, such as iptables, require different rules to be written to support IPv6.  Carnegie Mellon University’s CERT addresses many different facets of implementing IPv6 including ip6tables rules.  There are many resources available to help system and network administrators set up IPv6 on their systems and networks and by doing so networks will automatically be available to IPv6-only networks of the future present.

Blocking and Disabling IPv6

If setting up IPv6 isn’t possible the next best thing is disabling, blocking, and monitoring for IPv6 on the network.  This means disabling IPv6 in the network stack and blocking IPv6 in ip6tables.

# Set DROP as default policy to INPUT, OUTPUT, and FORWARD chains.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Set DROP as a rule to INPUT and OUTPUT chains.
ip6tables -I INPUT -p all -j DROP
ip6tables -I OUTPUT -p all -j DROP

Because it can never be known that every system on a network will be properly locked down, monitoring for IPv6 packets on the network is important.  Many IDSs can be configured to alert on such activity but configuration is key.
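To make the monitoring point concrete, here is an added example (not from the original article) of the classification an IDS rule performs: it takes raw Ethernet frames, picks out IPv6 traffic, and flags router advertisements and DHCPv6 server messages from senders that are not on an allow-list. The function names, MAC addresses and sample frames are constructed for illustration; checksums in the samples are left at zero and are not verified.

```python
import ipaddress
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100
EXT_HEADERS = {0, 43, 60}        # hop-by-hop, routing, destination options
ICMPV6, UDP = 58, 17
ICMPV6_ROUTER_ADVERT = 134
DHCPV6_SERVER_PORT = 547


def eth_frame(src_mac, ethertype, payload):
    """Build a constructed Ethernet frame sent to the all-nodes group."""
    dst = bytes.fromhex("333300000001")
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv6_packet(next_header, payload, src="fe80::1", dst="ff02::1"):
    """Build a constructed 40-byte IPv6 header followed by payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def classify_frame(frame):
    """Return 'router-advertisement', 'dhcpv6-server', 'ipv6' or None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETH_VLAN and len(frame) >= 18:   # skip one 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if (ethertype != ETH_IPV6 or len(frame) < offset + 40
            or frame[offset] >> 4 != 6):
        return None
    next_header = frame[offset + 6]
    offset += 40
    # Walk extension headers so they cannot hide the upper-layer protocol.
    while next_header in EXT_HEADERS and len(frame) >= offset + 8:
        next_header, hdr_len = frame[offset], frame[offset + 1]
        offset += 8 * (hdr_len + 1)
    if (next_header == ICMPV6 and len(frame) > offset
            and frame[offset] == ICMPV6_ROUTER_ADVERT):
        return "router-advertisement"
    if next_header == UDP and len(frame) >= offset + 8:
        source_port = struct.unpack_from("!H", frame, offset)[0]
        if source_port == DHCPV6_SERVER_PORT:
            return "dhcpv6-server"
    return "ipv6"


def find_rogue(frames, allowed_macs=frozenset()):
    """List (kind, source MAC) for RA / DHCPv6 server frames not allowed.

    On a network with no IPv6 rollout the allow-list is empty, so every
    such frame is reported.
    """
    alerts = []
    for frame in frames:
        kind = classify_frame(frame)
        if kind in ("router-advertisement", "dhcpv6-server"):
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            if mac not in allowed_macs:
                alerts.append((kind, mac))
    return alerts


# Constructed sample traffic.
RA_BODY = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
DHCP6_ADVERTISE = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 1, 2, 3])
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
SAMPLE_FRAMES = [
    eth_frame("52:54:00:aa:bb:01", ETH_IPV6, ipv6_packet(ICMPV6, RA_BODY)),
    eth_frame("52:54:00:aa:bb:02", ETH_IPV6, ipv6_packet(UDP, DHCP6_ADVERTISE)),
    eth_frame("52:54:00:aa:bb:03", ETH_IPV6, ipv6_packet(ICMPV6, ECHO_REQUEST)),
    eth_frame("52:54:00:aa:bb:04", 0x0806, bytes(28)),   # ARP, not IPv6
]

if __name__ == "__main__":
    for kind, mac in find_rogue(SAMPLE_FRAMES):
        print(f"ALERT {kind} from {mac}")
```

Even the plain "ipv6" result is worth counting on a segment where IPv6 is supposed to be disabled, since it shows a host that was not locked down.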

A few final words

IPv6 doesn’t have to be scary but if you want to maintain a secure network a certain amount of respect is required.  With proper monitoring IPv6 can be an easily manageable “threat”.  Of course the best way to mitigate the risks is to embrace IPv6.  Rolling it out and using it prevents many of the risks already discussed and it could already be an availability issue if serving up information over the Internet is important.

Fedora 22: flickering GDM login screen

With GDM 3.16, as used in Fedora 22, the login screen can flicker heavily on Intel GPUs as soon as the mouse or keyboard is used (bug reports here and here). However, some users report that this seems rather to be a problem with kernel 4.0, since the problem does not appear to occur with a kernel <= 3.19.

The only workaround for the problem at present is to have the GDM login screen run under the X server again (HowTo).

Fedora 22 Alpha: what's new?

Fedora 22 Alpha

Last week the first test release (Alpha) of Fedora 22 was published. Let's take a quick look at the latest free technologies in Fedora 22!

As is known, the new release comes in three editions: the Cloud edition, the Server edition and the regular-user Workstation edition. Here we talk about the most important new features in Fedora 22, especially those concerning the Workstation edition!

The most important additions and improvements are as follows:

  • The notification system in GNOME Shell has been redesigned and integrated with the calendar
  • A new notification tells you when operations in the terminal have completed
  • The login screen uses Wayland by default instead of X
  • New improvements and additions to the Nautilus file manager for a better and more consistent experience
  • New improvements to GNOME Shell, especially regarding appearance and themes
  • And many other improvements

 

Here is a set of screenshots from Fedora 22:

The login screen using Wayland (the user may not notice this change at all)

Fedora 22 with Wayland

The new notification system

The new notification system in the calendar

The new notification system: view of a notification

Notification when operations in the terminal complete

Terminal notifications when a task completes

 

Getting the Alpha test release:

Fedora 22 Alpha can be downloaded from the official site via the link

The second test release, Beta, is scheduled for 14 April 2015, with the final release on 19 May 2015

Release State Release Date
Alpha Release Public Availability Tue 10 Mar 2015
Beta Release Public Availability Tue 14 Apr 2015
Final Release Public Availability (GA) Tue 19 May 2015

 

Stay tuned for the new release, and don't forget to share these updates with your friends ….

The post “Fedora 22 Alpha: what's new?” first appeared on غزاوي آي تي.

Progit is dead, long live pagure

You may have heard of a little pet project I have been working on recently. I called it progit, but there is already a more well-known project named progit (the pro git book).

So, after long deliberations, we decided to rename the project: pagure.

What is Pagure?

Pagure is a small git-centered forge project. You can host your code, your documentation, your tickets and have people contribute to the project by forking it and opening pull-requests.

All the information about the project is hosted in different git repositories: the code of course, but also the documentation as well as the metadata (discussion) of tickets and pull-requests. The idea is that one could host a project in multiple instances of pagure and keep them in sync.

What about the name?

Pagure is the generic (French) name for animals of the Paguroidea family, which includes the well known Pagurus bernhardus. This little crab moves from shell to shell as it grows up. I found it was a nice analogy with this forge, where projects can move from place to place.

Where can I see it?

Pagure is still under development and pretty much changes every day. However, you can already see it, test it and poke at it via the dev instance we have running.

As you will see, pagure itself is being developed there, so feel free to open a ticket if pagure does not do something you would like (or does something you do not like).

Lohit Devanagari 2.95.1 release
Done with the 2.95.1 release. This release is a continuation of the 2.95.0 release, basically to resolve issues raised in it ;)

Noticed an issue from Bhushan during Fedora 22 testing. While analyzing it, I found it is due to autohinting in the Lohit fontconfig file.

We are now using ttfautohint while building the ttf file, and then using autohint again on this hinted font. This does not work very well, as reported in bugzilla.

From bug #1203996
There were a couple more issues I noticed on Fedora 22. These are all fixed now. I will soon build the 2.95.1 version for Fedora 22. It will be available in the Fedora 22 Beta release.

Announced in lohit-devel list
 

March 24, 2015

How to turn the Chromebook Pixel into a proper developer laptop

Recently I spent about a day installing Fedora 22 + jhbuild on a Chromebook and left it unplugged overnight. The next day I turned it on with a flat battery, grabbed the charger, and the coreboot bios would not let me do the usual ctrl+L boot-to-SeaBIOS trick. I had to download the ChromeOS image to an SD card, reflash the ChromeOS image and that left me without any of my Fedora workstation I’d so lovingly created the day before. This turned a $1500 laptop with a gorgeous screen into a liability that I couldn’t take anywhere for fear of losing all my work, again. The need to do CTRL+L every time I rebooted was just crazy.

I didn’t give up that easily; I need to test various bits of GNOME on a proper HiDPI screen and having a loan machine sitting in a bag wasn’t going to help anyone. So I reflashed the BIOS, and now have a machine that boots straight into Fedora 22 without any of the other Chrome stuff getting in the way.

Reflashing a BIOS on a Chromebook Pixel isn’t for the faint of heart, but this is the list of materials you’ll need:

  • Set of watchmakers screwdrivers
  • Thin plastic shim (optional)
  • At least 1Gb USB flash drive
  • An original Chromebook Pixel
  • A BIOS from here for the Pixel
  • A great big dollop of courage

This does involve deleting the entire contents of your Pixel, so back anything up you care about before you start, unless it’s hosted online. I’m also not going to help you if you brick your machine, caveat emptor and all that. So, let’s get cracking:

  • Boot chromebook into Recovery Mode (escape+refresh at startup) then do Control+D, then Enter, wait for ~5 mins while the Pixel reflashes itself
  • Power down the machine, remove AC power
  • Remove the rubber pads from the underside of the Pixel, remove all 4 screws
  • Gently remove the adhesive from around the edges, and use the smallest shim or screwdriver you have to release the 4 metal catches from the front and sides. You can leave the glue on the rear as this will form a hinge you can use. Hint: The tabs have to be released inwards, although do be aware there are 4 nice lithium batteries that might kinda explode if you slip and stab them hard with a screwdriver.
  • Remove the BIOS write protect screw AND the copper washer that sits between the USB drives and the power connector. Put it somewhere safe.
  • Gently close the bottom panel, but not enough for the clips to pop in. Turn over the machine and boot it.
  • Do enough of the registration so you can logon. Then logout.
  • Do the CTRL+ALT+[->] (really F2) trick to get to a proper shell and login as the chronos user (no password required). If you try to do it while logged in via the GUI it will not work.
  • On a different computer, format the USB drive as EXT4 and copy the squashfs.img, vmlinuz and initrd.img files there from your nearest Fedora mirror.
  • Also copy the correct firmware file from johnlewis.ie
  • Unmount the USB drive and remove
  • Insert the USB drive in the Pixel and mount it to /mnt
  • Make a backup of the firmware using /usr/sbin/flashrom -r /mnt/backup.rom
  • Flash the new firmware using /usr/sbin/flashrom -w /mnt/the_name_of_firmware.rom
  • IMPORTANT: If there are any warnings or errors you should reflash with the backup; if you reboot now you’ll have a $1500 brick. If you want to go back to the backup copy just use /usr/sbin/flashrom -w /mnt/backup.rom, but let’s just assume it went well for now.
  • /sbin/shutdown -h now, then remove power again
  • Re-open the bottom panel, which should be a lot easier this time, and re-insert the BIOS write washer and screw, but don’t over-tighten.
  • Close the bottom panel and insert the clips carefully
  • Insert the 4 screws and tighten carefully, then convince the sticky feet to get back into the holes. You can use a small screwdriver to convince them a little more.
  • Power the machine back on and it will automatically boot to the BIOS. Woo! But not done yet.
  • It will by default boot into JELTKA which is “just enough Linux to kexec another”.
  • When it looks like it’s hung, enter “root” then enter and it’ll log into a root prompt.
  • Mount the USB drive into /mnt again
  • Do something like kexec -l /mnt/vmlinuz --initrd=/mnt/initrd.img --append=stage2=hd:/dev/sdb1:/squashfs.img
  • Wait for the Fedora installer to start, then configure a network mirror where you can download packages. You’ll have to set up Wifi before you can download package lists.

This was all done from memory, so feel free to comment if you try it and I’ll fix things up as needed.
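The backup, flash and "reflash with the backup on any error" steps above can be wrapped in a guard so that a bad read or a bad image never reaches the write. The script below is an added example, not code from the original post: the function names, the second read used to confirm the backup, and the expected SHA-256 argument (a digest you obtained separately for the image you downloaded) are assumptions; only the `flashrom -r`, `-w` and `-v` invocations and the `/usr/sbin/flashrom` path come from the steps above or from flashrom itself.

```shell
#!/bin/sh
# Added example: guards around the flashrom steps from the list above.
# FLASHROM defaults to the path used in the post; it can be overridden.
FLASHROM="${FLASHROM:-/usr/sbin/flashrom}"

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Read the chip twice; keep the backup only if both reads are non-empty and
# identical. An unstable read means the backup cannot be trusted for recovery.
backup_firmware() {
    backup="$1"
    "$FLASHROM" -r "$backup" || return 1
    "$FLASHROM" -r "$backup.check" || return 1
    [ -s "$backup" ] || { echo "backup is empty" >&2; return 1; }
    if [ "$(sha256_of "$backup")" != "$(sha256_of "$backup.check")" ]; then
        echo "two reads of the chip differ; do not flash" >&2
        return 1
    fi
    rm -f "$backup.check"
}

# Refuse an image whose digest is not the one you expect, or whose size
# differs from the chip contents that were just read.
check_image() {
    image="$1"; expected_sha256="$2"; backup="$3"
    [ "$(sha256_of "$image")" = "$expected_sha256" ] || {
        echo "image digest mismatch" >&2; return 1; }
    [ "$(wc -c < "$image")" -eq "$(wc -c < "$backup")" ] || {
        echo "image size differs from chip size" >&2; return 1; }
}

# Usage: safe_flash /mnt/the_name_of_firmware.rom <sha256> /mnt/backup.rom
# Returns 0 when the new image is written and verified, 1 when nothing was
# written, 2 when the write failed and the backup was restored, 3 when the
# restore failed too (stay powered on, do not reboot).
safe_flash() {
    image="$1"; expected_sha256="$2"; backup="$3"
    backup_firmware "$backup" || return 1
    check_image "$image" "$expected_sha256" "$backup" || return 1
    if "$FLASHROM" -w "$image" && "$FLASHROM" -v "$image"; then
        echo "flash verified"
        return 0
    fi
    echo "write or verify failed; restoring backup, do not reboot" >&2
    if "$FLASHROM" -w "$backup" && "$FLASHROM" -v "$backup"; then
        return 2
    fi
    return 3
}
```

Keep a copy of the verified backup.rom off the machine as well; once the write-protect screw is back in, it is the only record of the original firmware.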

Fedora Design Team Update

Fedora Design Team Meeting 24 March 2015

Completed Tickets

Ticket 361: Fedora Reflective Bracelet

This ticket involved a simple design for a reflective bracelet for bike riders to help them be more visible at night. The imprint area was quite small and the ink only one color, so this was fairly simple.

Tickets Open For You to Take!

One of the things we required to join the design team is that you take and complete a ticket. We have one ticket currently open and awaiting you to claim it and contribute some design work for Fedora :):

Discussion

Fedora 22 Supplemental Wallpapers Vote Closes Tomorrow!

Tomorrow (Wednesday, March 25) is the last day to get in your votes for Fedora 22’s supplemental wallpapers! Vote now! (All Fedora contributors are eligible to vote.)

(Oh yeah, don’t forget – You’ll get a special Fedora badge just for voting!)

Fedora 22 Default Wallpaper Plan

A question came up what our plan was with the Fedora 22 wallpaper – Ryan Lerch created the mockups that we shipped / will ship in the alpha and beta and the feedback we’ve got on these is positive thus far so we’ll likely not change direction for Fedora 22’s default wallpaper. The pattern is based on the pattern Ryan designed for the Fedora.next product artwork featured on getfedora.org.

However, it is never too early to think about F23 wallpaper. If you have some ideas to share, please share them on the design team list!

2015 Flock Call for Papers is Open!

Flock is going to be at the Hyatt Regency in Rochester, New York. The dates are August 12 to August 15.

Gnokii proposed that we figure out which design team members are intending to go, and perhaps we could plan out different sessions for a design track. Some of the sessions we talked about:

  • Design Clinic – bring your UI or artwork or unfiled design team ticket to an open “office hours” session with design team members and get feedback / critique / help.
  • Wallpaper Hunt – design team members with cameras could plan a group photoshoot to get nice pictures that could make good wallpapers for F23 (riecatnor suggested Highland Park as a good potential place to go).
  • Badge Design Workshop – riecatnor is going to propose this talk!

I started a basic wiki page to track the Design Team Flock 2015 presence – add your name if you’re intending to go and your ideas for talk proposals so we can coordinate!

(I will message the design-team list with this idea too!)

See you next time?

Our meetings are every 2 weeks; we send reminders to the design-team mailing list and you can also find out if there is a meeting by checking out the design team category on FedoCal.

Pulp 2.6.0 is available!

The Pulp team is very happy to announce the release of Pulp 2.6.0!

Highlights:

  • Full support for managing docker repositories and images
  • Full support for RabbitMQ as a message broker
  • Many other improvements and bug fixes

Release notes:

Thank you to everyone who helped test the betas and release candidates.

Server SIG Weekly Meeting Minutes (2015-04-24)

<html> <head> <meta content="text/html;charset=UTF-8" http-equiv="Content-type"/>
</head> <body>

#fedora-meeting-1: Server SIG Weekly Meeting (2015-03-24)

Meeting started by sgallagh at 15:00:30 UTC (full logs).

Meeting summary

  1. roll call (sgallagh, 15:00:31)
  2. Agenda (sgallagh, 15:03:18)
    1. Agenda Item: Anaconda Password Policy (sgallagh, 15:03:30)

  3. Anaconda Password Policy (sgallagh, 15:05:48)
    1. https://bugzilla.redhat.com/show_bug.cgi?id=1191842#c14 (sgallagh, 15:06:06)
    2. ACTION: adamw to email other products to try to unify the pwpolicy change (sgallagh, 15:16:17)
    3. https://fedoraproject.org/wiki/User:Kevin/Draft_Passwordpolicy (nirik, 15:21:36)
    4. http://www.oxforddictionaries.com/definition/english/bunfight (adamw, 15:38:09)
    5. AGREED: The password policy will be “--nostrict --minlen=6 --minquality=50 --nochanges --emptyok” for root, user and luks (sgallagh, 15:39:12)
    6. ACTION: sgallagh to update fedora-productimg-server with the agreed defaults. (sgallagh, 15:42:08)

  4. Open Floor (sgallagh, 15:42:57)
    1. http://reviewboard-fedoraserver.rhcloud.com/dashboard/ (sgallagh, 15:44:40)
    2. Help needed in reviewing rolekit database server patches (sgallagh, 15:44:53)
    3. ACTION: adamw and danofsatx to review the database server patches at their convenience (sgallagh, 15:47:27)

Meeting ended at 15:49:32 UTC (full logs).

Action items

  1. adamw to email other products to try to unify the pwpolicy change
  2. sgallagh to update fedora-productimg-server with the agreed defaults.
  3. adamw and danofsatx to review the database server patches at their convenience

Action items, by person

  1. adamw
    1. adamw to email other products to try to unify the pwpolicy change
    2. adamw and danofsatx to review the database server patches at their convenience
  2. danofsatx
    1. adamw and danofsatx to review the database server patches at their convenience
  3. sgallagh
    1. sgallagh to update fedora-productimg-server with the agreed defaults.

People present (lines said)

  1. sgallagh (99)
  2. mizmo (47)
  3. adamw (45)
  4. simo (38)
  5. nirik (37)
  6. danofsatx (14)
  7. zodbot (10)
  8. stefw (7)
  9. junland (3)
  10. masta (1)
  11. mitr (0)
  12. tuanta (0)

Generated by MeetBot 0.1.4. </body></html>

The easiest way to run your own OpenID provider?

A few years ago, I was looking for a quick and easy way to run OpenID on a small web server.

A range of solutions were available but some appeared to be slightly more demanding than what I would like. For example, one solution required a servlet container such as Tomcat and another one required some manual configuration of Python with Apache.

I came across the SimpleID project. As the name implies, it is simple. It is written in PHP and works with the Apache/PHP environment on just about any Linux web server. It allows you to write your own plugin for a user/password database or just use flat files to get up and running quickly with no database at all.

This seemed like the level of simplicity I was hoping for so I created the Debian package of SimpleID. SimpleID is also available in Ubuntu.

Help needed

Thanks to a contribution from Jean-Michel Nirgal Vourgère, I've just whipped up a 0.8.1-14 package that should fix Apache 2.4 support in jessie. I also cleaned up a documentation bug and the control file URLs.

Nonetheless, it may be helpful to get feedback from other members of the community about the future of this package:

  • Is it considered secure enough?
  • Have other people found it relatively simple to install or was I just lucky when I tried it?
  • Are there other packages that now offer such a simple way to get OpenID for a vanilla Apache/PHP environment?
  • Would anybody else be interested in helping to maintain this package?
  • Would anybody like to see this packaged in other distributions such as Fedora?
  • Is anybody using it for any online community?

Works with HOTP one-time-passwords and LDAP servers

One reason I chose SimpleID is because of dynalogin, the two-factor authentication framework. I wanted a quick and easy way to use OTP with OpenID so I created the SimpleID plugin for dynalogin, also available as a package.

I also created the LDAP backend for SimpleID, that is available as a package too.

Works with Drupal

I tested SimpleID for login to a Drupal account when the OpenID support is enabled in Drupal, it worked seamlessly. I've also tested it with a few public web sites that support OpenID.

Live Migrating QEMU-KVM Virtual Machines: Full Text

I’ve attempted to write down all I said while delivering my devconf.cz talk on Live Migrating QEMU-KVM Virtual Machines.  The full text is on the Red Hat Developer Blog:

http://developerblog.redhat.com/2015/03/24/live-migrating-qemu-kvm-virtual-machines/

SCAP Workbench 1.1.0

The new SCAP Workbench is out! This is the biggest release to date. We focused on improving the typical use-case of tailoring and remote scanning. This is also the first release to have Windows and MacOS X support!

Fedora updates for F22, F21 and F20 are pending. Testing and karma would be greatly appreciated! This release brings so many fixes and does not break existing use-cases that I decided to push it to older Fedoras as well. Even though it is a major release.

What’s new?

1.1.0 is a packed major release, the number of changes is second only to the 0.8.0 C++ rewrite.

  • Windows support – including a native MSI installer
  • MacOS X support – including a native dmg image
  • Complete redesign of the main window, with rich-text rule descriptions
  • Better SCAP Security Guide integration
  • Tailoring window greatly improved – shows relationships between values and rules
  • Opens bzip2 files
  • Performance improvements when loading big SCAP files
  • Countless UX improvements
  • And a lot more, a total of 49 tickets fixed, plus fixes merged from maintenance branches

Where to report issues?

The best place to report issues is the trac bug tracker. However I also accept reports via the mailing list or even comments to this blog post.

Chemnitzer Linux-Tage 2015

Last weekend there was Chemnitzer Linux-Tage, which is, after the death of LinuxTag in Berlin, Germany’s largest event around Linux and Open Source. I have been going to this event since the beginning, and as always there were a lot of visitors, even if it was a little less this year than in previous years. This year I also had only one talk, together with Robert Scheck.

So I had more time for conversations and the booth, which was as always well visited. As in the last 3 years we also presented a 3D printer, but we were not the only ones, so it is time for a new idea. But people are still interested in it. So we had a lot of conversations and handed out a lot of DVDs and stickers.

P.S. if another Fedora Ambassador needs the slides, they can be found here

New package & new branch process

A little while ago, I blogged about the new package and new branch request processes.

These changes have been pushed to production yesterday.

What does this change for you, packager?

New package

If you are already a packager, you know the current process to get packages into Fedora: once your package has been approved on bugzilla, you have to file a SCM request.

With the new process, this step is no longer necessary. You can directly go to pkgdb and file the request there.

From there admins will review the package review on bugzilla and create the package in pkgdb (or refuse with an explanation).

New branch

If your package is already in Fedora, you can now directly request a new branch in pkgdb. Here there are multiple options:

  • You have approveacls on the package (thus you are a package admin) and the request is regarding a new Fedora branch: The branch will be created automatically
  • You have approveacls on the package (thus you are a package admin) and the request is regarding a new EPEL branch: The request will be submitted to the pkgdb admins who will process it in their next run
  • You do not have approveacls on the package: your request will be marked as `Pending`, which means that the admins of the package have one week to react. They can either approve your request by setting it to Awaiting Review, or they can decline the request (for which they must specify a reason). After this one week (or sooner if the package admin sets the request to Awaiting Review) the pkgdb admins will process the request like they do with the others.

Note: Even with this new workflow, requests are still manually reviewed, so the requests will not necessarily be processed faster (but if it is easier for the admins, they may run it more often!).

What does this change for you, admins?

Hopefully, the process will be much simpler for you. In short:

  • no need to log onto any system, you can do everything from your own machine and it should work out of the box
  • much more automated testing (including checking if a package is present in RHEL and on which arch for EPEL requests)
  • one tool to process the requests: pkgdb-admin distributed as part of packagedb-cli (aka: pkgdb-cli)



I hope this process makes sense to you and will make your life easier.

You are welcome to already use these processes, just let us know if you run into some problems, but for the time being both the old and the new processes are supported :-)

FUDCon Pune Planning Meeting - 24 Mar
We had another FUDCon Pune schedule planning meeting; some of us joined over the phone and the #fedora-india channel.

As usual we used http://piratepad.net/FUDConPunePlanning to keep notes and discussed different topics/blockers.

Key points are: 
  • Write a post for fedora magazine which will cover subsidy requests and barcamp details.
  • Travel related meeting will start from this week (on Friday) at fudcon-planning channel
  • Follow up for wifi connectivity with MITCOE sysadmin.
  • Get a list of volunteers from MITCOE


Entire minutes are appended below:

<body>24 Mar 2015

Agenda + Minutes
-----------

  • Outreach
    • http://piratepad.net/FudCon-outreach-list
      • this is for industry + mailing lists (communities)
      • we need help here with more lists + more volunteers to do the outreach.
    • http://piratepad.net/FUDCon-College-Outreach
      • Reach out to MIT to let them know about the event (mid/late May)
    • Video series
      • (no updates) -- let's have something next week though.
      • Videos from FPL (Matthew Miller), jsmith, Kushal, Parag, Rahul, Joerg, etc. -- extolling the virtues of FUDCon + Pune
        • Kushal and Shreyank to work on this
        • Two videos:
          • One in April
          • One in May
        • Reach out to design/marketing team for editing help.
  • Marketing
    • no updates this week
    • Fedora magazine
      • Anisha to write a post
        • CfP closed
        • Subsidy requests still open
        • Barcamp track
    • fudcon.fedoraproject.org
    • Twitter
    • Facebook
    • Google Plus
    • LinkedIn group
  • FUDCon planning
    • We should start a tradition to announce the next fudcon at the current one
    • We should start the bid process beforehand and get a bid selected before the current one starts
    • The FUDCon pages on the Fedora wiki already mention 1 yr of lead time is needed for starting the fudcon planning process.
    • https://fedoraproject.org/wiki/FUDCon_organization_process
  • Scheduling
    • https://ethercalc.org/fudcon-schedule
    • Rough program
    • We will have to select a few talks to schedule; and ask others to do barcamp-style
    • Siddhesh + Neeependra + Amit + Kushal
    • kushal to retract his talk to be unbiased in talk selection
  • Website
  • Travel updates?
    • Start meeting regarding this in #fudcon-planning
      • Final schedule to be decided on fudcon-planning list.
      • Start this week
    • Let's start looking at tickets
    • Email fudcon-planning@ to set up an IRC meeting to discuss tickets
    • Fedora contributors, speakers, APAC people - priorities.
    • Identify people to book early (esp people who travel from far).
    • Prepare an invitation letter for them.
  • Budget
    • (no update this week)
    • Make and maintain a publicly visible sheet to track expenses?
    • Sent a reminder to Ruth
      • Ruth replied; she's OK with using RH expense system
  • FUDPub
    • Rupali reached out to Venue1
    • Potential Venue 1
      • Space for 100 people
      • Reasonable (approx 1800 per person)
      • RH has relationship; payments are easier
      • Close to cocoon
      • No limitation on sound limits - a nice party can be had.
    • Rupali reached out to Venue-2
      • This place has to be shared with other event, So not interesting
    • Amit suggests a place where there is a bowling option.
    • On paud road there is go-carting place, not sure if they have bowling too.
    • Rupali continuing to reach out to others
      • Another venue visit next week
  • Swag
    • Niranjan suggests some programmable arduino boards manufactured locally with our logos
    • Let's start thinking about this now; approach vendors.
      • Niranjan will look in to these boards to build a simple game and show it to group by next week and decide. 
    • Swag for Volunteers
      • tshirts
    • Swag for Organisers?
    • Swag for Speakers
      • Mugs?
      • Umbrellas (for sweet Pune rains)
    • Fedora badge for attendees?(added to the FAS account)
  • Venue
    • WiFi
      • Amit, Siddhesh to call MIT sysadmin
      • Rohan Kanade to follow up
      • MIT COE are keen on doing it; they need input from us.
        • We will get in touch with their IT person.
        • Also talk about the Fedora mirror with them.
    • Power connector extensions
      • MIT were going to set this up.  Follow up
    • Note to speakers (include in prep email): In seminar hall: projectors are 4:3, screen quite small (don't include small text)
  • MIT meetups
    • What to do?
      • Packaging?
      • Bugzapping
    • Siddhesh to reach out to MCUG (this week, I promise!)
  • Volunteers
    • College reopens on Jun 15
    • Many students will be on leave till Jun 15
    • We should identify students who will be available in the break - e.g. students from Pune who don't plan to travel elsewhere; we don't need too much of their time anyway
      • Rupali to get a list of volunteers from MITCOE.
  • Mobile Application
    • No updates
    • Siddharth + Rohan had volunteered
  • Creating FAQ for FUDCon India 2015
    • Kushal to draft it
    • Kushal has a list of Q
      • Amit will get creative with answers.
        • Update: Kushal will send this later tonight (17/03/2015)
  • Videographing
    • No updates
      • kpoint: Not an option. Rates too high (20k per day just for recording)
        • asked for clarification on rates; they might have subsidised options for us
      • hasgeek
        • They're  allowing us use of their equipment + train a few volunteers who can do  the recording.   Equipment needs to be brought from BLR to Pune.  Nice  gesture by them; but sounds complicated given the expensive equipment +  need to get volunteers to be trained.
      • Look for cheaper quotes from other professionals (Bipin)
      • Buy our own cameras? (Rupali)
      • Open source solutions for streaming (amit)
      • Last option will be to have a tiny webcam doing live Hangout -- advantage is it has auto-archival on youtube.
        • amit: +1 for this option (or using the open source one for streaming)
</body>
Test Fedora 22 at Rackspace with Ansible

Fedora 22 will be arriving soon and it’s easy to test on Rackspace’s cloud with my Ansible playbook:

As with the previous playbook I created for Fedora 21, this playbook will ensure your Fedora 21 instance is fully up to date and then perform the upgrade to Fedora 22.

WARNING: It’s best to use this playbook against a non-production system. Fedora 22 is an alpha release at the time of this post’s writing.

This playbook should work well against other servers and virtual machines from other providers but there are a few things that are Rackspace-specific cleanups that might not apply to other servers.

The post Test Fedora 22 at Rackspace with Ansible appeared first on major.io.

Enabling New Contributors Brainstorm Session

You (probably don’t, but) may remember an idea I posted about a while back when we were just starting to plan out how to reconfigure Fedora’s websites for Fedora.next. I called the idea “Fedora Hubs.”

Some Backstory

The point behind the idea was to provide a space specifically for Fedora contributors that was separate from the user space, and to make it easier for folks who are non-packager contributors to Fedora to collaborate by providing them explicit tools to do that. Tools for folks working in docs, marketing, design, ambassadors, etc., to help enable those teams and also make it easier for them to bring new contributors on-board. (I’ve onboarded 3 or 4 people in the past 3 months and it still ain’t easy! It’s easy for contributors to forget how convoluted it can be since we all did it once and likely a long time ago.)

Well, anyway, that hubs idea blog post was actually almost a year ago, and while we have a new Fedora project website, we still don’t have a super-solid plan for building out the Fedora hub site, which is meant to be a central place for Fedora contributors to work together:

The elevator pitch is that it’s kind of like a cross between Reddit and Facebook/G+ for Fedora contributors to keep on top of the various projects and teams they’re involved with in Fedora.

There are some initial mockups that you can look through here, and a design team repo with the mockups and sources, but that’s about it, and there hasn’t been a wide or significant amount of discussion about the idea or mockups thus far. Some of the thinking behind what would drive the site is that we could pull in a lot of the data from fedmsg, and for the account-specific stuff we’d make API calls to FAS.

Let’s make it happen?

“Unicorn – 1551” by j4p4n on openclipart.org. Public Domain.

Soooo…. Hubs isn’t going to magically happen like unicorns, so we probably need to figure out if this is a good approach for enabling new contributors and if so how is it going to work, who is going to work on it, what kind of timeline are we looking at – etc. etc. So I’m thinking we could do a bit of a design thinking / brainstorm session to figure this out. I want to bring together representatives of different teams within Fedora – particularly those teams who could really use a tool like this to collaborate and bring new contributors on board – and have them in this session.

For various reasons, logistically I think Wednesday, March 25 is the best day to do this, so I’m going to send out invites to the following Fedora teams and ask them to send someone to participate. (I realize this is tomorrow – ugh – let’s try anyway.) Let me know if I forgot your team or if you want to participate:

  • Each of the three working groups (for development representation)
  • Infrastructure
  • Websites
  • Marketing
  • Ambassadors
  • Docs
  • Design

I would like to use OpenTokRTC for the meeting, as it’s a FLOSS video chat tool that I’ve used to chat with other Fedorans in the past and it worked pretty well. I think we should have an etherpad too to track the discussion. I’m going to pick a couple of structured brainstorming games (likely from gamestorming.com) to help guide the discussion. It should be fun!

The driving question for this brainstorm session is going to be:

How can we lower the bar for new Fedora contributors to get up and running?

Let me know if this question haunts you too. :)

This is the time we’re going to do this:

  • Wednesday March 25 (tomorrow!) from 14:00-16:00 GMT (10-12 AM US Eastern.)

Since this is short-notice, I am going to run around today and try to personally invite folks to join and try to build a team for this event. If you are interested let me know ASAP!

(‘Wait, what’s the rush?’ you might ask. I’m trying to have a session while Ryan Lerch is still in the US Eastern timezone. We may well end up trying another session for after he’s in the Australian timezone.)


Update

I think we’re just about at the limit of folks we can handle from both the video conferencing pov and the effectiveness of the brainstorm games I have planned. I have one or two open invites I’m hoping to hear back from but otherwise we have full representation here including the Join SIG so we are in good shape :) Thanks Fedora friends for your quick responses!

Restarting squid results in deleting all files in hard-drive

An awful lot of noise and nonsense is being made about this bug. Here are a couple of facts:

  1. The bug was never in any released version of RHEL.
  2. It was caught during Red Hat’s internal QA process. The bug report is filed by a Red Hat tester.

In other words, the system works. Anyone who says this is a bug in RHEL or Red Hat is releasing buggy software that will eat your hard drive is lying to you.


Tunir, a simple CI with less pain

One of my job requirements is to keep testing the latest Fedora cloud images. We have a list of tests from the Fedora QA team. But the biggest problem is that I don’t like doing these manually. I was looking for a way to run these automatically. We can do this with the normal CI systems, but there are two problems with that.

  • Most CI systems cannot handle cloud images, unless there is a real cloud running somewhere.
  • Maintaining the CI system & the cloud is a pain in my standard.

Tunir came out as a solution to these problems. It is a simple system which can run a predefined set of commands in a fresh cloud instance, or in a remote system. Btw, did I mention that you don’t need a cloud to run these cloud instances in your local system? This is possible thanks to the code from Mike Ruckman.

Each job in Tunir requires two files, jobname.json and jobname.txt. The json file contains the details of the Cloud image (if any), or the remote system details, RAM required for the VM etc. The .txt file contains the shell commands to run in the system. For now it has two unique commands for Tunir. You can write @@ in front of any command to mark that this command will return a non-zero exit code. We also have a SLEEP NUMBER_OF_SECONDS option; we use it when we reboot the system and want Tunir to wait before executing the next command.

Tunir has a stateless mode, I use that all the time :) In stateless mode, it will not save the results in any database. It will directly print the result in the terminal.

$ tunir --job fedora --stateless

Tunir uses redis to store some configuration information, like available ports. Remember to execute createports.py to fill the configuration with available ports.

You can install Tunir using pip, a review request is also up for Fedora. If you are on Fedora 21, you can just test with my package.

I am currently using unittest for the Cloud testcases; they are available at my GitHub. You can use fedora.json and fedora.txt from the same repo to execute the tests. An example of tests running inside Tunir is below (I am using this in the Fedora Cloud tests).

curl -O https://kushal.fedorapeople.org/tunirtests.tar.gz
tar -xzvf tunirtests.tar.gz
python -m unittest tunirtests.cloudtests
sudo systemctl stop crond.service
@@ sudo systemctl disable crond.service
@@ sudo reboot
SLEEP 30
sudo python -m unittest tunirtests.cloudservice.TestServiceManipulation
@@ sudo reboot
SLEEP 30
sudo python -m unittest tunirtests.cloudservice.TestServiceAfter
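
The job-file rules described above (the @@ prefix and SLEEP), as an added sketch that is not Tunir's own code. The names parse_job, run_job and fake_runner are hypothetical, the exit codes are constructed, and two behaviours are assumptions: a @@ step passes whatever its exit code, and the job stops at the first unmarked failure.

```python
# Excerpt of the job file shown in the post (lines copied verbatim).
JOB_TXT = """\
python -m unittest tunirtests.cloudtests
sudo systemctl stop crond.service
@@ sudo systemctl disable crond.service
@@ sudo reboot
SLEEP 30
sudo python -m unittest tunirtests.cloudservice.TestServiceManipulation
"""

def parse_job(text):
    """Parse jobname.txt into ("sleep", seconds) and ("run", command, may_fail) steps."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "SLEEP":
            if len(words) != 2 or not words[1].isdigit():
                raise ValueError(f"line {lineno}: SLEEP takes a whole number of seconds")
            steps.append(("sleep", int(words[1])))
        elif line.startswith("@@"):
            command = line[2:].strip()
            if not command:
                raise ValueError(f"line {lineno}: @@ without a command")
            steps.append(("run", command, True))
        else:
            steps.append(("run", line, False))
    return steps

def run_job(steps, runner, sleeper=lambda seconds: None):
    """Return (job_status, [(command, exit_code, ok), ...])."""
    results = []
    for step in steps:
        if step[0] == "sleep":
            sleeper(step[1])
            continue
        _, command, may_fail = step
        code = runner(command)
        ok = code == 0 or may_fail        # assumption: @@ tolerates any exit code
        results.append((command, code, ok))
        if not ok:                        # assumption: first real failure ends the job
            return False, results
    return True, results

def fake_runner(command):
    """Constructed stand-in for remote execution; a reboot drops the session (255)."""
    return 255 if command.endswith("reboot") else 0
```

Calling run_job(parse_job(JOB_TXT), fake_runner) reports the job as passing even though both @@ steps may exit non-zero; an unmarked command that fails turns the job status to False.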

UPDATE: Adding the output from Tunir for test mentioned above.

sudo ./tunir --job fedora --stateless
[sudo] password for kdas: 
Got port: 2229
cleaning and creating dirs...
Creating meta-data...
downloading new image...
Local downloads will be stored in /tmp/tmpZrnJsA.
Downloading file:///home/Fedora-Cloud-Base-20141203-21.x86_64.qcow2 (158443520 bytes)
Succeeded at downloading Fedora-Cloud-Base-20141203-21.x86_64.qcow2
download: /boot/vmlinuz-3.17.4-301.fc21.x86_64 -> ./vmlinuz-3.17.4-301.fc21.x86_64
download: /boot/initramfs-3.17.4-301.fc21.x86_64.img -> ./initramfs-3.17.4-301.fc21.x86_64.img
/usr/bin/qemu-kvm -m 2048 -drive file=/tmp/tmpZrnJsA/Fedora-Cloud-Base-20141203-21.x86_64.qcow2,if=virtio -drive file=/tmp/tmpZrnJsA/seed.img,if=virtio -redir tcp:2229::22 -kernel /tmp/tmpZrnJsA/vmlinuz-3.17.4-301.fc21.x86_64 -initrd /tmp/tmpZrnJsA/initramfs-3.17.4-301.fc21.x86_64.img -append root=/dev/vda1 ro ds=nocloud-net -nographic
Successfully booted your local cloud image!
PID: 11880
Starting a stateless job.
Executing command: curl -O https://kushal.fedorapeople.org/tunirtests.tar.gz
Executing command: tar -xzvf tunirtests.tar.gz
Executing command: python -m unittest tunirtests.cloudtests
Executing command: sudo systemctl stop crond.service
Executing command: @@ sudo systemctl disable crond.service
Executing command: @@ sudo reboot
Sleeping for 30.
Executing command: sudo python -m unittest tunirtests.cloudservice.TestServiceManipulation
Executing command: @@ sudo reboot
Sleeping for 30.
Executing command: sudo python -m unittest tunirtests.cloudservice.TestServiceAfter


Job status: True


command: curl -O https://kushal.fedorapeople.org/tunirtests.tar.gz
status: True

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8019  100  8019    0     0   4222      0  0:00:01  0:00:01 --:--:--  4224



command: tar -xzvf tunirtests.tar.gz
status: True

tunirtests/
tunirtests/cloudservice.py
tunirtests/LICENSE
tunirtests/testutils.py
tunirtests/__init__.py
tunirtests/cloudtests.py



command: python -m unittest tunirtests.cloudtests
status: True

.suu
----------------------------------------------------------------------
Ran 4 tests in 0.036s

OK (skipped=1, unexpected successes=2)



command: sudo systemctl stop crond.service
status: True




command: @@ sudo systemctl disable crond.service
status: True

Removed symlink /etc/systemd/system/multi-user.target.wants/crond.service.



command: @@ sudo reboot
status: True




command: sudo python -m unittest tunirtests.cloudservice.TestServiceManipulation
status: True

.
----------------------------------------------------------------------
Ran 1 test in 0.282s

OK



command: sudo python -m unittest tunirtests.cloudservice.TestServiceAfter
status: True

.
----------------------------------------------------------------------
Ran 1 test in 0.070s

OK