Showing posts with label openSUSE. Show all posts

Wednesday, October 7, 2015

We are hiring !

Did you know SUSE is hiring ?



I've just looked at our counter today (October 7, 2015) and we have 68 open positions.

Moreover, we have two positions which might interest people who are reading this blog through Planet GNOME(-FR):
Interested ? Apply !

Saturday, February 2, 2013

Secure Boot on openSUSE talk at FOSDEM cancelled

Hi folks,

for those of you who are attending FOSDEM this year and were planning to attend my talk about Secure Boot on openSUSE on Sunday, I'm sorry to announce I had to cancel my travel to Brussels (and my talk) for family reasons.

Since my slides were already written, I thought I could still share them with you. Feel free to ask questions or leave comments on this blog post.

Friday, November 23, 2012

Secure Boot on openSUSE, a battleplan

At openSUSE Conference in Prague last month, we had a BoF about Secure Boot, where I described the various tasks which are needed to ensure openSUSE can support Secure Boot. They are listed on my slides, but I thought it would be more useful to describe them here.

Before we begin, if you need a refresher about Secure Boot, I suggest the blog posts from Olaf Kirch and Vojtěch Pavlík on SUSE Blog (overview, details and approach to it) and of course, all the war stories of Matthew Garrett on this topic ;)

To have openSUSE installable (and runnable) on a Secure Boot enabled system, without any additional user intervention (like adding your own key in UEFI firmware or disabling Secure Boot), we need to do the following to the distribution :

  • to the kernel (many of those features are in 3.7 or in upcoming 3.8):
    • convert the kernel into an EFI executable (it will be used to store the kernel signature)
    • UEFI variable access
    • UEFI clock support (nice to have)
    • UEFI getvideomode (if we want flicker-free boot)
    • UEFI reboot (we already have 4 other ways to reboot a system, why not add yet another one ;)
    • KMS drivers (for old chipsets like Matrox, AST).
    • sign main kernel
    • sign all in-tree kernel modules
    • generate a private/public key pair to be used for out-of-tree modules
    • add Secure Boot support in KExec / KDump and Xen (optional)
    • disable hibernation in Secure Boot mode (or have a secure way to save / restore suspended system)
    • add signature check in kernel
  • to bootloader:
    • package shim loader
    • modify grub2 so it uses shim loader to check kernel signature at boot
  • to Build Service:
    • to be able to build external kernel modules (think KMP) using the private/public key generated at kernel build
    • but do not allow this key to be used for any random KMP build (otherwise, you defeat the purpose of signing the module)
  • to userspace tools:
    • package xf86-video-modesetting, for graphics chipsets with non-accelerated KMS drivers
    • add support for signature check in modutils / kmod
    • package tools to sign kernel / modules
    • package tools to manage UEFI variables and keys
  • to the installer / DVD image
    • maybe display some warnings about installing a system in Secure Boot mode (not 100% sure we should do this)
    • maybe signing the initial installer (and make sure it can't load non-signed modules)
    • ensure the DVD image has shim + grub2 as bootloader when booting on UEFI system
  • and we also need to do the signing part:
    • if we want Secure Boot to be transparent to users, we need our shim loader to be signed by the authority handling the UEFI key, i.e. Microsoft
    • this requires some legal paperwork (getting an MS developer account, getting an Authenticode certificate, etc.), some obligations (making sure you can't circumvent Secure Boot once Linux is booted) and, once that is done, sending the shim loader to be signed by MS and packaging the result.
As you can see, this is a lot of work but I think we will be able to have everything in order for next openSUSE release !
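The list above asks for signed modules and for signature-checking support in modutils / kmod. As an added illustration (not code from this post or from openSUSE), the following script reports whether a module file carries the appended-signature trailer the kernel uses: the signature data, a 12-byte descriptor, then a fixed magic string. The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example: report whether a kernel module file carries the appended
# signature trailer. Layout at the end of a signed module:
#   <signature data><12-byte descriptor><28-byte magic string incl. newline>

MODSIG_MAGIC='~Module signature appended~'

# Print "signed id_type=N sig_len=N", "malformed" or "unsigned".
modsig_info() {
    mod=$1
    size=$(( $(wc -c < "$mod") ))
    # Compare the 27 printable bytes of the magic at the very end of the file.
    if [ "$size" -lt 40 ] ||
       [ "$(tail -c 28 "$mod" | head -c 27 | tr -d '\000')" != "$MODSIG_MAGIC" ]; then
        echo unsigned; return 1
    fi
    # Descriptor bytes: algo, hash, id_type, signer_len, key_id_len,
    # 3 padding bytes, then sig_len as a big-endian 32-bit value.
    set -- $(tail -c 40 "$mod" | head -c 12 | od -An -v -tu1)
    sig_len=$(( (($9 * 256 + ${10}) * 256 + ${11}) * 256 + ${12} ))
    # The lengths the trailer claims must fit inside the file.
    if [ $(( sig_len + $4 + $5 + 40 )) -gt "$size" ]; then
        echo malformed; return 1
    fi
    echo "signed id_type=$3 sig_len=$sig_len"
}

# Constructed sample: fake module body, 8 filler "signature" bytes, a
# descriptor with id_type=2 (PKCS#7 in current kernels) and sig_len=8,
# then the magic string.
make_sample_module() {
    {
        printf 'FAKE-MODULE-BODY'
        printf 'SIGBYTES'
        printf '\000\000\002\000\000\000\000\000\000\000\000\010'
        printf '~Module signature appended~\n'
    } > "$1"
}

# Report each file named on the command line (none: only define functions).
for file in "$@"; do
    printf '%s: %s\n' "$file" "$(modsig_info "$file")"
done
```

A "signed" result only means the trailer is present and well-formed; whether the signature is accepted is decided by the kernel against its trusted keys at load time.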

Tuesday, November 20, 2012

systemd (and dracut) in next openSUSE

Some weeks ago, I had the pleasure to do a talk at the openSUSE conference in Prague, about systemd (its current state in openSUSE and what we plan for the future) and dracut (mkinitrd replacement).

For those of you who didn't attend the conference, you can watch my talk on YouTube (thanks to the awesome openSUSE video team for the recording):


And you can even get my slides ;)

Monday, July 30, 2012

My hackweek8 project: dracut

Now that SUSE Hackweek 8 is over, here is a recap of my own project and how it went:


I've worked on dracut (a mkinitrd replacement), to see if it works nicely on openSUSE (with the hope of replacing the three different initrds we have in openSUSE: the main one created by mkinitrd, the one used by the YaST installer and a third one in kiwi).

Fortunately, I was not alone working on dracut for openSUSE. Thomas Renninger had started packaging dracut for openSUSE and I was able to reuse his work and improve it. Moreover, Mike Gorse used his hackweek to also improve dracut (adding support for CIFS for instance).

  • Day 1:
    • modified my own grub2 configuration to add an additional dracut menu entry (hard coded atm)
    • successfully booted a 12.2 VM with dracut image !
  • Day 2:
    • discussed with upstream if they would accept "compatibility" patches to teach dracut about openSUSE / SLE own initrd command line and got no as an answer, because they don't want to maintain compatibility cruft on their own side.
    • worked on a separate module which is able to convert at boot time SUSE initrd commands into dracut ones (when they are available). Works fine for "shell=1" "linuxrc=trace" and "sysrq". Upstream proposed to review the module for mistakes when we are done with it
    • asked upstream if they were interested in "sysrq" feature for dracut. No response yet
    • worked on separate journal (reiserfs / XFS). Need to create VM to test it and ask upstream if they want to integrate it
  • Day 3:
    • got trenn cflags patch merged upstream
    • continue digging into dracut internals
    • journaldev is working on boot command line (tested with XFS)
    • need improvement to configure initrd with system fstab value, when available and try to use a more generic term (root.journaldev)
  • Day 4:
    • subscribed to initramfs mailing list
    • got my first patch merged upstream (journaldev support)
    • added cmdline support for mduuid and iSCSI (TargetAddress / TargetPort / TargetName), untested (don't have the right setup)
    • ran test suite, found some issues: some in dracut upstream (fixed immediately by upstream), some in our package (fixed mdadm and device-mapper to not call blkid binary but use udev builtin-blkid, will be faster and we save some fork ;)
  • Day 5:
    • sr mdadm and device-mapper fixes
    • tried to get all test suite to pass
      • some fixes were made to dracut, with more test passing
      • still getting issue with network based test (NFS, iSCSI, etc..). Partially working (DHCP server is working now in test suite), partially not (impossible to mount stuff in server test image, getting "EUID=1000" for root, even when booting the image with init=/bin/sh .. No clue to fix that and upstream never got this issue either, if you have an idea, I'm all ears..)


In short, this hackweek worked well for me, even if I didn't finish all I wanted to do. I'll make sure everything is pushed in Factory soon, so we could try (maybe) to switch openSUSE 12.3 to dracut.

Tuesday, August 23, 2011

GNOME 3.0 Live image release 1.5.0 available

Hi all,
I just pushed a new GNOME 3.0 live image labelled as 1.5.0 (yes, I forgot to push 1.4.0 after I built it, so we are at 1.5.0 now ;)

No big changes, it is based on GNOME 3.0.2 + some additional fixes.

As always, it can be downloaded from http://www.gnome.org/getting-gnome/

For people interested, here are some download hits (it doesn't include SUSE Studio appliance nor promo dvd which is also available from GNOME ftp) :

on GNOME 3.0 release day : 4526 hits
April :  145904 hits
May : 46551 hits
June : 24747 hits
July : 23611 hits
August (from 1 to 15) : 13063 hits

Enjoy !

Thursday, August 4, 2011

Map for Desktop Summit 2011

I've cooked with other people from #gnomefr channel a Google Map with the various useful addresses for Desktop Summit 2011.

It is available here, you can also get KML file or import this map in your favorite software (for Android users, I suggest using Locus Free which can download offline OpenStreetMap data and merge our map on it, no roaming data needed !).

Wednesday, August 3, 2011

Berlin, Berlin

I've just finished the slides for my talk From GIT to your custom OS image which will be on Sunday 7 August 15:10 - 15:40 at Rm3038. I'll explain how GNOME 3 Live images were built and how you can easily do the same for your project.

I'll also be on openSUSE booth and helping for Football event which is sponsored by SUSE.

See you in Berlin !

Friday, July 1, 2011

Status update on systemd for openSUSE Factory

Hi all,

here is an update on the work done on systemd for Factory :

(beware, post is long !)


  • basic support for systemctl in chkconfig and insserv is done : it is pending review by maintainer before integration
  • support for --root in systemctl was merged upstream and will be used by chkconfig/insserv patches above.
  • a patch has been submitted to upstream systemd to parse insserv.conf : this patch only handles the "system facility" part of insserv.conf and automatically adds dependencies specified in the file
  • quick investigation on Yast2 to adapt runlevel editor for systemctl support : we really need help from other people, as I don't have any knowledge of Yast internals and it seems the yast dbus client part might be missing some parts, needed for runlevel editor to talk with systemd.
  • no work done on /usr as separate partition : it is not a systemd issue in itself but from other programs which might be using data from /usr before /usr is available. The best solution would be to mount /usr from initrd => help needed !!
  • (open)SUSE is using an unofficial LSB target named $ALL which is supposed to put services requiring it at the end of the boot sequence (or at the beginning of shutdown sequence). After discussing with upstream : on a static boot system (sysvinit), it is easy to resolve such dependencies, but it isn't on a dynamic system (systemd). There is an ugly hack to handle that (creating an ALL.target file which is starting after default.target is done) but it would probably be better to just fix the 4 initscripts which are still using $ALL (amazon-late, stoppreload, Susefirewall2_setup and vboxes). I'll open bugs for them.
  • X-Interactive support in systemd is not working properly : it will only work before getty is started and is broken if you try to start a service after boot. We need to transition packages which are still using X-Interactive to systemd-ask-password (which takes care of the async conversation). Only two packages need to be ported :
    • apache2, when querying password for SSL certificate : apache allows to start a script to handle the password request. We only need to plug the script and configuration part in our package and get it used when booting with systemd.
    • openvpn : this one is a bit complex because we can either write a daemon which would do the interface between systemd and openvpn management interface or we can try to patch openvpn to have a similar feature as apache and get this patch upstreamed. The latter has the preference of systemd upstream.
    • For both packages, help is welcome.
    • For compatibility with sysvinit, support for from /etc/insserv.conf in systemd was not added, so we could remove X-Interactive from openvpn/httpd sysvinit scripts but still have the function when booting from /sbin/init, thanks to /etc/insserv.conf list.
  • /etc/init.d/kbd was not handled properly : this should be fixed in Factory today or tomorrow, with systemd taking care of setting up keyboard properly. However, we might need to improve /etc/sysconfig/keyboard parsing in systemd. More tests are needed (and of course, help is welcome).
  • discussion in progress on opensuse-packaging mailing list and upstream on a set of cross distribution RPM macros to handle systemd unit files.
As you can see, we still have some work to do, but we need everybody's help : either on the issues I mentioned (feel free to say "I want to help on this" here) or to do more tests or even to start creating .service files (but we still need to fix the issues listed above).
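For the apache2 item above, this is one way such a helper script could look, as an added sketch that is not taken from the openSUSE package or from this post. It relies on mod_ssl's `SSLPassPhraseDialog exec:` hook, which runs a program with "servername:port" and the key type as arguments and reads the pass phrase from its stdout; the install path, the prompt wording and the 90-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: pass-phrase helper for mod_ssl's exec hook, wired in with
#   SSLPassPhraseDialog exec:/usr/local/sbin/httpd-ask-pass  (hypothetical path)
# mod_ssl runs it with "servername:port" and the key type, and reads the
# pass phrase from its stdout.

# Build the prompt from mod_ssl's arguments, keeping only characters that are
# safe to show on a console.
build_prompt() {
    vhost=$(printf '%s' "${1:-unknown}" | LC_ALL=C tr -cd 'A-Za-z0-9.:_-')
    ktype=$(printf '%s' "${2:-unknown}" | LC_ALL=C tr -cd 'A-Za-z0-9')
    printf 'Pass phrase for %s key of %s:' "$ktype" "$vhost"
}

ask_passphrase() {
    prompt=$(build_prompt "$1" "$2")
    if [ -d /run/systemd/system ] &&
       command -v systemd-ask-password >/dev/null 2>&1; then
        # Booted with systemd: hand the question to its password agents,
        # which answer asynchronously (console, plymouth, wall, ...).
        systemd-ask-password --timeout=90 "$prompt"
    else
        # sysvinit boot: ask on the controlling terminal with echo disabled.
        printf '%s ' "$prompt" > /dev/tty
        stty -echo < /dev/tty
        IFS= read -r pass < /dev/tty
        stty echo < /dev/tty
        printf '\n' > /dev/tty
        printf '%s\n' "$pass"
    fi
}

# mod_ssl always passes two arguments; with fewer, only the functions are
# defined and nothing is asked.
if [ "$#" -ge 2 ]; then
    ask_passphrase "$1" "$2"
fi
```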

Thanks everybody for your attention.

It would be great if we could get the ball moving and maybe get one of the next Factory milestones to be a "systemd" test release but to reach this point, we need YOU !

Friday, June 10, 2011

The road to systemd for openSUSE 12.1

Hi all,


systemd is coming for next openSUSE (12.1) scheduled next fall.

I'll help for systemd integration in openSUSE Factory and will act as an interface between you (openSUSE testers, packagers, developers) and systemd upstream.

As you might guess, switching boot manager is not a trivial task and issues will be found. So, we want to have as much feedback and testing as possible, to try to tackle as many (if not all) issues in time for 12.1.

Here is our action plan, in several phases:

  • phase 1: detecting current issues with systemd. Install systemd package and "manually" boot with it, by adding "init=/bin/systemd" to your kernel boot command line. In this setup, we want to find ALL the issues caused by switching to systemd, so please, check systemd on Factory status page and follow the instructions there to file bug reports. We also want to ensure there is no regression, when using legacy sysvinit initscripts with systemd as boot manager.
  • phase 2: systemd-sysvinit package installed by default and replace sysvinit.
  • phase 3: providing systemd unit files to replace legacy sysvinit initscripts: this is a huge task which won't be completed before openSUSE 12.1, but it can be parallelized among a lot of people (ideally, each packager should be able to create a systemd unit file). And we should also split this effort in manageable milestones :
    • phase 3.1: GNOME and KDE live CDs should only use "native" systemd, without any sysvinit involved
    • phase 3.2: installed system using GNOME and KDE live CDs be a "native" systemd (this involves testing additional paths in live installer)
    • phase 3.3: install from DVD for GNOME and KDE should be "native" systemd
Of course, providing systemd unit files should not be a pure "openSUSE" task, because the ultimate goal for those files is to be cross-distribution and merged in relevant upstream projects. And we also don't want to duplicate effort which is starting in other distributions like Fedora, so, collaboration is key. I strongly recommend reading systemd for Administrators, Part III post about the conversion (and also all other posts : systemd for Administrators #1, #2, #3, #4, #5, #6, #7, #8; they are highly instructive).

For discussing / helping with systemd integration for Factory, please use opensuse-factory mailing list or go to #opensuse-factory IRC channel on Freenode.

We need your help to make sure openSUSE 12.1 will use systemd at 200% ;)