Upgrading to OpenSuSE Leap 42.1
This is a history of what jimc did to upgrade the OpenSuSE distro from
13.1 to 42.1.
We are upgrading from OpenSuSE 13.1 dated 2013-09-xx, installed about
2014-01-xx. The new OS is OpenSuSE Leap 42.1.
Why the big leap in the version number? If SuSE's historical practice had
continued, it would have been 14.0. However, Google's Chromium started
omitting the major number and putting minor releases first, to give the
impression of rapid development, and Mozilla Firefox followed suit. Maybe SuSE
are jumping on the bandwagon of steroidal version numbers.
UCLA-Mathnet and jimc generally try to get about 1.5 years of use out
of each new distro version: a balance between the effort to upgrade, and being
ready with the new version when support ends for the old one. Here, "support"
means that security patches and major bugfixes are provided.
SuSE have changed their support policy: See SuSE's roadmap
for the release schedule and a link to the lifetime policy.
There is a distinction between
releases with long term support (42.1 is one of them) and minor releases.
The LTS releases correspond to SLES versions while the minor releases are
like service packs. Three months after a minor release is superseded (by
another minor one or a major one), it will lose support. Thus with 8 months
or so between minor releases, if we install one, we will have to finish
upgrading to the next one within a year. We should prefer LTS releases.
But I wonder how frequent the major releases really will be: we don't want
to be stuck in a time warp for three years or so, judging from history on
SLES.
One possibility is to switch to the Tumbleweed track, which is a rolling
distro. I don't know the details on this, but judging from forum postings,
you're supposed to do a dist-upgrade frequently, similar to the frequency
of online updates (security patches) in a stationary distro.
This means the upgrade effort is spread out over the whole year and
could be a lot more automated, unless a new version of a package interferes with
one of our special configurations (and surprises us when it goes in).
I always begin a project by stating its goals,
issues likely to be encountered, and then the actions to be taken. The distro
upgrade is a lot of work, but the goals, issues and action are pretty similar
to what we've done in previous years.
- Goals
- To get the new OpenSuSE distro (42.1) on all the machines with the
minimum fuss, labor and disruption.
- To add new features that will be useful in our context.
- To preserve our unique setup parameters and administrative methods.
- To simplify our lives by junking cruft and special cases that are
no longer useful.
- Issues
- OpenSuSE no longer offers a DVD for i586, only x86_64. But the SuSE
Build Service has 32bit packages, probably for all the officially
supported packages. A number of sub-repos, however, do not have i586,
specifically the network:time sub-repo that has Chrony, which we want
to continue using. (It's easy enough to compile it from the
provided source RPM.)
- At home, all my machines have x86_64 processors, and I am junking
i586. At work, three servers are stuck as i586 (i686), but will be
physically upgraded very soon, and they will become x86_64 at that
time. We never got around to converting about 6 workstations; that
will be done as part of the distro upgrade. One machine remains:
Koala, which has an Intel Atom CPU which is incapable of 64bit
operation.
- How to deal with Koala:
- Upgrade to Leap 42.1 i586 using SuSE's servers (what a mess!), or …
- Figure out how to download the i586 versions of all the packages
in the main distro, and set up an enterprise mirror like we have
now. This is not as horrendous as it sounds, probably just one
rsync command that runs overnight. Or …
- Replace it with a 64bit processor. This is probably the easiest
solution, and we can just transplant the existing disc.
- We've been over-conservative in adopting new features. We need to
aggressively identify what's new with this distro version, and get
good ones installed (and garbage omitted).
- Actions
Here's an overview of installing a new distro:
- Infrastructure: Download and emplace the new distro in the enterprise
mirror.
- Virtual machine: Upgrade the VM up to the minute with the old distro.
Save an image to revert to. Upgrade it. Test screwups. Revert to
the old image. Repeat.
- Package selection: Update /m1/custom/mathnet.sel according to our
preferred package selection. We won't know all the package problems
until we try to install on the virtual machine. Adjustments to
mathnet.sel will be frequent while we prepare for the upgrade.
- SuSE Build Service and Packman: Packages (and their dependencies)
that aren't in the main distro will have to be downloaded.
Fortunately we have gotten rid of most locally compiled
packages.
- Configuration files: Do a giant diff between what's on the virtual
machine and what Mathnet installs on the previous distro. Bring
forward local hacks (unless they deserve to be tossed). Make sure
they work in the new distro version.
- "No hands" installer (instsetup): Create an installer image for
the new version and make sure it can really upgrade a machine without
intervention from the sysop. It turns out that zypper for v13.1 can do
a dist-upgrade to v42.1, and that is a credible alternative to
instsetup, but you can't change the architecture this way.
- Upgrade the production machines. Try to detect screwups early.
This took one day, not a full 8 hour day.
- Shell Variable Cruft Check
You can source the file
/s1/SuSE/source.me to set useful shell variables for the distro root and the
major scripts in distro maintenance. This file was reviewed for being
up to date. It auto-sets the architecture (according to the machine it's
run on) and the release, taking the lexically highest version in
/s1/SuSE/SuSE-build/$ARCH/ , which will be the new version when you create
the directory for it. Here is
jimc's version of source.me.
- Remove Old Distros
We need to keep files for v13.1 until
all hosts have been upgraded, but 11.4 and older can definitely be tossed.
At home, before cleanup, the repo occupied 167 Gb (oink). After, 73Gb;
tossed 94Gb.
At the same time, we need to get rid of the configuration files for
old distro versions. These are in /home/post_jump/${RLSE} or on Mathnet,
/h1/post_jump/${RLSE}.
Being anally retentive I made a directory ./ancient and moved all the
obsolete dirs into it. When deleting one of these directories it's a
good idea to shred the non-public files. Here's how, illustrated for
distro version 10.2:
find 10.2 -type f ! -perm -04 -ls |& less
#Are you going to remove the right files?
find 10.2 -type f ! -perm -04 -print0 | xargs -0 -n 25 shred -u -n 3
rm -r 10.2
- Create Directories
Create all the directories for distro
components. Owned by root:root, mode 755, except the update dir has to be
owned by wwwrun. These are illustrated for the new
version, 42.1 and all paths are relative to $di (/s1/SuSE).
- ./SuSE/x86_64/42.1 -- Main distro, mount point for ISO image
- ./SuSE/i586/42.1 -- Separate mount point if still supporting i586
- ./SuSE/update/42.1 -- And change owner to wwwrun. Architecture subdirs will be created during the download.
- ./SuSE-build/x86_64/42.1 -- SuSE Build Service (and symlink from i586 dir if still supported)
- ./SuSE-build/x86_64/42.1/iso -- Storage for ISO images
- ./CouchNet/x86_64/42.1 -- Local and Packman packages (and symlink from i586 dir if still supported)
- Download the Distro
Find it at software.opensuse.org.
The x86_64 DVD ISO image goes in
/s1/SuSE/SuSE-build/x86_64/42.1/iso/ . Older releases put it in the i586
arch directory and there is a symlink from x86_64/iso, but at least at home,
I'm putting the ISOs in the x86_64 directory instead because i586 is
deprecated. Also, formerly it was
put in e.g. /s1/SuSE/SuSE-distro/x86_64/13.1/iso/ , but (at home) I'm going
to mount the ISO image on the empty $sd directory, so the iso directory cannot
be inside. This modification is optional at Mathnet.
The line in /etc/fstab to mount the DVD image is:
/s1/SuSE/SuSE-build/x86_64/42.1/iso/openSUSE-Leap-42.1-DVD-x86_64.iso /s1/SuSE/SuSE/x86_64/42.1 iso9660 ro,loop 0 0
Which ISOs to download? Clearly we need the DVD. I generally download
the network installer CD; however, more and more machines lack CD drives.
You can copy it to a USB flash storage device, but if you're going to do that,
it makes a lot more sense, particularly for the rescue system, for the system
image to be obtained from the USB storage rather than across the net. Making
that work will take some research.
Link to jimc's
instructions to make a bootable USB flash drive.
- Unpack the Distro
The unpacked ISO takes exactly as much
space as the ISO itself, about 4.7Gb each. It's very tempting and easy to
mount the ISO via a loopback device. However, in the past I put the
iso directory, the local distro signing
key, and the Packman key, in the root with the SuSE package signing keys,
which would be impossible with a mounted ISO because it has to be readonly.
At home I will modify post_jump and audit-pkgs to look for keys in all the
sub-repos. This is optional at work.
Package keys wanted: The first two come with the main distro DVD;
the others go in the CouchNet or Mathnet repo.
- gpg-pubkey-307e3d54-4be01a65 -- SuSE Package Signing Key
- gpg-pubkey-3dbdc284-53674dd4 -- openSUSE Project Signing Key (new)
- gpg-pubkey-1abd1afb-4c97c60c -- PackMan Project (signing key) (2006)
- gpg-pubkey-c8da93d2-493f7d78 -- VLC openSUSE Repository (not for Mathnet)
- gpg-pubkey-5c6c793e-4b272bea -- Carter Family Trust Distro Signing Key
- gpg-pubkey-0cc9523f-4a9865cc -- (or) Mathnet Distro Signing Key
These keys are obsolete:
- gpg-pubkey-3dbdc284-4be1884d -- openSUSE Project Signing Key (old, v11.4)
How to identify a public key:
gpg gpg-pubkey-0cc9523f-4a9865cc.asc
It prints: pub 1024D/0CC9523F 2009-08-28 UCLA-Mathnet Distro Signing Key <distro@math.ucla.edu>
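An added example, not one of jimc's scripts: a POSIX shell function that compares the key names printed by `rpm -q gpg-pubkey` with the wanted and obsolete lists above. The function name `audit_pubkeys`, the choice of the home (CouchNet) key set as the required one, and the sample input are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not part of the original page's scripts.
# Key names are copied from the lists above. WANTED_KEYS is the home (CouchNet)
# selection; treating it as the required set is an assumption of this example.
# Mathnet would drop the VLC key and use its own distro signing key instead.
WANTED_KEYS="gpg-pubkey-307e3d54-4be01a65 gpg-pubkey-3dbdc284-53674dd4 \
gpg-pubkey-1abd1afb-4c97c60c gpg-pubkey-c8da93d2-493f7d78 \
gpg-pubkey-5c6c793e-4b272bea"
OBSOLETE_KEYS="gpg-pubkey-3dbdc284-4be1884d"

# Reads key names on stdin, one per line, in the form rpm prints them.
# Prints OK / OBSOLETE / UNKNOWN per installed key, then MISSING per absent
# wanted key. Returns 0 only when every key is OK and none is missing.
# The old and new openSUSE keys share the key ID 3dbdc284 and differ only in
# the trailing timestamp, so the comparison is on the full name.
audit_pubkeys() {
    awk -v wanted="$WANTED_KEYS" -v obsolete="$OBSOLETE_KEYS" '
    BEGIN {
        bad = 0
        n = split(wanted, w, " ")
        for (i = 1; i <= n; i++) want[w[i]] = 1
        m = split(obsolete, o, " ")
        for (i = 1; i <= m; i++) old[o[i]] = 1
    }
    /^gpg-pubkey-/ {
        seen[$1] = 1
        if ($1 in old)       { print "OBSOLETE " $1; bad = 1 }
        else if ($1 in want) { print "OK " $1 }
        else                 { print "UNKNOWN " $1; bad = 1 }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(w[i] in seen)) { print "MISSING " w[i]; bad = 1 }
        exit bad
    }'
}

# Constructed sample standing in for the output of: rpm -q gpg-pubkey
SAMPLE_KEYS="gpg-pubkey-307e3d54-4be01a65
gpg-pubkey-3dbdc284-4be1884d
gpg-pubkey-1abd1afb-4c97c60c
gpg-pubkey-deadbeef-00000000"

printf '%s\n' "$SAMPLE_KEYS" | audit_pubkeys || echo "key set needs attention"
```

On a live host the input would be `rpm -q gpg-pubkey | audit_pubkeys`.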
- Check Update Download Script
This script is
$di/bin/rsyncsuse.sh
and is executed from /etc/cron.d/distro-maint with this content (I download
on Tuesday AM; Mathnet downloads more frequently):
10 0 * * 2 root /home/httpd/htdocs/SuSE/../bin/rsyncsuse.sh > /tmp/system/rsyncsuse.debug 2>&1
The script downloads updates for all versions for which update
directories exist, except, it has a list of architectures, and it checks
if any hosts have each version and architecture, and skips the download
if none do. It's suggested that you edit the hostgroup entry for your
virtual machine right away and put it in v42.1 and x86_64 (and not down),
so the updates for the new version will be downloaded.
You normally don't have to actually edit the script (except for a
change in the URL from which updates are obtained), but you should review
it so you know what it's doing. Unfortunately SuSE dumbly inserted a
subdirectory called "leap" in the download path, and I needed to edit
the script and to download v13.1 and v42.1 in separate subroutine calls.
Hiss, boo!
Link to jimc's modified download script.
rsyncsuse downloads on a schedule, but if you run it by hand, give the
-f option to download unconditionally. The outcome appears in
/tmp/system/rsyncsuse.log .
The virtual machine for testing is called Oso, and is hosted on Diamond,
the repo site, using KVM as the framework and qemu as the virtual executor.
The guest connects itself to the host's network bridge (br0) and thinks that
it is directly on the local network. (Look at Simba for an example of
bridging.)
Setting this up took about 0.5 days. It helped that
I already had the XML file for this VM, for testing previous new distro
versions.
It turns out that we're going to need to test converting the architecture
from i686 to x86_64 at the same time as the version upgrade. I have a virtual
machine for that called Petra. It was gotten into shape similarly to Oso.
- VM Specifications
Oso is defined in this file.
Key parameters of Oso and Petra are:
- RAM: 1Gb
- CPUs: 2
- Architecture: x86_64 (both VMs), formerly i686 for Petra.
- Disc: 17Gb (why such an odd number?) on virtio bus. Only 6Mb
actually used.
- CD: The network installer for the new version (#1 in boot order)
- Graphics: VNC on Cirrus Logic emulation
- MAC address: 52:54:00:09:c8:d4 (Oso) or 52:54:00:9:c8:c7 (Petra)
on the host's network bridge (virtio). Local convention: the MAC
address of a VM is the KVM vendor number (52:54:00) followed by the
last 3 octets of the machine's assigned IPv4 address.
Petra formerly had i686 architecture, and correspondingly for its
image for v13.1. The VM architecture was changed to x86_64 to test
upgrading. An i586/i686 image will boot and run on x86_64 hardware.
Formerly for the CD I had a symlink in /s1/kvm to whichever image,
named for that image, which was named explicitly in the machine's XML
definition file. This time I'm calling it just oso-cd.iso, and I can
change the CD if I need to, without editing the definition and
un/defining the VM anew. (Requires the machine to be powered off and
restarted, though.) But changing the boot order still requires the VM
to be un/defined. To undefine and redefine a VM:
virsh undefine oso
virsh define ./oso.xml
The definition file has the CD first in the boot order, and the
hard disc second. To permanently not boot from the CD you can switch
the boot order, which requires un/redefining the machine. However, I
made a discovery: If oso-cd.iso is a symlink to /dev/null, the BIOS will
not boot from it, same as if a physical drive has no disc in it.
It goes on to the hard disc promptly and with no error messages.
- Update VMs
Oso and Petra got all the current updates for v13.1
plus local configuration changes made since they were last used.
- Save Disc
Save a copy of Oso's and Petra's disc. Command line:
cd /s1/kvm/oso
gzip -c disc1.raw > disc1.131final.gz
The raw disc ended up with 17Gb; why did I pick that number?
Compressed size was 4.4Gb. Compression took 10.5 mins.
To restore, make sure the machine is not running, and:
zcat disc1.131final.gz > disc1.raw
Restoration took 7 mins.
- Start Oso
Oso is going to boot from the network installer.
The command to start a VM is
virsh start oso
Then you need to connect to its console. If you have to do this on the
virtualization host (not recommended, see next paragraph), do this:
virt-viewer -w -r oso
-w = wait (vs. dying) for it to start up. -r = reconnect (vs. exiting)
if it reboots.
Running virt-viewer on the machine with the display (recommended):
virt-viewer -c qemu+ssh://root@diamond/system -w -r oso
This works as a non-root user provided it has a remote execution
privilege as root on the hosting machine.
The VM's installer couldn't communicate with the repo server.
See the next paragraph for how to get past this mess.
- Untangle Network
When you boot the network installer disc on the virtual machine it
uses a network interface that doesn't exist, with baleful effects on its
ability to boot over the network. Here is the overly complicated procedure
to get it running.
- The boot screen offers actions of boot from hard disc (default),
install, upgrade, rescue system, or memory test.
- Scroll down to the one you are going to use, but don't press Enter.
- Press F4 for Source Selection
- Scroll to Network Configuration and press Enter.
- Choose Manual (press Enter). Default is DHCP but we want to
prevent it from finding the gateway to the SuSE server.
- Press Enter when focused on the desired action, e.g. Rescue
System.
- It boots the installer. Hit Esc when the green progress bar
appears, to see real boot messages.
- Soon it will fail to open the SuSE repo URL. Don't try to fix it,
just hit Back. (Right arrow, then Enter.)
- Language and keyboard: English
- Start Installation
- Scroll down to Network Setup and hit Enter.
- Do you want to keep the existing, screwed up configuration? No.
- Choose the network device: It's preset to "Red Hat Virtio
network device (null)", which doesn't exist. Change to eth0.
- It shows the Start Installation menu. Wait 10-15 secs;
it should then ask: Automatic config by DHCP? Tell it no.
Actually I'm being anally retentive here; DHCP would have worked,
provided your DHCP server knows the VM's MAC address and will give
the VM's own IP rather than a random one.
- Give it the VM's IP with CIDR bits: 192.9.200.212/26
- Gateway: This time, tell it.
- Nameserver: Tell it.
- Search Domain: cft.ca.us. -or- math.ucla.edu. Should end with dot.
- We're back to the Start Installation menu.
Pick Update, or Start Installation, or Rescue System.
- Source Media: Network
- Protocol: HTTP
- Server Name: give IP address of our enterprise mirror. A hostname
should also work if you gave a DNS server and domain suffix, but
this is a "new" feature and jimc always gives the IP address.
- Directory: SuSE/x86_64/42.1/ (no leading slash, yes trailing slash)
- Password: none. Proxy: none.
- It boots the installer or rescue system
- Tidbit: the installer is using the "Wicked Network Management
Service Daemon". If offered for production machines, see if
it's better than the old Network Manager.
- To log in to the rescue system, your loginID is root and there
is no password.
The first step will be to upgrade Oso using the SuSE installer.
This took about 4 hours.
- Lurking Dragon
See this bug report about grub. Before beginning the upgrade, edit
/etc/default/grub_installdevice and make sure it's installing itself
in the MBR. 99% of the
time you want the device to be (hd0), not e.g. (hd0,1) which would install
in the root partition's boot sector. To detect whether (hd0) is correct
you could do:
grub2-probe -t drive /boot/.
and remove the partition number, e.g. it might print (hd0,msdos2).
In hindsight the most trouble-free way to handle this issue would have
been: First re-verify that (hd0) refers to the disc you're booting from,
on all hosts. Then edit /etc/default/grub_installdevice on the master
site and install on all hosts (v13.1 and v42.1). Install it as a new file
in both versions' post_jump directories. If some host is found that boots
from other than (hd0), edit specially and copy it to
/m1/custom/conffiles/etc/default/grub_installdevice . See the bug report
for when to use a UNIX device path.
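An added example, not part of jimc's tooling: a POSIX shell check that derives the whole-disc form from `grub2-probe -t drive /boot/.` output and compares it with the device lines of a grub_installdevice file. The function names are hypothetical, and the sample file layout (a device line followed by the keyword lines `activate` and `generic_mbr`) is an assumption about that file's contents.

```sh
#!/bin/sh
# Added example, not part of the original page's scripts.

# Strip the partition part from a GRUB drive spec: "(hd0,msdos2)" -> "(hd0)".
grub_whole_disk() {
    printf '%s\n' "$1" | sed 's/^(\([^,)]*\)[^)]*)$/(\1)/'
}

# $1 = output of: grub2-probe -t drive /boot/.
# $2 = path of the grub_installdevice file to check
# Prints one verdict per device line and returns 1 if any line would install
# GRUB somewhere other than the MBR of the disc that holds /boot.
check_installdevice() {
    want=$(grub_whole_disk "$1")
    rc=0
    while IFS= read -r dev; do
        case $dev in
            "("*","*")")
                # A partition spec such as (hd0,1): partition boot sector.
                echo "BAD $dev: partition boot sector, expected $want"
                rc=1 ;;
            "("*")")
                if [ "$dev" = "$want" ]; then
                    echo "OK $dev"
                else
                    echo "BAD $dev: expected $want"
                    rc=1
                fi ;;
            /dev/*)
                # The page defers to the bug report for UNIX device paths.
                echo "CHECK $dev: UNIX device path, verify by hand" ;;
        esac
        # Any other line (assumed to be a keyword) is ignored.
    done < "$2"
    return $rc
}

# Constructed demonstration: a file that targets partition 1 of hd0.
demo=$(mktemp)
printf '(hd0,1)\nactivate\ngeneric_mbr\n' > "$demo"
check_installdevice '(hd0,msdos2)' "$demo" || echo "grub_installdevice needs editing"
rm -f "$demo"
```

On a real host the call would be `check_installdevice "$(grub2-probe -t drive /boot/.)" /etc/default/grub_installdevice`.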
- Installation or Upgrade
Formerly the choice of install or
upgrade was made partway through the installation. Now you get to choose
on the installer's boot screen. Options are: boot from hard disc
(default), install, upgrade, rescue system, or memory test.
- Boot Screen
It's going to fail to communicate using the
nonexistent Red Hat Virtio NIC. See Untangle
Network above for how to get it booted and running.
- Installation
Here are the steps in an upgrade:
- If you're going to activate buttons with the keyboard, one letter
in the label is underlined, e.g. "Abort". With my keyboard
layout at least, hit Windows-R (vs. Alt-R) to activate this button.
- Language, keyboard, license agreement: take defaults, hit Next.
- Loading Drivers: It asks your permission to load a bunch of
filesystem and storage management drivers such as reiser and raid6.
It's OK to load them but you could also omit those you know you won't
be using.
- Select for Update: It should find your old root partition. Hit Next.
- Old repos: It lists your back-version repos and proposes to toss them. Hit Next.
- Repo list: It lists the SuSE repos, specifically the update area.
It doesn't list the enterprise mirror you configured. Will it prefer
the enterprise mirror? Let's leave the default repos turned on.
It will need to download the repo metadata (inventory), which takes
some time, and you will
be asked to agree with the license.
- Now you're in the installation settings page.
2614 packages to update, 1492 new packages to add, 142 packages
to remove. Properties like the booter and the firewall are kept
unchanged. Hit Update. The upgrade took about 2 hours.
Confirmed by tcpdump that
it is getting most of the packages from the enterprise mirror, not
from the SuSE servers. But not all: fluid-soundfont-gm had to come
from off-site, 115Mb, oink.
- Here is a list of packages after the
upgrade.
- Awwww! It botched installing something and failed to reboot after
the installation. I don't have records of what went wrong.
I tried rebooting again; Grub was there (which version?) but it failed
to find the kernel, and died. (If I had known about the MBR issue
mentioned above, this would have worked.)
- Trying the rescue system. The installer still has the penguins
animation! See Untangle Network above for
how to boot it. A discovery: in the network installer's front page,
if you just select Rescue System and hit return, without configuring
anything, it will manage to find the right NIC, and the right
webserver on that NIC, and the right directory on the server, all by
itself. Not swift, but it works. I think actually it's booting from
the SuSE server, and it's using IPv6 RFC 2462 autoconfiguration to
find the default route.
- Steps for trying to rescue the installation:
- What is the disc called? ls /dev ; it's /dev/vda1. See also /dev/disk/by-label/
- mount /dev/disk/by-label/oso-root /mnt
- mount -o bind /proc /mnt/proc ; And similarly for sys and dev.
- chroot /mnt
- rpm -qa | sort -o /tmp/rpm.all
- Guess what, we have kernel-default-4.1.12 (plus back version
kernels from v13.1).
- In /boot we have a new initrd, and vmlinuz points to the installed
kernel. Looks correct. I could, but won't, rebuild the initrd
just in case.
- In /boot/grub2/grub.cfg the default stanza is 0 (correct).
This stanza is titled "openSUSE 13.1" but is booting 4.1.12.
Looks correct. I'm not going to touch it. (See below for fixing
the title in /etc/default/grub.)
- I wonder if the grub installation was botched. I'm re-installing
it. Command line:
grub2-install /dev/vda
It took about 15 secs, and says there was no error.
- When finished, unmount everything in reverse order, then reboot -f
(regular reboot doesn't work, lacks infrastructure).
- OK, it reboots! Shows grub menu, pick what it calls SuSE-13.1,
it boots the new system, which starts XDM and gives a greeter box.
- slogin oso works for root.
- Daily housekeeping ran :-)
- Just for laughs I ran checkout.sh. A lot of stuff is expected to
fail. Discrepancies:
- /usr/diklo/default/path.{sh,all} omits /usr/diklo/{,s}bin, so
various stuff is not on the path including checkout.sh and
hostgroup. Add this manually first.
- Boot scripts circular dependency (ignored): sysinit.target requires
rescue.service and rescue.target which require sysinit.target.
- These services are wanted but not enabled: cups.path
- Network Nanny is installed but not enabled. Check this out.
- Yast2-Firstboot and YaST2-Second-Stage are enabled, but if they
ran I don't see it.
- Firewall and network are OK.
- cronj is alive and passes its functional test. I'm going to
disable it by hand to avoid complications from restarter.
Wrong, I need to disable restarter.timer. Re-enabled cronj.
- rpmconfigcheck reports 42 leftover config files (rpmsave).
- wickedd (network management) is enabled and running.
Investigate this package for possible adoption.
- saslauthd cannot load libsasl2.so.2
- Apache is not running. See below for successful fixup.
- It claims that xdm is wanted, disabled, and dead, but it has put
a greeter box on the screen. For systemd, call it display-manager.
It will start the display manager named in
/etc/sysconfig/displaymanager , which presently is xdm.
- 19 services are enabled but unwanted.
- 3 services are wanted but are disabled.
- A surprising number of daemons are running, and they pass
functional tests where available.
- I didn't debug or fix anything except Apache. Let's get all the
packages upgraded and their config files re-hacked first.
- Apache Fixup
Apache would not start.
Here are the 2 fixes:
- It was a syntax error in
/etc/apache2/conf.d/Mathnet.conf: Order command is deprecated
(at last). The failing motif is:
Order allow, deny
Allow from all
- Use this instead, wherever occurring.
Require all granted
Or change to denied if the original says Deny from all.
- Affected in these files:
- oso.conf (partially auto-fixed, needed to finish the job by hand)
- Mathnet.conf (replace Order/Allow with Require, by hand)
- gitweb.conf (auto switches, leave alone)
- manual.conf (auto switches, leave alone)
- roundcubemail.conf (overly florid auto switch, leave alone)
- Some config files have IfModule mod_access_compat.c, and
if it is loaded you do Order/Allow; if not, you do Require.
- OK, that's fixed, but now it fails to configure allowed ciphers
for mod_ssl. Temporarily reverting to the default cipher list.
[The real problem is, DEFAULT is no longer accepted; you have
to list your basic ciphers explicitly.]
- OK, now it works, including HTTPS. Passes the functional test,
and the machine page is displayed including HTTPS.
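An added example, not code from the original page: a POSIX shell and awk scanner that lists the Order/Allow/Deny lines still needing the hand edit described above, and skips those wrapped in an IfModule mod_access_compat.c block, which the page says switch automatically. The function names and the sample configuration are constructed; `access_compat_module` is accepted as the module-identifier spelling of the same guard.

```sh
#!/bin/sh
# Added example, not part of the original page's scripts.

# Reads an Apache config on stdin. Prints "LINE: directive => advice" for each
# old-style access directive outside a mod_access_compat guard, and returns 1
# if any were found.
scan_legacy_access() {
    awk '
    function report(advice) {
        printf "%d: %s => %s\n", NR, line, advice
        found = 1
    }
    BEGIN { depth = 0; guards = 0; found = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line)      # drop indentation
        low = tolower(line)           # directive names are case-insensitive
    }
    low == "" || low ~ /^#/ { next }
    low ~ /^<ifmodule[ \t]/ {
        # Track nesting so a guard only covers its own block.
        depth++
        isguard[depth] = (low ~ /^<ifmodule[ \t]+(mod_access_compat\.c|access_compat_module)[ \t]*>/)
        guards += isguard[depth]
        next
    }
    low ~ /^<\/ifmodule>/ {
        if (depth > 0) { guards -= isguard[depth]; depth-- }
        next
    }
    guards > 0 { next }               # auto-switching block, leave alone
    low ~ /^order[ \t]/                       { report("delete, Require replaces it"); next }
    low ~ /^allow[ \t]+from[ \t]+all[ \t]*$/  { report("Require all granted"); next }
    low ~ /^deny[ \t]+from[ \t]+all[ \t]*$/   { report("Require all denied"); next }
    low ~ /^(allow|deny)[ \t]+from[ \t]/      { report("review by hand"); next }
    END { exit found }
    '
}

# Constructed sample: two unguarded stanzas and one auto-switching stanza.
sample_conf() {
    cat <<'EOF'
<Directory "/srv/www/htdocs">
    Order allow, deny
    Allow from all
</Directory>
<Directory "/srv/www/private">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/share/gitweb">
    <IfModule mod_access_compat.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule !mod_access_compat.c>
        Require all granted
    </IfModule>
</Directory>
EOF
}

sample_conf | scan_legacy_access || echo "legacy access directives found"
```

Against real files it would be run as `scan_legacy_access < /etc/apache2/conf.d/Mathnet.conf`.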
- Default Installation
Having saved the disc image from the upgrade, I went back and Installed, taking defaults as much
as was reasonable. Here are the details, emphasizing differences from the
upgrade.
- It proposes to overwrite the whole disc partition, putting a btrfs
filesystem on it, with a lot of sub-volumes such as /var/log and
/var/tmp. This is something I need to learn about -- but not today.
I kept the existing ext4 filesystem, by using the Expert Partitioner.
But I did tell it to reformat the partition, to get a pristine
installation.
- I selected the XFCE desktop (vs. KDE or Gnome). This is what I
normally use.
- The default software list (which I didn't change) is:
- Base System
- Enhanced Base System
- AppArmor
- YaST System Administration
- XFCE Base System
- XFCE Desktop Environment
- Software Management
- Multimedia
- Fonts
- X Window System
- Graphics
- Size: 975Mb compressed, 3.3Gb installed
- You need to separately open the SSH port and enable the SSH service.
- This time it used image installation,
and only 809 individual packages were needed. Also the installer
downloads packages about 8 times faster than when upgrading. Package
installation finished in 9 mins. 1 min more, it rebooted and auto
logged me in. It did not botch grub installation like last time.
It ended up installing 1692 packages, much less than
for the upgrade.
- Here is the list of packages in the default
installation.
- In the default configuration the network uses DHCP for IPv4 and
accepts IPv6 auto configuration (RFC 2462).
- These major desktop-type packages are installed. Most are familiar
from v13.3 but a few are new (to jimc).
- Desktop Search -- actually Tracker, get rid of
- Leafpad -- simple text editor, like Windows Notepad
- Notes -- the XFCE panel plugin
- Seahorse -- key and certificate manager (no keys yet)
- Games -- standard Gnome games -- chess, mahjongg, sudoku, etc.
- Evince -- PDF viewer
- GIMP -- graphics editor
- LibreOffice Draw
- Shotwell -- organize your photos
- Simple Scan -- replacement for Xsane
- Firefox -- web browser
- Thunderbird -- mail and news client
- Pidgin -- multi protocol instant message
- Remmina -- remote desktop client.
It can handle multi protocols: RDP, SFTP (?), SSH, VNC,
XDMCP, and it can accept an incoming VNC connection. You create
multiple profiles and select one to connect.
- Brasero -- burn CD/DVD
- Pragha -- music player
- Sound Juicer -- rip music CDs
- Videos -- perform video media, formerly called Totem
- LibreOffice -- office suite with writer, spreadsheet, database
viewer, vector graphics drawing (organization charts),
slideshow presentation
- Thunar -- file manager
- XFCE Terminal -- shell session window but fancier
- XTerm -- shell session window
- There is a background process in the user session that checks for
package updates and nags you to install them.
- Notable system daemons running:
- systemd -- the root process
- wpa_supplicant -- WiFi authentication, apparently everyone gets
it whether you have WiFi or not. Also ModemManager.
- lightdm is the default display manager.
- wicked network manager including Network Nanny and DHCP clients
- Gnome Keyring Daemon -- I hope it works better than last time.
- ntpd -- time sync service; I use chrony
- postfix -- mail transport agent
- No local caching DNS daemon
- Notable daemon-like processes in the user's session:
- tracker-miner (get rid of)
- xscreensaver
What should the next step be? I'm very tempted to go forward with
setting up the configuration files, so I can have a fully functional machine
even if some packages are missing. However, if any new daemon-type packages
are installed (like Network Nanny :-) it will be a lot simpler and more
complete if I work on all the configuration files as a unit, rather than
having to do that step over with the new packages. [Update: package issues
continued throughout the following sections.]
- Installed Packages
Immediately after the upgrade,
Oso had these packages installed.
A default installation would be different; in an upgrade it tries to
preserve the existing package selection as much as possible.
There were 4163 packages installed (oink).
See earlier for the results of a default installation.
- Package Selection List: Cleanup
In Debian you can specify a list of "keystone packages"
and apt-get (I think) will install them
and all their dependencies. SuSE doesn't have this. It's possible that a
sysadmin could make a pattern (set of packages) and have it accepted by
Zypper, but our list of wanted packages varies by hostgroup, so the
equivalent of the list of keystone packages is a little more complicated,
managed by the audit-pkgs app.
/m1/custom/couchnet.sel or mathnet.sel is our list of keystone
packages. Source is in /src/math/etc/audit-suse. The first step
is to clone a new version and get rid of cruft, particularly conditional
expressions involving back versions. Now is also a good time to make
a judgment for each package whether we really want it to be installed,
or if it should be tossed.
Here's a list of points discovered that need to be handled later:
- Tracker and its components are for indexing the files in a user's
homedir, for a content search. Users at Mathnet complained that the
index was so big that it put them over their disc quota, so we junked
this.
- Replace blas with openblas, or at least install both. Already done
at Mathnet.
- See if gstreamer-plugins-gl is available (on Packman?) [No, it's
included in gstreamer-plugins-bad.]
- flash-player is kicked off SuSE because of licensing conflicts with
Adobe. See below for a more extensive discussion
of Flash Player issues.
- Should we decommit xine? I never use it, GStreamer is better, and
GStreamer is getting the development effort, so goodbye, Xine.
- Should we decommit Gnome? I'm not happy with the Gnome desktop and
I never use it (I use XFCE), so it's kicked off of CouchNet. Only
particular Gnome apps are selected, and they drag in a fair amount of
infrastructure. The Gnome desktop is popular at Mathnet.
- CouchNet never had KDE but it is popular at Mathnet.
- Keystone Packages
After cleanup, couchnet.sel has 590 packages
listed. This is rather a lot. Can the list be shortened by listing only
keystone packages? That means, we'll rely on keystones to drag in other
packages, and not list them explicitly, even if they are important.
It turns out that looking at the v13.1 couchnet.sel, there are 697 packages
listed (including non-v13.1 packages) and 624 of them are keystones.
So this kind of cleanup will have little effect and will not be worth
doing.
Command line to distinguish keystone from dependent packages:
rpm -qa | sort | while read pkg ; do \
if rpm -e --test $pkg ; then echo Keystone: $pkg ; fi ; \
done >& /tmp/keystones.ls
- New Packages
A major goal is to identify new packages that
may be useful in my environment, and to add them to the package list.
The package list from the default installation gives useful guidance.
- leafpad -- A lightweight flat file editor, replaces mousepad.
Actually it's been around since v13.1 but I just didn't pay attention
to it.
- shotwell -- Organizes your photos.
- simple-scan -- Replacement for xsane, hyped as being simpler,
a welcome feature if true.
- remmina-plugin-rdp and vnc -- Multi-protocol remote desktop client.
It can also do SSH (terminal window?) and SFTP (file manager GUI
I hope), and XDMCP.
- sound-juicer -- For ripping audio CDs, replaces grip.
- xfce4-plugin-panel-notes -- For making informal text notes. I don't
know much about it but it might be useful on Mathnet.
- wicked-service -- Network manager, controls DHCP and WiFi clients,
includes Network Nanny. Let's give this a try.
- lightdm -- Lightweight display manager. I've tangled with it before,
but its good features lead me to give it another chance.
- Repo Definitions
Repo definitions are found in
/etc/zypp/repos.d . On CouchNet and Mathnet there are four of them:
- Couch-SuSE-13.1.repo -- the main distro (DVD)
- Couch-Update-13.1.repo -- online updates and security patches
- Couch-Build-13.1.repo -- packages from the SuSE Build Service
- CouchNet-13.1.repo -- local and non-SuSE packages, e.g. Packman
For v42.1, separate repo files will be needed for updates to open
source and non-open packages.
There is a subdir jail which has the original SuSE repos,
and Packman and VideoLAN (for VLC).
There is also a template subdir in which ARCH
represents the architecture. The script audit-repos (called from
instsetup and post_jump) retrieves the templates from the post_jump
configuration file dirs (/home/post_jump/ or /u/sunset/h1/post_jump),
then fills in the correct architecture and
puts the result in /etc/zypp/repos.d.
While most configuration files have to wait until after package
selection, the repo definitions are needed immediately.
- Immediate Configuration Files
Here is how to set up the
configuration file directory with enough content that package selection
can be finished. The new OS version is 42.1 and the old one is 13.1.
- Let's represent by $pj either /home/post_jump/42.1 (on Diamond) or
/u/sunset/h1/post_jump/42.1 .
mkdir $pj
- mkdir -p $pj/DELETEME/etc/zypp/repos.d/template
touch $pj/DELETEME/etc/zypp/repos.d/template/Couch{-Build,Net,-SuSE,-Update}-{13.1,12.3}.repo
# Or touch the files individually. Authentic content is not needed. We're getting rid of repo templates for the previous version(s).
ssync -a $pj/../13.1/{backup.pln,m1,root} $pj/
# Use rsync if you don't have jimc's ssync which has a better log format.
# Mind ending slash on the destination, no slash on originals.
# backup.pln is present only on CouchNet.
cp -p /path/to/couchnet.sel.new $pj/m1/custom/couchnet.sel
mkdir -p $pj/etc/zypp
ssync -a $pj/../13.1/etc/zypp/ $pj/etc/zypp/
#Mind the ending slashes on both directories
- In $pj/etc/zypp/repos.d/template , rename each file to refer to the
new OS version (42.1) and edit each file similarly. You could
use this fancy command line (and remove the originals later):
for f in *.repo ; do
sed -e 's/13\.1/42.1/g' $f > ${f/13.1/42.1}
done
- You need to duplicate the update repo for oss and non-oss updates.
In the URLs in the copies, insert /oss/ and /non-oss/ directories
just after the version (42.1). Also insert -oss- and -non-oss- in
the [name] item; the repo names have to be unique.
- Do the same thing for the files in $pj/etc/zypp/repos.d/jail , except
you may have to do some research on the respective sites to determine
what URL to use. The straight-arrow thing is to fetch
download.opensuse.org-oss.repo and download.opensuse.org-non-oss.repo
(the SuSE repos) from the VM you just upgraded,
and to look on the Packman and VideoLAN sites for the correct URL.
Notice that most of the jail *.repo have keeppackages=1 while it's 0
for the enterprise mirror *.repo. The kept packages will be needed in
a later step. Except VLC (VideoLAN) has keeppackages=0; we don't host
it and you need to install it individually on each machine needing it.
- Package Keys
On CouchNet, the non-SuSE package signing keys
have to be moved from the main distro root because the main
distro was going to be mounted from the DVD ISO image. They are installed
by audit-pkgs (-K option), and this script needs to be modified to look
for them in the new location. As implemented, the script reads the repo
URLs from /etc/zypp/repos.d/*.repo, so keys should be in the sub-repo
to which they pertain, e.g. the CouchNet/Mathnet distro signing key should
be in the CouchNet/Mathnet sub-repo. Also Packman and VideoLAN.
However, the mksuserepo script wants at least one package signing key
in each repo. I copied the SuSE package signing key out of the main
distro, to populate the SuSE Build Service repo.
- Package List
Here is the
package list for CouchNet. It's expected to evolve as problems are
found and resolved.
Now is the time to try out the new package list. We're going to
essentially run post_jump by hand and out of order, to finish upgrading the
VM by installing the latest versions of packages not in the main distro.
Due to the keeppackages=1 setting, downloaded packages will be kept and we
will copy them over to the enterprise mirror.
What is the significance of Packman? SuSE is presently a subsidiary of an
American company, Attachmate. (Formerly SuSE was owned by Novell.) Even though
SuSE's main physical presence is in the European Union, it needs to comply
with the union of EU and American law, specifically regarding software patents
and licensing. Thus packages that are illegal in the USA may not be hosted
on SuSE servers. On the other hand, Packman is wholly under EU jurisdiction,
and it can legally ignore software patents, specifically those covering
multimedia codecs. That is why Packman is included among the repos in this
installation, but why the packages hosted there are kept separate from the
SuSE Build Service packages.
- Start VM
Start the virtual machine (Oso) first. Make sure
you have the upgraded one, not the default installation test.
- New Repo Definitions
Emplace the new repo definitions
on Oso. Execute this on Diamond (with remote execution privilege to Oso).
audit-repos -n -v -r 42.1 -i oso
And if it looks reasonable, remove the -n. You need to specify
the version explicitly because the default is the (old) version
currently on the target.
Review the result for being correct.
Toss totally useless SuSE repos from the jail.
Snarf the official
definitions for
download.opensuse.org-oss.repo and download.opensuse.org-non-oss.repo
and replace the ones in post_jump/42.1/etc/zypp/repos.d/jail .
Look at the base URL, toss the update repos. Turn on keeppackages=1 .
- Send Configuration
Send over the minimal configuration already
set up. The most important item here is /m1/custom/couchnet.sel .
/home/post_jump/pushconfig -C -a oso >& /tmp/output
# Execute on the master (diamond/sunset). If the result looks
reasonable, change -C to -c to actually push the files.
- Erase Unwanted Packages
Better to clear the decks before trying
to install SBS packages. The first step is to make a list of what it
proposes to erase. Remember to add /usr/diklo/bin:/usr/diklo/sbin to
the path (or /usr/math/etc). This is going to take a long time because
it needs to make a cache of which packages depend on which, in
/var/cache/audit-pkgs . Actually under 2 minutes.
audit-pkgs -v -e >& /tmp/output
It proposes to erase 1725 packages. (In a few cases dependencies are
missed and the actually needed packages will not be erased.)
Go through the list and try to spot gold among the mud.
Maybe clearing the decks was not such a good idea because it's erasing
quite a number of packages that are going to reappear in the final
installation -- probably because prerequisites and/or requiring packages
are not in the main distro, so the packages being tossed are unwanted
at present.
These items bear investigation:
- Mesa-demo-x-8.2.0-4.4 -- I want Mesa Demos; is this junk, or
the new package? The new one, renamed. Well… The main
content is glxgears, none of the fancy demos. Instead I downloaded
the Mesa-demos package from SBS. (Mesa-demo has even more demos.)
- NetworkManager-1.0.6-1.2 -- Make sure it's replaced by something.
- accountsservice-0.6.40-2.2 -- New, but is it valuable? No.
Useradd/mod/del on d-bus. It turns out lightdm can optionally
use this to make a list of users in the greeter. Install it.
- apache2-utils-2.4.16-9.1 -- Is this useful? Probably; keep it.
- baobab-3.16.1-2.6 -- What is it? Disc usage analyser, like du
with a Gnome GUI. Probably worth keeping but I like the
ancient tool better.
- beforelight-1.0.5-9.2 -- What is it? Lameass screensaver. Toss.
- caribou-common-0.4.18.1-2.2 -- What is it? On-screen keyboard. Toss.
- colord-1.2.12-1.2 -- If this is what I think it is, I want it.
No I don't, requires Gnome desktop I think.
- crafty-23.2-10.2 -- Chess program, wanted on Mathnet.
- dbus-1-python3-1.2.0-6.5 -- Is this needed for Meow?
- dleyna-server-0.5.0-2.2 -- What is it? DLNA client. Toss.
- dracut-037-68.1 -- What is it? New initrd generator. Required.
- e2fsprogs-1.42.11-10.2 -- Shouldn't this be on all machines? Yes.
- glibc-extra-2.19-17.4 -- What's in here and is it important? No.
- gnuchess-6.2.1-2.2 -- Wanted on Mathnet
- grub2-snapper-plugin-2.02~beta2-70.1 -- What is it snapping? Filesystem snapshots (if your FS supports them; ours don't).
- gstreamer-plugin-gstclutter-2.0.16-2.2 -- What is it? GUI generator infrastructure.
- gtk3-immodule-inuktitut-3.16.7-5.1 -- How can we live without input support for the Inuit language family?
- ibus-1.5.11-3.2 -- What is it? Accessibility for input methods. Packages that need it should depend on it, evidently none do.
- java-1_8_0-openjdk-plugin-1.6.1-1.2 -- Browser plugin? Yes, we want it.
- kernel-devel-4.1.12-1.1 -- What's the policy on kernel-devel? Oink, yes we need it.
- kernel-macros-4.1.12-1.1 -- What is it? For building RPM packages of kernel modules. Wanted.
- All unwanted libs were tossed without inspection. 312 pkgs.
- metatheme-sonar-common-11.3.0-30.2 -- Wasn't this in couchnet.sel?
- mozldap-libs-6.0.7-2.3 -- What is it? Infrastructure, packages should depend on it.
- mutter-3.16.4-1.2 -- What is it? Compositing manager forked from Clutter (which is installed). Not sure if it's needed. Toss.
- notification-daemon-3.16.1-2.3 -- Don't we need this for XFCE?
- ntp-4.2.8p4-9.2 -- OK to toss, we use chrony instead.
- openssh-helpers-6.6p1-6.3 -- What did this give you? You can put the public key in LDAP. Sounds like NIS+. Toss.
- Perl packages tossed without inspection, 35 pkgs.
- PHP5 packages tossed without inspection, 28 pkgs.
- Python packages tossed without inspection, 28 pkgs.
- snapper-0.2.9-1.2 -- What is it? Filesystem snapshots. None of our FSs support this. Toss.
- TeX stuff tossed without inspection, 678 pkgs.
- timezone-java-2015g-0.3.1 -- Don't we need this?
- tracker-1.4.1-4.4 and friends -- Goodbye, take your diarrhea elsewhere.
- Typelib items tossed without inspection, 48 pkgs.
- wicked-0.6.28-3.1 -- This is supposed to replace NetworkManager; isn't it in couchnet.sel? wicked-service requires it; evidently the dependency was missed.
- xdbedizzy-1.1.0-11.2 -- What is it? Graphics demo. Toss.
- xf86-input-keyboard-1.8.1-6.2 -- Do we need this? Yes, and likely other input modules. Another missed dependency.
- xindy-2.4-8.7 -- What is it? Book index generator for Tex and friends. Toss on CouchNet, keep on Mathnet.
- xorg-x11-server-extra-7.6_1.17.2-7.3 -- Contains Xephyr. Keep.
- xrx-1.0.4-11.2 -- What is it? Remote execution from a web page. Gakk, bury this 20 meters deep!
Revise couchnet.sel so wanted packages are actually kept,
and try again.
When couchnet.sel is correct, add the -c option to audit-pkgs, to
actually erase the packages. Complicated dependencies are sometimes
missed, and the script will give a reprieve to the needed packages and
try again, sometimes several times. Removed 1699 packages;
2464 packages remain.
Up to this point took about 4 or 5 hours.
Something that I removed provided the shutdown and poweroff commands.
A substitute is systemctl poweroff, which works. /sbin/shutdown
has vanished.
Something that I removed prevents wicked.service (network) from
starting. Oopsie! /usr/sbin/wickedd has vanished. Let's recover by
bringing the net up manually.
ip link set dev eth0 up
ip addr add 192.9.200.212/26 dev eth0
More issues:
- zypper refresh complained that these repos were defective:
- Couch-Build -- no ./media.1/media (which is not a lie)
- CouchNet -- no ./media.1/media (which is not a lie)
- Couch-Update -- no ./repodata/repomd.xml -- Should have been found.
- These repos were successfully refreshed:
- I'm going to restore wicked first, then fix up the distros, by putting
one package in each and running $mkr $bs and $mkr $cn.
- Now, what's wrong with the Couch-Update repo? Another intermediate
directory. OSS and non-OSS have separate repos, that we're going to
have to support now.
- See the next paragraph for initializing Couch-Build ($bs) and CouchNet ($cn) sub-repos.
- There is something wrong with audit-repos -- it is not sending the new
update repos. The problem was with the repo definitions.
A. The alias (the name in brackets) must be unique. B. The oss or
non-oss subdir is inside the version subdir (42.1).
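A pre-flight check for the two defects just described, added here as an example (it is not audit-repos and not part of the original page): it parses the *.repo files, reports aliases that occur more than once, and flags update repos whose baseurl does not have oss/ or non-oss/ directly inside the version directory. The host mirror.example, the sample files, and the rule that update repos carry "Update" in the alias are assumptions.

```shell
#!/bin/sh
# Added example, not the page's audit-repos. Sample files are constructed and
# mirror.example is a placeholder host.
LC_ALL=C; export LC_ALL
TAB=$(printf '\t')

# repo_fields DIR: one line per [section] found in DIR/*.repo:
#   file <TAB> alias <TAB> baseurl <TAB> keeppackages
repo_fields() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() {
                if (sect != "") printf "%s\t%s\t%s\t%s\n", file, sect, url, keep
            }
            /^\[/ {
                emit()
                sect = substr($0, 2, index($0, "]") - 2)
                url = "none"; keep = "unset"; next
            }
            /^baseurl[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); url = $0 }
            /^keeppackages[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); keep = $0 }
            END { emit() }
        ' "$f"
    done
}

# Defect A: the alias in brackets must be unique across all repo files.
duplicate_aliases() { repo_fields "$1" | cut -f2 | sort | uniq -d; }

# Defect B: oss/ or non-oss/ belongs inside the version directory.
# Prints the file name of each update repo whose baseurl breaks that rule.
# Assumption: update repos have "Update" in the alias, as Couch-Update-* do.
misplaced_update_urls() {
    repo_fields "$1" | while IFS=$TAB read -r file sect url keep; do
        case $sect in *Update*) ;; *) continue ;; esac
        case $url in
            */"$2"/oss/*|*/"$2"/non-oss/*) ;;
            *) printf '%s\n' "$file" ;;
        esac
    done
}

# Aliases whose downloads zypper keeps in /var/cache/zypp/packages.
kept_aliases() { repo_fields "$1" | awk -F '\t' '$4 == 1 { print $2 }'; }

# Constructed sample: the second file repeats the alias and puts non-oss
# outside the version directory.
write_sample() {
    cat > "$1/Couch-Update-oss-42.1.repo" <<'EOF'
[Couch-Update-42.1]
name=Updates (oss)
baseurl=http://mirror.example/update/42.1/oss/
keeppackages=0
EOF
    cat > "$1/Couch-Update-non-oss-42.1.repo" <<'EOF'
[Couch-Update-42.1]
name=Updates (non-oss)
baseurl=http://mirror.example/update/non-oss/42.1/
keeppackages=0
EOF
    cat > "$1/packman-42.1.repo" <<'EOF'
[packman-42.1]
name=Packman
baseurl=http://mirror.example/packman/42.1/
keeppackages=1
EOF
}

d=$(mktemp -d); write_sample "$d"
echo "duplicate aliases:";      duplicate_aliases "$d"
echo "misplaced update URLs:";  misplaced_update_urls "$d" 42.1
echo "keeppackages=1:";         kept_aliases "$d"
rm -rf "$d"
```

Pointed at /etc/zypp/repos.d on the target before zypper refresh, empty output from the first two functions means neither defect is present.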
How to initialize a new sub-repo: See $mkr for docs. Step by step:
cd $cn
# or $mn or $bs -- I assume you sourced /s1/SuSE/source.me
- Find a package in the old sub-repo that might be useful and copy
it into the correct subdirectory here. I'm not sure if the repo is
required to have content, but let's not tempt sleeping dragons.
cp -p $sd/license.tar.gz .
#Make sure $sd points to v42.1
cp -p ../13.1/distro.key.link ../13.1/content ../13.1/content.key ../13.1/pubring.gpg ../13.1/BACKMEUP ./
BACKMEUP only for $cn or $mn, to get them backed up. Actually I'm
newly putting this in $bs. It backs up the toplevel files but has a
NORECURSE directive.
- The script $mkr insists on at least one gpg-pubkey-*-*.asc package
signing key. Copy the SuSE signing key from the main distro,
if this dir has none. (Why not the CouchNet or Mathnet signing key?
When the key expires and is replaced, best if there aren't any
forgotten multiple copies that surface at inconvenient times.)
- mkdir media.1
cp -p ../13.1/media.1/media ./media.1/media
#You might want to edit the date.
- Oops, somehow I got content.key from Mathnet and it bitched about
"can't verify signature, no public key". Copied in the CouchNet
public key as content.key. How to check:
gpg ./content.key
- $mkr $PWD
#It will ask for the distro secret key password twice.
This is normally the current root password. Once the test signature
is successfully made, only one signature is needed.
- Ignore the report about generic content in suse/setup/descr/*.
- Repeat for $bs (SuSE Build Service).
- Recover Deleted Packages
Now I can run zypper without a zillion
zingers, and install wicked and systemd-sysvinit (provides shutdown and
poweroff commands).
- Off-Site Packages
When the VM was upgraded the default SuSE repos
were not disabled, and some packages are believed to have been downloaded
from them. How to identify them:
- rpm -qa | sort -o /tmp/rpm.oso #On the VM, 2467 packages
- dirs421=`find $di -name 42.1 -print` # On the repo site (Diamond)
- find $dirs421 -name "*.rpm" -printf "%f\n" | sed -e 's/\.rpm$//' | sort -o rpm.421 #7623 packages
- comm -23 rpm.oso rpm.421 > rpm.not421 #930 packages
- The VM was upgraded. Many packages are from the previous OS version
and had no newer version on the DVD. Identify them in a similar way.
- dirs131=`find $di -name 13.1 -print` # On the repo site (Diamond)
- find $dirs131 -name "*.rpm" -printf "%f\n" | sed -e 's/\.rpm$//' | sort -o rpm.131 #35120 packages
- comm -23 rpm.not421 rpm.131 > rpm.offsite
- We end up with 68 packages without an exact match in either repo, plus
837 texlive packages, whose dependencies were messed up in v13.1 and
which I had to generate myself. Some of the non exact
matches have different build numbers, e.g. xroach-12.6.97-1254.2.x86_64
installed, xroach-12.6.97-1248.1.2.x86_64 in repo. I don't know
how this version skew occurred. How many packages on Oso have no
counterpart at all in the repos?
- sed -e 's/-[^-]*-[^-]*$//' rpm.421 rpm.131 | sort -u -o rpm.bn.repos
- sed -e 's/-[^-]*-[^-]*$//' rpm.oso | sort -u -o rpm.bn.oso
- comm -23 rpm.bn.oso rpm.bn.repos > rpm.bn.offsite
- There are only 2 missing packages: crafty (needed by GnuChess)
and libmuparser2_2_4 (needed by librecad, in couchnet.sel). There is
a false positive for gpg-pubkey. On some machines, vlc would be in
this list. I've snarfed these two packages from SBS.
- I think Oso is ready for upgrading from the SuSE Build
Service remote site.
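The same two-stage comparison as one script, added here as an illustration (it is not jimc's tooling): it labels each installed package as an exact match on the mirror, a build-number skew, an imported key (the gpg-pubkey false positive), or truly off-site. The function names and the sample lists are constructed; the leafpad version and the gpg-pubkey id are made up.

```shell
#!/bin/sh
# Added example. The package lists written by write_sample are constructed.
LC_ALL=C; export LC_ALL   # comm(1) needs both inputs sorted in one collation

# Strip "-version-release.arch" with the same sed expression used above.
base_names() { sed -e 's/-[^-]*-[^-]*$//' "$@" | sort -u; }

# classify INSTALLED REPO_LIST...
# Prints one line per installed package:
#   exact   <pkg>  the identical name-version-release.arch is on the mirror
#   skew    <pkg>  the mirror has that package name, but a different build
#   key     <pkg>  gpg-pubkey pseudo-package: an imported signing key
#   offsite <pkg>  the mirror has nothing by that name; trace its origin
classify() (
    installed=$1; shift
    tmp=$(mktemp -d) || exit 1
    sort -u "$installed" > "$tmp/inst"
    sort -u "$@" > "$tmp/repo"
    base_names "$@" > "$tmp/repo.bn"
    # Stage 1: exact matches are lines common to both sorted lists.
    comm -12 "$tmp/inst" "$tmp/repo" | sed -e 's/^/exact /'
    # Stage 2: for the rest, look the bare name up among the mirror's names.
    comm -23 "$tmp/inst" "$tmp/repo" | while read -r pkg; do
        name=$(printf '%s\n' "$pkg" | sed -e 's/-[^-]*-[^-]*$//')
        if [ "$name" = gpg-pubkey ]; then
            echo "key $pkg"
        elif grep -qxF -e "$name" "$tmp/repo.bn"; then
            echo "skew $pkg"
        else
            echo "offsite $pkg"
        fi
    done
    rm -rf "$tmp"
)

# Constructed stand-ins for rpm.oso (rpm -qa on the VM) and for rpm.421 and
# rpm.131 (file names found under the mirror's version directories).
write_sample() {
    cat > "$1/rpm.oso" <<'EOF'
crafty-23.2-10.2.x86_64
gpg-pubkey-00000000-00000000
leafpad-0.8.18.1-1.1.x86_64
wicked-0.6.28-3.1.x86_64
xroach-12.6.97-1254.2.x86_64
EOF
    cat > "$1/rpm.421" <<'EOF'
wicked-0.6.28-3.1.x86_64
xroach-12.6.97-1248.1.2.x86_64
EOF
    cat > "$1/rpm.131" <<'EOF'
leafpad-0.8.18.1-1.1.x86_64
EOF
}

demo=$(mktemp -d); write_sample "$demo"
classify "$demo/rpm.oso" "$demo/rpm.421" "$demo/rpm.131"
rm -rf "$demo"
```

Only the offsite lines need their origin traced by hand; skew lines mean the mirror and the machine disagree on the build and are worth a second look before the dist-upgrade.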
- Distro Upgrade from SBS
We're going to enable the SuSE remote
repos and do zypper dist-upgrade. This means to download and
install all packages which are on the machine already and which have a
newer version in any known repo. These packages will be saved (not tossed
as usual) and then copied to the enterprise mirror, saving a tremendous
amount of work, compared with downloading packages individually.
Particularly on Packman, it's important to install everything over
a short time, e.g. on the same day, because multimedia packages evolve
fairly quickly and may not be installable with back-version supporting
libraries, requiring you to re-download and upgrade the whole multimedia
suite again later.
- On Oso in /etc/zypp/repos.d/jail , check that packman-42.1.repo ,
download.opensuse.org-oss.repo , download.opensuse.org-non-oss.repo
have the right URL and alias, and that keeppackages=1 . If you are
going to need VLC, also check the VideoLAN repo, but it should have
keeppackages=0 since we don't host this software locally.
[Update: it's on Packman and we do keep local copies of
Packman packages.]
ln [dp]*.repo ..
# Make hard link, for easy removal later.
zypper refresh
# It may take a little time to download the package inventories.
find /var/cache/zypp/packages -name "*.rpm" -print
# Should yield no files. If RPMs are found from a previous
attempt at this update, delete them.
audit-pkgs -v -i -c -I |& tee /tmp/aui.log
# Make sure all wanted packages are installed. I have 42 keystone
packages that were missed. Issues:
- General Comments
- When it says "pkg-xxx not found in package names, trying
capabilities", and appears to find the package, this means
that some differently named package provides what was
requested. It would be a good idea to track down the actual
provider and change couchnet.sel to request it rather than the
original name. [Done.]
- 62 new packages to install, (only) 5 to be upgraded. 24.8Mb
to download, 80.6Mb installed.
- Guess what, it installed VLC. I wonder from where. Packman.
- Took about 5 minutes.
- Really Wanted
I really want these items but they were not
found on SBS. I need to do some work to
either find these packages or declare them discontinued. But that
should be after the main upgrade is finished.
- gstreamer-plugins-gl not found -- it is not a separate package.
gstreamer-plugins-bad/42.1 provides
/usr/lib64/gstreamer-1.0/libgstopengl.so
- suspend not found -- probably made obsolete by systemd
features, but I need to be positively sure of that. Provided
by pm-utils in v13.1. This was never found, and was removed
from couchnet.sel. Do systemctl suspend instead.
- openblas not found (unexpected!) This name is for the source
package. All the official libraries seem to be for 32bit.
See below under "Hiding on SBS".
- flashplayerplugin not found (nowhere on SBS). I (actually
Alice) absolutely need flash support, and Adobe's Flash Player
has been kicked off SuSE due to licensing problems, and is a
suppurating wound in the security area anyway. Find this thing
and its dependencies (pepper-flash). Its correct name is
freshplayerplugin and it is on SBS.
- gstreamer-plugins-bad-orig-addon-1.6.1-85.1.x86_64 needs
gstreamer-plugins-bad-1.6.1-85.1.x86_64 from Packman.
Pick solution 1, install all the requested Packman items.
- opensuse-manuals_en not found, available in Japanese.
Check back later or post a request for it.
- Hiding on SBS
These items were found on SBS outside
of the official repo, i.e. the Science sub-repo or developers'
home directories. These will be downloaded by hand.
- abiword, requires libabiword-3_0 and libwps-0_3-3
- abiword-docs not found (not found with abiword above)
- gtk3-metatheme-sonar
- gbrainy (a brain teaser game)
- libopenblas… Installing libopenblasp0,
libopenblas_pthreads0,
libopenblas_serial0 v0.2.15 from the Science sub-repo.
- Not on SBS
These are infrastructure that are
requested in couchnet.sel but not found. I'm removing them from
couchnet.sel . Later I should check that the provided features
either have been moved into the package core (e.g. hyphenation),
or are provided some other way, or are really discontinued.
- libreoffice-hyphen not found (not on SBS)
- libreoffice-thesaurus-en-US not found (thesaurus seems to be gone)
- totem-browser-plugin-gmp not found (not on SBS)
- xfce4-panel-plugin-quicklauncher not found (not on SBS)
- Low-Value Infrastructure
These are nice to have
items or infrastructure. I'm not going to put a lot of effort
into finding them; I'm going to just delete them from
couchnet.sel .
- yast2-backup not found
- yast2-restore not found
- yast2-kerberos-client not found
- yast2-ldap-client not found
- yast2-runlevel not found
- pm-utils not found
- libqdialogsolver1 not found -- Got to be infrastructure, let it go.
- xf86-video-v4l not found -- doesn't seem to be there any more
- fam not found
- tomboy not found (a notes app)
- Items Discovered While Searching
These bear a second
look.
- xfce4-panel-plugin-sensors -- uses libsensors -- in main distro
- xfce4-panel-plugin-battery -- in main distro
zypper dist-upgrade --auto-agree-with-licenses --download-as-needed --no-recommends |& tee /tmp/upgr.log
Issues:
- 41 packages to upgrade, 6 to downgrade, 1176 new, 37 to change
vendor (mostly to Packman). 714Mb to download, 1.6Gb installed.
- A ton of these packages are texlive.
- No problems doing the dist-upgrade. Took about 30 mins.
- Now that the packages are all downloaded and saved, copy them to
the respective sub-repos. About 600 RPMs were snarfed. On Oso:
ls /var/cache/zypp/packages/*/suse/* > /tmp/rpms.ls
The various directory names are shown in the output. But this
glob pattern misses the Packman repo. Now do this
on the repo site (Diamond):
cd /s1/SuSE/SuSE-build/x86_64/42.1/suse
ssync -a oso:/var/cache/zypp/packages/download.opensuse.org-oss/suse/noarch/ ./noarch/
Mind the trailing slash in the source and destination dirs.
Repeat for each directory and architecture.
$mkr $bs
- Packman has three sub-repos. Snarf them like this:
ls /var/cache/zypp/packages/packman-42.1/*/*
#On Oso
Change directory to $cn/suse or $mn/suse and do the ssync command
as for $bs above, for each directory that has content.
$mkr $cn
- Removing the cached files on Oso -- see also the zypper clean command.
find /var/cache/zypp/packages/ -name "*.rpm" -print | xargs -n 25 rm
- There were missing packages that I found and downloaded manually
(listed above). I went through the whole installation and dist-upgrade
procedure again, in which dependent packages were downloaded and copied
to the enterprise mirror. Now Oso has a complete set of packages that
install with no error messages except for missing packages that I
intend to track down and install.
- Removing the off-site repo definitions. Since they were put in place
with hard links, the *.repo files will vanish but the originals in
/etc/zypp/repos.d/jail will still be there.
cd /etc/zypp/repos.d
grep '\[' *.repo #Prints the aliases
zypper removerepo download.opensuse.org-non-oss download.opensuse.org-oss packman-42.1
In this section, for each configuration file that CouchNet/Mathnet has
altered from the default, we compare with the distro-provided default, with
these possible outcomes:
- The entire CouchNet file should replace the distro file. It stays
in the post_jump directory.
- The CouchNet file is entirely obsolete and should be junked. This
is strongly suggested if the distro lacks this file.
- The CouchNet file implements a service or feature that the distro
doesn't have, e.g. network bridging or Jim's firewall. This file
should stay in the PJ directory.
- The distro has evolved so its file is functionally the same as the
CouchNet file. In this case the CouchNet file should be tossed.
- CouchNet has added features or different policies than the distro.
In lucky cases, most or all of the shared code is identical, in which
case the CouchNet file will stay and will replace the distro file.
- For CouchNet added features in a file that differs substantially
in the new version from the distro's old version, we'll have to do some
work to merge the CouchNet features into the new distro file.
The result will go into the PJ directory.
I took a machine with v13.1 on it, upgraded to v42.1, then compared with
v13.1 post_jump files, rather than
comparing with a pristine v42.1 machine, which means that a lot of v13.1
configuration files are already on the machine. If they weren't altered
during the upgrade, I don't have to mess with them (except see *.rpmnew
files, below).
- rpmnew files
When a package is replaced or removed,
configuration files (so designated in the package's spec file) can be
disposed of in several ways:
- If the old file was not altered since installation, it is just
replaced by the new one, or is tossed.
- If it was altered, and the package is being removed, the altered
file is saved as file.rpmorig.
- If it is an "important" file expected to have site-specific
parameters or policy, it is retained unchanged (or rarely with
automated editing), and the new default version goes in as
file.rpmnew. These need to be compared specially.
- If the distro manager makes the opposite choice, the altered
file will be renamed to file.rpmsave, and the new default version
is installed. It can be compared by pushconfig -C/-Q or
overwritten by pushconfig -c (called by post_jump).
- As a late step of post_jump, all the *.rpmsave, *.rpmnew,
*.rpmorig files are tossed; supposedly the base files have been
overwritten where appropriate.
- Copy Old Version
I already had the repo definitions set up,
so I did these steps:
cd /home/post_jump
mv 42.1 xx-42.1
mkdir 42.1
ssync -a 13.1/ 42.1/
rm -r 42.1/etc/zypp #To lose the v13.1 repos
ssync -a xx-42.1/ 42.1/
rm -r xx-42.1
- Compare *.rpmnew Files
There are only
22 rpmnew files.
Here are the outcomes:
- /etc/ntp.conf.rpmnew -- Toss, we're using chrony.
- /etc/ssh/moduli.rpmnew -- Toss rpmnew, we regenerate the moduli
to resist the Logjam exploit.
- /etc/xinetd.d/vnc.rpmnew -- Toss, we use systemd, not xinetd.
$pj/etc/xinetd.d didn't exist anyway, so forget this one.
- /etc/cups/cupsd.conf.rpmnew -- Can keep CouchNet version, but I'm also
saving rpmnew as cupsd.conf.421 to see comments and possible new
features (and stuff that got decommitted, see below).
- /etc/default/grub.rpmnew -- No new features, neatened up comments
in CouchNet version.
- /etc/default/passwd.rpmnew -- No new features, use CouchNet version
- /etc/hostname.rpmnew -- Bogus, use auto generated version
- /etc/lightdm/lightdm-gtk-greeter.conf.rpmnew -- No CouchNet version! Ignore.
- /etc/logrotate.d/apache2.rpmnew -- Use ours.
- /etc/named.conf.rpmnew -- Use ours. Should hostgroup
conditionalization be improved? Make sure dirsvr sites have an
overriding version in /m1/custom/conffiles/etc/named.conf .
- /etc/pam.d.krb114/common-session.rpmnew -- Use ours.
- /etc/pam.d.krb114/sshd.rpmnew -- Use ours.
- /etc/permissions.local.rpmnew -- Use ours.
- /etc/postfix/main.cf.rpmnew -- Use ours.
- /etc/postfix/master.cf.rpmnew -- Use ours.
- /etc/protocols.rpmnew -- rpmnew has 2 items that screw up LDAP. Use ours.
- /etc/pulse/client.conf.rpmnew -- Use ours.
- /etc/rsyslog.conf.rpmnew -- Use ours.
- /etc/ssh/ssh_config.rpmnew -- Use ours, but review man page for new features.
- /etc/ssh/sshd_config.rpmnew -- Use ours, but review man page for new features.
- /etc/systemd/journald.conf.rpmnew -- Use ours.
- /etc/zypp/zypp.conf.rpmnew -- Use ours but retain the new version as
zypp.conf.421, to see comments and new features.
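Before post_jump discards the leftovers, a triage pass can show which ones still carry information. This added example (not pushconfig, and not from the original page) lists every *.rpmnew, *.rpmsave and *.rpmorig under a root and says whether it is identical to the live file, differs from it, or has no live file at all. The tree it runs on and the file contents are constructed.

```shell
#!/bin/sh
# Added example; make_tree builds a constructed directory tree.
LC_ALL=C; export LC_ALL

# leftovers ROOT
# Prints "<state> <suffix> <path of the live file, relative to ROOT>" where
#   same     leftover is byte-identical to the live file (safe to toss)
#   differs  leftover and live file diverge (compare before tossing)
#   orphan   no live file exists (package removed, or file never installed)
leftovers() {
    find "$1" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \
                         -o -name '*.rpmorig' \) |
    sort | while read -r f; do
        base=${f%.rpm*}          # strip the .rpmnew/.rpmsave/.rpmorig suffix
        rel=${base#"$1"}         # path as it would appear on the target
        if [ ! -e "$base" ]; then
            state=orphan
        elif cmp -s "$f" "$base"; then
            state=same
        else
            state=differs
        fi
        printf '%s %s %s\n' "$state" "${f##*.}" "$rel"
    done
}

# Constructed tree: one unchanged default, one site-modified sshd_config with
# a new default beside it, and one saved file whose package is gone.
make_tree() {
    mkdir -p "$1/etc/default" "$1/etc/ssh"
    echo "CRYPT=sha512"           > "$1/etc/default/passwd"
    echo "CRYPT=sha512"           > "$1/etc/default/passwd.rpmnew"
    echo "PermitRootLogin no"     > "$1/etc/ssh/sshd_config"
    echo "#PermitRootLogin yes"   > "$1/etc/ssh/sshd_config.rpmnew"
    echo "server ntp.example"     > "$1/etc/ntp.conf.rpmorig"
}

root=$(mktemp -d); make_tree "$root"
leftovers "$root"
rm -rf "$root"
```

The differs lines are the ones to read by hand, sshd_config and ssh_config in particular, since that is where a new default can silently disagree with site policy.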
- By Hostgroup Files
In $pj/../byhg there are directories named
after hostgroup expressions, and if the target is in that hostgroup,
the files therein are installed on the target. It looks like some of
them need love.
- all-jacinth-diamond-xena -- Move ./etc/named.conf to the main $pj
and rely on /m1/custom/conffiles/etc/named.conf on the dirsvrs.
- all-jacinth-xena -- Move ./etc/resolv.conf to the main $pj; everyone
gets the standard one.
- Subdirs i686 and x86_64 contain only x86_64/usr/lib64/mesa/bin/data
which has/are symlinks to a separately compiled mesademo. This is
going to be superseded by mesademos from the distro. Toss when
v13.1 is gone.
- The dirsvr and pmaster subdirs need to be reviewed when the member
hosts are upgraded.
- Compare Conf Files
65 files differ, 434 files don't differ, total
of 499 files.
- /etc/csh.cshrc -- Use ours
- /etc/csh.login -- Use ours.
- /etc/group -- Use ours and update with groups for pesign and vnc.
- /etc/hosts.allow -- Use theirs.
- /etc/hosts.deny -- Use theirs.
- /etc/insserv.conf -- Use ours.
- /etc/mailcap -- Use ours; the distro doesn't provide one.
- /etc/ntp.conf -- Toss ours.
- /etc/ntp.slave -- Toss ours.
- /etc/passwd -- Use ours and update with users pesign, rpc and vnc.
- /etc/profile -- Use ours.
- /etc/shadow -- Use ours and update with users pesign, rpc and vnc.
- /etc/shells -- Use ours.
- /etc/X11/xdm/GiveDevices -- Use ours.
- /etc/X11/xdm/README.SuSE -- Toss.
- /etc/X11/xdm/README.security -- Hasn't changed in 11 years. Use ours.
- /etc/X11/xdm/RunChooser -- Not used on CouchNet or Mathnet. Toss ours.
- /etc/X11/xdm/TakeDevices -- Use ours.
- /etc/X11/xdm/Xreset -- Toss ours, use theirs.
- /etc/X11/xdm/Xresources -- Use ours.
- /etc/X11/xdm/Xsession -- Use ours.
- /etc/X11/xdm/Xsetup -- Use ours.
- /etc/X11/xdm/Xstartup -- Use ours.
- /etc/X11/xdm/Xwilling -- Toss ours, use theirs.
- /etc/X11/xdm/sys.xsession -- Use ours.
- /etc/apache2/conf.d/Mathnet-ssl.incl -- Use ours, and fix up the
cipher suite, Apache/OpenSSL rejected the ciphers used with v13.1.
[Done, DEFAULT is no longer an allowed alias, use ECDSA:RSA:!eNULL
instead.]
- /etc/apache2/conf.d/Mathnet.conf -- Use ours but copy from Oso, it has a fixup.
- /etc/apache2/conf.d/manual.conf -- Use theirs, toss ours.
- /etc/default/grub -- Use ours. Edit GRUB_DISTRIBUTOR to say "SuSE 42.1".
- /etc/init.d/cups -- Rely on the systemd unit file and its wrapper. Toss our /etc/init.d/cups .
- /etc/init.d/named -- Use ours. This should be converted to a systemd unit file.
- /etc/init.d/ntp -- Toss ours, we use chrony.
- /etc/init.d/rpmconfigcheck -- Use ours.
- /etc/logrotate.d/ntp -- Toss ours.
- /etc/pam.d.krb114/atd and 10 others -- Use ours.
- /etc/sysconfig/cron -- Use theirs.
- /etc/sysconfig/displaymanager -- Use ours.
- /etc/sysconfig/keyboard -- Use theirs.
- /etc/sysconfig/locate -- Use theirs.
- /etc/sysconfig/mouse -- Use theirs.
- /etc/sysconfig/nfs -- Use ours.
- /etc/sysconfig/ntp -- Toss ours.
- /etc/sysconfig/suseconfig -- Use ours.
- /etc/sysconfig/syslog -- Use ours.
- /etc/zypp/repos.d/template/Couch-Update-non-oss-42.1.repo -- Copy from Oso which has a fixup.
- /etc/zypp/repos.d/template/Couch-Update-oss-42.1.repo -- Copy from Oso which has a fixup.
- /var/lib/postfix/master.lock -- Use ours. The Postfix files are only pushed during post_jump by pushconfig -a.
- /var/lib/postfix/prng_exch -- Use ours.
- /var/lib/postfix/smtp_scache.db -- Use ours.
- /var/lib/postfix/smtpd_scache.db -- Use ours.
- /var/log/inventory.dat -- Use ours. (Oink. Ignore extensive reported content.)
- /etc/apache2/backup.pln -- Use ours.
- Cruft Removal
I reviewed all the post_jump configuration
files (for v42.1) and tossed obsolete ones. Not too many. At the end of
this document there is a list of items to be worked on later, and one item
is to go over the LSB scripts in /etc/init.d and convert them to systemd
units, as much as possible.
- Test Upgrading
Supposedly we can now successfully upgrade
a machine using the local enterprise mirror and configuration files.
The following procedure is slightly edited according to later experience.
The first time through, $target refers to Oso, but it's presented that
way because this section is going to be followed for the production
machines.
- Save Oso's disc as it is now. [Done.]
- Restore Oso's disc as v13.1. [Done.]
backup-host
#For a production machine, you may want to do a special backup.
- Make sure the target host is in the hostgroups for the new distro
version and its correct architecture. This was already done for Oso.
systemctl stop restarter.timer
systemctl disable restarter.timer
systemctl stop cronj
systemctl disable cronj
# We don't want to restart daemons or run cron jobs during the
upgrade. Cronj is jimc's special version of cron (CouchNet only).
- See this bug report about grub. Before
beginning the upgrade, edit /etc/default/grub_installdevice and make
sure it's installing itself on the MBR. 99% of the time you want the device to be
(hd0), not e.g. (hd0,1) which would install in the root partition's
boot sector.
audit-repos -v -r 42.1 -i $target
#Execute on master site. Without -r, it uses the (old) version
actually installed on the machine.
cd /scr
#When done in /tmp, it couldn't find .. after the upgrade, so
I changed to a directory that package aaa_base doesn't mess with.
zypper refresh
#On the target (Oso).
zypper --gpg-auto-import-keys dist-upgrade --download-as-needed --auto-agree-with-licenses --no-recommends |& tee /scr/dist-upgr.log.1
#See the next paragraph for agonizing details.
- Reboot. Does it fall on its face? Yes, see below for how to boot if
you didn't edit /etc/default/grub_installdevice to install in the MBR.
- When testing on Oso I re-did the dist-upgrade. It upgraded another
package, removed 94, and changed the vendor (mostly Packman to
OpenSuSE) of 74. This might be a good idea on production machines
also.
post_jump -r 42.1 [-g workstation] $target |& tee $j/jump.$target
#On the master site of course.
- Reboot again.
checkout.sh
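The grub_installdevice check from the procedure above, written out as an added example (it is not one of jimc's scripts). It assumes the file names one install target per line, in GRUB notation or as a /dev/sdX or /dev/vdX path; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upgrade check of /etc/default/grub_installdevice.
# Assumption: one install target per line, in GRUB notation such as (hd0)
# or (hd0,1), or as a /dev/sdX or /dev/vdX path; any other line (flags,
# comments, blanks) is not a device and is skipped.

# classify_grub_device DEVICE -> prints mbr, partition or other
classify_grub_device() {
    case "$1" in
        \(hd[0-9]*,*\))         echo partition ;;  # (hd0,1): partition boot sector
        \(hd[0-9]*\))           echo mbr ;;        # (hd0): whole disk
        /dev/[sv]d[a-z])        echo mbr ;;        # /dev/vda
        /dev/[sv]d[a-z][0-9]*)  echo partition ;;  # /dev/vda1
        *)                      echo other ;;
    esac
}

# check_installdevice FILE
# Returns 0 if every listed target is a whole disk, 1 if any target is a
# partition, 2 if the file names no target at all.
check_installdevice() {
    cid_seen=0
    cid_bad=0
    while IFS= read -r cid_line || [ -n "$cid_line" ]; do
        # Trim surrounding whitespace before classifying the line.
        cid_line=$(printf '%s\n' "$cid_line" |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $(classify_grub_device "$cid_line") in
            mbr)
                cid_seen=$((cid_seen + 1))
                echo "ok    $cid_line installs to the MBR" ;;
            partition)
                cid_seen=$((cid_seen + 1))
                cid_bad=$((cid_bad + 1))
                echo "WARN  $cid_line installs to a partition boot sector" ;;
        esac
    done < "$1"
    if [ "$cid_seen" -eq 0 ]; then
        echo "WARN  no install target listed in $1"
        return 2
    fi
    [ "$cid_bad" -eq 0 ]
}

# Constructed sample: the layout that fails to boot after the upgrade.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '(hd0,1)' 'activate' > "$demo"
check_installdevice "$demo" || echo "fix the install target before dist-upgrade"
rm -f "$demo"
```

On a real host, run check_installdevice /etc/default/grub_installdevice before zypper dist-upgrade.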
- Post_jump and Checkout Issues
The first time this was run
on Oso, I hit these issues:
post_jump -r 42.1 [-g workstation] oso
Issues encountered:
- -g is only for Mathnet. -r 42.1 is needed because the default
comes out of /home/post_jump/current which is 13.1.
- post_jump tries to do /etc/init.d/sshd reload and that file
is gone. Changed to systemctl reload sshd. Several other
/etc/init.d/$service similarly fixed.
- texlive-scheme-medium could not be installed, why? It's on SBS
and should have been downloaded. I installed it (and 822 dependent
packages, oink! Of which only 7 were absent from the enterprise
mirror.)
- xdm.service has no unit file, can't enable (??) It is very
helpfully called /usr/lib/systemd/system/display-manager.service,
alias is xdm.service. It starts /usr/lib/X11/display-manager
which is a script that obeys /etc/sysconfig/displaymanager, with
xdm as the default.
- multi-user.target (for runlevel 3) is wanted statically and cannot
be disabled. Probably graphical.target (runlevel 5) depends on
it, where it was separate in v13.1.
[Fixed in /m1/custom/scripts.dat ]
- /etc/logrotate.d/ has several scripts referring to /etc/init.d.
In $pj I converted them all to use systemd, and will reinstall.
- I fixed these, then did post_jump again.
- Upgrade final test -- I restored Oso's v13.1 disc and went through
the whole procedure again, minus SuSE servers, after fixing issues
from checkout.sh (see next paragraph).
- It wouldn't install
texlive-scheme-medium. Total tangle; various packages declared that
other packages were obsolete, that other packages required. I fixed
this for v13.1.
- It turned out that I could copy the hacked packages
from $cn for v13.1 in to $cn for v42.1, and the 2015 TeXlive would go
on with no complaints at all. List of packages:
- texlive-collection-basic-2013.74.svn30372-50.2.noarch.rpm
- texlive-collection-binextra-2013.74.svn30307-50.2.noarch.rpm
- texlive-collection-htmlxml-2013.74.svn30307-50.2.noarch.rpm
- texlive-collection-latex-2013.74.svn30308-50.2.noarch.rpm
- texlive-collection-metapost-2013.74.svn30387-50.2.noarch.rpm
- texlive-collection-xetex-2013.74.svn30396-50.2.noarch.rpm
- texlive-extratools-2013.74-50.2.noarch.rpm
- Starting over from the beginning:
2509 packages to upgrade, 113 to downgrade, 382 new, 9 to reinstall,
49 to remove, 72 to change vendor, 4 to change arch.
Compressed 1.75Gb, installed 1.2Gb added. 3032 total packages.
Took 36 minutes.
post_jump -r 42.1 oso
# Took 6 minutes. About 5 packages to install, the ones requested
in couchnet.sel but which haven't been found in SBS. For package
removal, it proposed to toss quite a lot of stuff, but much was
actually required, and it ended up removing nothing. I have my
doubts that every package is actually required. There are 655
packages to be removed, and 334 of them could have been removed
successfully one at a time. When I later ran audit-pkgs -v -e -c,
634 packages were removed.
checkout.sh -- Passed all test groups. (First I
restored the fixed /etc/apache2/conf.d/oso.conf and restarted
Apache.)
- checkout.sh -- Discrepancies found the first time it was run:
- It complains about the circular dependency of
rescue.{service,target} and sysinit.target. What can we do but
ignore this? Actually, put a Band-Aid on the bug! Success:
I copied /usr/lib/systemd/system/sysinit.target to
/etc/systemd/system/sysinit.target , then hacked it to not be
after emergency.{service,target} and that broke the circular dependency.
- Network: OK including DNS.
- /usr/lib/sasl2/cgi-helper can't load libsasl2.so.2 . This is
a 32bit program. The missing library is in cyrus-sasl-32bit in
v13.1, but not in v42.1. It's in libsasl2-3 (for libsasl2.so.3)
and SBS does not have the back version libsasl2-2.
The cure is going to be to recompile this program. Requires
cyrus-sasl-devel. That fixed it.
- apache2 is not running. /etc/apache2/conf.d/oso.conf line 53:
an Order command that got unfixed when I restored Oso's
v13.1 incarnation. Works now (and I saved a copy of the fixed
conf file).
- With these fixes, Oso passes all functional tests.
- User experience check, see section below.
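Two of the discrepancies above (calls to /etc/init.d scripts that are gone, and the Apache Order command) can be caught before post_jump pushes the files. This is an added example, not jimc's post_jump or checkout.sh; it assumes a staged configuration tree that mirrors the target filesystem, and it also reports Allow, Deny and Satisfy, the sibling Apache 2.2 directives. The function names and sample files are hypothetical.

```shell
#!/bin/sh
# Added example, not jimc's post_jump or checkout.sh.
# Assumption: the staged configuration tree mirrors the target filesystem,
# so ROOT/etc/init.d holds whichever LSB scripts are still shipped.

INITD_RE='/etc/init\.d/[A-Za-z0-9_.@-]+[[:space:]]+(start|stop|restart|reload|try-restart|status)([^a-z-]|$)'

# audit_initd_calls ROOT
# For each "/etc/init.d/<svc> <verb>" call found outside ROOT/etc/init.d,
# say whether the script still exists and print the systemctl equivalent.
audit_initd_calls() {
    aic_root=$1
    find "$aic_root" -type f ! -path '*/etc/init.d/*' \
        -exec grep -nE "$INITD_RE" /dev/null {} + 2>/dev/null |
    while IFS=: read -r aic_file aic_line aic_text; do
        aic_call=$(printf '%s\n' "$aic_text" | sed -n \
            's#.*/etc/init\.d/\([A-Za-z0-9_.@-]*\)[[:space:]]\{1,\}\([a-z-]*\).*#\1 \2#p')
        aic_svc=${aic_call% *}
        aic_verb=${aic_call#* }
        if [ -e "$aic_root/etc/init.d/$aic_svc" ]; then
            aic_state='script kept'
        else
            aic_state='script GONE'
        fi
        echo "$aic_file:$aic_line: $aic_state: use 'systemctl $aic_verb $aic_svc'"
    done
}

# audit_apache22_acl ROOT
# List Apache 2.2 access-control directives in *.conf and *.incl files.
# Apache 2.4 rejects them unless mod_access_compat is loaded.
audit_apache22_acl() {
    find "$1" -type f \( -name '*.conf' -o -name '*.incl' \) \
        -exec grep -nEi \
        '^[[:space:]]*(Order[[:space:]]+(allow|deny)|(Allow|Deny)[[:space:]]+from|Satisfy[[:space:]])' \
        /dev/null {} + || :     # grep exits 1 when nothing matches
}

# audit_tree ROOT: print all findings; return 1 if there are any.
audit_tree() {
    at_out=$(audit_initd_calls "$1"; audit_apache22_acl "$1")
    [ -z "$at_out" ] && return 0
    printf '%s\n' "$at_out"
    return 1
}

# Constructed sample tree: one call to a removed script, one call to a
# script that was kept, and one Apache 2.2 style access block.
make_sample_tree() {
    mkdir -p "$1/etc/init.d" "$1/etc/logrotate.d" "$1/etc/apache2/conf.d"
    : > "$1/etc/init.d/named"
    printf '%s\n' '/var/log/example.log {' '    postrotate' \
        '        /etc/init.d/sshd reload' '    endscript' '}' \
        > "$1/etc/logrotate.d/example"
    printf '%s\n' '/etc/init.d/named restart' > "$1/etc/example-restart.sh"
    printf '%s\n' '<Directory "/srv/www/htdocs">' '    Order allow,deny' \
        '    Allow from all' '</Directory>' \
        > "$1/etc/apache2/conf.d/example.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_tree "$demo" || echo "staged tree still carries v13.1 leftovers"
rm -rf "$demo"
```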
- Zypper Soap Opera
The dist-upgrade did not go as smoothly as
desired. Here are the issues found:
- texlive-collection-htmlxml requires texlive-jadetex, the upgraded
version is uninstallable (why). Break the collection by ignoring
the dependency on jadetex. [See below for why it was uninstallable.]
- texlive-jadetex depends on texlive-jadetex-bin, which it didn't
before, and that package is not in our SuSE-build repo, which makes
jadetex uninstallable. Got it. No further dependencies.
Yeah, sure.
- 1590 packages to upgrade, 105 to downgrade, 277 new,
1 to reinstall, 60 to remove, 61 to change vendor,
4 to change arch.
- java-1_7_0-openjdk and about 100 others are going to be downgraded.
We're supposed to have java-1_8_0-openjdk. I assume that
java-1_7_0-openjdk will be tossed during audit-pkgs -e (in
post_jump).
- The master-boot-code is changing architecture from i586 to x86_64.
- I cancelled the upgrade, snarfed the missing package, and started
over (from zypper refresh). But that didn't make jadetex
installable, hiss, boo! I started the upgrade.
- File './suse/x86_64/ffcall-1.10-9.2.x86_64.rpm' not found on
medium 'http://distro.cft.ca.us/SuSE-build/x86_64/42.1' --
I aborted the upgrade. This is a binary package for Common Lisp.
- I turned on SuSE repos and did the upgrade again.
- This time it's installing a lot more packages with no complaints:
2508 packages to upgrade, 120 to downgrade, 374 new,
1 to reinstall, 45 to remove, 70 to change vendor,
4 to change arch. Total 3019 packages.
- But it still looks for ffcall on our SBS repo and it's not there
(really). $bs/suse/setup/descr/packages.gz says it's there;
it lies; why? Because there's an x86_64 subdir of the x86_64 arch
dir, oopsie! The file is in there.
I must have omitted/added a trailing slash where
it should not have been. And that's where texlive-jadetex-bin
was hiding too. I moved the content to the correct place,
and rebuilt the distro. No other sub-repos were affected.
- Trying it yet again: Started 17:42. Done 18:40 (1 hour).
No error messages.
- 1023 packages were downloaded from SuSE Build Service. At least
one is going to be tossed during post_jump. Anyway I copied them
into the enterprise repo. Including xfishtank and xroach.
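The ffcall hunt above comes down to an index that names a path and a tree that holds the file one directory deeper. This added example (not part of the original page or of jimc's tools) checks a list of repo-relative paths against the tree, finds the doubled arch directory and moves its content up. The plain-text index file is a constructed stand-in for packages.gz, the function names are hypothetical, and rebuilding the repo metadata afterwards is not covered.

```shell
#!/bin/sh
# Added example. Assumption: INDEX is a plain list of repo-relative paths,
# one per line, standing in for what the real package index claims.

# verify_index ROOT INDEX: report listed files that are absent from ROOT,
# and where a file of the same name actually sits. Returns 1 on any finding.
verify_index() {
    vi_root=$1
    vi_bad=0
    while IFS= read -r vi_rel || [ -n "$vi_rel" ]; do
        [ -n "$vi_rel" ] || continue
        vi_rel=${vi_rel#./}
        [ -f "$vi_root/$vi_rel" ] && continue
        vi_bad=$((vi_bad + 1))
        vi_hit=$(find "$vi_root" -type f -name "${vi_rel##*/}" | head -n 1)
        if [ -n "$vi_hit" ]; then
            echo "MISPLACED $vi_rel -> ${vi_hit#"$vi_root"/}"
        else
            echo "MISSING $vi_rel"
        fi
    done < "$2"
    [ "$vi_bad" -eq 0 ]
}

# find_nested_arch_dirs ROOT: print directories named like their parent
# (x86_64/x86_64), the trace of a copy with a wrong trailing slash.
find_nested_arch_dirs() {
    find "$1" -type d | while IFS= read -r fa_dir; do
        fa_parent=${fa_dir%/*}
        if [ "${fa_parent##*/}" = "${fa_dir##*/}" ]; then
            echo "$fa_dir"
        fi
    done
}

# flatten_nested_dir DIR: move DIR's content into its parent without
# overwriting anything, then remove DIR if it is empty.
flatten_nested_dir() {
    fn_dir=$1
    fn_parent=${1%/*}
    for fn_f in "$fn_dir"/*; do
        [ -e "$fn_f" ] || continue
        if [ -e "$fn_parent/${fn_f##*/}" ]; then
            echo "SKIP ${fn_f##*/}: already present in $fn_parent" >&2
            continue
        fi
        mv "$fn_f" "$fn_parent/"
    done
    rmdir "$fn_dir" 2>/dev/null || echo "left $fn_dir in place (not empty)" >&2
}

# Constructed sample repo: ffcall (file name from the error message above)
# sits in x86_64/x86_64; example-1.0-1 is a made-up, correctly placed file.
make_sample_repo() {
    mkdir -p "$1/suse/x86_64/x86_64"
    : > "$1/suse/x86_64/example-1.0-1.x86_64.rpm"
    : > "$1/suse/x86_64/x86_64/ffcall-1.10-9.2.x86_64.rpm"
    printf '%s\n' './suse/x86_64/example-1.0-1.x86_64.rpm' \
        './suse/x86_64/ffcall-1.10-9.2.x86_64.rpm' > "$1/index.txt"
}

demo=$(mktemp -d)
make_sample_repo "$demo"
find_nested_arch_dirs "$demo"
verify_index "$demo" "$demo/index.txt" || echo "index and tree disagree"
rm -rf "$demo"
```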
- Rescue System Again
- Press F4 for Network Configuration, pick DHCP.
- Scroll to Rescue System, press enter.
- This time it didn't fixate on the Red Hat Virtio NIC; it used
eth0 from the beginning.
- This time it found the distro server by itself, probably from SLP,
which works on CouchNet. It got the rescue system files, but
slower than usual.
- Keyboard, en_US is preselected, hit Enter.
- It boots the rescue system.
- Log in as root, no password.
- mount /dev/disk/by-label/oso-root /mnt
- for dir in dev sys proc ; do mount -o bind /$dir /mnt/$dir ; done
- Symptoms are similar to before, so I'm going to reinstall Grub.
grub2-install /dev/vda #(not vda1)
- Exit from chroot and unmount everything in reverse order.
- reboot -f #Normal reboot doesn't work
- As before, grub installation was the problem; now Oso is
back on line.
The main point here is to check that old packages are still working and
newly added packages are useful and functional.
- Audio Output
Audio is often hard to get working.
- On the virtual machines, of course there is no sound.
- On Piki, aplay /usr/share/sounds/alsa/test.wav works.
- On Piki, PulseAudio is not running. I don't know if this is because
my system setup is lameass, which is likely since I rarely log in to
this machine's console. After upgrades on other hosts that I use more,
PulseAudio was started as it should be, and plays the sound.
- Firefox and Flash
Is Firefox performing its usual content?
See Jimc's browser
test suite for tests of a range of content.
A particular concern is Shockwave (Adobe) Flash content. Flash is a
dinosaur and is totally proprietary; it should have been junked long ago.
HTML5 is superior in every way. Nonetheless "should have been" is not the
operative word here. The obsolete Flash Player for Linux has been
reincarnated as Pepper Flash by
Google for Chromium, and the
freshplayerplugin acts as middleware to make it useful to Firefox.
Check out Youtube and your favorite brokerage firm to see if the flash
content is being performed.
- Confirmed that flash-player is not on Oso and
/usr/lib64/browser-plugins/libflashplayer.so is not there.
Instead it has libfreshwrapper-pepperflash.so .
- The "out of the box" pages are a commercial for Firefox
private browsing, and openSuSE Search. The latter, when exposed,
has a dippy cartoon of Geeko (the lizard) with animated color
changing scales, and when you have a remote display it saturates
the data link. Hiss, boo.
- Results from jimc's browser tester:
- The Java applet ran successfully, after several queries to the
user that it is not signed and lacks modern metadata, so should
not be trusted. All good.
- JPEG, PNG and GIF images were shown OK.
- PDF was shown using the builtin PDF viewer, presumably Adobe
branded though there was no "about" info.
- Sound files: WAV, Ogg Vorbis, MP3 all play on Piki.
WAV is performed by VLC-Web, and the user has to confirm running
this plugin.
- Movies: These formats played: Ogg Theora, AVI. On Piki,
performance was commensurate with the quality of the originals,
but on the virtual machines they saturated the data link;
nonetheless they were performed in a semblance of
satisfactoriness.
- Movies: These Quicktime sub-formats could not be performed:
RPZA, 3GPP, 3GPP2, Sorenson, MPEG4, MPEG4/iPod, H.264/iPod.
I wonder if the demuxer is wacked; it says the file is corrupt.
All these formats can be played by GStreamer.
- Shockwave (Adobe) Flash Video (not sure of the format version):
Now this is interesting. It used the VLC-Web plugin which
prints diagnostics. Content-Type is video/x-flv. It appears
to be stuffed with mpga (MPEG Audio layer 1/2) which VLC cannot
decode, and h264 (H264 MPEG-4 AVC (part 10)), which VLC also
cannot handle. (Normally, VLC can handle almost anything, and
would be expected to handle those formats.)
- about:addons - Plugins - we have these out of the box:
- OpenH264 Video Codec v1.5.1 by Cisco, always activate.
- Shockwave Flash v20.0.0.228 for mime-type
application/x-shockwave-flash and application/futuresplash.
Via libfreshwrapper-pepperflash.so; always activate.
- IcedTea-Web Plugin v1.6.1 for application/x-java-(all).
Ask to activate.
- VLC Web Plugin v2.2.1 by Terry Pratchett and VideoLAN.
For a zillion mime-types including video/x-flv.
Ask to activate.
- In Preferences - Applications I switched Flash Video to use
/usr/lib64/browser-plugins/libfreshwrapper-pepperflash.so --
Not a good idea; it downloaded the file and fed it to that
shared library without any visible effect. Trying again with
Videos. Same behavior, same result. Trying Parole
(/usr/bin/parole) which uses GStreamer-1.x. This time it
worked, although Firefox has to download the whole file and
it launches Parole in a separate window. Performance was
at a credible rate, though Parole popped a window saying that
the stream was too slow. totem /tmp/starwars.flv also
performed the media, though it flipped into full screen mode
and the data link totally could not handle the traffic.
- Looking at a video on Youtube, performed by fresh. On the VM, some
non-video content was performed, but the video itself, during
setup, totally saturated the data link, and finally died.
On Piki, performance was perfect on several videos, confirmed
to be performed by Flash Player (provenance not made obvious).
- https://www.fidelity.com/ -- They used to have a chart in
Flash on the account summary page; now it's replaced by SVG
(good).
- http://www.cnn.com/ -- Their front page is in Flash, and was
displayed successfully on the VMs. On Piki, several news videos
were performed without error, confirmed performed by Flash
Player (provenance not made obvious).
- Conclusion: On Piki, the Flash kludge passes the test. On the
VMs, where the display is across the net, no Video formats are
satisfactory because the data link is saturated and because OpenGL
is useless; Flash Video is the most unable to adapt to resource
limitations, and eventually dies.
- GStreamer Multimedia
Check if Meow Music Player (by jimc),
Parole for XFCE, and Totem (also called Videos) for Gnome, are functional.
These apps all use GStreamer-1.x.
Conclusion: Piki (a real machine) can run any of the three players
and can perform all the tested audio and video formats except AVI, with
a quality corresponding to the resolution of the video clip. Oso
(virtual) was more spotty. The X-Windows display is across the net and
OpenGL cannot be used, so the data link is more or less overloaded, and
some players and/or codecs react very badly.
Testing on Oso (virtual) with meow.sh,
these video formats played: Ogg Theora.
Quicktime videos stuffed with these formats played:
RPZA, 3GPP, 3GPP2, Sorenson, MPEG-4, MPEG-2, MPEG-4/iPod, H.264/iPod.
These video formats failed: AVI.
These audio formats played (though no virtual sound was heard from the
virtual sound card on the virtual machine): MP3, Ogg Vorbis. They did
their thing for the expected length of the track used, whereas my
experience is that when they fail, they do it right away.
Repeating the test on Piki: these formats actually produced sound, and
the listed video formats (except AVI) again played, with audio.
Parole on Oso (virtual) failed to play the MPEG-2, claimed a decoding
error. It showed the first frame
of the Ogg Theora, then shut down with no error message. It uses
GStreamer-1.0 (libgstreamer-1_0-0-1.6.1-61.1.x86_64), why did it have
a different outcome from meow.sh, which calls /usr/bin/gst-launch-1.0
(same version)? Repeating the test on Piki (real): all formats played
successfully with audio, except AVI.
Totem on Oso (virtual) played Ogg Theora, though it started in nearly
full screen mode and overloaded the data link. Other formats not tested.
Repeating the test on Piki (real): all formats played
successfully with audio, except AVI.
- Grivet Music Service
Go through the chain of interdependent
services by which CouchNet delivers streaming audio. Aurora has most of
this toolchain and is in a hot standby mode. Can't test on Oso.
- Apache2, which executes…
- Grivet, which starts the sink and source…
- Sox, Lame, EZstream, which reformat the audio source and send it to…
- Icecast, which makes the stream available to…
- Meow, which performs the stream on…
- PulseAudio, which sends the stream to…
- Bluetooth, which delivers the content to the sound module.
Jacinth has the full stack of audio components, and they all work
together to deliver audio from all sources. As a playback node, Piki
performs music hosted on Jacinth, and also the OTA Icecast stream served
from Jacinth. Kermit does the same; this is its primary role.
- MythTV
Check if MythTV still works. Jacinth records programs
on the assigned schedule, using the Hauppauge WinTV 950q DVB device, which
has touchy and flaky drivers. Both Iris and Aurora can perform these
programs.
- Tcl/TK
Jimc relies on Tcl/TK; check if the Tcl apps
still work. Yes, it works. MicroEmacs also works (i.e. has the required
32bit libraries). Tested on both Oso and Piki.
- Wicked and Network Nanny
Needs careful and extensive checking
to see if the new network manager behaves itself. In particular, I need
to find and read the documentation all the way through.
There are man pages for:
- wicked (8) -- You do wicked ifup [options] $ifc etc.
It obeys /etc/sysconfig/network/ifcfg-$ifc configuration files.
It interprets such a file and passes its content to wickedd
and/or Network Nanny.
- wickedd (8) -- It receives reformatted (to XML) ifcfg files
over d-bus and passes them to the kernel, or to various
sub-daemons, including wickedd-nanny, wpa-supplicant, and
the DHCP clients.
- [The function of Network Nanny is to save portions of the
configuration and pass them back to wickedd at the appropriate
time, e.g. first bring up an interface, and then wait for its
link to go live, and only then to set the IP address and/or
start the DHCP client. Network Nanny also remembers the
commanded network state and re-sends it to wickedd in case of
a restart.]
- ifup, ifdown, ifstatus (8) -- For backward compatibility,
basically they do wicked ifup ${args} or similarly for ifdown
and ifstatus.
- wicked-config (5) -- Controls the behavior of the wicked
system, such as which DHCP servers to prefer or blacklist, or
which system aspects can be updated by DHCP data, or scripts
to use to accomplish the updates.
- ifcfg (5) -- Gives the format of generic ifcfg-$ifc files.
- ifcfg-bonding (5) -- The rest of these describe additional
parameters needed for special types of interfaces.
- ifcfg-bridge (5)
- ifcfg-dhcp (5)
- ifcfg-dummy (5)
- ifcfg-macvlan (5)
- ifcfg-macvtap (5)
- ifcfg-ovs-bridge (5)
- ifcfg-team (5)
- ifcfg-tunnel (5)
- ifcfg-vlan (5)
- ifcfg-wireless (5)
- ifroute (5)
- ifsysctl (5) -- This is like /etc/sysctl.conf but applies to
the named interface.
- routes (5)
In a context of pre-made /etc/sysconfig/network/ifcfg-* files,
Wicked and friends have worked with no issues on multiple virtual and
real machines. I assume that Wicked would work equally well on a new
machine whose network was set up with standard tools, e.g. yast2 lan.
My laptop was another story. The admin guide for SLED-12 says you
should enable either Wicked or NetworkManager, not both at the same time.
Wicked does not have enough brain power to handle the dynamic networking
of a typical laptop, and NetworkManager is recommended. My experience
confirms this advice: I disabled Wicked and continued with the existing
NetworkManager configuration.
- Remmina
This is the new remote desktop client. Run through
all the protocol variants and see how well they work.
- Lightdm
See if we can get lightdm to do better than last
time. See: /etc/lightdm/lightdm-gtk-greeter.conf .
- Simple Scan
Check out this new scanner frontend. Pretty
nice. It works. Call as simple-scan net:hostname:pixma . It
actually has a manual which is not too lame (via yelp). It appears to
be written in Java. The one problem is if your scanner is across the
net: you can't just launch it from the menu system; you need to start it
from the command line as indicated above.
- Sound Juicer
Try this new app for ripping CDs.
Sound Juicer is specified for hostgroup user, which does not include
Piki. I installed it specially. Should it be ubiquitous? Only 656kb
installed, plus 1.9Mb for the language pack which I don't install.
Ripping a CD: estimated time about 18 minutes, actual 14 mins.
It uses about 40% CPU on this AMD Athlon 2650e @1.6GHz (1 core).
It was compressing to Ogg Vorbis; also available are FLAC, MP3, AAC.
The program works similarly to the old grip and has a reasonable
user interface and a useful help document (via yelp).
It automatically retrieves album and track metadata (artist and title)
from musicbrainz.org.
By default it delivers tracks to ~/Music with folders for the album
artist, the album title, and the track within that. There is a limited
set of track filename formats, which are probably fine for standard
music players, but I'm going to have to rename them by hand
to fit what Grivet wants to see.
The one problem I hit was with an album not on MusicBrainz; Sound
Juicer claimed that the disc was "not mounted". The help file says
you should be able to fill in the metadata by hand (and send it to
MusicBrainz).
- Shotwell
Organize some photos; see if I like this app.
In the jump from SuSE 9.3 to 10.1 (I think), they changed the compression
algorithm in the RPM files, and the back-version zypper could not read
new RPMs. At that time I created instsetup, which creates an image of a
chroot jail stuffed with the new version's zypper. It worked well. However,
it's extra work and complication to maintain this program.
I've found that I can successfully make the back version zypper do a
dist-upgrade from v13.1 to v42.1, and it's somewhat less scary, and about the
same amount of work, if I bypass instsetup and do the key steps by hand.
Best laid plans etc. Several machines need to change architecture from
i586/i686 to x86_64 and I really doubt that I can make this happen while the
operating system is running. So I am going to have to set up
instsetup.
I will do the work for this on Petra, my i686 VM for testing distro upgrades.
- Create Installer Image
The command has to be executed on a
machine with the future architecture (x86_64) and preferably upgraded to
the new OS version. That means execute on Oso. You will need a SSH
agent on Oso because it is going to mount the distro directory using
sshfs (FUSE). The command is:
instsetup -J -v
If it asks you for a password, and later maunders about "transport
endpoint not connected", the FUSE mount is hosed (due to failure to
authenticate). To recover, look in /proc/mounts for the FUSE mount, then
fusermount -u /tmp/instsetup.oso.0/pjdir
#(or whatever mount point).
Installing 107 packages in the installer image, which ends up at
oso:/var/cache/instsetup.jail.x86_64.42.1/ (176Mb, oink).
Copy that dir to the same name on the master site (Diamond).
- Virtual Machine
I prepared Petra similar to what I did for
Oso, q.v.
- Rearranged petra.xml similar to what I did for Oso. Changed
architecture to x86_64 (i686 OS still runs). The disc has about 13Mb;
will I need to enlarge it? Oso's disc has 6.0Gb occupied; don't need
to expand.
- A year of updates: 284 packages.
- I installed updated config files, and ran audit-scripts.
- Saving the disc, 4.2Gb compressed:
gzip -c disc1.raw > disc1.131final.gz
- Hostgroup
Put the target host in the hostgroups for its
new architecture and OS version.
- Emplace Installer
Command line is:
instsetup -h petra -d /m1/boot421 -D hd0,msdos2 -p wouldntyouliketoknow -a x86_64 -r 42.1 -R -E eth0 -v
See /usr/math/etc/instsetup for the command line arguments. The
program used to fail to get the -E argument right on a VM and it was
recommended to specify it explicitly as -E eth0. But instsetup has been
fixed to omit netdevice entirely unless -E is specified, so just omit -E.
Items that need to be fixed up:
- It messed up audit-repos, causing it to use the old (13.1) ones.
[Fixed.]
- Failed to add distro.cft.cft.ca to /etc/hosts: readonly filesystem (??)
This is the outside /etc/hosts. [Fixed.]
- Failed to get gpg-pubkey-3dbdc284-4be1884d from main distro. Or SBS.
This is the old key, should be getting gpg-pubkey-3dbdc284-53674dd4 .
[Fixed by making it look in the new repo.]
- Execute Installer
- First phase: replaced glibc and kernel-default for the old architecture
and version with the new ones, plus some miscellany.
- Second phase: 1168 packages to upgrade, 84 to downgrade, 235 new,
168 to remove, 57 to change vendor, 1234 to change arch.
Overall download size: 957.5 MiB, adding 400.2 MiB to installed size.
1634 total packages. Flash Player was the very first to be tossed.
- Third phase: 1069 packages to upgrade, 14 to downgrade, 111 new,
80 to reinstall, 17 to remove, 80 to change vendor, 78 to change arch.
Overall download size: 658.4 MiB. Adding 583.5 MiB to installed size.
1286 total packages.
- Final phases found the correct kernel and bootloader, so did not
reinstall them.
- Oopsie, it disabled network.service and did not re-enable Network
Nanny and friends. [I brought up the net by hand. Fixed instsetup
to enable Wicked and friends.]
- Second Distro Upgrade
The second upgrade reinstalled and
changed the vendor of 82 packages, a lot of Packman to OpenSuSE.
A repeat of the same command did exactly the same thing to the same
packages. This is very strange. I wonder if there was anything wrong
with them in the first place.
- Post_jump
Added 101 packages, removed 328 packages.
Why did post_jump claim that Petra has v13.1?
Failed to install chrony (got it from SBS) and libdvdcss2.
- Checkout.sh
Both VMs cannot start vsftpd because they
cannot find/read the (nonexistent) host certificate (for FTP over TLS).
Other discrepancies were fixed with no problems: rpmconfigcheck, and
missing chrony package in the repo.
Conclusion: I'm ready to sic instsetup on a real machine, Piki.
Here's the schedule to upgrade the production machines. For several
of them, see separate sections later with gory details on the upgrade
including discrepancies encountered and fixed.
Oso (virtual): I'm doing this one repeatedly to get the package
selection and configuration files right. I think the new distro is
finally ready to graduate from the virtual machine.
Petra (virtual): This VM was used to get instsetup back into shape.
Petra started out as i686 and got both its OS version and its architecture
upgraded successfully.
Piki (audio standby): Of the real machines this one goes first because
it is in a standby role, having been replaced for audio performance by
Kermit. It has its own monitor, so user experience tests will be more
realistic.
Nasty little detail: having only 2Gb memory, Piki's OS is for i586
architecture. I get to force it over to x86_64.
See the separate section below about
details upgrading Piki.
Xena (jimc's laptop): It's probably best if Jimc starts eating his own
dogfood as early as possible, to detect user experience problems. Also,
Xena is one of the three directory servers (it's a server because jimc
needs to exist even though there is no connection to CouchNet). It's
going to be a lot safer to tempt sleeping dragons in the directory server
area when nothing but this machine relies on the directory working in
v42.1.
See the separate section below about
details upgrading Xena.
Diamond (distro master): It's easier all around once the distro master
gets upgraded, since post_jump has to skip some steps if it's not.
However, you need to edit the repo definitions so it takes packages
directly off its own disc, rather than relying on Apache to send them to
itself while you're upgrading Apache. See instsetup for instructions.
Post_jump also has instructions for how
to run post_jump in that mode, but since post_jump is not going to
affect Apache, likely you can post_jump Diamond in the normal way.
See the separate section below about
details upgrading Diamond.
Aurora (Myth box standby): This is the old MythTV (home theater)
machine and gives a good preview whether MythTV will be OK in the new OS.
(Best laid plans… due to scheduling issues I had to update
Jacinth before Aurora.)
Aurora currently has i586, needs to change to x86_64, and Myth specifically
will need to change architecture. Idea: set it up like Iris and make
Aurora useful.
Package discrepancies on Aurora:
- Get these out of extra.sel; some may be bogus 32bit packages:
vlc-aout-pulse vlc-gnome yast2-irda
suspend apcupsd dvb provider lame Xdialog darkice icecast
- libdvdcss2 -- turned into libdvdcss; still need to download
this package.
- MythTV-0_26 is requested; change to 0.27.
- All done.
checkout.sh discrepancies:
- rpmconfigcheck [fixed]
- Mythbackend is wanted but failed (not installed). Turn off, and
install only mythfrontend-0_27.
- apache2 won't start. Changed Order command to Require.
- After fixes, passes all test groups.
Jacinth (directory master and router): Jacinth should be started
on a Saturday when there are no major commitments involving the Internet,
with the possibility to drag into Sunday. Jacinth has about 35 services,
each of which has to be tested, and debugged if messed up.
See the separate section below about
details upgrading Jacinth.
The remaining three machines should not
have additional problems beyond what has been encountered and solved
previously.
Claude (virtual webserver): Upgraded, with two hiccups: first, I
forgot to reinstall grub and had to use the rescue system. Then, IPv6
did not come up and network-wait waited a long time before timing out.
The issue there was, if eth0 is in a bridge and has an IP address (4 or 6),
it eats packets. Most hosts have a bridge with eth0 in it, so
/etc/sysctl.conf says net.ipv6.conf.eth0.accept_ra=0 to ignore router
advertisements, from which the IPv6 address could be configured.
This of course has a bad effect on a virtual machine (with no bridge).
I turned on accept_ra, and copied /etc/sysctl.conf into
/m1/custom/conffiles/etc/ .
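A check for the accept_ra mismatch that bit Claude, as an added example (not one of jimc's scripts). It applies the policy from the paragraph above: accept_ra=0 when the interface is a bridge port, accept_ra on otherwise. It assumes that sysfs marks a bridge port with a brport entry and that an unset value means the kernel default of 1; the function names and the SYSFS argument are hypothetical, the latter existing only so the check can run against a fake tree.

```shell
#!/bin/sh
# Added example. Assumptions: /sys/class/net/<ifc>/brport exists when <ifc>
# is enslaved to a bridge; an accept_ra value missing from the file means
# the kernel default (1, with forwarding disabled) applies.

# wanted_accept_ra IFC [SYSFS] -> 0 for a bridge port, 1 otherwise
wanted_accept_ra() {
    if [ -e "${2:-/sys}/class/net/$1/brport" ]; then echo 0; else echo 1; fi
}

# configured_accept_ra FILE IFC -> last value set for IFC, empty if unset
configured_accept_ra() {
    sed -n "s/^[[:space:]]*net\.ipv6\.conf\.$2\.accept_ra[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p" "$1" |
        tail -n 1
}

# check_accept_ra FILE IFC [SYSFS]: return 0 when FILE agrees with the policy
check_accept_ra() {
    car_want=$(wanted_accept_ra "$2" "$3")
    car_have=$(configured_accept_ra "$1" "$2")
    [ -n "$car_have" ] || car_have=1          # unset: kernel default
    # Any nonzero value accepts router advertisements.
    if [ "$car_have" -eq 0 ]; then car_on=0; else car_on=1; fi
    if [ "$car_on" -eq "$car_want" ]; then
        echo "$2: accept_ra=$car_have matches the policy"
        return 0
    fi
    echo "$2: accept_ra=$car_have, but the policy wants $car_want"
    return 1
}

# Constructed sample: the bridged hosts' sysctl.conf copied onto a VM
# whose eth0 is not in a bridge.
demo=$(mktemp -d)
mkdir -p "$demo/sys/class/net/eth0"
printf '%s\n' 'net.ipv6.conf.eth0.accept_ra=0' > "$demo/sysctl.conf"
check_accept_ra "$demo/sysctl.conf" eth0 "$demo/sys" ||
    echo "IPv6 autoconfiguration is off on an unbridged interface"
rm -rf "$demo"
```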
Iris (home theater): Discrepant packages for Iris:
- k3b was installed (plus KDE infrastructure); I don't really want this.
- apcupsd missing -- was installed. The package overwrites
/etc/apcupsd/apcupsd.conf (no rpmnew/rpmsave); need to restore from
backup. [Done.]
- libshout3-32bit is wanted and should not be. Probably for the
32bit /usr/local/bin/icecast, which has been deleted.
- oggvideotools not available.
- vlc-gnome not installable. Toss.
- yast2-irda -- get rid of this, from couchnet.sel.
- After the above fixups, and cleaning up scripts.extra, Iris
passes all test groups in checkout.sh.
Kermit (audio player): Currently has i586, needs to change to x86_64.
Discrepancies found by checkout.sh:
- Icecast did not start. Because it is not installed. In its
current role, Kermit does not need Icecast. Toss.
- There were a bunch of obsolete packages that were removed.
- After fixup, Iris passed all test groups.
Grivet on Kermit does play music, same as it did in v13.1.
Now (2014-12-20) all hosts on CouchNet, including virtual hosts,
have OpenSuSE 42.1 and x86_64 architecture, and pass the tests in
checkout.sh. A few items remain to be cleaned up:
- Printing from machines other than Diamond. [Fixed.]
- I want to get lightdm (display manager) deployed and looking
decent. [Done.]
- If we're using XDM, the bootbox is no longer functioning, and
the font in the greeter needs to be bigger. [Gone.]
- Duplicate logrotate entry for chrony logs. [Fixed.]
- The installer botched network setup. I went into manual mode;
it picked eth0 and succeeded. (A) should we omit the -E NIC name?
(B) Should we specify eth0 explicitly?
(C) Have they reverted from the bus geometry based NIC names?
I altered instsetup to omit the netdevice (-E) unless it is specified
explicitly. Watch this space to see if that was effective.
[Apparently so.]
- Upgrade and architecture change succeeded (instsetup).
- /boot/grub2/grub.cfg section titles
all refer to SuSE 13.1. These arise from /etc/default/grub.m4
which is transformed by /usr/diklo/lib/daily/grubdflt.J . The version
number in the section title is from the GRUB_DISTRIBUTOR parameter
in /etc/default/grub (.m4) which needs to be updated in the post_jump
directory. [Fixed.]
- Post_jump: installed 80 packages, removed 416 packages. These wanted
packages are still unavailable:
- Xdialog -- Forget this one.
- abiword-docs -- Really unavailable.
- cdrkit-cdrtools-compat
- libdvdcss2 -- On Packman, name seems to have gone back to
libdvdcss.
- libvirt-daemon-driver-xen -- Do not request.
- suspend -- I think it's essential to find this, since Piki
cannot go to sleep now. Wrong -- you're supposed to do
systemctl suspend or poweroff or whatever. Fixed in
jimc's susp2ram script.
- post_jump failed to restart chrony.service, should be
chrony.J.service. [Fixed.]
- systemctl enable cups.service failed, no such file (??)
Also default.target. Could the problem be that when you reenable a
unit that is not enabled, it tries and fails to remove the symlink
that would have enabled it?
- Running housekeeping: chrony cleanup: 501 not authorized.
Due to a bug in v13.1, you had to do chronyc -a -h $HOSTNAME $command;
commands to the default socket were rejected. This bug is now fixed,
but action commands across the net (i.e. to -h $HOSTNAME) are rejected
out of hand. Also -a (look up auth key) is gone. But inquiries like
sources are still allowed if chronyd is configured to listen to the
outside world.
- Housekeeping: /etc/logrotate.d/chrony.J duplicate for /var/log/chrony/*.log
- Housekeeping: suse.de-backup-rc.config: some kind of binary garbage
was given to find. See bug reports.
- Checkout.sh: rpmconfigcheck: cleaned up. Apache2: Order commands
in piki.conf changed to Require all granted/denied. With these fixed,
it passes all tests.
- (On Xena)
systemctl stop restarter.timer
systemctl disable restarter.timer
systemctl stop cronj
systemctl disable cronj
- (On Diamond)
Hostgroup: xena in v42.1 (and install everywhere)
- audit-repos -v -r 42.1 -i xena
- pj=/home/post_jump/42.1
ssync -a $pj/m1/ xena:/m1/ (gets couchnet.sel)
Or: ins -src $pj xena /m1
- (On Xena) Edit /etc/default/grub_installdevice with device (hd0).
- (On Xena)
zypper refresh
- zypper dist-upgrade --auto-agree-with-licenses --download-as-needed --no-recommends |& tee $j/dist-upgr.log
Problem: gstreamer-plugins-bad-1.6.1-85.1.x86_64 requires gstreamer >= 1.6.1,
gstreamer-1.6.1-61.1.x86_64 is uninstallable. Toss gstreamer-devel-1.4.0-3.1.x86_64
Problem: gstreamer-devel-1.4.0-3.1.x86_64 requires gstreamer = 1.4.0,
Toss gstreamer-plugins-base-devel-1.4.0-2.1.x86_64
2887 packages to upgrade, 126 to downgrade, 325 new, 8 to reinstall,
80 to remove, 90 to change vendor, 5 to change arch.
Overall download size: 1.87 GiB. add 1.2Gb to inst size. 3391 total
packages. Started 10:15 done 10:51, 36 mins.
- investigate: pam-config
- ca-certificates -- /etc/ssl/certs/*.pem is "in the way", clean this
up. [Done on all hosts.]
- /usr/bin/ping {,6} 0755 "= cap_net_raw+ep" ; was 4755, check
perms.local [Fixed by itself :-)]
- /etc/postfix/main.cf -- tls_daemon_random_source=/dev/urandom is unused
- /etc/postfix/master.cf -- adding 4 missing entries (save as master.cf.421)
- Fixed /etc/apache2/conf.d/xena.conf (before running checkout.sh)
- reboot.
- Will it boot? Yes.
- Will the network come up? Yes. IPv6 only.
- Wicked and friends are not running.
- systemctl start wicked -- Network goes down, doesn't come up.
- Rebooted, back to IPv6 only.
- post_jump -r 42.1 xena < /dev/null >& $j/jump.xena &
less $j/jump.xena
Installing 94 keystone packages, 245 packages total (incl. pepper-flash)
looks like it installed KDE games like ktuberling . Why? Also gdm.
These were in extra.sel. Tossed.
Tossing 830 packages. Actually removed 810 packages.
- Reboot.
- Will it boot? Yes.
- Will the network come up? Up, then back down.
- Wireless is up, but IPv6 only.
- The eventual cure was to disable Wicked and re-enable NetworkManager.
checkout.sh discrepancies:
- Name collision between network-J and network.J (skipped).
Let's remove /etc/init.d/network.J . Done, fixed.
- IPv4: My addr is 192.9.200.195 on tun0 -- why tun0?
/usr/diklo/sbin/MirrorTunnel.pl was used for bridge replacement, didn't
work, should be turned off. /etc/init.d/network.J starts it.
That is now gone.
- IPv4: Failed pinging default gateway 192.9.200.193 / wlan0
- NetworkManager-dispatcher is wanted, enabled, is this right?
Also NetworkManager itself. Yes, I should have this and not Wicked.
- /sys/bus/pci/devices/0000:04:00.0 wakeup is disabled -- 802.3 NIC
- /etc/pam.d/gdm.rpmorig , also autologin [fixed]
- Checking bridge multicast: 1 (disabled) ..dead
- Service kpropd is failed or stopped.
More discreps:
- dhclient was started by NetworkManager
- wickedd-dhcp4 and wickedd-dhcp6 are both running.
- Both NetworkManager.service and wicked.service have alias network.service .
Try with NetworkManager {,-dispatcher} disabled, wicked reenabled.
- There are 2 bridges, br0 and bridge0, with no members in either.
- br0 has no IP address. bridge0 has 192.9.200.215 (unreachable).
- We have a new wireless driver: iwldvm . No parm to join the bridge.
Trying with NetworkManager* disabled. Bad move, Wicked didn't know to bring
up the network despite what should have been sufficient info in
/etc/sysconfig/network/ifcfg-wlan0. The admin guide for SLED-12 says
use NM or Wicked, not both. OK, Wicked off and NM back on.
Discrepancies reported in daily housekeeping:
- Both br0 and eth0 have the IP address 192.9.200.195. wlan0 refuses
to join the bridge, see discussion and complaints with v13.1.
- Clean up chrony's server history files -- 501 not authorized (twice).
Fixed: password authentication is junked in chrony-2.2 and above.
You need to do just chronyc and not chronyc -a -h localhost.
- /etc/ssl/certs.rpmsave -- Toss. See what it's done with
/etc/ssl/certs : definitely deprecated, maybe permanently gone.
No, it's now a symlink to /var/lib/ca-certificates/pem/ . But junk
/etc/ssl/certs.rpmsave . [Done.]
- /etc/logrotate.d/chrony.J duplicate entry for
/var/log/chrony/measurements.log , permission denied on ..nts.log.4 .
Fixed, needed su chrony chrony and to lose -a -h localhost.
- /etc/cron.daily/suse.de-backup-rc.config -- find: paths must precede
expression -- path(?) was some binary garbage. Oooo, this is a bug!
Better report it. I don't see why it fails -- find command
botches -exec? Anyway, the version on Diamond from v13.1 is better,
doesn't get the bug. I'm installing it on all v42.1 machines.
- Every time you do hostgroup on Jacinth it says
"operator - needs an operand before it". Confirmed that
audit-pkgs -v -i can provoke the bug. Looking at the code,
I don't see how an empty hostgroup expression could be generated.
And similarly in the hostgroup command itself; when items are
subtracted, the expression is always in parens, which is legal.
After post_jump, the symptom is gone. Let's sweep this one under
the rug. [Later: the bug is not seen any more. Rug was effective.]
Before the upgrade, checkout.sh was run, passed all test groups.
Saved (on Xena) as check.jacinth.before .
Before the upgrade, Order commands in Apache configurations were
changed to Require all granted/denied.
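A check for Order/Allow/Deny lines that were missed during that conversion, as an added example that is not one of jimc's scripts. Apache 2.4 accepts these directives only when mod_access_compat is loaded, so a leftover one can keep the server from starting, and a file that mixes them with Require is hard to reason about. The function names and the sample files (labelled constructed) are assumptions.

```shell
#!/bin/sh
# Added example: report Apache 2.2-style access control directives that
# are still active in a configuration directory after a 2.4 migration.

# Uncommented mod_access_compat directives. Apache directive names are
# case-insensitive, so every grep below uses -i.
LEGACY_RE='^[[:space:]]*(Order[[:space:]]+(allow|deny|mutual-failure)|(Allow|Deny)[[:space:]]+from[[:space:]]|Satisfy[[:space:]]+(any|all))'

# conf_files DIR: the *.conf and *.incl files directly inside DIR, sorted.
conf_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.conf' -o -name '*.incl' \) | sort
}

# find_legacy_acl DIR: print "file:line:text" for every legacy directive.
find_legacy_acl() {
    conf_files "$1" | while IFS= read -r f; do
        grep -HniE "$LEGACY_RE" "$f" || true   # no match is not an error
    done
}

# count_legacy_acl DIR: number of legacy directives still active.
count_legacy_acl() {
    find_legacy_acl "$1" | wc -l | tr -d ' '
}

# mixed_acl_files DIR: files that contain both legacy directives and
# Require lines; these deserve a manual review of the intended policy.
mixed_acl_files() {
    conf_files "$1" | while IFS= read -r f; do
        if grep -qiE "$LEGACY_RE" "$f" &&
           grep -qiE '^[[:space:]]*Require[[:space:]]' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree DIR: constructed sample configuration for the demo.
make_sample_tree() {
    cat > "$1/legacy.conf" <<'EOF'
<Directory "/srv/www/htdocs">
    Order allow,deny
    Allow from all
</Directory>
EOF
    cat > "$1/migrated.conf" <<'EOF'
<Directory "/srv/www/htdocs">
    # Order allow,deny   (commented out: must not be reported)
    Require all granted
</Directory>
EOF
    cat > "$1/mixed.incl" <<'EOF'
<Location "/private">
    order deny,allow
    Deny from all
    Require all denied
</Location>
EOF
    # Not a *.conf or *.incl file, so it is not scanned.
    printf 'Order allow,deny\n' > "$1/notes.txt"
}

# Demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "Legacy directives still active: $(count_legacy_acl "$demo_dir")"
find_legacy_acl "$demo_dir"
echo "Files mixing legacy directives with Require:"
mixed_acl_files "$demo_dir"
rm -rf "$demo_dir"
```

The script only reports; deciding whether a block becomes Require all granted or Require all denied still needs a human reading of the old Order/Allow/Deny combination.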
Putting Jacinth in v42.1 hostgroup.
Stopped restarter.timer and cronj on Jacinth.
Edit /etc/default/grub_installdevice to put grub in the MBR on (hd0).
Instsetup was run for Jacinth; even so, I plan to use a direct
dist-upgrade. But the instsetup image is there to easily start the rescue
system. Command line:
instsetup -v -h jacinth -d /home/boot421 -D hd0,msdos3 -p the_pw -r 42.1 -R |& tee $j/ins.jacinth
audit-repos -v -r 42.1 -i jacinth (is included in instsetup)
Turn on SuSE OSS repo but not Packman. Don't want to upgrade MythTV
on top of everything else. We had libmyth-0_27-0.27-2.17.x86_64 and
numerous friends. Copied from v13.1 into v42.1 CouchNet repo. This should
head off deleting these packages during dist-upgrade.
zypper refresh
[Cancelled! Internet is needed for the upgrade.]
Disconnect Jacinth from the global hacking community. I need to
explicitly abandon my wild side DHCP lease, so if the lease storage gets
incompatibly improved I can get a new lease right away, rather
than waiting for the old lease, as known to my ISP, to expire.
dhcpcd -k eth1
This worked. Now I disconnect the Ethernet cable from eth1.
Bad move! Internet is needed for the upgrade. And now I can't get
IPv6 service back. I'm not going to debug this, just take down he-ipv6.
That did it, the zypper refresh now works.
zypper --gpg-auto-import-keys dist-upgrade --download-as-needed --auto-agree-with-licenses --no-recommends |& tee /scr/dist-upgr.log.1
Problems encountered:
- perl-MythTV-0_27-0.27-2.17.x86_64 conflicts with
perl-Net-UPnP-1.4.2-1.13.noarch . Toss perl-MythTV.
Same for php-MythTV-0_27-0.27-2.17.noarch and
mythweb-0_27-0.27.0-1.2.noarch .
- 2879 packages to upgrade, 140 to downgrade, 408 new,
13 to reinstall, 63 to remove, 103 to change vendor,
10 to change arch.
Download size: 1.91 GiB, adding 1.2 GiB to the installed size.
3464 total packages.
- Started 11:08 ; done 12:40, 92 mins.
Reboot.
Discrepancies before running post_jump:
- While booting: dependency error for NetworkManager-wait-online
- Firewall is up.
- Access point (hostapd) is up.
- IPv6 is up and is passing packets from the internal net to wild side.
- Claude (VM hosted on Jacinth) is up.
- The following discrepancies are from checkout.sh.
- hostgroup: command not found -- fixed the path by hand and re-ran.
- Network is not enabled but is required on this host.
- Circular dependency: sysinit.target -> rescue.target ->
sysinit.target. PJ will fix.
- Network passes test (it failed, when hostgroup was hosed).
- A bunch of services are wanted but disabled, or unwanted but enabled.
PJ will fix.
- LDAP failed. I didn't troubleshoot this. Kerberos is fine.
LDAP returned to life after post_jump.
- saslauthd test failed: 32bit cgi-helper can't find shared libraries.
PJ will fix. [Confirmed fixed.]
- slpd failed.
- Tigase test is hosed, possibly a problem in
/home/diklo/lib/functest/xmppclient.pl . I didn't troubleshoot.
- Apache2 failed. Problem in Mathnet.conf which PJ will fix.
- Mythbackend is running.
- Postgresql passed the very simple functional test.
- slpd functional test failed.
- Discrepancies reported by daily housekeeping:
- Clean up chrony's server history files: 501 Not authorised (twice).
- No unit file for mysql.service . Because it isn't installed.
- /etc/logrotate.d/chrony.J duplicate entry for
/var/log/chrony/measurements.log , and permission denied on
/var/log/chrony/tracking.log.4 , also pbl has a duplicate for
/var/log/pbl.log .
- PostgreSQL server not running.
- /etc/cron.daily/suse.de-backup-rc.config -- binary garbage possibly
as the path argument to find.
post_jump -r 42.1 jacinth |& tee $j/jump.jacinth
- Took 30 mins exactly.
- World writeable files: /m1/mozilla-sync-1.5/local/lib/python2.7/site-packages/setuptools-0.9.7-py2.7.egg-info/SOURCES.txt , about 8 in this directory.
/home/owncloud/jimc/lucene_index/read-lock-processing.lock.file
/s2/video/tv/1181_20151216204500.mpg.png -- All world writeable files
were changed to 644 or 755, no sign that they need group write.
- Tried to install 26 keystone packages, actually able to install 21,
46 with dependencies.
Including java-1_8_0. Can't install mythweb-0_27 .
What is 6kernel-devel? A typo. Let's toss libvirt-daemon-driver-xen
in couchnet.sel, seems to run fine without it.
- For package removal, assessing dependencies took a very long time.
- 843 packages to remove. Acroread bites the dust.
823 packages actually removed.
- No unit file for spamd mysql , cannot enable. They were not installed
due to bogus contingencies in /m1/custom/extra.sel. Fixed and
installed.
- dhcp-server.service is enabled and not in the conf file. It's an
alias for dhcpd.service . Bypassed in scripts.extra.
- passwd-check jimc (on Jacinth) -- password matches in all sources,
including servers on Jacinth.
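The world-writable file cleanup noted in the list above (files changed to 644 or 755), as an added example that is not part of post_jump or any of jimc's scripts. It picks 755 when any execute bit is set and 644 otherwise; the function names and the sample tree (labelled constructed) are assumptions.

```shell
#!/bin/sh
# Added example: find world-writable regular files and reset them to
# 644 or 755, as described in the post_jump notes.

# list_world_writable DIR: regular files under DIR with the o+w bit set.
# -type f skips symlinks and directories (sticky /tmp-style directories are
# legitimately world-writable); -xdev stays on DIR's own filesystem.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# mode_of FILE: the ten-character mode string from ls, e.g. -rw-r--r--
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# tighten_world_writable DIR: set each world-writable file to 755 if any
# execute bit is set, otherwise 644, and print the files that were changed.
# Group write is dropped too, matching the choice made on the page.
tighten_world_writable() {
    find "$1" -xdev -type f -perm -0002 -exec sh -c '
        for f in "$@"; do
            # Characters 4, 7 and 10 of the ls mode string are the
            # user, group and other execute positions.
            case "$(ls -ld -- "$f" | cut -c4,7,10)" in
                *[xst]*) chmod 755 -- "$f" ;;
                *)       chmod 644 -- "$f" ;;
            esac
            printf "%s\n" "$f"
        done' sh {} + | sort
}

# make_ww_sample DIR: constructed sample tree for the demo.
make_ww_sample() {
    mkdir -p "$1/cache"
    printf 'data\n'      > "$1/cache/index.lock"; chmod 666 "$1/cache/index.lock"
    printf '#!/bin/sh\n' > "$1/helper.sh";        chmod 777 "$1/helper.sh"
    printf 'ok\n'        > "$1/readme.txt";       chmod 644 "$1/readme.txt"
    printf 'shared\n'    > "$1/group.txt";        chmod 664 "$1/group.txt"
}

# Demo on the constructed tree.
ww_demo=$(mktemp -d)
make_ww_sample "$ww_demo"
echo "World-writable before:"
list_world_writable "$ww_demo"
echo "Changed:"
tighten_world_writable "$ww_demo"
echo "World-writable after: $(list_world_writable "$ww_demo" | wc -l | tr -d ' ')"
rm -rf "$ww_demo"
```

Review the output of list_world_writable before running the fix on a real tree, since a file that some service expects to be group-writable will lose that bit as well.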
checkout.sh discrepancies after post_jump:
- Network is OK. Firewall is OK. Wicked is OK.
- dhcpd is running. dhcp-server is not wanted, is enabled but
not in conf file. Check out what gives here. dhcp-server is an
alias of dhcpd.service. [Fixed, bypassed in scripts.extra.]
- mysql still lacks a unit file. Also spamd. Installed, fixed.
- Claude did not come up. /usr/bin/qemu-kvm is missing, from package
kvm, not installed. Package renamed to qemu-kvm . Installed.
Claude is up. Fixed name in couchnet.sel .
- Apache2 failed. Missed an Order command. Now it's up.
- mythbackend failed, requires mysql which is missing. Installed mysql,
mythbackend is up.
- postgresql failed, cannot connect to server. DB needed version
upgrade. Done.
- slpd has an "invalid fastbin entry" and is catatonic
despite a restart. Caused by memory corruption. See the
bug report section.
- Tigase did not start.
- Time to this point: about 3 hours.
- Grivet does not play. Details below.
More targeted troubleshooting:
Apache testing: This list gives the outcome of the main function on the
various virtual hosts, all with a connection from the local LAN to
jfcarter.net.
- Main site (80): Perfect, as far as I can tell.
- OOBA (1443): Writing on a readonly database. It is a SQLITE database,
mode 644 ooba:ooba. The CGI is execed by suExec. Which does nothing.
Because it is not setUID, because its name got changed.
/etc/permissions.local was updated. Now OOBA works.
- OOBA (1444): Writing on a readonly database. Same problem and same
fix as on 1443. It did ask for
a user cert and accepted it for authentication and authorization.
- Roundcube Mail (1445) with Kerberos authentication: Fully functional.
- Roundcube Mail (1446) with X.509 authentication: Fully functional.
- ownCloud (1445) with password (SASL) authentication: Fully functional.
- MythTV Status (6544): Shows the status, which is correct.
- MythWeb (1445) with anonymous authentication: Needed a dependent
package, needed to be installed. But it still has a morass of
permission issues. See next paragraph. [Fixed.]
- Grivet Music Player (80): Fully functional except OTA stream. [Fixed.]
- Home Page on Claude (80): Perfect. Claude has SuSE 13.1 (upgrade soon).
MythWeb (1445) with anonymous authentication: Forbidden, no index
document. Because it isn't installed. It requires
php-MythTV-0_27-0.27-2.17.noarch which requires
perl-MythTV-0_27-0.27-2.17.x86_64 which needs perl(Net::UPnP)
provided by perl-Net-UPnP-1.4.2-1.2.noarch.rpm
which is no longer (or never was) on SuSE. But versions are on
Packman for old SuSE versions (useless because requiring an exact
version of Perl), plus the source RPM. rpm install the source RPM,
then rpmbuild -bb $file.spec. rpmbuild --clean $file.spec.
With this RPM, mythweb-0_27 installs -- copied to CouchNet repo.
However, MythWeb still has a morass of permission issues.
Fixed, the problem was that /etc/apache2/conf.d/mythweb.conf got
overwritten, and the old content had to be found in backups.
Now it's working.
Where Jacinth stands now:
- Tigase did not start; I'll debug that later; until then, Tigase is
disabled.
- slpd (service locator protocol daemon) has mysterious memory
corruption not present on the other v42.1 machines. Disabled; I will
make a bug report to SuSE.
- The OTA FM radio stream doesn't happen. Other music will play. [Fixed.]
- Mythbackend is alive. Will it record the news at 18:00? Yes!
- MythWeb has some kind of permission problem. [Fixed.]
- Miscellaneous error messages in housekeeping. [Fixed unless I missed one.]
- Other than that, all services are fixed and tested.
- checkout.sh: passed all test groups.
Diamond is the master site for distro storage, so there are issues of
self-reference. For example, I will execute post_jump on Diamond as the
master site, and that includes ssh diamond audit-pkgs -v -i (and
numerous similar ones) with Diamond as the target to be upgraded.
Audit-pkgs on the target will do zypper install whatever, obtaining
the packages from Diamond as the repo storage. This will work for post_jump,
but I'm afraid that it will work poorly for the dist-upgrade, particularly
when Apache and ssh are being upgraded. Instsetup has some notes for what
to do when upgrading the distro master: basically, hand edit the repo
definitions to refer to the local disc rather than HTTP.
Steps in the upgrade:
backup-host
#For a production machine, is a special backup needed?
Yes, for Diamond. Also a compressed copy of the virtual machine's
disc, elsewhere than Diamond.
It's in jacinth:/s1/kvm/baobei/baobei-1.raw .
22Gb (oink), took 43 minutes.
- Make sure the target host is in the hostgroups for the new distro
version and its correct architecture. [Done.]
systemctl stop restarter.timer
systemctl disable restarter.timer
systemctl stop cronj
systemctl disable cronj
# We don't want to restart daemons or run cron jobs during the
upgrade. Cronj is jimc's special version of cron (CouchNet only).
- Edit /etc/default/grub_installdevice to put grub in the MBR of (hd0).
audit-repos -v -r 42.1 -i $target
#Execute on master site. Without -r, it uses the (old) version
actually installed on the machine. [Done.]
-
instsetup -v -h $target -d /home/boot421 -D hd0,msdos3 -p the_passwd -r 42.1 -R |& tee $j/ins.$target
# And edit the installer/rescue stanzas in /boot/grub2/grub.cfg
to refer to the local disc. Change the HTTP URL to
hd:?device=sda5/SuSE/SuSE/x86_64/42.1 (2 places, installer and rescue,
cut off the mount point which in this case is /s1, and make sure that
the device, here sda5, is the one holding that mount point);
verify that boot is a subdir:
ls /s1/SuSE/SuSE/x86_64/42.1
I'm not going to actually use instsetup, but this is here so I
have easy access to the rescue system.
- Now we need to edit the repo definitions in /etc/zypp/repos.d
to refer to the local disc.
The instsetup script has some notes on that. Change
http://distro.cft.ca.us to dir:/s1/SuSE .
Use ls to make sure the path is right.
If you did use the installer, you would need to mount /dev/sda5 on /s1
in the target filesystem; see the instsetup script for where the
mount point ended up.
cd /scr
#When done in /tmp, it couldn't find .. after the upgrade, so
I changed to a directory that package aaa_base doesn't mess with.
zypper refresh
#On the target (Diamond). [Success,
showing that the repo definitions were edited correctly.]
zypper --gpg-auto-import-keys dist-upgrade --download-as-needed --auto-agree-with-licenses --no-recommends |& tee /scr/dist-upgr.log.1
# 2775 packages to upgrade, 126 to downgrade, 403 new,
9 to reinstall, 57 to remove, 76 to change vendor, 5 to change arch.
Download size: 1.82 GiB. Add 770.2 MiB to installed size.
3332 total packages. Took 38 minutes. Diamond is faster than other
CFT machines, and didn't have to download over the net.
- Reboot. Does it fall on its face? Success!
- On Diamond I retried the dist-upgrade. It wanted to reinstall some
packages, remove others, and change vendors. This was the same issue
as seen on Jacinth, so I cancelled the dist-upgrade.
- Post_jump needs Apache to be running, to download packages. Do:
ssync -a /home/post_jump/42.1/etc/apache2/conf.d/ /etc/apache2/conf.d/
Then go through /etc/apache2/conf.d/*.conf and *.incl, and change
Order/Allow commands to Require all granted/denied wherever
occurring, in files not copied from the post_jump directory.
Now restart Apache.
- On the master site (Diamond), add /usr/math/bin:/usr/math/etc
to the path, and target=diamond, then:
post_jump -r 42.1 -u 0 $target |& tee $j/jump.$target
Post_jump will bitch that /etc/group and/or passwd is not up to
date (duh). Do not run sync_jump; you need to copy in the
other direction. Give the -u 0 option to ignore that error.
Post_jump will install the correct /etc/group before the groups in it
are needed by audit-pkgs and zypper. Took 10 minutes.
Installed 18 keystone packages, proposed to remove 809 packages,
actually removed 795.
- Reboot again.
checkout.sh
Passed all test groups -- Yay!
- User Experience Checkout:
- Both aplay (ALSA) and paplay (PulseAudio) play the sound.
- Firefox behavior:
- Firefox connects to items on Alice's home page (except
~jimc/images, not Firefox's fault).
- Browser test: Graphic formats were all shown. PDF was
downloaded; click and it's shown by Evince (good). Audio: Ogg
Vorbis and MP3 played; no codec for WAV, Video: Ogg Theora and
video/x-flv (Flash Video) played; Quicktime(RPZA) and AVI
didn't. Quicktime test: these stuffings did not play: 3GPP,
3GPP2, Sorenson, MPEG-4 (2 clips) These stuffings did play:
MPEG-2, H.264. The Java applet was executed after four
security warnings (deserved).
- Commercial Flash sites: Youtube OK, video played normally.
CNN OK, played news video.
- Spot checks of formats show meow.sh (GStreamer-1.0) can play
MP3, Ogg Theora, and Quicktime(MPEG-4); Firefox could not play
the latter one. Also can play the KUSC OTA stream served from
Jacinth.
- Alice's XFCE setup is using the ALSA mixer panel widget; should be
using PulseAudio. Need to fix. Actually it was sufficient to
change the audio device to the USB Audio DAC (ALSA), which is the
sound device being actually used. But it should use PulseAudio
anyway, and I don't see a XFCE plugin for it.
- Baobei, virtual machine running Windows-7. Seems normal.
- Printing.
- From Baobei to the configured printer (lp2): Prints.
- From Diamond to lp2 as text: unsupported document-format
text/plain.
- On Diamond, enscript -Plp2 file prints.
- On Diamond, enscript file prints; lp2 is the default printer.
- On Xena, /etc/printcap (symlink to /etc/cups/printcap) has
its correct content (also on Diamond). (File is deprecated.)
- On Xena, no printers are admitted to exist and there is no
default destination.
- This has all been fixed. See below for
more discussion about printing.
- Tcl/TK are working.
- Wicked and Network Nanny have the network under control.
- Items not tested, not important to Diamond's mission:
- Remmina remote desktop client
- Lightdm display manager -- Still working on this.
- Simple Scan
- Sound Juicer
- Shotwell photo organizer
Here is a brief index of scripts used in the upgrade.
- /s1/SuSE/bin/snarf-bs ($sbs)
Downloads a package from the
SuSE Build Service and puts it in the correct directory. Also works with
Packman and other outside repos. With SBS it downloads both the x86_64
and i586 versions, but if we're decommitting i586 that behavior will have
to be suppressed.
- /s1/SuSE/bin/mksuserepo ($mkr)
Rebuilds and signs the metadata
for the repo, using the key in /s1/SuSE/distro-{pub,sec}.gpg . The
private key is encrypted with the current root password.
- hostgroup
The various scripts rely on hostgroup to accurately
report the architecture and distro version on each machine. Before
upgrading each machine, particularly for an architecture swap, you need to
edit the hostgroup database.
- audit-pkgs
This script adds, removes or updates packages by
calling SuSE's zypper with appropriate arguments. For dealing with
difficult situations it has a -I option to let you interact with zypper and
make choices on the fly about what to install. Your goal should be that
such handholding will not be needed when upgrading production machines.
- audit-repos
Copies the repo definitions from the post_jump
directory to the target, and fills in the target's architecture. Removes
unwanted (e.g. back-version) repos.
- onlu-check
Translates the output of zypper list-updates
and extracts descriptions of the patches from repo metadata. As usual,
they changed the metadata format in the new release.
- instsetup
It installs in a chroot jail just enough packages to
run zypper and do a distro upgrade. When that is set up, it prints out
a page of instructions, which you should save so you can copy and paste
from it during the upgrade. The installer has a -I option so you can
interact with zypper, in case of unanticipated dependency problems.
- post_jump
After an upgrade or a fresh installation, it copies
over the configuration files in /etc, installs wanted packages, removes
unwanted packages, and does an online update (all using audit-pkgs). It
finishes by running daily housekeeping (slow, sorry).
- audit-scripts
Enables or disables services to be started
at boot. It is normally run by post_jump but can be run by hand if needed.
- checkout.sh
Does a functional test on many services;
others are just checked for being enabled and running. This is a good
quick test if an installation or upgrade succeeded. Takes 1 to 2 minutes
because it tests if a cron job will be executed and it has to wait for the
scheduled time.
- ins
Installs files on remote hosts. If you do
e.g. ins -src /home/post_jump/42.1 v42.1 /etc/default/grub.m4 it
will take this file out of the post_jump directory to install. While this
feature has been there since 2009 (but forgotten), I improved
the precheck display so the correct file is listed.
Adobe's Flash Player has been kicked off SuSE due to licensing problems.
I doubt the SuSE staff are shedding tears over its demise, since it is a
maintenance nightmare and is a suppurating security hole. But the
WAF of SuSE in general
and the upgraded OS in particular depends on being able to perform Flash,
specifically Youtube videos, and stock market graphs. So what am I going
to do?
See this forum post about flash-player, comment #2 by nrickert
(2015-10-29). He mentions fresh-player as a substitute.
Also mentioned was pepper-flash. Comment #8 by Wraith5000:
freshplayerplugin will provide Flash support in Firefox. But according
to I_A in comment #9, it depends on pepper-flash, and he finds it
buggy (as of 2015-10-29) so he doesn't use it. Google's Chromium
includes a non-Adobe flash player (I think someone said it's
pepper-flash -- confirmed). On SBS: freshplayerplugin-0.3.2 has the
official release status, but it's not on the DVD.
GNU Gnash
is intended to play Flash movies; it's not clear how much other Flash
features it handles. The current version is 0.8.1 dated 2012-02-xx
(which is not exactly recent, in 2015-12-xx). It does not handle the
current SWF version 10 formats.
Lightspark is another
open source Flash player. The latest version is 0.7.2 dated
2013-03-16, also not recent. On their wiki they say that support
for Youtube and Google Maps is partial, which means there
are bugs but it's good enough for daily use.
chromium-pepper-flash is available on the SuSE Build Service,
plus of course the containing Chromium browser by Google. This is a
rather bizarre situation. Google has made a deal with Adobe that
Google will maintain the Flash Player code and port it to their Pepper
API for Chromium plugins. Chromium has a sandbox mode which
keeps Flash Player in its cage, limiting the baleful effects when a
hacking exploit succeeds against it. So they say.
There is also a plugin for Mozilla Firefox called freshplayerplugin
that does the middleware thing with the Pepper API, so Chromium
plugins, specifically Pepper Flash, work with Firefox. It is available
from SuSE Build Service. No news about whether sandbox mode
exists here. Dependency: libconfig.so.9()(64bit)
I've used Chromium extensively and I gave it up because (at that time) it
would not present X.509 and Kerberos credentials that I needed. The users
here all use Firefox and are not likely to change. I think my solution is
going to be to use chromium-pepper-flash and freshplayerplugin. Wish us
luck, my user base are going to need it.
Freshplayerplugin and pepper-flash turn out to be satisfactory for the
flash sites that we normally use: Youtube and CNN. However, Pepper Flash is
the bad old Flash Player, security holes and all, just better maintained
(maybe) and available with a slightly more sanitary license. It would be
better if we could get Firefox to use HTML5, for which see the next section.
Credit to Ben Carter for making this work. To make Firefox use HTML5,
do these steps:
- This is for Firefox-42.0 which is the current version for SuSE 42.1
on 2015-12-27. Some forum comments suggest that Firefox-44 in nightly
builds has improvements (details not stated).
- Before making changes, check your configuration. Look at
YouTube's HTML5 page.
On native Firefox-42.0 it reports that the browser supports:
- HTMLVideoElement -- Yes
- H.264 -- Yes
- WebM VP8 -- Yes
- Media Source Extensions -- No
- MSE and H.264 -- No
- MSE and WebM VP9 -- No
- Navigate to about:config (type it in the address bar).
- Blow off the warning page about hacking the settings.
- These instructions are from
this Softpedia article on enabling HTML5
by Silviu Stahie (2015-08-18).
Make these options true (some may already be enabled). Type an
initial segment of the name in the search area. When you find
it/them, double click on each one you want to turn on (or off).
- media.fragmented-mp4.use-blank-decoder -- change to False
- media.fragmented-mp4.* (4 other options) -- change to True
- media.mediasource.enabled -- change to True
- media.mediasource.mp4.enabled -- change to True
- media.mediasource.webm.enabled -- change to True
- media.mediasource.ignore_codecs -- right click, pick New,
type Boolean, type the name, set the value to True.
- Navigate to about:addons . This page can also be found by
Menu-Addons.
- You should already have the OpenH264 Video Codec by Cisco. If your
Firefox is older, you may need to install it by hand. (Better to
upgrade Firefox.)
- On CouchNet, Shockwave Flash will be present and set to Always
Activate. This is libfreshwrapper for Pepper Flash. In other
contexts you may have the authentic Flash Player by Adobe.
Set it to Never Activate. At least on YouTube, if you admit supporting
Flash, YouTube will send Flash, preferring it over HTML5.
- If you need to use sites that only have Flash, you will need to turn
it on. Suggestion: turn to Ask To Activate, so if you forget to turn it
off, Firefox will nag you and you can go back and suppress it (if the
site doesn't really need Flash).
- Return to and reload
YouTube's HTML5 page.
It should report that all six elements, codecs and features are
supported.
- Play a Youtube video. (Some are only in Flash, but most have a HTML5
version.) Move the mouse within the display area and the player
controls will appear. Click on the gear icon (settings). Click
on Quality (the last row). A table of available resolutions will
appear. 1080p should be offered. Click on it. The video should
play excellently. For a negative control (bad resolution) try 144p.
More web references about enabling HTML5 in Firefox:
-
On LinuxVeda by Paul Hill, 2015-04-02. Basically pre-peats
the above instructions, developed for Firefox-37.
-
On Reddit, OP Amanoo, about 2015-10-xx. Several respondents
quoted variants of these instructions.
-
On Mozilla's Bugzilla, OP Robert Hancock, 2015-02-17,
reports video tearing (screen flickering), particularly visible on
the vertical lines of the referenced video. Happens on more than one
compositor (mutter, compiz, …) and is set off by unredirecting
the window.
After Diamond was upgraded, the
financial manager, executing on the same machine, tried to print
hardcopy and failed. The I.T. staff got an earful. On other Linux
machines upgraded to v42.1, the command lp -d lp2 $file results in
the error message lp: The printer or class does not exist.
Executed on the machine with the printer, the same command prints the file
(if it's PostScript).
Second symptom: if the file is text/plain, executed on Diamond, the
error message is lp: Unsupported document-format "text/plain".
The cure for this was to install these
filter packages (like codecs). The filters are recommended
with the
cups package, and it looks like in my dist-upgrade the recommended packages
were suppressed.
- cups-filters-ghostscript
- cups-filters-foomatic-rip
- cups-filters-cups-browsed (see below for whether this is useful)
- cups-backends
- gutenprint was already installed.
- manufacturer-PPDs was already installed.
In v13.1 printers were announced to clients by UDP broadcasts on port 631.
But in v42.1 (cups-1.7.5) the UDP protocol (as well as slp) has been taken
out of cupsd, and dnssd (DNS Service Discovery) is the only supported
browse protocol.
Here's an overview of how it's supposed to work:
dig @224.0.0.251 -p 5353 _services._dns-sd._udp.local. PTR
(The ending dot is essential; without it you get nothing. This is a
multicast address. For IPv6 it's ff02::fb.)
This should yield a set of PTR records to service categories, and when
you ask for each of their referents, you should get PTRs to services
within each category, together with answers to future queries, i.e. the
SRV and TXT records for that service plus the A and AAAA records
for the server in the SRV record. Empirically dig only shows the
first service even if several are registered on the same machine, because
dig reports the first reply it receives and ignores the rest.
If services in a category are registered on multiple machines,
necessarily each one will
send its own packet. In the initial query all categories known to the
responding machine are sent in one packet, but if another category is on a
different machine, it will be sent in a separate packet.
To check what is registered:
- Install package avahi-utils .
- avahi-browse -t -k _ipp._tcp #(on any host, see below about VLANs)
- It should list your print queues, duplicated on IPv4 and IPv6.
Omit -k for human readable service types.
- avahi-browse -t -k -a # To see all announced services
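The check above says each print queue should appear once on IPv4 and once on IPv6. The following is an added example, not part of the original page, that automates that comparison; a queue seen on only one family is worth checking against the port 5353 firewall rule. It assumes avahi-browse's -p (parsable) output format, and the queue names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original page.

# Reads the output of `avahi-browse -t -k -p _ipp._tcp` on stdin.  With -p
# (parsable) each discovered service is one line of ';'-separated fields:
#   +;interface;protocol;name;type;domain
# Prints "queue<TAB>protocol" for every queue missing on IPv4 or on IPv6.
queues_missing_family() {
    awk -F';' '
        $1 == "+" && $5 == "_ipp._tcp" {
            seen[$4, $3] = 1      # (queue name, IPv4 or IPv6)
            queue[$4] = 1
        }
        END {
            for (q in queue) {
                if (!((q, "IPv4") in seen)) print q "\tIPv4"
                if (!((q, "IPv6") in seen)) print q "\tIPv6"
            }
        }' | sort
}

# Constructed sample: lp2 is announced on both families, lp3 only on IPv4.
sample_browse='+;eth0;IPv6;lp2;_ipp._tcp;local
+;eth0;IPv4;lp2;_ipp._tcp;local
+;eth0;IPv4;lp3;_ipp._tcp;local'

printf '%s\n' "$sample_browse" | queues_missing_family

# On a live host:
#   avahi-browse -t -k -p _ipp._tcp | queues_missing_family
```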
CouchNet has a very frustrating complication: a firewall on every host.
Port 5353 had to be opened. And of course avahi-daemon.service and
avahi-daemon.socket (both) had to be enabled and started.
avahi-dnsconfd.service is apparently optional, and I haven't found a good
explanation of what it actually does. You will also need package avahi-utils
to get the avahi-browse command.
Another complication is, cupsd does not actually register its print queues
with Avahi (dnssd) unless you tell it to. In my setup there is a separate
configuration file for the print server, and I dumbly edited the generic file
for hosts with no printers, so of course registration didn't work. [Fixed.]
Here is the current setup on CouchNet, also describing extensions needed
for Mathnet:
- Avahi-daemon runs on all hosts. It makes and caches queries about
services, such as print queues, for mDNS-aware software such as
Firefox, Evince, and cups-browsed. In some or all cases
there is a 10 second timeout while it waits for responses to straggle
in.
- cups-browsed (from package cups-filters-cups-browsed) runs on all
hosts. It uses DNS service discovery to discover remote printers,
and also listens to CUPS UDP broadcasts. It can also be configured to
send UDP broadcasts for the local printers if any. These are going
to be important at Mathnet until all v13.1 clients are gone, but that
has already been accomplished on CouchNet so I didn't turn that feature
on. There is also a feature to create raw transfer queues that can
only handle PDF, which seems kind of useless; I turned that off.
- All hosts, even those without printers, run a local CUPS daemon.
cups-browsed signals cupsd to create a transfer queue (that can handle
any format) for discovered remote printers. The only deficiency is
that the system default printer is not recognized; CouchNet has one,
but Mathnet doesn't.
- An alternative is to provide /etc/cups/client.conf which says just
ServerName diamond.cft.ca.us
You can have only one ServerName. This would tell the clients to look
for a list of printers on that host, or to send print jobs there. But
if multiple hosts have printers, as at Mathnet, this is not sufficient.
- At Mathnet we're going to have to set up Avahi mDNS reflection.
In /etc/avahi/avahi-daemon.conf on the main router (Harlech) you
set enable-reflector=yes, and it will copy all mDNS packets
received on one interface to all the others (local only). It can
also reflect between IPv4 and IPv6 but this is rarely needed and is
not recommended.
So printing on CouchNet is apparently functional, and we have a way
forward for the more complex Mathnet printers.
Another tidbit: there's a file /etc/cups/cups-files.conf and the User,
Group, ServerKey and several others are supposed to be in it. Read
/var/log/cups/error_log . [Fixed.]
It seems that in every release something bad happens to the display manager
and its greeter, so I have to switch to a different one. By now I have used
every one, some several times. In OpenSuSE 13.1 I tried to use LightDM. The
GTK greeter was not satisfactory for our use case, and neither were either of
the samples that came with the Webkit greeter, so I wrote my own
HTML/Javascript document. It didn't work out due to (their) bugs, so I finally
put together a satisfactory collection of widgets centered on the ancient XDM
(which I am quite familiar with). But it's a kludge and is obviously
home-built. So this time around I decided to re-try the Webkit greeter. With
the current software version, I was finally able to make it work right.
The requirements for the greeter are:
- The user has to be able to type in his loginID (and password).
That lets out the provided sample greeters, which rely on a user list.
At work there are hundreds of users and the user list is impossible.
It's feasible at home but there are other issues.
- There has to be a session chooser that includes items for the failsafe
xterm, the user's custom .xsession file, and a system default, as well
as real sessions like Gnome, KDE, XFCE, FVWM and MythTV.
- At home it's required on some but not all machines (MythTV playback
nodes) to pre-fill the watch TV loginID, so the user can just
hit enter on the remote control and get logged in, without a password.
Timed autologin has to be turned off, because we don't want a live
MythTV session all the time. (Other families might judge the human
engineering issues differently.)
- At home a power management widget is required.
- At work a language chooser is a helpful addition. So is the
accessibility widget.
- We like to have a nice photo background for the greeter, and photos
usually have their visual interest in the center. Therefore I want
to put the greeter window in a corner, or for the work photo,
vertically centered at the right edge. This lets out the GTK greeter
for LightDM, which has no controls for moving it.
- There should be a way to customize the greeter's colors. At work
I pick up a color from the photo; at home, a black background and white
foreground fit reasonably with all the photos.
You need to install one of the provided branding variants -- I randomly
picked lightdm-webkit-greeter-branding-bevel -- and it will drag in
lightdm-webkit-greeter.
Here is a tarball of the finished greeter document. Make a directory under
/usr/share/lightdm-webkit/themes and unpack it there. Files included:
- ./background.jpeg -> /m1/custom/background.jpeg -- Your background
photo. We put ours in a standard (for us) location. Its aspect
ratio should match the display (4x3 or 16x9) but the pixel size does
not have to match.
- ./index.html.m4 -- A template file, input to fixup.sh
- ./index.html -- The greeter's code, output of fixup.sh .
Remove this file and re-run ./fixup.sh to fill in your own hostname,
pre-filled user, etc.
- ./fixup.sh -- Fills in configuration information in ./index.html
- ./index.theme -- I think this is for a theme chooser which we
don't have.
These configuration files were modified:
- /etc/lightdm/lightdm.conf
- /etc/lightdm/lightdm-webkit-greeter.conf
- /etc/lightdm/users.conf
- /etc/alternatives/lightdm-default-greeter.desktop -- change this
symbolic link to point to
/usr/share/xgreeters/lightdm-webkit-greeter.desktop .
The right way to do this is:
update-alternatives --set lightdm-default-greeter.desktop /usr/share/xgreeters/lightdm-webkit-greeter.desktop
- /etc/pam/lightdm , lightdm-autologin , lightdm-greeter need to be
symlinked or edited according to your login policies.
lightdm-autologin is for logging in the preset user without a password.
lightdm-greeter is for logging in the lightdm user
(without a password) so it can show the greeter window.
The only deficiency I've found so far is, for the background you would
like to specify (on the body)
style="background: cover url(file:///m1/custom/background.jpeg)"
but the cover property requires CSS-3, which the provided webkit does not have.
Another trap for the unwary: something provides a default session type
of twm, which is an ancient ancestor of FVWM and is not installed on
my system. It is seen in this role in /usr/bin/startx (package xinit),
and in /var/lib/AccountsService/users/jimc (origin unknown but package
accountsservice is the obvious culprit). If the lightdm session-child
decides to use this session type, it will open
/usr/share/xsessions/twm.desktop (ENOENT)
and then hang forever, preventing any more logins.
To recover, kill the hanging session-child by hand,
then systemctl restart display-manager
(which would miss the culprit session-child which holds some kind of
lock). Then the user should explicitly
pick a session type when logging in, creating ~/.dmrc .
Oopsie, in the morning I wake up my laptop, log in, and 13 seconds after
wakeup (while I'm typing my password) the display-manager is killed. I have
a script that kills orphan dbus and other session daemons, and it decides that
the greeter session is not a real session, and kills its dbus daemon. Fixed.
So far, the LightDM Webkit greeter is working out for us.
A problem with package signing keys:
libopenblas_pthreads0-0.2.15-24.1.x86_64.rpm:
Header V3 DSA/SHA1 Signature, key ID 943d8bb8: NOKEY
V3 DSA/SHA1 Signature, key ID 943d8bb8: NOKEY
Need to find and add this key. Turns out to be the
science OBS Project <science@build.opensuse.org>.
Also 811e255b for chromium-pepper-flash. Not on public keyserver.
gpg --keyserver hkp://keys.gnupg.net --recv-keys 0x943d8bb8 0x811e255b
Since I can't find 811e255b I'm going to have to turn on
zypper option --no-gpg-checks. Oooo, a security hole! That allowed it to
be installed automatically, with a warning message, same as on v13.1.
I should revive DNSSEC in the master's /etc/named.conf (and slaves?)
Meow (the Python version) is using GStreamer-0.10 which is not
going to be installed. Need to upgrade the app to use GStreamer-1.x.
Verizon has increased our speed on FIOS. Change netpolice.J to match.
Finished items:
cronj needs a proper systemd unit file. Then junk /etc/init.d/cronj .
It needs to create $servdir if not existing. Actually also needs to
mkdir $servdir/CronWake. Cronj was modified to take care of that.
Unit file is written and installed.
At home we want our own default background in back of the
display-manager greeter, for the virtual machines
that don't have individual photos. Presently it's royce.jpeg , the photo
from work. OK, I picked a reasonable photo.
XDM should scale/crop the image according to the actual screen size,
analogous to CSS-3's background cover. It actually shrinks/stretches
the image anamorphically.
See if the current incarnation of lightdm can replace the kludge
I'm currently using for a greeter. Yes it can. [Done.]
In /etc/logrotate.d/openslp-server.J it restarts slpd when rotating
the log file. See if reload will be sufficient. The version in the
package also restarts slpd, so I guess it's necessary.
locate (updatedb) does not index files on the main distro DVD.
Turn this on. Also get rid of the former unpacked directory.
To make this happen, edit /m1/custom/conffiles/etc/ and remove iso9660
from PRUNEFS. [Done.]
libdvdcss2 apparently has gone back to the name libdvdcss. Download
this package from Packman, install it, and test. It's not on Packman.
RPMfind has libdvdcss-1.4.0 from Remi Collet for Fedora-23. You need
to first uninstall (remove) libdvdcss2 from v13.1. You don't have the
packager's key and you need to either ignore the error or not use the
unverified package. Use --no-gpg-checks in a script, hiss, boo!.
This package provides libdvdcss.so.2 (same as libdvdcss2).
There are no arcane dependencies, just libc. [Installed.]
Printing setup is not quite complete: Cups fails to register its print
queues with Avahi. I'm using static files for Avahi. Also some of the
configuration options have been moved to /etc/cups/cups-files.conf and I
need to set this up. [Both items fixed, static files gone.]
Need to install the latest version of Tigase, then get it to run.
- Tigase is a XMPP/Jabber instant message server. See these URLs for
my results with it.
- Java is so confusing! /usr/bin/java (the referent of this symlink)
is provided by java-devel which was not installed. Fixed.
- Even so, /usr/local/Tigase/etc/tigase.conf had JAVA_HOME hardcoded
to /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0 which is the version for
v13.1 and is not installed. Changed to /usr/lib64/jvm/java which has
a symlink to 1.8.0 via /etc/alternatives. Now Tigase starts up.
- In this configuration, Tigase is apparently operating as it did
before the OS upgrade.
- Tigase is using a self-signed certificate; I don't know why.
It has a symlink to the correct host key+cert file, and used it
in v13.1.
I'm accepting that cert so I can debug other issues first.
- The functional test for Tigase uses ./xmppclient.pl (by jimc), but
it somehow botches what I take to be a debug log file. That's where
it stands now. Tigase is still disabled so restarter doesn't test
it and freak out.
- Debugging the functional test program is not going smoothly.
My best guess is that there was an API change in one of the Perl
infrastructure modules (not one that I call) that isn't reflected
in dependencies. Also, the operational need for which I installed
Tigase has evaporated. Therefore I'm putting Tigase on indefinite
hold.
The onlu-check script extracts patch descriptions for the patches to
be installed by audit-pkgs -v -u -c. Of course they've changed the
metadata format again. I need to update onlu-check, and it should use
zypper info rather than extracting the description by cowboy
programming. [Done.]
Why didn't pushconfig (or anything else) complain that on dirsvr,
/etc/named.conf differed from /m1/custom/conffiles/etc/named.conf ?
Would have been revealed in the upgrade and the obsolete version would
have been installed, I think. [/usr/diklo/lib/daily/conffiles.J now
checks these files daily.]
These LSB scripts are in the post_jump config dir. Wherever possible,
create systemd unit files and junk the LSB scripts. Some have special
status checkers; try to preserve these.
- cronj [done]
- daily.J [done]
- firewall.J [done]
- kerberos -- Enabled existing systemd units on correct servers; tossed LSB script.
- named -- The LSB script does a lot of work to assemble configuration files. Keep it.
- postfix -- With all the paranoia about MySQL and SASL sockets, we need to keep the LSB script.
- rpcbind -- It's socket activated. Toss the LSB script.
- rpmconfigcheck -- It's provided by package rpm, so it's not going to go away.
- syslog -- Already has a systemd unit that is in use. Toss.
- wakeup.J -- This is way too complicated for systemd to handle. Keep LSB.
When you boot the network installer on a VM, with Network Configuration
in Manual, it picks the Red Hat Virtio NIC, which does not exist.
SuSE Bugzilla: bug 960507
Installing texlive-scheme-medium. Various packages declare other
packages obsolete, which other required packages also require. Killing
the obsolete tags in 7 collections allows it to install. This is an
old bug which I fixed in this way for v13.1. The same fixed packages
also allow it to install in v42.1.
This was reported in OpenSuSE-12.3 bug 811162; some bogus obsoletes
relations were removed, but the real culprit (for jimc) was not fixed,
namely, that RPM trashes the obsoletes relation when printing it. To
demonstrate the behavior:
rpm -q --qf "obso=[%{OBSOLETES}\n]" -p http://download.opensuse.org/repositories/openSUSE:/Leap:/42.1/standard/noarch/texlive-extratools-2013.74-16.1.noarch.rpm
It will print obso=texlive-tools where it should print
obso=texlive-tools <= 2012; and there is corroboration that the
correct relation is in an earlier version of this package (see bug 811162).
Response from Fabian Vogt of SuSE: In the RPM sources the RPM tag
is #defined to OBSOLETENAME (which is the observed symptom). To get the
relation and version you need to do:
rpm -q --qf "obso=[%{OBSOLETENAME} %{OBSOLETEFLAGS:depflags} %{OBSOLETEVERSION}\n]" $package
Jimc says: that resolves this bug.
SuSE Bugzilla: bug 960515
Grub dies a horrible death without showing the list
of bootable objects, when you upgrade my OpenSuSE v13.1 machines
to v42.1 and then reboot.
Initially I thought that the grub2 package's post script was forgetting
to install the new grub modules. However, thanks to Jiri Srain and
Michael Chang of SuSE for explaining what was really happening.
grub2-install assembles a file of grub modules, copies it into the
vacant space before partition 1 (if it fits), and fills a blocklist for the
image into the booter code in whichever boot sector it's been told to use.
In ancient times when initially installing SuSE on a new machine I
would specify that grub should be installed in the MBR. However,
starting around v12.1 I noticed that
the default location was the root partition's boot sector, and I left this
setting at the default. Bad move. The MBR still contained the old grub's
blocklist for the old module image, which had been overwritten with a new
one, possibly longer, or possibly moved. Thus the MBR may have trashed
the image when loading it, with a fatal result. Another trouble point is,
if the
back-version grub stage 1 in the space before partition 1 finds and
executes stage 2 or other modules in /boot/grub2/i386-pc, version skew
could be unhealthy.
To fix, following the advice given, I edited
/etc/default/grub_installdevice to say:
(hd0)
activate
generic_mbr
This directs the YaST bootloader code to use the whole first disc
(i.e. the MBR on that disc). Like a script kiddie I'm guessing that
activate means to set the boot flag on the Linux partition, and
generic_mbr means to overwrite the code portion of the MBR (but
evidently not the blocklist or the partition table) with a generic booter.
On 99% of machines (hd0) will get the correct disc;
I checked, and this is true for all of my
home and work machines. But if you boot from a floppy, CD, or USB drive,
all bets are off for the drive number. In that case it's recommended
to use a device path such as /dev/disk/by-id/ata-ST9750420AS_5WS4F4QQ
with the model and serial number, or /dev/disk/by-label/its-label, or
another disc-specific link in /dev/disk.
Use the whole disc, not one of the partitions. Don't use the obvious
/dev/sda because the drive letters are not necessarily consistent; I had
a machine once with 4 discs which enumerated them in a random order.
If this is done before the upgrade, the VM Oso could be upgraded
from v13.1 to v42.1 and would reboot correctly afterward.
SuSE Bugzilla: bug 960517
When installing packages from subsidiary sub-repos, like the Science
repo, you need the developer's key. Where do you get it?
It isn't on the GPG keyserver net. To work around, zypper --no-gpg-checks
(hiss, boo).
Chrony lacks a systemd unit file. Send in mine.
audit-scripts complains about the circular dependency of
rescue.{service,target} and sysinit.target. What can we do but
ignore this? Actually, put a Band-Aid on the bug! Success:
I copied /usr/lib/systemd/system/sysinit.target to
/etc/systemd/system/sysinit.target , then hacked it to not be after
emergency.{service,target} and that broke the circular dependency.
simple-scan -- It's not clear how to specify a network scanner: no
GUI item for that. You need to launch it from the command line:
simple-scan net:scan.example.com:pixma
The one problem I had with sound-juicer was with an album not on
MusicBrainz; Sound Juicer claimed that the disc was not mounted.
The help file says you should be able to fill in the metadata by hand
(and send it to MusicBrainz).
In v13.1, unfamiliar but reproducible kernel names were assigned to
network devices, e.g. enp1s1 for what formerly would (unreliably) be
assigned to eth1. On multi-interface machines I had trouble when the
installer fixated on the wrong NIC, so on the grub command line for
running the network installer, I specify e.g. netdevice enp1s1. But
this device does not exist for the 4.1.x kernel. Are we back to the ethN
style of device names, relying on udev rules to produce consistent naming?
In forum posts it's often suggested to omit netdevice unless there's a real
problem, and my experience is that the installer (minus netdevice) will
eventually find the right NIC, but I haven't upgraded the worst work
machines yet.
slpd has an invalid fastbin entry and is catatonic
despite restarts. Per forum posts, this is probably being detected
by the malloc code in glibc.
Someone else gets it when running Java; other people see it when trying
to run a variety of unrelated apps. In this forum post on Stack Overflow,
idefixs (OP, 2013-07-02) ruled out
a double free, and suspects a memory corruption bug.
Aerospike's KB on GLibC Memory Corruption (no date, feels old)
confirms memory corruption and recommends upgrading to glibc version
2.12-1.149 (on CentOS) or later. OpenSuSE 42.1 has 2.19-17.4 :-)
I think this deserves a bug report to SuSE.
After the restart, systemctl status slpd looks in good
shape. Then I do slptool findsrvs service:ssh . It returns
nothing, taking 10-15 seconds to do it.
I see in syslog:
Error in `/usr/sbin/slpd': invalid fastbin entry (free): 0x0000000000675c80
systemctl says the daemon is still
running. If I make the query again I get no answer but also no second
report of an invalid fastbin entry. If I restart (takes 2 mins) and
make the query, I again get the invalid fastbin entry, 5 of 5 trials.
rpm -V openslp-server-2.0.0-8.3.x86_64 gives no errors.
On two other machines running OpenSuSE-42.1 x86_64, this query
returns the correct service report with no invalid fastbin,
10 of 10 trials on each machine.
/etc/cron.daily/suse.de-backup-rc.config from
aaa_base-extras-13.2+git20140911.61c1681-7.1.x86_64 (v42.1) says:
find /etc/sysconfig -type f -exec cat {} \; | md5sum
whereas aaa_base-extras-13.1-16.49.1.x86_64 (v13.1) says:
find /etc/sysconfig -type f | xargs cat | md5sum
When executed using /bin/bash -vx, the v42.1 command line comes
out as:
find /etc/sysconfig -type f $'\342\200\223exec' cat '{}' ';'
with an error message of
find: paths must precede expression: -exec
The identical error occurs every time this script is run.
This must be a bash issue, possibly having to do with the possibly reserved
word exec. But putting -exec in quotes had no effect.
As a separate issue, I think the command line from v13.1 is superior,
using xargs. The -r option might head off an error in the special case
of no sysconfig files, that is impossible to encounter in practice.
Also, if the order of the filenames in the directory were to change,
even with no change in content, the MD5 sum would also change. I would
sort the filenames. Of course an unnecessary backup is not a big loss.
To get this script working I just reverted to the v13.1 version.
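The bytes \342\200\223 in the bash -vx trace above are the UTF-8 encoding of U+2013 EN DASH, which find does not treat as an option prefix. The following is an added example, not code from the original page or from aaa_base: it flags such bytes in a script and computes the sysconfig checksum with sorted file names and xargs -r as suggested above. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page or from aaa_base.

# Print "file:line:text" for each line holding a byte that is neither
# printable ASCII nor whitespace.  Under LC_ALL=C every byte >= 0x80 fails
# both classes, so a UTF-8 en dash pasted in place of "-" is reported.
non_ascii_lines() {
    LC_ALL=C grep -Hn '[^[:print:][:space:]]' "$@"
}

# Checksum over the contents of all regular files below directory $1.
# Sorting the NUL-separated names makes the result independent of the
# order in which the directory returns them; xargs -r skips cat when there
# are no files.  md5sum is kept from the page's script: here it only
# detects change, it is not a defence against deliberate tampering.
tree_md5() {
    find "$1" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat |
        md5sum | cut -d' ' -f1
}

# Constructed sample: the v42.1 command line with the en dash bytes
# (\342\200\223) where the ASCII hyphen of "-exec" belongs.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nfind /etc/sysconfig -type f \342\200\223exec cat {} \\; | md5sum\n' \
    > "$demo_dir/backup-rc.sh"

non_ascii_lines "$demo_dir/backup-rc.sh" || echo "no non-ASCII bytes found"
rm -rf "$demo_dir"

# On a live host:
#   non_ascii_lines /etc/cron.daily/*
#   tree_md5 /etc/sysconfig
```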