Asus VivoBook S15 S532FA (2020)
Setup

Table of Contents

• In the Box
• BIOS Setup
• Windows Checkout
  • Windows 10 Media Creation Tool
• Installing Linux
  • Disc Partition Table
  • Partition Labels
  • Download the Network Installer
  • RAID vs. AHCI Mode
  • BIOS Alterations
  • Linux Installation Begins
  • The Final Partition Table
  • Reviving the Laptop's Networking
• Hibernation Quirks and Fixes
• Using the Screenpad (separate page)

In the Box

• Laptop: Asus VivoBook 15 S532FA-DH55-GN
• Power brick, nominally 45W, 19V x 2.37A (45W), 100V to 240V up to 1.0A, 50-60Hz. Size 54x54x29mm. Plug: NEMA 1-15P (North America, Andean South America, Japan), 2 parallel flat blades, no grounding pin, parallel to the square surfaces of the brick and in one corner. Cord length 1.9m (6.2ft).It ends with a barrel connector, about 4mm outside, 1mm inside diameter, 10mm long.
• User guide and regulatory compliance notices (in English). Key points:
  • Getting started: charge for 3 hours (actually under 1 hour), open the display, hit the power button.
  • Operating temperature range: 5C to 35C (41F to 95F). Don't block the air vents on the bottom and rear. Don't cover the power brick, e.g. with a pillow or blanket.
  • Support URL.
  • Do not use the laptop near water, during a lightning storm, or in an explosive atmosphere (gas leak). Do not dispose of batteries in a fire. Use only a compatible power adaptor.
  • The laptop is RoHS compliant (EU and India) and complies with other product environmental regulations.
  • The surface of the laptop is not electrically conductive, except around the I/O ports.
  • Wi-Fi operates in 2412..2472MHz and 5150..5725MHz (or 5850MHz); Bluetooth in 2402,,2480MHz. Output power 6..14dBm depending on which chip is in your model.
• Warranty and other documentation. Key points:
  • Warranty duration is 12 months from the date of purchase.
  • It covers hardware and (their) firmware, not software.
  • Criteria for warranty replacement of the display panel: 3 bright pixels; 5 dark pixels; 2 pairs of adjacent bright or dark pixels; 3 bright and/or dark pixels in a 15mm diameter circle.
  • If the TPM's pre-boot password is active and is lost, the only recourse is to replace the motherboard, which is out of warranty. You need to disclose the password to the repair techs.
  • Back up your data and remove anything sensitive. The techs may delete anything without restoring it.
  • If you have non-original hardware (e.g. disc) or software (e.g. Linux), they will only test or repair the original configuration.
  • ASUS' liability is limited to your purchase price.
  • Support link for our model; see the Warranty tab. International warranty service is available in most of Asia including China (PRC and Taiwan), Australia and New Zealand; most if not all of Europe and the Former Soviet Union; some of the Middle East (excluding Iran, Syria, etc.); Egypt, South Africa, but nothing else in Africa; USA, Canada, but nothing in Mexico, central or south America.
• Instructions for using the ScreenPad in Windows.
• A package of stickers or cards with cartoon characters.
• The box is nicely made, 100% Kraft cardboard (environmentally friendly). It should be saved to ship the laptop back for depot repair.

To do upon receipt:

• Inspect for shipping damage. All OK.
• Read labels; copy down the serial number and whatever other useful information (not too much).
• Plug it in so it can charge. Connect the Kill-a-Watt power meter for power measurements<. The instructions (for the Acer E5-573G) say to charge fully, then use up the battery completely, 3 times, as the first thing you do. Other sources, possibly more recent, claim that this is an urban legend, and the solid-electrolyte interphase layer is fully developed after the first charge. I"m going to do normal activities such as setup and power measurements, on battery power through three charge-discharge cycles, whether needed or not. Then I will do the battery life tests.
• The M.2 NVMe SSD is assumed to be installed already and functional, with Microsoft Windows-10 Home preinstalled. [Confirmed.]
• Connect wired Ethernet. Oops, 802.3 dongle is in use elsewhere. I'll have to set up Wi-Fi when I test Windows.

Colors

The top cover color, according to ASUS, is Moss Green. Seen under indirect south daylight, I'm calling it Pantone® 18-0629 Lizard (p.129). (How appropriate for installing OpenSuSE on it.) The very narrow border around the display is black, with an orange line between it and the Lizard top cover. The keyboard deck and the bottom cover are Pantone® 12-0811 Dawn (p.39), kind of a light bronze-ish color. The keys are silver, with a transparent inlay for the labels, which is dark when the backlight is off. But when it's on, it shines through the labels, which is cool, but the contrast is low with the silver key bodies, so you have to look carefully to see which key you're pressing. Other available color schemes are Punk Pink and Silver Transparent.

BIOS Setup

I will first review and record the settings, then boot Windows and check it out, and finally change them as noted before installing Linux.

• Doing this on line power.
• How to get into Setup: press F2 while booting. Suggestion from ASUS FAQ: press and hold F2, then press power. Release F2 when you see the BIOS main screen. If rebooting, hold down F2 as soon as it leaves the previous OS instance.
• Main Screen
  • BIOS version 304 (no date), Aptio Setup Utility by American Megatrends, Inc. GOP version 9.0.1092, EC version F0021503.309 (whatever those are).
  • Processor: Intel Core i5-10210U @1.60GHz (as advertised)
  • RAM: 8192Mb (as advertised)
  • Serial number is shown in the BIOS.
  • Realtime clock is set to 2020-10-08 06:30:xx when the current time (UTC) is 2020-10-07 22:30:xx, so the clock is set to civil time in timezone +8, China. [Change to UTC.]
• Advanced Screen
  • Hyperthread enabled [disable]
  • Virtualization enabled [keep]
  • AES-NI (acceleration) enabled [keep]
  • VT-d (directed I/O for virtual) enabled [keep]
  • ASUS EZ Flash 3 Utility. You should be able to flash the BIOS off a USB memory stick without installing and booting Windows.
  • Rapid Storage Technology (manage volumes on the RAID controller). We have a Kingston OM8PCP3512F-AB, 476.9Gb NVMe/PCIe flash disc. Serno: 5002 6B76 838A F321. It's non-RAID, so it says.
  • SMART: selftest all discs at boot.
  • UEFI network stack disabled [keep]
  • USB mass storage driver enabled [keep]
  • Graphics: DVMT (video RAM) 64Mb preallocated [keep]; very likely the video RAM can expand dynamically.
  • SATA: Intel RST Premium with Intel Optane System Acceleration. I'm viewing this with deep suspicion. Here's where you could select AHCI -- lack of which kept the Acer Aspire E515-54 from using its NVMe drive. [Change to AHCI later]
• Boot Screen -- It's preset with Windows Boot Manager on the NVMe disc. When I install Linux I'll need to mess with this to allow booting from a USB memory stick.
• Security Screen
  • Administrator and user password not set. I'm sure I'll have to set these to influence the following settings.
  • I/O Interface Security -- Wireless and HD Audio are unlocked [keep]
  • USB Interface Security -- Everything is unlocked: all USB, external ports, camera, SD card reader. [keep]
  • Secure Boot Control -- Enabled. Factory default keys are configured. Will I disable Secure Boot? When something goes wrong.
• Save & Exit -- This page has the boot override menu, pick a device to boot from. Also you can launch an EFI shell, possibly from a choice of devices.

So the only things that will actually be changed (after Windows checkout, before installing Linux) are:

• Main/Realtime clock to UTC.
• Advanced/Hyperthread disabled.
• Advanced/SATA changed to AHCI (from Optane).
• Boot: Get it to boot the Linux installer, unless the boot override menu can do this without formal setup. [Update: The installer USB stick is on the boot override list; don't have to mess with the Boot page.]
• Security/Secure Boot is being left active unless I get into trouble.

Windows Checkout

Boot into Windows. Here are the steps in Windows Setup.

• Language choices: English, Spanish, French. Yes the ScreenPad works in Windows for picking these options.
• It runs Setup with Cortana as its mouthpiece. Click the microphone icon (lower left corner) to shut up Cortana.
• Pick your region: United States (out of a zillion choices).
• Pick keyboard: US. Skip second keyboard layout.
• Network setup. This is Wi-Fi; I thought I had an extra 802.3 NIC, but it's in use. It scans for nets, pick one. Type the password.
• It does non-obvious stuff including possibly checking for Windows updates.
• Agree to the EULA.
• Add your Microsoft account. They won't let you skip this. For me the account identity is $luser@outlook.com.
• They offer face ID. I skipped setting this up.
• Create PIN for login. (Mandatory.) Click Include Letters and Symbols, and I gave it my regular password.
• Trust Microsoft to save your activity history etc. in the cloud. These were declined: activity history; share photos with Android or iPhone; back up to OneDrive (click Only Save to This PC), free Microsoft 365 trial, Cortana. Formerly Cortana would jump up and down and yap, begging to be turned on, but they've improved: this is gone.
• Privacy settings: I turned all of these off: speech recognition, find device, inking & typing, advertising ID tracker, location, diagnostic data (including web URLs), tailored ads per diagnostic data. If I were really using Windows operationally I would keep find device.
• Set up ASUS account and McAfee (virus scanner) account. Give full name, region, and e-mail address ($luser@outlook.com for me). Mandatory.
• This might take several minutes; don't turn off your PC.
• The ScreenPad comes on with feature icons. To once again use it as a trackpad, hit the trackpad icon on the lower toolbar of the ScreenPad about 20% from the left edge.
• They use Edge to show you a page of tips; you're pre-logged in to your Outlook account and its front page is showing.

Very quick checkout of features in Windows.

• Power measurements with Windows out of the box, crapware included. Default screen brightness and all other settings.
  • Windows idle with the screen on including ScreenPad: 9W. (Linux: 6.2W.)
  • Windows playing Big Buck Bunny (MPEG-4 + MP3 in AVI, 1080p): Edge is playing it. It downloads the whole thing first, 0.7Gb. Mostly 15W with occasional excursions up to 21W. Interesting, Linux can play this using 8.6W; usually Windows uses less power than Linux when playing media.
  • Showing a photo but screen (and ScreenPad) is off due to DPMS: 4W. (I don't know what the CPU is doing; it might be in S2 or S3 but I wouldn't know.) (Linux: 3.6W, essentially the same.)
  • After the timeout passed and the machine was supposed to have gone to sleep, power was 0W.
  • Hit any key, screen very promptly shows the greeter (no ScreenPad) and power is back to 11W.
  • Tap on the pad, the previous desktop is restored, ScreenPad is on, and power is 10W.
• Download and execute the Windows Media Creation Tool (details below).
• Update the BIOS. Don't skip this step. The machine ships with BIOS version 304 (no date) and the latest one on the support site (as this is written) is 302 dated 2020-04-23. So I guess I will skip this step. You can do the update using the flasher in the BIOS, so they say.
• Per Windows Settings, we have a Intel Wi-Fi 6 AX201 160MHz and its MAC address is bc:54:2f:f4:77:66 .
• Register the new machine on my firewall. Actually do the whole IP address procedure including updating kea-dhcp[46].conf. Since the old Xena is hosed and not recoverable, I'll use the name of Xena immediately for the new machine. [Done.]
• Windows storage requirements: 38Gb used of 475Gb total on C:, 476.9Gb raw disc capacity. But this definitely includes bloatware like Candy Crush which I wouldn't be caught dead running, plus the Big Buck Bunny download (0.7Gb) which I forgot to delete. Per this article on GHacks, Microsoft's official minimum is 32Gb. On Linux let's pre-allocate a partition of 50Gb, at the end of the disc, if I ever have to reinstall Windows, God forbid. I'll use it for temporary storage of big tables for special projects. I did the same thing on the old incarnations of Xena.
• We're done with Windows; time to install Linux.

Windows 10 Media Creation Tool

The goal here is to make it possible to reinstall Windows on the SSD if I need it, but I hope to completely delete Windows from my machine. The Windows 10 Specifications page says 20Gb is required for the 64bit OS (in 2019 it's raised to 32Gb). I'm sure you need more to actually do something. I ended up allowing 50Gb.

In this I'm following the review by TekSyndicus (2015-09-01) on the Amazon product page for the Acer E5-573G.

• Do this from the laptop when it's running the instance of Windows that you are going to reinstall, or a predecessor version, e.g. Win-7, which you either are able to upgrade for free or have bought a Win-10 license key for.
• The USB drive needs to be mountable by Windows, i.e. formatted, and with at least one partition with a valid Microsoftish filesystem on it. I cleared the first 10Mb of a drive that I was recycling, then ran parted (on another Linux machine) (parted /dev/sdb ; print ; make very sure you have the correct drive) to put a MBR on it (mklabel msdos), and a partition (mkpart primary fat32 0 -1) (quit to get out). Then format it (mkdosfs -F 32 /dev/sdb1).
• First insert the USB drive where you're going to put the resulting ISO image. It needs to be mounted; don't eject it (like I did). The ISO image is around 3Gb in size, so they say, so the USB stick needs to be bigger: 4Gb is enough. (Update for 2019: needs 8Gb.) The USB stick will be reformatted (all data lost) and turned into a bootable DVD. It is also possible to burn the ISO image to DVD media (if one has a drive).
• Go to the page for downloading the Windows 10 ISO. If you're on the target machine (vs. a Linux box) it automatically redirects to the Get Windows 10 page.
• Scroll down to Need to create a USB, DVD or ISO? Check the prerequisites (Before You Begin).
• When you have the prerequisites taken care of, hit Download Tool Now. It downloads slowly.
• The first step is to run it; there is a Run button on the download progress box when it finishes. Give it time to start; it isn't swift.
• Agree to the Microsoft EULA.
• Main activity: Create installation media for another PC.
• Choose the language, architecture and edition (Windows 10 covers both Home and Pro). It will pre-fill these. Don't try to install a different language, architecture or edition than the one already installed; they say it won't work.
• Tell it to stuff a USB flash drive. You could also save the ISO image and subsequently burn it on a DVD.
• Pick your drive; if there's only one, it will be preselected. It has to be mounted, or at least not ejected.
• For me, the download proceeded glacially. Looks like it's going to run overnight. Not really; it started very slowly, but speeded up and finished in only one hour. The ISO is about 3Gb in size, which translates to 6.7e6 bits/sec: limited by the server, not my FIOS speed. Update for 2019: the ISO is bigger but I'm not sure exactly how big. 8Gb should be enough space. Also the download steps are faster.
• Then it does a checksum, and finally writes on the media. This takes about 6 minutes with my USB stick, not particularly fast.
• When the program finishes, eject the USB stick using Windows Explorer, remove it, and put a label sticker on it.
• All done for the ASUS S532FA.
• Later I was able to install Windows from this image (on the E5-573G).

Installing Linux

This installation will be the second time I have attempted booting by UEFI (Unified Extensible Firmware Interface). Although SuSE has supported UEFI for several years, on both x86_64 and ARM architectures, I'm expecting a lot of trouble in this area.

But first I need to make some policy decisions.

Disc Partition Table

When I install Linux the first issue is going to be partitioning. On a MSDOS-type operating system, the disc begins with a Master Boot Record (MBR), which includes a code area for the booter, and a table giving the boundaries of the partitions. Of course the complete booter won't fit, so the MBR is a multi-layer kludge. One forum poster pointed out that Grub code is spread among the MBR code area, the unallocated space after the MBR, and the Linux boot/root partition, like spaghetti thrown by a baby. Also for people with huge RAID arrays, the MBR has an addressing limit of 2³² blocks or 2 terabytes (2e12 bytes).

The more modern partition table is called the GUID Partition Table (GPT) where GUID (Globally Unique IDentifier) refers to a field in each row that designates the role of the partition, which is ignored in Linux. Basically it replaces the partition table in the MBR. On machines whose BIOS is capable of reading a GPT, my policy is now to use the GPT, not the MBR partition table.

With non-UEFI (legacy) booting and a GPT, the first partition needs to extend from the end of the GPT header to at least the first cylinder boundary (1Mb is recommended in Grub docs), and its type needs to be 0x00 bios_grub. The filesystem type is irrelevant (don't format, or use FAT32). With UEFI booting you need a EFI partition. It should be the next partition (the BIOS from both Acer and ASUS will find it even if not first), it needs an actual FAT32 filesystem, and it needs the boot and ESP flags (gparted flag names). Windows installs it with a legacy (MBR) partition type of 0xef, whereas SuSE gives it a type of 0x00.

How big does the EFI partition really have to be? While the relevant Grub files should fit in 1Mbyte, if you're going to dual-boot Windows. the pre-installed Windows allows 100Mb, and 150Mb in a new installation, and the reference given below recommends 200Mb. On the old E5-573G I provided 150Mb. But actual usage ended up like this: Boot 1.13Mb; OpenSuSE (grub) 0.12Mb; Microsoft Boot Manager 18.7Mb, total 20.0Mb. On the A515-54 I gave it 30Mb, successfully. While SuSE puts the kernel(s) in /boot, other distros like Gentoo and Raspbian put them in the EFI partition, and you will need more than 30Mb. For my experiments with Gentoo on ARM I gave it 64Mb (with only one kernel and initrd at a time).

For the final result, skip ahead to the Partition Table.

I never dual boot because one of the operating systems becomes the favorite and the other one ends up not getting security updates. However, if other users need dual booting, for a procedure see this AskUbuntu forum thread, O.P. GhostMotleyX (2014-07-20) and particularly the reply by Rod Smith. He recommends using efibootmgr (package efibootmgr on SuSE and Ubuntu) to clean up cruft (avoid deleting important entries though) and particularly to change your boot order so Grub boots first. After a clean installation of OpenSuSE Tumbleseed, and presumably recent Leap and SLES versions, the boot order is preset in this way.

UEFI includes integrity management, referred to as Secure Boot. The kernel must be signed with a key known to the BIOS, and a fraudulently altered kernel cannot be booted, including a kernel created from scratch by the user. Microsoft Windows, and modern Linux distros, have access to a pre-installed acceptable key, but ordinary users need to forge a key and register it with the BIOS. This is feasible (in theory), but I really don't want to get tangled up with that kind of security, so I am going to [try to] turn off Secure Boot. However, if you run a public computer lab, or otherwise are likely to get malware installed on your machine, or if the KGB, Peoples' Liberation Army or NSA would be interested in monitoring your activities, and if you always run the distro's unmodified kernel, you are advised to use this security feature.

Assuming I can turn off Secure Boot, I am going to use UEFI, whether or not I'm also dual-booting Windows. Yeah, sure. How am I going to boot the installer if I have UEFI? I need installation media with a EFI partition -- and I have it, the OpenSuSE installation DVD or net installer on USB.

On a related topic, what filesystem type should I use? The contenders are ext4 and btrfs, which is now the default for OpenSuSE's root partition. They use XFS for /home, though, and I've had bad experiences with XFS. Btrfs has a lot of great features like copy on write, snapshots, and de-duplication (identical blocks in different files are stored only once). However, it has two disadvantages: I would need to learn a lot about its care and feeding, and it is slightly slower than ext4, which I am familiar with. I think I'm going to defer the transition to btrfs to the next machine, and stick with ext4.

Partition Labels

I frequently need to take the disc out of one machine and mount it on another, particularly for the Raspberry Pi's. If you use the hardware device name, e.g. /dev/sdd3, this is error-prone if done manually, and the major device number can change randomly from one boot to the next, so the device name shouldn't be used in /etc/fstab. The partition table includes a UUID which is used in a set of symlinks in /dev/disk/by-uuid, but UUIDs are semantically meaningless and are impossible to type by hand. So I give a label to each partition (except bios_grub), which appears as the name of a symlink in /dev/disk/by-label. I assign a number to each machine (or each incarnation, where relevant). On the old Xena (Acer A515-54), /dev/disk/by-label contains ROOT-09, HOME-09, SWAP-09, EFI-09 while the new one Xena (ASUS S532FA) will contain ROOT-10, HOME-10, SWAP-10, EFI-10, so they can coexist when I copy home directories onto the new machine.

Download the Network Installer

First step is to download the Network Image for x86_64 from the Tumbleweed installation page plus the checksum and GPG signature. See this help page, the section about verifying checksums, and follow the example. Yes the checksum and signature came out correct. Then write the image to a USB memory device; the next section has several options.

Oops, my Ethernet adapter is in use for the default route to my ISP. It's supposed to be possible to set up Wi-Fi after booting the installer, but I couldn't make that work. I repeated the above steps with the installation DVD. Similar filenames/URLs but replace NET with DVD.

RAID vs. AHCI Mode

The following was seen on the Acer A515-54 and the ASUS S532FA has the same issue, but fixable.

Gakk, the Linux (OpenSuSE Tumbleweed) installer cannot see the NVMe SSD, and neither can the rescue system. There is a mysterious item in boot messages: ahci 0000:00:17.0 Found 1 remapped NVMe device. Switch your BIOS from RAID to AHCI mode to use them. However, this setting is not available on the Acer A515-54. But it is on the ASUS S532FA, and when I followed the message's instruction, I was able to put Linux on the NVMe disc.

BIOS Alterations

• First plug the installer's USB stick into the laptop; you're going to boot it after the alterations and it has to be inserted when BIOS setup starts so it will be in the Boot Override list.
• Boot into BIOS Setup: starting from power off, hold down F2 (until the Setup main screen appears) and hit the power button.
• Make the BIOS changes planned in a previous step: change realtime clock to UTC, disable hyperthread, switch SATA controller to AHCI (vs. Optane). [Update: this allowed Linux to use the NVMe disc, which the Acer A515-54 could not do.]
• Save & Exit (confirm it), and as soon as the screen goes black, hold down F2 until the Setup main screen appears again.
• Navigate to Save & Exit again. Scroll down to the Boot Override list and within that, the line for the installer's USB stick. Sometimes it gives you an option for Partition 1; I always booted that if it was shown. Hit Enter.
• The EFI executor asks you if you're willing to trust the OpenSuSE cert for signing boot images (tell it yes). This choice persists for future EFI boots.
• It boots the installer. Scroll off Boot From Hard Disk which otherwise would boot Windows in a few seconds.

Linux Installation Begins

Procedure, once the installer is booted. Since my Ethernet adapter is pre-empted, I'm actually using the installation DVD.

• If you're using the network installer, use arrow keys to navigate to Installation. Hit E to edit the entry. To the linuxefi command, append (space) kexec=1 which is the magic incantation to get it to use the kernel off the installation repo, rather than the net installer's kernel, which is probably back version and which will make the installer refuse to install the wrong version distro. Hit F10 to boot. You need this for Tumbleweed because the kernel and the ISO images are constantly being updated, usually at different times. I never needed this maneuver for Leap, nor if I used the installation DVD.
• When the Plymouth progress screen obscures boot messages, hit Esc to turn it off.
• After downloading the kernel and the huge initrd, it reboots. Go through the same steps again (hit Esc when Plymouth comes on).
• With the network installer, be sure to let it add the online repositories because you don't have the DVD. (But I do have it.) There's no way (in this step) to add my Squid proxy and private repos.
• With the DVD, it's going to ask you to configure your Ethernet, which I don't have yet, so I just hit Next.
• On the page to select your desktop environment (KDE, Gnome, etc), pick Generic Desktop. I have a script to install the software I actually want, later.
• Partitioning: I'm trying to get a system that can be used with both legacy and UEFI booting. Each partition (except bios_grub) should have a label and should be mounted by label, to avoid confusion during experiments with UEFI vs. legacy booting. Set this in fstab options. The partition order shown below is best for my use case. All Linux filesystems are ext4 (not btrfs or XFS which are the current defaults in SuSE).
  • Delete everything first, try to get it to do UEFI.
  • 1. Bios_grub, 7.8Mb (tell it 8Mb) which is the smallest that parted will allocate on this big disc. Presumably that's the end of the first cylinder. Tell it do not format and pick the bios_grub partition type.
  • 2. EFI, 30Mb (see above for why I'm picking that size). First tell YaST do not format with partition ID (type) 0x00 EFI Boot. Then change back to yes format, with a FAT filesystem, and mount it on /boot/efi.
  • 3. Root, 20Gb. In SuSE 13.1 you need to ask for 5% less and your request will be expanded 5%, but in current versions it gives you the size you request.
  • 4. Swap, 24Gb. Yes, a label is allowed and you can swapon by label.
  • 5. Home, 30Gb. Eventually occupied: 2.5Gb, 9%.
  • 6. /s1 (scratch and special projects), the rest of the space, minus Windows if present. About 353Gb. My development VM's disc is here, 30Gb, and is by far the biggest occupant.
  • 7. Windows, 50Gb. If Windows is required, put it at the end so it can easily be merged later with /s1. Format it as FAT32 and let Windows upgrade it to NTFS, because Linux NTFS tools may not be bug-for-bug compatible with the real Windows formatter. Actually I put a ext4 filesystem on it and labelled and mounted it on /s2.
• New feature: If root's SSH public key were on a drive (normally USB) it could have been imported, presumably into authorized_keys. [Update: this worked.] The filename has to end in .pub .
• Software selection: Turn off the apparmor pattern. Turn on these individual packages. post_jump will install them if missing, but better to do it now to bypass sleeping dragons. *rsync *curl +m4 +expect +pam_ssh +pam_krb5 +krb5-client (* = already selected, + = needed to add.) Estimated 829MiB to download, 2.5GiB installed.
• If the firewall is disabled you don't get SSH, so enable the firewall. Enable SSH. Tell it to configure the SSH port to be open. You have to set all three of these, unlike in SuSE 13.1. post_jump will install my aggressive firewall.
• Switch to NetworkManager, since this is a laptop.
• Start installation. It goes very fast. About 1650 packages to install from the DVD, 142 from the repo, 1792 total. Installation took 10.5 minutes followed by about 1.5min non-package installation (e.g. copying the network configuration and indexing the kernel modules), after which the machine rebooted successfully into the production operating system.
• It drops you into a lightdm greeter with SuSE branding (blueprint with Geeko the lizard). It got its proper IPv4+6 addresses by DHCP.
• Run post_jump. CouchNet has a list of packages wanted on the machine, such as desktop packages and service daemons. Post_jump installs them (using the local Squid caching proxy to get to the SuSE repos), tosses unwanted packages, runs online update, and installs locally hacked configuration files.
• Major post_jump events:
  • Installing 317 keystone packages, 2235 packages total. 8 wanted packages could not be installed.
  • Removing 691 unwanted packages.
  • Updating 12 packages.
  • Service units: enabled 45, reenabled 17, turned off 19.
• Reboot, and run checkout.sh.

There was an emergency issue that diverted me for over 3 weeks. Returning to my new laptop. I left it with post_jump finished, and booting with no drama into the production OS. I'm going to move my homedir into the new laptop, then do checkout activities. Here's a more detailed list of steps.

• Minimal network setup: wired Ethernet is on en0 and I gave it the IP for xenaeth. It works; you can do ssh to Xena as root, with publickey auth.

• Go through the weekly update procedure to get a month of missed updates. Key substeps:

  • Reinstall conf files. There have been some major updates.
  • audit-pkgs -v -U -c (main action is zypper dist-upgrade, this is Tumbleweed). 457 packages to upgrade, 28 new, 12 to remove. Download 850.4 MiB, installed 939.6 MiB.
  • Issue: grub2-x86_64-efi was updated, and its posttrans script wanted but couldn't find shim-install. No other hosts have shim-install either. Only Holly (and Xena) have EFI. I created /boot/grub2/device.map = (hd0) /dev/disk/by-label/ROOT-10. Then ran grub2-install /dev/disk/by-label/ROOT-10. Output: Installing for x86_64-efi platform. Installation finished. No error reported.
  • Reinstall conf files again.
  • Re-run audit-scripts -k -E (re-enable all wanted services), in case of remnant weirdness. 54 items newly on, 19 turned off, 17 reenabled.
  • Re-run restarter and checkout.sh and fix discrepancies. Not too bad, I'm going to reboot, and then fix discreps.
  • It rebooted despite the grub error message above. Restarter failed to restart these services:
    • krb5kdc : /var/lib/kerberos/krb5kdc/principal does not exist, restore from backup.
    • kpropd : /var/lib/kerberos/krb5kdc/kpropd.acl does not exist, restore from backup.
    • ldap (slapd) : /var/lib/ldap/slapd.d does not exist, restore or propagate from another dirsvr.
    • unbound(+2,3) : /var/lib/unbound/etc/unbound/root.key is hosed, syntax error, where did they get this crap? Overwrite with a key from a working server. Now it won't start due to SuSE bug 1177715. Reverted from kernel 5.8.14-1-default to kernel-default-5.3.18-lp152.47.2 from Leap 15.2. Now unbound starts, but unbound2,3 require the host key+cert which needs to be restored from backup.
    • apache2 : No host key+cert
    • vsftpd.socket : No host key+cert
    • alsa-restore
    • firewallJ.d : Can't ping any partners (no IPv6), can't test.
    • nfs-server : Can't ping any partners (no IPv6), can't test.
    • perl Net::Ping is hosed, known bug (reported), need to apply my fix [done].
  • Run checksum.J to accept new security checksums, equivalent to Tripwire.

• Copy the HOME and S1 partitions off the Samsung EVO 860 disc (old Xena) to the new one, using the SATA to USB adaptor. Details:

  • /s2 is completely empty. Ignore.
  • Target /s1 is empty; source /s1 isn't: size 350Gb, 46Gb used. Copy lock, stock and barrel. 224090 files copied, took 21min, 36Mb/sec.
  • Copying /home. Size 31Gb, 2.4Gb used, 54831 files copied, took 76sec, 31.6Mb/sec.
  • Copying / (root) is going to be tricky. The source mountpoints will have nothing mounted on them (but I'll use -x anyway). Watch out, there are stray rpmsave files. First I'll copy with -n and assess what's going to be trashed. With no special options beyond -a -n: 738231 files. rsync options: -a [-n] -x -O -J -u -m --ignore-existing . Excluding these dirs: /bin /boot /lib /lib64 /lost+found run /var/cache /var/lib/hardware /var/tmp /var/lib/NetworkManager/dhclient* cache .cache .config . 1419 files remain, most of which I identify as being needed, like SSL host keys.
  • Next I'll use the same options minus --ignore-existing, to generate a list of non-identical files. Then I do a diff on them. Only 18 files:
    • /etc/nsswitch.conf -- Old Xena was jiggered to use libnss_usrfiles2 but new one wasn't (why? It's installed). Copy.
    • /etc/sysctl.conf -- Copy, Xena isn't a leaf node
    • /etc/vsftpd.banner -- Copy.
    • /etc/alternatives/default-xsession.desktop -- Old Xena uses gnome.desktop (hiss, boo), new Xena has xfce.desktop. Keep.
    • /etc/alternatives/gem2rpm -- Old uses ruby2.6, new uses ruby2.7. Keep.
    • /etc/alternatives/gem2rpm-0.10.1 -- Ditto.
    • /etc/alternatives/libcblas.so.3 -- Old Xena uses serial flavor, new is threaded. Keep.
    • /etc/default/grub.m4 -- Copy (and rebuild /boot/grub2/grub.cfg).
    • /etc/postfix/main.cf -- Copy.
    • /etc/ssl/certs -- Copy.
    • /etc/sysconfig/nfs -- Copy (different date, content same).
    • /etc/systemd/system/network.service -- Copy. Except NetworkManager is not installed.
    • /etc/systemd/system/multi-user.target.wants/kpropd.service -- Copy.
    • /m1/custom/background.jpeg -- Copy.
    • /var/lock -- symlink to ../run/lock, copy it
    • /var/lib/postfix/client_scache.db -- Don't mess.
    • /var/lib/unbound/etc/unbound/perhost.incl -- Copy.
    • /var/yp/nicknames -- Keep.
    • Command line: rsync -a -O --files-from=diffs.ls2 /mnt / [Done]

• Install extra software (like NetworkManager) that was missed by post_jump because /m1/custom/extra.sel wasn't there.
  Command line: audit-scripts -v -i -c -I
  These packages were not found (remove from extra.sel or couchnet.sel): yast2-trans-en yast2-trans-en_US giggle ifplugd GeoIP npapi-vlc These packages were merged, remove and/or replace with the one in parens: openssl-doc (openssl-1_1-doc); libreoffice-icon-theme-tango (libreoffice-icon-themes); yast2-control-center-gnome (yast2-control-center); blas-man (lapack-man); These packages lack dependencies: Mesa-demos (don't install); perl-Astro-Sunrise (works without compat module); perl-Mcrypt (works without compat module);

• Reinstall configuration files again.

• From rpmconfigcheck, 18 rpmnew-save-orig files were reviewed; all were tossed.

• audit-scripts again. Main items: enable NetworkManager, disable wicked.

• Compare (rsync -n) the backup on Diamond with the state on Xena. Transfer discrepant files that ought to be transferred. There should be very few of these in /home since the backup was done just before Xena got trashed, but there will be more in /etc, most of which are from distro updates that should be kept.
  Command line: ssync -a -n -O -J -c --exclude=/inventory.dat /home/backup/xena/ xena:/
  -c = compare by checksum, ignore mod time. This excluded almost 2/3 of the files, 469 files remain. I did a diff (scripted of course) on each of them. Many backup files are just old and are ignored out of hand. 11 files need to be copied; 2 need hand editing (new MAC address).

  /etc/dhclient.conf (no longer used but copy anyway) /etc/dnsmasq.conf (ditto) /etc/radvd.conf /etc/avahi/avahi-daemon.conf /etc/modprobe.d/99-local.conf /etc/pulse/client.conf.d/50-system.conf /etc/sysconfig/language /etc/sysconfig/network/ifcfg-en0 /etc/sysconfig/network/ifcfg-lo /etc/sysctl.d/70-yast.conf /etc/wpa_supplicant/wpa_supplicant.conf /etc/systemd/network/50-en0.link (needs hand editing) /m1/custom/conffiles/etc/systemd/network/50-en0.link (ditto)

• Rebooting Xena and trying to get up on Wi-Fi. It doesn't want to connect. The NetworkManager configurations for both rad0 and en0 were tied to the specific device's MAC address, so N.M. rejected them and created new connection pages for the actual devices (tossed). This was fixed, but a lot of issues continued. See below for nasty details.

• Run clonedir to suck recent edits from my homedir on Jacinth. Once this is done I'm allegedly operational on the laptop. [Done.]

• Now I'll continue with checkout and evaluation steps.

Details of regressing to an old kernel: As this is written, kernel-default-5.8.14-1.2.x86_64 is the latest version. It gives two problems: starting with the update to 5.6.14, the host of a VM runs for a variable time from 5 minutes to a day or so, then mysteriously crashes with no error messages in syslog nor visible on the screen. Second, unbound (the DNS server) drops privileges, and apparently our version of libcap-ng is using a back-version linux-api-headers, and barfs when the process potentially has capabilities with a higher number than it knows about. So unbound cannot start. For the unbound problem, per SuSE bug 1177715 (2020-10-14 ), it is apparently sufficient to revert to kernel 5.7.1. I tried reverting to old kernels, but could not get the RPMs. I succeeded by installing kernel 5.3.18-lp152.47.2 from Leap 15.2, and now unbound is running. [Update: on about 2021-02-23 Tumbleweed got util-linux-2.36.1-3.2.x86_64 and this fixes the problem.] Arch Linux bug 67781 (2020-08-31) describes this issue, and the developer indicates what he did to fix it.

Reviving the Laptop's Networking

I thought Xena would just join the net normally once connection configurations were restored, but it didn't work out that way. After much of a day of thrashing around with skimpy notes, I tried these interventions:

• rad0 is the NIC for Wi-Fi. en0 is the Ethernet NIC (USB). It's a design rule that Wi-Fi will be disabled (in the main NetworkManager menu) before Ethernet is plugged in, so that only one of them is physically operating at a time. They get their IP addresses by DHCP, different for each: rad0 = 192.9.200.195 + $pfx::c3; en0 = 192.9.200.227 + $pfx::e3.

• Formerly the connections for rad0 and en0 were locked to the NICs' former MAC addresses, so N.M. ignored them. This field was cleared.

• There seems to be a baleful interaction between /etc/sysctl.conf (settings in /proc/sys/net/ipv[4+6]/conf/$NIC/$various), the N.M. connection configurations, and other entitites yet to be discovered. I began by disabling N.M. and rebooting.

• Tidbit: /proc/sys/net/ipv6/conf/all/ignore_routes_with_linkdown should be turned *on*.

• I made a script to report relevant sysctl settings etc. I disabled N.M. and rebooted. The pristine network state goes like this:

  • Addresses of $pfx4.195/26 and $pfx6::c3/112 on rad0, no addresses on en0 or br0.
  • No routes, network is unreachable (duh).
  • forwarding == 1 on rad0 all default (both families) (correct).
  • accept_ra == 2 on rad0 + all (correct) but 1 on default (wrong).
  • accept_ra_defrtr == 1 on rad0 all default (correct).
  • disable_ipv6 == 0 on rad0 all default (correct). This continued on subsequent tests and won't be reported again.

• Starting N.M. with Wi-Fi disabled and en0 not plugged in, should get br0 but not en0.

  • Addresses of $pfx4.195/26 and $pfx6::c3/112 on rad0, $pfx4.177 and $pfx6::7:1 on br0, no en0 (correct).
  • No routes, network is unreachable (duh).
  • forwarding == 1 on rad0 br0 all default (both families) (correct).
  • accept_ra == 2 on rad0 br0 all (correct) but 1 on default (wrong).
  • accept_ra_defrtr == 1 on rad0 br0 all default (correct).
  • Petra is shut off, no vnet0. Let's keep it that way for now.

• Plugging in en0. jdhcp ran and provided some addresses. en0 immediately got a link local address and can ping on the local net, but N.M. could not get a DHCP address for it.

  • Addresses of $pfx4.177 and $pfx6::7:1 on br0, but nothing on rad0 or en0 (except llnk local address).
  • Routes: Default and local LAN via Jacinth on en0.
  • forwarding == 1 on all NICs for IPv4 but 0 for IPv6 on rad0 en0 br0, it's 1 on all + data.
  • accept_ra == 0 on rad0 en0 br0. This is bad, preventing an IPv6 address and routes from being set on en0. It's 2 on all and 1 on default.
  • accept_ra_defrtr == 1 on all (correct).

• Activating Wi-Fi, with en0 unplugged. N.M. behaves as if it had set up Wi-Fi normally.

  • Correct addresses on br0, $pfx4.195/26 but no IPv6 on rad0. But Xena can still ping IPv6 using the link local address.
  • Routes: default and LAN routes, both families, are correct on rad0.
  • forwarding == 1 on all NICs for IPv4 but 0 for IPv6 on rad0 en0 br0, it's 1 on all + data.
  • accept_ra == 0 on rad0 br0. This is bad, preventing an IPv6 address and routes from being set on rad0. It's 2 on all and 1 on default.
  • accept_ra_defrtr == 1 on all (correct).
  • I manually set IPv6 forwarding = 1 and accept_ra = 2 on rad0 and br0. Even so, it was seen to receive RA's and not obey them.
  • In this condition it's able to communicate normally with hosts on the local LAN, with www.jfcarter.net, and with www.google.com, using both address families. The only thing it can't do is use IPv6 to ping outside the local LAN.

• Wonder of wonders, when I started up the VM Petra, off-LAN pinging started to work. But we still don't have an IPv6 address on rad0. It claims to have received from RA's a correct default route and a prefix route on the local LAN, in fact two variants of each plus a spurious (high metric non-RA) route to br0's subnet.

• I ran restarter; it ran jdhcp which put rad0's proper IPv6 address on it.

• Petra is mostly working but has issues, which I'm going to leave for later to fix. [Getting networking right was a lot of work, but eventually it's fully operational and reliable.]

Hibernation Quirks and Fixes

When I first installed Linux, after the laptop hibernated (S4 state) and was awakened by pressing the power button, it would do a full reboot, not restoring the saved hibernation image. That was not good.

See this forum post on Stackexchange.com, OP user1337, 2020-07-04. He had the same symptom, and fixed it. The issue was, the Dracut configuration lacked an instruction to include the resume module; adding it made the initrd look for and restore the saved hibernation image.

Here is how I adjusted his procedure for OpenSuSE Tumbleweed:

• Check your kernel command line:
  cat /proc/cmdline
  It should have a resume device: for me, resume=/dev/vda1 or resume=LABEL=SWAP-10. If not, it can't find the hibernation image.
• Execute lsinitrd -m and see if you have the resume module in your initrd. If not, you need to add it.
• The resume module should exist. Check this path name (it's a directory): /usr/lib/dracut/modules.d/*resume . The '*' matches an order number; for me it's 95 but it probably varies among distros. It is included in the dracut package; if it's not there, that's beyond the scope of these instructions.
• The Dracut configuration files (on SuSE) are in /etc/dracut.conf /etc/dracut.conf.d/ /usr/lib/dracut/dracut.conf.d/ . Sample command to search for a resume configuration:
  grep -r -l resume /etc/dracut.conf* /usr/lib/dracut/dracut.conf.d/
• If you don't find resume mentioned, you need to configure it. I put it in /etc/dracut.conf.d/99-resume.J.conf . (If you do find it, but aren't getting restored even so, you have a complicated problem.)
• The content was:
  add_dracutmodules+=" resume "
  (plus #comments). This is a space surrounded list of modules to add; Dracut wants spaces before and after each module name.
• Then rebuild your initrd, with the module, using the command mkinitrd (old) or dracut -vf (modern). It's verbose; capture the output in a file, and look later for messages about including the resume module.
• The hibernation image now will be restored when you wake the machine.

Strange: 6 of my machines had the resume module in the initrd despite no configuration adding it.