Fortiter Et Recte
Recently we had a Korora user ask how to reset the keybindings in GNOME, which they had changed.
I don’t think that the shortcuts program has a way to reset them, but you can use dconf-editor.
Open the dconf-editor program and browse to:
org.gnome.desktop.wm.keybindings
Anything that’s been modified should be in bold font. Select it then down the bottom on the right click the “Set to Default” button.
Hope that helps!
Being new at OzLabs I’m dipping my toes into various projects and having a play with PowerPC and so I thought I’d cross-compile the Linux kernel on Fedora. Traditionally PowerPC has been big endian, however it also supports little endian so I wanted to build all the things.
Fedora uses a single cross toolchain that can build all four variants, whereas Debian/Ubuntu splits this out into two different toolchains (a BE and an LE one).
Install dependencies in Fedora:
$ sudo dnf install gcc make binutils-powerpc64-linux-gnu gcc-powerpc64-linux-gnu gcc-c++-powerpc64-linux-gnu bc ncurses-devel
Get the v4.2 kernel:
$ git clone https://github.com/torvalds/linux.git --branch v4.2 --depth 1 && cd linux
Successful big endian build of the kernel, using the default config for pseries:
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make pseries_defconfig
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make -j$(nproc)
# clean after success
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make clean
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make mrproper
Building a little endian kernel however, resulted in a linker problem:
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make pseries_defconfig
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make menuconfig
# change architecture to little endian:
# Endianness selection (Build big endian kernel) --->
# (X) Build little endian kernel
$ ARCH=powerpc CROSS_COMPILE=powerpc64-linux-gnu- make V=1
Here was the result:
powerpc64-linux-gnu-gcc -mlittle-endian -mno-strict-align -m64 -Wp,-MD,arch/powerpc/kernel/vdso64/.vdso64.so.dbg.d -nostdinc -isystem /usr/lib/gcc/powerpc64-linux-gnu/5.2.1/include -I./arch/powerpc/include -Iarch/powerpc/include/generated/uapi -Iarch/powerpc/include/generated -Iinclude -I./arch/powerpc/include/uapi -Iarch/powerpc/include/generated/uapi -I./include/uapi -Iinclude/generated/uapi -include ./include/linux/kconfig.h -D__KERNEL__ -Iarch/powerpc -DHAVE_AS_ATHIGH=1 -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Werror-implicit-function-declaration -Wno-format-security -std=gnu89 -msoft-float -pipe -Iarch/powerpc -mtraceback=no -mabi=elfv2 -mcmodel=medium -mno-pointers-to-nested-functions -mcpu=power7 -mno-altivec -mno-vsx -mno-spe -mspe=no -funit-at-a-time -fno-dwarf2-cfi-asm -mno-string -Wa,-maltivec -fno-delete-null-pointer-checks -O2 --param=allow-store-data-races=0 -Wframe-larger-than=2048 -fno-stack-protector -Wno-unused-but-set-variable -fomit-frame-pointer -fno-var-tracking-assignments -Wdeclaration-after-statement -Wno-pointer-sign -fno-strict-overflow -fconserve-stack -Werror=implicit-int -Werror=strict-prototypes -Werror=date-time -DCC_HAVE_ASM_GOTO -Werror -shared -fno-common -fno-builtin -nostdlib -Wl,-soname=linux-vdso64.so.1 -Wl,--hash-style=sysv -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(vdso64.so)" -D"KBUILD_MODNAME=KBUILD_STR(vdso64.so)" -Wl,-T arch/powerpc/kernel/vdso64/vdso64.lds arch/powerpc/kernel/vdso64/sigtramp.o arch/powerpc/kernel/vdso64/gettimeofday.o arch/powerpc/kernel/vdso64/datapage.o arch/powerpc/kernel/vdso64/cacheflush.o arch/powerpc/kernel/vdso64/note.o arch/powerpc/kernel/vdso64/getcpu.o -o arch/powerpc/kernel/vdso64/vdso64.so.dbg
/usr/bin/powerpc64-linux-gnu-ld: arch/powerpc/kernel/vdso64/sigtramp.o: file class ELFCLASS64 incompatible with ELFCLASS32
/usr/bin/powerpc64-linux-gnu-ld: final link failed: File in wrong format
collect2: error: ld returned 1 exit status
arch/powerpc/kernel/vdso64/Makefile:26: recipe for target 'arch/powerpc/kernel/vdso64/vdso64.so.dbg' failed
make[2]: *** [arch/powerpc/kernel/vdso64/vdso64.so.dbg] Error 1
scripts/Makefile.build:403: recipe for target 'arch/powerpc/kernel/vdso64' failed
make[1]: *** [arch/powerpc/kernel/vdso64] Error 2
Makefile:949: recipe for target 'arch/powerpc/kernel' failed
make: *** [arch/powerpc/kernel] Error 2
All those files were 64bit, however:
arch/powerpc/kernel/vdso64/cacheflush.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
arch/powerpc/kernel/vdso64/datapage.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
arch/powerpc/kernel/vdso64/getcpu.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
arch/powerpc/kernel/vdso64/gettimeofday.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
arch/powerpc/kernel/vdso64/note.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
arch/powerpc/kernel/vdso64/sigtramp.o: ELF 64-bit LSB relocatable, 64-bit PowerPC or cisco 7500, version 1 (SYSV), not stripped
An strace of the failing powerpc64-linux-gnu-gcc command above showed that collect2 (and ld) were being called with an option setting the format to 32bit:
24904 execve("/usr/libexec/gcc/powerpc64-linux-gnu/5.2.1/collect2", ["/usr/libexec/gcc/powerpc64-linux"..., "-plugin", "/usr/libexec/gcc/powerpc64-linux"..., "-plugin-opt=/usr/libexec/gcc/pow"..., "-plugin-opt=-fresolution=/tmp/cc"..., "--sysroot=/usr/powerpc64-linux-g"..., "--build-id", "--no-add-needed", "--eh-frame-hdr", "--hash-style=gnu", "-shared", "--oformat", "elf32-powerpcle", "-m", "elf64lppc", "-o", ...], [/* 66 vars */]
Alan Modra tracked it down to some 32bit hard-coded entries in GCC sysv4.h and sysv4le.h and submitted a patch to the GCC mailing list (Red Hat bug).
I re-built the Fedora cross-gcc package with his patch and it solved the linker problem for me. Hurrah!
We’ve finally had time to finalise Korora 22 and images are now available. I strongly recommend downloading with BitTorrent if you can.
We are not shipping Adobe Flash by default from 22 onwards, due to consistent security flaws. We still include the repository however, so users can install via the package manager or command line if they really want it:
sudo dnf install flash-plugin
Alternatively, install Google Chrome which includes the latest version of Flash.
Also, KDE 4 is not available for this release, so if you are not ready to move to KDE 5, then please stick to Korora 21.
It has taken a few weeks longer than we had hoped, but Korora 21 images are now available. I strongly recommend downloading with BitTorrent if you can.
The 21 beta was quite successful and we were able to make some minor changes to help improve the overall experience. Users who are currently on the beta need not re-install, updates are provided via the package manager. Users who are on 20 may consider upgrading, however this is not necessary as version 20 is supported for another 6 months or so.
I figured it was time to re-visit Ubuntu Touch on my Nexus 4 and see how it was going.
I was already running stock Lollipop and just kicked up the Ubuntu 14.10 GNOME live image under KVM on my Korora 21 laptop and passed the USB device through.
Following the instructions was really easy to get it going. Actually it was just one command and I was soon booting into Ubuntu, so that was quite impressive.
It booted up and asked me the usual things, connected to Wifi, etc. The interface is still the same as it was last time I checked, unsurprisingly, however it seems to work much better now. The animations are smooth and it’s quite clean looking. The Apps screen is easy to follow and you can easily filter by app group.
Apps
In computing, a DMZ (demilitarized zone) is a method for separating untrusted traffic from a trusted network. One of the most common implementations of this would be for supporting a publicly accessible server (such as web) on a local internet connection. The server sits in the DMZ and can be accessed from the Internet, but it cannot access the trusted network.
OpenWRT probably needs no introduction, the brilliant open source and community driven Linux based embedded router stack. I run it on my Netgear WNDR3800.
Netgear WNDR3800 running OpenWRT
I have an ODRIOD-U3 (little ARM box) running Fedora, which runs a web server. This is what I want to make publicly available in my DMZ.
So, how to create a DMZ in OpenWRT? Some commercial routers have a single button “make a DMZ” and everything is handled behind the scenes for you. Not so with OpenWRT; it’s powerful, transparent, and only does what you tell it to, so we have to create it manually.
Continue reading ‘Creating a DMZ in OpenWRT’
Korora 21 beta images are now available! Please leave a comment or ping me on social media with any issues or ideas so we can make it better.
Just to remind myself.. add systemd.unit=emergency.target to the kernel line, or if that fails, try init=/sbin/sh and remove both quiet and rhgb options.
Afterwards, exit or:
exec /sbin/init
Can also enable debug mode to help investigating problems with systemd.log_level=debug
You can get a console early on in the boot process by enabling debug-shell:
systemctl enable debug-shell.service
The default installation of FreeIPA includes the Dogtag certificate management system, a Certificate Authority for your network. It manages expiration of certificates and can automatically renew them. Any client machines on your network will trust the services you provide (you may need to import the IPA CA cert).
There are a number of ways to make certificates. You can generate a certificate signing request or you can have Dogtag manage the whole process for you. You can also create individual cert and key files or put them into a nss database. My preferred method is to use individual files and have Dogtag do the work for me.
If you so desire, you can join your servers to the realm in just the same manner as a desktop client. However, even if they are not joined to the realm you can still create certs for them! You will need to run a few additional steps though, namely creating DNS records and adding the machine manually.
Let’s create a certificate for a web server on www.test.lan (192.168.0.100) which is has not joined our realm.
SSH onto your IPA server and get a kerberos ticket.
[user@machine ~]# ssh root@ipa-server.test.lan
[root@ipa-server ~]# kinit admin
If the host is not already in the realm, create DNS entries and add the host.
[root@ipa-server ~]# ipa dnsrecord-add test.lan www --a-rec 192.168.0.100
[root@ipa-server ~]# ipa dnsrecord-add 0.168.192.in-addr.arpa. 100 --ptr-rec www.test.lan.
[root@ipa-server ~]# ipa host-add www.test.lan
Add a web service for the www machine.
[root@ipa-server ~]# ipa service-add HTTP/www.test.lan
Only the target machine can create a certificate (IPA uses the host kerberos ticket) by default, so to be able to create the certificate on your IPA server you need to allow it to manage the web service for the www host.
[root@ipa-server ~]# ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
Now create the cert and key.
[root@ipa-server ~]# ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k
/etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D
www.test.lan -K HTTP/www.test.lan
Now copy that key and certificate to your web server host and configure apache as required.
[root@ipa-server ~]# rsync -P /etc/pki/tls/certs/www.test.lan.crt /etc/pki/tls/private/www.test.lan.key root@www.test.lan:
You can also easily delete keys so that they aren’t tracked and renewed any more, first get the request id.
[root@ipa-server ~]# ipa-getcert list
Take note of the id for the certificate you want to delete.
[root@ipa-server ~]# getcert stop-tracking -i [request id]
A CRL (certificate revocation list) is automatically maintained and published on the IPA server at ​https://ipa-server.test.lan/ipa/crl/MasterCRL.bin
My OpenLDAP How To (Fedora) article has proven very popular over the years but now I’ve mostly moved on to FreeIPA.
So I thought it might be good to write up a FreeIPA How To (Fedora) article (CC BY-SA 4.0) in case it’s useful for anyone else out there.