Home Home
Sign up | Login

Author Archive

Developing with OpenSSL 1.1.x on openSUSE Leap

August 18th, 2017 by

The SUSE OpenSSL maintainers are hard at work to migrate openSUSE Tumbleweed and SUSE Linux Enterprise 15 to use OpenSSL 1.1 by default. Some work remains, see boo#1042629.

Here is how you can use OpenSSL 1.1 in parallel to the 1.0 version on openSUSE Leap for development and run-time:

Increase the thread/process limit for Chrome and Chromium to prevent “unable to create process” errors

July 25th, 2017 by

Browsers like Chrome, Chromium and Mozilla Firefox have moved to running tabs in separate threads and processes, to increase performance and responsiveness and to reduce the effects of crashes in one tab.

Occasionally, this exhausts the default limit on the amount of processes and threads that a user can have running.

Determine the maximum number of processes and threads in a user session:

$ ulimit -u

The SUSE defaults are configured in /etc/security/limits.conf:

# harden against fork-bombs
* hard nproc 1700
* soft nproc 1200
root hard nproc 3000
root soft nproc 1850

In the above, * the catch-all for all users.

To raise the limit for a particular user, you can either edit /etc/security/limits.conf or create a new file /etc/security/limits.d/nproc.conf. Here is an example for /etc/security/limits.d/nproc.conf raising the limit for the user jdoe to 8k/16k threads and processes:

jdoe soft nproc 8192
jdoe hard nproc 16384

If you want to do that for a whole group, use the @ prefix:

@powerusers soft nproc 8192
@powerusers hard nproc 16384

In either case, this change is effective only for the next shell or login session.

Manual encryption partition setup for stronger full disk encryption

May 26th, 2017 by

When installing openSUSE or SUSE Linux Enterprise, YaST is able to configure encrypted LVM using LUKS for full disk encryption. The default configuration is aes-xts-plain64 using a 256 bit master key. However, due to how the XTC mode splits the key into two halves, this reduces the effective key size used for AES to 128 Bits.

In order to use a 512 bit key for 256 effective AES, one needs to perform manual formatting prior to installation:
cryptsetup LuksFormat --key-size 512 /dev/sda1
However the installer suffers from boo#1030299 which prevents it from writing an entry to /etc/crypttab in this instance. This results in a system that is unable to boot after installation.

The work-around is as follows: Boot into the rescue system, open the crypto device and enter the installed system as a chroot:

cryptsetup luksOpen /dev/sda1 crypto
mount /dev/mapper/system-root /mnt
for X in proc dev sys; do mount -bind /$ /mnt/$X; done
chroot /mnt

(This example assumes /dev/sda1 to be the crypto device, and an LVM VG named system with a LV named root, and no separate /boot.)

Then in the chroot, edit /etc/crypttab to have the following line:

crypto /dev/sda1 none none

See man crypttab for additional settings and options. To finalize, regenerate the initrd and reboot


A future rewrite of the YaST storage abstraction layer is planned which should address this issue.

Uninstall a patch using zypper

July 11th, 2016 by

Maintenance and security updates for the stable openSUSE Leap releases are automatically tested using OpenQA, and also receive community testing prior to release. In addition, many updates to openSUSE Leap are inherited from SUSE’s enterprise products, where they already receive thorough review, and automated as well as manual testing.

Should anything go wrong, here is how to “uninstall” an online update using zypper.

zypper in --oldpackage ` \
zypper info -t patch --conflicts openSUSE-2016-XXX | \
grep " < " | while read NAME C VERSION; do \
rpm --quiet -q --queryformat "%{name}\n" $NAME && echo "${NAME}<${VERSION}"; \

Replace openSUSE-2016-XXX with the update in question. All involved packages are installed in a prior version. This, of course, is an alternative to using Btrfs snapshots. Note that the update will be offered again.

If you want to help review proposed online updates, just check the “untested updates” repo in YaST or add one of the -test repositories to receive updates early.

mounting TrueCrypt volumes in GNU/Linux using cryptsetup

January 12th, 2014 by

cryptsetup as of 1.6, which shipped in openSUSE 13.1, is able to mount TrueCrypt volumes without the use of TrueCrypt code otherwise, which I previously noted is problematic due to it’s license, at least for inclusion in the openSUSE distribution.

Here, then, is how you mount it:

cryptsetup open --type tcrypt /var/run/media/username/volume_name encrypted_volume
mount /dev/mapper/encrypted_volume /mnt

For read only access, add --readonly and -o ro respectively. When done:

umount /mnt
cyrptsetup close encrypted_volume

See man 8 cryptsetup for all details and options.

Apache Subversion 1.8 preview packages

April 15th, 2013 by

RPM packages of what will become Apache Subversion 1.8 fairly soon are now available for testing on all current releases of openSUSE and SLE 11.

Note that in this release, serf will replace neon as the default HTTP library, to the extend that the latter is removed completely. I wrote about ra_serf before and added support for it in recent packages. You can test this now with either 1.7 or 1.8 if you are concerned about performance in your network. Please note that for servers running httpd and mod_dav_svn, increasing MaxKeepAliveRequests is highly recommended.

Update: Apache Subversion 1.8 is now released. You can find maintained packages via the software search in the devel:tools:scm:svn project. This will be part of the next release of openSUSE.

xtrabackup for MySQL

October 14th, 2012 by

If you run data-driven applications like me, you are probably already running some kind of backup and have plans for disaster recovery. I hope you are not still using SQL dumps?

I have been using Percona XtraBackup professionally for MySQL backups for a while now. Especially if your database access is highly transactional you will find it useful that you can get consistent non-blocking, non-purging backups while continuing to serve transactions. Who wants downtime anyway?

Under the hood the software will take a dirty copy of the InnoDB tablespaces on disk, and extract binary logs required to bring all of these to a specific point in time, or rather LSN, using a patched version of the mysqld binary. The preparation / restore requires applying the binary log to the files which results in MySQL tablespaces and binary log files equivalent to how they would have been with a clean MySQL shutdown.

Mixing transactional with non-transactional database engines is possible if you are willing to accept some blocking time while backing them up. If you are using MySQL replication, you can also use this to create a new slave from either a master or to clone a slave from another without downtime of either.

The upgrade to the 2.0 series adds, among other things, parallel IO and parallel compression. This requires a new streaming file format xbstream in addition the previous tar. Think of it as a tar with multiple input pipes.

I added the xtrabackup package to openSUSE, it is available in the server:database project (repo, SLE 11) right now and will also be part of the next openSUSE release.

Remember that these are only tools. Love your data and protect your business. A copy is not a backup. A backup that isn’t monitored for success is not a backup. A backup that is not proven to restore successfully is barely a backup.

Contact me if you need help setting this up.

subversion with libserf – continued

March 15th, 2012 by

Further about my work on packages for Apache Subversion with support for serf / libserf / ra_serf, that repository access module was not made default in the 1.7 release after all. Anyway, version 1.0.13 of serf is now available in devel:libraries:c_c++ with the intention of getting this into and in Factory. You will find current Apache Subversion packages with fixed conditional compilation against serf in home:AndreasStieger:serf home:AndreasStieger:branches:devel:tools:scm:svn devel:tools:scm:svn for testing.

Updated 27/05/2012: repository locations
And again after SR#122507 was accepted.

subversion with libserf

April 26th, 2011 by

I packaged subversion to built against libserf in addition to neon. This adds a second repository access module to handle http and https schemes with potential improvements. To enable, install the packages from my home repository See updated package location.

To enable, adjust your ~/.subversion/servers file:

http-library = serf

Beyond this, the package tracks the package from devel:tools:scm:svn.

license implications when packaging TrueCrypt

March 6th, 2011 by

I use an encrypted USB stick to carry credentials and data for production servers I look after when I’m on call. One requirement was portability between my work (Windows) and home (GNU/Linux) desktops, so TrueCrypt came to mind. I packaged it all up an applied some patches to fix compiler issues and warnings. The TrueCrypt license, however, is not OSI-approved, and as such the program cannot be built in the openSUSE build service (see blacklist, discussion).

I almost forgot about the whole thing until I upgraded the package for new dependencies in the upcoming release of openSUSE 11.4. I talked with people over at packman, a popular 3rd-party repository for software not included in openSUSE proper for one reason or another. We analysed the license a bit and concluded that if we shipped binaries built from non-pristine sources, the product would have to be re-branded as per the requirements of their license. I am usually pragmatic about these things as long as FLOSS and non-FLOSS licences can be adhered to, but didn’t want to go the route Debian took with Firefox et al.

We contacted the TrueCrypt developers on this issue, we’ll see what comes out of that. Until then, if someone wants to build this package, here is what you need: