See everyone back at Kupros on May 20.
https://www.saclug.org/articles/2025/may-2025.html
--
Brian Lavender
https://www.brie.com/brian/
"There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the other
way is to make it so complicated that there are no obvious deficiencies."
Professor C. A. R. Hoare
The 1980 Turing award lecture
I decided to give CentOS 9.2..... a try. Overall, it was a pretty good experience, but took a lot of time. Or more than it could have.
I decided to burn the iso to a CD. Turns out, the "new" system's CD drive doesn't work. Not being that familiar with EFI/boot it took a while to figure this out. So, I did a USB drive iso/boot. This seems a lot easier than the last time I did this. Just dd the iso over to the USB.
Everything worked. I installed the XFCE alternative. I didn't realize that this put me back at 9.2X instead of at 10.X. The qemu dnf install had issues. The main binary, qemu-kvm gets installed in a directory that is off the path. I put a link on the path to it. It works. But this is the lame stuff I was hoping to get away from by not using Fedora. This has to be a known issue and it would be nice if it was fixed. I would think qemu is a pretty popular package. Or is a directory named libexec supposed to be on the path now because there just weren't any good spots on the path we already have?
My plan is to run the new box headless and just vnc into it. I thought this would require Xvnc and some set up. I did this, it works. But I wanted to run a VM on the box. It took a little bit to rewrite my batch file to get things right. After installing a vnc viewer, I could see that it was running, using the Xvnc display :1, which is how I set it up. But I also noticed that the commandline output was telling me that a vnc server was running on 5900.
Turns out, I don't need all the Xvnc stuff. Just SSH in and start the VM and access port 5900 and I have a really nice vnc session. Almost like I am running the VM on the VNC client. This was nice.
Route and ifconfig are finally gone, so I had to learn ip. Man pages are, again, grouped and written in a unique way. Eventually found what I needed.
Default routing was set up with the wrong gateway. Fixed that with ip, but the old gateway kept coming back. Network configs have been moved and changed again. Found some docs online/Google and started unknowingly down an old path. Fortunately, they were nice enough to put a readme file in that directory telling me where the new stuff is.
Now it's time to configure the firewall. I've done this before with nft. Despite Googling the exact error message, telling me that the operation was not permitted, I got exactly zero exact hits. I've been running this exact command for years and never had a problem. It's hard for me to believe that reflects the actual data/web. While the wording on the hits was similar, the results were really unrelated.
So, I started going through the nft documentation. What a slog. I was focused on the fact that "firewalld" was underlined in the error message. I found stuff on table ownership in the man page. Spent a lot of time.
Then I started to play around with firewalld. Which I just happened to know was more than a namespace in nft, which is all the man page tells you. I finally found firewall-cmd. Which is, apparently, what I was "supposed" to be using all along. It does make things easier. Especially if the persist functionality works as advertised. A push in the right direction is nice. A kick in the pants, less so.
So they changed the nft-firewalld relationship somehow. I'm really surprised that Google turned up nothing on this when I searched the error. I guess I should have read the release notes. Maybe there is something there. Oh, where are they?
In the end, it all makes sense and I'm up and running. A "few" years back, I attributed the amount of time this all took to being just young and inexperienced. Now that I'm old and stupid, I realize it is either a natural, or artificially created, barrier to entry. No one is going to tell you or make it easy. You have to spend the time, and that is the way the world likes it.
In summary, while I have a positive impression of CentOS so far, the distros, man pages and Google search results have all gone downhill from days not that far gone by. Maybe that was the peak. Complexity on everything has gone up. All this starts to erode the benefits of open source IMHO. It's a recipe for disaster in the long run.
-Gary
It is a simple thing to make things complex,
a complex thing to make things simple.
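The headless-VM setup Gary describes, as an added example (not code from his post or from any project mentioned on the list): qemu-kvm's -vnc option takes host:display, and a bare ":0" listens on every interface with no authentication unless one is configured, so the script binds the console to 127.0.0.1 and reaches it through an ssh -L forward instead of connecting to port 5900 across the network. The hostname newbox.example, the disk image path and display :0 (TCP 5900, the port in the post) are assumptions. The firewalld lines reflect what the post found: --permanent writes the saved configuration and --reload loads it into the running ruleset.

```shell
#!/bin/sh
# Added example, not code from the list post: run a headless VM with its
# QEMU VNC console bound to loopback and reach it over an SSH port forward.
# Assumptions: the box is reachable as newbox.example, the disk image path
# below, and VNC display :0 (TCP 5900, the port seen in the post).

VM_HOST="newbox.example"                          # assumed hostname
VM_IMAGE="/var/lib/libvirt/images/centos.qcow2"   # assumed disk image
VNC_DISPLAY=0                                     # :0 -> TCP port 5900

# QEMU's -vnc argument is host:display; the TCP port is 5900 + display.
vnc_port() {
    echo $((5900 + $1))
}

# 0 when a -vnc spec is bound to loopback (or disabled), 1 otherwise.
# A bare ":0" or "0.0.0.0:0" listens on every interface, and QEMU's VNC
# server has no authentication unless one is configured.
vnc_is_local() {
    case "$1" in
        127.*:*|localhost:*|"[::1]:"*|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Refuse a spec that would expose the console; called before the command
# line is built so the check cannot be skipped.
check_vnc_binding() {
    if vnc_is_local "$1"; then
        echo "ok: VNC bound to loopback ($1)"
        return 0
    fi
    echo "refusing: -vnc $1 would listen on every interface" >&2
    return 1
}

# On CentOS/RHEL the qemu-kvm binary lives in /usr/libexec, off PATH, as
# the post notes, so it is referenced by full path rather than symlinked.
qemu_cmdline() {
    spec="127.0.0.1:$1"
    check_vnc_binding "$spec" >/dev/null || return 1
    printf '%s' "/usr/libexec/qemu-kvm -enable-kvm -m 2048 -drive file=${VM_IMAGE},format=qcow2 -vnc ${spec} -daemonize"
}

# Forward a local port to the VM's VNC port on the remote loopback; the
# VNC viewer then connects to localhost:<port> on the client machine.
ssh_tunnel_cmdline() {
    port=$(vnc_port "$1")
    printf '%s' "ssh -N -L ${port}:127.0.0.1:${port} ${VM_HOST}"
}

# With the console never exposed, only ssh needs a firewalld rule.
# --permanent edits the saved configuration; --reload loads it into the
# running ruleset, which is the "persist" behaviour mentioned in the post.
firewalld_cmds() {
    printf '%s\n' \
        'firewall-cmd --permanent --add-service=ssh' \
        'firewall-cmd --reload' \
        'firewall-cmd --list-all'
}

main() {
    echo "on ${VM_HOST}:   $(qemu_cmdline "$VNC_DISPLAY")"
    echo "on the client:  $(ssh_tunnel_cmdline "$VNC_DISPLAY")"
    echo "once, as root on ${VM_HOST}:"
    firewalld_cmds
}

main "$@"
```

The script only prints the command lines; nothing here needs root. Because the VNC server is reachable only on the remote loopback, the VNC display never needs a firewall opening, which removes the "firewalld vs nft" question for that port entirely.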
My personal workstation desktop can get a little cluttered. Regardless, I had open centos.org. I'm not sure when that happened, but I must have come across it somehow and just saved it to look into later.
Well later finally occurred and I did some checking. I guess CentOS isn't dead and I found this nice description of the ecosystem:
---
Fedora is RedHat's play area. All new, crazy ideas are tested on Fedora before deciding if they are going to be added to RHEL or not. This is the reason why Fedora has a short and dynamic lifecycle, with every new release there is something novel coming up.
CentOS is a stripped down, community supported version of RHEL. You can say that Fedora is (almost) a superset of RHEL, which in turn is a superset of CentOS.
---
I know we used to have some CentOS fans on the list and this info clarified some things for me, so I decided to post it.
I have a new, well used, system coming in a few days. I'm thinking that perhaps CentOS may suit my needs and personality better. I'm considering installing it.
I just upgraded on my X1 carbon.
--
Brian Lavender
https://www.brie.com/brian/
See everyone there!
Diego will do his third installment on Clojure!
https://www.saclug.org/articles/2025/april-2025.html
6-8pm
Gary, can you bring your projector again?
Brian
--
Brian Lavender
https://www.brie.com/brian/
Linus,
What was that Linux from scratch you created several years back?
Brian
--
Brian Lavender
https://www.brie.com/brian/
Today I received, via email, a security warning from my ISP, who is ATT. They were advising me that my system was being attacked and that the attack was based on an OpenSSH vulnerability.
After reading some CVE and Red Hat pages, it turns out I'm at risk because I updated my bastion server. My other systems, which the bastion server front ends for, aren't affected because the version of OpenSSH is too OLD.
What a pain.
This happens all the time, whether I get notified or not. Newer versions of software are NOT more secure. In fact, they become LESS secure as developers try to incorporate more functionality and edge uses. And, in this case, because someone made a mistake.
The whole world is on this upgrade/update treadmill and it gets you nothing. IMHO you are delusional if you think it does.
I have to get on it because I HAVE to upgrade browsers. You can only do this independently from an OS upgrade for so long.
Fortunately the exploit is very difficult to exploit beyond causing a "system crash". It takes a lot of "resources" and thousands of attempts. Which is probably how ATT noticed it.
I can't determine if, or ask ATT, to just block the attack. I can't respond to the email. It seems like blocking the attack would be nice. Fortunately, my network is on the slow side and the exploit probably can't be feasibly invoked.
This is why I resist upgrading/updating. It is a waste of A LOT OF TIME. Better to have a version and just patch vulnerabilities that apply to you and forget the rest.
The recommended fix is to set the logingracetime=0 for the sshd server. I'm trying to determine how this will affect password based authentication with long passwords over slow/bad networks, my situation. It seems like it might.
I'm seriously considering just downreving the OS on the bastion server. It doesn't really need that much functionality and never runs a browser. And, although I wouldn't like it, I'm not sure what they could do by executing arbitrary code there. They would have to be able to ssh somewhere useful.
I can see from the logs that I'm being hit every 3 sec or so. All different IPs, must be a botnet.
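Two checks a bastion admin would run after a notice like the one above, as an added example (not code from Gary's post; the page does not name the CVE, so none is named here). The first confirms the recommended mitigation is actually in effect: sshd_config(5) states that for each keyword the first value obtained is used, so a stray later LoginGraceTime line does not override an earlier one, and that a LoginGraceTime of 0 means no time limit, so a slow password entry is never cut off; the trade-off is that half-open connections are never reaped, leaving MaxStartups as the only cap on them, which is why both values are reported together. The second summarises pre-auth churn in a syslog-format sshd log (event count, distinct source IPs, mean gap in seconds), which is the "hit every 3 sec, all different IPs" observation made measurable. The config fragments and log lines are constructed samples; on CentOS/RHEL the real files are /etc/ssh/sshd_config and /var/log/secure.

```shell
#!/bin/sh
# Added example, not code from the list post: two checks for a bastion
# host after a notice like the one described. The sshd_config fragments
# and log lines below are constructed samples; on CentOS/RHEL the real
# files are /etc/ssh/sshd_config and /var/log/secure.

# sshd_config(5): for each keyword the FIRST value obtained is used, so a
# later duplicate does not override an earlier line. Global keywords must
# precede any Match block, so parsing stops at the first one.
effective_value() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Succeeds when LoginGraceTime is 0. Per sshd_config(5), 0 means no time
# limit, so a slow password entry is never cut off; the flip side is that
# half-open connections are never reaped, leaving MaxStartups as the only
# cap on them, so both values are reported together.
check_grace_mitigation() {
    grace=$(effective_value "$1" LoginGraceTime)
    starts=$(effective_value "$1" MaxStartups)
    [ -n "$grace" ]  || grace="120 (default)"
    [ -n "$starts" ] || starts="10:30:100 (default)"
    echo "LoginGraceTime=${grace} MaxStartups=${starts}"
    [ "$grace" = "0" ]
}

# Summarise pre-auth churn in a syslog-format sshd log: event count,
# distinct source IPs (a high ratio suggests a botnet), and the mean gap
# between events in seconds. Timestamps are assumed to fall on one day.
preauth_events() {    # $1 = log file
    awk '
        /\[preauth\]|Timeout before authentication|Invalid user/ {
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            if (n == 0) first = secs
            last = secs; n++
            for (i = 1; i < NF; i++)
                if (($i == "from" || $i == "by" || $i == "for") &&
                    $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    ips[$(i + 1)]++
        }
        END {
            m = 0; for (ip in ips) m++
            avg = (n > 1) ? (last - first) / (n - 1) : 0
            printf "events=%d distinct_ips=%d avg_interval_s=%g\n", n, m, avg
        }
    ' "$1"
}

# --- constructed samples (not real configs or logs) ----------------------
PATCHED_CFG=$(mktemp); UNPATCHED_CFG=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$PATCHED_CFG" "$UNPATCHED_CFG" "$SAMPLE_LOG"' EXIT

cat >"$PATCHED_CFG" <<'EOF'
# constructed sshd_config with the recommended mitigation applied
Port 22
LoginGraceTime 0
MaxStartups 10:30:60
PasswordAuthentication yes
LoginGraceTime 120
Match User backup
    PasswordAuthentication no
EOF

cat >"$UNPATCHED_CFG" <<'EOF'
# constructed sshd_config relying on defaults
Port 22
PasswordAuthentication yes
EOF

cat >"$SAMPLE_LOG" <<'EOF'
Jul  1 12:00:00 bastion sshd[2101]: Connection closed by 203.0.113.11 port 50122 [preauth]
Jul  1 12:00:03 bastion sshd[2104]: Invalid user admin from 203.0.113.27 port 50130
Jul  1 12:00:06 bastion sshd[2107]: Connection closed by 198.51.100.9 port 41002 [preauth]
Jul  1 12:00:09 bastion sshd[2110]: Connection closed by 203.0.113.11 port 50140 [preauth]
Jul  1 12:00:12 bastion sshd[2113]: Timeout before authentication for 203.0.113.44 port 50151
EOF

main() {
    check_grace_mitigation "$PATCHED_CFG"   || echo "  -> mitigation missing"
    check_grace_mitigation "$UNPATCHED_CFG" || echo "  -> mitigation missing"
    preauth_events "$SAMPLE_LOG"
}

main "$@"
```

Run against the real files with `effective_value /etc/ssh/sshd_config LoginGraceTime` and `preauth_events /var/log/secure`; remember that sshd must be reloaded after the config change for the new value to take effect, and that the second LoginGraceTime line in the patched sample is deliberately ignored by the parser because sshd itself ignores it.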
Can someone check a user field in libre office and check if they see a
difference between the way it looks in the Writer doc in Windows vs
Linux?
Ctrl-F2 Variables
User variable
Name: fizz
Value: [fizz]
In Windows, it shows "User field fizz=[Fizz]"
In Linux, it shows "[fizz]"
Can someone check for me and let me know?
Brian
--
Brian Lavender
https://www.brie.com/brian/