communication #101851

2021-12-07 19:00 UTC: openSUSE Heroes meeting December 2021

Added by cboltz 26 days ago. Updated 17 days ago.

Status: New
Priority: Normal
Assignee: opensuse-admin
Category: Event
Target version: -
Start date: 2021-11-02
Due date:
% Done: 0%
Estimated time:

Description

Where: https://meet.opensuse.org/heroes
When: 2021-12-07 19:00 UTC / 20:00 CET
Who: The openSUSE Heroes team and everybody else!

Topics
see/use checklist


Checklist

  • Questions and answers from the community
  • status reports about everything
  • review old tickets
  • Contributor Agreement (see #99804)

History

#1 Updated by cboltz 26 days ago

  • Private changed from Yes to No

#2 Updated by lrupp 17 days ago

Status updates

Updates/Upgrades

Gitlab

Enabled the automatic de-activation of dormant users.

  • Dormant users are automatically de-activated after 90 days of inactivity.
  • Users can reactivate their account by signing in.

JeOS image (for Leap 15.3)

  • Update to 0.4.1:
    • add/change sysctl settings:
      • do not use the privacy extension, we disabled it anyway: net.ipv6.conf.default.use_tempaddr=0 -> disable_ipv6_autoconf.conf
      • make it easier to allow to disable/enable route verification on all interfaces via net.ipv4.conf.all.rp_filter -> rp_filter.conf
      • Disable response to broadcasts. You don't want yourself becoming a Smurf amplifier: net.ipv4.icmp_echo_ignore_broadcasts=1 -> ignore_broadcasts.conf
  • added new nrpe check definitions:
    • check_external.cfg
    • check_private.cfg
    • check_apache_status.cfg
    • check_connections.cfg
    • check_cpu_stats.cfg
    • check_partition_var.cfg
    • check_ntp.cfg
    • check_logrotate_status.cfg
    • check_iostat_vdb.cfg
    • check_mysql.cfg
    • check_rsyslog.cfg
    • check_running_kernel.cfg
    • check_eth1.cfg
    They are covering some defaults of the new monitoring setup.
  • added udev rules to rename eth0 to private
  • adjust /root/bin/initial_setup.sh
    • follow the renaming
    • add interactive mode for people that need it
    • add the IP of the remote syslog server in /etc/hosts, as it might happen that the DNS resolution comes up too late for rsyslog
  • install additional packages:
    • bzip2 (needed by some scripts for tar.bz2 files)
    • xfsprogs (to create/handle xfs filesystems)
  • switch from EFI boot mode to legacy boot (saves some space on the root disk of the VM. EFI is not really needed there atm.)
  • enforced to clean-up config.sh from deprecated values
    • moved /etc/hosts modification from config.sh to initial_setup.sh
  • use releasever variable instead of hardcoded Leap version in zypper repositories, which makes an upgrade easier
  • remove check_mk from xinetd: not needed/used any longer
  • be a bit more verbose in config.sh: makes debugging easier
  • install and activate numad and tuned for performance tuning
  • use systemctl to enable/disable services, as baseInsertService and baseRemoveService seem not to work reliably at the moment
  • disable a couple of (for a VM) unneeded services:
    • IPv4 & IPv6 DHCP
    • Network nanny
    • Raid/mdadm checks
    • lvm2 services
    • battery check timer

Adjusted our virtual machine testing wiki page, to follow the latest image changes.

SSL Configuration changes

As CVE-2002-2001 allows an attacker to DoS our SSL endpoints, I disabled Diffie-Hellman Ephemeral key exchange (DHE). As this was one of the weakest ciphers that our SSL servers supported, we potentially lost only very old clients (like Safari <= 8).

Have a look at https://www.ssllabs.com/ssltest/analyze.html?d=www.opensuse.org&latest for details.
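
The sysctl values named in the JeOS image update above can be checked for drift with a small audit. This is an added example, not part of the ticket or the image's own scripts; it assumes the three .conf files are sysctl.d-style drop-ins applied in lexical filename order, and the sample file contents, the rp_filter value and zz-local.conf are constructed.

```python
# Values stated in the status update. rp_filter has no value on the page,
# so it is only reported by effective_settings(), not enforced by audit().
EXPECTED = {
    "net.ipv6.conf.default.use_tempaddr": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}

def parse_sysctl_conf(text):
    """Parse one sysctl.d-style file into {key: value}; last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        line = line.lstrip("-").strip()      # leading '-' only means "ignore errors"
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def effective_settings(files):
    """files: {filename: content}. Later filenames (lexical order) override earlier ones."""
    merged = {}
    for name in sorted(files):
        for key, value in parse_sysctl_conf(files[name]).items():
            merged[key] = (value, name)      # remember which file set the value
    return merged

def audit(files):
    """Return (key, expected, effective value, source file) for every deviation."""
    merged = effective_settings(files)
    findings = []
    for key, want in EXPECTED.items():
        got, src = merged.get(key, (None, None))
        if got != want:
            findings.append((key, want, got, src))
    return findings

# Constructed sample: the three drop-ins named in the update, plus a
# hypothetical later file that silently re-enables broadcast echo replies.
SAMPLE = {
    "disable_ipv6_autoconf.conf": "net.ipv6.conf.default.use_tempaddr = 0\n",
    "rp_filter.conf": "# constructed value\nnet.ipv4.conf.all.rp_filter = 1\n",
    "ignore_broadcasts.conf": "net.ipv4.icmp_echo_ignore_broadcasts=1\n",
    "zz-local.conf": "-net.ipv4.icmp_echo_ignore_broadcasts = 0\n",
}

if __name__ == "__main__":
    for key, want, got, src in audit(SAMPLE):
        print(f"{key}: expected {want}, effective {got} (set in {src})")
```

The override in zz-local.conf is reported even though ignore_broadcasts.conf is correct, because the audit evaluates the merged result rather than each file on its own.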
