communication #101851

2021-12-07 19:00 UTC: openSUSE Heroes meeting December 2021

Added by cboltz 7 months ago. Updated 4 months ago.

When: 2021-12-07 19:00 UTC / 20:00 CET
Who: The openSUSE Heroes team and everybody else!

see/use checklist


  • Questions and answers from the community
  • status reports about everything
  • review old tickets
  • next meeting - Jan 4th or move to Jan 11th?
  • Contributor Agreement (see #99804)


#1 Updated by cboltz 7 months ago

  • Private changed from Yes to No

#2 Updated by lrupp 7 months ago

Status updates



Enabled the automatic de-activation of dormant users.

  • Dormant users are automatically de-activated after 90 days of inactivity.
  • Users can reactivate their account by signing in.

JeOS image (for Leap 15.3)

  • Update to 0.4.1:
    • add/change sysctl settings:
      • do not use the privacy extension, we disabled it anyway: net.ipv6.conf.default.use_tempaddr=0 -> disable_ipv6_autoconf.conf
      • make it easier to allow to disable/enable route verification on all interfaces via net.ipv4.conf.all.rp_filter -> rp_filter.conf
      • Disable response to broadcasts. You don't want yourself becoming a Smurf amplifier: net.ipv4.icmp_echo_ignore_broadcasts=1 -> ignore_broadcasts.conf
  • added new nrpe check definitions:
    • check_external.cfg
    • check_private.cfg
    • check_apache_status.cfg
    • check_connections.cfg
    • check_cpu_stats.cfg
    • check_partition_var.cfg
    • check_ntp.cfg
    • check_logrotate_status.cfg
    • check_iostat_vdb.cfg
    • check_mysql.cfg
    • check_rsyslog.cfg
    • check_running_kernel.cfg
    • check_eth1.cfg
    They are covering some defaults of the new monitoring setup.
  • added udev rules to rename eth0 to private
  • adjust /root/bin/
    • follow the renaming
    • add interactive mode for people, that need it
    • add the IP of the remote syslog server in /etc/hosts, as it might happen, that the DNS resolution comes up too late for rsyslog
  • install additional packages:
    • bzip2 (needed by some scripts for tar.bz2 files)
    • xfsprogs (to create/handle xfs filesystems)
  • switch from EFI boot mode to legacy boot (saves some space on the root disk of the VM. EFI is not really needed there atm.)
  • enforced to clean-up from deprecated values
    • moved /etc/hosts modification from to
  • use releasever variable instead of hardcoded Leap version in zypper repositories, which makes an upgrade easier
  • remove check_mk from xinetd: not needed/used any longer
  • be a bit more verbose in makes debugging easier
  • install and activate numad and tuned for performance tuning
  • use systemctl to enable/disable services, as baseInsertService and baseRemoveService seem not to work reliably at the moment
  • disable a couple of (for a VM) unneeded services:
    • IPv4 & IPv6 DHCP
    • Network nanny
    • Raid/mdadm checks
    • lvm2 services
    • battery check timer

Adjusted our virtual machine testing wiki page, to follow the latest image changes.

SSL Configuration changes

As CVE-2002-2001 allows an attacker to DoS our SSL endpoints, I disabled Diffie-Hellman Ephemeral key exchange (DHE). As this was one of the weakest ciphers that our SSL servers supported, we potentially lost only very old clients (like Safari <= 8).

Have a look at for details. We are meanwhile rated A+ :-)

Fixed Security problem on paste.o.o

Michal Hrusecky thankfully fixed an XSS security issue in today (2021-12-07). Lars asked if he wants to migrate the service into the openSUSE heroes infrastructure: he agreed, but wants to upgrade his application first, before doing so.

External IP for

Worked a bit on the external IP part for :

  • dehydrated setup beautified (to be ready for Salt)
  • nginx SSL settings adjusted to be "A+ conform"
  • services (xinetd) bound to internal interfaces

Security scans

As we have meanwhile an internal openVAS security scanner, Lars runs scans inside the internal network from time to time. Additional people with access to the instance:

  • cboltz
  • pjessen

For most important issues, Lars opened/opens issues here in progress.o.o and tries to assign these tickets to the Admins of the affected servers directly (if possible, otherwise Group opensuse-admin is default).

Most interesting at the moment might be #102599, as it's currently not clear, if jQuery is still in use at all?
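
A defender-side check for the DHE change described in the status update above, added here as an example (not code from this ticket or from the openSUSE infrastructure): it expands each nginx `ssl_ciphers` value with the local OpenSSL through Python's `ssl` module and lists the finite-field DHE suites that are still enabled. The nginx fragment, host names and function names are constructed for illustration.

```python
import re
import ssl

# Constructed nginx fragment (not the openSUSE configuration): the first
# server still lists finite-field DHE suites, the second excludes them.
SAMPLE_NGINX_CONF = """
server {
    server_name before.example;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
}
server {
    server_name after.example;
    ssl_ciphers "HIGH:!aNULL:!MD5:!kDHE";
}
"""

DIRECTIVE = re.compile(r"^\s*ssl_ciphers\s+([^;]+);", re.MULTILINE)


def dhe_suites(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    TLS <= 1.2 suites whose key exchange is finite-field ephemeral DH."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # 'kea' is OpenSSL's key-exchange label (kx-dhe, kx-ecdhe, kx-rsa, ...).
    # TLS 1.3 suites report kx-any because their groups are configured
    # separately; PSK variants carry their own label and are out of scope.
    return sorted(c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-dhe")


def audit_nginx(conf_text):
    """Return {cipher_string: [DHE suites still enabled]} per ssl_ciphers directive."""
    report = {}
    for match in DIRECTIVE.finditer(conf_text):
        cipher_string = match.group(1).strip().strip("\"'")
        report[cipher_string] = dhe_suites(cipher_string)
    return report


if __name__ == "__main__":
    for cipher_string, hits in audit_nginx(SAMPLE_NGINX_CONF).items():
        status = "DHE still enabled: " + ", ".join(hits) if hits else "no DHE suites"
        print(f"{cipher_string}\n  -> {status}")
```

The result reflects what the OpenSSL build linked into Python expands the string to, so run it on the host that serves the configuration.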

#3 Updated by cboltz 6 months ago

  • Checklist item next meeting - Jan 4th or move to Jan 11th? added

#4 Updated by cboltz 6 months ago

2021-12-07 heroes meeting


  • test package is building
  • test installation will probably be updated next week
  • meet.o.o can currently only have SUSE admins because it's used for SUSE-internal meetings
  • meet-test.o.o server can have community admins (use one of the *.infra.o.o VMs as jump host for ssh login)

status reports:

openSUSE Infrastructure Contributor Agreement:

  • we base on trust
  • should include the common openSUSE principles/guidelines
  • we can not require an openSUSE hero to be an openSUSE member - as they just earn the credits to become a member by working as openSUSE hero - but we can ask to follow the member guidelines in general

next meeting:

  • will be moved by a week to Jan 11th

#5 Updated by lrupp 4 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
