FOSDEM 2025 is behind us. We ran the Identity and Access Management devroom at
FOSDEM. At the devroom, my team did a few talks and demos about FreeIPA and
Kerberos. While preparing for those talks, we tried to create demonstrations
that could be repeated by others as well. First, this was an attempt to help
ourselves, as we need to communicate our advances to others in the teams. Then
we started to look at how to show our progress to folks outside of the development
groups.
We iterated over our tools and finally ended up with something that is based on
what we use in upstream CIs: we use podman containers to run what ends up being
ephemeral VMs hosting the software. This doesn't give us the ability to handle all
possible scenarios, and it is not a way to run actual production environments either.
Yet, it allows quick reuse and sharing of:
- a descriptive definition of the deployment configuration
- standard tooling to provision the configuration as containers with podman-compose
- Ansible playbooks to run repeatable actions against the hosts, with the
  inventory taken from the podman-compose integration
The tool, ipalab-config,
quickly became flexible enough to be used in multiple scenarios. It powers
ansible-freeipa's own upstream CI, and we aim to reuse it for new FreeIPA Web UI
development and for the FreeIPA workshop.
For the demos at the FOSDEM IAM devroom we put together a separate repository that has all
the scenarios and even recording files to reproduce the demos:
freeipa-local-tests. You can
try for yourself how the local authentication hub, IPA-IPA trust, or IPA-IPA migration
work.
This project demonstrates how complex multi-system FreeIPA deployments can be
tested locally or in your CI/CD. The test environment is built with the help of
podman and orchestrated with
ipalab-config and
podman-compose tools. The FreeIPA
environment is deployed with the help of
ansible-freeipa. Upstream, we run
these tests in GitHub Actions as well.
Demo labs
The following configurations are provided as 'labs' that can be reproduced using the
ipalab-config tool and the configurations from this project:
- minimal deployment, consisting of a
  FreeIPA server and a FreeIPA client enrolled into it.
- local KDC, consisting of two
  standalone machines, not enrolled into any domain. Each machine runs its own
  Kerberos KDC exposed to local applications over a UNIX domain socket, with socket
  activation handled by systemd. See the "localkdc - local authentication hub"
  talk at FOSDEM 2025. This is currently a work in progress.
Some of the demo labs have automated recordings of the operations that can be performed on them.
Video recording is built upon the excellent
VHS tool. A pre-built version for
Fedora is provided in the COPR
abbra/vhs. This build also
includes a fix from the upstream
PR#551.
Minimal deployment demo
This demo recording includes a minimal use of the FreeIPA command line:
- an administrator logs into a client system over SSH using a password
- a Kerberos ticket is obtained automatically by SSSD
- the IPA command line tool can authenticate to the IPA server using Kerberos
Local KDC demo
The local KDC demo is more involved:
- a user logs into their own machine over SSH using a password
- a Kerberos ticket is obtained automatically by SSSD from the local KDC, which is activated on demand
- the user then uses the Kerberos ticket to authenticate to sudo and obtain root privileges
- the user also uses the Kerberos ticket to authenticate to a Samba server running locally
- finally, the user authenticates with the Kerberos IAKerb extension to a remotely running Samba server, completely removing the need for the NTLM authentication protocol
IPA to IPA trust demo
This is a minimalistic demo of how users and groups from one IPA environment
can be resolved in the other IPA environment. There is a trust agreement
established between both IPA environments, similarly to how IPA can establish a
forest-level trust with Active Directory.
This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide both an infographic and a text version of the weekly report. If you just want a quick look at what we did, look at the infographic. If you are interested in more in-depth details, look below the infographic.
Week: 10th Feb – 14th Feb 2025
Infrastructure & Release Engineering
The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work. It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.). List of planned/in-progress issues
Our everyday scientific and educational work relies heavily on hardware, software, and, in modern times, cloud services. The equipment that we will mention below is specific to our group; common services used by university and/or faculty employees will not be specifically mentioned here.
The 46th annual meeting of the International TeX Users Group (TUG 2025) will take place in Thiruvananthapuram (aka Trivandrum), Kerala, India, on 18–20 July, 2025. The Indian TeX Users Group and TeXFolio (STMDocs) with support from International TeX Users Group and sponsors are organizing the event this time as it comes back to India after a long hiatus of 14 years (the last two instances hosted were in 2011 and 2002).
Details about the registration, venue, travel, accommodation, programme, deadlines and important dates etc. are available at the conference page https://tug.org/tug2025/.
Call for participation
TUG conferences have always enjoyed excellent presentations and talks about TeX, typefaces/fonts, typesetting, typography and anything related. Please submit interesting papers — see the call for papers and speaker advice. Note that a visa is required for participants from most countries and obtaining one is a non-trivial undertaking. Please register and contact the program committee for a visa invitation letter as soon as possible.
The drawings for TUG 2025 are made by notable cartoonist E.P. Unny and the flyer is typeset by CVR.
I have a Grandstream HT802V2 running firmware 1.0.3.5 and while playing around with the VPN settings realized that the sanitization of the "Additional Options" field done for CVE-2020-5739 is not sufficient.
Before the fix for CVE-2020-5739, /etc/rc.d/init.d/openvpn did
Looking at the OpenVPN configuration template (/etc/openvpn/openvpn.conf), it already uses up and therefore sets script-security 2, so injecting that is unnecessary.
Thus if one can somehow inject "/bin/ash -c 'telnetd -l /bin/sh -p 1271'" in one of the command-executing options, a reverse shell will be opened.
The filtering looks for lines that start with zero or more occurrences of a space, followed by the option name (up, down, etc.), followed by another space.
While OpenVPN happily accepts tabs instead of spaces in the configuration file, I wasn't able to inject a tab either via the web interface or via SSH/gs_config.
However, OpenVPN also allows quoting, which is only documented for parameters, but works just as well for option names too.
That means that instead of
up "/bin/ash -c 'telnetd -l /bin/sh -p 1271'"
from the original exploit by Tenable, we write
"up" "/bin/ash -c 'telnetd -l /bin/sh -p 1271'"
this will still be a valid OpenVPN configuration statement, but the filtering in /etc/rc.d/init.d/openvpn won't catch it and the resulting OpenVPN configuration will include the exploit:
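The defensive lesson of the bypass above is that a line-oriented regular expression is the wrong tool for filtering a configuration language with its own tokenizer. As an added example (not code from the post or from Grandstream), the Python below contrasts a space-only prefix filter of the kind described with a check that tokenizes each line the way OpenVPN's parser does (spaces or tabs, single and double quotes, backslash escapes, `#`/`;` comments) and then decides on the first token. The option list and the sample lines are constructed for the example and use a harmless command.

```python
import re

# Options that make OpenVPN run an external command. A product that lets users
# append "additional options" to a generated config should refuse these however
# the option name is written. (List assembled for this example, not exhaustive.)
SCRIPT_OPTIONS = {
    "up", "down", "ipchange", "route-up", "route-pre-down",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security",
}

# The kind of filter the post describes: optional spaces, the option name, a space.
# It never sees a tab, a quoted option name, or a backslash escape.
NAIVE_FILTER = re.compile(
    r"^ *(" + "|".join(re.escape(o) for o in sorted(SCRIPT_OPTIONS)) + r") "
)


def naive_is_blocked(line):
    """The space-only prefix check that the quoting trick slips past."""
    return NAIVE_FILTER.match(line) is not None


def tokenize(line):
    """Split one config line roughly as OpenVPN's parse_line() does.

    Space and tab separate tokens; '...' and "..." quote a token (option names
    included, not only parameters); a backslash escapes the next character;
    an unquoted '#' or ';' starts a comment that runs to the end of the line.
    """
    tokens, cur, quote, escaped, have_token = [], [], None, False, False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = have_token = False, True
            have_token = True
        elif quote:
            if ch == quote:
                quote = None
            elif ch == "\\" and quote == '"':
                escaped = True
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote, have_token = ch, True
        elif ch == "\\":
            escaped = True
        elif ch in (" ", "\t", "\r", "\n"):
            if have_token:
                tokens.append("".join(cur))
                cur, have_token = [], False
        elif ch in ("#", ";"):
            break
        else:
            cur.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(cur))
    return tokens


def robust_is_blocked(line):
    """Decide on the parsed option name, so quoting and tabs make no difference."""
    toks = tokenize(line)
    return bool(toks) and toks[0] in SCRIPT_OPTIONS


def rejected_lines(additional_options):
    """Lines of a user-supplied options blob that must not reach openvpn.conf."""
    return [ln for ln in additional_options.splitlines() if robust_is_blocked(ln)]


# Constructed sample input: the same option spelled four ways plus benign lines.
SAMPLE_OPTIONS = "\n".join([
    "remote vpn.example.com 1194",
    "up /bin/true",               # caught by both filters
    "  up /bin/true",             # caught by both filters
    "\tup /bin/true",             # tab: naive filter misses it
    '"up" "/bin/true"',           # quoted option name: naive filter misses it
    "# up /bin/true",             # comment, harmless for both
])

if __name__ == "__main__":
    for ln in SAMPLE_OPTIONS.splitlines():
        print(f"{ln!r:28} naive={naive_is_blocked(ln)!s:5} robust={robust_is_blocked(ln)}")
```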
I recently wrote about using the MoSCoW method for prioritizing work at the project level. But how do you prioritize your own individual work? The method that has worked best for me is known as the Eisenhower Matrix.
The Eisenhower Matrix explained
The Eisenhower Matrix requires making two binary choices about a task: is it of high or low importance and is it of high or low urgency? The prioritization then goes like this:
1. High importance and high urgency. Do these first.
2. High importance and low urgency. Schedule these.
3. Low importance and high urgency. Delegate these.
4. Low importance and low urgency. Don't do these.
Sometimes you can delegate priority 3 tasks to others in the project, but often you can’t. Those either get done once you finish priority 1 or you end up not doing them. Not everything that’s urgent is important.
I prefer to think of category 4 as “do these when you have the time”, but you can’t do everything you think of, so category 4 is a good place to drop things if you have to. It’s okay to not do things.
Evaluating tasks
On its face, the Eisenhower Matrix is very simple. In practice, making the choices about importance and urgency causes a lot of hangups. It doesn't need to. Make a quick judgement and refine as you go. The point is to avoid hyperfixating on the act of prioritization so you can get stuff done instead.
Importance
Importance, in particular, is a place where everyone struggles at first. Everything seems important, and there’s a degree of emotional vulnerability in calling some of your tasks “low importance.” It’s a short trip from there to thinking “all of my work is unimportant.”
But here’s the thing: it’s not called “unimportant”, it’s called “low importance.” Everything is relative, so it’s a matter of labeling the less important tasks in your total task universe. If it helps, think of it in terms of impacts down the line. If skipping a task creates a lot of additional work or a time crunch or prevents a key thing from happening on time, that task has high importance. If skipping a task is manageably inconvenient, then it’s of low importance.
For example, as I was thinking about this section, I realized that some of my regular tasks are less important than I labeled them. Posting a reminder about the weekly project maintainer meeting has some importance, but the people who need to be there already have it on their calendar. If I forget one week and other community members don’t join, that’s not ideal, but there’s no real harm. The meetings are recorded anyway. I’ve been using the Eisenhower Matrix for years and I still tend to bias toward high importance.
Urgency
Urgency tends to be easier to manage. We know that some things can wait. Still, it’s sometimes difficult to decide how urgent is urgent. One good rule is this: if there’s an actual deadline looming, the task is urgent. If you’d just like to have it done, it’s not urgent. The looming deadline part is perhaps the trickiest. If a conference’s call for proposals closes in a month, writing your proposal is probably not an urgent task. If it closes at the end of the day, then writing your proposal is urgent. But what if it’s at the end of the week? Or in two weeks? That can be harder to judge.
The thing to remember is that task evaluations are not static. As deadlines approach, tasks can go from low urgency to high urgency. If you complete all of your high importance tasks and no new ones appear, then some of your low importance tasks become high importance relative to what’s left.
Limitations of the Eisenhower Matrix
Like any framework, the Eisenhower Matrix isn't perfect. It is for making daily decisions on how to prioritize tasks, not for providing one true understanding of the importance and urgency of everything in your life. Its power and weakness are in its simplicity.
One thing that the Eisenhower Matrix ignores is the time necessary to complete a task. One high importance, high urgency task might take all day (though maybe you should decompose it into smaller tasks). Would accomplishing 10 shorter tasks of lower individual importance or urgency have a greater impact in aggregate? Maybe. The Eisenhower Matrix doesn’t tell you what to do if your priority 1 tasks require more than your entire day. Then again, maybe that’s a sign that you’ve over-importanced some tasks.
How do you decide which of several tasks within a priority category to do first? The Eisenhower Matrix doesn't say. You can just pick one. If you feel the need to rank them, the refining criteria in the MoSCoW post can help. The main point is that you don't need to recursively evaluate each task until you have a strictly ordered list. That wastes time that you could be spending doing the actual work.
The Eisenhower Matrix also fails to account for how draining or fun a task is. All tasks give the joy of dopamine when you mark them done, but some are actually fun to complete and others are dreadful. I, for example, enjoy posting the recordings and notes from meetings but dread making phone calls. You won’t go to jail for not following your prioritized list exactly, though. If you need some joyful tasks to get you through the drudgery, you can make that choice.
Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for a parallel installation, the perfect solution for such tests, and also as base packages.
RPMs of PHP version 8.4.4RC2 are available
- as base packages in the remi-modular-test repository for Fedora 39-41 and Enterprise Linux ≥ 8
- as SCL in the remi-test repository
RPMs of PHP version 8.3.17RC1 are available
- as base packages in the remi-modular-test repository for Fedora 39-41 and Enterprise Linux ≥ 8
- as SCL in the remi-test repository
ℹ️ The packages are available for x86_64 and aarch64.
ℹ️ PHP version 8.2 is now in security mode only, so no more RC will be released.
Yesterday I wrote about how
I am using a different tool for git signing and verification. Next, I
replaced my pass usage. I have a small
patch to use the
stateless OpenPGP command line interface (SOP). It is an implementation
agnostic standard for handling OpenPGP messages. You can read the whole spec
here.
Installation
cargo install rsop rsop-oct
Then I copied the bash script from my repository to somewhere in my PATH.
The rsoct binary from rsop-oct follows the same SOP standard but uses the
card for signing/decryption. I stored my public key in the
~/.password-store/.gpg-key file, which is in turn used for encryption.
Usage
Here nothing changed related to my daily pass usage, except the number of times I am typing my PIN :)
I should not have stayed up late the previous night - This thought crossed my mind when I heard the alarm go off at around 0500am Central European Time on the second day of CentOS Connect 2025. On 31st January 2025, we had a bunch of talks planned since the morning and I did not want to miss out on a collection that I had planned on attending. I checked with Greg Sutcliffe who was in the dining area already so while I could have used some more rest, I decided to head down after getting freshened up. After going through my documentation to check the estimated action and projected estimate, I headed down for breakfast. I followed up with Amita Sharma's request to confirm some important details about the Fedora Project's presence during DevConf.IN 2025 while sticking to a light meal.
CentOS Connect 2025 info shown on the digital signage devices present in the DoubleTree by Hilton Brussels City hotel
At around 0700am Central European Time, Sumantro Mukherjee arrived at the dining area right around the time Greg and I were about to leave and he decided to join us a bit later in the day. Heading down to track number #2 of the Port De Namur station, Greg purchased a collection of tickets for the train ride while I decided to rely on my credit card for the expenses. Funnily enough, we had the exit unblocked at the Rogier station - which was super helpful for a confused Greg who ended up keeping the ticket that we used back in the collection he had. On our way to the DoubleTree by Hilton Brussels City, Greg remarked how happy he was after joining the Red Hat Community Linux Engineering team in a technical role after his stint in the community management role in the Red Hat Ansible community.
From left to right - Fabian and I exchanging snacks and wishes in the CentOS Connect 2025 event cloakroom
While it was cloudy on that day - the two of us were glad that the rain had paused for a brief period of time in the morning. We made it to the CentOS Connect 2025 reception desk to find Amy Marrich and Dorka Volavkova in the empty venue. We were soon joined by Michel Lind there with whom I caught up with conversations while Greg was getting himself registered for the event. As he was attending the CHAOSScon EU 2025 event the day before, this was the first day of attendance for him here. I also met up with Fabian Arrotin with whom I shared some Indian snacks, namely Chakli, before wishing him luck for the first talk that he had on that day. At around 0900am Central European Time, I dropped off my bags in the cloakroom and left to attend the talk on CentOS Infra SIG Review And Updates.
Some glimpses of some of the very best folks from the free and open source software fraternity sharing what they love doing the most (Courtesy. Akashdeep Dhar, Luis Bazan and Justin W. Flory CC-BY-SA 2.0)
I shared conversations with Neal Gompa, Mike McLean, and Sherif Nagy in the event corridor before finding a seating beside Michel in the Chestnut Hall. This talk was followed by the presentation on the CentOS Hyperscale SIG Update by Davide Cavalca and Neal at around 0945am Central European Time. I stayed back for the talk on CentOS Alternate Images SIG Update presentation by Troy Dawson at around 1015am Central European Time before heading out into the event corridor again. I met up with Sumantro who had arrived at the event venue by then and Julia Bley, who was giving a tour to her partner, Olaf Bley-Steglich, who was visiting a technical conference for the first time. His innocent inquisitiveness about how Red Hat does business around free and open source felt endearing to me.
Julia providing Sumantro and me with a quantitative analysis of why it is such a bad idea to plan for an event about three weeks before its commencement
At around 1130am Central European Time, I decided to bide my time into working on my planning around the Fedora Project presence at DevConf.IN 2025 while I was anxiously waiting for Justin W. Flory to arrive at the event. In the meanwhile, I also had conversations with Dorka who mentioned of her inability to help with the Fedora Project presence as she would be busy helping out with DevConf.IN 2025. Brian Profitt mentioned about his presence during DevConf.IN 2025 and volunteered to help with the transit of the booth resources that we would need in Pune - a welcome gesture that I was very appreciative of. In the cloakroom, Julia, Sumantro and I discussed around the feasibility of the Fedora Project presence during DevConf.IN 2025 and just how close we were cutting it to the actual event.
Greek Bowl with salmon salad would most definitely go down as one of the most fun snacks that I have had in any free and open source software conference so far
After a thorough discussion of the state of affairs, we kept ourselves open to the possibility of having to cancel the organization. Subject to the budget that we might end up getting, I regarded that the event would not be worth organizing if we were not properly resourced for it. While I provided Devang Parikh, Rajan Shah and Amita with a tentative nod, it was only after the discussion with Justin that I was able to move ahead. We kicked around for a while in the cloakroom with David Fan and Jess Chitas before heading over for lunch to the event corridor at around 0100pm Central European Time. While we were waiting for Justin's arrival, Sumantro and I shared our lunch consisting of a Greek Bowl with salmon salad while having conversations with Rich Bowen and Carl George.
From left to right - Myself and Daniel comparing who has it worse in terms of RPM packaging - Python SIG or Rust SIG (Courtesy. Luis Bazan CC-BY-SA 2.0)
I shared with Rich just how the Red Hat Community Platform Engineering team had changed since his departure from the team - covering stories from the renaming of the team and the merger of engineers with quality assurance. It was also interesting to know just how free and open source software communities were perceived and worked with from within the Amazon Web Services teams - where Rich was employed then. At around 0130pm Central European Time, Justin had arrived at the event venue and we headed inside the cloakroom to have the discussion about the Fedora Project's presence during DevConf.IN 2025. The room seemed to be a lot more occupied than before but that did not stop me from swiftly getting him up to speed about the situation and the requirements for the event.
From left to right - Jess, Julia, myself and Sumantro after wrapping up the discussions around the DevConf.IN 2025 event and heading for lunch
Given the limited period of time that we had before the DevConf.IN 2025 event, my primary resource of swag would have to be the leftovers from the Fedora Project booth at FOSDEM 2025. I was seeking funding for the travel and stay for Samyak Jain and Sumantro among other expenses like dining - the total estimated projection of which came to around 2000 USD. As timing would have it, all that Justin could reliably provide us with from Fedora Mindshare was barely 150 USD which would very clearly not be enough. While I was advised to keep the plan open to a minimal execution, I decided to reach out to Rajan and Devang with a declination notice for the Fedora Project booth, as I had promised them, by the end of business on that day so that they could proceed ahead without us.
From left to right - Justin, Akashdeep and Sumantro after we figured out that Justin's Red Hat is slightly bigger than the one I was provided with on joining Red Hat
After clearing the confusion around the ownership of the Fedora Project's presence during the event which was mistakenly considered to be Amita's instead of mine, we decided to start early from the next edition of DevConf.IN onwards. The only way with which we could avoid a disappointment like the one we just had would be to kick off the planning early during the next edition of DevConf.IN. With the notice being shared to the DevConf.IN 2025 organizer, Sumantro, Justin and I discussed about the plans around the Fedora Project presence around the Asia Pacific region. We also considered pivoting away from our existing presence to other events that we did not previously consider like COSCUP and representing the Fedora Project community there instead for wider outreach and ambassadorship.
From left to right - Julia, Carl, Mike, myself, Fabian and Olaf sharing a photograph frame in the late afternoon right before Mike's talk on Building RPMs in Konflux
I decided to reach out to the folks from COSCUP at their booth presence during FOSDEM 2025 and we departed for the Chestnut Hall to Mike's talk on Building RPMs in Konflux at around 0400pm Central European Time. On my way to the presentation, I got in touch with Julia and Dorka about the cancellation of the Fedora Project's presence during DevConf.IN 2025. After a quick group photo with all the attendees, speakers and organizers at the event corridor, we headed inside to attend some of the last talks. Before I departed from the event at around 0530pm Central European Time, the event guests from the Red Hat Community Linux Engineering team gathered around for a quick set of photographs - before Sumantro and I headed over to the cloakroom of the event to fetch our belongings.
From left to right - Peter, Justin, myself and Sumantro sharing a photograph frame after Sumantro and I were pleased to meet Peter after a long time
While there was a waffle party planned by the CentOS Connect 2025 folks in Grand Place at 0830pm Central European Time, I thought of not attending that as I wanted to take care of the Fedora Project during the first day of FOSDEM 2025 early next morning. As we made it into the cloakroom, Sumantro and I were super pleasantly surprised to meet with Peter Boy with whom we were meeting after a long time. After clicking a couple of pictures with him and Justin with whom he was discussing details - the two of us decided to head back to the hotel. I decided not to attend the FLOSS Foundations dinner sponsored by Google as I did not have enough company from the Fedora Project and CentOS Project. Instead, I decided to rely on a takeaway for dinner like I did in the previous couple of days.
From left to right - Sumantro and I sharing a train ride back to the Port De Namur station and deciding to call it a day before FOSDEM 2025 fun begins on the next day
On our way back to the Moxy Brussels City Center hotel on train number #6, I decided to head out by myself to get my dinner as Sumantro was occupied with some work calls. Half of me wanted to wait for him but the other half of me was getting hungrier by the passing minute as I had had a relatively lighter breakfast and lunch, being anxious about the planning around the Fedora Project presence. After getting a Chicken Wrap with some add-ons from Belchicken, as my order was delayed, I ran into Mike Nolan at the hotel lobby with whom I had the pleasure of meeting after a long time. Through some conversations with Luis Bazan and Justin, I put out a bid for assistance with setting up the Fedora Project booth at FOSDEM 2025 before getting some rest to prepare for the lively next day!
One of the powers of Unix systems comes from the various small tools and how
they work together. One such new tool I have been using for some time is for git signing & verification using OpenPGP and my Yubikey for the actual signing
operation via
openpgp-card-tool-git. I
replaced the standard gpg for this use case with the oct-git command from this
project.
Installation & configuration
cargo install openpgp-card-tool-git
Then you will have to configure your git configuration (in my case the global configuration).
git config --global gpg.program <path to oct-git>
I am assuming that you already had git configured for signing before; otherwise
you have to run the following two commands too.
This is a short snippet to run PostgreSQL using Podman with a volume. The snippet has been tested on Fedora 41.
Create the Podman volume
$ podman volume create psqldevel
Run PostgreSQL
$ podman run -d -p 5432:5432 -v psqldevel:/var/lib/postgresql/data -e POSTGRES_PASSWORD=xx --name psqldevel postgres:latest
Please join us at the next regular Open NeuroFedora team meeting on Monday 10 February 2025 at 1300 UTC.
The meeting is a public meeting, and open for everyone to attend.
You can join us in the Fedora meeting channel on chat.fedoraproject.org (our Matrix instance).
Note that you can also access this channel from other Matrix home servers, so you do not have to create a Fedora account just to attend the meeting.
You can use this link to convert the meeting time to your local time.
Or, you can also use this command in the terminal:
$ date -d 'Monday, February 10, 2025 13:00 UTC'
The meeting will be chaired by @ankursinha.
The agenda for the meeting is:
This article will discuss the state of finding your current geographical location in the Fedora Linux environment.
Background
For many mobile devices it is useful to get the current location. This is usually done using a GPS sensor, where the coordinates (latitude and longitude as given by the satellites) allow for step-by-step directions to the desired destination.
However, sometimes using the GPS isn’t desirable. This may be due to the high battery usage, or sometimes the device doesn’t have a GPS sensor at all. Even more interesting, the user might hit a GPS sensor limitation (such as being indoors) meaning there is a need for a secondary way to detect location to either replace or augment the GPS data.
But, what would that secondary source of data be? The alternative source needs to be some public data that is available for everyone, and we do have those! There are Wifi network identifiers, mobile cell towers data, and Bluetooth beacons. All of these are broadcast constantly, or almost constantly.
Using these alternative sources the user accepts the service of a location service provider (for example, Google Location Services provided by Google on Android). The provider has their own database of the specified device identifiers along with their approximate location. When making a location request the Wifi, Bluetooth, and cell identifiers are sent with the request and the location provider sends back coordinates. In addition they provide the precision of the coordinates based on an average of the locations available from the data in the database.
Of course, there is always the third option of combining both approaches in a way that fits the precision needed for the task. As an example, Google calls this combined approach Fused Location which is provided in their proprietary Google Play Services.
Ok, that is how it generally works and how mobile devices do it. But what about Linux?
So, how does it work on Linux?
In Linux, the software responsible for handling the location requests is Geoclue. As the Geoclue project puts it:
Geoclue is a D-Bus service that provides location information. The goal of the Geoclue project is to make creating location-aware applications as simple as possible.
Geoclue is capable of, among other things:
- location data based on Wifi (via wpa_supplicant integration; this uses Mozilla Location Service (MLS) by default)
- location data using GPS (if available)
- location data using mobile modems (via ModemManager integration)
- GeoIP support (fallback mode)
Previously the Mozilla Location Service (MLS) was the default location service used under Linux. Unfortunately, in March 2024, Mozilla announced the project was being discontinued, making it necessary to switch to an alternative.
Mozilla Location Services and Ichnaea
Mozilla's no longer available service, called "Mozilla Location Services" (MLS), utilized the open source Ichnaea software. The service was capable of both receiving submitted user data and responding with the approximate location based on user requests.
For submitting new data, users could use a "stumbler" application. This was able to collect cell data, Wifi data and Bluetooth beacons, associate them with their location, and submit them to MLS or another Ichnaea-compatible service.
Users would utilize the collected data by having their system (in the case of Linux, or some Android ROMs using MLS) send the info about the radio devices in range and receive back info about the approximate location.
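To make the request/response exchange concrete, here is an added example (not code from the article, Geoclue or Ichnaea) of a minimal client for the Ichnaea geolocate API that Geoclue speaks to MLS-compatible services: it builds the JSON body for a POST to /v1/geolocate from a radio scan and parses the answer, including the "fallback" marker Ichnaea sets when it had to fall back to GeoIP. The MAC addresses, cell identifiers and response bodies are constructed sample data; the client-side filtering (dropping `_nomap` networks and requiring at least two access points) mirrors rules the Ichnaea service documents but is this example's own code.

```python
import json
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed radio scan, as a stumbler or Geoclue's wifi source would gather it.
# All identifiers are made up.
SAMPLE_SCAN = {
    "wifiAccessPoints": [
        {"macAddress": "01:23:45:67:89:AB", "signalStrength": -51, "frequency": 2437},
        {"macAddress": "01:23:45:67:89:cd", "signalStrength": -66},
        {"macAddress": "01:23:45:67:89:ef", "ssid": "cafe_nomap", "signalStrength": -70},
        {"macAddress": "ff:ff:ff:ff:ff:ff", "signalStrength": -80},
    ],
    "cellTowers": [
        {"radioType": "lte", "mobileCountryCode": 262, "mobileNetworkCode": 1,
         "locationAreaCode": 1234, "cellId": 567890, "signalStrength": -85},
    ],
}

# Constructed responses in the shapes Ichnaea returns.
SAMPLE_OK = '{"location": {"lat": 50.8467, "lng": 4.3525}, "accuracy": 120.0}'
SAMPLE_GEOIP = ('{"location": {"lat": 50.85, "lng": 4.35}, "accuracy": 25000.0, '
                '"fallback": "ipf"}')
SAMPLE_NOT_FOUND = ('{"error": {"errors": [{"domain": "geolocation", "reason": '
                    '"notFound", "message": "Not found"}], "code": 404, '
                    '"message": "Not found"}}')


def usable_wifi(access_points):
    """Keep only access points the service would use: a well-formed MAC that is
    not the broadcast address and no '_nomap' opt-out suffix in the SSID."""
    out = []
    for ap in access_points:
        mac = ap.get("macAddress", "").lower()
        if not MAC_RE.match(mac) or mac == "ff:ff:ff:ff:ff:ff":
            continue
        if ap.get("ssid", "").endswith("_nomap"):
            continue
        entry = {"macAddress": mac}
        for key in ("signalStrength", "frequency", "age"):
            if key in ap:
                entry[key] = ap[key]
        out.append(entry)
    return out


def build_geolocate_request(scan, consider_ip=False):
    """JSON body for POST /v1/geolocate. Ichnaea only positions on Wifi when at
    least two access points are present, so fewer than two are not sent at all;
    considerIp tells the service whether a GeoIP fallback is acceptable."""
    body = {"considerIp": consider_ip}
    wifi = usable_wifi(scan.get("wifiAccessPoints", []))
    if len(wifi) >= 2:
        body["wifiAccessPoints"] = wifi
    if scan.get("cellTowers"):
        body["cellTowers"] = scan["cellTowers"]
    return body


def parse_geolocate_response(raw):
    """Return (lat, lng, accuracy_in_metres, source) or None when the service
    answered with an error. source is "wifi/cell" unless the response carries
    Ichnaea's "fallback" key ("ipf" = GeoIP fallback, "lacf" = cell-area)."""
    data = json.loads(raw)
    if "error" in data or "location" not in data:
        return None
    loc = data["location"]
    return (loc["lat"], loc["lng"], data.get("accuracy"), data.get("fallback", "wifi/cell"))


if __name__ == "__main__":
    print(json.dumps(build_geolocate_request(SAMPLE_SCAN), indent=2))
    for raw in (SAMPLE_OK, SAMPLE_GEOIP, SAMPLE_NOT_FOUND):
        print(parse_geolocate_response(raw))
```

A result whose source is "ipf" is the situation the notes below describe for iwd users: no Wifi data reached the service, so only the coarse GeoIP estimate came back.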
MLS alternatives and setup
Although there are many possible MLS alternatives (as long as they maintain Ichnaea compatibility), the main alternative these days is beaconDB.
After restarting Geoclue you should have access to beaconDB.
A future article will focus on submitting new data, this might require an Android phone.
Notes
If there’s not enough data for your region yet, you might not have a very good experience. Consider looking at the beaconDB map before making the switch or submitting data for your region.
The Geoclue integration with Wifi networks requires wpa_supplicant, since currently only a wpa_supplicant backend exists. This means iwd users won't be able to use Geoclue correctly, since there is no Geoclue iwd support and no Wifi data will be sent. Instead, a fallback to beaconDB's GeoIP implementation will occur.
There is a chance that beaconDB's implementation of GeoIP is worse than Geoclue's own implementation. This could be explained by Geoclue currently relying on Google, although in the future it will switch to using reallyfreegeoip. You will notice this if city-level locations are not precise, such as the location showing a few cities away from the user's actual location.
I found this in the elevator at the Moxy Brussels City Center hotel and it is as if that the selfie taking event was manifested by someone else
After a brief introduction with Bhagyashree before their departure, I realized that Greg had left his pink-coloured water bottle and sprinted outside to catch up with Greg who headed inside at the same time with the same realization. With the handover complete, I discussed the plans to head to the CentOS Connect 2025 event venue with Sumantro and Luis where Luis decided to head away in advance while the both of us decided to delay our departure by at least 0930am Central European Time. The shop that we were planning to visit during the first half of the day named Ichiban was opening at around 1000am Central European Time and was on the way between the event venue at DoubleTree by Hilton Brussels City and our hotel, Moxy Brussels City Center. We soon departed on bus number #71 bound for De Brouckère from a nearby bus stop and got off one stop before the designated point.
What Sumantro and I thought would be a "quiet bus ride" ended up being a "quiet bus ride" to the destination - Sometimes boring is amazing
The rain that morning was a lot worse than the one that Sumantro and I experienced the previous night. While we previously were considering heading to the event venue on foot, we quickly decided to use a bus instead. On our way from the destination stop to the Ichiban store, we also passed through the Hotel Marivaux which we stayed at during my first trip to FOSDEM in 2023. We swiftly made it to the Ichiban store where Sumantro explored some Goku figurines from the Dragon Ball Z (1989) anime and I was finally able to find some Manga books in English. As the selection did not match my expectations, Sumantro and I decided to head out after purchasing a couple of imported merchandise from Japan like quaint-themed Fanta drinks and some Anime themed Sakuma Drops from the popular Naruto (2007) anime and acclaimed Ansatsu Kyoushitsu (2015) anime.
The morning downpour somehow managed to be a whole lot worse than the one that we faced during our outing in the previous evening
Some more walking through towards the event venue and we soon found ourselves around the DoubleTree by Hilton Brussels City hotel where CentOS Connect 2025 was organized. This was also the place that I was staying in to attend the FOSDEM fringe events in 2024 so I felt this sense of familiarity with the place. What helped with the familiarity more was the sight of Carl W. George and Dorka Volavkova at the CentOS Connect 2025 reception desk at around 1030am Central European Time. For Carl - going as far as hugging me when I was super soaked from rain was "no big deal" and it was indeed great meeting him after a long time. Sumantro and I got ourselves the event badges along with CentOS Project themed tee shirts while we were at the desk. While we were at the desk, I noticed the SyncStar postcards that I worked to design and Dorka helped with printing from Brno.
This is definitely something that I could call a "treasure trove" for folks like myself who are invested too much in the anime and manga culture
I was grateful that Dorka managed to get these resources printed when these were turned in late to her because of the delays due to the confusion around the availability of Fedora Project themed USB flash drives for giveaways. SyncStar is a service that I developed by taking inspiration from an existing but unmaintained tool called Fedorator to help with creating bootable media at conference kiosks. Although there was this one thing that I was bummed about and that was the fact the CentOS Project-themed USB flash drives that were being given away were manually flashed with the recently released CentOS Stream 10 when SyncStar could have easily been of help with making the process convenient. After all, SyncStar was nothing but a fancy wrapper around GNU DD with asynchronous process queues written in Python and a responsive web interface written in ReactJS.
SyncStar postcards among USB flash drives with CentOS Stream 10 at the CentOS Connect 2025 event desk for the event attendees
After leaving my coat to dry in the Chestnut Hall, I ran into Brian Exelbierd who also seemed to have arrived around the same time. It was great catching up with him after a long time and after leaving the conversation to Sumantro, I started working on setting up the YAML file to configure the SyncStar utility at the reception desk. Carl and I struggled briefly with the hotel WiFi as I wanted my laptop to execute the service headlessly and Carl's laptop to exhibit the web interface before deciding to use Cloudflare Tunnels for the purpose. The final deployment was configured to be served through the Cloudflare network on the hostname syncstar.gridhead.net which surprised Carl as he thought that the hostname was limited to the local network only. I caught up with Shaun McCance as well following the conversations around their move to GitLab with Fabian Arrotin.
Digital display of schedule for all the presentation events to take place on the second half of the first day of CentOS Connect 2025
Some glimpses from the SyncStar dashboard exhibiting a collection of GNU/Linux distributions available for the creation of USB bootable media
Purchasing an extra orange-flavoured Fanta soda can among other Japanese imported products at the Ichiban store earlier that morning was a wise thing to do as that ended up coming in handy when David mentioned his struggle with the caffeine intake since the morning. Saving him a trip downstairs for a purchase, I caught up in conversations with him when the both of us ran into Matthew Miller who had just arrived at the venue at around 0100pm Central European Time. After a small chat with him and Amy Marrich at the reception area, they left for a meeting with Shaun and Carl so I decided to help out with the event reception area with Dorka. She provided me with a swift and effective walkthrough of what had to be done and once I relocated my stuff to the cloakroom for event organizers and speakers, I started helping out with the event registrations there.
CentOS Connect 2025 had almost every swag that you could ask for from the world of Enterprise Linux and then some more
Dorka mentioned her plans to come to India for DevConf.IN in Pune - which was great because we were also planning on organizing a Fedora Project booth at the event. We were soon joined by Luis whose wisecracking kept things interesting as we were getting folks registered at the reception. Among some folks I helped register, I caught up with the likes of Alexandra Fedorova whom I was meeting after the previous Fedora Council F2F Meeting in 2024 and Fabio Valentini whom I was meeting for the first time. While getting David Fan and Jess Chitas registered, he mentioned liking my Instagram stories about my adventures through various anime stores in Brussels and planning on heading out together whenever after the event. At around 0130pm Central European Time, I decided to grab a Greek Bowl meal with chicken salad that was served for the lunch meal at the event venue.
From left to right - Luis, Dorka and I goofing around at the CentOS Connect 2025 reception desk in the afternoon when we got some breathing room after the slight decrease in the entry footfall
Fabian arrived at CentOS Connect 2025 around the same time and I caught up with him, Frantisek Lachman and Alexandra in conversations who were present around the reception desk. At around 0200pm Central European Time, the presentations at the event began with an opening statement from Shaun - I started attending some talks while working on some recently noticed changes on the SyncStar project. The inexpensive USB flash drives used for the giveaways did not have unique hardware identifiers and hence, it was difficult to discern among multiple USB flash drives of the same type. Sumantro and I worked on brainstorming solutions (read as workarounds) with which we can retain the information about the USB flash drives plugged into the kiosk device, all while tuning into talks delivered by Troy Dawson, Dennis Gilmore and Joel Capitao in the Chestnut Hall.
Shaun kicking off the CentOS Connect 2025 event with his opening remarks and a reflection of the CentOS Project's code of conduct
At around 0500pm Central European Time, after spending some time brainstorming and coming up with solutions that have some kind of compromises, Sumantro and I decided to call it a day and head back to the hotel. On our way out, we met up with Daniel Mellado and Mikel Olasagasti before we took a selfie with Alexandra, Brian and Dennis to close out the first day of CentOS Connect 2025. Coincidentally, we ran into Matthew and David at the dining area of the event venue so after waving David goodbye, the three of us "tailgated" our way out of the rear exit of the DoubleTree by Hilton Brussels City. On our way through the Rogier station to the train that we were supposed to catch for Port De Namur station, Sumantro and I discussed with Matthew about his tentative yet eager plans to visit India for the first time to represent the Fedora Project during DevConf.IN 2025.
From left to right - (Neal Gompa, Richard Brown), Sumantro, myself, Alexandra and Brian in a selfie right before Sumantro and I were heading out of the event
We had a report of belongings being stolen from one of the Fedora Project community members during their travels so we took that as a learning to be extra careful about our surroundings whenever we were travelling in crowded trains like we did that time. After all, the last thing that you would want when you are travelling in a different country is for your important belongings like wallet, passport or smartphone to be stolen - I was worried about whoever was affected. After getting off at the Port De Namur station at around 0530pm Central European Time, we walked back to the Moxy Brussels City Center hotel. I connected with Matthew asynchronously after resting for a while and dropped a bag of Indian snacks in his hotel room about an hour later. As Sumantro was occupied with his work, I decided to head out alone to get a takeaway from the Belchicken outlet for dinner.
You can clearly not have enough selfies with Sumantro, David and Matthew when you are at a community event with as much of a hustle and bustle as CentOS Connect 2025
I heard back from Amita Sharma on the way back to the hotel who was working with Rajan Shah for last minute approval on the Fedora Project booth so I knew that I had to start working on the planning as soon as possible. I had to ensure that I was ready with the statistical budget estimate for travel and accommodation for the representatives from the Fedora Project required for pulling off such an event. Imagine leading the planning of yet another Fedora Project event all while representing the community at the FOSDEM 2025 fringe - Talk about being crazy enough to take this up! As audacious of a plan as it was, I was able to get together an estimated action and projected estimate for the required budget on a document after I was swiftly done with my dinner. All I had to do next was to present this to Justin on the next day before reverting to Rajan and Amita with a confirmation.
While the Rogier station looked empty in this photograph, it was about to get super crowded with people when we took the train number #6 to the Port De Namur station
Looking back at the situation I was dealt with late in the evening at around 0830pm Central European Time when I was almost out of my juice - one half of me wanted to call it a day while the other half of me wanted to push through with the planning. In hindsight - I am glad that the other half took precedence because I like to think that exemplary actions in exigent moments like these end up creating a difference in free and open source software communities. After messaging Justin to reserve some time from his busy schedule and checking with Dorka to see if we could get some assistance from her end, I took inputs on the budget from Samyak Jain who was available until late. At around 1000pm Central European Time, I decided to head to bed and use the next day to make the best use of the stakeholders present in person at the CentOS Connect 2025 event to progress the planning.
FOSDEM 2025 is just behind us and it was a great event. I had a chance to talk
about the local authentication hub project. The talk was well received and I got
a lot of questions about the project. We ran the Identity and Access Management
devroom for the second time in a row and it was a great success. I had two talks
at the IAM devroom, both were progress reports on the activity we had announced
at FOSDEM 2024. Now that the recordings of both talks are published, I can
share articles which go into more detail.
But before going into details, let me provide a bit of background. It is 2025 now
and we need to go almost three decades back (ugh!).
History dive
Authentication on Linux systems is interwoven with the identity of the users.
Once a user has logged in, a process is running under a certain POSIX account
identity. Many applications validate the presence of the account prior to the
authentication itself. For example, the OpenSSH server checks the POSIX
account and its properties and, if the user was not found, intentionally
corrupts the password passed to the PAM authentication stack. The
authentication request will fail, but the attempt will be recorded in the system
journal.
This joint operation between authentication and identification sources in Linux
makes it important to maintain a coherent information state. No wonder that in
corporate environments it is often handled centrally: user and group identities
stored at a central server and sourced from that one by a local software, such
as SSSD. In order to consume these POSIX users and groups, SSSD needs to be
registered with the centralized authority or, in other words, enrolled into the
domain. Domain enrollment allows not only identity and authentication of users:
both the central server and the enrolled client machine can mutually
authenticate each other and be sure they talk to the right authority when
authenticating the user.
FreeIPA provides a stable mechanism for building a centralized domain
management system. Each user account has POSIX attributes associated with it and
each user account is represented by the Kerberos principal. Kerberos
authentication can be used to transfer the authentication state across multiple
services and provides a chance for services to discover user identity
information beyond POSIX. It also makes strong linking between the POSIX level
identity and authentication structure possible: for example, a Kerberos service
may introspect a Kerberos ticket presented by a user’s client application to see
how this user was authenticated originally: with a password or some specific
passwordless mechanism. Or, perhaps, that a client application performs
operations on behalf of the user after claiming it was authenticated using a
different (non-Kerberos) authentication.
Use of local user accounts lacks this experience. Each individual service needs to
reauthenticate a user again and again. Local system login: authenticate.
Elevating privileges through SUDO? Authenticate again, if not explicitly
configured otherwise. Details of the user session state, like how long this
particular session has been active, are not checked by the applications, making it
also harder to limit access. There is no information on how this user was
authenticated. Finally, the overall user experience differs between local
(standalone) authentication and the domain-enrolled one, making it harder to
adjust and educate users.
Local authentication is also typically password-based. This is not a bad thing
in itself, but depending on applications and protocols, worse choices could be
made, security-wise. For example, the contemporary SMB 3.11 protocol is quite secure
if authenticated using Kerberos. For non-Kerberos usage, however, it is left to
rely on the NTLM authentication protocol, which requires use of the RC4 stream cipher.
There are multiple known attacks that break RC4-based encryption, yet it is still
used in the majority of non-domain-joined communications over the SMB protocol simply
because there was (so far) no alternative. To be precise, there was always an
alternative, use of the Kerberos protocol, but setting it up for individual isolated
systems wasn’t practical.
The Kerberos protocol assumes the use of three different parties: a client, a
service, and a key distribution center (KDC). In corporate environments a KDC is
part of the domain controller system, a client and a service are both domain
members, computers are enrolled in the domain. The client authenticates to KDC
and obtains a Kerberos ticket granting ticket (TGT). It then requests a service
ticket from the KDC by presenting its TGT and then presents this service ticket
to the service. The service application, on its side, is able to decrypt the
service ticket presented by the client and authenticate the request.
In the late 2000s Apple realised that for individual computers the number of user
accounts is typically small and a KDC can be run as a service on the individual
computer itself. When both the client and the server are on the same computer, this
works beautifully. The only problem is that when a user needs to authenticate to
a different computer’s service, the client cannot reach the KDC hosted on the
other computer because it is not exposed to the network directly. Luckily, MIT
Kerberos folks had already thought about this problem a decade prior to that: in
1997 a first idea was published for a Kerberos extension that allowed tunneling
Kerberos requests over a different application protocol. This specification
later became known as “Initial and Pass Through Authentication Using Kerberos V5
and the GSS-API” (IAKerb). An initial implementation for MIT Kerberos was done
in 2009/2010, while Apple had introduced it in 2007 to enable remote access to your
own Mac across the internet. It shipped in MacOS X 10.5 as the “Back to My Mac”
feature and even got specified in RFC 6281, only to be retired from MacOS in
2019.
Modern days
In the 2020s Microsoft continued to work on NTLM removal. In 2023 they announced
that all Windows systems will have a local KDC as their local authentication
source, accessible externally via selected applications through the IAKerb
mechanism. By the end of 2024, we have only seen demos published by Microsoft
engineers at various events but this is a promising path forward. Presence of
the local KDC in Windows raises an interoperability requirement: Linux systems
will have to handle access to Windows machines in a standalone environment over
SMB protocol. Authentication is currently done with NTLM, it will eventually be
removed, thus we need to support the IAKerb protocol extension.
The NTLM removal for Linux systems requires several changes. First, the Samba
server will need to learn how to accept authentication with the IAKerb protocol
extension. Then, Samba client code needs to be able to establish a client
connection and advertise IAKerb protocol extension. For kernel level access, the
SMB filesystem driver needs to learn how to use IAKerb as well, this will also
need to be implemented in the user space cifs-utils package. Finally, to be able
to use the same feature in a pure Linux environment, we need to be able to
deploy Kerberos KDC locally and do it in an easy manner on each machine.
This is where we had an idea. If we are going to have a local KDC running on
each system, maybe we should use it to handle all authentication and not just
for the NTLM removal? This way we can make both the local and domain-enrolled
user experience the same and provide access locally to a whole set of
authentication methods we support for FreeIPA: passwords, smartcards, one-time
passwords and remote RADIUS server authentication, use of FIDO2 tokens, and
authentication against an external OAuth2 Identity Provider using a device
authorization grant flow.
How “local” should a local KDC be?
On standalone systems it is often not desirable to run daemons continuously.
Also, it is not desirable to expose these services to the connected network if
they really don’t need to be exposed. A common approach to solve this problem is
by providing a local inter-process communication (IPC) mechanism to communicate
with the server components. We chose to expose a local KDC via UNIX domain
sockets. A UNIX domain socket is a well-known mechanism and has known security
properties. With the help of a systemd feature called socket activation, we also
can start local KDC on demand, when a Kerberos client connects over the UNIX
domain socket. Since on local systems actual authentication requests don’t
happen often, this helps to reduce memory and CPU usage in the long run.
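Socket activation as described above, shown as an added example rather than code from localkdc, systemd or MIT Kerberos: a small Python service that adopts the listening socket systemd hands over when it is started on demand (the sd_listen_fds convention of LISTEN_PID, LISTEN_FDS and inherited descriptor 3), and that binds its own UNIX domain socket when run by hand. The socket path /run/example-kdc.sock, the file mode and the SO_PEERCRED lookup are assumptions made for the example, not details taken from the page.

```python
"""Socket activation for an on-demand service on a UNIX domain socket.

Added example; not code from localkdc, systemd or MIT Kerberos. It follows
the sd_listen_fds(3) convention: systemd passes the already-bound socket as
inherited file descriptor 3 (and upwards) and announces it through the
LISTEN_PID and LISTEN_FDS environment variables. The socket path below is
an assumption made for the example.
"""
import os
import socket
import struct

SD_LISTEN_FDS_START = 3                  # first inherited descriptor, per sd_listen_fds(3)
SOCKET_PATH = "/run/example-kdc.sock"    # assumed path, not the real KDC socket


def listen_fds(environ, pid):
    """Return the descriptors systemd handed to the process with this pid.

    An empty list means "not socket-activated". Comparing LISTEN_PID with
    our own pid guards against acting on variables inherited from a parent
    that was itself activated.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listening_socket(environ=None, path=SOCKET_PATH):
    """Adopt the activated socket if there is one, otherwise bind our own.

    The fallback keeps the same program usable from a shell for testing and
    under systemd for on-demand startup: with activation, nothing runs until
    a client actually connects.
    """
    environ = os.environ if environ is None else environ
    fds = listen_fds(environ, os.getpid())
    if fds:
        return socket.socket(fileno=fds[0])   # family/type are read from the fd
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    if os.path.exists(path):
        os.unlink(path)
    sock.bind(path)
    os.chmod(path, 0o660)   # filesystem permissions gate who may connect
    sock.listen(8)
    return sock


def peer_uid(conn):
    """Identify the connecting process via SO_PEERCRED (Linux only).

    This is one of the "known security properties" of UNIX domain sockets:
    the kernel tells the server which uid is on the other end, so a local
    service can tie a request to an account without any network exposure.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve_once(sock):
    """Answer a single connection with the caller's uid, then close it."""
    conn, _ = sock.accept()
    with conn:
        uid = peer_uid(conn)
        conn.sendall(f"peer uid {uid}\n".encode())
    return uid
```

Under systemd the matching `.socket` unit would carry the `ListenStream=` path and the `.service` unit would run this program; the program itself never has to know which of the two ways it was started.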
If a local KDC is only accessible over a UNIX domain socket, remote applications
cannot get access to it directly. This means they would need help
from a server application that can utilize the IAKerb mechanism to pass
the communication between a client and the KDC through. It would enable us to
authenticate as a local user remotely from a different machine. Due to how the
IAKerb mechanism is designed and integrated into GSS-API, this only allows
password-based authentication. Anything that requires passwordless methods
cannot obtain initial Kerberos authentication over IAKerb, at least at this point.
Here is a small demo on Fedora,
using our localkdc tool to start a local KDC and obtain a Kerberos ticket upon
login. The tickets can then be used effortlessly to authenticate to local
services such as SUDO or Samba. For remote access we rely on Samba support for
IAKerb and authenticate with GSSAPI, but the local smbclient uses a password first
to obtain the initial ticket over IAKerb. This is purely a limitation of
the current patches we have for Samba.
Make a pause here and think about the implications. We have an initial Kerberos
ticket from the local system. The Kerberos ticket embeds details of how this
authentication happened. We might have used a password to authenticate, or a
smartcard. Or any other supported pre-authentication methods. We could reuse the
same methods FreeIPA already provides in the centralized environment.
The Kerberos ticket also can contain details about the user session, including
up to date group membership. It does not currently have that in the local KDC
case but we aim to fix that. This ticket can be used to authenticate to any
GSS-API or Kerberos-aware service on this machine. If a remote machine accepts
Kerberos, it theoretically could accept a ticket presented by a client
application running on the local machine as well. Only, to do that it needs to
be able to communicate with our local KDC and it couldn’t access it.
Trust management
Luckily, a local KDC deployment is a full-featured Kerberos realm and thus can
establish cross-realm agreements with other Kerberos realms. If two “local” KDC
realms have trust agreements between each other, they can issue cross-realm
Kerberos tickets which applications can present over IAKerb to the remote
“local” KDC. Then a Kerberos ticket to a service running on the target system
can be requested and issued by the system’s local KDC.
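The three-party Kerberos exchange, the IAKerb-style pass-through and the cross-realm ticket flow from the sections above, as one added model in Python (not code from MIT Kerberos, FreeIPA or localkdc): each machine runs a LocalKDC for its own realm, the two realms share an inter-realm key, and the SMB service on Bob's machine relays Alice's TGS request to its own local KDC because that KDC is not reachable over the network. The HMAC-SHA256 "cipher", the realm and principal names and the JSON ticket layout are simplifications chosen for the example, not the real Kerberos encoding.

```python
"""Toy model of per-machine KDCs, a cross-realm trust between two of them,
and a service relaying KDC traffic for a remote client (IAKerb-style).
Added example; not code from MIT Kerberos, FreeIPA or localkdc. The
HMAC-SHA256 "encryption", the JSON ticket layout and all names and keys
are simplifications made for the example, not real Kerberos encoding."""
import hashlib, hmac, json, os, time


def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):
    """Toy authenticated encryption (encrypt-then-MAC) over a JSON object."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class LocalKDC:
    """One realm's KDC; in the scenario every machine runs its own."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {f"krbtgt/{realm}@{realm}": os.urandom(32)}

    def add_principal(self, name):
        return self.keys.setdefault(f"{name}@{self.realm}", os.urandom(32))

    def add_trust(self, other, inter_realm_key, direction):
        # A trust is a shared krbtgt key: "outgoing" lets us issue TGTs for
        # `other`, "incoming" lets us read TGTs that `other` issued for us.
        name = (f"krbtgt/{other}@{self.realm}" if direction == "outgoing"
                else f"krbtgt/{self.realm}@{other}")
        self.keys[name] = inter_realm_key

    def as_req(self, user, preauth, method="password"):
        """AS exchange: the client proves key knowledge with an encrypted
        timestamp; the issued TGT records *how* the user authenticated."""
        client = f"{user}@{self.realm}"
        if abs(time.time() - unseal(self.keys[client], preauth)["ts"]) > 300:
            raise ValueError("preauth timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        tgt = {"client": client, "session": session, "auth": method,
               "expires": time.time() + 3600}
        return {"tgt": seal(self.keys[f"krbtgt/{self.realm}@{self.realm}"], tgt),
                "enc": seal(self.keys[client], {"session": session})}

    def tgs_req(self, tgt_blob, issuer_realm, authenticator, service):
        """TGS exchange: accept a TGT from our realm or a trusted one and issue
        a ticket for `service` (a local service or a peer realm's krbtgt)."""
        tgt = unseal(self.keys[f"krbtgt/{self.realm}@{issuer_realm}"], tgt_blob)
        if unseal(bytes.fromhex(tgt["session"]), authenticator)["client"] != tgt["client"]:
            raise ValueError("authenticator does not match the TGT")
        if tgt["expires"] < time.time():
            raise ValueError("TGT expired")
        session = os.urandom(32).hex()
        ticket = dict(tgt, session=session)  # client and auth method carry over
        return {"ticket": seal(self.keys[service], ticket),
                "enc": seal(bytes.fromhex(tgt["session"]), {"session": session})}


class Service:
    """Kerberos-aware service on the machine running `kdc`. That KDC is
    local-only, so the service relays TGS requests for remote clients
    (IAKerb pass-through) before accepting the resulting ticket."""
    def __init__(self, kdc, name):
        self.kdc, self.name = kdc, f"{name}@{kdc.realm}"
        self.key = kdc.add_principal(name)

    def relay(self, tgt, issuer_realm, authenticator):
        return self.kdc.tgs_req(tgt, issuer_realm, authenticator, self.name)

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)
        if unseal(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match the ticket")
        return t["client"], t["auth"]  # who, and how they first authenticated


def scenario():
    """Alice (realm ALICE.LOCAL) reaches the SMB service on Bob's machine."""
    alice_kdc, bob_kdc = LocalKDC("ALICE.LOCAL"), LocalKDC("BOB.LOCAL")
    inter = os.urandom(32)  # inter-realm key agreed out of band by both owners
    alice_kdc.add_trust("BOB.LOCAL", inter, "outgoing")
    bob_kdc.add_trust("ALICE.LOCAL", inter, "incoming")
    smb, alice_key = Service(bob_kdc, "cifs/bob"), alice_kdc.add_principal("alice")
    auth = lambda k: seal(k, {"client": "alice@ALICE.LOCAL", "ts": time.time()})
    # 1. Initial authentication against Alice's own local KDC (password preauth).
    rep = alice_kdc.as_req("alice", seal(alice_key, {"ts": time.time()}))
    s1 = bytes.fromhex(unseal(alice_key, rep["enc"])["session"])
    # 2. Cross-realm TGT for BOB.LOCAL, still issued by Alice's local KDC.
    xrep = alice_kdc.tgs_req(rep["tgt"], "ALICE.LOCAL", auth(s1),
                             "krbtgt/BOB.LOCAL@ALICE.LOCAL")
    s2 = bytes.fromhex(unseal(s1, xrep["enc"])["session"])
    # 3. Bob's KDC is unreachable for Alice; the SMB service relays the request.
    srep = smb.relay(xrep["ticket"], "ALICE.LOCAL", auth(s2))
    s3 = bytes.fromhex(unseal(s2, srep["enc"])["session"])
    # 4. The service ticket is presented to the service itself.
    return smb.accept(srep["ticket"], auth(s3))
```

`scenario()` returns the client principal together with the authentication method recorded in the initial ticket, which is the property the text calls out: the service on Bob's machine learns how Alice originally authenticated without prompting her again, and the only secret the two machines had to agree on is the inter-realm key. Giving that key an expiry is how the time-limited trust discussed later would map onto this model.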
Thus, we can achieve passwordless authentication locally on Linux systems and
have the ability to establish peer to peer agreements across multiple systems,
to allow authentication requests to flow and operate on commonly agreed
credentials. A problem now moves to the management area: how to manage these
peer to peer agreements and permissions in an easy way?
Systemd User/Group API support
MIT Kerberos KDC implementation provides a flexible way to handle Kerberos
principals’ information. A database backend (KDB) implementation can be
dynamically loaded and replaced. This is already used by both FreeIPA and Samba
AD to integrate MIT Kerberos KDC with their own database backends based on different
LDAP server implementations. For a local KDC use case running a full-featured
LDAP server is not required nor intended. However, it would be great if
different applications could expose parts of the data needed by the KDB
interfaces and cooperate together. Then a single KDB driver implementation could
be used to streamline and provide uniform implementation of Kerberos-specific
details in a local KDC.
One of the promising interfaces to achieve that is the User/Group record lookup
API via varlink from systemd. Varlink
allows applications to register themselves and listen on UNIX domain sockets for
communication, similar to D-Bus but with much less implementation overhead. The
User/Group API technically also allows merging data coming from different
sources when an application inquires about the information. “Technically”, because
the io.systemd.Multiplexer API endpoint currently does not support merging
non-overlapping data representing the same account from multiple sources. Once
that becomes possible, we could combine the data dynamically and interact
with users on demand when corresponding requests come in. Or we can implement our
own blending service.
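The varlink User/Group record API in practice, as an added example that is neither systemd's code nor part of the local KDC work: varlink messages are JSON objects terminated by a NUL byte over a UNIX domain socket, and `io.systemd.UserDatabase.GetUserRecord` on the `/run/systemd/userdb/io.systemd.Multiplexer` socket is the documented entry point. The sample reply is constructed so the parsing can be exercised offline; `lookup_user` needs a live systemd. The `posix_view` reduction to the handful of fields a KDB driver would read is the example's own idea.

```python
"""Querying the systemd User/Group record API over varlink.

Added example; not code from systemd or from the local KDC work. Wire
format: one JSON object per message, terminated by a NUL byte, over a UNIX
domain socket. The socket path and the interface/method names are the ones
systemd documents; the sample reply is constructed for offline use.
"""
import json
import socket

MULTIPLEXER = "/run/systemd/userdb/io.systemd.Multiplexer"


def encode_call(method, parameters, more=False):
    """Serialize a varlink call: compact JSON plus the NUL terminator."""
    msg = {"method": method, "parameters": parameters}
    if more:
        msg["more"] = True   # request a stream of replies (each marked "continues")
    return json.dumps(msg, separators=(",", ":")).encode() + b"\0"


def decode_reply(raw):
    """Parse one NUL-terminated varlink reply; varlink errors become exceptions."""
    obj = json.loads(raw.split(b"\0", 1)[0])
    if "error" in obj:
        raise LookupError(obj["error"])
    return obj.get("parameters", {})


def user_record_request(user_name, service="io.systemd.Multiplexer"):
    """Build the GetUserRecord call. `service` names the provider addressed;
    the multiplexer fans the query out to every registered provider."""
    return encode_call("io.systemd.UserDatabase.GetUserRecord",
                       {"userName": user_name, "service": service})


def posix_view(record):
    """Reduce a JSON user record to the fields a KDB driver would care about."""
    return {"name": record["userName"], "uid": record["uid"],
            "gid": record.get("gid"),
            "disposition": record.get("disposition", "regular"),
            "locked": record.get("locked", False)}


def record_or_none(raw):
    """Convenience wrapper: a missing account is a normal outcome, not a crash."""
    try:
        return posix_view(decode_reply(raw)["record"])
    except LookupError:
        return None


def lookup_user(user_name, path=MULTIPLEXER):
    """Run the query against a live systemd; not used by the offline checks."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(user_record_request(user_name))
        buf = b""
        while not buf.endswith(b"\0"):
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("varlink peer closed the connection")
            buf += chunk
    return record_or_none(buf)


# Constructed sample replies shaped like systemd userdb answers: one regular
# user (field names follow the JSON user record format) and one lookup miss.
SAMPLE_REPLY = json.dumps({"parameters": {"record": {
    "userName": "alice", "uid": 1000, "gid": 1000, "realName": "Alice",
    "homeDirectory": "/home/alice", "disposition": "regular"},
    "incomplete": False}}).encode() + b"\0"
SAMPLE_ERROR = b'{"error":"io.systemd.UserDatabase.NoRecordFound"}\0'
```

Because every provider answers through the same interface, a single KDB driver that speaks this protocol can consume records from whichever local services register themselves, which is what the stacking and blending discussed next builds on.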
Blending data requests from multiple sources within MIT KDC needs a specialized
KDB driver. We certainly don’t want this driver to duplicate the code from other
drivers, so making these drivers stackable would be a good option. Support for
one level of stacking has been merged to MIT Kerberos through a quickly
processed pull request and will be
available in the next MIT Kerberos release. This allows us to have a single KDB
driver that loads other drivers specialized in storing Kerberos principals and
processing additional information like MS-PAC
structure
or applying additional authorization details.
Establishing trusts
If Alice and Bob are in the same network and want to exchange some files, they
could do this using SMB and Samba. But for Alice to authenticate on Bob’s
machine, they would need to establish a Kerberos cross-realm trust. With the
current tooling this is a complex task. For users we need to make this more
accessible. We want to allow users to request trust on demand and validate these
requests interactively. We also want to allow trust to be present for a limited
timeframe, expiring automatically or being removed manually.
If we have a Kerberos principal lookup on demand through a curated varlink API
endpoint, we also can have a user-facing service to initiate establishing the
trust between two machines on demand. Imagine a user trying to access an SMB share
on one desktop system, which triggers a pop-up to establish a trust relationship
with the corresponding local KDC on the remote desktop system. Both owners of the
systems would be able to communicate out of band that the provided information is
correct and can be trusted. Once it is done, we can return the details of
the specific Kerberos principal that represents this trust relationship. We can
limit the lifetime of this agreement so that it would disappear automatically in one
hour, or a day, or a week.
Current state of local authentication hub
We started with two individual implementation paths early in 2024:
support IAKerb in MIT Kerberos and Samba
enable MIT Kerberos to be used locally without network exposure
MIT Kerberos has had support for the IAKerb protocol extension for more than a
decade, but since Microsoft introduced some changes to the protocol, those
changes needed to be integrated as well. This was completed during summer 2024,
though no upstream release is available yet. MIT Kerberos typically releases new
versions yearly in January, so we hope to get some updates in early 2025.
Samba integration with IAKerb is currently under implementation. Originally,
Microsoft was planning to release Windows 11 and Windows Server 2025 with IAKerb
support enabled during autumn 2024. However, the Windows engineering team faced
some issues and IAKerb is still not enabled in the Windows Server 2025 and
Windows 11 releases. We are looking forward to getting access to Windows builds
that enable IAKerb support to ensure interoperability before merging Samba
changes upstream. We also need to complete the Samba implementation to properly
support locally-issued Kerberos tickets and not only acquisition of the
ticket based on the password.
Meanwhile, our cooperation with MIT Kerberos development team led to
advancements in the local KDC support. The MIT Kerberos KDC can now be run over
a UNIX domain socket. Also on systemd-enabled systems we allow socket
activation, transforming local KDC into an on-demand service. We will continue
our work on a dynamic database for a local KDC, to allow on-demand combination
of resources from multiple authoritative local sources (Samba, FreeIPA, SSSD,
local KDC, future dynamic trust application).
For experiments and ease of deployment, a new configuration tool was developed,
localkdc. The tool is available at
localkdc, and a COPR
repository can be used to
try the whole solution on Fedora.
If you want to try that in a simple setup, you might be interested in
a tool that we developed initially for FreeIPA: FreeIPA local
tests. This tool allows you to
provision and run a complex test environment in podman containers. The video of
the local KDC usage was actually generated automatically by the scripts from
https://github.com/abbra/freeipa-local-tests/tree/main/ipalab-config/localkdc.
The DNF5 team is working on ironing out bugs around matching the existing functionality of GNOME Software with PackageKit. The DNF and QA teams have organized a test week from Monday, February 10, 2025 to Monday, February 17, 2025. The wiki page in this article contains links to the test images you’ll need to participate. Please continue reading for details.
How does a test week work?
A test week is an event where anyone can help ensure that the basic functionality of GNOME Software works well in an upcoming release. Fedora community members often participate, and the public is welcome at these events. If you’ve never contributed before, this is a perfect way to get started.
To contribute, you only need to be able to do the following things:
Download test materials, which include some large files
Read and follow directions step by step
The wiki page for the kernel test week has a lot of good information on what and how to test. After you’ve done some testing, you can log your results in the test week web application.
Happy testing, and we hope to see you on one of the test days.
Let's keep the blogging rolling. This week went by really fast,
but a lot of it for me was answering emails and pull requests
and meetings. Those are all important, but sometimes it
makes it seem like not much was actually accomplished in the week.
riscv secondary koji hub
I got some x86 buildvms set up. These are to do tasks that don't need
to be done on a riscv builder, like createrepo/newrepos or the like.
I'm still having an issue with auth on them however, which is related
to the auth issue with the web interface. Will need to get that sorted
out next week.
f42 branching day
Tuesday was the f42 branching day. It went pretty smoothly this cycle
I think, but there's always a small number of things to sort out.
It's really the most complex part of the release cycle for releng.
So many moving parts and disparate repos and configs needing changing.
This time I tried to stay out of actually doing anything, in favor
of just providing info or review for Samyak who was doing all the work.
I mostly managed to do that.
Datacenter move
Planning for the datacenter move is moving along. I've been working on
internal documents around the stuff that will be shipped after we move,
and next week I am hoping to start a detailed plan for the logical
migration itself. It's a pretty short timeline, but I am hoping
it will all go smoothly in the end. We definitely will be in a
better place with better hardware once we are done, so I am looking
forward to that.
The decision of arriving to Brussels a day before the FOSDEM 2025 fringe events began was a smart one as that not only allowed me to catch up on some sleep due to the major timezone shift I faced but also to connect with my fellow community members. While the jet lag did not hurt me as badly as it did the last few times I have been to Europe, I did find myself waking up a little earlier, at around 0500am Central European Time. After getting through some physical exercise in the morning routine, Sumantro Mukherjee got in touch with me to hatch some plans for exploring Brussels and purchasing goodies. We made it to the dining place around the reception area of the Moxy Brussels City Center hotel at around 0830am Central European Time to have our meal, which mostly consisted of Oatmeal Bars, Golden Hashbrowns, Chicken Sausage, Scrambled Eggs and Apple Juice.
Light breakfast at Moxy Brussels City Center consisting of Oatmeal Bars, Golden Hashbrowns, Chicken Sausage, Scrambled Eggs and Apple Juice
Even though we were through with our breakfast by around 0900am Central European Time, we realized that most locations would not open before 1000am, and therefore, I decided to head back to my hotel room after waiting for Justin W. Flory for a while. I headed back down at around 0945am Central European Time, and with me gifting Justin a small bag of Vakadwadi snacks that he loved and sharing some conversation around the Fedora Mindshare revamp - Sumantro and I headed out on a shopping spree. Our first stop was a Kiko Milano outlet, where he made a couple of purchases for his wife before we crossed the road to make it to the ICI Paris XL outlet. After purchasing a couple of incense from there for my family members, we decided to head to a Primark store to pick up some clothes - only to find that we were probably one of their earliest customers.
Some anime themed apparel explored at the Primark store in Brussels
Admittedly, we ended up picking up quite a lot of things from there, which made me wonder just how we would be able to carry them all back on our return trip. Sumantro was in constant touch with Saheli Das Mukherjee while I was connected with my uncle and my mother over call to ensure that we made some well-informed decisions on apparel sizes. We joined the queue one after the other once we were through with making our choices, and we decided that it would be for the best if we were to head back to the hotel to drop these things before we continued with further exploration. On our way out, we headed into a nearby video game store where we looked into a bunch of retro consoles, arcade cabinets and action figurines while discussing whether Sumantro should purchase an archaic Nintendo Game Boy Color and searching for some Genshin Impact official merchandise.
Some anime themed action figurines explored at various stores from various franchises like Boku No Hero Academia (2016), Kimetsu No Yaiba (2019) and Jujutsu Kaisen (2020)
At around 1230pm Central European Time, we headed into an optometrist shop as Sumantro wanted to purchase some shades from the acclaimed Versace brand as a gift for his wife. We headed into another video game store located beside the previous store, where we explored some more arcade cabinets, video game cartridges, anime merchandise and archaic computers. We were sure that we were not going to make a purchase here anyway, so we decided to depart from there after obtaining a couple of energy drinks imported from Japan. In another computer peripheral store, Sumantro and I explored some transistor radios and feature phones that were going out of fashion swiftly before we realized that it was around time for us to head for lunch. Even though we initially planned to visit the Tintin store, we decided against it due to the lack of interest.
Some goods imported from Japan including imperial Japanese themed Red Bull, Doraemon (1979) themed snacks and Dragon Ball Z (1989) action figurine
We found ourselves heading into a Belchicken joint at around 0200pm Central European Time, and after I made one more purchase of a trenchcoat from a UNIQLO store, we decided to get a couple of takeaways. We elected a no-brainer combo of some Chicken Tenders and French Fries with Garlic Sauce and decided to have our food together in my hotel room #610. Sumantro left at around 0300pm Central European Time after we were through with the lunch for his hotel room, as he wanted to prepare for his Fedora Mindshare part of the Fedora Council meeting that was going to happen in an hour from then. I decided to catch up on some more of the rest before joining the Fedora Council meeting remotely with other folks from the Red Hat Community Linux Engineering team, represented by Brendan Conoboy, and those from the Fedora Council and CentOS Board.
Some glimpses from when the rain was quite alright on our way from Moxy Brussels City Center to Grand Place
In the evening, Sumantro made some impromptu plans to throw me a birthday party - which surely came as a welcome surprise to me. Between my thankful declination and his brotherly insistence, I had to give in, and we decided to leave from Moxy Brussels City Center hotel for Delirium Village at around 0600pm Central European Time. On our way out of the hotel, we ran into Matthew Miller and Luis Bazan, who were returning from their rental workspace - with whom we shared some conversations before we were on our way again. The weather was on the drizzlier side, and while we thought that it would get better in some time, we were soon proven wrong as we kept proceeding closer to the Grand Place. The Decathlon Forclaz jacket proved to be useful when the rain took a turn for the worse, and we had to stay moving constantly to ensure that we were not drenched.
Some glimpses from when the rain had become worse on our way from Moxy Brussels City Center to Grand Place
After clicking a bunch of photographs around an absurdly vacant Grand Place square, we went through a row of memorabilia souvenir shops and luxury chocolate shops. While I could resist the temptation of making purchases from there as this was not my first time in Brussels, I could not help myself when I came across a conveniently tucked away Manga Cafe store when Sumantro and I were seeking shelter from the rain. The only reason why we could make it out was because of the distinctive Pikachu plushie and some Spy X Family posters visible from outside of the shop. Unlike the couple of shops that we visited earlier that day, this seemed like the place where we could find exactly what we were looking for - with the catch being that most merchandise available here, including the Genshin Impact Official Artbook, was localised to French, which was not helpful to me.
Some glimpses of the goodies I could not purchase from Genshin Impact and of the goodies I could from Spy X Family and Kimetsu No Yaiba
They had the entire manga collection of Horimiya (2021), which I would have purchased immediately had it been in English, but I did understand the reason why they were so. After spending almost an hour exploring the store until closing time of the store - I decided to get myself one unit of Kimetsu No Yaiba themed Sakuma Drops and three Gacha Boxes of metal plates with Spy X Family themed backgrounds. After clumsily dropping the cutter that I borrowed from the store receptionist a couple of times, I was finally able to pull plates with Loid Forger, Anya Forger and Yor Forger from the three boxes that I purchased. I wanted to buy out the entire stock to ensure that I ended up getting one of each kind possible from Spy X Family Code White (2023), but I decided not to go all out because that was most likely what the merchandise makers wanted us to do anyway.
It is surprising just how absurdly empty Grand Place had become due to the worsening weather that night
Sumantro purchased a Daruma Doll after I dropped a lore about what they are about and a reference to those from the popular anime Doraemon (1979), and we departed from the store at around 0800pm Central European Time. We ordered a couple of beers when we made it into the hustle and bustle of the Delirium Cafe, and I decided to keep mine non-alcoholic to ensure that I was on top of my hydration game. The vibes within the Delirium Village were amazing, but as it was growing colder, we headed to The Belgian Fries Co. outlet for dinner once we were done with our drinks. We departed from the restaurant around an hour later for the hotel on foot, with me taking care of the navigation this time. We walked swiftly back to the hotel to ensure that we had enough resting time and woke up healthy to participate and assist with the CentOS Connect 2025 event the next day.
Some glimpses of us sharing some drinks and snacks at the Delirium Cafe outlet and The Belgian Fries Co. outlet before heading back to the hotel
The rtl8852cu Linux driver (version 1.19.2.1, updated as of May 10, 2024) supports USB WiFi adapters based on the RTL8832CU and RTL8852CU chipsets. While Realtek continues to develop this out-of-kernel driver, it is important to note that it is not fully compliant with Linux Wireless Standards. This makes it more suitable for specialized use cases, such as embedded systems, rather than general desktop or server environments.
For most users, adapters with in-kernel drivers are recommended due to their stability and ease of use. However, if you’re working with an adapter supported by this driver, here’s everything you need to know.
Key Features of the rtl8852cu Driver
WiFi Standards: IEEE 802.11 b/g/n/ac/ax (WiFi 6)
Security Protocols:
WEP, WPA TKIP, WPA2 AES/Mixed mode (PSK and TLS)
WPA3-SAE R2
WPS (PIN and PBC methods)
Modes Supported:
Client mode
AP mode (with DFS channel support)
P2P-client and P2P-GO
IBSS (not tested)
Advanced Features:
Miracast
WiFi-Direct
Wake on WLAN
VHT and HE control (supports 160 MHz channel width in AP mode)
Note: Monitor mode is not supported. If you require monitor mode, consider adapters based on the mt7610u, mt7612u, or mt7921au chipsets.
Compatible Devices and Chipsets
This driver supports a variety of USB WiFi adapters, including:
Edup AX5400 EP-AX1671 (single-state, no onboard Windows driver)
Brostrend AX8
TP-Link Archer TX50UH V1
TP-Link Archer TXE70UH(EU) V1
MSI AXE5400
Warning: Multi-state adapters (those with internal Windows drivers) may cause issues on Linux. For better compatibility, opt for single-state and single-function adapters. Avoid multi-function adapters (e.g., those combining WiFi and Bluetooth).
Supported CPU Architectures and Kernels
CPU Architectures:
x86, i386, i686
x86-64, amd64
armv6l, armv7l (arm)
aarch64 (arm64)
Kernel Versions:
Officially tested: 5.4 to 6.6 (Realtek)
Community-supported: 6.7 to 6.12
Tested Compilers: gcc 12, 13, and 14.
Installation Guide
Prerequisites
Before installing the driver, ensure your system is up-to-date and has the necessary development tools installed. You’ll also need internet access during installation.
Required packages: build tools, dkms, git and iw. For Secure Boot you will additionally need openssl, sign-file and mokutil.
Example for Ubuntu:
sudo apt install -y build-essential dkms git iw
Download and Install the Driver:
git clone https://github.com/morrownr/rtl8852cu-20240510.git
cd rtl8852cu-20240510
sudo ./install-driver.sh
Reboot Your System: After installation, reboot to ensure the driver loads correctly:
sudo reboot
Troubleshooting Tips
Conflicting Drivers: Installing multiple out-of-kernel drivers for the same hardware can cause issues. Use sudo dkms status to check for conflicts.
Secure Boot: If Secure Boot is enabled, follow the instructions in the FAQ to enroll the signing key.
Manual Installation: If DKMS is unavailable, you can manually compile and install the driver using:
make clean
make -j$(nproc)
sudo make install
sudo reboot
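The prerequisite, Secure Boot and conflicting-driver checks above can be run before touching the system. The script below is an added example, not code from the rtl8852cu project: the function names are hypothetical, the sample `dkms status` output is constructed, and matching sibling drivers by an `rtl8*` module name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the rtl8852cu project: pre-install checks for an
# out-of-kernel driver. Each check takes command output as an argument, so it
# runs on the constructed sample below; main() uses live commands when present.
# Matching sibling Realtek drivers by an "rtl8*" DKMS name is an assumption.

# Classify a kernel release against the versions the driver page lists:
# 5.4 to 6.6 officially tested by Realtek, 6.7 to 6.12 community-supported.
kernel_support() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    v=$((major * 100 + minor))
    if [ "$v" -ge 504 ] && [ "$v" -le 606 ]; then echo official
    elif [ "$v" -ge 607 ] && [ "$v" -le 612 ]; then echo community
    else echo unsupported; fi
}

# Parse `mokutil --sb-state`; with Secure Boot enabled the kernel refuses an
# unsigned module, so the MOK enrollment step from the FAQ cannot be skipped.
secure_boot_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# List other Realtek DKMS modules in `dkms status` output. Accepts both the
# "name/version, kernel, arch: state" (dkms 3) and "name, version, ..." forms.
dkms_conflicts() {
    printf '%s\n' "$1" | awk -F'[/,]' '/^rtl8/ && $1 != "rtl8852cu" { print $1 }' | sort -u
}

# Constructed sample of `dkms status`, used when dkms is not installed.
SAMPLE_DKMS='rtl8852cu/1.19.2.1, 6.8.0-45-generic, x86_64: installed
rtl8852bu/1.19.3, 6.8.0-45-generic, x86_64: installed'

main() {
    echo "kernel $(uname -r): $(kernel_support "$(uname -r)")"
    if command -v mokutil >/dev/null 2>&1; then
        echo "secure boot: $(secure_boot_state "$(mokutil --sb-state 2>&1)")"
    fi
    if command -v dkms >/dev/null 2>&1; then status=$(dkms status 2>/dev/null)
    else status=$SAMPLE_DKMS; fi
    conflicts=$(dkms_conflicts "$status")
    if [ -n "$conflicts" ]; then
        echo "other Realtek DKMS drivers present (possible conflict): $conflicts"
    fi
}
main
```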
Recommended Router/AP Settings
To optimize your WiFi performance:
Security: Use WPA2-AES or WPA3. Avoid mixed modes like WPA/WPA2.
Channel Width:
2.4 GHz: Set to 20 MHz fixed width.
5 GHz: Use channels 36–48 or 149–165 for compatibility.
Network Names: Avoid naming all bands (2.4 GHz, 5 GHz, 6 GHz) the same.
Router Placement: Position the router centrally, elevated, and away from walls.
Final Notes
While this driver provides robust support for RTL8832CU and RTL8852CU adapters, it is not without limitations. Users should weigh the trade-offs between stability, compatibility, and advanced features when choosing a WiFi adapter. For most desktop and server users, in-kernel drivers remain the best choice.
If you encounter issues or have questions, consult the FAQ or open an issue on the GitHub repository.
This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.
Week: 03 – 07 February 2025
Infrastructure & Release Engineering
The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work. It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.). List of planned/in-progress issues
comments? additions? reactions?
As always, comment on mastodon: https://fosstodon.org/@nirik/113969409712070764