Fedora


The Fedora Special Interest Groups (SIGs) are teams within the Fedora Project that are less formal than official subprojects. The SIGs are sometimes a first stage in the development of new projects within the Fedora Project.

The Fedora Minimal Core SIG is a group of people interested in maintaining Fedora's minimal package set. This is the Core group in the comps file, and any packages installed by the Anaconda installer by default. Stakeholders: Cloud SIG, Server SIG, Embedded SIG, etc.

Fedora Cloud provides several images of Fedora that can be consumed in private and public cloud infrastructures. The following list describes the kinds of images available to users. Fedora Cloud images are optimized to run on cloud infrastructure (container based).

  • Cloud Base - This is the minimal image of Fedora; it has the bare minimum of packages required to run in any cloud environment.
  • Atomic Image (since 2019 replaced by CoreOS) - The Atomic image is a lightweight, immutable platform designed with the sole purpose of running containerized applications. It can also be used in any public or private cloud environment. To learn more, visit the Project Atomic project page. The Atomic Host platform is now replaced by CoreOS.
  • Vagrant images - We also provide Vagrant images for both Cloud Base and Atomic. Both VirtualBox and libvirt are supported by the two different images we publish for Vagrant.
  • Docker image - If you run docker pull fedora, you will get the latest Fedora image for Docker. This image is also created by the Fedora Cloud team.

What is the difference between Fedora CoreOS and Fedora Silverblue? The Fedora CoreOS and Silverblue editions use rpm-ostree, a hybrid transactional image/package system to manage the host. Traditional DNF (or other systems) should be used in containers.

Fedora Workstation (x86_64)

Packages

/etc/dnf/dnf.conf

deltarpm=false
$ dnf remove \*PackageKit\* \*abrt\* \*virtual\* \*libvirt\* \*qemu\* \*java\* selinux\* libselinux-utils python3-libselinux         # remove ~960 M (~ 290 packages)
$ dnf remove ibus-anthy ibus-anthy-python ibus-hangul ibus-libpinyin ibus-libzhuyin ibus-m17n ibus-typing-booster
# spice\*
$ reboot   # selinux remove/disable
$ dnf remove orca rhythmbox totem cheese\* yelp\* hunspell-en hunspell-en-GB firefox-langpacks                         # remove ~120 M (~ 55 packages)
$ dnf remove gnome-shell-extension\* gnome-backgrounds gnome-user-docs gnome-online-miners mediawriter
$ dnf remove baobab gnome-weather gnome-contacts gnome-maps gnome-calendar gnome-characters gnome-tour gnome-text-editor   # gnome-autoar (with nautilus) gnome-clocks fedora-workstation-backgrounds
$ dnf remove ModemManager lrzsz pptp NetworkManager-openconnect NetworkManager-openvpn NetworkManager-pptp NetworkManager-vpnc   # -x libnm-gtk ( !!! libnm-gtk !!! must stay in Fedora)
$ dnf remove \*b43\* \*pcsc\* \*usb_modeswitch\* \*sane\* -x linux-firmware   # unnecessary \*firmware\*
$ dnf remove jomolhari\* khmeros\* lohit\* paktype\* sil\* thai\* \*cjk\*
$ dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
$ dnf install https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
$ dnf clean all; rm -rf /var/cache/dnf/; dnf upgrade
$ dnf install dconf-editor gnome-tweak-tool gnome-menus gnome-usage gnome-extensions-app
$ dnf install gcc-c++ binutils git git-tools rpm-build diffutils patch cmake make meson cppcheck astyle indent xmlindent emacs ShellCheck openssl jq inotify-tools # shfmt
$ dnf install libX11-devel libXpm-devel libXft-devel libXext-devel openssl-devel mesa-libGL-devel glew-devel ftgl-devel mariadb-devel pcre-devel libxml2-devel libuuid-devel giflib-devel krb5-devel systemd-devel zlib-devel lz4-devel tbb-devel xxhash-devel libzstd-devel
$ dnf install gtk3-devel gtk4-devel python-devel gl2ps-devel libAfterImage-devel gsl-devel sqlite-devel json-devel
$ dnf install mod_fcgid fcgi-devel readline-devel fuse-devel perl-Image-ExifTool perl-Tk perl-Digest-MD5 perl-Pod-Usage perl-IO-Zlib perl-Archive-Extract-zip-Archive-Zip perl-sigtrap perl-Unicode-Normalize
$ dnf install ntfs-3g wol p7zip p7zip-plugins unrar webp-pixbuf-loader qpdf ImageMagick pdf2svg python-img2pdf catdoc odt2txt xclip gcolor3 foliate genisoimage
$ dnf install audacious audacious-plugins-freeworld-aac vlc mediainfo
$ dnf install gstreamer1-libav gstreamer1-vaapi gstreamer1-plugins-{good,good-extras,ugly} gstreamer1-plugins-bad-free gstreamer1-plugins-bad-freeworld

NOTE I would recommend removing libavcodec-free (provided by Fedora, with a limited set of codecs) and replacing it with libavcodec-freeworld (provided by RPM Fusion, with almost all AV codecs available).

$ dnf swap libavcodec-free libavcodec-freeworld --allowerasing
$ dnf install libreoffice
$ dnf install httpd mod_ssl python-certbot-apache   vsftpd mariadb-server
$ dnf install php php-pear php-xml php-mysqlnd php-intl php-opcache php-gd php-mbstring ImageMagick-perl php-pear-Net-Curl php-pecl-mcrypt
fonts

minimum (optimal) needed fonts; lgc fonts family with Unicode coverage restricted to Latin, Greek and Cyrillic (no cjk for Chinese, Japanese and Korean)

$ dnf install liberation*fonts gnu-free*fonts   # gnu-free-mono-fonts uses Emacs

fonts needed only for legacy applications (xmms, xpdf, xdvi) xorg-x11-fonts-75dpi; ISO8859-1 (Latin-1 — Western European), ISO8859-2 (Latin-2 — Eastern European), ISO8859-5 (Cyrillic)

$ dnf install xorg-x11-fonts-ISO8859-1-75dpi     # needed for ROOT CERN
Adobe Flash Player
$ wget http://fpdownload.macromedia.com/get/flashplayer/pdc/28.0.0.161/flash_player_npapi_linux.x86_64.tar.gz
$ tar -xzf flash_player_npapi_linux.x86_64.tar.gz -C /usr/lib64/mozilla/plugins/ libflashplayer.so
$ chmod 755 /usr/lib64/mozilla/plugins/libflashplayer.so
Skype
$ dnf install https://repo.skype.com/latest/skypeforlinux-64.rpm   # install all needed depend packages

Configure Skype to use port 50123 at CERN

Java
OpenJDK
$ dnf install java   # icedtea-web
Oracle Java
$ tar -xzf jre-8u*-linux-x64.tar.gz -C /opt/
$ chown -R root:root /opt/jre1.8*
$ ln -s /opt/jre1.8* /opt/jre
$ alternatives --install /usr/bin/java java /opt/jre/bin/java 9999 --slave /usr/share/man/man1/java.1 java.1 /opt/jre/man/man1/java.1
$ alternatives --install /usr/bin/javaws javaws /opt/jre/bin/javaws 9999 --slave /usr/share/man/man1/javaws.1 javaws.1 /opt/jre/man/man1/javaws.1
$ alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /opt/jre/lib/amd64/libnpjp2.so 9999
$ alternatives --config java
$ alternatives --config javaws
$ alternatives --config libjavaplugin.so.x86_64

$ alternatives --display java

Hardware

NVIDIA on RPM Fusion

GNOME with Wayland and NVIDIA doesn't work by default at this point, but NVIDIA is preparing XWayland OpenGL/Vulkan acceleration support (spring 2021).

Intel Centrino Advanced-N 6230 or 6235, AC 7265
$ dnf install iwl6000g2b-firmware
$ dnf install iwl7260-firmware iwlax2xx-firmware   # Intel Wi-Fi 6 AX200 (ASUS ROG STRIX B550-I GAMING and Dell XPS 13 7390, Late 2019)
$ firmware-addon-dell

# 2023-07 (F38) group/module packages
iwlwifi-dvm-firmware
    replacing  iwl6000g2b-firmware.noarch 20230515-150.fc38
iwlwifi-mvm-firmware
    replacing  iwl7260-firmware.noarch 1:20230515-150.fc38
    replacing  iwlax2xx-firmware.noarch 20230515-150.fc38
Dell XPS 13 (7390)

Windows 10 Home, A) F2 - BIOS Setup B) F12 - Boot Menu, Sequence (One Time Boot Menu)

1) Change the SATA mode from RAID to AHCI 2) Change "POST Behavior -> Fastboot" from "Minimal" to "Thorough" (reportedly there are problems with this; personally I have not noticed any)

dnf install smbios-utils
smbios-thermal-ctl -v -g
smbios-thermal-ctl -i
smbios-thermal-ctl --set-thermal-mode=Quiet
Broadcom Corporation BCM43228
$ dnf install broadcom-wl kmod-wl
Brother DCP-7070DW
$ dnf install glibc.i686 http://www.brother.com/pub/bsc/linux/dlf/dcp7070dwlpr-2.1.0-1.i386.rpm http://www.brother.com/pub/bsc/linux/dlf/cupswrapperDCP7070DW-2.0.4-2.i386.rpm
Brother DCP-1512R
$ dnf install xsane sane-backends
$ wget http://download.brother.com/welcome/dlf006893/linux-brprinter-installer-2.1.1-1.gz
$ gunzip linux-brprinter-installer-2.1.1-1.gz
$ bash linux-brprinter-installer-2.1.1-1
Input model name ->DCP-1512R
# the installer pulls in the needed dependencies, except libusb, which must be installed manually
$ dnf install libusb
lm_sensors and Nuvoton NCT6798D

Nuvoton NCT6798D Super IO Sensors (kernel driver nct6775) for Ryzen 5000 and ASUS B550 motherboard (more info [1], [2]).

/etc/default/grub

GRUB_CMDLINE_LINUX="acpi_enforce_resources=lax"
# modinfo nct6775
# dmidecode | grep -A 3 -B 2 NCT
Handle 0x0022, DMI type 34, 11 bytes
Management Device
	Description: Nuvoton NCT6798D-R
	Type: Other
	Address: 0x00000295
	Address Type: I/O Port
Bluetooth mouse
Bluetooth dual boot pairing problem (2023-03)
$ python export-ble-infos.py -s /mnt/win_c/Windows/System32/config/SYSTEM

Simply copy what the script created (the file bluetooth/84:C5:26:92:9C:B8/C9:E4:BB:E6:D3:8A/info) into the /var/lib/bluetooth/ directory and restart bluetooth.service.

Use the "simpler" way, i.e. extracting the key from the Linux environment.

fwupd

This project is configured by default to download firmware from the Linux Vendor Firmware Service (LVFS).

$ fwupdmgr get-devices
$ fwupdmgr refresh
$ fwupdmgr get-updates
$ fwupdmgr update          # be careful

System config

mc fix ssh (fish) seconds

/usr/libexec/mc/fish/ls in function fish_list_perl

my $mloctime= strftime("%m-%d-%Y %H:%M", localtime $mtime);
# replace with
my $mloctime= strftime("%m-%d-%Y %H:%M:%S", localtime $mtime);

kvm: disabled by bios

/etc/modprobe.d/kvm-blacklist.conf

blacklist kvm
blacklist kvm_intel
blacklist kvm_amd

$ lsmod | grep kvm
kvm                   585728  0
$ modprobe -r kvm

SELinux

/etc/selinux/config

SELINUX=disabled   # set to disabled automatically after the selinux-policy package is removed

https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable

Wget

  • disable HSTS policy (wget --no-hsts, no more ~/.wget-hsts)

/etc/wgetrc

hsts = off

PulseAudio

/etc/pulse/default.pa

# .ifexists module-esound-protocol-unix.so
# load-module module-esound-protocol-unix
# .endif

GRUB 2

$ grub2-mkconfig -o /boot/grub2/grub.cfg
$ grub2-set-default 2     # 0 - Fedora, 1 - Fedora recovery, 2 - Windows
$ grub2-editenv list

/etc/default/grub

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rhgb quiet ipv6.disable=1"
GRUB_DISABLE_RECOVERY="true"
2024-10, ToDo
https://thelinuxforum.com/articles/712-how-to-add-remove-kernel-boot-parameters-arguments-and-grub-boot-entries-on-fedora-rhel-almalinux-rocky-linux-centos-stream
GRUB 2 default boot entry

2023-02

$ grub2-editenv list
boot_success=1
boot_indeterminate=0
saved_entry=23ab04fdeb0e4e589bb30befde0cb2f1-6.1.10-200.fc37.x86_64

The file /etc/default/grub contains (by default) the directive GRUB_DEFAULT=saved, so GRUB 2 loads the directive saved_entry=23ab04fdeb0e4e589bb30befde0cb2f1-6.1.10-200.fc37.x86_64 from the file /boot/grub2/grubenv, which contains (by default) the name of the most recently installed kernel package, as defined by the UPDATEDEFAULT=yes and DEFAULTKERNEL=kernel-core directives in the file /etc/sysconfig/kernel.

/etc/sysconfig/kernel

# UPDATEDEFAULT specifies if kernel-install should make new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel-core

INFO A kernel package upgrade does not touch the file /boot/grub2/grub.cfg at all; it only adds the file 23ab04fdeb0e4e589bb30befde0cb2f1-6.1.10-200.fc37.x86_64.conf (the entry item) to the directory /boot/loader/entries/. With UPDATEDEFAULT=yes it overwrites the saved_entry value in the file /boot/grub2/grubenv with the current kernel.

Changing the default boot value (the current kernel package) to Windows
$ readlink -f /etc/grub2.cfg
/boot/grub2/grub.cfg
$ awk -F\' '$1=="menuentry " {print $2}' /boot/grub2/grub.cfg
$ grep -P "^menuentry" /boot/grub2/grub.cfg | cut -d "'" -f2   # grep "menuentry" /boot/grub2/grub.cfg
Windows Boot Manager (on /dev/nvme0n1p1)
option 1 (not recommended)

These are simple ways of setting the default entry, but they are prone to error if/when grub2-mkconfig is re-run. They include directly setting the default in /boot/grub2/grub.cfg or setting GRUB_DEFAULT to either a number or an entry title in /etc/default/grub. Neither of these methods is recommended (more info).

Directly change the directive GRUB_DEFAULT=saved in the file /etc/default/grub to GRUB_DEFAULT="Windows Boot Manager (on /dev/nvme0n1p1)".

$ grub2-mkconfig -o /boot/grub2/grub.cfg
$ grub2-editenv list
boot_success=1
boot_indeterminate=0
saved_entry=23ab04fdeb0e4e589bb30befde0cb2f1-6.1.10-200.fc37.x86_64
option 2 (recommended)

The directive GRUB_DEFAULT=saved in the file /etc/default/grub stays at its default, unchanged.

$ grub2-set-default "Windows Boot Manager (on /dev/nvme0n1p1)"   # or the entry's index number
$ grub2-editenv list
boot_success=1
boot_indeterminate=0
saved_entry=Windows Boot Manager (on /dev/nvme0n1p1)

This change works only until an upgrade to a newer kernel runs, which overwrites the saved_entry value (file /boot/grub2/grubenv) with the newer kernel version. If we need to boot into Windows permanently, we change UPDATEDEFAULT=yes to UPDATEDEFAULT=no in the file /etc/sysconfig/kernel.

Unlike the first option, there is no need to call grub2-mkconfig, so the file /boot/grub2/grub.cfg itself is not changed in any way.

WATCH OUT for the GRUB_SAVEDEFAULT directive in the file /etc/default/grub. By default this directive is not present in the file at all, i.e. it is not set, which is equivalent to GRUB_SAVEDEFAULT=false. If GRUB_SAVEDEFAULT is set to true, then, when an entry is selected, it is saved as the new default entry for use by future runs of GRUB. So you may need to make sure that GRUB_SAVEDEFAULT is not set to true. GRUB_SAVEDEFAULT is only useful if GRUB_DEFAULT is saved (more info).
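
The interplay of GRUB_DEFAULT, saved_entry, UPDATEDEFAULT and GRUB_SAVEDEFAULT described above, as a read-only shell check. This is an added example, not part of the original notes; the function names get_key and grub_boot_report and the output keys are made up for illustration, and the three file paths are passed as arguments.

```shell
#!/bin/sh
# Added example. On Fedora the real inputs are /etc/default/grub,
# /boot/grub2/grubenv and /etc/sysconfig/kernel; copies work as well.

# get_key FILE KEY: value of the last uncommented KEY=... line, quotes stripped.
# The files are parsed, never sourced: /etc/default/grub is shell syntax and
# may contain command substitutions such as GRUB_DISTRIBUTOR="$(sed ...)".
get_key() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# grub_boot_report DEFAULTS GRUBENV KERNELCFG
# Prints four key=value lines:
#   source                    where the default entry comes from
#   next_boot                 entry that is booted when nothing is selected
#   kernel_update_overwrites  a kernel upgrade will replace next_boot
#   menu_choice_overwrites    picking an entry in the menu will replace next_boot
grub_boot_report() {
    gd=$(get_key "$1" GRUB_DEFAULT)
    sdef=$(get_key "$1" GRUB_SAVEDEFAULT)
    saved=$(get_key "$2" saved_entry)
    upd=$(get_key "$3" UPDATEDEFAULT)

    if [ "$gd" = saved ]; then
        # Option 2 on this page: the entry lives in grubenv
        echo "source=grubenv"
        echo "next_boot=$saved"
        if [ "$upd" = yes ]; then
            echo "kernel_update_overwrites=yes"
        else
            echo "kernel_update_overwrites=no"
        fi
        if [ "$sdef" = true ]; then
            echo "menu_choice_overwrites=yes"
        else
            echo "menu_choice_overwrites=no"
        fi
    else
        # Option 1 on this page: the value is written into grub.cfg by
        # grub2-mkconfig, and saved_entry in grubenv is ignored.
        # GRUB documents 0 as the default when GRUB_DEFAULT is unset.
        echo "source=grub.cfg"
        echo "next_boot=${gd:-0}"
        echo "kernel_update_overwrites=no"
        echo "menu_choice_overwrites=no"
    fi
}

# Usage: sh grub-report.sh /etc/default/grub /boot/grub2/grubenv /etc/sysconfig/kernel
if [ "$#" -eq 3 ]; then
    grub_boot_report "$1" "$2" "$3"
fi
```
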

further
GRUB_CMDLINE_LINUX_DEFAULT="nouveau.modeset=0 rdblacklist=nouveau"   # nVidia driver
GRUB_CMDLINE_LINUX_DEFAULT="nouveau.modeset=0 rd.driver.blacklist=nouveau video=vesa:off vga=normal"

GRUB_THEME="/boot/grub2/themes/system/theme.txt"

GRUB_GFXMODE=1280x1024
GRUB_FONT=/boot/grub2/DejaVuSansMono18.pf2
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_BACKGROUND=/usr/share/backgrounds/path/image.png
  • It is not recommended to change the parameter GRUB_DEFAULT=saved; instead run the grub2-set-default command, which generates or modifies the file /boot/grub2/grubenv
  • Using the vga=788 parameter is considered obsolete and is not recommended; the GRUB_GFXMODE=1280x1024 parameter is preferred instead
  • Which GRUB_GFXMODE values the graphics card supports can be found from the console entered from the GRUB2 menu
  1. press "c" to enter the GRUB2 console
  2. run the following commands in the console
grub> set pager=1
grub> insmod vbe
grub> vbeinfo
  • GRUB_FONT can be generated with grub2-mkfont
    $ grub2-mkfont --size=18 --output=/boot/grub2/DejaVuSansMono18.pf2 /usr/share/fonts/dejavu/DejaVuSansMono.ttf
  • install the bootloader (grub2 to hard drive) without chroot
$ fdisk -l
Device     Boot     Start       End  Sectors  Size Id Type
/dev/sda1  *         2048  81922047 81920000 39.1G 83 Linux => root directory (with /boot dir)
/dev/sda2        81922048 143362047 61440000 29.3G 83 Linux
/dev/sda3       143362048 234440703 91078656 43.4G 83 Linux

/dev/sdb1            2048  524290047  524288000   250G 83 Linux
/dev/sdb2       524290048 1953525167 1429235120 681.5G 83 Linux
$ mount /dev/sda1 /mnt        # with /mnt/boot dir
$ mount /dev/sdaX /mnt/boot   # only if root directory without /boot dir
$ grub2-install --boot-directory=/mnt/boot /dev/sda   # or try with option --recheck
$ grub2-mkconfig -o /boot/grub2/grub.cfg   # only if needed

Disk partitions

2024-02
# blockdev --getalignoff /dev/sda   # '0' if the partition is aligned

Automatic trim (using the discard mount option) trims freed blocks on sync after any file is deleted, whereas manual trim (using fstrim) trims all the free space at once. There is no need for the discard (mount) flag if you run fstrim periodically. Don't use the discard mount option; prefer fstrim.

# fstrim --all --verbose
# systemctl status fstrim.timer
$ findmnt
$ findmnt --types ext4,tmpfs
$ cat /proc/mounts
$ blkid
$ cat /usr/lib/systemd/system/tmp.mount

The biggest issue with atime is SSD write cycles. An SSD has a life that is measured in number of write cycles. With atime enabled, every read results in a write, to update the atime. When a write takes place on an SSD, a whole block must be read, changed and rewritten.

$ findmnt --target /home 
TARGET SOURCE         FSTYPE OPTIONS
/home  /dev/nvme0n1p4 ext4   rw,relatime

Prefer the noatime mount option (maximum performance) over the default relatime mount option (compromise). From mount(8), noatime works for all inode types (directories too), so it implies nodiratime.

/etc/fstab

UUID=a1b2c3d4-a1b2   /            ext4    defaults,noatime     1 1
UUID=a1b2c3d4-a1b2   /boot        ext4    defaults,noatime     1 2
UUID=a1b2-a1b2       /boot/efi    vfat    umask=0077,shortname=winnt 0 2
UUID=a1b2c3d4-a1b2   /home        ext4    defaults,noatime     1 2
UUID=a1b2c3d4-a1b2   /mnt/free    ext4    defaults,noatime     1 2
UUID=a1b2c3d4e5f6    /mnt/win_c   ntfs    defaults,ro  0 0

# nfs
strela-stor.jinr.ru:/vol/vol1/strela   /strela-stor   nfs   defaults,noatime 0 0
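
A check of an fstab against the recommendations above (fstrim instead of discard, noatime instead of the default relatime), written as an added example that is not part of the original notes. The function names audit_fstab and sample_fstab and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab-format input for the mount options discussed here.

# audit_fstab [FILE]: reads FILE, or stdin when FILE is omitted.
# Prints one finding per line and returns 1 if there is at least one.
audit_fstab() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }        # comments, blank and short lines
    {
        n = split($4, opt, ",")
        noatime = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "discard") {
                printf "%s: discard set, use fstrim.timer instead\n", $2
                found++
            } else if (opt[i] == "default") {
                printf "%s: \"default\" is not an option keyword, \"defaults\" intended?\n", $2
                found++
            } else if (opt[i] == "noatime") {
                noatime = 1
            }
        }
        # read-only mounts never write atime, so they are not reported
        if ($3 ~ /^ext[234]$/ && !noatime && $4 !~ /(^|,)ro(,|$)/) {
            printf "%s: no noatime, reads still update atime (relatime)\n", $2
            found++
        }
    }
    END { exit (found > 0) }' "${1:--}"
}

# Constructed sample, not taken from a real machine
sample_fstab() {
    cat <<'EOF'
# /etc/fstab (constructed sample)
UUID=1111  /           ext4  defaults,noatime            1 1
UUID=2222  /boot/efi   vfat  umask=0077,shortname=winnt  0 2
UUID=3333  /home       ext4  defaults                    1 2
UUID=4444  /mnt/ssd    ext4  defaults,discard,noatime    0 2
UUID=5555  /mnt/win_c  ntfs  default,ro                  0 0
EOF
}

# Without arguments, audit the constructed sample; otherwise audit the given file
if [ "$#" -eq 0 ]; then
    sample_fstab | audit_fstab || true
else
    audit_fstab "$1"
fi
```
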

Fonts

Add new fonts (as admin) to the system directory /usr/local/share/fonts/ or /usr/share/fonts/, or (as user) to the ~/.local/share/fonts/ user directory (the ~/.fonts/ directory is obsolete and deprecated). Then update the fontconfig font cache with the fc-cache -v command (on the x64 architecture fc-cache is the fc-cache-64 command).

Disable bitmap fonts

If we use (LibreOffice), or are forced to use (Linux + Firefox + MS Outlook + Calibri fonts), Microsoft fonts, the fonts may look "ugly", i.e. they are not rendered correctly [3], [4]. MS fonts use so-called embedded bitmaps, which need to be disabled for correct display on Linux.

$ fc-match --verbose Cantarell | grep embeddedbitmap   # or any other fonts
embeddedbitmap: True(s)
$ wget https://raw.githubusercontent.com/musinsky/config/master/fontconfig/20-no-bitmap-all-fonts.conf \
  -P /etc/fonts/conf.d/
$ fc-cache
$ fc-match --verbose Cantarell | grep embeddedbitmap
embeddedbitmap: False(w)

NOTE Fedora ships the file /etc/fonts/conf.d/25-no-bitmap-fedora.conf, but it disables embeddedbitmap only for specific (Asian) fonts.

Free fonts family (typeface)

Note that not all fonts that declare full support for the characters of a particular language actually support them, e.g. problems with Czech diacritics in some fonts from Google Fonts.

Cantarell

The default fonts for the GNOME 3 environment, replacing the previous DejaVu fonts. GNOME Cantarell originally supported only Latin languages; support for e.g. Cyrillic or Greek was added later. GNOME Cantarell does not natively contain italic or oblique glyphs, unlike Google Cantarell. It contains no mono fonts. GNOME in Ubuntu (by default) uses its own Ubuntu fonts.

$ dnf install abattis-cantarell-fonts abattis-cantarell-vf-fonts   # installed by default on Fedora
$ fc-list | grep -i cantarell
Exo 2

Since about 2020 the fonts are also available directly in the Fedora repo. Exo 2 contains no mono fonts and has only partial support for Greek characters.

$ dnf install ndiscover-exo-2-fonts
$ fc-list | grep -i exo
Roboto

Roboto family fonts: Roboto (google-roboto-fonts), Roboto Condensed (google-roboto-condensed-fonts), Roboto Mono (google-roboto-mono-fonts) and Roboto Slab (google-roboto-slab-fonts).

$ dnf install google-roboto-fonts google-roboto-condensed-fonts \
              google-roboto-mono-fonts google-roboto-slab-fonts
$ fc-list | grep -i roboto

Network

/etc/hosts

127.0.0.1        localhost localhost.localdomain localhost4 localhost4.localdomain4
147.213.X.X      alice alice.saske.sk
::1              alice alice.saske.sk localhost localhost.localdomain localhost6 localhost6.localdomain6

/etc/resolv.conf

nameserver 147.213.192.3
nameserver 147.213.196.3
search saske.sk
  • Which nameserver(s) to use can be found with dig, the DNS lookup utility
$ dig -t ns saske.sk
;; ADDITIONAL SECTION:
ns1.saske.sk.		86400	IN	A	147.213.192.3
ns2.saske.sk.		86400	IN	A	147.213.196.3
ns3.saske.sk.		86400	IN	A	147.213.192.31
$ dig -t ns jinr.ru
;; ADDITIONAL SECTION:
ns1.jinr.ru.		44546	IN	A	159.93.17.7
ns2.jinr.ru.		44546	IN	A	159.93.14.7

/etc/sysconfig/network

NETWORKING=yes
HOSTNAME=alice     # alice.saske.sk

/etc/sysconfig/network-scripts/ifcfg-em1

DEVICE=em1
NM_CONTROLLED=yes    # if 'no', NetworkManager will ignore this connection/device (default 'yes')
HWADDR=AA:BB:CC:DD:EE:FF
ONBOOT=yes
IPADDR=147.213.X.X
NETMASK=255.255.255.0
GATEWAY=147.213.X.1
DNS1=147.213.192.3
DNS2=147.213.196.3
# PEERDNS=no          # don't modify /etc/resolv.conf file

/etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifcfg-rh     # read and write configuration from the standard /etc/sysconfig/network-scripts/ifcfg-em1 file
  • The link between the old network (disabled) and the new NetworkManager (enabled) service is made with plugins=ifcfg-rh and the NM_CONTROLLED=yes parameter
  • NetworkManager also comes with the nmcli command-line utility and the nm-tool tool
  • The /etc/sysconfig/networking/ directory is used by the Network Administration Tool (system-config-network) and its contents should not be edited manually

Services and Daemons

  • Although it is still possible to use the chkconfig and service utilities to manage services that have init scripts installed in the /etc/rc.d/init.d/ directory, it is advised that you use the systemctl utility
$ systemctl stop NetworkManager.service
$ systemctl disable NetworkManager.service
$ chkconfig --levels 35 network on            # obsolete (not preferred) way
$ service network start                       # obsolete (not preferred) way
  • systemctl controls the systemd system and service manager, which uses service files located in /usr/lib/systemd/system/ for services, and /etc/systemd/system/ for configuration
$ systemctl
$ systemctl action service_name.service       # action = enable, disable, start, stop, restart, is-enabled, is-active, status, cat
$ systemctl list-units --type=service
$ systemctl status chronyd.service

$ systemctl enable mariadb.service
$ systemctl start mariadb.service     # /var/log/mariadb/   (750, mysql:mysql)
Created symlink '/etc/systemd/system/mysql.service' → '/usr/lib/systemd/system/mariadb.service'.
Created symlink '/etc/systemd/system/mysqld.service' → '/usr/lib/systemd/system/mariadb.service'.
Created symlink '/etc/systemd/system/multi-user.target.wants/mariadb.service' → '/usr/lib/systemd/system/mariadb.service'.
$ systemctl enable httpd.service
$ systemctl start httpd.service       # /var/log/httpd/   (700, root:root)
Created symlink '/etc/systemd/system/multi-user.target.wants/httpd.service' → '/usr/lib/systemd/system/httpd.service'.
  • TRIM Support (SSD disks)
$ systemctl enable fstrim.timer
$ systemctl cat fstrim.timer
  • user mask service
$ systemctl --user mask any.service
Created symlink /home/musinsky/.config/systemd/user/any.service → /dev/null.
sshd

NOTE The scp program originally used the SCP protocol, which is now outdated and no longer recommended. Today the SFTP protocol, i.e. the sftp program, is used instead of SCP. Since OpenSSH 9.0 (2022-04-08) the scp program also uses (by default) the recommended SFTP protocol.

  • /etc/ssh/sshd_config
PermitRootLogin no     # disable root access
PermitRootLogin prohibit-password   # alternative: root login with keys only (without-password is the deprecated alias)
  • /etc/motd

message of the day with ASCII Text Signature Generator (standard font + kerning) or with FIGlet program figlet -k alice

figlet -k $(hostname -s) > /etc/motd

Warning: problem with "passwordless" login on CentOS Stream release 8

$ tail /var/log/secure
Jan 24 17:27:43 old-work sshd[3696]: Authentication refused: bad ownership or modes for directory /home/musinsky
$ ls -l -d /home/musinsky
drwx------. 22 musinsky musinsky 12288 Jan 24 17:09 /home/musinsky   # (access 0700) Fedora 37, OK
drwxrwxr-x.  7 musinsky musinsky 4096  Jan 24 17:10 /home/musinsky   # (access 0775) CentOS Stream 8, problem

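Change the /home/musinsky directory permissions to 755 (or 700), but not 775. With StrictModes enabled (the default), sshd refuses public key authentication when the home directory is writable by group or others.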
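
A way to find the path behind "bad ownership or modes" before sshd logs it, written as an added example that is not part of the original notes. It approximates the StrictModes walk from the key file up to the home directory; the function names is_secure and check_ssh_path are made up for illustration.

```shell
#!/bin/sh
# Added example: approximates the ownership/mode walk that sshd performs with
# StrictModes enabled, from the key file up to the home directory.
# Unlike sshd, it reports every offending path instead of stopping at the first.

# is_secure PATH OWNER: PATH exists, belongs to OWNER (name or uid) or to
# uid 0, and is not group- or world-writable.
is_secure() {
    # POSIX find; -prune stops it descending, so only PATH itself is tested
    owned=$(find "$1" -prune \( -user "$2" -o -user 0 \) 2>/dev/null)
    loose=$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)
    [ -n "$owned" ] && [ -z "$loose" ]
}

# check_ssh_path OWNER HOME FILE
# Tests FILE and each parent directory up to and including HOME.
# HOME must be given without a trailing slash.
# Prints "insecure: PATH" per finding (also for a missing path), returns 1 if any.
check_ssh_path() {
    user=$1 home=$2 path=$3 bad=0
    while :; do
        if ! is_secure "$path" "$user"; then
            printf 'insecure: %s\n' "$path"
            bad=1
        fi
        [ "$path" = "$home" ] && break
        parent=$(dirname "$path")
        [ "$parent" = "$path" ] && break    # reached / without meeting HOME
        path=$parent
    done
    return $bad
}

# Usage: sh check-ssh-path.sh musinsky /home/musinsky /home/musinsky/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
    check_ssh_path "$1" "$2" "$3"
fi
```

For the CentOS Stream 8 case above (home directory with mode 0775) it prints the home directory as the only insecure path.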

vsftpd

/etc/vsftpd/vsftpd.conf

anonymous_enable=NO

listen=YES
# listen_ipv6=YES
user LS_COLORS

see /etc/DIR_COLORS

export LS_COLORS="$LS_COLORS:di=01;30"
user and autostart applications
  • disable evolution services
$ systemctl --user list-unit-files | grep evolution
$ systemctl --user mask evolution-addressbook-factory.service evolution-calendar-factory.service evolution-source-registry.service evolution-user-prompter.service
  • disable autostart desktop application

/etc/xdg/autostart/

I need to disable e.g. "migrates user settings from GConf to dconf"; after deleting the file with rm /etc/xdg/autostart/gsettings-data-convert.desktop the application simply does not start at all. However, this is only a "temporary" solution, since after an update (or some other change) the system may generate this file again.

The Desktop Application Autostart Specification recommends "when the .desktop file has the Hidden key set to true, the .desktop file MUST be ignored". But so that the system does not overwrite this file (including the Hidden key) after some time (e.g. an update), we copy the file to $XDG_CONFIG_HOME/autostart/ = ~/.config/autostart/. We then add the Hidden=true key to the copied file.

$ cp /etc/xdg/autostart/gsettings-data-convert.desktop ~/.config/autostart/
$ echo -e "Hidden=true" >> ~/.config/autostart/gsettings-data-convert.desktop
  • disable GNOME Tracker (desktop autostart application)

/etc/xdg/autostart/tracker-{extract,miner-apps,miner-fs,miner-rss,store}.desktop

The individual applications can be disabled with the Hidden=true key (or simply by deleting the files, but that is only a temporary solution). The tracker itself will still run, but it will not index anything. The simplest approach is to disable the tracker services completely; it will not be started and therefore will not index either (the tracker package cannot be uninstalled from the system !!! on F31 this is now possible !!!).

$ systemctl --user list-unit-files | grep tracker
$ systemctl --user mask tracker-extract-3.service tracker-miner-fs-3.service tracker-miner-fs-control-3.service tracker-miner-rss-3.service tracker-writeback-3.service tracker-xdg-portal-3.service
2024-08

https://github.com/Lennart1978/servicemaster

FirewallD

default settings (for all zones) in directory /usr/lib/firewalld/zones/

$ firewall-cmd --get-default-zone
FedoraWorkstation
$ firewall-cmd --set-default-zone=FedoraServer
$ dnf install cockpit # must be installed
$ firewall-cmd --permanent --zone=FedoraServer --add-service=http     # modify (or create) file /etc/firewalld/zones/FedoraServer.xml
$ firewall-cmd --permanent --zone=FedoraServer --add-service=ftp

$ firewall-cmd --permanent --zone=FedoraServer --add-port=5555/tcp
$ firewall-cmd --permanent --zone=FedoraServer --add-port=5556/tcp

$ firewall-cmd --permanent --zone=FedoraServer --add-port=1714-1764/tcp
$ firewall-cmd --permanent --zone=FedoraServer --add-port=1714-1764/udp

$ firewall-cmd --reload
$ firewall-cmd --get-services     # list of all supported services
$ firewall-cmd --list-all-zones
$ firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
$ firewall-cmd --get-active-zones
FedoraServer
  interfaces: eno1
$ firewall-cmd --zone=external --change-interface=em1
external: em1
$ firewall-cmd --zone=external --list-all
$ firewall-cmd --zone=external --add-port=1234/tcp
$ firewall-cmd --zone=external --remove-port=1234/tcp
# allow IP address
$ firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="159.93.0.0/16" port protocol="tcp" port="7503" accept'

$ firewall-cmd --zone=external --add-rich-rule='rule family="ipv4" source address="147.213.192.75" accept'
# port forwarding
$ firewall-cmd --permanent --zone=FedoraServer --add-forward-port=port=443:proto=tcp:toport=7503
$ firewall-cmd --permanent --zone=FedoraServer --add-port=443/tcp

$ firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=4321:toaddr=10.0.0.1