The officially official Devuan Forum!

#1 Re: Installation » [SOLVED] kernel command line from pkg hardening-runtime with bug » 2024-11-02 21:56:17

the hardening-runtime package is out-of-date and should be uninstalled.

in particular, the boot option kaslr no longer exists as kaslr is the
default. however, there is a 'nokaslr' kernel parameter:

nokaslr         [KNL,EARLY]
                When CONFIG_RANDOMIZE_BASE is set, this disables
                kernel and module base offset ASLR (Address Space
                Layout Randomization).

i have 6.10 kernel from backports and its boot options can be found here:
   https://www.kernel.org/doc/html/v6.10/a … tions.html

the 6.10 kernel params can be found here:
   https://www.kernel.org/doc/html/v6.10/a … eters.html

just change the kernel version in the above URLs to what your kernel is
and take a look.

a good, more up-to-date, hardening guide can be found here and here:
   https://wiki.archlinux.org/title/Hardening_Guides
   https://gist.github.com/dante-robinson/ … 87633ff8ca

additionally, page_poison is no longer recommended and should be replaced
with 'init_on_alloc=1 init_on_free=1' and, related to this, change to
slub_debug=ZF instead of slub_debug=FPZ

for reference, my personalised 'hardened' grub command line is:

   ipv6.disable=1 ia32_emulation=0 page_alloc.shuffle=1   \
   pti=on init_on_free=1 slab_nomerge slub_debug=ZF vsyscall=none"

on a practical note, hardening devuan/debian is really hard :-) so not
really worth it. the biggest weakness is the browser, not the kernel.
try to harden firefox (apparmor, firejail, VM) first.

if you are really motivated then check out the firefox hardening guides
such as arkenfox user.js. this involves a lot of work and is for the paranoid.

if you are really interested in hardening linux then try to make the
system read-only. that's a nice, long-term project. see alpine linux.
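
Added example (not part of the original post): a small shell check that applies the post's advice to a kernel command line. It flags the obsolete kaslr option, nokaslr, page_poison and the P flag in slub_debug, and notes when init_on_alloc=1 or init_on_free=1 is absent. The function name audit_cmdline and the sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a kernel command line against the post's advice.
# audit_cmdline is a hypothetical helper; SAMPLE_CMDLINE is constructed.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro kaslr page_poison=1 slub_debug=FPZ"

audit_cmdline() {
    # $1: a kernel command line, e.g. "$(cat /proc/cmdline)"
    has_alloc=0
    has_free=0
    set -f                      # no glob expansion while word-splitting $1
    for param in $1; do
        case "$param" in
            kaslr)
                echo "REMOVE kaslr: option no longer exists, KASLR is the default" ;;
            nokaslr)
                echo "WARN nokaslr: disables kernel and module base offset ASLR" ;;
            page_poison|page_poison=*)
                echo "REPLACE $param: use init_on_alloc=1 init_on_free=1" ;;
            slub_debug=*)
                flags=${param#slub_debug=}
                flags=${flags%%,*}      # drop an optional ,slab-name suffix
                case "$flags" in
                    # P is the poisoning flag; the post moves from FPZ to ZF
                    *P*) echo "REPLACE $param: use slub_debug=ZF" ;;
                esac ;;
            init_on_alloc=1) has_alloc=1 ;;
            init_on_free=1)  has_free=1 ;;
        esac
    done
    set +f
    [ "$has_alloc" -eq 1 ] || echo "ABSENT init_on_alloc=1"
    [ "$has_free" -eq 1 ]  || echo "ABSENT init_on_free=1"
}

# Audit the argument if given, otherwise the constructed sample line.
audit_cmdline "${1:-$SAMPLE_CMDLINE}"
```

To audit the running system, pass the live command line as the argument: "$(cat /proc/cmdline)".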

#2 Re: Other Issues » [SOLVED] changing the size of udev filesystem on /dev » 2024-10-28 05:49:04

thank you ralph.ronnquist.  this works.  i like this solution: if there is no 'knob' to adjust then make one!

#3 Other Issues » [SOLVED] changing the size of udev filesystem on /dev » 2024-10-27 20:20:11

grunchy
Replies: 2

i cannot find the config file or setting used to specify the size of /dev

currently /dev is set to 50% of physical memory. there is nothing in
/etc/defaults or /lib/init and only a remount in /etc/init.d/eudev, which
specifies a variable setting: tmpfs_size="10M" (so that ain't it)

nothing appears in /var/log/boot

where could this setting/config be coming from?
seems odd that it would be hard-coded and not documented.

#4 Re: Desktop and Multimedia » PulseAudio always resets to mute » 2024-07-13 20:38:36

thanks fsmithred! forum search led me here.

the IDTYPE=RANDOM was the problem for me. comment-out this line and machine_id
remains stable across boots.

this change keeps pulseaudio stable with no build-up of junk files in ~/.config/pulse.
it also keeps the ~/.dbus/session-bus/ directory clean as well, which is welcome.

i had scripts to handle the build-up of junk files in these two dirs, which have now been deleted.

FYI, after making the above change i came across this blog post, which adds a little more info:

https://kelar.org/~bandali/blog/pacify.html

#5 Other Issues » KDE login oddity » 2024-05-05 21:24:09

grunchy
Replies: 1

am running daedalus+KDE and there is an odd behavior i would like
to understand better.

the KDE login screen has several 'buttons' in addition to the password-box:
   sleep, hibernate, restart, shutdown

these buttons are non-functional on my computer but are working in a QEMU
VM (daedalus+KDE)

KDE login uses sddm (and sddm-helper)

i am guessing this problem has something to do with init (boot-time). so,
testing this idea, i added a delay to /etc/init.d/sddm just before the
"call do_start_cmd"

after adding this delay the login-screen buttons became functional.

testing on this computer shows i need approx 250 millisecond delay to get
these buttons to become functional. 200 milliseconds is not enough.

i would like to know how to determine what sddm is waiting on. how does one
debug timing-related issues like this?

#6 Re: Installation » [SOLVED] Firefox and Firefox Nightly repos in Synaptic . . » 2024-04-06 21:28:41

hello, i realize i am a little late to this thread, but i use the mozilla apt repo to keep up-to-date
with the latest firefox. it moves quickly, so whenever i want to get up-to-date, my recipe is:

apt-mark unhold firefox
apt update 
apt-mark hold firefox

go here for the step-by-step

https://support.mozilla.org/en-US/kb/in … tributions

in sum, you need to add mozilla signing key, add moz apt repo to /etc/apt/sources.list.d
and prioritize moz repo with pin-priority: 1000 in /etc/apt/preferences.d/mozilla

#7 Re: Hardware & System Configuration » [SOLVED] no time service » 2024-03-10 01:26:43

thanks for the help/advice everyone! i got it sorted now. i only need a NTP client as there is
an NTP server on my lan. chrony installed without issue. added "-4" flag to /etc/default/chrony
and the server ip to /etc/chrony/chrony.conf and rebooted. 'chronyc tracking' shows things
as working as desired.

the first time chrony started-up and did a sync it adjusted the system clock by 30 seconds!
my mobo realtime clock must drift a lot.

#8 Hardware & System Configuration » [SOLVED] no time service » 2024-03-07 22:30:12

grunchy
Replies: 8

i have two installs of devuan daedalus+kde: qemu VM and bare-metal.

the VM was updated over existing install going back to ascii. the bare-metal
devuan was a fresh install.

i cannot find any timekeeping service running on either: no ntpd, ntpsec,
chrony, timedatectl. nothing

how is timekeeping done?

what is standard practice (if any) for timekeeping?

my thought is to install chrony+timedatectl but maybe something else is preferred?

#9 Re: Other Issues » disable ModemManager » 2024-02-24 20:53:24

so i found something. not perfect, but better than nothing.

it turns out ModemManager is started by (everyone's favorite) dbus.

the directory /usr/share/dbus-1/system-services contains systemd .service files.
at init-time dbus scans this directory and starts all the listed services.

i did not find documentation about the function of this directory, so it does
appear to just be baked-in to debian. this setup must be documented somewhere
but i did not find out where.

to disable ModemManager just rename the appropriate file so that it gets ignored.

so, rename /usr/share/dbus-1/system-services/org.freedesktop.ModemManager1.service
to /usr/share/dbus-1/system-services/org.freedesktop.ModemManager1.service.disabled

the only catch is that if dbus/ModemManager ever get updated this change probably
gets stomped-on and needs to be redone. but, since an update is very unlikely until
devuan excalibur rolls around, not too bad.

#10 Re: Other Issues » disable ModemManager » 2024-02-20 18:21:24

glenn, yeah i can just purge the package, but was hoping to merely disable it.

there must be something somewhere that instructs init to start this process,
i just cannot find it. i guess purging packages is the usual way in devuan?

swanson, thanks for the clue. sysv-rc-conf is very helpful. the command-line
dump gives a good, condensed view of init-time.

#11 Other Issues » disable ModemManager » 2024-02-18 22:46:25

grunchy
Replies: 5

running daedalus+kde and pstree shows the very first process created by init is ModemManager.
my devuan machine will never need the services of ModemManager and i would like to disable it.

ModemManager is not a 'service' , is not an XDG 'autostart', is not a KDE 'autostart'. it seems to
be baked-in. on my kubuntu box systemd has ModemManager 'masked' so that it never starts.

in devuan how do you stop/disable ModemManager?

#12 Re: Hardware & System Configuration » switch to schedutil governor » 2024-01-13 22:00:47

well, after much reading and fumbling around, i now understand what is happening.

mostly, i mis-read the doc :-(

amd-pstate leverages the Linux kernel governors such as schedutil, ondemand, etc. to manage the performance hints which are provided by CPPC hardware functionality that internally follows the hardware specification (for details refer to AMD64 Architecture Programmer's Manual

it's all explained here: https://docs.kernel.org/admin-guide/pm/amd-pstate.html

i wanted to try out this new amd-pstate-epp driver to see what advantages it offers over the default
ACPI stuff. there are lots of tunables in the ACPI. there are no tunables in amd-pstate-epp - it is all
handled by the firmware. so, in sum, you cannot change the cpufreq governors in amd-pstate-epp.
oops!

primarily, the amd-pstate-epp driver lets the cores idle at 400MHz rather than 2.2GHz in ACPI-mode.
this is desirable for always-on machines. you can provide a 'hint' to EPP if you want, but the choice is
either powersave or performance and, as i discovered, powersave does not really do much beyond
the 400MHz idle freq, so performance (the default) hint it is.

in order to 'activate' this driver you need to change the BIOS and enable 'ACPI CPPC'

on my MSI BIOS, i made two changes:
   Overclocking -> AMD CBS -> Global C-state Control: Auto -> Enable
   Overclocking -> AMD CBS -> CPPC CTRL: Auto -> Enable

#13 Hardware & System Configuration » switch to schedutil governor » 2024-01-07 19:37:27

grunchy
Replies: 4

i would like to use schedutil cpu frequency governor for my computer
but cannot. there must be something i am missing, but i do not know
what.

computer has ryzen 5700g and the 6.5 kernel from daedalus-backports
so that amd-pstate-epp driver is being used.

checking the kernel config, i see SCHEDUTIL is built-in:

> grep CPU_FREQ /boot/config-$(uname -r)   
   ...
CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL=y
CONFIG_CPU_FREQ_GOV_PERFORMANCE=y
CONFIG_CPU_FREQ_GOV_POWERSAVE=m
CONFIG_CPU_FREQ_GOV_USERSPACE=m
CONFIG_CPU_FREQ_GOV_ONDEMAND=m
CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m
CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y

list of loadable kernel modules checks out:

> ls -l /lib/modules/6.5.0-0.deb12.4-amd64/kernel/drivers/cpufreq   
   ...
-rw-r--r-- 1 root root 22899 Nov 23 15:05 cpufreq_conservative.ko
-rw-r--r-- 1 root root 33531 Nov 23 15:05 cpufreq_ondemand.ko
-rw-r--r-- 1 root root  9539 Nov 23 15:05 cpufreq_powersave.ko
-rw-r--r-- 1 root root 18123 Nov 23 15:05 cpufreq_userspace.ko

list of available drivers is not what i expected:

> cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors
performance powersave

cpupower also not what i expected:

> cpupower frequency-info
analyzing CPU 11:
  driver: amd-pstate-epp
  CPUs which run at the same hardware frequency: 11
  CPUs which need to have their frequency coordinated by software: 11
  maximum transition latency:  Cannot determine or is not supported.
  hardware limits: 400 MHz - 4.67 GHz
  available cpufreq governors: performance powersave
  current policy: frequency should be within 400 MHz and 4.67 GHz.
                  The governor "powersave" may decide which speed to use
                  within this range.
  current CPU frequency: Unable to call hardware
  current CPU frequency: 400 MHz (asserted by call to kernel)
  boost state support:
    Supported: yes
    Active: no

what needs to be done to switch to schedutil ?

#14 Re: Installation » netinstall and KDE » 2024-01-02 21:39:10

thanks GleenW - your suggestion replaced the white screen with a recognizable screen.
did not think to do the obvious thing.

i looked more carefully at this issue today. it looks to me that there is a mis-configuration here.

the "login screen (sddm)" settings page shows three entries: breeze, debian breeze and debian
breeze. the first entry "breeze" is selected but has not actually installed. i simply selected the
already-selected thing, clicked apply and the white screen was replaced. ¯\_(ツ)_/¯

the other two entries, which appear to be duplicates, are the white screens i complained about.
these entries, if they are not the same thing, should not be white screens but actual images.
this could be where the white screen is sourced. this must be a mis-configuration.

#15 Installation » netinstall and KDE » 2024-01-02 00:44:59

grunchy
Replies: 4

i want to share my recent experience installing devuan+KDE onto a small
form factor computer. this setup has a ryzen 5700G and an MSI B550 ITX
motherboard with a 1TB Samsung 970 PRO with an EFI partition. so, nothing
fancy and no GPU as the 5700G has built-in graphics.

this installation did not go well.

i tried to use the netinstall iso so that i could minimize the number
of packages to remove post-install. but i was unable to get netinstall
to work, it either failed to install or left an incomplete install.

the first netinstall errors i was able to get around. this mobo has
builtin wifi and bluetooth. the BIOS defaults to leaving them enabled.
netinstall would fail to install when wifi was enabled with an odd
message about /target, which i gather had something to do with
missing wifi firmware, although this bit was not mentioned. so, when
using netinstall you MUST disable wifi in BIOS or it will fail.

the BIOS also enables, by default, secure boot. in this BIOS the secure
boot setting is under 'windows setup', so it took me a while to find it.
with secure boot enabled, netinstall fails with an error message about
'shim-boot' or something. did not write this down. after disabling
secure boot in BIOS netinstall was able to install a base system, no
DE was installed.

whew!

but i want KDE for my DE, so after login, i installed the minimal KDE
package via: apt install kde-plasma-desktop.

all packages were installed, no errors were produced. but, after
reboot, i could not login. the sddm greeter would not accept my password.
the greeter screen looks _nothing_ like i see in the two devuan VM's
i have. the greeter screen is all white with a small 'password' box,
so sddm has been incompletely installed or mis-configured. i could
not figure out what the problem was.

as an experiment, i installed the xfce desktop via netinstall and
everything worked as expected. so then i installed KDE and selected
slim as the greeter instead of sddm. this change allowed me to login
but the screen was locked to 1024x768 and xrandr refused to run.
as i use a 4K monitor (old man, bad eyes) this result was no good.

at this point i gave up on netinstall. too many problems and i did
not want to spend any more time chasing them down.

so i went with 'live' iso install. this went smoothly, although it
loads up on packages that i do not want. after login i installed
KDE, selected sddm as greeter, and rebooted. this time i was able
to get my password recognized, the 4K monitor was recognized and
i was able to remove xfce, emacs and libreoffice. btw, was not
expecting emacs! the only problem is the sddm greeter screen is
all white with a tiny password box, not the usual stuff that appears,
so something is still misconfigured but i have no idea what.

i will say that installing devuan+KDE into a QEMU VM is a helluva
smoother process than bare-metal install.
