Debian upgrade on the server – step 2

Next step: Bookworm to Trixie. Went without issues with the base system as usual, the configuration needed to be updated only for two packages:

Apache2 needed to be changed back from GnuTLS to mod_ssl, because GnuTLS is not supported anymore. It was simple, just playing with mods-enabled, and changing 3 configuration keywords (GnuTLSEnable to SSLEngine, GnuTLSCertificateFile to SSLCertificateFile and GnuTLSKeyFile to SSLCertificateKeyFile) but keeping the values.
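The keyword change described above, as an added example that is not the author's own script: it renames the three directives and then lists any other GnuTLS directives that still need a manual decision. The virtual host content, paths and the GnuTLSPriorities line are constructed sample input.

```shell
#!/bin/sh
# Added example, not the author's script. The vhost below is constructed sample input.

# Rename the three mod_gnutls keywords from the post to their mod_ssl
# counterparts; the values are left untouched. Reads stdin, writes stdout.
# Matching is case-sensitive and expects the usual CamelCase spelling.
migrate_gnutls() {
    sed -E \
        -e 's/^([[:space:]]*)GnuTLSEnable([[:space:]])/\1SSLEngine\2/' \
        -e 's/^([[:space:]]*)GnuTLSCertificateFile([[:space:]])/\1SSLCertificateFile\2/' \
        -e 's/^([[:space:]]*)GnuTLSKeyFile([[:space:]])/\1SSLCertificateKeyFile\2/'
}

# List any GnuTLS* directives still present (with line numbers). Apache rejects
# them as invalid commands once mod_gnutls is disabled.
leftover_gnutls() {
    grep -niE '^[[:space:]]*GnuTLS[A-Za-z]+' || true
}

SAMPLE_VHOST='<VirtualHost *:443>
    ServerName www.example.org
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/ssl/certs/example.pem
    GnuTLSKeyFile /etc/ssl/private/example.key
</VirtualHost>'

converted=$(printf '%s\n' "$SAMPLE_VHOST" | migrate_gnutls)
printf '%s\n' "$converted"
echo "--- still to translate by hand:"
printf '%s\n' "$converted" | leftover_gnutls

# Module switch on Debian, run as root (shown here, not executed):
#   a2dismod gnutls && a2enmod ssl && apache2ctl configtest
```

A leftover such as GnuTLSPriorities has no keyword-for-keyword replacement: under mod_ssl the protocol and cipher policy is set with SSLProtocol and SSLCipherSuite, so check which policy the site ends up with after the switch.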

On the other hand dovecot was a bit more work as the structure of the configuration file changed, more specifically the mailbox location: previously it was defined in one string, now there are 3-4 separate values.

The big issue, however, was again MediaWiki. As the Parsoid site states: “Parsoid is incompatible with the current MediaWiki release (1.45) if PHP 8.4+ is used.” Thank you. 😀 The solution: installing php8.3 from the sury repository and in the virtual host section of the mediawiki site setting the php8.3-fpm as the handler for the php files.

Debian upgrade on the server – step 1

I have been planning for some time now to finally upgrade all Linux systems to Trixie. Yesterday I got around to doing it on my server. To my surprise, it was still running Bullseye so first I had to upgrade to Bookworm. Just do the usual:

# apt-get update
# apt-get upgrade

Afterwards all the standard things were working properly, no adjustment needed. I’m a bit surprised that the munin execution time increased. Also the overall load is a bit higher, but I can expect that from a new system.

For those who don’t understand what I’m talking about: see Debian release version history on Wikipedia. 🙂

The only issue I had was with my web services. WordPress seems to work fine, but both mediawiki and roundcube were throwing internal server errors. Mediawiki was at version 1.32 from 2019, so I can say it is my fault. I tried to upgrade to 1.45, but the web-based upgrade was throwing a lot of errors. Then I read the manual (read me first – LOL) – it turned out 1.32 is too old, so I did the upgrade in two stages: from 1.32 to 1.38 and then 1.38 to 1.45. Was more or less ok, but I had to manually tweak the update scripts, more specifically the SQL commands in the .sql files, because the scripts wanted to drop tables or indexes that didn’t exist or update tables with commands having syntax errors. Also needed to update the LocalSettings.php, but the Manual:Upgrading page in the Mediawiki documentation describes these.

Update: roundcube actually works, the internal server error was caused by a mistake I made in the configuration file, not putting a string setting in quotes. It was already there for years, triggering warnings in the log stating that in the future it will cause an error. I cannot say I have not been warned.

Dual-boot

Note to self: after update sometimes Windows disappears from the grub boot menu. To put it back, just edit /etc/default/grub and add the line

GRUB_DISABLE_OS_PROBER=false

And then just run

# update-grub

That should put Windows back in the list. By the way, if os-prober is disabled, update-grub will warn you.

Debian update – continued

Since I was already updating the server, I thought I’d install munin as well. I used munin 20 years ago at the dormitory and I realized why I liked it. 🙂 Anyway, while I was installing and checking, I saw that apache started to max out the CPU. After experimenting with it for a while, it turned out that somehow it is related to HTTPS and mod_gnutls. It turned out that I was not the only one with this problem:

Debian Bug report logs – #942737
libapache2-mod-gnutls: mod_gnutls consumes 100% cpu

So one more thing in the server maintenance backlog…

Debian update

Finally I found some time to update the vanyi.org server. The first step: move from Debian Stretch to Buster, before the support expires in June 2022. The update was quite uneventful:
# apt-get update
# apt-get dist-upgrade

I’m still checking, but it looks like only 3 things needed manual update in configuration:

  • dovecot (IMAP server)
  • apache
  • ejabberd

Dovecot replaced ssl_parameters with ssl_dh. To fix the configuration I just followed this page. Actually quite simple. First create a dh.pem (can take several minutes, which was at least half an hour in my case):
# openssl dhparam -out /etc/dovecot/dh.pem 4096
Then you need to update /etc/dovecot/dovecot.conf:
ssl_dh=</etc/dovecot/dh.pem
After a restart dovecot works again.

For apache it is even easier, as it is documented on this page. Just enable the socache_dbm module:
# a2enmod socache_dbm

For ejabberd I have not had the time yet.

Running Viber on Debian 10

Usually I work, browse, email on a PC and not on a smartphone. However I use Viber and I had it only on the phone. As there is a PC version, I thought I’d give it a try. On the download page there is of course the Windows version, but there are also two packages for Linux: one .deb for Ubuntu and one .rpm for Fedora. I tried to install the .deb, but it has some dependencies on an older libssl. So what I did, I just unpacked it with
dpkg -x viber.deb out/
and then manually moved to /opt. When trying to start I got some error message that I could not interpret, but using strace to figure out, what was going on, I saw that some libraries were missing. Installing them solved the issue:
apt-get install libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-randr0 libxcb-render-util0 libxcb-xkb1 libxkbcommon-x11-0
Now it runs, and seems to be working.

Debian Linux on a HP 250 G7

After several years the time has come to replace our aging Thinkpad Edge330. Our choice was a HP 250 G7 with Core i7, 512GB SSD and 16GB RAM. Regarding the OS, there was no question: Debian. At the time of installing it was Debian 10 (“buster”). Below some points regarding the installation:

  1. Installation worked out of the box, even with SecureBoot enabled, no problems with the netinst image, with two exceptions:
    • Wireless LAN is not working (Realtek RTL8821CE)
    • Brightness control keys are not working
  2. There is a solution for the wireless driver, works as described on several forums:
    • install the tools:
      apt-get install git dkms build-essential
    • get the source:
      git clone https://github.com/tomaspinho/rtl8821ce
    • build the kernel module:
      cd rtl8821ce
      chmod +x dkms-install.sh
      chmod +x dkms-remove.sh
      ./dkms-install.sh
  3. To keep using SecureBoot the driver must be signed as described on https://wiki.debian.org/SecureBoot. Otherwise you get the following error message:
    Apr 24 22:58:55 hp250 kernel: [ 3762.662396] Lockdown: Loading of unsigned modules is restricted; see https://wiki.debian.org/SecureBoot
    You can disable SecureBoot so it will work with the following warning in the kernel log:
    Apr 25 13:22:40 hp250 kernel: [ 3.402154] 8821ce: loading out-of-tree module taints kernel.
    Apr 25 13:22:40 hp250 kernel: [ 3.402917] 8821ce: module verification failed: signature and/or required key missing - tainting kernel

    I suggest signing the driver, it can be done quickly based on the instructions in the Debian Wiki.
  4. Brightness control works via power settings, or via the battery icon, for the keys I’m looking for a solution. In the kernel log I see these error messages:

Some further notes:
$ lspci
00:00.0 Host bridge: Intel Corporation Device 3e34 (rev 0c)
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics 620 (Whiskey Lake) (rev 02)
00:04.0 Signal processing controller: Intel Corporation Skylake Processor Thermal Subsystem (rev 0c)
00:08.0 System peripheral: Intel Corporation Skylake Gaussian Mixture Model
00:12.0 Signal processing controller: Intel Corporation Cannon Point-LP Thermal Controller (rev 30)
00:14.0 USB controller: Intel Corporation Cannon Point-LP USB 3.1 xHCI Controller (rev 30)
00:14.2 RAM memory: Intel Corporation Cannon Point-LP Shared SRAM (rev 30)
00:16.0 Communication controller: Intel Corporation Cannon Point-LP MEI Controller (rev 30)
00:17.0 RAID bus controller: Intel Corporation 82801 Mobile SATA Controller [RAID mode] (rev 30)
00:1d.0 PCI bridge: Intel Corporation Cannon Point-LP PCI Express Root Port (rev f0)
00:1d.1 PCI bridge: Intel Corporation Device 9db1 (rev f0)
00:1d.4 PCI bridge: Intel Corporation Device 9db4 (rev f0)
00:1f.0 ISA bridge: Intel Corporation Cannon Point-LP LPC Controller (rev 30)
00:1f.3 Audio device: Intel Corporation Cannon Point-LP High Definition Audio Controller (rev 30)
00:1f.4 SMBus: Intel Corporation Cannon Point-LP SMBus Controller (rev 30)
00:1f.5 Serial bus controller [0c80]: Intel Corporation Cannon Point-LP SPI Controller (rev 30)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
02:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
03:00.0 Non-Volatile memory controller: Sandisk Corp WD Black 2018/PC SN520 NVMe SSD (rev 01)
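
For the SecureBoot point in step 3 above, a pre-reboot check, added here as an example that is not part of the original post: it tests whether a built .ko carries an appended signature and classifies the two kinds of kernel log output quoted in the post. The function names and the placeholder module files are assumptions made for the example; the log lines are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the post. Function names are hypothetical.

# A signed .ko ends with this marker followed by a newline (28 bytes in total).
# Compressed modules (.ko.xz, .ko.zst) must be decompressed before checking.
SIG_MARKER='~Module signature appended~'

# module_sig_state FILE -> prints "signed" or "unsigned"
module_sig_state() {
    # tr drops NUL bytes so the shell can hold the binary tail in a variable
    if [ "$(tail -c 28 "$1" | tr -d '\000')" = "$SIG_MARKER" ]; then
        echo signed
    else
        echo unsigned
    fi
}

# kmsg_verdict MODULE -> reads kernel log lines on stdin and prints
#   blocked  lockdown refused an unsigned module (SecureBoot on)
#   tainted  MODULE was loaded without a valid signature (SecureBoot off)
#   clean    neither message is present
# The lockdown message does not name the module, so "blocked" is log-wide.
kmsg_verdict() {
    awk -v m="$1" '
        /Lockdown: Loading of unsigned modules is restricted/ { blocked = 1 }
        index($0, m ": module verification failed") { tainted = 1 }
        END { print (blocked ? "blocked" : (tainted ? "tainted" : "clean")) }'
}

# Kernel log lines as quoted in the post
LOG_SECUREBOOT_ON='Apr 24 22:58:55 hp250 kernel: [ 3762.662396] Lockdown: Loading of unsigned modules is restricted; see https://wiki.debian.org/SecureBoot'
LOG_SECUREBOOT_OFF='Apr 25 13:22:40 hp250 kernel: [ 3.402154] 8821ce: loading out-of-tree module taints kernel.
Apr 25 13:22:40 hp250 kernel: [ 3.402917] 8821ce: module verification failed: signature and/or required key missing - tainting kernel'

# Constructed placeholder files standing in for an unsigned and a signed module
demo_module_check() {
    tmp=$(mktemp -d)
    printf 'ELF-placeholder' > "$tmp/unsigned.ko"
    printf 'ELF-placeholder<sig>~Module signature appended~\n' > "$tmp/signed.ko"
    echo "$(module_sig_state "$tmp/unsigned.ko") $(module_sig_state "$tmp/signed.ko")"
    rm -rf "$tmp"
}

demo_module_check
printf '%s\n' "$LOG_SECUREBOOT_ON" | kmsg_verdict 8821ce
printf '%s\n' "$LOG_SECUREBOOT_OFF" | kmsg_verdict 8821ce
```

The marker only shows that a signature is attached; whether the kernel accepts it depends on the signing key being enrolled, and `modinfo -F signer` on the module shows which key signed it.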

XBMC and Natty

I also upgraded Ubuntu on our media PC. After the upgrade XBMC started to act strangely. When I tried to move up or down in the menu, it jumped two for each keypress. During the playback, sometimes the video froze for a fraction of the second, while the sound was continuing normally, then the video fast forwarded and caught up with the audio. The third issue was that the OSD wasn’t visible. It appeared for a quick moment, but then it disappeared. It was still there, but it wasn’t visible.