Linux Tips & Tricks on openSUSE Leap 15 and Tumbleweed
On this page I summarize things I had to research to make them work. That way others might find something handy to solve a similar problem without having to do extensive research on their own.
Be advised that this is not a forum for discussing a problem - just a compendium of Tips & Tricks for your convenience. What I put down here worked for me. That does not mean it will work for you.
It's just another list of things you might want to try out. Use at your own risk without any guarantees whatsoever - this is more a scrapbook for me that I share with others.
To make these pages usable for a wide audience, they are completely in English.
Currently this all refers to an openSUSE Leap 15.3, 15.4 and Tumbleweed installation. However, some of these tips will also work with Ubuntu and other distros, or give a hint where to start.
- Content:
- 1. Convert MBR to uEFI - openSUSE Linux Leap 15.3
- 1a. Re-Install uEFI after e.g. a BIOS update
- 1b. Remove an "accidental" windows install into your Linux uEFI
- 2. Sound Blaster Z SE (Sound Core3D [Sound Blaster Recon3D / Z-Series] (SB1570)
- 3. Stop auto updater (PackageKit) widget in KDE
- 4. Set time of HP printers via cron script
- 5. Re-Compile NVidia drivers for older kernel
- 6. 90s wait at shutdown/reboot because of scdaemon
- 7. Update Leap 15.3 -> 15.4: bind does not work anymore
- 8. Update Leap 15.3 -> 15.4: php-fpm and AppArmor
- 9. Update Leap 15.3 -> 15.4: Re-install certbot
- 10. Enable ClearView Fonts with WINE
- 10a. Update to fonts and font sizes
- 10b. Mouse cursor themes - setting does not change for all
- 11. Run CS:GO with openSUSE
- 12. Kernel 6.2.1 with lockdown of unsigned kernel modules and secure boot
- 13. Zypper: force a mirror if downloads are lame
- 14. Make a "Pi-Hole" without a Raspberry Pi but with your own DNS (BIND 9)
Convert MBR to uEFI without data loss
- Convert MBR to uEFI - openSUSE Linux Leap 15.3
-
If you, like me, have had a computer for a very long time and could finally use EFI after upgrading, you have to change your installation from MBR boot to uEFI boot. This is possible by a new installation, or by migrating to uEFI without data loss.
Here are the instructions for download - CHECK FIRST
-
- Read the kernel parameter line so that you can restore it later. You can do that with Yast.
- Check if "Grub2 efi" and "mokutil" are installed - if not, install them via Yast beforehand
- Further: we need a live system (only for using KDEpart) and a rescue system (to do the magic)
- The mount point /boot/efi can already be created with mkdir /boot/efi
- Definitions:
-
This tutorial assumes that the Linux disk is the second disk in the system (/dev/sdb), partition 1 is SWAP, partition 2 is the data partition.
- sdb1 remains untouched
- sdb2 is to be shrunk to create the efi partition as sdb3
- Basic procedure:
-
- Make space for the EFI partition (500MiB would be standard, less is also possible, but it should be at least 200KiB)
- Format it and
- extend fstab with the mount point
- let yast do its magic
- Tips:
-
Create two bootable USB sticks - one with the live OS and one with the rescue OS.
Put the downloaded ISOs on the USB sticks with balenaEtcher - it is available for Linux and Windows
- STEP 1: Reboot with Live-CD to make space with KDEpart
-
Since the disk to be adjusted is the system disk, creating space is not so easy. We need a live system or any other system that can access our disk. With any live Linux plus KDE you can do this quickly and easily, because we can use a graphical tool. You can also do this in the rescue system but you will then have to use a command line tool.
--> Free 500MiB at end of partition /dev/sdb2 with KDEPart
- STEP 2: Reboot with Rescue (already in EFI-Mode!!)
-
Then we need some commands to create the file system and change fstab for mounting it. Do not forget fstab or you will be doomed (na, just reboot with a rescue system...)
1: Create partition and change from MBR to GPT with gdisk (NOT fdisk!!!)
This will also convert your disk from MBR to GPT - which also means, that when writing the changes there is no way back!
gdisk /dev/sdb
n # new partition
type: EF00 (-> show with 'L') EFI System
c # give name, we can use that later
EFI-System
w # <-- now there is no turning back! MBR converted to GPT in this step!
q
2: read the partitions
partprobe /dev/sdb
3: create filesystem - if you do it with UUID or sdb3, you don't need the name
mkfs -t vfat -v /dev/disk/by-partlabel/EFI-System
4: mount system to mnt
mount /dev/sdb2 /mnt
5: create efi mountpoint in sdb2 (if not already done):
mkdir /mnt/boot/efi
6: and mount efi partition to it
mount /dev/sdb3 /mnt/boot/efi
7: now mount additional directories
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
8: start chroot environment - we are in our old system then:
chroot /mnt
mount -a # just in case
9: add EFI mountpoint in fstab - first line
ls -l /dev/disk/by-uuid # find out UUID of /dev/sdb3
mcedit /etc/fstab
UUID=A1B2-D3E4 /boot/efi vfat defaults 0 0
Do not forget to change the UUID to the correct value. Simply add this line at the top.
10: now change boot configuration in yast
yast
--> boot loader
tab bootcode
--> change to "GRUB2 for EFI"
--> X Secure Boot
--> X NVRam
--> protective MBR flag "no change"
Kernel parameters tab
--> resume=/dev/sdb1 nosplash noplymouth quiet # or whatever you need here!
--> graphics: choose resolution and theme
select "OK" and Yast does its magic.
11: finish up
exit yast
exit
shutdown -r now
- STEP 3: Test after reboot:
-
Remember: in the BIOS you should now have selected EFI boot mode for sdb - other modes will not work anymore!
Now test your efi after reboot:
efibootmgr -v
You should be on efi now...
Re-Install uEFI after e.g. a BIOS update
For uEFI and secure boot to work with openSUSE (Leap or Tumbleweed), the uEFI entry "opensuse-secureboot" must be selected in BIOS for boot. This will start SHIM, which might install keys and will then start GRUB.
After a BIOS update this entry was gone for me - and I have no idea why. Booting the entry "openSUSE" will not work with secure boot and will end up in GRUB rescue mode.
However, to get it back, there are some simple things you can do:
- First: change in BIOS to boot in BIOS/CSM mode
-
When you cannot boot "opensuse-secureboot", no secure boot is possible and GRUB will quit service. To get back into your installation, go into your BIOS and select CSM as your boot mode. There might be several places to look for it. With me this was in Advanced Options under Windows OS Configuration. There you have to select CSM mode.
After that you will be able to boot into your openSUSE installation via GRUB again.
- Second: re-install bootloader
-
When back in your openSUSE installation you can now re-install the boot with SHIM. Simply open a console and enter
sudo yast2 bootloader
That will display current settings of your openSUSE bootloader and re-install everything when exited with "OK". Make sure, that the following is selected:
GRUB2 for EFI
X Secure Boot support
X Support for Trusted Boot
X NVRAM
protective MBR flag
--> do not change
After this you can check the boot entries by calling sudo efibootmgr -v in the console. opensuse-secureboot should be the first selected entry now.
- Third: re-activate uEFI secure boot
-
Now reboot your machine and instantly enter BIOS again. There
- change back from CSM to UEFI
- go to the boot order selection and activate opensuse-secureboot
You should be done now!
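The check from the second step above (opensuse-secureboot should be the first selected entry), as an added shell example that is not part of the original page: it parses efibootmgr -v output and reports whether the first BootOrder entry is opensuse-secureboot. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): verify from `efibootmgr -v`
# output that the entry booted first is "opensuse-secureboot".

# Print the label of the entry listed first in BootOrder.
# Reads efibootmgr output on stdin; fails if BootOrder is missing or
# points at an entry that no longer exists (e.g. after a firmware update).
first_boot_label() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = substr($1, 5, 4)                    # "Boot0001*" -> "0001"
            line = $0
            sub(/^Boot[0-9A-Fa-f]+\*? +/, "", line)  # drop "Boot0001* "
            sub(/\t.*$/, "", line)                   # drop the device path
            label[id] = line
        }
        END {
            if (first == "" || !(first in label)) exit 1
            print label[first]
        }
    '
}

# Exit 0 if the first entry is the shim entry, 1 if it is something else,
# 2 if the first entry cannot be determined.
secureboot_is_first() {
    label=$(first_boot_label) || return 2
    [ "$label" = "opensuse-secureboot" ]
}

# Constructed sample: state after yast2 bootloader re-installed everything.
sample_good() {
    printf '%s\n' 'BootCurrent: 0001' 'Timeout: 1 seconds' 'BootOrder: 0001,0000,0002'
    printf '%s\t%s\n' \
        'Boot0000* openSUSE' 'HD(3,GPT,constructed)/File(\EFI\opensuse\grubx64.efi)' \
        'Boot0001* opensuse-secureboot' 'HD(3,GPT,constructed)/File(\EFI\opensuse\shim.efi)' \
        'Boot0002* Windows Boot Manager' 'HD(1,GPT,constructed)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'
}

# Constructed sample: the secure boot entry is gone after a BIOS update.
sample_after_bios_update() {
    printf '%s\n' 'BootCurrent: 0000' 'Timeout: 1 seconds' 'BootOrder: 0000,0002'
    printf '%s\t%s\n' \
        'Boot0000* openSUSE' 'HD(3,GPT,constructed)/File(\EFI\opensuse\grubx64.efi)' \
        'Boot0002* Windows Boot Manager' 'HD(1,GPT,constructed)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'
}

# Constructed sample: BootOrder still names an entry that no longer exists.
sample_stale() {
    printf '%s\n' 'BootCurrent: 0000' 'BootOrder: 0001,0000'
    printf '%s\t%s\n' \
        'Boot0000* openSUSE' 'HD(3,GPT,constructed)/File(\EFI\opensuse\grubx64.efi)'
}

for s in sample_good sample_after_bios_update sample_stale; do
    rc=0
    "$s" | secureboot_is_first || rc=$?
    echo "$s: exit $rc"
done
# On a live system: sudo efibootmgr -v | secureboot_is_first
```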
Remove an "accidental" windows install into your Linux uEFI
If you have to re-install Windows in a dual boot environment, where you use a separate disk for each OS - with their own boot EFI partitions to still run standalone - Windows will use the Linux EFI boot partition if you completely emptied your Windows disc for a fresh install.
You can avoid that by disconnecting your Linux disc. But if you forgot about that (and I did...) you will have a Windows entry in that partition.
Don't hesitate. It is very simple to get rid of that again. First you can remove entries from the BIOS by using efibootmgr. That however only works for invalid entries that are deleted on discs but were not deleted in the BIOS. With our scenario we will need the second approach. But to be complete I also describe this:
- First: How to delete an entry (is not successful in this scenario!)
-
Check the boot entries with sudo efibootmgr -v. You will see all available boot entries. Each entry has an ID like Boot0000. You can now remove an entry by its ID by calling sudo efibootmgr -b XXXX -B and mark the default boot entry by specifying the boot order with sudo efibootmgr -o YYYY. YYYY and XXXX are the numbers of the entries - so Boot0001 is simply 1 (no need to give all four digits)
In this example scenario however this does not do the trick. As in our Linux partition still is an entry for Windows, the BIOS will automatically find that one again and add it to the boot order. YAST will by the way also identify it and add it to the bootloader.
This only works for entries that are invalid and nevertheless were not deleted.
- Second: remove entry in uEFI partition
-
To really get rid of that illegal boot entry we need to delete it in the uEFI partition. This is simply done in Linux as the EFI partition is mounted to /boot/efi/ and can be manipulated with the tools of your choice. In the directory /boot/efi/EFI/ you will find a directory named Microsoft which we want to get rid of.
However, to find out if we are dealing with the right place, first do this minimally invasively by renaming /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi to /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi.BAK - or whatever you prefer. That way the boot entry will not be found anymore.
You can now regenerate the boot loader with yast as described above and the superfluous entry will be gone. Do a reboot and verify that your Windows installation can still be booted via GRUB.
If everything is fine you can then delete the whole directory /boot/efi/EFI/Microsoft anytime to gain back space.
- ADVICE
-
Fooling around with uEFI boot partitions and their content can lead to an unbootable system. Do this at your own risk. There should always be the possibility to boot with the MBR version as described above. Change to CSM boot mode and try that. If that does not work you will need a rescue system and a chroot environment. Some ideas for that are in the first chapter of this block.
You should be done now!
Sound Blaster Z SE (Sound Core3D [Sound Blaster Recon3D / Z-Series] (SB1570)
The Sound Blaster Z SE does not really want to work with Linux. This has several causes:
1. The output lines need to be changed to get redirected to the correct output jacks.
2. After reboot some speakers are not enabled by default.
To solve this we need to redirect the output first, so the right speakers receive the correct output. To then activate the speakers we simply need to set the volume. Use alsamixer to change the volume one down and up again. This writes the volume value to the card and activates the speakers.
This is all done with your local user, not with root!
- Change speaker output lines (swap speakers):
-
This is done in a local user file called .asoundrc in the root of your home dir. We copy a configuration of the 5.1 surround specification from /usr/share/alsa/pcm and add an entry ttable where we swap the channels 4/5 with 2/3. Do that like the following:
The whole file should then look like this:
- Change volume at startup to activate speakers
-
The sound output is now directed to the right channels, however the sound card still will not output to all speakers. You can "activate" the speakers by using alsamixer. Select your sound card with F6 and then adjust every volume one down and up again. This will activate all speakers.
But as we do not want to do that after every reboot, we can let an autostart script do the job for us.
So create a script somewhere, let's call it "~/bin/setSpeaker.sh", and fill it with the following:
and make it executable with chmod 755 ~/bin/setSpeaker.sh.
For auto start we create a link in autostart-scripts to make it run after login:
ln -s ~/bin/setSpeaker.sh ~/.config/autostart-scripts/setSpeaker.sh
This script now uses 80% and 100% - adjust these to the values you prefer.
Also adjust the index -c 1 used here. You can find out the index of your card with aplay -l.
- Change / fix the index of your sound card
-
However, the index of the card can change, for instance if a USB camera device is sometimes connected (like with me) and sometimes not. It might get somewhere in between and so change the index.
If you want to fix the index of your sound card you need to set that in a config file under /etc/modprobe.d. You can create a new one named e.g. sound.conf or you alter the 50-sound.conf which was created by yast.
BE ADVISED:
- this file is altered by yast if you mess with audio there. Luckily a copy .YastSaved will be created.
- watch out for other settings somewhere else that might interfere. Do a cat * | grep snd or use mc to verify that your file is the only one messing with snd-hda-intel
What you need to add are one or more options lines for the intel driver, setting a certain index order. So first let's find out the IDs and current index: cat /proc/asound/cards - you might also use aplay -l for that, but that will not necessarily list the camera. That info can be used to create the needed option lines. Consider the following output:
We would now need something like options snd_hda_intel index=3,0,1,2 to move the creative card to the top. But that does not work because of two things:
1. without the USB camera the creative would be at index 2, so the given index 3 would be empty
2. the camera does not use the snd-hda-intel but snd-usb-audio - so configuring in that way will not help
So what we do first is to define which driver should be loaded first and at which slot. This is done by options snd slots=snd-hda-intel,snd-hda-intel,snd-hda-intel - that way the intel driver is reserved for three slots making room for the onboard, the graphics and creative sound card output.
On the internet you will find the idea of using "ID=" like options snd_hda_intel id=Creative,PCH,NVidia index=2,0,1. This also does not do the trick. It simply sets the names of the indexes, meaning whatever now lands on index 0 (card number 2) will be named "Creative", no matter what its generic name would be.
Additionally something might come in handy: if you have an onboard INTEL sound card, you might want to blacklist snd_soc_skl and additionally stop power saving.
This all leads to my example of 50-sound.conf: (you now need root access to alter that file and do a reboot afterwards to make the changes take effect)
- Change pulse audio mixing for LFE
-
We want PulseAudio to remix the output to add bass to LFE. Typically our Sound Blaster can do that itself, but this seems to be helpful.
So if you still experience any difficulties with sound not being directed to the subwoofer (LFE), as root add the following to "/etc/pulse/daemon.conf"
Adapt this to your own preferences.
- How to save settings done with alsamixer
-
When you changed settings with alsamixer for your local user, these settings should be written to /var/lib/alsa/asound.state from where those values will be loaded after reboot. To do so, just use sudo alsactl store. This will write all settings into that file.
There is also the possibility to write settings to a different file and restore those with a script running at startup. This can be achieved with
alsactl --file ~/.config/asound.state store
for saving the values, and
alsactl --file ~/.config/asound.state restore
for restoring these values.
Remember that always all values for all settings of all sound cards are written.
- Migration to Pipewire
-
Maybe you already noticed that the new Counter Strike 2 is not really running with Pulse Audio. As this is the default with openSUSE, we can solve this by switching to PipeWire. The development is already smoothed out and things are working very well. The best thing is that it is also compatible with Pulse Audio - so most of the software above does still work.
Installing pipewire pipewire-pulseaudio pipewire-alsa should already do the trick. De-install pulseaudio but keep pavucontrol.
However, you will need a minimal update of your config after de-installing Pulse Audio and migrating to PipeWire.
If wireplumber is installed (which should happen automatically), one suggestion is to deactivate the suspend of Wireplumber:
Do mkdir -p /etc/wireplumber/main.lua.d && cp /usr/share/wireplumber/main.lua.d/50-alsa-config.lua /etc/wireplumber/main.lua.d/50-alsa-config.lua
Then edit /etc/wireplumber/main.lua.d/50-alsa-config.lua and replace
--["session.suspend-timeout-seconds"] = 5, -- 0 disables suspend
with
["session.suspend-timeout-seconds"] = 0, -- 5 is default, 0 disables suspend
This will prevent wireplumber from sleeping and promises to avoid crackling sound, but e.g. an installed webcam will then be switched on forever. I highly suggest NOT to use this adaptation!
For pipewire do the following:
Do mkdir -p /etc/pipewire && cp /usr/share/pipewire/pipewire.conf /etc/pipewire
Then edit /etc/pipewire/pipewire.conf and replace:
#default.clock.allowed-rates = [ 48000 ]
with
default.clock.allowed-rates = [ 44100 48000 96000]
This is not default because of this
With these changes, audio crackling should be minimized.
Stop auto updater (PackageKit) widget in KDE
To stop PackageKit from checking for updates, we need to set the periodic checks in its config file. We could do that with the widget itself, but there is a bug that prevents the changes from being written to the additional config for root, as the config file can only be changed by root and the widget is run by the current user.
So we simply do it by hand as root:
- Change all periodic scans to false for root:
-
Just edit the main.xml and change daily, weekly and monthly to false to prevent PackageKit from ever coming up again for root - it will then only come up for your desktop user. The main.xml is in the directory /usr/share/plasma/plasmoids/org.kde.plasma.pkupdates/contents/config
sudo mcedit /usr/share/plasma/plasmoids/org.kde.plasma.pkupdates/contents/config/main.xml
- Change all periodic scans to false for your own user:
-
To also change this for your user and disable update checks completely, the corresponding file is ~/.config/plasma-org.kde.plasma.desktop-appletsrc.
In there is an entry for the applet No. 14: [Containments][7][Applets][14][Configuration][General]. In that section you might find entries like monthly=true.
Set all entries daily, weekly and monthly to false like monthly=false so it looks like this:
Set time of HP printers via cron script
- Shell-Script to set printer time of HP printer
-
The time in HP printers does not correctly use the timezone when sending mails. However it would be nice if the printer time got synchronized with the time of your server.
To do so, we create a shell script /opt/setPrinterTime.sh containing the following:
Replace <IP-OF-PRINTER> with the IP address of your printer!
You may want to remove the comment '#' at the end to get a syslog entry for debugging, but remember that when the script runs as a cron job you might receive a mail with that line every time the script runs. The crontab line presented here will redirect all output to /dev/null, so no output is sent (also no errors!)
Do not forget to make the script executable with chmod 755 /opt/setPrinterTime.sh
Now add this script to the crontab of root (can also be a user). Do this for instance like this:
sudo crontab -e
to change the crontab of root.
Add a line like this to run the script every 2 hours (adapt the path to your script):
0 0,2,4,6,8,10,12,14,16,18,20,22 * * * /opt/setPrinterTime.sh >/dev/null 2>&1
Re-Compile NVidia drivers for older kernel (Tumbleweed 5.16.8 / nvidia problem)
Before you start messing around with kernel versions you might want to read Installing multiple kernel versions from the SUSE docs.
After installing kernel 5.16.8 with Tumbleweed, problems occurred with graphics cards: no console and no X server. This is because SimpleDRM is now part of the kernel but interferes with the NVidia drivers. That way you will not see any console output and no graphical UI after boot.
As a temporary workaround you can add initcall_blacklist=simpledrm_platform_driver_init as a kernel boot parameter to solve this. Additionally the 510.54 driver version was released - but that did not solve the problem completely. So it is a good idea to fall back to the previous kernel 5.16.5 until 5.16.10 is released, which will be the real fix for this.
All of this is documented in the bug tracking
But if you installed the nvidia drivers 510.54 as a fix, something weird happens: the driver files are deleted from all kernels installed, but they will only be re-compiled for the current default kernel. You can verify this by looking into /lib/modules/5.16.*/updates.
BTW: your nvidia driver files are located at /usr/src/kernel-modules/ - you might want to clean this up and remove all unneeded drivers from time to time.
To re-compile the installed nvidia drivers for an older kernel, re-install that kernel's modules. It's the easiest way.
- Force re-compile for 5.16.5
-
First you need to temporarily change to a different repo. For that edit /etc/zypp/repos.d/repo-oss.repo and change baseurl to https://download.opensuse.org/history/20220210/tumbleweed/repo/oss/, so that it looks like this. It's best to work with comments here:
Now we force the re-install of the kernel of that repo:
root@server:~>zypper in -f kernel-default kernel-devel kernel-default-devel
Let zypper do its magic, recompile of NVIDIA for this kernel will be initiated after install of kernel-devel.
- Force re-compile for 5.16.8 to revert default kernel change
-
As all defaults are now pointing to 5.16.5, we should force install of current kernel 5.16.8 again to be in the state before forced installation. You !could! of course revert any changes by hand, but personally I would not recommend it. Chances of missing something are far too high!
To do so first revert the change in repo-oss, then do zypper ref and again the zypper in -f
The repo-oss with reverted changes looks like this:
then:
root@server:~>zypper ref
root@server:~>zypper in -f kernel-default kernel-devel kernel-default-devel
That way you are back to where you started from. Now you can start 5.16.8 with kernel parameter or 5.16.5 and both work with graphical console and desktop.
90s wait at shutdown/reboot because of scdaemon
After one update of Tumbleweed the shutdown / reboot of your system will suddenly stall for 90s because of a service that cannot be stopped. In the system log you might find the culprit "scdaemon" that does not like to be stopped.
This will be installed if you need for instance Kleopatra because of PGP keys you might use for e-mails. However scdaemon is a daemon for security USB keys for 2FA, like YubiKeys.
You will not be able to de-install scdaemon, but you can disable it, especially if you do not need the service.
To do so, simply do the following:
- Disable scdaemon
-
Edit ~/.gnupg/gpg-agent.conf in the user's home directory and add the line disable-scdaemon. That's it.
After that the file might look like:
After a reboot scdaemon will not run and not block shutdowns or reboots.
7. Update Leap 15.3 -> 15.4: bind does not work anymore
I updated Leap 15.3 to 15.4 with an existing and working bind. However, after the update bind will not start anymore and systemctl start named will result in the error Control process exited, code=exited, status=6/NOTCONFIGURED
This is because the script /usr/share/bind/createNamedConfInclude is not provided anymore and the present one from 15.3 will get deleted during install. This script is used to create /etc/named.conf.include which is then included in /etc/named.conf. The script is referred to in /etc/sysconfig/named with NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"
To fix this:
Step 1: In /etc/named.conf delete the statement include "/etc/named.conf.include"; or place a # comment in front
Step 2: delete the include file /etc/named.conf.include
Step 3: edit /etc/sysconfig/named and change NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude" to NAMED_INITIALIZE_SCRIPTS=""
With these three steps, the problem should be solved.
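The three steps above as an added shell example (not part of the original page): it takes a root prefix so it can be tried on a copy first, keeps a .bak of each edited file and is safe to run twice. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): apply the three steps to a
# root directory so they can be tried on a copy before touching /etc.

# edit_file FILE SED_EXPR: rewrite FILE through sed, keeping its mode and
# saving the untouched original as FILE.bak on the first run only.
edit_file() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# fix_named ROOT: ROOT is a path prefix ("" for the live system, as root).
fix_named() {
    root=${1:-}
    conf="$root/etc/named.conf"
    sysc="$root/etc/sysconfig/named"
    [ -f "$conf" ] && [ -f "$sysc" ] || {
        echo "named config not found under '$root'" >&2
        return 1
    }
    # Step 1: comment out the include (already commented lines do not match)
    edit_file "$conf" \
        's|^\([[:space:]]*\)\(include[[:space:]]*"/etc/named\.conf\.include";\)|\1#\2|' \
        || return 1
    # Step 2: delete the stale include file
    rm -f "$root/etc/named.conf.include"
    # Step 3: stop calling the init script that is no longer shipped
    edit_file "$sysc" \
        's|^NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"|NAMED_INITIALIZE_SCRIPTS=""|'
}

# Constructed sample tree that mimics the state right after the upgrade.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/sysconfig"
    printf '%s\n' 'options {' '    directory "/var/lib/named";' '};' \
        'include "/etc/named.conf.include";' > "$r/etc/named.conf"
    : > "$r/etc/named.conf.include"
    printf '%s\n' '# constructed sample file' \
        'NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"' > "$r/etc/sysconfig/named"
    echo "$r"
}

demo_root=$(make_sample_root)
fix_named "$demo_root" &&
    grep -n -e include -e INITIALIZE \
        "$demo_root/etc/named.conf" "$demo_root/etc/sysconfig/named"
rm -rf "$demo_root"
```

On the live system, run fix_named with an empty prefix as root and check the result with named-checkconf before starting named.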
8. Update Leap 15.3 -> 15.4: php-fpm and AppArmor
With openSUSE Leap 15.4 comes AppArmor which gets enabled by default. This leads to irritating "permission denied" errors when this happens unnoticed and you did not have AppArmor active with 15.3.
I personally had problems with access to the socket file of php-fpm. It could not get created, but not because of wrong directory permissions but because of AppArmor.
One way to solve this is of course to deactivate AppArmor as root with
However this is not the best solution if you want to keep AppArmor as a security layer. In that case you can let AppArmor audit php-fpm. This might work for you:
This might also help when you get "Could not acquire a shared lock on the config file" with nextcloud.
9. Update Leap 15.3 -> 15.4: Re-install certbot
With openSUSE Leap 15.4 there is no repo that provides certbot. The repos at /home:/* that can be found did not do the trick for me.
The straightforward way to install certbot with openSUSE is described here
For your convenience the steps are repeated:
Your previous config is not touched.
10. Enable ClearView Fonts with WINE
Contrary to what you read on the internet, WINE refers to Linux system settings to enable font smoothing, in Windows commonly known as ClearType. It is not using the FontSmoothing* registry entries to enable that.
However these entries might still be useful as Windows itself uses those to define the way ClearType is rendered.
- Install Windows fonts for WINE or systemwide
-
The first thing you might want to do is to install Windows fonts. There are two ways to do so. Either by winetricks or by copying them from a Windows installation. The first option will provide the fonts only for WINE or Windows programs running with WINE respectively - the other way will provide those fonts also for all Linux applications like OpenOffice, which might be a good idea.
To install basic Windows fonts for WINE via winetricks use winetricks allfonts in a shell as normal user, not root! This will download and install core Microsoft fonts to ~/.wine/dosdevices/c:/windows/Fonts/
These fonts will only be visible for WINE or Windows programs running under WINE.
The other way to install fonts system-wide or at least for your user is to copy fonts from a Windows installation. When doing so, skip "desktop.ini" or any other file that is not a font.
There might be copyright restrictions to take care of!
The target folders can be:
- /usr/share/fonts
- /usr/local/share/fonts
- ~/.local/share/fonts - this is in your home directory and local to your user (i.e. <dir prefix="xdg">fonts</dir>)
- ~/.fonts - DEPRECATED
After copying new fonts to your Linux system you should run sudo fc-cache -fv and fc-cache -fv (i.e. as root / as normal user) to recreate the font caches.
- Activating font smoothing
-
If all fonts were installed system wide, font smoothing might already work. However when fonts were copied to ~/.fonts you might need to activate font smoothing for it. Do so by simply adding a local config in the file ~/.config/fontconfig/fonts.conf with at least the following content, if it does not exist.
Also look out for a potential ~/.fonts.conf file in your home directory. There should never be both - only one of these, as their contents will conflict with each other!
(Knowing XML you might want to shorten this. However, this is the way it is created by the KDE system configuration utility - and if not set like this, entries will be added and not replaced.)
These entries can also be changed by Linux font configuration. However, if there were no fonts present in ~/.fonts when configuring it or the file ~/.config/fontconfig/fonts.conf does not exist, it has to be created by hand first.
At least it was not present on my installation, so WINE did no font smoothing for the user-installed fonts at all. After I created the file and restarted a Windows program with WINE, it worked out of the box.
- Add registry entries
-
Although I am not sure if this is still necessary, I guess these registry entries still change the way the Windows subsystem in WINE will perform the ClearType font smoothing.
There are three ways to add those entries to your registry.
- First you can do this by running winetricks fontsmooth-rgb in a shell.
- Second, if you want to have full control over what is added to the registry, you can add the following entries manually:
-
Or as a third option you can download this shell script, make it executable with chmod +x winefontssmoothing_en.sh and run it by ./winefontssmoothing_en.sh.
This will create the REG file on the fly based on your choices.
The FontSmoothingGamma can have different values. The default used by winetricks or the shell script is dword:00000578 but I use dword:000004b0
10a: Update to fonts and font sizes
There is currently a hassle with KDE and GTK / GDK apps like Thunderbird, Firefox, Chrome, Wine, ... regarding font size and DPI settings. The displayed fonts are either too big on displays with less than 96 DPI or too small on displays with more than 96 DPI (4K displays).
The first thing to know is that Plasma 5.27 dropped use of the GDK_SCALE/GDK_DPI_SCALE variables and switched to Xsettingsd. The daemon xsettingsd is installed and running. There is no systemd service file with Tumbleweed.
The good thing is that you can control your DPI settings in ~/.config/xsettingsd/xsettingsd.conf. The bad news is that the DPI values set are overwritten. According to this bug they are working on it.
But there is help: set the settings in xsettingsd.conf and make that file immutable.
The values we need to set are Xft/DPI and Gdk/UnscaledDPI. The value is multiplied by 1024, so for my display the value is 81DPI*1024=82944. To get your current DPI setting you can read it out with this command: xdpyinfo | grep -b2 resolution
Edit the ~/.config/xsettingsd/xsettingsd.conf as normal user with your preferred editor to look something like this (additionally with font smoothing set):
After that we make that file immutable so it is not changed by some arbitrary process which thinks it knows better. This can only be done by root: sudo chattr +i xsettingsd.conf
After that check the setting with lsattr. It should look like ----i---------e------- ./xsettingsd.conf.
The easiest way to achieve the same result or to return to the previous state is to disable the autostart of the xsettingsd daemon. You may do so by using KDE System Settings->Startup and Shutdown->Background Services->disable GNOME/GTK Settings Synchronisation
Other discussions on that topic can be found here: openSUSE Forum and on reddit
10b: Mouse cursor themes - setting does not change for all
If you change the mouse cursor theme, this often does not affect some software like Firefox, Thunderbird, ... Those rely on the entries in ~/.config/gtk-3.0/settings.ini, which are often not changed to the same value when changing the cursor theme via system settings. So we will do that manually!
First we need to find the name of our cursor theme. That is basically the name of the directory where the theme lies. This can be found either in ~/.icons or /usr/share/icons, depending on the saved location of your cursor theme. However, you can easily find out the current theme name by using env | grep XCURSOR_THEME.
Next we will add or change two entries in the settings.ini file. The entries are gtk-cursor-theme-name and gtk-cursor-theme-size, which should be 24. Be advised that there is more than one settings.ini file, maybe in ~/.config/gtk-2.0, ~/.config/gtk-3.0 and ~/.config/gtk-4.0 - or even more versions. Change the occurrences in every settings.ini where you can find one.
Additionally, also look for ~/.gtkrc* files in your home directory. There might also be a cursor theme set. Wayland might be using this config file.
The changes will take immediate effect on restarting the application - e.g. Firefox.
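The two settings.ini entries described above, applied to every GTK version directory in one go; this is an added example, not part of the original page. It assumes GNU sed and that each settings.ini already contains a [Settings] header; the --apply switch is this example's own convention.

```shell
#!/bin/sh
# Added example: write the cursor theme into every GTK settings.ini.
# Assumes each file already has a [Settings] section header.

set_gtk_cursor() {
    # $1 = theme directory name, $2 = cursor size, remaining args = settings.ini files
    theme="$1"; size="$2"; shift 2
    # Theme names are directory names; refuse anything that could break the sed expressions.
    case "$theme" in
        ""|*[!A-Za-z0-9._-]*) echo "unexpected theme name: $theme" >&2; return 2 ;;
    esac
    case "$size" in
        ""|*[!0-9]*) echo "size must be a number: $size" >&2; return 2 ;;
    esac
    for ini in "$@"; do
        [ -f "$ini" ] || continue               # unmatched glob or missing file
        for kv in "gtk-cursor-theme-name=$theme" "gtk-cursor-theme-size=$size"; do
            key="${kv%%=*}"
            if grep -q "^$key *=" "$ini"; then
                sed -i "s|^$key *=.*|$kv|" "$ini"       # change the existing entry
            else
                sed -i "/^\[Settings\]/a $kv" "$ini"    # add it below the section header
            fi
        done
    done
}

# Apply to the current user's files only when asked to.
if [ "${1:-}" = "--apply" ]; then
    set_gtk_cursor "${XCURSOR_THEME:?XCURSOR_THEME is not set}" 24 \
        "$HOME"/.config/gtk-*/settings.ini
fi
```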
Be advised that deleting the entries and hoping for the system to inherit the value from XCURSOR_THEME might not work. At least it did not for me. Also, it might be that after some time and reboots, the scheme is set anyway, but I did not want to wait. We could think of a script adapting these values to the current setting of XCURSOR_THEME at startup. You might want to do that yourself.
11. Run CS:GO with openSUSE
With openSUSE Tumbleweed in particular and maybe also with LEAP 15.4, Steam's Counter-Strike Global Offensive (CS:GO) does not start. This is a long-running discussion with a lot of hints on what can be done.
Because in the journal we can see that the crash was caused by libtcmalloc_minimal.so, most suggest changing the library delivered with Steam to the one of the OS by creating links. This however does not work.
The easiest solution is to disable the videos!
To do so, simply move the videos folder to videos.bak. The folder is located at ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama
So open a console and use
mv ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama/videos ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama/videos.bak
to move the video folder out of the way.
Keep in mind: with updates of CS:GO this folder might reappear. If that happens and CS:GO does not start anymore, simply go to the videos folder, move everything in it to the videos.bak folder and delete it afterwards.
12. Kernel 6.2.1 with lockdown of unsigned kernel modules and secure boot
With kernel version 6.2.1 the loading of unsigned kernel modules will not work when secure boot is enabled. This mostly affects NVidia drivers but also others like VMWare kernel modules (vmmon and vmnet).
In various forums you can find a solution to sign these modules on your own with self-created keys. The signing tool sign-file however is not found at the location in ./source/scripts as stated in many places referring to Ubuntu. But of course, it exists. With a script containing the following lines, you can create a link for the currently active kernel.
kver="$(uname -r)"
ln -fs /usr/src/linux-${kver%-*}-obj/x86_64/default/scripts/sign-file /lib/modules/$kver/source/scripts/sign-file
In theory you can then create your own key pair, sign the kernel modules and promote the public key to the BIOS with mokutil. The basic commands would be:
openssl req -new -x509 -newkey rsa:2048 -keyout key.pri -outform DER -out key.pub -nodes -days 36500 -subj "/CN=FREE DESCRIBING NAME HERE" #-addext "extendedKeyUsage=codeSigning" -nodes
kver="$(uname -r)"
/lib/modules/"$kver"/source/scripts/sign-file sha256 key.pri key.pub $(modinfo -n KERNEL_MODULE_NAME)
mokutil --import key.pub --root-pw
A full script might look like this (signing VMWare):
This works now for me.
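An added example (not the author's script) that signs vmmon and vmnet for the running kernel with the key pair created by the commands above. The key directory, the SIGN_FILE override and the --sign switch are assumptions of this example; sign-file is called at the location the link above points to, modules that already carry a signature are skipped, and mokutil is asked at the end whether the key is enrolled.

```shell
#!/bin/sh
# Added example: sign the VMware modules for the running kernel.
# key.pri/key.pub are the files from the openssl command above;
# KEY_DIR and the SIGN_FILE override are assumptions of this example.
KEY_DIR="/root/module-signing"
MODULES="vmmon vmnet"

sign_file_path() {
    # $1 = kernel release as printed by `uname -r`, e.g. 6.2.1-1-default
    echo "/usr/src/linux-${1%-*}-obj/x86_64/default/scripts/sign-file"
}

sign_modules() {
    kver="$(uname -r)"
    tool="${SIGN_FILE:-$(sign_file_path "$kver")}"
    [ -x "$tool" ] || { echo "sign-file not found: $tool" >&2; return 1; }
    # key.pri is unencrypted (-nodes): keep it readable by root only
    chmod 600 "$KEY_DIR/key.pri" || return 1
    for m in $MODULES; do
        file="$(modinfo -n "$m")" || return 1
        if [ -n "$(modinfo -F signer "$file")" ]; then
            echo "$m: already signed, skipping"
            continue
        fi
        "$tool" sha256 "$KEY_DIR/key.pri" "$KEY_DIR/key.pub" "$file" || return 1
        echo "$m: signed by $(modinfo -F signer "$file")"
    done
    # The signature only helps once the public key is enrolled as a MOK.
    mokutil --test-key "$KEY_DIR/key.pub"
}

# Needs root; nothing happens unless the script is called with --sign.
if [ "${1:-}" = "--sign" ]; then
    sign_modules
fi
```

Because the openssl command above uses -nodes, key.pri is stored unencrypted; anyone who can read it can sign modules this machine will load, so keep it on root-only storage.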
13. Zypper: force a mirror if downloads are lame
Sometimes when doing a zypper up or zypper dup the refresh of the repos is very slow, and also the download of packages. This is quite annoying and really bad if you need to do an update or simply have to install a certain package.
The base download URL used with openSUSE packages is https://download.opensuse.org/. With this download location also meta-data is downloaded to identify a valid mirror near your location, from which downloads should be fast. For whatever reason this sometimes seems to fail. Then you might want to force the usage of a certain local mirror, but zypper does not support the setting of a general mirror - for reasons.
To still use a different mirror, we will have to adjust the files in /etc/zypp/repos.d and replace the default https://download.opensuse.org/ with a different URL.
First, you should visit the Mirrors Report Site of openSUSE and from there select a valid mirror for your purpose. To select a valid mirror, first find your country and then take a look in the column of your used version (Leap, Tumbleweed). You should select a mirror providing all needed repo types like update, source, repo, port, iso and debug.
After finding a valid URL you want to use as a mirror, we will adjust the repo URLs of our local repos. The following script will do that for you, but you can of course take it as an inspiration to do it manually:
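One way such a script can look, as an added example and not the author's original script: it copies repos.d to repos.d.bak and rewrites only the baseurl= lines that start with the default URL. The mirror URL is a placeholder and the --apply switch is this example's own convention; GNU sed is assumed.

```shell
#!/bin/sh
# Added example: point the openSUSE repos at one fixed mirror, keeping a backup.
# MIRROR is a placeholder; pick a real URL from the openSUSE mirrors report.
OLD_URL="https://download.opensuse.org/"
MIRROR="https://mirror.example.org/opensuse/"    # placeholder, final / included

switch_mirror() {
    # $1 = repo directory, $2 = URL prefix to replace, $3 = mirror URL prefix
    dir="${1%/}"; old="$2"; new="$3"
    case "$new" in
        *"|"*|*"&"*) echo "unsupported character in mirror URL" >&2; return 2 ;;
        https://*/) ;;                           # TLS only, trailing slash required
        *) echo "mirror must start with https:// and end with /" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -e "$dir.bak" ]; then
        echo "$dir.bak already exists, not overwriting the backup" >&2
        return 1
    fi
    cp -a "$dir" "$dir.bak" || return 1
    # Dots in the old URL must match literally, not as "any character".
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # Rewrite only baseurl= lines that start with the old prefix.
        sed -i "s|^\(baseurl=\)$old_re|\1$new|" "$f" || return 1
    done
}

# Needs root; nothing happens unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    switch_mirror /etc/zypp/repos.d "$OLD_URL" "$MIRROR" && zypper ref -f
fi
```

Switching the mirror does not change the signing keys; keep gpgcheck enabled in the .repo files so packages served by the mirror are still verified.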
Remarks:
- Make sure the replacement is correctly selected. In this example there is a final / at the end!
- After running the script, the old repos are in repos.d.bak. To revert it you need to do:
mv repos.d repos.d.FAST
mv repos.d.bak repos.d
zypper ref -f # just in case
If the zypper ref -f works without an error, everything is fine now and you can start your update or install a new package.
Just so you know: the caching directory of zypper is in /var/cache/zypp. You can delete all content (i.e. move all content to a backup directory!) in there if you want a really fresh update and get rid of possibly old downloaded packages.
14. Make a "Pi-Hole" without a Raspberry PI but with your own DNS (BIND 9)
This is for all users who already have their own DNS server running to e.g. resolve internal devices by name and not IP, want to have control over DNSSEC, want to forward to a certain DNS server like Cloudflare instead of the provider's DNS, and so on, and now want to use that DNS to block certain domain names that only deliver SPAM or ads. A DNS server is a good choice for that, as browser plugins only work in a browser. This will work for all devices trying to connect to unwanted URLs.
So if you want to block certain domains and have your own DNS already up and running, you do not want to add a Pi-Hole just for this purpose. Furthermore, you would have to chain these two DNS servers.
Some additional thoughts:
- On the internet there are basically two different approaches discussed to achieve this.
  1.: Some prefer to create one default ZONE file with
  * in A 127.0.0.1
  and
  * in AAAA ::1
  entries plus an additional named_include.conf containing entries like
  zone "blockeddomain.com" {type master; file "/var/lib/named/THE_DEFAULT_BLOCK_ZONE.zone";};
  that is then included in named.conf
  2.: Others prefer to create only one ZONE file containing entries like
  blockeddomain.com CNAME .
  and refer to that one by only one zone definition in named.conf.
  As these lists will easily contain thousands of entries, I prefer the second approach, as that one is much faster at reload and has much less memory consumption.
- The lists with the domains to block sometimes do not contain FQDN-like domain names. These names need to be converted. I use idn2 to do so. If you want to use my script provided here, you will need to install idn2. yast will do that for you if you install libidn2-tools.
- We create all files to be run only by root, because we want to write into the CHROOT environment of BIND at the end. You might come up with a better solution to that.
- Some domains listed are for counting access to certain sites. One prominent example is t.co that enables X (aka Twitter) to count clicks on links. If you encounter unwanted restricted access you need to change the script for whitelisting certain domains. I have not implemented that yet.
- Internet sites, when providing a service free of charge, finance themselves via advertising. With this script you will not support those sites anymore and some sites might even restrict access to content then.
  However, switching off the blocking is not done at one click. You will have to remove the ZONE file definition in /etc/named.conf, restart/reload BIND and reload the page.
  You have been warned.
That said, let's go into this. To enable a DNS to block certain domain names, the basic idea is to provide a ZONE file that will resolve all unwanted domains to NXDOMAIN. To achieve that we need three basic things:
- add a new zone file reference to your /etc/named.conf
- download domain lists from e.g. someonewhocares.org, parse them, create valid FQDNs and create the zone file.
- create a CRON job to regularly recreate this ZONE file
- Step 1: add ZONE file reference to named.conf
You need a zone file to handle the unwanted domains. To make BIND load that, we need a reference in /etc/named.conf like this one:
Just add that to all other ZONE definitions or at the end of the file. Do not forget to change the location of the ZONE file to your own needs!
- Step 2: The shell script to create the ZONE file
Here now I provide you with a script that will download a domain list from two different providers, merge these together, convert the domains provided to valid FQDNs and distinctly sort the list.
The files downloaded are either a plain list of domains or (mostly) a hosts file. The latter needs parsing to extract the domain names. Of course, we need to get rid of everything regarding special domains like "localhost".
We also provide the opportunity to add additional domains via a local extra.adservers, if you have to block something that no list is blocking already. This is a plain text file listing domain names on separate lines.
The ZONE file created here follows a basic structure with a static block at the beginning. A ZONE file has a unique identifier (its serial number), and if the file changes, this identifier also has to change. We use the current date to generate that unique identifier. You may of course adapt this zone file to your personal needs or strip down the static head to the bare minimum.
The script is quite long, but should be very self-explanatory. Copy and paste it to e.g. /opt/adserver/get_adservers.sh, change the variables in the head to your needs, and make that script executable with chmod 755 get_adservers.sh.
To verify the output of all conversions, you might want to remove the deletion of the temporary files at the end of the script and inspect those in /tmp.
Here it is:
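An added example, not the author's script, of the parsing and zone-writing core described above: it reads hosts-style and plain lists, keeps only syntactically valid ASCII names, and writes one CNAME . record per name. The SOA header values, the file names and the response-policy configuration in the comments are assumptions; downloading and the idn2 conversion are left out and would run before extract_domains.

```shell
#!/bin/sh
# Added example: build a "name CNAME ." zone from downloaded block lists.
# Assumption: named.conf loads the result as a response-policy zone, e.g.
#   options { response-policy { zone "blocked.rpz"; }; };
#   zone "blocked.rpz" { type master; file "/var/lib/named/blocked.rpz.zone"; };

extract_domains() {
    # stdin: hosts-style lines ("127.0.0.1 name ...") or one name per line
    # stdout: unique, lower-case, syntactically valid ASCII names
    tr -d '\r' | tr 'A-Z' 'a-z' | awk '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }
        {
            # hosts line: field 1 is an IP and names follow; otherwise field 1 is the name
            first = ($1 ~ /^[0-9.]+$/ || index($1, ":") > 0) ? 2 : 1
            last = (first == 2) ? NF : 1
            for (i = first; i <= last; i++) {
                n = $i
                if (length(n) > 253 || n ~ /^[0-9.]+$/) continue
                if (n == "localhost.localdomain") continue
                # letters, digits and inner hyphens only, at least two labels
                if (n ~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$/)
                    print n
            }
        }' | LC_ALL=C sort -u
}

make_zone() {
    # $1 = serial, stdin = validated names, stdout = zone file text
    printf '$TTL 3600\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 3600 600 604800 3600 )\n' "$1"
    printf '@ IN NS localhost.\n'
    while IFS= read -r name; do
        printf '%s CNAME .\n' "$name"
    done
}

build_zone() {
    # $1 = target zone file, remaining args = list files (downloads, extra.adservers)
    out="$1"; shift
    tmp=$(mktemp "$out.XXXXXX") || return 1
    cat "$@" | extract_domains | make_zone "$(date +%Y%m%d%H)" > "$tmp"
    # Never install an empty block list, e.g. after a failed download.
    grep -q ' CNAME \.$' "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$out"         # replace the old file in one step
}
```

The lists are untrusted input that ends up in a file written by root and loaded by BIND, which is why every name is validated instead of being copied through. Checking the generated file with named-checkzone before reloading BIND catches a malformed zone before it goes live.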
- Step 3: add your script to root cron
To add your script to root's crontab, add the following line:
0 0 * * 1 /opt/adserver/get_adservers.sh #retrieve new list of adservers
by calling crontab -e. With this, the script will be called weekly.
You can of course also use webmin for such tasks.
After running the script your BIND will reload its configuration, i.e. also load the new ZONE file with all unwanted domains to return NXDOMAIN for those. Have fun!