
Linux Tips & Tricks on openSUSE Leap 15 and Tumbleweed


On this page I summarize things I had to do some research for to make them work. That way others might find something handy to solve a similar problem without the need to do horrendous research on their own.

Be advised that this is not a forum for discussing a problem - just a compendium of Tips & Tricks for your convenience. What I put down here worked for me. That does not mean it will work for you. It's just another list of things you might want to try out. Use at your own risk without any guarantees whatsoever - this is more a scrapbook of mine that I share with others.

To make these pages usable for a wide audience, they are completely in English.

Currently this all refers to openSUSE Leap 15.3, 15.4 and Tumbleweed installations. However, with Ubuntu and other distros some of these will also work or give a hint where to start.

Content:
1. Convert MBR to uEFI - openSUSE Linux Leap 15.3
1a. Re-Install uEFI after e.g. a BIOS update
1b. Remove an "accidental" windows install into your Linux uEFI
2. Sound Blaster Z SE (Sound Core3D [Sound Blaster Recon3D / Z-Series] (SB1570)
3. Stop auto updater (PackageKit) widget in KDE
4. Set time of HP printers via cron script
5. Re-Compile NVidia drivers for older kernel
6. 90s wait at shutdown/reboot because of scdaemon
7. Update Leap 15.3 -> 15.4: bind does not work anymore
8. Update Leap 15.3 -> 15.4: php-fpm and AppArmor
9. Update Leap 15.3 -> 15.4: Re-install certbot
10. Enable ClearView Fonts with WINE
10a. Update to fonts and font sizes
10b. Mouse cursor themes - setting does not change for all
11. Run CS:GO with openSUSE
12. Kernel 6.2.1 with lockdown of unsigned kernel modules and secure boot
13. Zypper: force a mirror if downloads are lame
14. Make a "Pi-Hole" without a Raspberry Pi but with your own DNS (BIND 9)


Convert MBR to uEFI without data loss

Convert MBR to uEFI - openSUSE Linux Leap 15.3

If you, like me, have had a computer for a very long time and could finally use EFI after upgrading, you have to change your installation from MBR boot to uEFI boot. This is possible by a new installation, or by migrating to uEFI without data loss.
Here are the instructions for download

CHECK FIRST

- Read kernel parameter line to restore it. You can do that with Yast.
- check if "Grub2 efi" and "mokutil" are installed - if not, install them via Yast beforehand
- Further: we need a live system (only for using KDEpart) and a rescue system (to do the magic)
- The mount point /boot/efi can be created already with mkdir /boot/efi

Definitions:

This tutorial assumes that the Linux disk is the second disk in the system (/dev/sdb), partition 1 is SWAP, partition 2 is the data partition.
- sdb1 remains untouched
- sdb2 is to be shrunk to create the efi partition as sdb3

Basic procedure:

- Make space for the EFI drive (500MiB would be standard, less is also possible, but it should be at least 200KiB)
- Format it
- Extend fstab with the mount point
- Let YaST do its magic

Tips:

Create two bootable USB sticks - one with the live OS and one with the rescue OS.
Put the downloaded ISOs on the USB sticks with balenaEtcher - it is available for Linux and Windows


STEP 1: Reboot with Live-CD to make space with KDEpart

Since the disk to be adjusted is the system disk, creating space is not so easy. We need a live system or any other system that can access our disk. With any live Linux plus KDE you can do this quickly and easy, because we can use a graphical tool. You can also do this in the rescue system but you will then have to use a command line tool.
--> Free 500MiB at end of partition /dev/sdb2 with KDEPart

STEP 2: Reboot with Rescue (already in EFI-Mode!!)

Then we need some commands to create the file system and change fstab for mounting it. Do not forget fstab or you will be doomed (na, just reboot with a rescue system...)

1: Create partition and change from MBR to GPT with gdisk (NOT fdisk!!!)

This will also convert your disk from MBR to GPT - which also means, that when writing the changes there is no way back!

gdisk /dev/sdb
n # new partition
type: EF00 (-> show with 'L') EFI System
c # give name, we can use that later
EFI-System
w # <-- now there is no turning back! MBR converted to GPT in this step!
q


2: read the partitions

partprobe /dev/sdb

3: create filesystem - if you do it with UUID or sdb3, you don't need the name

mkfs -t vfat -v /dev/disk/by-partlabel/EFI-System

4: mount system to mnt

mount /dev/sdb2 /mnt

5: create efi mountpoint in sdb2 (if not already done):

mkdir /mnt/boot/efi

6: and mount efi partition to it

mount /dev/sdb3 /mnt/boot/efi

7: now mount additional directories

mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc


8: start chroot environment - we are in our old system then:

chroot /mnt
mount -a # just in case


9: add EFI mountpoint in fstab - first line

ll /dev/disk/by-uuid # find out UUID of /dev/sdb3
mcedit /etc/fstab
UUID=A1B2-D3E4 /boot/efi vfat defaults 0 0


Do not forget to change the UUID to the correct value. Simply add this line at the top.

10: now change boot configuration in yast

yast
--> boot loader
tab bootcode
--> change to "GRUB2 for EFI"
--> X Secure Boot
--> X NVRam
--> protective MBR flag "no change"
Kernel parameters tab
--> resume=/dev/sdb1 nosplash noplymouth quiet # or whatever you need here!
--> graphics: choose resolution and theme


select "OK" and Yast does its magic.

11: finish up

exit yast
exit
shutdown -r now


STEP 3: Test after reboot:

Remember: in bios you should now have selected efi boot mode for sdb - other will not work anymore!
Now test your efi after reboot:

efibootmgr -v

You should be on efi now...



Re-Install uEFI after e.g. a BIOS update

For uEFI and secure boot to work with openSUSE (Leap or Tumbleweed), the uEFI-Entry "opensuse-secureboot" must be selected in BIOS for boot. This will start SHIM, which might install keys and will then start GRUB.
After a BIOS-Update this entry was gone for me - and I have no idea, why. Booting the entry "openSUSE" will not work with secure boot and will end up in a GRUB rescue mode.
However, to get it back, there are some simple things you can do:
First: change in BIOS to boot in BIOS/CSM mode

When you cannot boot "opensuse-secureboot", no secure boot is possible and GRUB will quit service. To get back into your installation, go into your BIOS and select CSM as your boot mode. There might be several places to look for. With me this was in Advanced Options under Windows OS Configuration. There you have to select CSM mode.
After that you will be able to boot into openSUSE installation via GRUB again.

Second: re-install bootloader

When back in your openSUSE installation you can now re-install the boot with SHIM. Simply open a console and enter sudo yast2 bootloader
That will display current settings of your openSUSE bootloader and re-install everything when exited with "OK". Make sure, that the following is selected:
GRUB2 for EFI
X Secure Boot support
X Support for Trusted Boot
X NVRAM
protective MBR flag --> do not change

After this you can check the boot entries by calling sudo efibootmgr -v in the console. opensuse-secureboot should be the first selected entry now

Third: re-activate uEFI secure boot

Now reboot your machine and instantly enter BIOS again. There
- change back from CSM to UEFI
- go to the boot order selection and activate opensuse-secureboot

You should be done now!
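
Added example (not part of the original page): a small check for the statement above that opensuse-secureboot should be the first selected entry. It reads the output of efibootmgr -v on stdin and tells you which entry the firmware tries first. The function names and the sample output are made up for this illustration.

```shell
#!/bin/sh
# Added example. Reads `efibootmgr -v` output on stdin and reports which
# entry the firmware tries first (the first number in the BootOrder line).

# Print the label of the first BootOrder entry, e.g. "opensuse-secureboot".
first_boot_label() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            num = substr($1, 5, 4)                   # "Boot0001*" -> "0001"
            line = $0
            sub(/^Boot[0-9A-Fa-f]+\*? +/, "", line)  # strip "Boot0001* "
            sub(/\t.*/, "", line)                    # strip device path (-v)
            label[num] = line
        }
        END { if (first in label) print label[first] }
    '
}

# Return 0 only if the first BootOrder entry carries the wanted label.
# Usage on a real system: sudo efibootmgr -v | secureboot_entry_is_first
secureboot_entry_is_first() {
    wanted=${1:-opensuse-secureboot}
    label=$(first_boot_label)
    [ "$label" = "$wanted" ]
}

# Constructed sample output (not taken from a real machine).
# Optional argument: the BootOrder value to print.
sample_efibootmgr() {
    printf 'BootCurrent: 0001\n'
    printf 'Timeout: 1 seconds\n'
    printf 'BootOrder: %s\n' "${1:-0001,0000}"
    printf 'Boot0000* openSUSE\tHD(3,GPT,...)/File(\\EFI\\opensuse\\grubx64.efi)\n'
    printf 'Boot0001* opensuse-secureboot\tHD(3,GPT,...)/File(\\EFI\\opensuse\\shim.efi)\n'
}

# Demo on the constructed sample.
if sample_efibootmgr | secureboot_entry_is_first; then
    echo "OK: firmware tries opensuse-secureboot first"
else
    echo "WARNING: opensuse-secureboot is not the first boot entry"
fi
```

If the check fails after a BIOS update, the steps above (yast2 bootloader, then the boot order in the BIOS) bring the entry back.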


Remove an "accidental" windows install into your Linux uEFI

If you have to re-install Windows in a dual boot environment, where you use two disks for each OS - with their own boot EFI partitions to still run standalone - Windows will use the Linux EFI boot partition if you completely emptied your Windows disc for a fresh install.
You can avoid that by disconnecting your Linux disc. But if you forgot about that (and I did...) you will have a Windows entry in that partition.

Don't hesitate. It is very simple to get rid of that again. First you can remove entries from the BIOS by using efibootmgr. That however only works for invalid entries that are deleted on discs but were not deleted in the BIOS. With our scenario we will need the second approach. But to be complete I also describe this:
First: How to delete an entry (is not successful in this scenario!)

Check the boot entries with sudo efibootmgr -v. You will see all available boot entries. Each entry has an ID like Boot0000. You can now remove an entry by its ID by calling sudo efibootmgr -b XXXX -B and mark the default boot entry by specifying the boot order with sudo efibootmgr -o YYYY. YYYY and XXXX are the numbers of the entries - so Boot0001 is simply 1 (no need to give all four digits)

In this example scenario however this does not do the trick. As in our Linux partition still is an entry for Windows, the BIOS will automatically find that one again and add it to the boot order. YAST will by the way also identify it and add it to the bootloader.
This only works for entries that are invalid and nevertheless were not deleted.

Second: remove entry in uEFI partition

To really get rid of that illegal boot entry we need to delete it in the uEFI partition. This is simply done in Linux, as the EFI partition is mounted to /boot/efi/ and can be manipulated with the tools of your choice. In the directory /boot/efi/EFI/ you will find a directory named Microsoft which we want to get rid of.
However, to find out if we are dealing with the right place, first do this minimally invasively by renaming /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi to /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi.BAK - or whatever you prefer. That way the boot entry will not be found anymore.
You can now regenerate the boot loader with yast as described above and the superfluous entry will be gone. Do a reboot and verify that your Windows installation can still be booted via GRUB.
If everything is fine you can then delete the whole directory /boot/efi/EFI/Microsoft anytime to gain back space.

ADVICE

Fooling around with uEFI boot partitions and their content can lead to an unbootable system. Do this at your own risk. There should always be the possibility to boot with the MBR version as described above. Change to CSM boot mode and try that. If that does not work you will need a rescue system and a chroot environment. Some ideas for that are in the first chapter of this block.

You should be done now!


Sound Blaster Z SE (Sound Core3D [Sound Blaster Recon3D / Z-Series] (SB1570)

The Sound Blaster Z SE does not really want to work with Linux. This has several causes:
1. The output lines need to be changed to get redirected to the correct output jacks.
2. After reboot some speakers are not enabled by default.

To solve this we need to redirect the output first, so the right speakers receive the correct output. To then activate the speakers we simply need to set the volume. Use alsamixer to change the volume one down and up again. This writes the volume value to the card and activates the speakers.

This is all done with your local user, not with root!

Change speaker output lines (swap speakers):

This is done in a local user file called .asoundrc in the root of your home dir. We copy a configuration of the 5.1 surround specification from /usr/share/alsa/pcm and add an entry ttable where we swap the channels 4/5 with 2/3. Do that like the following:


The whole file should then look like this:


Change volume at startup to activate speakers

The sound output is now directed to the right channels, however the sound card still will not do output to all speakers. You can "activate" the speakers by using alsamixer. Select your sound card with F6 and then adjust every volume one down and up again. This will activate all speakers.
But as we do not want to do that after every reboot, we can let an autostart script do the job for us.

So create a script somewhere, let's call it "~/bin/setSpeaker.sh", and fill it with the following:


and make it executable with chmod 755 ~/bin/setSpeaker.sh.

For auto start we create a link in autostart-scripts to make it run after login:
ln -s ~/bin/setSpeaker.sh ~/.config/autostart-scripts/setSpeaker.sh

This script now uses 80% and 100% - adjust these to the values you prefer.
Also adjust the index -c 1 used here. You can find out the index of your card by aplay -l.

Change / fix the index of your sound card

However, the index of the card can change. That is, if for instance a USB camera device is sometimes connected (like with me), sometimes not. It might get somewhere in between and so change the index.
If you want to fix the index of your soundcard you need to set that in a config file under /etc/modprobe.d. You can create a new one named e.g. sound.conf or you alter the 50-sound.conf which was created by yast.

BE ADVISED:
- this file is altered by yast if you mess with audio there. Luckily a copy .YastSaved will be created.
- watch out for other settings somewhere else that might interfere. Do a cat * | grep snd or use mc to verify that your file is the only one messing with snd-hda-intel

What you need to add, are some or one options line for the intel driver, setting a certain index order. So first let's find out the IDs and current Index: cat /proc/asound/cards - you might also use aplay -l for that, but that will not necessarily list the camera. That info can be used to create the needed option lines. Consider the following output:


We would now need something like options snd_hda_intel index=3,0,1,2 to move the creative card to the top. But that does not work because of two things:
1. without the USB camera the creative would be at index 2, so the given index 3 would be empty
2. the camera does not use the snd-hda-intel but snd-usb-audio - so configuring in that way will not help
So what we do first is to define which driver should be loaded first and at which slot. This is done by options snd slots=snd-hda-intel,snd-hda-intel,snd-hda-intel - that way the intel driver is reserved for three slots making room for the onboard, the graphics and creative sound card output.

On the internet you will find the idea of using "ID=" like options snd_hda_intel id=Creative,PCH,NVidia index=2,0,1. This also does not do the trick. It simply sets the names of the index meaning whatever now lands on index 0 (card number 2) will be named "Creative", no matter what its generic name would be.

Additionally something might come in handy: if you have an onboard INTEL soundcard, you might want to blacklist snd_soc_skl and additionally stop power saving.

This all leads to my example of 50-sound.conf: (you now need root access to alter that file and do a reboot afterwards to make the changes take effect)


Change pulse audio mixing for LFE

We want PulseAudio to remix the output to add bass to LFE. Typically our Sound Blaster can do that itself, but this seems to be helpful.
So if you still experience any difficulties with sound being not directed to the SubWoofer (LFE), as root add the following to "/etc/pulse/daemon.conf"


Adapt this to your own preferences.

How to save settings done with alsamixer

When you have changed settings with alsamixer for your local user, these settings should be written to /var/lib/alsa/asound.state, from where those values will be loaded after reboot. To do so, just use sudo alsactl store. This will write all settings into that file.

There is also the possibility to write settings to a different file and restore those with a script running at startup. This can be achieved with
alsactl --file ~/.config/asound.state store for saving the values, and
alsactl --file ~/.config/asound.state restore for restoring these values.

Remember that always all values for all settings of all soundcards are written.

Migration to Pipewire

Maybe you already noticed that the new Counter Strike 2 is not really running with Pulse Audio. As this is the default with openSUSE, we can solve this by switching to PipeWire. The development is already smoothed out and things are working very well. The best thing is that it is also compatible with Pulse Audio - so most of the software above does still work.

Installing pipewire pipewire-pulseaudio pipewire-alsa should already do the trick. De-install pulseaudio but keep pavucontrol.

However, you will need a minimal update of your config after de-installing Pulse Audio and migrating to PipeWire.
If wireplumber is installed (which should happen automatically), one suggestion is to deactivate the suspend of Wireplumber:
Do mkdir -p /etc/wireplumber/main.lua.d && cp /usr/share/wireplumber/main.lua.d/50-alsa-config.lua /etc/wireplumber/main.lua.d/50-alsa-config.lua
Then edit /etc/wireplumber/main.lua.d/50-alsa-config.lua and replace
   --["session.suspend-timeout-seconds"] = 5, -- 0 disables suspend
with
   ["session.suspend-timeout-seconds"] = 0, -- 5 is default, 0 disables suspend
This will prevent wireplumber from sleeping and promises to avoid crackling sound, but e.g. an installed webcam will then be switched on forever. I highly suggest NOT to use this adaptation!

For pipewire do the following:
Do mkdir -p /etc/pipewire && cp /usr/share/pipewire/pipewire.conf /etc/pipewire
Then edit /etc/pipewire/pipewire.conf and replace:
   #default.clock.allowed-rates = [ 48000 ]
with
   default.clock.allowed-rates = [ 44100 48000 96000]
This is not default because of this

With these changes, audio crackling should be minimized.



Stop auto updater (PackageKit) widget in KDE

To stop PackageKit from checking for updates, we need to set the periodic checks in its config file. We could do that with the widget itself, but there is a bug that prevents the changes from being written to the additional config for root, as the config file can only be changed by root and the widget is run by the current user.
So we simply do it by hand as root:
Change all periodic scans to false for root:

Just edit the main.xml and change daily, weekly and monthly to false to prevent PackageKit from ever coming up again for root; it will then only come up for your desktop user. The main.xml is in the directory /usr/share/plasma/plasmoids/org.kde.plasma.pkupdates/contents/config

sudo mcedit /usr/share/plasma/plasmoids/org.kde.plasma.pkupdates/contents/config/main.xml

Change all periodic scans to false for your own user:

To also change this for your user and disable update checks completely, the corresponding file is ~/.config/plasma-org.kde.plasma.desktop-appletsrc.
In there is an entry for the applet No. 14: [Containments][7][Applets][14][Configuration][General]. In that section you might find entries like monthly=true.
Set all entries daily, weekly and monthly to false like monthly=false so it looks like this:

This should stop PackageKit from showing any updates. However, do your updates regularly on your own then!


Set time of HP printers via cron script

Shell-Script to set printer time of HP printer

The time in HP printers is not correctly using the timezone when sending mails. However it would be nice if the printer time would get synchronized with the time of your server.
To do so, we create a shell script /opt/setPrinterTime.sh containing the following:

Replace <IP-OF-PRINTER> with the IP address of your printer!

You may want to remove the comment '#' at the end to get a syslog entry for debugging, but remember that when the script runs as a cron job you might receive a mail with that line every time the script runs. The crontab line presented here will redirect any and all output to /dev/null, so no output is sent (also no error!)

Do not forget to make the script executable with chmod 755 /opt/setPrinterTime.sh

Now add this script to cron tab of root (can also be a user). Do this for instance like this:
sudo crontab -e
to change cron tab of root.
Add a line like this to run the script every 2 hours (adapt the path to your script):

0 0,2,4,6,8,10,12,14,16,18,20,22 * * * /opt/setPrinterTime.sh >/dev/null 2>&1



Re-Compile NVidia drivers for older kernel (Tumbleweed 5.16.8 / nvidia problem)

Before you start messing around with kernel versions you might want to read Installing multiple kernel versions from Suse DOCs

After installing kernel 5.16.8 with Tumbleweed, problems occurred with graphics cards: no console and no X server. This is because SimpleDRM is now part of the kernel but interferes with the NVidia drivers. That way you will not see any console output and no graphical UI after boot.

As a temporary workaround you can add initcall_blacklist=simpledrm_platform_driver_init as kernel boot parameter to solve this. Additionally the 510.54 driver version was released - but that did not solve the problem completely. So it is a good idea to fall back to previous kernel 5.16.5 till 5.16.10 will be released, which will be the real fix to this.
All of this is documented in the bug tracking

But if you installed the nvidia drivers 510.54 as a fix, something weird happens: the driver files are deleted from all kernels installed, but it will only be re-compiled for current default kernel. You can verify this by looking into /lib/modules/5.16.*/updates.
BTW: your nvidia driver files are located at /usr/src/kernel-modules/ - you might want to clean this up and remove all unneeded drivers from time to time.

The installed nvidia drivers can be re-compiled for an older kernel by re-installing that kernel's modules. It's the easiest way.
Force re-compile for 5.16.5

First you need to temporarily change to a different repo. For that edit /etc/zypp/repos.d/repo-oss.repo and change baseurl to https://download.opensuse.org/history/20220210/tumbleweed/repo/oss/, so that it looks like this. It's best to work with comments here:


Now we force the re-install of the kernel of that repo:
root@server:~>zypper in -f kernel-default kernel-devel kernel-default-devel

Let zypper do its magic; the recompile of NVIDIA for this kernel will be initiated after the install of kernel-devel.

Force re-compile for 5.16.8 to revert default kernel change

As all defaults are now pointing to 5.16.5, we should force the install of the current kernel 5.16.8 again to be in the state before the forced installation. You !could! of course revert any changes by hand, but personally I would not recommend it. Chances of missing something are far too high!
To do so, first revert the change in repo-oss, then do zypper ref and again the zypper in -f
The repo-oss with reverted changes looks like this:

then:
root@server:~>zypper ref
root@server:~>zypper in -f kernel-default kernel-devel kernel-default-devel


That way you are back to where you started from. Now you can start 5.16.8 with kernel parameter or 5.16.5 and both work with graphical console and desktop.



90s wait at shutdown/reboot because of scdaemon

With one update of Tumbleweed suddenly the shutdown / reboot of your system will stop for 90s because of a service that cannot be stopped. In the System-Log you might find the culprit "scdaemon" that does not like to be stopped.

It gets installed if you need, for instance, Kleopatra because of PGP keys you might use for e-mails. However, scdaemon is a daemon for security USB keys for 2FA, like YubiKeys.

You will not be able to de-install scdaemon, but you can disable it, especially if you do not need the service. With scdaemon disabled, GnuPG can no longer use keys stored on smartcards or hardware tokens.
To do so, simply do the following:
Disable scdaemon

Edit ~/.gnupg/gpg-agent.conf in the user's home directory and add the line disable-scdaemon. That's it.

After that the file might look like:


After a reboot scdaemon will not run and not block shutdowns or reboots.



7. Update Leap 15.3 -> 15.4: bind does not work anymore

I updated Leap 15.3 to 15.4 with an existing and working bind. However, after the update bind will not start anymore and systemctl start named will result in the error Control process exited, code=exited, status=6/NOTCONFIGURED

This is because the script /usr/share/bind/createNamedConfInclude is not provided anymore and the present one from 15.3 will get deleted during install. This script is used to create /etc/named.conf.include, which is then included in /etc/named.conf. The script is referenced in /etc/sysconfig/named with NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"

To fix this:
Step 1: In /etc/named.conf delete the statement include "/etc/named.conf.include"; or place a # comment in front
Step 2: delete the include file /etc/named.conf.include
Step 3: edit /etc/sysconfig/named and change NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude" to NAMED_INITIALIZE_SCRIPTS=""

With these three steps, the problem should be solved.


8. Update Leap 15.3 -> 15.4: php-fpm and AppArmor

With openSUSE Leap 15.4 comes AppArmor, which gets enabled by default. This leads to irritating "permission denied" errors when this happens unnoticed and you did not have AppArmor active with 15.3.

I personally had problems with access to the socket file of php-fpm. It could not get created, but not because of wrong directory permissions but because of AppArmor.

One way to solve this is of course to deactivate AppArmor as root with


However this is not the best solution if you want to keep AppArmor as a security layer. In that case you can let AppArmor audit php-fpm. This might work for you:


This might also help when you get "Could not acquire a shared lock on the config file" with nextcloud.


9. Update Leap 15.3 -> 15.4: Re-install certbot

With openSUSE Leap 15.4 there is no repo that provides certbot. The repos at /home:/* that can be found did not do the trick for me.

The straight forward way to install certbot with openSUSE is described here

For your convenience the steps are repeated:


Your previous config is not touched.


10. Enable ClearView Fonts with WINE

Contrary to what you read on the internet, WINE refers to the Linux system settings to enable font smoothing, commonly known on Windows as ClearType. It is not using the FontSmoothing* registry entries to enable that. However these entries might still be useful, as Windows itself uses those to define the way ClearType is rendered.

Install Windows fonts for WINE or systemwide

The first thing you might want to do is to install Windows fonts. There are two ways to do so. Either by winetricks or by copying them from a Windows installation. The first option will provide the fonts only for WINE or Windows programs running with WINE respectively - the other way will provide those fonts also for all Linux applications like OpenOffice, which might be a good idea.

To install basic Windows fonts for WINE via winetricks use winetricks allfonts in a shell as normal user, not root! This will download and install core microsoft fonts to ~/.wine/dosdevices/c:/windows/Fonts/
These fonts will only be visible for WINE or Windows programs running under WINE.

The other way to install fonts system-wide or at least for your user is to copy fonts from a Windows installation. When doing so, skip "desktop.ini" or any other file that is not a font.

There might be copyright restrictions to take care of!

The target folders can be:
  • /usr/share/fonts
  • /usr/local/share/fonts
  • ~/.local/share/fonts - this is in your home directory and local to your user (i.e. <dir prefix="xdg">fonts</dir>)
  • ~/.fonts - DEPRECATED

After copying new fonts to your Linux system you should run sudo fc-cache -fv and fc-cache -fv (i.e. as root / as normal user) to recreate the font caches.

Activating font smoothing

If all fonts were installed system wide, font smoothing might already work. However, when fonts were copied to ~/.fonts you might need to activate font smoothing for them. Do so by simply adding a local config in the file ~/.config/fontconfig/fonts.conf with at least the following content, if it does not exist yet.
Also look out for a potential ~/.fonts.conf file in your home directory. There never should be both - only one of these, as their contents will conflict with each other!
(Knowing XML you could want to shorten this. However, this is the way it is created by the KDE system configuration utility - and if not set like this, entries will be added and not replaced.)


These entries can also be changed by Linux font configuration. However, if there were no fonts in ~/.fonts present when configuring it or the file ~/.config/fontconfig/fonts.conf does not exist, it has to be created by hand first.
At least it was not present on my installation, so WINE did no font smoothing for the user-installed fonts at all. After I created the file and restarted a Windows program with WINE, it worked out of the box.

Add registry entries

Although I am not sure if this is still necessary, I guess these registry entries still change the way the Windows subsystem in WINE will perform the ClearType font smoothing.

There are three ways to add those entries to your registry.

  • First you can do this by running winetricks fontsmooth-rgb in a shell.
  • Second, if you want to have full control over what is added to the registry, you can add the following entries manually:
  • Or as a third option you can download this shell script, make it executable with chmod +x winefontssmoothing_en.sh and run it by ./winefontssmoothing_en.sh.
    This will create the REG-File on the fly based on your choices.

The FontSmoothingGamma can have different values. The default used by winetricks or the shell script is dword:00000578 but I use dword:000004b0

This way I was able to add font smoothing to WINE.


10a: Update to fonts and font sizes

There is currently a hassle with KDE and GTK / GDK Apps like Thunderbird, Firefox, Chrome, Wine, ... regarding font size and DPI settings. The displayed fonts are either too big on displays with less than 96 DPI or too small on displays with more than 96 DPI (4K displays).

The first thing to know is that Plasma 5.27 dropped use of GDK_SCALE/GDK_DPI_SCALE variables and switched to Xsettingsd. The daemon xsettingsd is installed and running. There is no systemd service file with Tumbleweed. It can be turned on and off by adjusting background processes running - see below.

The good thing is, that you can control your DPI-Settings in ~/.config/xsettingsd/xsettingsd.conf. The bad news is, that the DPI values set are overwritten. According to this bug they are working on it.
But there is help: set the settings in xsettingsd.conf and make that file immutable.

The values we need to set are Xft/DPI and Gdk/UnscaledDPI. The value is multiplied by 1024, so for my display the value is 81DPI*1024=82944. To get your current DPI setting you can read them out with this command: xdpyinfo | grep -b2 resolution

Edit the ~/.config/xsettingsd/xsettingsd.conf as normal user with preferred editor to look something like this (additionally with font smoothing set):

After that we make that file immutable so it is not changed by some arbitrary process which thinks to know better. This can only be done by root:
sudo chattr +i xsettingsd.conf
After that check the setting with lsattr. It should look like ----i---------e------- ./xsettingsd.conf.

The easiest way to achieve the same result or to return to the previous state is to disable the autostart of Xsettingsd daemon. You may do so by using KDE System Settings->Startup and Shutdown->Background Services->disable GNOME/GTK Settings Synchronisation. However, with Plasma 6.1 this setting was removed from System Settings on purpose. But you can still reach them with kcmshell6 kcm_kded or by using "background" (in the language of your UI) as a search term in KRunner.

If disabling Xsettingsd or setting a proper DPI value suddenly leads to very small fonts in FireFox (but everything else looks just fine) you can adjust this in FireFox by tweaking layout.css.devPixelsPerPx and setting it to a value like 1.25 or 1.1. -1 (not set) is the same as 1.

Other discussions on that topic can be found here: openSUSE Forum and on reddit


10b: Mouse cursor themes - setting does not change for all

If you change the mouse cursor theme, this does often not affect some software like FireFox, Thunderbird, ... Those rely on the entries in ~/.config/gtk-3.0/settings.ini, which are often not changed to the same value when changing the cursor theme via system settings. So we will do that manually!

First we need to find the name of our cursor theme. That is basically the name of the directory where the theme lies. This can be found either in ~/.icons or /usr/share/icons, depending on the saved location of your cursor theme. However, you can easily find out the current theme name set by using env | grep XCURSOR_THEME.

Next we will add or change two entries in the settings.ini file. The entries are gtk-cursor-theme-name and gtk-cursor-theme-size, which should be 24. Be advised that there may be more than one settings.ini file, e.g. in ~/.config/gtk-2.0, ~/.config/gtk-3.0 and ~/.config/gtk-4.0 - or even more versions. Change the occurrences in every settings.ini you can find.
Additionally, have a look for ~/.gtkrc* files in your home directory. There might also be a cursor theme set. Wayland might be using this config file.
The changes will take immediate effect on restarting the application - e.g. FireFox.

Be advised that deleting the entries and hoping for the system to inherit the value from XCURSOR_THEME might not work. At least it did not for me. Also, it might be that after some time and reboots the scheme is set anyway, but I did not want to wait. We could think of a script adapting these values to the current setting of XCURSOR_THEME at startup. You might want to do that yourself.


11. Run CS:GO with openSUSE

With openSUSE Tumbleweed in particular and maybe also with LEAP 15.4, Steam's Counter-Strike Global Offensive (CS:GO) does not start. This is a long-running discussion with a lot of hints about what can be done.
Because the journal shows that the crash was caused by libtcmalloc_minimal.so, most suggest replacing the library delivered with Steam with the one from the OS by creating links. This, however, does not work.

The easiest solution is to disable the videos!

To do so, simply move the videos folder to videos.bak. The folder is located at ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama
So open a console and use mv ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama/videos ~/.local/share/Steam/steamapps/common/Counter-Strike\ Global\ Offensive/csgo/panorama/videos.bak to move the video folder out of the way.

Keep in mind: with updates of CS:GO this folder might reappear. If that happens and CS:GO does not start anymore, simply go to the videos folder, move everything in it to the videos.bak folder and delete it afterwards.


12. Kernel 6.2.1 with lockdown of unsigned kernel modules and secure boot

With kernel version 6.2.1 the loading of unsigned kernel modules will not work when secure boot is enabled. This mostly affects NVidia drivers but also others like VMWare kernel modules (vmmon and vmnet).
In various forums you can find a solution to sign these modules on your own with self-created keys. However, the signing tool sign-file is not found in ./source/scripts, as stated in many places referring to Ubuntu. But of course it does exist. With a script containing the following lines, you can create a link for the currently active kernel.
kver="$(uname -r)"
ln -fs /usr/src/linux-${kver%-*}-obj/x86_64/default/scripts/sign-file /lib/modules/$kver/source/scripts/sign-file


In theory you can then create your own key pair, sign the kernel modules and register the key with the BIOS using mokutil. The basic commands would be:
openssl req -new -x509 -newkey rsa:2048 -keyout key.pri -outform DER -out key.pub -nodes -days 36500 -subj "/CN=FREE DESCRIBING NAME HERE" #-addext "extendedKeyUsage=codeSigning" -nodes
kver="$(uname -r)"
/lib/modules/"$kver"/source/scripts/sign-file sha256 key.pri key.pub $(modinfo -n KERNEL_MODULE_NAME)
mokutil --import key.pub --root-pw

A full script might look like this (signing VMWare):

This works now for me.
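
To confirm the result of the signing commands above before rebooting, the following added example (not the page's own script) checks each module file for the signature marker that sign-file appends. The function names are made up for this example; the marker only shows that a signature is present, the kernel still verifies it against the enrolled key at load time.

```shell
#!/bin/sh
# Added example: check that kernel modules carry an appended signature.

MARKER='~Module signature appended~'   # kernel MODULE_SIG_STRING without "\n"

# Hex-encode stdin so binary data can be compared safely in the shell.
hex() { od -An -tx1 | tr -d ' \n'; }

# Print the raw module bytes, decompressing by file suffix where needed.
module_bytes() {
    case "$1" in
        *.xz)  xz -dc -- "$1" ;;
        *.zst) zstd -dcq -- "$1" ;;
        *.gz)  gzip -dc -- "$1" ;;
        *)     cat -- "$1" ;;
    esac
}

# Exit status 0 if the module ends with the 28-byte marker (27 chars + "\n").
module_is_signed() {
    [ "$(module_bytes "$1" | tail -c 28 | hex)" = "$(printf '%s\n' "$MARKER" | hex)" ]
}

# Report every argument, given as a module name (resolved via modinfo -n)
# or as a path. Returns non-zero if any module is unsigned or missing.
check_modules() {
    rc=0
    for m in "$@"; do
        f="$m"
        [ -f "$f" ] || f="$(modinfo -n "$m" 2>/dev/null || true)"
        if [ -f "$f" ] && module_is_signed "$f"; then
            echo "signed   $m (signer: $(modinfo -F signer "$f" 2>/dev/null))"
        else
            echo "UNSIGNED $m"
            rc=1
        fi
    done
    return $rc
}

# Usage with the VMware modules named above, run after signing:
#   check_modules vmmon vmnet
#   mokutil --test-key key.pub    # reports whether the key is enrolled
```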

13. Zypper: force a mirror if downloads are lame

Sometimes when doing a zypper up or zypper dup the refresh of the repos is very slow, and so is the download of packages. This is quite annoying and really bad if you need to do an update or simply have to install a certain package.

The base download URL used with openSUSE packages is https://download.opensuse.org/. With this download location also meta-data is downloaded to identify a valid mirror near to your location, from which downloads should be fast. For whatever reason this sometimes seems to fail. Then you might want to force the usage of a certain local mirror, but zypper does not support the setting of a general mirror - for reasons.

To still use a different mirror, we will have to adjust the files in /etc/zypp/repos.d and replace the default https://download.opensuse.org/ with a different URL.

First, you should visit the Mirrors Report Site of openSUSE and from there select a valid mirror for your purpose. To select a valid mirror, first find your country and then take a look in the column of your used version (Leap, Tumbleweed). You should select a mirror providing all needed repo types like update, source, repo, port, iso and debug.

After finding a valid URL you want to use as a mirror, we will adjust the repo URLs of our local repos. The following script will do that for you, but you can of course take it as an inspiration to do it manually:
Remarks:
- Make sure, the replacement is correctly selected. In this example there is a final / at the end!
- After running the script, the old repos are in repos.d.bak. To revert it you need to do:
mv repos.d repos.d.FAST
mv repos.d.bak repos.d
zypper ref -f # just in case

If the zypper ref -f works without an error, everything is fine now and you can start your update or install a new package.
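
The mirror switch described above, as an added example that is not the page's own script: it backs up the repo directory to repos.d.bak and rewrites only baseurl lines that start with the default URL. The function name and the mirror URL in the usage comment are placeholders; the repo directory is a parameter so the function can be tried on a copy first.

```shell
#!/bin/sh
# Added example: point the zypper repos at one mirror and keep a backup.

DEFAULT_URL='https://download\.opensuse\.org/'   # regex form of the default

# $1: repo directory (normally /etc/zypp/repos.d), $2: mirror base URL.
# Prints the number of .repo files that now use the mirror.
switch_mirror() {
    dir="${1%/}"; mirror="$2"
    case "$mirror" in
        *'|'*|*'&'*|*'\'*|*' '*) ok=0 ;;          # would break the sed call
        http://*/|https://*/)    ok=1 ;;          # scheme and final slash
        *)                       ok=0 ;;
    esac
    if [ "$ok" -ne 1 ]; then
        echo "mirror must be an http(s) URL ending in /" >&2; return 2
    fi
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ -e "$dir.bak" ]; then
        echo "$dir.bak already exists, revert or remove it first" >&2; return 3
    fi
    cp -a "$dir" "$dir.bak" || return 1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # Touch only baseurl= lines that begin with the default URL.
        sed "s|^\(baseurl=\)$DEFAULT_URL|\1$mirror|" "$f" > "$f.new" &&
            cat "$f.new" > "$f" && rm -f "$f.new" || return 1
    done
    grep -l "^baseurl=$mirror" "$dir"/*.repo 2>/dev/null | wc -l
}

# Usage as root (mirror URL is a placeholder):
#   switch_mirror /etc/zypp/repos.d https://mirror.example.org/opensuse/
#   zypper ref -f
```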

Just so you know: the caching directory of zypper is in /var/cache/zypp. You can delete all content (i.e. move all content to a backup directory!) in there if you want a really fresh update and get rid of possibly old downloaded packages.


14. Make a "Pi-Hole" without a Raspberry Pi but with your own DNS (BIND 9)

This is for all users who already have their own DNS server running, e.g. to resolve internal devices by name instead of IP, to have control over DNSSEC, or to forward to a certain DNS server like Cloudflare instead of the provider's DNS, and who now want to use that DNS to block certain domain names that only deliver SPAM or ads. A DNS server is a good choice for that, as browser plugins only work in a browser. A DNS-based block works for all devices trying to connect to unwanted URLs.
So if you want to block certain domains and already have your own DNS up and running, you do not want to add a Pi-Hole just for this one purpose. Furthermore, you would have to chain these two DNS servers.

Some additional thoughts:
  • On the internet there are basically two different approaches discussed to achieve this.

    1.: Some prefer to create one default ZONE file with * in A 127.0.0.1 and * in AAAA ::1 entries plus an additional named_include.conf containing entries like zone "blockeddomain.com" {type master; file "/var/lib/named/THE_DEFAULT_BLOCK_ZONE.zone";}; that is then included in named.conf

    2.: Others prefer to create only one ZONE file containing entries like blockeddomain.com CNAME . and refer to that one by only one zone definition in named.conf.

    As these lists will easily contain thousands of entries, I prefer the second approach, as that one is much faster at reload and has much less memory consumption.

  • The lists with the domains to block sometimes do not contain FQDN-like domain names. These names need to be converted. I use idn2 to do so. If you want to use my script provided here, you will need to install idn2. yast will do that for you if you install libidn2-tools.

  • We create all files to be run only by root, because we want to write into the CHROOT environment of BIND at the end. You might come up with a better solution to that.

  • Some domains listed are for counting access to certain sites. One prominent example is t.co that enables X (aka Twitter) to count clicks on links. If you encounter unwanted restricted access you need to change the script for whitelisting certain domains. I have not implemented that yet.

  • Internet sites, when providing a service free of charge, finance themselves via advertising. With this script you will not support those sites anymore and some sites might even restrict access to content then.
    However, switching off the blocking is not done with one click. You will have to remove the ZONE file definition in /etc/named.conf, restart/reload BIND and reload the page.
    You have been warned.

That said, let's go into this. To enable a DNS to block certain domain names, the basic idea is to provide a ZONE file that will resolve all unwanted domains to NXDOMAIN. To achieve that we need three basic things:
  • add a new zone file reference to your /etc/named.conf
  • download domain lists from e.g. someonewhocares.org, parse them, create valid FQDNs and create the zone file.
  • create a cron job to regularly recreate this ZONE file

Step 1: add ZONE file reference to named.conf

You need a zone file to handle the unwanted domains. To make BIND load that, we need a reference in /etc/named.conf like this one:
Just add that to all other ZONE definitions or at the end of the file. Do not forget to change the location of the ZONE file to your own needs!

Step 2: The shell script to create the ZONE file

Here now I provide you with a script that will download a domain list from two different providers, merge these together, convert the domains provided to valid FQDNs and distinctly sort the list.
The files downloaded are either a plain list of domains or (mostly) a host file. The latter needs parsing to extract the domain names. Of course, we need to get rid of everything regarding special domains like "localhost".

We also provide the opportunity to add additional domains via a local extra.adservers, if you have to block something that no list blocks yet. This is a plain text file listing domain names on separate lines.

The ZONE file created here follows a basic structure with a static block at the beginning. A ZONE file has a unique identifier and if it changes, this identifier also has to change. We use the current date to generate that unique identifier. You may of course adapt this zone file to your personal needs or strip down the static head to the bare minimum.
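
An added example of the parsing and zone-building steps described above (not the author's script, and without the download and idn2 steps): it accepts only strict ASCII host names, so a broken or tampered list cannot put directives such as $INCLUDE or wildcard records into a zone file written as root. The function names, sample list and SOA values are assumptions, and `CNAME .` returning NXDOMAIN assumes the zone is loaded as a BIND response-policy zone.

```shell
#!/bin/sh
# Added example: build block-zone records from hosts files and plain lists.

# Constructed sample input: hosts-file lines, bare names and hostile junk.
sample_list() {
cat <<'EOF'
# constructed sample, not a real block list
127.0.0.1 localhost localhost.localdomain
0.0.0.0 Ads.Example.com   # trailing comment
127.0.0.1 tracker.example.net
ads.example.com
$INCLUDE /etc/passwd
0.0.0.0 bad_host.example.org
0.0.0.0 0.0.0.0
*.wild.example.org
EOF
}

# stdin: list lines; stdout: validated, lower-cased, unique domain names.
extract_domains() {
    tr -d '\r' | sed 's/#.*//' | LC_ALL=C awk '
    NF == 0 { next }
    {
        isip = ($1 ~ /^[0-9.]+$/ || index($1, ":") > 0)
        if (!isip && NF != 1) next       # neither a hosts line nor a bare name
        for (i = (isip ? 2 : 1); i <= NF; i++) {
            n = tolower($i); sub(/\.$/, "", n)
            if (length(n) > 253 || n ~ /^localhost\./) continue
            # LDH labels only, at least one dot, last label starts with a letter
            if (n !~ /^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z0-9-]*[a-z0-9]$/) continue
            ok = 1; k = split(n, lab, ".")
            for (j = 1; j <= k; j++) if (length(lab[j]) > 63) ok = 0
            if (ok) print n
        }
    }' | LC_ALL=C sort -u
}

# stdin: domain names; $1: zone serial (default: today as YYYYMMDD00).
make_zone() {
    serial="${1:-$(date +%Y%m%d)00}"
    printf '$TTL 3600\n'
    printf '@ IN SOA localhost. root.localhost. ( %s 3600 600 86400 3600 )\n' "$serial"
    printf '@ IN NS localhost.\n'
    while IFS= read -r d; do printf '%s CNAME .\n' "$d"; done
}

sample_list | extract_domains | make_zone
```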

The script is quite long, but should be very self-explanatory. Copy and paste it to e.g. /opt/adserver/get_adservers.sh, change the variables in the head to your needs, and make that script executable with chmod 755 get_adservers.sh.

To verify the output of all conversions, you might want to remove the deletion of the temporary files at the end of the script and inspect those in /tmp.

Here it is:

Step 3: add your script to root cron

To add your script to root's crontab, call crontab -e and add the following line:
0 0 * * 1 /opt/adserver/get_adservers.sh #retrieve new list of adservers
With this, the script will be called weekly.
You can of course also use webmin for such tasks.


After running the script your BIND will reload its configuration, i.e. also load the new ZONE file with all unwanted domains to return NXDOMAIN for those. Have fun!
© 2004 - 2023 by Daniel Becker
