OpenSuse

The observatory's servers and control computers run on the OpenSuse distribution of Linux-based software, currently Leap 15.5 . We have chosen the Leap series because of its conservative testing and stability. Generally the slowed cycle of new versions does not cause problems, except where we need software that is pushing the edge, notably AstroPy and Stellarium. We have been using Tumbleweed as well since it was introduced on selected telescopes where the most recent packages were required, usually without stability issues.

These evolving installation notes originated with much earlier versions of OpenSuse and are rewritten as we gain experience with the most recent releases and work-around solutions to problems. The following describes how to build a system with OpenSuse that provides a solid foundation of software for physics and astronomy for real-time control of telescopes and observatories, use in the laboratory or the field, operating small servers, and processing astronomical data.

Tumbleweed

Installation of Tumbleweed as an upgrade to an existing system may be done remotely, but note that it can fail if many packages are changed.

https://en.opensuse.org/openSUSE:Tumbleweed_upgrade

The process has a few simple steps to update the current OS, then change repositories, and perform the update. Following the instructions at these links will result in a new system that should reboot and run immediately.

Because of the very large number of packages involved as a new installation, it is best to remove latex and texlive first before doing the update, and then if needed re-install at leisure. It can take many hours on a high speed network to get the texlive files.

DHCP networking in Tumbleweed and Leap 15 does not send a pure MAC address even when it supposed to. That is, it transmits a longer identifier that may not be recognized by network DHCP services if a pseudo-static IP based on the MAC has been assigned. While the solution to this is simple, it should be done with yast before rebooting the new system, especially when the system is built remotely for Tumbleweed. If this is not done for networks that require the identifier the system networking will not find the assigned pseudo-static IP.

• Network Settings
• Global Options
• DHCP client identifier
• Paste MAC address of the DHCP network interface card
• Edit the field to insert "01:" before the MAC address

Now when the network is configured it will restart and should receive the assigned IP for this card. Make sure that only one Ethernet connection from the computer is presenting to the network with DHCP to avoid issues with booting with unexpected assignments.

Check the results with

 ip a
 ethtool eth0
 nslookup www

where the latter tests that DNS services are properly provided. The configuration is saved in /etc/sysconfig/network/dhcp .

Given the cutting edge character, we are concerned that issues could arise during routine updates. Opensuse Leap has a 18 month development cycle that allows sufficient time between upgrades that it can be a stable solution for production, with the disadvantage that updates require physical presence at the server. As of June 2021, Tumbleweed has been a reliable platform with the advantage of the most recent libraries.

The following instructions should work for installing Tumbleweed or Leap.

Before Installation

If possible, for a new installation of the operating system or a major update to a disk in service, consider installing it on a new disk and copying the important files over from the old one. This is the safest path.

Prepare a DVD or a USB memory stick with the ISO image of the distribution. OpenSuse's imagewriter is a convenient way to create the correct structure on the USB device. Newer hardware will accept a USB memory stick for booting, but older (say prior to 2015) may require a DVD drive.

On a new system not using RAID, deselect RAID in BIOS if it is offered. This will prevent OpenSuse from creating disk partitions with RAID. However, if RAID information has already been written to the disk the OpenSuse installer will assume a RAID configuration even if hardware raid is not enabled. A simple cure is to install the system twice. On the first pass use the Expert Partitioner option and delete the proposed raid configuration. Then in /dev/sda (or equivalent) add a root and a home ext4 partition but intentionally do not add a boot partition. The installer will warn you this will not work. Ignore those warnings and let the installer prepare the disk. Once that is accomplished you can abort the installation, or let it run to the end. The disk will not be bootable but it will be cleaned of RAID and on the next installation pass you will have a proposal to use the full disk with conventional structure and btrfs for the root partition.

For most new machines allow UEFI (custom option, if available) and disable compatibility mode in the BIOS. The installer will identify the system as allowing UEFI and properly select the boot configuration. However, also use the BIOS setup to change the boot priority to the medium reflecting this choice. The boot medium and a UEFI installation must match.

Opensuse will detect and set up a UEFI boot protocol unless this option is turned off in the BIOS. With that selection it will handle and format large disks.

Some recent hardware, notably the Supermicro X10-SRA, may hang on booting with older USB devices attached. While we do not know the cause, the cure in this instance was to enable EHCI-Hand-off in the USB configuration options presented for the BIOS. This may apply only to specific applications, and could be kernel-dependent,. In general, the default BIOS settings are fine for installation and need modification later if specific applications raise issues.

During installation

If your computer has more than one network connection, for example for a local subnet and for a global or institutional network, physically disconnect the local one until installation is complete. This will prevent the installation scripts from mis-identifying the network assignments.

Insert the medium, reboot the system, and select Installation from the splash screen. If there is a booting problem, use the keyboard to bring up a boot selection screen (often "Del", F11 or F12), and check the boot order and if needed also the BIOS setup.

If there is a proxy for network access at this point it may be necessary to enter that information before proceedings to the actual installation. At the OpenSuse boot screen press F4 for access to the manual network configuration and enter the information. At Mt. Kent, for example, there is a proxy but it is handled automatically for browsers. For zypper and yast, however, it has to be explicitly configured to http://proxy.usq.edu.au:8000 so that yast will find the repositories. After installation for normal use this would be turned off by deselecting the proxy in the yast configuration screen.

On laptops with Nvidia Quadro graphics and GPU combined with Intel graphics, if the BIOS allows it, deselect options that use the Intel graphics and then enable sole use of Nvidia. This avoids a multitude of booting and configuration issues, and provides a platform for GPU computing. The downside is increased power consumption and loss of battery life. If those are the primary considerations, then it may be best to not use Nvidia at all. Alternatively, it is possible to install Bumblebee to enable switching between video hardware for specific uses. Nvidia Quadro, which provides GPU computing, requires their proprietary driver for full support.

At this point if the system has a recent Nvidia card it also may be best to disable modeset. The symptom this is necessary is that subsequent booting freezes before the installation begins. Edit the boot options if needed by pressing "e" before the system tries to start an installation. This will open a simple boot editing screen with instructions.

At the end of the line for linux add "nouveau.nomodeset=0" . Similarly, a problem with an Intel graphics card that was switching, perhaps to a Displayport interface, was fixed with simply "nomodeset".

Continue with the installation as instructed on this editing screen. The default settings should work with the following additions and exceptions.

Deselect software by taking the checkmark off with a spacebar press. After installation is complete, return to the software menu of YAST and make sure that those items never to be install (pk-update is the worst of them, AppArmor not far behind) are marked "Taboo". Do not install them.

Leap 15.1 installation offers KDE, Gnome (Wayland), and a basic system for customizing. We prefer the customized soluiton, and when selecting software add Xfce for an environment that is lightweight but fully functional. Add their development code for Gnome and KDE (Qt will be present by default).

LaTeX and related content is under the "Technical Writing" group. It is a lengthy download and may be installed later. For an upgrade, if it is already installed, it may also be best to delete it first, then reinstall when it can run overnight if your network connection is is not very fast.

Set the computer system clock to use UTC, check the time zone and the local time.

The gparted and gnome-disks packages are useful to manage disks larger than 2 TB. With new disks the installer will use BTRFS and as of Leap 15.1 it will create a large partition for the entire disk. In the event of a failure, leaving a critical disk formatted in the wrong size or filesystem, add gdisk from a repository and reformat the disk. Reboot, and re-install the operating system on the reformatted disk. Earlier versions of Leap would install the operating system in a small partition that limited the space available, and then allocated the balance to an XFS partition for user space. Check that adequate space is left for your system needs and use the expert mode if needed to allocate space before installing the operating system. Once partitioned, OpenSuse will use existing partitions as a guide and it is difficult to override these choices later.

Deselect and mark "taboo" Apparmor for systems which do not require its access controls. Delete pk-update to avoid nagware about package updates and mark it for non-installation permanently by selecting "taboo"

Turn off firewall (assuming your system is already behind an adequate institutional or local firewall)

Open the port for SSH

Check the boot option for grub2 matches that of your machine (should be UEFI if available)

Complete the installation from the media (either USB or DVD)

Remove the medium, reset the boot priority to the hard disk first, reboot

From OpenSuse using YAST

Start yast from the command line as su with yast --qt or "yast2"

Disable DVD or USB in software repositories

Unless doing GPU development or you have recent nvidia hardware, do not include the repository for nvidia (creates a long term maintenance problem) and use the Nouveau Xorg driver instead. If you have an older nvidia card that may not be supported properly in either nouveau or nnvidia drivers, remove nouveau and rely on the VESA driver. It almost always works with any graphics card and display.

Perform all updates based on default repositories as needed

Note that in removing packages select Options --> Cleanup when deleting packages to prevent their automatic reinstalling though the pre-selection feature of Yast. Generally it is not necessary to remove packages unless there is something about them that interferes with your use of the system. In most cases they may be disabled in subsequent system configuration.

Remove really annoying pk-update-icon if you missed deleting it initially. You will have to mark it in YAST for permanent deletion.

Add Nvidia public repository if needed and nvidia graphics and gpu drivers. Select the most recent driver unless Nvidia's documentation suggests otherwise for your hardware.

Add texlive if it has not already been selected. This is a very large package with long download time.

Add lsb

Add apache if used as web server

Add blas-devel

Add php and packages if used as web server

Add gsl and gsl-devel

Add nano

Add timidity

Add audacity

Add audio-recorder

Add stellarium

Add geany

Add gedit

Add gnome-disk-utility (previously palimpsest)

Add gtkglext-devel

Add hdf5 (required by Python Pynpoint-exoplanet)

Add hdf5-devel

Add hdf5-devel-static

Add imagewriter

Add libcurl-devel

Add liblapack

Add liblapack3 (development files)

Add libatlas3 (optional required by astromatic software not in Leap 15)

Add libatlas3-devel (optional required by astromatic software not in Leap 15)

Add liblua5_3-5

Add mlocate

Add nasm (used by openh264)

Add netpbm

Add libnetpbm-devel

Add okular

Add pavucontrol (pulse audio control to work around problems with defaults)

Add plplot

Add plplot-devel (optionally other plplot packages as needed)

Opensuse Tumbleweed installs Python 3.11. The default system python command in /etc/alternatives. Do not use its pip3 option for installing packages, and instead install them from Yast if the are available. If not, the preferred scientific Python solution is to install from source as an end user in your /home directory and build a version that is independent of the operating system's Python. This provides for long term maintenance, and few conflicts between dependencies for system code and for cutting edge science code. If that solution is taken, then do not install optional Python 3 packages unless they are needed for system routines (e.g. in an Apache service) but instead build the local version and add modules with pip.

The following packages could go to the system Python 3.11 for useful code run system-wide. If our code is to use the system version of Python 3, then the following optional packages would be needed on new systems. For a complete OpenSuse Python3 installation, use the search option in yast for python3-, right click on the field of search results and select all entries. Then deselect any you do not want. This will install packages that have conflicts to resolve. Make your best choice on those. Packages we know we need and are adequately provided by the operating system are .

Add python3-Beautifulsoup4

Add python3-Cython

Add Python3-Sphinx

Add python3-cairo-devel

Add python3-certifi (optional, may cause other issues)

Add python3-dateutil

Add python3-distutils-extra

Add python3-Flask

Add python3-idle

Add python3-numpy or use pip.

Add python3-numpy-devel or use pip.

Add python3-qt4

Add python3-qt5

Add python3-scipy or use pip for this and related packages to get the most recent versions.

Add python3-sympy

You will also need matplotlib and its add-ons.

Add python3-matplotlib

Add python3-matplotlib-tk

Leap 15 and Tumbleweed should supply Tk with a consistent matplotlib. If there are issues with it, you may deselect the matplotlib packages marking them "taboo" in yast, and instead, after work with yast is over, use pip and install matplotlib from pip as described below. This will insure the latest version of matplotlib, especially as Leap ages and matplotlib moves forward with new releases. Nevertheless, best to leave all this alone and install an independent Python solution.

Additional packages you will need from YAST are --

Add libevent-devel

Add libffi-devel (for compiling Python 3.7+)

Add libopenssl-1_1-devel

Add fftw3-devel, libfftw3-threads, and fftw3-threads-devel

Add ncurses-devel (for compiling Python 3.7+)

Add openssl-1_1

Add python-devel (for compiling Python 3.7+)

Add readline-devel (for compiling Python 3.7+ with readline rather than gnulreadline)

Add sk1

Add xfig

Add ufraw

Add gimp-ufraw

Add gphoto but not gphotofs

Add qiv

Add guvcview or luvcview for webcamera viewing

Add motif

Add motif-devel

Add motif-devel-32bit

Add other motif libraries if they are not installed by default

Add libXmu-devel

Add libXp-devel

Remove all virtualbox rpm's installed from OpenSuse

Add yasm

Add yasm-devel

Add libpng12-devel (optional)

Add libpng16-devel

If using Grace earlier than 5.1.25 deselect libpng16-compat-devel and select libpng12-compat-devel

Add fxload (used by SBIG cameras)

If building Python from source as of version 3.6 in order to get urllib to work add the ghc- packages

After updates

Disable modemmanager because it interferes with serial ports used for instruments

Configure dnsmasq if used to run a subnet and start it from yast

Disable avahi as unnecessary in our environment

Edit /etc/sysconfig to set locate default search to root

Use YAST to set NTP servers for your domain rather than Opensuse's defaults. New installations of Leap will use chrony rather than ntp for improved synchronization. With ntp, check the performance using "/usr/sbin/ntpq -p" or with chrony use "/usr/bin/chronyc tracking". As of July 2018, chronyc is a preferred option.

On a longer term, routine updates that will change repositories as needed can be done from the command line

 zypper dup

Add any needed Python3 modules requiring pip, notably matplotlib (see below)

Your own local binary file directory

The Unix system resource directory /usr/local with its bin, src, lib, lib64 and other subdirectories is the normal place to drop software that is not available as a package and is used system wide. There are potential conflicts with identically named code in the system that may be resolved by the PATH environment, and by rename files to be distinctive. Python installed in /usr/local/bin/ can be especially problematic because it is used for system utilities, and if the system Python is set up to run a virtual environment for an end user who has venv activated, even knowing which Python is running a code can be uncertain. The preferred solution for our systems is to let any end user install their own versions of software in their personal /home/user/local directory and put the /home/user/local/bin/ directory in their search PATH. That works for AstroImageJ as well, which can be installed anywhere in a user's space with a softlink from /home/user/bin or from /home/user/local/bin to the executable "AstroImageJ".

Some distributions of software source files require fine tuning to compile and install in other than the default directories, notably astrometry.net uses

 make install INSTALL_DIR=/home/user/local/astrometry CFITS_INC="-I/home/john/local/include" CFITS_LIB="-L/home/user/local/lib64 -lcfitsio"

for a "user" where cfitsio is also installed in that local directory.

Python

For OpenSUSE Tumbleweed (current as of March 2024) Python-3.11 is installed. A preferred solution is not to bother with the system versions at all, and to install Python 3 from source.

Python - installing the latest from source

For Astropy and perhaps other modules that are under rapid development, the system Python 3 and the latest package requirements may be incompatible. With that option your local programs will call your local python explicitly, for example as /home/user/local/bin/. You can also set your PATH so that it searches /home/user/local/bin before /usr/bin to circumvent the system version. You can make code in your personal /local/bin readable by other uses if you want to share executable. This technique may be preferrable to running in a virtual environment using the "venv" option of recent Python3 since it offers the explicit execution of a version with its installed packages, and no possibility of conflict with the system python or its updates.

To install from source follow these instructions exactly:

# Add the packages from OpenSUEnoted above with attention to the patterns for development
# Download the source tar fil, for example Python-3.11.8.tar.xz and as a normal user create in your home directory a "local" directory with /local/bin and /local/src.  Copy to this /local/src 
# Untar the file
# Within the source directory  run ./configure --prefix=/home/user/local/ --exec-prefx=/home/user/local/  where "user" is your user ID on this system.

There may be missing system development packages which this process will reveal. Simply add them one at a time until you can successfully configure the code and build with "make" below. One to look for is "readline", which is essential for core python and is not packaged with it as a module.

# The other defaults will be fine.  Your new Python will go into your /user/local/ directory.  Some users prefer /opt, which can be changed as a configuration option.
# make
# make test (if in doubt)
# make install (running as a user, not as su or root)

If this fails it is probably a missing package. Check the ones that are required, install them, make clean, make, make install again. The in OpenSUSE you must provide a link in the "lib" directory for lib-dynload pointing to the libraries in lib64.

# ln -s /home/user/local/lib64/python3.11/lib-dynload/ /home/user/local/lib/python3.11/lib-dynload

It is not necessary to assign either PYTHONHOME or PYTHONPATH, or to use an environment manager to have this version work independently of the system version. However, be aware that the functions you need are explicity in your /local/bin and that they refer to python by its version, that is python3.11 and pip3. To run your own locally built Python echo PYTHONHOME and echo PYTHONPATH should return empty strings.

Modules by pip

Because they are not available as a package in OpenSUSE for Python 3, or because you are updating another installation, use explicitly the pip for your Python. That is, for the system python3, /usr/bin/pip points to /etc/alternatives/pip which points to /usr/bin/pip3.11 in Tumbleweed . Our separately installed python has your /local/bin/pip3 .

If the system is behind a firewall requiring a proxy, possibly pip will see the system proxy configuration. If not, try

 export https_proxy=http://proxy.domain:port

where typically the port is 8000 or 8080.

For installing in the system python, if matplotlib for Python 3 was installed with yast it must be removed in a two-step process. First delete it from yast and then and mark it taboo so that it will not re-install. Afterward, remove it from the system python this way.

pip uninstall matplotlib

pip install matplotlib --upgrade --no-cache-dir

Also for the system python you may need to do this

pip uninstall six

pip install six --upgrade --no-cache-dir

Now if you are building a separate Python for science, use the pip for it and add the modules you need. This may include several that were installed on the system using yast, as well the matplotlib ones and these. Start with these since pip will resolve dependencies, probably use cached source unless you tell it not to, and in the process grow the missing branches of your Python tree. Later, if you find something missing, you can add it as needed.

Install matplotlib will install numpy (pip install matplotlib)

Install scipy (pip install scipy)

Install cython (pip install cython)

Install scikit-image which will install pillow (pip install scikit-image)

Install astropy (pip install astropy)

Install skyfield (pip install skyfield) replaces deprecated pyphem

Install healpy (pip install healpy)

Install reproject (pip install reproject)

Install quantities (pip install quantities) to have physical constants

Install emcee (pip install emcee) to have an MCMC library

Install pyastronomy (pip install pyastronomy) or from source on github pyastronomy

Install bokeh for browser-based graphics (pip install bokeh)

Install pycurl for remotely communicating with a server (pip install pycurl)

If there is an error from the SSL library, use these two commands to resolve the dependency:

 export PYCURL_SSL_LIBRARY=openssl

 pip install  --upgrade --force-reinstall  pycurl

Dowloading files from Google drive requires two modules

 pip install --upgrade google-api-python-client
 pip install oauth2client

The first of these provides the module "apiclient" and the other provides tools for authorization which would be imported this way

 from apiclient import discovery
 from oauth2client import client
 from oauth2client import tools
 from oauth2client.file import Storage

as described by the official google download api respository here

Lastly, install the software chain for data visualization with Python using pip rather than the system package because Pandas is developing rapidly

Install pandas (pip install pandas)

Install scrapy (pip install scrapy)

Install requests (pip install requests)

Install flask (pip install flask)

Astropy

Astropy is a collaboration to provide a consistent and comprehensive distribution of astronomical software to the research community. For systems running Python 3.5 and above it can be installed as other packages

Install astropy (pip install astropy)

The recent restriction excluding Python 3.4 means that new installations on older operating systems cannot add astropy without some work around solution such as described above.

Astropy resolves dependencies on pyfits, originally developed at the Space Telescope Science Institute. Code requiring pyfits will work by adding

 import astropy.io.fits as pyfits

to the Python 3 source.

From source in /usr/local

For rpm packages use

 zypper --non-interactive install package.rpm  

or add --no-gpg-checks if necessary. For java routines. install the source in /usr/local and provide a softlink through a startup script in /usr/localbin. Larger packages such as alternative python builds would also go in /usr/local in preference to /opt. The entire /usr/local tree should not be in the root partition, but linked to it from a user partitiion that will not be lost in system re-installation.

Install nedit from updated source to /usr/local/bin with a link in /usr/bin/

Add lame and lame library packages for mp3 audio

Install mplayer through the command line svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer or from a stable package along with skin and codecs

Install AstroImageJ and update to the latest daily build. Copy the current best practice configuration from a working system.

Install AstroCC

Install Alsvid updated for Python3

Install ds9 using a recent version from https://sites.google.com/cfa.harvard.edu/saoimageds9/download.

Install xpa

Install cfitsio with make, make shared, and make install. Then manually copy lib64 and include installation directories to /usr/local/lib64 and /usr/local/include, and run ldconfig.

Install grace (build from source with local FFT modifications for normalization)

Install Aladin

Install xephem -

Copy the XEphem source from the licensed archive to a temporary directory. Install each disk by default in /usr/local. Remove all the ._ files which are created on a Mac OS and remove the execute permissions on many files that come from the source. Copy the xephem.sites list with augmented sites into the auxil directory. Update the Soft* catalogs. Copy XEphem to the /etc directory for global defaults to the home observatory. Optionally, recompile the source code and copy it to /usr/local/bin/, removing the default pre-compiled version in /usr/bin/ . Copy xephem.man (not xephem.1) to /usr/local/man/man1.

Install astrometry.net

Download the latest from the astrometry.net website

http://astrometry.net/

which will be a recent stable version ready to compile. The cutting edge is on the git repository

https://github.com/dstndstn/astrometry.net

and it will not compile with editing and is not recommended.

Astrometry.net uses the system default Python unless you chose otherwise. In Opensuse Leap 15.1 with Python 2.7 as the system default, compilation of astrometry.net still falls back on having some 2.7 packages present. Before building astrometry.net from source, check that they system has

python-devel python2-numpy-devel swig git libnetpbm-devel

to avoid errors on the first attempt.

Other python utilities may use a locally installed Python, say /usr/local/bin/python3.9, if you are compiling with a library path that will find it. That is, echo $LD_LIBRARY_PATH should show /usr/local/lib and /usr/local/lib64. The environment variables are not preserved when compiling after "su". Two simple solutions are either to change ownership of Astrometry.net and compile as a normal user, or connect directly as root user and compile. Either way, check the environment first. Once that is done, edit util/makefile.common so that it reads this way

 # don't change this one -- it must match what is in the bin/* scripts
 PYTHON_SCRIPT_DEFAULT := /usr/bin/env python

 # change this if you want to set exactly which python program gets run to
 # execute the python scripts in bin/ (image2pnm and friends).
 # Note that this must be a full path (this is a bash requirement).
 #PYTHON_SCRIPT ?= $(PYTHON_SCRIPT_DEFAULT)
 # eg,
 PYTHON_SCRIPT ?= /usr/local/bin/python3.9

The only change required is to point specifically to the python you need. Opensuse Leap 15 also installs Python 3.6, which is one release behind the current one (at this writing) of 3.9. The simplest solution to this and staying up with the requirements of astropy is to install Python from source in /lusr/local and then link to it here and elsewhere as needed. However astrometry.net will have a dependence on the systems Python 2.7.

In OpenSuse Leap you will also have edit util/makefile.netpbm if compilation does not find the library. You may later change the #! lines in the scripts in the installed bin directory if another Python on the system is preferred.

If netpbm is not be found, edit the file util/makefile.netpbm to point it to the correct place:

NETPBM_INC ?= -I/usr/include/netpbm
NETPBM_LIB ?= -L/usr/lib64 -lnetpbm 

Astrometry.net by default installs in /usr/local/astrometry. Add /usr/local/astrometry/bin to the $PATH in /etc/profile.local. Replace the data directory with a soft link to the system archive of astrometry data files, currently the 4200 series. On systems witih limited root disk space, install astrometry on another disk and link it to /usr/local for consistency with scripts.

Install swarp

Install sextractor

Install psfex (current release does not build in Opensuse Leap due to cblas package incompatibility)

Install hp15c

Install tightvnc_viewer

Install moodle (depends on mysql, apache, and php) on educational servers

Install mediawiki (on servers as needed)

Install cfitsio

Install xpa

Install xmtel (if needed)

Install xmccd (if needed, also provides libcfitsio and xpa)

Update /etc

Copy motd

Edit HOSTNAME

Add entries to /etc/rc.d/boot.local

Add profile.local

Edit /etc/dnsmasq.conf as needed

Settings for the network

Configure network as needed for additional cards defined for internal zone

Configure dnsmasq as needed to service one or more cards

Add masquerade to firewall settings if internal zone present (required for dnsmasq ip forwarding)

Start the firewall if using dnsmasq or needing the security it provides

Start dnsmasq

Run services manager and turn off unused services

Run lsof -i to confirm there are no insecure open ports

Reboot the system

With Opensuse's use of the wicked network daemon, a configured network device will not show its IP until it is physically connected to an active network. The yast configuration option "at boot time" for network configuration means that these ports must see a live connection when the system is booted to find their configuration. This is not a bug, it is a "feature". The alternative option "on cable connection" is not useful for a fixed instrument controller. If a device is physically connected and does not show its IP in ifconfig, try "systemctl restart network.service" or a reboot.

Additional security

The OpenSuse network monitoring daemon xinetd provides tcpd wrapper service within the systemd framework. This enables use of hosts.allow and hosts.deny to filter access in a simple way. By default, xinetd will not be started with a new installation. Enable it in the system configuration on YAST and start it on boot. In hosts.deny put "ALL: ALL" to close the network for everything the software is aware of, and then allow specific IP addresses to access the services with entries in hosts.allow. Insure that xinetd is running, and check journalctl for failed login attempts routinely as a basic security front line, usually behind a more secure institutional firewall.

Desktop

Run nvidia-settings to set display for a system with Nvidia hardware if the Nvidia drivers are installed. The latest community Nvidia support is adequate for most purposes without installing the proprietary Nvidia driver and kernel module. The system is more easily maintained if it runs using the community supported package which is improving quickly.

The default desktop is set this way

• update-alternatives --config default-xsession.desktop

and respond to the options. The WM system configuration is not read by most managers. Set xfce.deskop or else it will default to gnome and make remote starting of VNC with xfce impossible.

OpenGL with NVidia

Users should be members of the video group to have access to opengl applications. If they are not, the application may run slowly (glxgears) or crash (celestia). For some applications with older hardware the Nouveau open source driver will suffice and be less likely to interfere with system updates later. This driver is compatible with randr and allows command line setting of multiple displays. For example if there are two displays on the graphics card, a command line such as

• xrandr -q

will list the available displays and their capabilities, while one such as

• xrandr --output DVI-I-2 --right-of DVI-I-1

will configure them as one screen providing acceleration across the desktop.

Newer Nvidia cards and all of the Quadro family require loading the lastest nvidia driver and the kernel modification. Add Nvidia as a repository and use YAST to manage the updates. Reboot the system afterwards. Run nvidia-settings to configure the desktop. If needed, save the xorg.conf file and copy it to /etc/X11 so that it applies on the next restart of the X server.

Google Chrome

Install the Chrome public keys

• wget https://dl.google.com/linux/linux_signing_key.pub
• sudo rpm --import linux_signing_key.pub

and then with the Firefox browser retrieve the latest 64-bit rpm package of Chrome and install it

• zypper --non-interactive install google-chrome-stable_current_x86_64.rpm

Installation of Google Earth is similar

• zypper --non-interactive install google-earth-stable_current_x86_64.rpm

Adobe Flash

Flash is obsolete and no longer needed, or supported. It is best forgotten.

gPhoto2

The gphoto2 application runs Nikon DSLR cameras for real-time observing, scripted imaging, and called by cgi routines from a web server. To give the USB device the proper permissions without invoking unwanted software (the default for a Gnome installation in OpenSuse), we make sure that libgphoto2 is installed, but not the file system. In OpenSuse there will not be a udev rules file installed by default.

As root user,

cd /etc/udev/rules.d

/usr/lib64/libgphoto2/print-camera-list udev-rules version 175 group video mode 0666 > 90-gphoto.rules

where the version given has to be high enough to work with udev and still be recognized by libgphoto2.

Add the video group to users who will be observers, and to the user wwwrun by editing /etc/group or by using YAST.

When a camera is connected or turned on, it will accessible by any user in the video group, including the cgi applications used for remote operations.

exFAT

Add fuse-exfat from OpenSuse package search, currently version 1.2.4

• zypper --non-interactive install fuse-exfat-1.2.4-2.1.x86_64.rpm

This provides support where needed for SDXC memory cards through the Microsoft exfat filesystem.

VLC

The version of VLC that can be installed with Yast lacks all proprietary codecs necessary for many common uses. The OpenSuse version should not be installed. To build from source --

• Install lua and lua-devel if not already installed

• Download the latest source tarball from VLC (currently 2.2.1)
• Use the latest x264 source also from VLC, compile, and install
• Use the latest ffmpeg source tar file best taken from mplayer, compile, and install

• Untar ffmpeg
• ./configure --enable-pic --libdir=/usr/local/lib64 --enable-libmp3lame --enable-libx264 -enable-gpl
• make
• make install
• ldconfig

• Untar vlc
• ./configure --disable-mad --disable-a52
• make
• make install

Mplayer and ffmpeg

Mplayer is no longer recommended because it may not build, or will build with errors even from the most recent source. Instead, install mpv from the OpenSUSE repository. Use ffmpeg as installed by the most recent version of Tumbleweed.

Blender

Blender is available in the OpenSUSE archive but as of March 2023 it is the outdated version 2.8. As a single user, install Blender from its website using the executable package because it comes with all the components and runs flawlessly. See [1] for details on version 4.0, current as of March 2024.

Simple Screen Recorder

This very effective tool for making on-line instructional videos and lecture content is included in the Opensuse distribution. However, the distributed version lacks many useful codecs. Retrieve the source code, probably best from Packman where it will have been prepared for Opensuse. Compile it as an unprivileged user with the configuration flags ./configure --without-jack --oldincludedir=/usr/local/include that currently make it work without jack and with x264 on Opensuse. Install it as root with "make install". This version will have the codecs of ffmpeg and be broadly useful without needing subsequent file conversions.

VirtualBox

With Tumbleweed, the version of Virtualbox in the latest distribution will be sufficiently current that it will work well simply installed from Yast. With Leap, it may require manual installation from source once a year or so has passed since that version of Leap was introduced. If VirtualBox is going to be used, it may be best to start with Tumbleweed to make long term maintenance easier.

OpenGL

Users must belong to the video group to have access to OpenGL when NVidia drivers are in use.

Sound

Tumbleweed comes with Pulseaudio and Pipewire installed and working with Bluetooth as well. Add Audacity for sound editing.

Conferencing with Zoom

Zoom conferencing requires the installation of a package from their website. As root user you would run

 zypper install zoom_openSUSE_x86_64.rpm

It may be necessary to ignore the missing or incomplete public key signing. If a working key is available, then first add it with rpm where "RPM-KEY" is the downloaded key file

 rpm --import RPM-KEY

Zoom provides access to select and control the audio and video sources for your meeting. Sometimes the audio connections will have to be reviewed since these are automatic. Pipewire appears to work better than Pulseaudio with Tumbleweed following changes implemented in the distribution in July 2022.

Google Meet works in the Chrome browser. Microsoft TEAMS has a browser version and a downloadable application. If you chose to use TEAMS or are required to do so by your institution then consider disabling its default which is to run it whenever you are logged in. This is controlled by the contents of the hidden directory

 .config/autostart

Wireless

Laptops by default will have networkmanager running their hardware and wireless connections. Desktops will not. To enable desktop wireless with minimal need for configuration, use Yast, Network Settings, and Global Settings to select networkmanager rather than wickedd. With that change, there will be a desktop icon in the system tray and the interface may be selected by the user.

Few USB network adapters work with the Linux kernel in OpenSuse . Only one we have found readily available new is the Buffalo Nfinity Wireless-N compact USB 2.0 adapter. It is recognized immediately and requires no additional configuration, other than the selection of networkmanager, and the user's choice of connection.

When configuring a laptop that will need flexible control of the network, consider changing the default /etc/sysconfig/network/config entry from "no" to

 NETCONFIG_FORCE_REPLACE="yes"

This change will insure that if you change networks the resolv.conf file will be rewritten, and it may affect other files that get modified in some way. The downside is that you will need to use the root password when restarting the network.

Static LAN and dnsmasq

We use dnsmasq to manage local area networks (LAN) from a second network device on telescope computers. Typically the device address is set to 192.168.0.1/24, or to 1.1/24 if there is another LAN operating. The configuration file for dnsmasq is set to point to the device, i.e. eth1, to which the switch is attached.

This works well if (a) there is a switch attached and turned on, and (b) the computer is running the wickedd manager which is the default in current Opensuse releases based on systemd. It is seeming not possible, or certainly not straightforward, to run a lan from a laptop which is configured with networkmanager.

To attach a networked instrument such as a camera to a laptop that by default is configured with network manager the options are

• Attach the device to a switch which itself is integrated into a LAN with DHCP provided by another computer system.
• Custom configure the wired network interface using nmcli.
• Change the laptop networking to run wickedd instead of networkmanager.

The second method using the powerful console command line interface for Network Manager is the best solution but requires specific commands for each situation. A common problem has been network management when a device is to be attached to an Ethernet adapter on a USB3 connection. For example, we use a StarTech adapter that runs on a powered laptop port to provide both ethernet and additional USB3 connections to a camera and environmental sensors. The network connection has to be associated with dnsmasq to enable DHCP connections from cameras. With networkmanager on opensuse, this new device is not configurable through the YAST tools. The solution is

1. Boot the computer with the device installed so that it is recognized without an issue

2. As root create the connection and bring it up

 nmcli con add con-name "usb-ethernet" ifname eth1 type ethernet ip4 192.168.1.1/24
 nmcli con up usb-ethernet

3. Check that it is present

 ifconfig 
 
 eth1  Link encap:Ethernet  HWaddr 00:05:1B:D0:88:E3  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

4. Configure dnsmasq.conf with lines such as

 interface=eth1  
 dhcp-range=192.168.1.50,192.168.1.100,12h

5. Enable and start dnsmasq in sysconfigure

These changes should remain in effect until removed, and a camera attached to the new network connection will be seen on the local "usb-ethernet",

The third option is the default for a desktop system. The disadvantage to the third option in the laptop world is that wickedd does not have the end-user support for wireless networking that networkmanager provides. Further, when switching from one system to another, there are inevitable configuration issues, particularly with the management of host resolution and the file /etc/resolv.conf.

The basic process is to use yast or yast2, select network device configuration, and change the manager to wickedd. This will allow editing the individual network devices. Set the static ip address for the device that will handle the LAN, edit the device entry, change it to "internal", and set it to activate on boot through the setting in the Global tab. Shutdown and reboot the system. The ethernet adapter must be inserted at boot time.

As superuser use "wicked show all" to see the status of the devices, or "wicked ifstatus eth1" to see the status of one network device. Each device has a configuration file in /etc/sysconfig/network/, such as ifcfg-eth1 for eth1. Within that file there should be a line which says

LINK_REQUIRED=no

As of Opensuse 42.3, this line is not inserted by the yast2 configurator, and consequently the network device will stall and wickedd will report "setup-in-progress". The simple solution is to enter this by hand if you see this error and need a second network active on power up.

Proxy

The system proxy settings are set globally in /etc/sysconfig/proxy . It is best to use yast to configure them. At USQ for normal use these fields are blank. However for installation through yast and zypper and for updates the fields have to be populated with http://proxy.usq.edu.au:8000. Also for use of curl where there is a proxy, it can be set in .curlrc for that user by adding a line such as

proxy = proxy.usq.edu.au:8080

without the "http" prefix. Alternatively, if there is a system proxy, then curl can be run with a command line that over rides it for specific addresses or for everything with a wildcard

curl --no-proxy *

Both Firefox and Chrome browsers will negotiate an automatic proxy server while curl, zypper, and yast will not.

Julia Language

Increasingly useful for data analysis, Julia is added on servers and computers where processing is done. The Julia package provided by OpenSUSE is the stable version, while Julia is developing so quickly that the most recent version is best to have on hand. We use the source distribution from the Julia Lanuage Download website [2]. Untar the package in /usr/local, and link to the "julia" executable from /usr/local/bin/. This will make it first on your PATH and supercede a system installation.

Google Chrome

OpenSUSE does not provide the Chrome browser. To install it follow these steps from the command line as root or sudo

• zypper ar http://dl.google.com/linux/chrome/rpm/stable/x86_64 Google-Chrome
• wget https://dl.google.com/linux/linux_signing_key.pub
• rpm --import linux_signing_key.pub
• zypper ref -f
• zypper in google-chrome-stable

Tight VNC

Tumbleweed and Leap 15.5 need the the "vncserver" script to start a persistent session with the user's preferences. The script may be copied from other recent installations and edited. It is not currently in either Leap or Tumbleweed, but should be available online elsewhere. The previously distributed script will start a VNC server

Using the one from 15.4, comment out the line

 #$default_opts{rfbwait} = 30000;

which requires a feature of Xvnc that is not included in the 15.5 system. Also use zypper or YAST to install the package

 xorg-x11-vnc

to implement the TigerVNC version used by the script.

The VNC server uses a configuration file .vnc in the user's home directory. Two typical entries are

 geometry=2000x1200
 localhost

which set the size of the virtual terminal and make the service only available locally for security. Use SSH to tunnel to this service from the remote user

 ssh -L 5901:localhost:5901 user@remote.site

as an example.

Once the server is running, use TigerVNC from the distribution to access it remotely rather than TightVNC because TigerVNC will interactively adapt to the available screen size if as end user you resize the window on the client. However, TigerVNC does not have an option to tunnel through SSH, so from the client

ssh -L 5901:localhost:5901 user@server

to create a tunnel and then point the client to the port on which the server has VNC.