Turris Build issues
https://gitlab.nic.cz/turris/os/build/-/issues
2023-08-16T11:06:45+02:00

Helpers/new_release.sh: Add release notes to tags
https://gitlab.nic.cz/turris/os/build/-/issues/69
2023-08-16T11:06:45+02:00
Josef Schlehofer

I think it would be really cool if the script could add release notes from the `NEWS` file to tags.

Michal Hrusecky

Use samba4 instead of samba3
https://gitlab.nic.cz/turris/os/build/-/issues/75
2023-08-16T11:06:41+02:00
Josef Schlehofer

In PR !28, I noticed some changes regarding samba.
Shouldn't we use samba4 instead of samba(3)? The only issue I can think of is that samba4 is not available in OpenWrt 18.06.
It is included in 19.07 or master. I asked in #openwrt-devel why samba3 is still present in OpenWrt `master` branch.
```
20:13:11 <Pepe> I am wondering why in the master branch, there is still samba3, which was EOL 4 years ago.
20:31:18 <pkgadd> Pepe: because samba4 is unsuitable for most devices
22:45:51 <mangix> Pepe: size
22:45:56 <mangix> and laziness
22:47:07 <mangix> It should be removed from the main branch
```
We have powerful routers with a large amount of space, so it shouldn't be an issue to have a supported version of samba4, or am I wrong? It depends on how much we are going to diverge from OpenWrt. On the other hand, I am against it, but samba3 is vulnerable and reached EoL a long time ago. This should be handled directly in OpenWrt; they should decide what they are going to do with samba3, because this ancient version is not even in [Debian](https://packages.debian.org/search?keywords=samba).

Turris OS 5.0

[feature request] provide an easy to install foris package to enable multicast iptv support
https://gitlab.nic.cz/turris/os/build/-/issues/62
2023-08-16T11:04:21+02:00
Claude Nobs

Various ISPs (telekom.de, fiber7.ch, ...) come with a bundled iptv solution based on multicast technology. Apart from internet access, access to tv is one of the features a router should support out-of-the-box or provide a checkbox solution in its GUI.
However, currently it's neither supported out-of-the-box, nor is it possible to set up using either foris or luci. Only if one is comfortable using ssh/bash is it rather trivial to set up:
```
IP=`ip -4 -br addr show br-lan | grep -E -o '[0-9.]+' | head -n 1`
opkg install igmpproxy
sed -i -e "s/$IP\/24/0.0.0.0\/0/g" /etc/config/igmpproxy
sed -i -e "s/option ipaddr '$IP'/option ipaddr '$IP'\n\toption igmp_snooping '1'/g" /etc/config/network
/etc/init.d/igmpproxy enable
/etc/init.d/igmpproxy start
```

[feature request] enable NFT's full potential in kernel conf
https://gitlab.nic.cz/turris/os/build/-/issues/63
2023-08-16T11:04:20+02:00
Ghost User

> {"kernel":"4.14.131","hostname":"to","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"TurrisOS","version":"5.0-dev","revision":"c01f9ad","target":"mvebu/cortexa9","description":"TurrisOS 5.0-dev c01f9ad"}}
____
With the below settings disabled NFT is sort of castrated. Fail to see any potential harm it could cause enabling the feature set.
`# CONFIG_NFT_RT is not set`
> This option adds the "rt" expression that you can use to match packet routing information such as the packet nexthop.
`# CONFIG_NFT_SET_BITMAP is not set`
> This option adds the "bitmap" set type that is used to build sets whose keys are smaller or equal to 16 bits.
`# CONFIG_NFT_OBJREF is not set`
> This option adds the "objref" expression that allows you to refer to stateful objects, such as counters and quotas.
`# CONFIG_NFT_QUEUE is not set`
> This is required if you intend to use the userspace queueing infrastructure (also known as NFQUEUE) from nftables.
`# CONFIG_NFT_COMPAT is not set`
> This is required if you intend to use any of existing x_tables match/target extensions over the nf_tables framework.
`# CONFIG_NFT_FIB_NETDEV is not set`
> This option allows using the FIB expression from the netdev table. The lookup will be delegated to the IPv4 or IPv6 FIB depending on the protocol of the packet.
`# CONFIG_NFT_DUP_IPV4 is not set`
> This module enables IPv4 packet duplication support for nf_tables.
`# CONFIG_NFT_DUP_IPV6 is not set`
> This module enables IPv6 packet duplication support for nf_tables.
____
`# CONFIG_NFT_RT is not set`
is likely causing some grievance with TCP MSS clamping (essential for PPPoE) since
`nft add rule ip filter forward oifname pppoe-wan tcp flags syn tcp option maxseg size set rt mtu`
`nft add rule ip filter forward oifname pppoe-wan tcp flags syn tcp option maxseg size set 1452`
either is producing
> Error: Could not process rule: No such file or directory

[feature suggestion] enhance NF filter capabilities
https://gitlab.nic.cz/turris/os/build/-/issues/64
2023-08-16T11:04:18+02:00
Ghost User

> {"kernel":"4.14.131","hostname":"to","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"TurrisOS","version":"5.0-dev","revision":"c01f9ad","target":"mvebu/cortexa9","description":"TurrisOS 5.0-dev c01f9ad"}}
___
Please consider enhancement of NF filter capabilities
`# CONFIG_NETFILTER_XT_TARGET_HMARK is not set`
> This option adds the "HMARK" target.
The target allows you to create rules in the "raw" and "mangle" tables which set the skbuff mark by means of hash calculation within a given range. The nfmark can influence the routing method and can also be used by other subsystems to change their behaviour.
`# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set`
> This option adds a "TCPOPTSTRIP" target, which allows you to strip TCP options from TCP packets.
`# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set`
> Socket/process control group matching allows you to match locally generated packets based on which net_cls control group processes belong to.
`# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set`
> This match extension allows you to match a range of CPIs(16 bits) inside IPComp header of IPSec packets.
`# CONFIG_NETFILTER_XT_MATCH_L2TP is not set`
> This option adds an "L2TP" match, which allows you to match against L2TP protocol header fields.
`# CONFIG_NETFILTER_XT_MATCH_OSF is not set`
> This option selects the Passive OS Fingerprinting match module that allows to passively match the remote operating system by analyzing incoming TCP SYN packets.
Rules and loading software can be downloaded from http://www.ioremap.net/projects/osf
`# CONFIG_NETFILTER_XT_MATCH_SCTP is not set`
> With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports and SCTP chunk types.

Replace dependency and file insert patches for turris-webapps with dedicated packages and conditional install requests
https://gitlab.nic.cz/turris/os/build/-/issues/115
2023-08-16T11:01:11+02:00
Karel Koci

Turris updater now supports conditional install requests. We should use that instead of patching various packages for webapps. We have to create appropriate packages and then it is just:
```
Install("turris-webapps-FOO", { condition = "FOO" })
```

Turris OS 5.2.0

[Feature request]: Add watchcat plugin configuration directly to the reForis user interface itself, active by default
https://gitlab.nic.cz/turris/os/build/-/issues/293
2023-08-16T10:57:04+02:00
Marek Ľach

Because the WiFi sometimes disconnects in mid-day for me, and TurrisOS, by default, is not able to reboot/restart such a once lost connection immediately on its own, without the need for a lengthy manual intervention.
The `OpenWRT` package `watchcat` seems to be the sought after remedy in these situations, with which I was eventually able to configure an automated re-connect if ping's lost, so **TurrisOS** could _have watchcat included_, and active by default in its own *reForis* interface, to make it even more convenient, useful and user-friendly.
It’d be worth it implementing this plugin into the latest iteration of TurrisOS proper out-of-the-box in the future... for laymen like myself :-)

UBNT SFP GPON support
https://gitlab.nic.cz/turris/os/build/-/issues/333
2023-08-16T10:55:31+02:00
Karel Koci

Backport UBNT SFP GPON patches to ensure functionality.

Turris OS 6.0

cfq & ionice for file/media centre
https://gitlab.nic.cz/turris/os/build/-/issues/32
2023-08-16T10:54:59+02:00
dim-geo

Please activate CFQ on kernel io schedulers. No need to change the default io scheduler.
It is very useful for external hard disks (rotational) where competing processes try to access the hard disk. Also, if you can please activate ionice in busybox so cfq can be used as well.
It would help in scenarios where the turris acts as a small file/media centre.

Turris OS 6.0

MOX: Enable earlyprintk for easier UART debugging
https://gitlab.nic.cz/turris/os/build/-/issues/348
2022-07-27T13:51:46+02:00
Josef Schlehofer

Similar to Turris Omnia (turris/os/build#347), we need similar stuff for Turris MOX:
```
CONFIG_CMDLINE="earlycon=ar3700_uart,0xd0012000 console=ttyMV0,115200"
CONFIG_CMDLINE_FROM_BOOTLOADER=y
CONFIG_SERIAL_EARLYCON=y
CONFIG_SERIAL_MVEBU_UART=y
CONFIG_SERIAL_MVEBU_CONSOLE=y
```

Turris OS 6.0

Move lists to separate feed
https://gitlab.nic.cz/turris/os/build/-/issues/201
2021-09-21T12:25:59+02:00
Karel Koci

We should move lists to a separate feed. We build them separately but we do not have them separate in the feeds description. Moving them to a separate repository is not essential for a separate hash but makes it cleaner as they are updated only when it is required. It also opens the door for implementation of some sort of limit "use these lists only with build of specific commit and newer". This could fix a common issue when packages take time to build but in the meantime the lists are broken.

Turris OS 5.3.0

Replace Nikola with FWLogs
https://gitlab.nic.cz/turris/os/build/-/issues/247
2021-09-21T12:25:14+02:00
Karel Koci

FWLogs is a much better implementation. We should use that.
At the Sentinel meeting we checked that FWLogs is fully compatible with Nikola on the Sentinel server side, so there should be no issue in doing the replacement.

Turris OS 5.3.0

Add options to hardening with option for common passwords inclusion
https://gitlab.nic.cz/turris/os/build/-/issues/167
2021-01-25T09:58:41+01:00
Karel Koci

We have a package with common passwords that should not be used for authentication. This is a nice thing to include as an option in the hardening package list.

Turris OS 5.2.0

Lists: essential packages should not be pulled in only exclusively by Foris packages
https://gitlab.nic.cz/turris/os/build/-/issues/184
2021-01-04T09:05:41+01:00
Karel Koci

There are components such as diagnostics that are pulled in only as a Foris dependency. We should locate such packages and include them in the default installation.
The ideal solution would be to make all Foris plugins optional and pulled in only if a specific package they need is requested.
The reason is that some users are removing Foris (although not supported, it makes sense not to break the system because of it) and because of that also other essential packages.

Turris OS 5.2.0

[feature suggestion] Enable ATH9K_SUPPORT_PCOEM on ath9k module
https://gitlab.nic.cz/turris/os/build/-/issues/81
2020-12-08T19:56:56+01:00
Sami Viitanen

I think ATH9K_SUPPORT_PCOEM isn't enabled for ath9k modules on Turris packages, limiting the amount of supported ath9k mPCIe cards.
Normally keeping it disabled might make sense to keep the module smaller for normal OpenWRT routers, but this shouldn't be a real issue with Mox/Omnia/1.x devices, right?
I ran into this issue when I was trying to upgrade the original AR9287 to AR9462 on my Turris Omnia. And it looks like its ID wasn't on the whitelist because of the missing ATH9K_SUPPORT_PCOEM.

Turris OS 5.2.0
Jan Pavlinec

collectd: Consider enabling signing/encryption support
https://gitlab.nic.cz/turris/os/build/-/issues/166
2020-08-01T18:57:35+02:00
Elvenlord Elrond

collectd's network plugin has the option to sign or encrypt the contents for data transfer to other collectd instances.
OpenWrt added this feature [here](https://github.com/openwrt/packages/commit/4ba4d8232d4431170faffadfa80fbb0ba76d20f1).
It is probably only a matter of adding `PACKAGE_COLLECTD_ENCRYPTED_NETWORK=y` to `configs/common/packages`?
Yes, this will introduce a new dependency on libgcrypt. On a small embedded platform this might be of concern. But for omnia and mox, it shouldn't be a big problem. And only people installing the network plugin will actually get that extra dependency. Which sounds acceptable to me.

Turris OS 5.1

Add wifi card ids to iwinfo database
https://gitlab.nic.cz/turris/os/build/-/issues/153
2020-06-04T16:54:54+02:00
Ghost User

iwinfo patches:
* http://lists.infradead.org/pipermail/openwrt-devel/2020-May/023479.html
* http://lists.infradead.org/pipermail/openwrt-devel/2020-May/023480.html

Turris OS 5.0.1

Kernel enable CONFIG_ADVISE_SYSCALLS
https://gitlab.nic.cz/turris/os/build/-/issues/33
2020-01-08T13:12:07+01:00
Jan Pavlinec

This could help run docker in lxc container
https://forum.turris.cz/t/docker-on-turris-omnia/242/15
and
https://forum.turris.cz/t/requesting-new-packages-new-versions/4187/32
Enable these kernel configs
* [ ] CONFIG_MEMCG_SWAP_ENABLED
* [x] CONFIG_MEMCG_KMEM
* [ ] CONFIG_BLK_DEV_THROTTLING
* [ ] CONFIG_IOSCHED_CFQ
* [ ] CONFIG_CFQ_GROUP_IOSCHED
* [ ] CONFIG_CGROUP_PERF
* [ ] CONFIG_CGROUP_HUGETLB
* [ ] CONFIG_CGROUP_NET_PRIO
* [x] CONFIG_CFS_BANDWIDTH
* [x] CONFIG_FAIR_GROUP_SCHED
* [x] CONFIG_RT_GROUP_SCHED

Turris OS 5.1
Jan Pavlinec

New package_list for reForis.
https://gitlab.nic.cz/turris/os/build/-/issues/94
2019-12-11T15:13:04+01:00
Bogdan Bodnar

Turris OS 4.0.3

Pls include "kmod-br-netfilter" in 4.x and on
https://gitlab.nic.cz/turris/os/build/-/issues/43
2019-10-25T04:22:13+02:00
Ghost User

The Netfilter functionality is a part of the kernel in 3.11.4, but it is a separate module in OpenWRT 18.06, thus it is missing from 4.x. This breaks backward compatibility between releases and the users who used Netfilter might not realize that their setup is no longer working after the upgrade.
Can you include "kmod-br-netfilter" in 4.x?
This is not a dupe of #38 as that issue can be solved in separate different ways and using netfilter is just one of them. I just wanted to make sure the addition of this module is considered independent from the guest isolation issue.

Turris OS 5.1