Turris OS packages issues
https://gitlab.nic.cz/turris/os/packages/-/issues
2023-03-22T12:44:10+01:00

https://gitlab.nic.cz/turris/os/packages/-/issues/916
broadband provider defaults database
2023-03-22T12:44:10+01:00
Filip Hron

It is possible to read `MCC` and `MNC` from SIM card. We can automate some queries to make it easier (not to say flawless) to help user to set up his LTE broadband connection.
# Problems
- the source database is in `XML`, we'd rather use `JSON` as **turris** devices have the library out of the box (python target)
- we need to do this in build process, we don't want to query some API in case the device is intended to use connection from `LTE` modem
# Solution steps
## Prepare
- narrow down properties to only what is required (filter the source)
- convert to `JSON` file
## Ship
- ship it to all routers
## GUI requirements
- make sure the license is visible on `LTE` **GUI** page
# Extras/question
- validate source `XML` before building against schema provided by source?
# Usage
- `foris-controller`
backref: https://gitlab.nic.cz/turris/project/-/issues/108
### resources:
https://wiki.gnome.org/Projects/NetworkManager/MobileBroadband/ServiceProviders
https://gitlab.gnome.org/GNOME/mobile-broadband-provider-info/-/blob/main/serviceproviders.xml
Filip Hron

https://gitlab.nic.cz/turris/os/packages/-/issues/888
consider dropping turris-backup and turris-backup-restore scripts from turris-maintain package
2022-11-30T15:08:40+01:00
Simon Borek

Those scripts (coming from `config-backup.sh` and `config-restore.sh` in [`turris-maintain`](https://gitlab.nic.cz/turris/os/packages/-/tree/master/utils/turris-maintain) package) seem to be an unused relic of the old OpenWrt-like backup system.
Because the old backup system has been superseded by schnapps and is no longer supported, there is probably no reason to keep the backup scripts installed in routers.
According to @mmatejek there are (probably not used) references to these scripts in [`foris-controller`](https://gitlab.nic.cz/turris/foris-controller) - in case of dropping these should be removed as well.
Verification, nothing depends on those scripts, needed before the change.
@jschlehofer

https://gitlab.nic.cz/turris/os/packages/-/issues/875
foris-controller: Consider dropping the modules "-src" packages
2022-11-11T18:44:12+01:00
Martin Matějek

We don't actively use "-src" packages (e.g. `foris-controller-diagnostics-module-src`).
And they also break foris-controller in case there is just "-src" variant of packages installed, because they don't include json schema files. Just python source code from `sdist`.
---
Reference: https://forum.turris.cz/t/nefunkcni-reforis/16958/19

https://gitlab.nic.cz/turris/os/packages/-/issues/825
Let user define own DNS server in the OpenVPN server configuration
2023-06-15T18:54:18+02:00
Jan Betik

Some users do not use the DNS server provided by the router but its own DNS server.
In this case, while being connected as a client to VPN and using option `Use DNS via VPN` the client cannot resolve the hostnames of machines behind the VPN.
The user should be able to set its own DNS server to be passed as an option to VPN clients.

https://gitlab.nic.cz/turris/os/packages/-/issues/819
Kresd does not resolve DHCPv6 leases
2022-01-18T10:18:01+01:00
Jan Betik

Kresd does not resolve DHCPv6 leases, works for IPv4 only.
Workaround found on https://doc.turris.cz/doc/en/public/dns_knot_misc#local_resolution_of_a_fully_qualified_domain_name cannot be used with `/tmp/hosts/odhcpd` as this file is dynamically generated and can get changed over the time, but kresd loads that file only during startup and is not able to detect the changes.

https://gitlab.nic.cz/turris/os/packages/-/issues/805
Guest network does not work while device is acting as VPN client
2023-05-15T15:43:20+02:00
Jan Betik

While the Turris is connected as VPN client with default route tunneled through the VPN gateway, the guest network does not have access to the Internet.
The Internet connectivity is re-enabled when the VPN client disconnects.
https://forum.turris.cz/t/vpn-client-muze-koexistovat-s-guest-wifi/16204

https://gitlab.nic.cz/turris/os/packages/-/issues/791
Adblock package doesn't update unblock config
2021-09-03T16:33:19+02:00
Vlastimil Zima

To make adblock work on Turris 1.X I had to append
```
config resolver 'unbound_includes'
list include_path "/var/lib/unbound/adb_list.overall"
```
to the `/etc/config/resolver`.
I suspect that adblock can update `unbound` config, but it's overridden by the `resolver-conf` anyway and thus adblock stops working.
Turris OS 6.2.0

https://gitlab.nic.cz/turris/os/packages/-/issues/765
knot-resolver: remove duplicate /etc/kresd
2021-10-06T14:07:51+02:00
Jan Pavlinec

Introduced by https://gitlab.nic.cz/turris/os/packages/-/commit/e5bfc2c1d6cdfee3eada1ed461a90b557d147e9b#note_213178

https://gitlab.nic.cz/turris/os/packages/-/issues/746
FW reload via LuCi makes sentinel traps unreachable
2022-06-06T14:10:02+02:00
Martin Prudek

After a FW change via LuCi - e.g. enabling/disabling some FW rule or adding a new one, FW reload is needed. It could be
applied using standard `Save & Apply` button.
![image](/uploads/3e793e5bb4bfa4e8eca6c8735e71c9c2/image.png)
Subsequent **firewall reload** causes sentinel traps like HaaS Proxy and minipots to be **unreachable** from WAN - resulting in "Connection refused".
This could be locally fixed by running one of the following commands:
* `sentinel-reload`
* `fw3 reload`
* `/etc/init.d/firewall restart`
* `service firewall restart`
Originally reported in: https://gitlab.nic.cz/turris/project/-/issues/116#note_204548
More research in: https://gitlab.nic.cz/turris/reforis/reforis/-/issues/316#note_205002
Filip Hron

https://gitlab.nic.cz/turris/os/packages/-/issues/745
schnapps rollback to factory on Shield print errors
2021-11-13T01:06:26+01:00
Vojtech Myslivec

Sample of factory rollback from Shield's console:
```
Current state saved as snapshot number 10
Rolled back to snapshot factory
/etc/schnapps/rollback.d/10_cert-backup.sh: line 2: cert-backup: not found
Everything done, rebooting!
```
Either `schnapps` should depend on `cert-backup` or `schnapps` should handle its missing quietly/systematically.

https://gitlab.nic.cz/turris/os/packages/-/issues/742
sentinel-certgen: Release with option to force regenerate mailpass
2023-03-03T01:54:47+01:00
Martin Prudek

Blocked by turris/sentinel/certgen#14

https://gitlab.nic.cz/turris/os/packages/-/issues/731
Improving NextCloud experience on the Omnia
2021-08-18T00:52:55+02:00
Amit Shah

The NextCloud version that is installed on a fresh install is quite outdated - 18.04. Even with the v18 series, it's not the latest. This is two major versions behind; and the v18 series has also seen its last release last month. Since the NC install does not get any patch updates or security updates on TurrisOS, it goes against the philosophy of being a security-focused router.
I realize there are good reasons for not just updating the NC version installed by default. Referencing issue #680 here. But that also leads to long-standing bugs like issue #662.
I'd like to start a discussion to fix the situation, and also help improving it.
Here are the problems with the current setup:
a. TurrisOS updates (important, security updates for the core router functionality) should not interfere with NC updates. With the current setup, if an NC update was to be pushed, it'll have to compete with these core updates. How does one distinguish between an NC update, that does not need a reboot, vs an OS update, that does? What is a regular cadence for NC updates vs OS updates?
b. NC updates landing via OS package updates need to ensure to put the NC in maintenance mode before installing the package, otherwise there's risk of DB corruption. Currently, this is not taken care of.
c. NC updates may take a long time to activate due to DB upgrades. That is not desirable to happen asynchronously, without admin involvement. OS updates, on the other hand, are important to be pushed to routers, so that they are rebooted into the most secure state as soon as possible.
Suggestions to improve on the situation:
1. NextCloud should get its own opkg feed repository. It's currently packaged as part of the `turrispackages` repo; we should move to a separate `nextcloud` repo. Separating out the NC feeds into one, possibly multiple, helps us manage the upgrades from v18 -> v20 series.
2. OS updates and NC updates will not be tied together with this change in point 1. When the OS updates are being installed, the NC repository can be masked, so that NC updates are installed and checked for *after* OS updates are installed.
3. A separate configurations page in the ReForis UI for NC maintenance. This will include options to put NC in maint mode; upgrade NC
4. Optionally, take a snapshot of the /srv subvolume so that "bad" NC updates can be rolled back as well.
5. [Not sure completely of this point] Does NC have to be put in maintenance mode before reboot or update activities? To ensure consistency of data, that the sequence of events is: NC in maint mode -> mysql service stopped -> reboot. On the next bootup, NC will be put out of maint mode after /srv is mounted and after mysql has restarted.
I've previously suggested in https://forum.turris.cz/t/nextcloud-data-consistency-issues-and-suggested-workarounds/14835 to offer NC as an LXC image instead; but I think offering it in a separate feed/repo makes more sense.
I'd first like to discuss the problem and the solutions here; but it's clear we need to improve the situation w.r.t. NextCloud on TurrisOS.
Michal Hrusecky

https://gitlab.nic.cz/turris/os/packages/-/issues/712
lists/base-fix: some fixes should be ordered after some others
2022-06-06T14:14:07+02:00
Karel Koci

There are some fixes that work only when previous fix was applied. We should ensure that order is correct in such case.
To do this we need https://gitlab.nic.cz/turris/updater/updater/-/issues/137.

https://gitlab.nic.cz/turris/os/packages/-/issues/709
The msata disk is not recognized in the rescue
2022-08-18T18:41:23+02:00
Jan Horacek

The current rescue system on the Omnia does not recognize the msata disk, so it is not possible to prepare the disk directly in the omnia in case the emmc memory is damaged.
Michal Hrusecky

https://gitlab.nic.cz/turris/os/packages/-/issues/698
resolvers: add option for canary domain
2021-07-09T16:51:16+02:00
Jan Pavlinec

In case browser detects canary domain it should send DNS to router instead of DOH channel defined in browser.
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

https://gitlab.nic.cz/turris/os/packages/-/issues/694
Initial snapshot after finishing guide
2020-11-09T13:52:22+01:00
Lukas Jelinek

I think that an initial filesystem snapshot should be done after finishing (or leaving) the first setup guide. This snapshot would allow to get back a clean but configured system.

https://gitlab.nic.cz/turris/os/packages/-/issues/692
Shield presented as Mox Board
2021-04-14T16:10:19+02:00
Lukas Jelinek

Turris Shield is currently presented as _Mox Board_ on the **About** page. I think that it should display a string specific for Shield.

https://gitlab.nic.cz/turris/os/packages/-/issues/689
initial-config: Allow hashed passwords to be specified in config
2020-10-31T02:57:21+01:00
Karel Koci

Initial version of initial-config addressed only unsecure but simple configuration. It would be better to allow users to use hashed password even when generating of it is more complicated. It would be an option for advanced users having to do configuration without ethernet as well.
The following discussion from !560 should be addressed:
- [ ] @vmyslivec started a [discussion](https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_178336): (+5 comments)
> follow-up from https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_177635
>
> Is it intended to let users generate a config that would be left on some USB flash drive with cleartext (non-hashed) passwords?
>
> I know we can't get rid of Wi-Fi password in clear text but foris and system password can be prepared in their hashed form.
>
> This README can include steps to generate desired hash.

https://gitlab.nic.cz/turris/os/packages/-/issues/681
knot-resolver: refactor kresd.init
2020-10-20T15:20:37+02:00
Jan Pavlinec

kresd.init should follow our requirements for shell scripts.
- fix double-quotes in variables
- fix indentation
- other issues (shellcheck)

https://gitlab.nic.cz/turris/os/packages/-/issues/670
Minipot: allow separate redirect for input and forward
2020-09-21T12:09:51+02:00
Karel Koci

In general deployment it is different if you are redirecting to minipot input or/and forward. We should not automatically redirect both as we do now. We should somehow let users to choose. Right now user has only option and that is to disable minipot or to have both input and forward redirected to router itself.