At some point several years ago, SUSE and Redhat migrated to new multi-file and sub-directory approaches (search anacron) for their system crontabs. A helpful comment posted to my 2 March entry motivated me to learn how these are set up. Here’s how openSUSE 10.2 structures its cron configuration and provides the means of controlling it:

• YaST, System, sysconfig editor, cron – edits various configuration parameters stored in the /etc/sysconfig/cron file (this file can also be edited directly).
• YaST, System, System Services – turn the cron service on/off here.
• /etc/crontab, /etc/cron.d/*, /var/spool/cron/tab/<userid> – these files all use the format described in the crontab 5 man page. My as-installed configuration has one line in /etc/crontab that calls run-crons every 15 minutes (*/15). All of the other directories were empty. Also, the one line starts with a dash, a special feature for root that prevents sending a message to the syslog file.
• /usr/lib/cron/run-crons – shell script called by the default /etc/crontab entry. run-crons runs all pending shell scripts in the /etc/cron.* sub-directories. This is an extensive script containing the logic to handle systems that don’t run 24×7.
• /etc/cron.{hourly, daily, weekly, monthly} – these directories contain bash scripts, not crontab-format files.

As installed, /etc/crontab runs dailies within the first 15 minutes after rebooting and every 24 hours thereafter. If one has the misfortune to get that first run during work hours, cron will continue to run the dailies every day at that time! The daily tasks have a lot of system-wide finds (core files, locate, beagle, etc) that consume 100% of the cpu. This annoyed me frequently in my SUSE 10.0 days.

From reading the run-crons code, I found out about the DAILY_TIME parameter in /etc/sysconfig. If this is set, cron runs the daily tasks only during the hour specified. The trade-off is that the computer must be running at DAILY_TIME (but if not, cron will run daily tasks anyway after MAX_NOT_RUN days). The weekly and monthly tasks aren’t controlled by DAILY_TIME, so I guess if I reboot one minute after noon, weekly and monthly tasks will run at 12:15 pm thereafter.

To try all this out, I set DAILY_TIME to 14:00 and changed the /etc/crontab minutes parameter to 22,52, and will expect to see activity each day at 2:22 pm.

A nice extension would be a WORK_DAY parameter; a time span during which cron would avoid running any of the periodic tasks. This would retain cron‘s ability to run tasks within the first 15 minutes after a reboot, so long as it didn’t occur during work hours.

Update, Dec 07: Have successfully removed ZENworks/zmd, solving all problems described herein. See post of 12-Dec-07.

My happiness with openSUSE 10.2 disappears when the Zen Updater runs. Every time it starts, does an update, restarts, etc, update-status (a compiled 64-bit executable, not a Perl or Python script) runs for 5-7 minutes with 99% cpu usage.

Others have complained about this problem, so it’s not just my installation. When I first wrote this, I had a couple of angry paragraphs about the ills of ZENworks and zmd. Since then, I located a more well-reasoned critique of ZENworks (complete with screen shots). It reviews openSUSE 10.1, but most everything still applies.

I started YaST, Software, Online Update Configuration. This turns out to be a canned task that accepts no user input and assigns you randomly to a SUSE update repository each time it runs. So I was moved from utah.edu to somewhere else (with a couple 6 minute update-status runs thrown in).

How shall I deal with ZENworks? First I read an article in SUSEWiki.org on Adding YaST Sources. This discussed how to use a local ISO file instead of the installation CD as the main package catalog, and pointed out a second, YaST update configuration screen: YaST, Software, Installation Source. This is the familiar YaST interface that allows one to configure all package and update repository catalogs.

A log of the various steps I tried (long and tedious, scroll down to the Conclusions):

• YaST, Software, Installation Source.
• Add, Media Type -> Local Directory.
• I checked the ISO image box, browsed to my new /iso directory where I had placed the 10.2 ISO image.
• YaST scanned the image and a new “Configured Software Catalog” appeared.
• To test, I turned the Status Source Setting to Off for the DVD, left the “Synchronize with ZENworks option turned on, and clicked Finish.
• A “synchronizing with ZENworks” info box appeared, so off to the kitchen for a snack during a few minutes of parse-metadata followed by another 6 minutes of update-status.
• Started YaST, Software, Online Update (called YOU in SUSE 10). It suggested an update to Firefox 1.5.0.9, which I new was wrong because openSUSE 10.2 is on 2.0. Where did the problem come from: using YOU, or the ZEN reconfig that switched repositories?
• Installation Source GUI confirms my ISO catalog and the osuosl.org update catalog are both 10.2. Software Management GUI shows the correct version of Firefox currently installed.
• Noticed in the ZEN Software Updater, Configure, that one of the catalogs I had deleted with YaST still appeared. I removed it here also, and the process took only a few seconds! Something is different with update-status.
• Lots of changes through two separate interfaces, so let’s reboot … update-status ran less than 2 min, but both zen-updater and YOU don’t present the correct pending updates.
• Tar file of /var/lib/rpm, then rpm –initdb; rpm –rebuilddb to see if rebuilding the RPM database would fix things. The dates on the DB files were no different upon completion.
• Hid the files, re-ran rpm, no new rpm databases appeared. Apparently rebuilddb is no longer functional. Replaced the files, now YaST Software Management looks normal again. ZEN’s database seems to be in /var/lib/zypp.
• Perhaps the ZEN Management Daemon (zmd) is responsible. Crossing my fingers, I ran Online Update Configuration again. update-status completed in less than a minute. ZEN failed, saying that it had updated YaST (ftp.ale.org this time) but could not update ZEN. Indeed ZEN still retains the old update repository.
• Started YOU, and the correct updates appear!
• Accepted all updates, and they installed correctly, even the Nokia one that had choked ZEN, starting this problem in the first place. Also, new dates have appeared on all of the /var/lib/rpm database files, so they are apparently okay.
• Read some Novell instructions and decided to add a third party repository packman.unixheads.com/suse/10.2 which now appears as a YUM repository. This triggered “synchronizing with ZENworks”; let’s see if the YUM update repository gets fixed.
• The ZEN updater is now showing the exclamation point. It wants to update a bunch of packages that I don’t have installed, packages from packman apparently. I guess it thinks this is the update repository. I turned off packman in the configure screen.
• update-status ran 3 minutes with packman added. So it appears that nothing was wrong with my system: ZEN is just cpu intensive.
• YaST, Software Management now shows ksensor, which I know is from packman. Installation was successful.
• YaST Online Updater is currently working fine with one update catalog and ZEN now presents only the local ISO catalog. Bad news. Options:
  • Keep re-running YaST Online Update Configuration until ZEN installs a catalog that both it and YaST accept. But I’m worried that I’ve broken ZEN somehow and it won’t accept any catalog.
  • Switch the panel updater applet from ZEN to YaST (an earlier post describes the controlling /etc/sysconfig option). Does this also turn off zmd?
  • Make no changes. See if the ZEN applet shows new updates. If not, periodically run YOU to check. Take further action in the event that YOU shows updates and ZEN does not.
• I don’t know what process updates the rpm database and since rpm –rebuilddb was shown to have no effect, I’d better make sure to make a copy of the database before doing anything risky.

Conclusions:

• ZEN processes (zmd, parse-metadata, update-status) are cpu intensive. With no progress bar or feedback of any kind in zen-updater to show concerned users what’s happening, it’s easy to think “infinite loop” when cpu times skyrocket. But it’s probably just a catalog that takes a long time to process.
• ZEN’s configuration of and interaction with YUM update catalogs is fragile. Running YaST, Online Update Configuration to assign a different update catalog is a good option to solve unexplained updater failures and error messages. Sometimes it must be run more than once. Consider it a ZEN reboot.

Current Status:

• Both YaST and ZEN have accepted the switch from the DVD to the local ISO file that I installed. So I won’t ever need to load the DVD again. Excellent – will add this step to my Linux upgrade checklist.
• I now better understand the repositories and DVDs. The retail package DVD (which is double layer) contains noarch, i586, and x86_64 packages for both oss and non-oss. My downloaded ISO DVD image is missing i586 packages. Online repositories have all architectures, but are split between oss and non-oss. I need a source for oss and non-oss i586 packages. Options:
  • Add two online i586 repositories. But update-status run times might return to 6 minutes.
  • Download the i586 DVD ISO image and install that locally.
• Re-ran YaST Online Update Configuration, ZEN installed mirrors.usc.edu successfully such that both zen-updater and opensuseupdater report the same updates.
• Switched the panel updater applet (/etc/sysconfig/sw_management) from the zlm (zen-updater) update manager to opensuse. The SUSE updater now appears (but only in KDE because the updater applet is part of KDE).
• My updating process now looks like it did in SUSE 10.0: the GUI that resembles the package installer with the detailed progress log above and the double progress bars at the bottom. I left the “sync with ZEN” option turned on.

Other information related to package updating:

• Offical openSUSE pages: Using the ZEN Updater, Package Repositories.
• From a LinuxQuestions.org post:
  

  – only common lib is libzypp. For example I deleted all zmd/mono/rug (with exception of single libzypp) and I am using Yast/smart only.
  – rpm db is common to all package managers otherwise eat time you would use different PM different installed/not installed packages would be shown.

• The SMART Package Updater was recommended by a forum post, but a detailed, multi-step installation process and co-existence with ZEN are concerns.
• The Package Management Category at SUSEWiki.org is the source for several of the above links. Other links on Finding RPMs and Package Database Management might be helpful.

Amazon S3 instructions require the following PEAR packages:HMAC, HTTP_Request, Net_Socket, and Net_URL. After my problems with PEAR in SuSE 10.0, I want good notes of what I did here:

• All commands run as root.
• pear remote-list
  WARNING: channel “pear.php.net” has updated its protocols, use “channel-update pear.php.net” to update.
• pear update-channels – successful.
• pear info <pkg> – always responded “No information found for ‘pkg’. I tried both installed packages and the packages I wanted to install.
• pear remote-list – listed available packages and Net_Socket was not listed, even though I could see it on the PEAR web site.
• pear install HTTP_Request –
  install ok: channel://pear.php.net/Net_Socket-1.0.6
  install ok: channel://pear.php.net/Net_URL-1.0.14
  install ok: channel://pear.php.net/HTTP_Request-1.4.0
• pear info HTTP_Request – now it lists information about this package. Something isn’t working; I certainly should be able to get info about a package before installing.
• pear list –
  Installed packages, channel pear.php.net:
Package Version State
Archive_Tar 1.3.1 stable
Console_Getopt 1.2 stable
Crypt_HMAC 1.0.1 stable
HTTP_Request 1.4.0 stable
Net_Socket 1.0.6 stable
Net_URL 1.0.14 stable
PEAR 1.4.11 stable
• This shows another problem. YaST offered a few PEAR packages at install time and I selected a few including PEAR::DB. The DB package appears in /usr/share/php5/PEAR along with Archive Tar and Console Getopt, yet is not listed above. Why not?
• pear run-tests -pr Crypt_HMAC – “running 0 tests”, even though HMAC has a test.php file under the test subdirectory. So I don’t understand this command either.

Overall, I’m satisfied with the improvements in openSUSE 10.2 as compared to SuSE 10.0. A “.0” release is always a bit of a bumpy ride, and 10.2 has certainly cleaned up a lot of the problems and rough edges. I was disenchanted enough with 10.0 to load Fedora Core 6, but after a brief trial I decided to continue on with SUSE.

I still have complaints, but when I catch myself ranting about something I stop and contemplate my good fortune that such a comprehensive operating system and development environment is available for free!

Miscellaneous Notes:

• I’ve yet to install the ATI Proprietary Linux drivers for my Radeon Xpress 200 onboard graphics. This was troublesome under 10.0, so I’ve put it off for 10.2 so far.
• Didn’t install beagle. Couldn’t find out how to control it in SUSE 10; seemingly no crontab file, all of its processes ran as nobody, etc.
• kpowersave is able to put my Compaq Athlon into standby, which it couldn’t do in SuSE 10.0. But it is a strange state that doesn’t save much power: the disk shuts down and the power light begins blinking, yet the fans continue to run and the monitor doesn’t go into standby (i.e. a video signal is still being sent). WindowsXP (this is a dual-boot PC) standby does turn off the fans and the monitor hibernates immediately.
• YaST, System, /etc/sysconfig Editor, System/Yast2, preferred_sw_manager_stack (file: /etc/sysconfig/sw_management) allows one to switch from the zlm (zen-updater) update manager back to opensuse_updater.
• SuSE 10 versions: gcc 4.0.2, php 5.0.4, perl 5.8.7.
• openSUSE 10.2 versions: gcc 4.1.2, php 5.2.0, perl 5.8.8.

With all of my applications and projects upgraded from SuSE 10.0 to openSUSE 10.2 and seemingly working fine, I stumbled over a roadblock today: ftp is blocked from running active mode in 10.2. In my regression testing I had two utilities fail, perl CPAN.pm being the well-known one. In each case, the process would request a directory listing and then hang.

The first utility had a passive mode option; I enabled it and the process completed. CPAN does not have such an option. But both utilities use perl’s Net::FTP module and I eventually learned about the FTP_PASSIVE environment variable here and within the CPAN.pm documentation. So I was finally able to run CPAN.

Even though I now have my ftp tasks operational using passive mode (which is preferable), it is risky when an unknown agent intervenes surreptitiously. What future networking applications will be blocked by this agent? Better to discover and learn how to configure this agent to report its actions to a system log file now, rather than wait until it is silently blocking a critical development task.

Since I believe it is a firewall within openSUSE that is blocking the ftp messages, I set out to confirm this. I rebooted my multi-boot PC back up under SuSE 10.0. “ftp -A -d ftp.anysite.com” worked fine, eliminating my Internet router’s firewall and anything else in my hardware or LAN/WAN path as the source of the problem. The same ftp command hangs when booted to openSUSE 10.2. Thus the filtering is being done within openSUSE.

But all efforts to find the culprit within openSUSE have come to naught. grep found no mention of any filtered packets in any of the var/log/* files. I left SUSEfirewall2 disabled during installation and it remains off. I turned off Novell AppArmor and that did not solve the problem. My final clue is the following line from dmesg:

ip_tables: (C) 2000-2006 Netfilter Core Team

Yet there is no /var/log/firewall, which is where syslog-ng is told to put iptables messages. Nor does iptables appear in the YaST System Services screen. However, there is an ip_table_filter entry in standby.log.

So after several fruitless hours, I’m still clueless as to the openSUSE agent that is blocking active mode ftp requests. Suggestions anyone?