Thomas’ Lab Notes

Stuff worth not forgetting

IPv6 and Netgraph Ethernet Pseudo-interface

On a NanoBSD firewall, I want to have a separate MAC address on one of the Ethernet interfaces to act as the outer endpoint for IPv6 traffic. This is achieved using a Netgraph eiface:

kldload ng_ether
ngctl mkpeer sis0: bridge lower link0
ngctl name sis0:lower sis0bridge
ngctl connect sis0: sis0bridge: upper link1
ngctl mkpeer sis0bridge: eiface link2 ether
ngctl msg sis0: setpromisc 1
ngctl msg sis0: setautosrc 0

ifconfig ngeth0 link 06:00:00:00:00:06

Note that this does not include an ifconfig call to set the interface’s IPv6 address: this is done by devd, which calls the boot scripts’ ifconfig routine when the interface comes up. Thus I have the following line in /etc/rc.conf:

ifconfig_ngeth0_ipv6="inet6 fe80::6/64"

If instead of this line I have an explicit ifconfig in /etc/rc.local then there is a race condition between rc.local and devd. If devd runs last, the boot scripts won’t see any IPv6 address configured for the newly created interface in /etc/rc.conf, and they will set ifdisabled on it (blocking all IPv6 traffic, and marking the configured link local address as “tentative”). If devd runs first, the problem is dormant, because setting the link local address clears ifdisabled as a side effect.
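A small check for the race described above, added here as an example and not part of the original notes: it reads `ifconfig ngeth0` output and reports whether IPv6 is blocked (IFDISABLED in the nd6 options), still tentative, or healthy, and it checks that /etc/rc.conf carries the ifconfig_ngeth0_ipv6 line the boot scripts look for. The interface name is the one used above; the two ifconfig outputs embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original notes. Interface name ngeth0 and the
# sample ifconfig outputs below are constructed to match the setup above.

# Summarise IPv6 state from ifconfig(8) output read on stdin. Prints one of:
#   disabled    IFDISABLED is set in the nd6 options (all IPv6 traffic blocked)
#   tentative   an inet6 address is still in duplicate address detection
#   no-address  no inet6 address at all
#   ok
ipv6_state() {
  awk '
    /^[[:space:]]*nd6 options=/ && /IFDISABLED/ { disabled = 1 }
    /^[[:space:]]*inet6 / { addrs++; if ($0 ~ /[[:space:]]tentative([[:space:]]|$)/) tentative = 1 }
    END {
      if (disabled) print "disabled"
      else if (tentative) print "tentative"
      else if (addrs == 0) print "no-address"
      else print "ok"
    }'
}

# Succeeds when rc.conf (read on stdin) defines ifconfig_<interface>_ipv6,
# which is what the boot scripts check before enabling IPv6 on a new interface.
rc_conf_has_ipv6() {
  grep -q "^ifconfig_${1}_ipv6="
}

# Constructed sample: the losing side of the race (devd ran after rc.local):
# IFDISABLED set, link-local address left tentative.
SAMPLE_DISABLED=$(cat <<'EOF'
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 06:00:00:00:00:06
        inet6 fe80::6%ngeth0 prefixlen 64 tentative scopeid 0x5
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,IFDISABLED,AUTO_LINKLOCAL>
EOF
)

# Constructed sample: healthy interface.
SAMPLE_OK=$(cat <<'EOF'
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 06:00:00:00:00:06
        inet6 fe80::6%ngeth0 prefixlen 64 scopeid 0x5
        nd6 options=21<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
EOF
)

# Typical use on the firewall itself (not run here):
#   if [ "$(ifconfig ngeth0 | ipv6_state)" = disabled ]; then
#       ifconfig ngeth0 inet6 -ifdisabled    # clear the flag set by the boot scripts
#   fi
#   rc_conf_has_ipv6 ngeth0 < /etc/rc.conf || echo "no ifconfig_ngeth0_ipv6 in rc.conf"
```

Running the check from a devd action for the ngeth0 attach event, or simply from rc.local after the ngctl commands, makes the losing side of the race visible instead of silent.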

Linux on Dell Precision 7520

Three years after the M4800, it’s time to upgrade again. Let’s start with debian-9.2.1-amd64-netinst.iso.

Booting it up

My new laptop came with an OEM Windows 10 preinstalled. I wanted to keep it just in case, but it turns out that:

  • since I want BitLocker, SecureBoot needs to be enabled
  • Ubuntu supports SecureBoot, but Debian does not
  • since I want LVM+encryption, I need to use Debian

So I’m ditching the pre-installed Windows (I’ll make a VirtualBox VM later on if I really need it).


System install is pretty uneventful, except for the fact that the trackpad is apparently not working within the installer. I was able to install on LVM with encryption as desired. I was happy to find MATE as one of the desktop options.

Post-install customization


Keyboard and trackpad setup appear to work just fine out of the box (including for GDM).

The default driver appears to work just fine with the embedded LCD display, but is unable to handle my two external DP monitors (see below).

Nvidia driver

I am using this laptop on a docking station with two DisplayPort monitors. This works only if the builtin Intel GPU is disabled, and the add-on Nvidia GPU only is enabled.

Using the nvidia (non-free) driver

To install the Nvidia driver:

  • make sure installed kernel headers (linux-headers) match kernel (linux-image), otherwise DKMS won’t build.
  • install nvidia-driver (note: this will build a kernel module, so requires a working compiler)
  • install nvidia-xconfig
  • run nvidia-xconfig --query-gpu-info by hand and make note of PCI BusID
  • run nvidia-xconfig --busid=PCI:x:x:x to generate xorg.conf

BIOS setup

To disable the built-in Intel GPU:

  • Video -> Switchable graphics -> uncheck Enable Switchable Graphics

(I have also checked Graphics Special Mode, not sure whether this is needed).

Desktop environment

  • Set focus-follows-mouse
  • Set keyboard shortcut for lock screen to Win+L
  • Set MATE terminal to white-on-black

Disable GNOME Keyring SSH agent:

$ gsettings get org.mate.session gnome-compat-startup
['smproxy', 'keyring']
$ gsettings set org.mate.session gnome-compat-startup "['smproxy']"
$ gsettings get org.mate.session gnome-compat-startup

$ mate-session-properties
# uncheck SSH Key Agent and maybe others.
# This will create a copy of /etc/xdg/autostart/gnome-keyring-ssh.desktop
# in ~/.config/autostart, with appropriate settings to turn it off.

Sudo configuration

Add myself to group sudo.

APT sources

In /etc/apt/sources.list: add contrib and non-free.

Wifi drivers

The Intel wireless drivers require non-free binary components, see


firmware-iwlwifi vim rsync net-tools pcscd apt-transport-https openvpn binutils ltrace strace scdaemon


Hipchat is linked against Qt libraries that assume OpenSSL 1.0, but Debian provides 1.1.

Workaround:

# apt-get install libssl1.0.2
# ln -s /usr/lib/x86_64-linux-gnu/ /opt/HipChat4/lib/
# ln -s /usr/lib/x86_64-linux-gnu/ /opt/HipChat4/lib/

(Note: the Atlassian web site gives incomplete instructions – they do not mention libcrypto).

Changing Default Browser for GNOME on Debian

Problem statement

I have chromium and firefox-esr installed. I want gvfs-open to default to the latter when opening a web URL.


There are /etc/alternatives entries for x-www-browser and gnome-www-browser that can be manually edited using

# update-alternatives --config gnome-www-browser
# update-alternatives --config x-www-browser

Unsurprisingly, this won’t have the desired effect. Life would be too simple…


The default browser for GNOME applications is determined using gvfs-mime. Per-user overrides can be specified in ~/.local/share/applications/mimeapps.list. System-wide defaults are generated by update-desktop-database and stored in /usr/share/applications/mimeinfo.cache.


The mimeinfo.cache is basically a raw reverse cache for the .desktop information. There is no way to define priorities in it. To be able to specify default applications, a mimeapps.list file (previously named defaults.list up to Debian 5) must be created. It can be system-wide (in /usr/share/applications or a subdirectory) or user-specific (in $HOME/.local/share/applications).

And indeed the fix was to reorder the list from mimeinfo.cache, and create the following file:

[Default Applications]
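A complete per-user mimeapps.list for this case, added here as an example and not taken from the original notes: it writes the [Default Applications] entries for web URLs and includes a small query to verify what the file says. The desktop file name firefox-esr.desktop is the one Debian ships; any other name is an assumption to check under /usr/share/applications.

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumes the desktop file is
# named firefox-esr.desktop (as on Debian).

# Write "[Default Applications]" entries for the web-related MIME types to the
# file $1, all pointing at the desktop file $2.
write_mimeapps() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<EOF
[Default Applications]
text/html=$2
x-scheme-handler/http=$2
x-scheme-handler/https=$2
x-scheme-handler/about=$2
EOF
}

# Print the first desktop file listed for MIME type $2 in the
# [Default Applications] section of $1 (empty output if none).
default_for() {
  sed -n '/^\[Default Applications\]/,/^\[/p' "$1" \
    | awk -F= -v t="$2" '$1 == t { sub(/;.*$/, "", $2); print $2; exit }'
}

# Typical use (not run here):
#   write_mimeapps ~/.local/share/applications/mimeapps.list firefox-esr.desktop
#   xdg-mime query default x-scheme-handler/http    # should now answer firefox-esr.desktop
```

Two caveats: newer xdg-utils read $XDG_CONFIG_HOME/mimeapps.list (~/.config/mimeapps.list) first and only fall back to the ~/.local/share/applications location, so if both exist the former wins; and `xdg-settings set default-web-browser firefox-esr.desktop` writes the same entries for you.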

HP Laserjet M1217nfw Setup With CUPS on FreeBSD 10

This is an entry level network-connected multi function printer. It does not have a built-in Postscript interpreter. Instead, it receives raster data through a proprietary network protocol implemented as a closed source binary plugin to the CUPS filtering system.

In addition to CUPS, the following ports must be installed:

  • print/hplip
  • print/hplip-plugin

Once this is done, the printer can be added to CUPS. The standard socket connection options cannot be used. Instead, the “HPLIP” transport must be selected. The printer URI must be set manually from the output of hp-makeuri <IP-address>. (The plugin requires a URI starting with “hp:”, and will reject any other device URI with an error message saying “Error: This module is designed to work with HP Printers only”).

GDM Keyboard Layout Revisited

So, I wanted to upgrade Firefox on my FreeBSD 10 workstation, and this in turn caused some supporting libraries to be upgraded, and this broke all sorts of things again.

Initially gdm just segfaulted. After more manual upgrades, it turned out to work again, except that GDM had lost all localization, and in particular got the wrong keymap for the login screen.

It appears that gdm_lang is no longer honored (despite still being mentioned in /usr/local/etc/rc.d/gdm): you now need to set gdm’s locale in /usr/local/etc/gdm/locale.conf. Also note that unlike other user-editable configuration files, this one is overwritten each time gdm is reinstalled.


Notes on setting up a machine to use GPT partitioning, LVM for all filesystems (including root), and GRUB2 to boot.

Starting with a vanilla Debian 7.8 setup. Here we assume that /dev/sdb is the disk that will ultimately contain the system.

GPT setup

(parted) mklabel gpt
(parted) mkpart primary 2048s 4095s
(parted) set 1 bios_grub on
(parted) name 1 "BIOS Boot Partition"
(parted) mkpart primary 4096s 100%
(parted) set 2 lvm on
(parted) name 2 "LVM"

Do we want a swap partition there??? If we don’t provision one now, we’ll have to swap to an LVM LV.

LVM setup

pvcreate /dev/sdb2
# Initialise the LVM partition (partition 2 above; partition 1 is the BIOS boot partition) as a physical volume

vgcreate tank /dev/sdb2
# Create a volume group with that disk as the underlying storage

lvcreate -n rootfs -L 10G tank
lvcreate -n home -l 100%FREE tank


mkfs.ext4 /dev/mapper/tank-rootfs
mkfs.ext4 /dev/mapper/tank-home
mount -t ext4 /dev/mapper/tank-rootfs /mnt

Set up root filesystem (including /boot subdirectory) in /mnt.

Make sure that /etc/fstab on tank-rootfs points to the proper root fs.


for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt$i; done
chroot /mnt
rm -f /boot/grub/
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sdb
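A pre-flight check for the fstab and chroot steps above, added here as an example and not part of the original notes: it derives the device-mapper path of the root LV (tank/rootfs, as above), verifies that an fstab mounts it on /, and verifies that the bind mounts are all in place under /mnt before chroot. The fstab and mount listings in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumes the VG "tank" and
# LV "rootfs" names used above; override VG / ROOT_LV for other layouts.
VG="${VG:-tank}"
ROOT_LV="${ROOT_LV:-rootfs}"

# device-mapper name of an LV: /dev/mapper/<vg>-<lv>, with any "-" inside a
# VG or LV name doubled to "--" by LVM.
lv_mapper_path() {
  vg=$(printf '%s' "$1" | sed 's/-/--/g')
  lv=$(printf '%s' "$2" | sed 's/-/--/g')
  printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# fstab on stdin; succeeds iff the entry for "/" names the root LV $1/$2,
# either as the /dev/mapper path or as the equivalent /dev/<vg>/<lv> path.
fstab_root_ok() {
  awk -v mapper="$(lv_mapper_path "$1" "$2")" -v plain="/dev/$1/$2" '
    /^[[:space:]]*(#|$)/ { next }
    $2 == "/" { found = 1; if ($1 == mapper || $1 == plain) ok = 1 }
    END { exit !(found && ok) }'
}

# /proc/mounts-style listing on stdin; succeeds iff every pseudo filesystem
# the chroot needs is mounted below $1 (e.g. /mnt). Missing ones are printed.
chroot_mounts_ok() {
  awk -v root="$1" '
    { mounted[$2] = 1 }
    END {
      n = split("/dev /dev/pts /proc /sys /run", need, " ")
      for (i = 1; i <= n; i++)
        if (!mounted[root need[i]]) { missing++; print "missing: " root need[i] }
      exit missing ? 1 : 0
    }'
}

# Typical use before the chroot (not run here):
#   fstab_root_ok "$VG" "$ROOT_LV" < /mnt/etc/fstab || echo "fstab does not mount $VG/$ROOT_LV on /"
#   chroot_mounts_ok /mnt < /proc/mounts || echo "bind mounts incomplete"
```

Running both checks before `grub-install` catches the two mistakes that otherwise only show up as an unbootable system or a failed grub-mkconfig inside the chroot.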

FreeBSD Unicode Symbols Support

The font packages available on a desktop environment with a default FreeBSD installation do not support the Miscellaneous Symbols and Pictographs Unicode range (U+1F300..U+1F5FF), which contains various dingbats and emoji.

A nice vector font providing these symbols is however available from ports: x11-fonts/symbola.

(Note: x11-fonts/gnu-unifont and x11-fonts/gnu-unifont-ttf are not nearly as exhaustive.)

Update 2017-01-23 Similar problem on Debian (CIRCLED LATIN CAPITAL LETTER V (U+24CB), Ⓥ was missing). Resolved by installing fonts-linuxlibertine.

Digikam, Dependencies, and Building KDE Libraries


I have a very basic KDE environment, just enough to be able to run Digikam. Anytime I try to delete a photo, I get an error message:

Could not start process
Unable to create io-slave: klauncher said: Unknown protocol 'trash'.

Oh, well. So I guess the FreeBSD port for Digikam fails to list a required dependency. Fixing this is a long (ongoing) journey, with lots of interesting adventures all along. This is not a step by step build, but a series of notes about various traps I fell into along the way.

KDE libraries versioning

Executive summary: you cannot build KDE libraries (such as sysutils/kfilemetadata) of a given version if it does not match exactly the installed version of kdelibs:

Build log
===>   Registering installation for kfilemetadata-4.14.3_2 as automatic
pkg-static: Unable to access file /var/ports/work/usr/ports/sysutils/kfilemetadata/work/stage/usr/local/lib/ No such file or directory
*** Error code 74

kfilemetadata fails to install. That file is indeed missing; the staging area does however contain a So why does the source package of 4.14.3 generate a 4.14.2 library?

Answer: the library version is not set by the package itself, it comes from a default value from: o


Where does this come from?

$ pkg which /usr/local/share/apps/cmake/modules/KDE4Defaults.cmake
/usr/local/share/apps/cmake/modules/KDE4Defaults.cmake was installed by package kdelibs-4.14.2_5

Conclusion: the build dependency for kfilemetadata should list the exact same version of kdelibs, or the port won’t build.
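A check derived from that conclusion, added here as an example and not part of the original notes: compare the upstream version of the port about to be built with the installed kdelibs before starting a long build. FreeBSD package names follow the name-version[_revision][,epoch] convention; the package names used as samples are the ones from the build log above.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# name-1.2.3_4,1 -> 1.2.3_4,1 (the version is everything after the last "-",
# which also copes with hyphenated names such as kde-runtime-4.14.3)
pkg_version() {
  printf '%s\n' "$1" | sed 's/.*-//'
}

# 1.2.3_4,1 -> 1.2.3: drop PORTEPOCH (",N") and then PORTREVISION ("_N")
upstream_version() {
  pkg_version "$1" | sed 's/,[0-9]*$//; s/_[0-9]*$//'
}

# Succeeds when both package names share the same upstream version.
same_upstream_version() {
  [ "$(upstream_version "$1")" = "$(upstream_version "$2")" ]
}

# On the FreeBSD box itself (not run here): compare the port's version with
# what pkg(8) reports as installed before typing "make install".
#   port=/usr/ports/sysutils/kfilemetadata
#   same_upstream_version "kfilemetadata-$(make -C $port -V PKGVERSION)" \
#                         "kdelibs-$(pkg query '%v' kdelibs)" \
#     || echo "kdelibs version does not match; upgrade kdelibs first"
```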

Upgrading kdelibs

Let’s instead upgrade kdelibs from binary package, and hope for the best:

# pkg install -f kdelibs

This breaks because the binary package depends on a newer libpng, so let’s upgrade this one, keeping the old shared lib intact just in case.

$ digikam 
/usr/local/lib/ version PNG16_0 required by /usr/local/lib/ not defined

Strange that libpng 1.6.16 does not have version 16… Sigh… OK, upgrading from png-1.6.16 to png-1.6.18 appears to fix the problem. Back on track…

Now Digikam displays its splash screen and starts initializing, then segfaults. Hell, I’ll have to bite the bullet and upgrade a few hundred packages from ports. :-(

VLC ports variants

The vlc port by defaults depends on QT5, whereas the rest of the KDE system depends on QT4. You can rebuild vlc with the QT4 option, but that’s not quite sufficient: actually phonon (part of KDE) depends explicitly on slave port vlc-qt4 (so you can’t just install vlc with QT4 option, you have to go through the separate slave port).


Digikam does not segfault anymore, CUPS is repaired (I had to reinstall it somewhere in the process, as it would silently fail to startup due to a missing symbol) but I still cannot delete photos. On second guess, the missing item might be kde4-runtime, not kde4-workspace.

Here the dead end is quickly reached: x11/kde4-runtime depends on net/openslp, which won’t build because of a security vulnerability… Oh well, let’s build with DISABLE_VULNERABILITIES=yes


At long last, small victory: the missing piece was indeed x11/kde4-runtime. The problem has been reported. I must admit I’m getting sick and tired of the amount of breakage I need to investigate and fix most times I want to install something using the ports system. Desktop work nowadays requires humongous dependency closures that are extremely fragile, and I’m very much tempted these days to switch back to Debian for that.

Subsonic, FreeBSD 10, and UTF-8

In the context of upgrading to FreeBSD 10, I reinstalled the Subsonic media server from ports.

Servlet container

It turns out that using Jetty as the underlying servlet container would not work: I would get an obscure Java exception during various operations:

Message  /WEB-INF/jsp/settingsHeader.jsp(12,0) PWC6340: According to the TLD, rtexprvalue is true, and deferred-value is specified for the attribute items of the tag handler org.apache.taglibs.standard.tag.rt.core.ForTokensTag, but the argument for the setter method is not a java.lang.Object

Switching to Tomcat 8 worked.

Changing filesystem charset to UTF-8

I had been using ISO-8859-15 filenames forever. As part of the OS upgrade, I decided it was more than time to switch the whole system to UTF-8. (One specific issue that prompted this was the fact that GDM now seems to not support ISO 8859-15 GECOS user names anymore).

In order to have Subsonic properly handle file and directory names encoded in UTF-8, I had to set LANG for it:

export LANG=fr_FR.UTF-8

and to re-create the database from scratch (remove everything from /var/subsonic/db/ except subsonic.script).
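The filename conversion behind that switch, added here as an example and not part of the original notes: a shell function that renames every file and directory under a tree from ISO-8859-15 to UTF-8 using iconv, depth-first so that children are renamed before their parent directory. It skips names that are already valid UTF-8 (recoding those again would double-encode them) and refuses to overwrite an existing target. The directory layout in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Requires iconv(1).

# Rename all entries below directory $1 from charset $2 to charset $3.
recode_names() {
  dir=$1; from=$2; to=$3
  # -depth: children first, so a directory is renamed only after its contents
  find "$dir" -mindepth 1 -depth -print | while IFS= read -r path; do
    base=$(basename "$path")
    parent=$(dirname "$path")
    # Already valid UTF-8 (pure ASCII included)? Leave it alone: recoding it
    # again would turn "é" into "Ã©".
    if printf '%s' "$base" | iconv -f UTF-8 -t UTF-8 > /dev/null 2>&1; then
      continue
    fi
    if ! new=$(printf '%s' "$base" | iconv -f "$from" -t "$to" 2> /dev/null); then
      echo "skipping undecodable name: $path" >&2
      continue
    fi
    if [ -e "$parent/$new" ]; then
      echo "not renaming $path: $parent/$new already exists" >&2
      continue
    fi
    mv "$path" "$parent/$new"
  done
}

# Typical use on the media tree (not run here):
#   recode_names /var/subsonic/music ISO-8859-15 UTF-8
```

Because the function only touches names that are not valid UTF-8, it can be re-run on a partially converted tree; the leftovers it reports on stderr are the names that decode neither way and need a look by hand.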

GnuPG 2.1.2 Doesn’t Work With Caff

Today I signed a GnuPG key using my air-gapped master private key, and then tried to send the signature to the key owner from my network-connected workstation using caff. This failed miserably, with caff unable to find a valid signature, and gpg --list-secret-keys missing the (stub) private key.

It turns out that I had inadvertently upgraded GnuPG on this workstation to version 2.1.2, which has a completely revamped secret keys handling: secret key material is now entirely handled by gpg-agent, and the --secret-keyring command line option for gpg (which caff depends on) is now obsolete.

GnuPG 2.1 apparently also chokes on some legacy keys, and the work-around is to reimport the keyring manually.

caff has been fixed to support GnuPG 2.1. However this depends on GnuPG 2.1.3 or newer, which is not in the ports tree yet, so for the time being I have reverted to the “stable” 2.0 release: portmaster -o security/gnupg20 gnupg.