fedora snapper, tuned, and selinux policies

2025-10-14 12:32:57 -04:00
parent 8d98cd06fa
commit cb66fb6195
6 changed files with 199 additions and 12 deletions
--- a/active/os_fedora/fedora-server.md
+++ b/active/os_fedora/fedora-server.md
@@ -2,23 +2,28 @@

 - [Fedora Server](#fedora-server)
  - [Installation](#installation)
+  - [Power Profiles with Tuned](#power-profiles-with-tuned)
  - [Setup SSH](#setup-ssh)
  - [DNF](#dnf)
  - [Fail2Ban](#fail2ban)
  - [BTRFS Parent Volumes](#btrfs-parent-volumes)
  - [BTRFS Snapshots](#btrfs-snapshots)
+    - [Snapper Installation](#snapper-installation)
+    - [Snapper Cleanup](#snapper-cleanup)
  - [BTRFS Maintenance](#btrfs-maintenance)
  - [TPM2 Luks Decryption](#tpm2-luks-decryption)
  - [Change your password](#change-your-password)
  - [Automatic Updates](#automatic-updates)
  - [Monitoring](#monitoring)
+    - [Glances](#glances)
    - [Disk Usage](#disk-usage)
    - [Disk Wear](#disk-wear)
  - [Common Storage Mounts](#common-storage-mounts)
  - [Network Bridge](#network-bridge)
  - [Virtualization](#virtualization)
-    - [Troubleshooting](#troubleshooting)
+    - [Virtualization Troubleshooting](#virtualization-troubleshooting)
    - [QEMU Images](#qemu-images)
+    - [Shared directory with VM Guest](#shared-directory-with-vm-guest)
  - [Firewalld](#firewalld)
  - [Backups](#backups)
    - [Connect to the ISCSI Backup Target](#connect-to-the-iscsi-backup-target)
@@ -28,6 +33,7 @@
      - [Troubleshooting Backup ISCSI Connection](#troubleshooting-backup-iscsi-connection)
    - [Quick Backup](#quick-backup)
    - [Regular Backups with Borg](#regular-backups-with-borg)
+  - [Version Upgrades](#version-upgrades)
  - [Optional Steps](#optional-steps)
    - [Disable Swap](#disable-swap)
    - [Disable Selinux](#disable-selinux)
@@ -37,7 +43,7 @@
    - [LVM Thin Provisioning](#lvm-thin-provisioning)
    - [Set eui64 on network interface](#set-eui64-on-network-interface)
    - [Install and Enable Cockpit](#install-and-enable-cockpit)
-  - [Troubleshooting](#troubleshooting-1)
+  - [Troubleshooting](#troubleshooting)
    - [Cockpit Terminal Unusable or Weird Colors](#cockpit-terminal-unusable-or-weird-colors)
    - [Chroot into a mounted disk](#chroot-into-a-mounted-disk)
    - [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space)
@@ -69,6 +75,12 @@ and the operator will store information about each server.
 5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
 6. Install and reboot

+## Power Profiles with Tuned
+
+1. `dnf install tuned`
+2. `systemctl enable --now tuned`
+3. `tuned-adm profile virtual-host`
+
 ## Setup SSH

 See [README](/README.md#ssh-setup)
@@ -150,6 +162,8 @@ mount -a --mkdir

 <http://snapper.io/manpages/snapper-configs.html>

+### Snapper Installation
+
 We'll be using snapper, a tool for automating and controlling snapshot behavior.

 ```bash
@@ -169,13 +183,19 @@ systemctl enable --now snapper-timeline.timer
 systemctl enable --now snapper-cleanup.timer
 # Enable snapshots on boot
 systemctl enable --now snapper-boot.timer
+```

+### Snapper Cleanup
+
+```bash
 # List snapshots
 snapper -c root list
 # Create snapshot manually
 snapper -c root create --description "test snapshot"
 # Delete first snapshot
 snapper -c root delete 1
+# Delete snapshots between 655-857
+snapper -c root delete 655-857  
 ```

 Note - you probably don't want to keep yearly snapshots.
@@ -184,8 +204,14 @@ Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`.
 ## BTRFS Maintenance

 ```bash
-# Start a scrub in the foreground (-B) at /
-btrfs scrub start -B /
+# Start a scrub with low impact/priority at / (good for servers)
+btrfs scrub start -c idle /
+
+# Start a scrub in the foreground and monitor
+btrfs scrub start -c idle -B -d /
+
+# Check for errors
+dmesg -T | grep btrfs
 ```

 ## TPM2 Luks Decryption
@@ -278,9 +304,30 @@ In Cockpit navigate to software updates -> automatic updates -> install -> secur

 In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics

+### Glances
+
+```bash
+dnf install -y glances python3-jinja2
+systemctl enable --now glances
+firewall-cmd --permanent --zone=FedoraServer --add-port=61208/tcp
+firewall-cmd --reload
+```
+
 ### Disk Usage

-TODO
+```bash
+# Show size of folder exclude snapshots
+du --exclude .snapshots -sh .
+
+# Show size of all files in your current dir
+for folder in $(ls); do du --exclude .snapshots -sh $folder; done
+
+# Calculate all folder sizes in current dir 
+alias {dudir,dud}='du -h --max-depth 1 | sort -h'
+
+# Calculate all file sizes in current dir
+alias {dufile,duf}='ls -lhSr'
+```

 ### Disk Wear

@@ -343,7 +390,7 @@ systemctl enable --now libvirtd

 Install the cockpit machines application.

-### Troubleshooting
+### Virtualization Troubleshooting

 ```bash
 # Oops, I did this after I installed virtualization
@@ -369,6 +416,12 @@ qemu-img convert -f vmdk -O raw in.vmdk out.img
 qemu-img convert -f qcow2 -O raw in.raw out.img
 ```

+### Shared directory with VM Guest
+
+```bash
+mount -t virtiofs [mount tag] [mount point]
+```
+
 ## Firewalld

 Set the default firewalld zone to `public`
@@ -381,6 +434,8 @@ Set the default firewalld zone to `public`
 Firewalld will be on and blocking by default. You can check the zone and allowed ports with:

 ```bash
+firewall-cmd --get-active-zones
+firewall-cmd --get-default-zone
 firewall-cmd --zone=public --list-ports
 firewall-cmd --zone=public --list-services
 ```
@@ -392,6 +447,21 @@ firewall-cmd --permanent --zone=public --add-port=9090/tcp
 firewall-cmd --reload
 ```

+Remove cockpit with
+
+```bash
+firewall-cmd --permanent --zone=public --remove-port=9090/tcp
+```
+
+Add a custom source for a service
+
+```bash
+sudo firewall-cmd --new-zone=home --permanent
+sudo firewall-cmd --zone=home --add-source=10.2.0.0/24 --permanent
+sudo firewall-cmd --zone=home --add-port=10700/tcp --permanent
+sudo firewall-cmd --reload
+```
+
 ## Backups

 Note: this assumes you've set up [an iscsi backup disk](/active/os_truenas/truenas.md#iscsi-backup-volumes)
@@ -483,6 +553,18 @@ rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yel

 See [borg.md](/active/systemd_borg/borg.md)

+## Version Upgrades
+
+```bash
+# Make sure to be fully up to date first
+dnf upgrade --refresh
+reboot
+
+# Set the releasever to the version you want to upgrade to
+dnf system-upgrade download --releasever=42
+dnf system-upgrade reboot
+```
+
 ## Optional Steps

 ### Disable Swap
--- a/active/os_fedora/fedora-software.md
+++ b/active/os_fedora/fedora-software.md
@@ -56,6 +56,10 @@
  - [Pipenv](#pipenv)
  - [Docker](#docker)
  - [Boxes](#boxes)
+  - [ffmpeg](#ffmpeg)
+    - [AMD GPU VAAPI ffmpeg Acceleration](#amd-gpu-vaapi-ffmpeg-acceleration)
+  - [Containers](#containers)
+  - [XSane](#xsane)

 Flatpak installs are from Flathub unless otherwise noted.

@@ -87,8 +91,6 @@ sudo dnf install \
  ansible \
  # Terminal multiplexer.
  tmux \
-  # Multimedia player with support for a wide range of codecs and file formats.
-  ffmpeg \
  # Microsoft Windows compatibility layer.
  wine \
  # Archive utility similar to GNU tar, used to package files into single archive files.
@@ -112,7 +114,7 @@ sudo dnf install \
  # Document conversion tool and markup language converter.
  pandoc \
  # Comprehensive LaTeX distribution for high-quality typesetting of documents.
-  texlive-latex \
+  texlive-latex texlive-scheme-full \
  # Generate strong passwords.
  pwgen \
  # Reattach to running processes
@@ -207,6 +209,10 @@ flatpak install com.bitwarden.desktop
 Video player (like VLC but can frame-by-frame in reverse).

 ```bash
+# DNF
+dnf install mpv
+
+# Flatpak
 flatpak install io.mpv.Mpv
 ```

@@ -643,3 +649,61 @@ Virtualization at its boxiest.
 ```bash
 flatpak install org.gnome.Boxes
 ```
+
+## ffmpeg
+
+- 1080p h264 at 10M is good quality
+
+### AMD GPU VAAPI ffmpeg Acceleration
+
+1. Enable [RPM Fusion](https://docs.fedoraproject.org/en-US/quick-docs/rpmfusion-setup/)
+2. Install [ffmpeg non-free](https://rpmfusion.org/Howto/Multimedia)
+
+```bash
+# Enable RPM Fusion
+sudo dnf install \
+  https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm
+sudo dnf install \
+  https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
+
+# Install ffmpeg non-free
+sudo dnf swap ffmpeg-free ffmpeg --allowerasing
+sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
+sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld
+sudo dnf swap mesa-vdpau-drivers mesa-vdpau-drivers-freeworld
+sudo dnf swap mesa-va-drivers.i686 mesa-va-drivers-freeworld.i686
+sudo dnf swap mesa-vdpau-drivers.i686 mesa-vdpau-drivers-freeworld.i686
+```
+
+ffmpeg with vaapi
+
+```bash
+ffmpeg \
+-hwaccel vaapi \
+-hwaccel_output_format vaapi \
+-i VID_20250804_120159.mp4 \
+-vf 'format=nv12,hwupload' \
+-vf scale_vaapi=1080:1920 \
+-c:v h264_vaapi \
+-c:a copy \
+-qp 18 \
+VID_20250804_120159_1.mp4
+```
+
+## Containers
+
+In order to enter a shell with systemd-user access via `machinectl`, install systemd-container
+
+```bash
+dnf install -y systemd-container
+```
+
+Then you can run `machinectl shell myuser@` to enter a shell which can execute `systemctl --user` commands.
+
+## XSane
+
+Scan stuff
+
+```bash
+dnf install xsane
+```
--- a/active/os_fedora/fedora-workstation.md
+++ b/active/os_fedora/fedora-workstation.md
@@ -19,6 +19,7 @@
  - [Display](#display)
    - [Scripted Display Modes](#scripted-display-modes)
  - [Fixing generic Wayland icons on task alt tab](#fixing-generic-wayland-icons-on-task-alt-tab)
+  - [Tuned Power Profiles](#tuned-power-profiles)

 ## Framework 16 Fixes

@@ -103,14 +104,21 @@ toolbox enter
 Set the default firewall to `drop`

 ```bash
-firewall-cmd --set-default-zone=drop
-firewall-cmd --reload
+sudo firewall-cmd --set-default-zone=drop
+sudo firewall-cmd --reload
 ```

 Allow KDE Connect via 1714-1764 tcp/udp

 ```bash
-firewall-cmd --add-port=1714-1764/udp --add-port=1714-1764/tcp --permanent
+# Set source address to allow connections
+sudo firewall-cmd \
+--zone=drop \
+--permanent \
+--add-port=1714-1764/udp \
+--add-port=1714-1764/tcp
+
+sudo firewall-cmd --reload
 ```

 You can check if the firewall is working via `nmap` from another machine
@@ -343,3 +351,11 @@ output.eDP-2.scale.1'

    Apply the new settings and close the application if it was open. The next
    time you open the application, it should show the correct icon.
+
+## Tuned Power Profiles
+
+Default profiles are in `/usr/lib/tuned/profiles`.
+
+Configuration file is in `/etc/tuned/ppd.conf`.
+
+Used `tuned-adm` CLI to interface with tuned.
--- a/active/os_fedora/selinux.md
+++ b/active/os_fedora/selinux.md
@@ -0,0 +1,9 @@
+# Selinux Findings
+
+## Cloning a Virtual Machine
+
+```bash
+cd active/os_fedora/selinux_policies
+sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
+sudo semodule -X 300 -i my-rpcvirtstorage.pp
+```
--- a/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
+++ b/active/os_fedora/selinux_policies/my-rpcvirtstorage.pp
--- a/active/os_fedora/selinux_policies/my-rpcvirtstorage.te
+++ b/active/os_fedora/selinux_policies/my-rpcvirtstorage.te
@@ -0,0 +1,16 @@
+
+module my-rpcvirtstorage 1.0;
+
+require {
+	type user_home_t;
+	type virtstoraged_t;
+	type qemu_var_run_t;
+	class dir setattr;
+	class capability fowner;
+	class file setattr;
+}
+
+#============= virtstoraged_t ==============
+allow virtstoraged_t qemu_var_run_t:file setattr;
+allow virtstoraged_t self:capability fowner;
+allow virtstoraged_t user_home_t:dir setattr;