CentOS Stream 10 (Coughlan) and Redhat Enterprise 10 Beta

CentOS Stream 10 has been released end of last year. Meanwhile it is available at Hetzner and other providers.
So let's have a quick look and get the Domino container project ready for CentOS 10 and Redhat Enterprise ready.

I am not a big fan of CentOS Stream any more since they dropped CentOS Stream 8 quite early.
But on the other side CentOS Stream is a the base for the Redhat Enterprise Linux major and minor releases.
This makes it a perfect sandbox to try out the next Redhat versions.

CentOS Stream 10 has been released and Redhat Enterprise Linux 10 is in beta.
The following diagram nicely shows how Fedora, CentOS and Redhat Enterprise are maintained.

For details check the video in the official blog post where I also borrowed the diagram https://blog.centos.org/2024/12/introducing-centos-stream-10/





WARNING: The operating system CentOS Stream 10 (Coughlan) has NOT been tested by HCL!


CentOS stream is brand new and not tested by HCL.
Actually HCL is focusing on enterprise versions and is expected to test Redhat Enterprise 10 as soon it is available.

I looked into CentOS Stream 10 and also the Redhat Enterprise Linux 10 Beta which are both available as container images.
The container image did not work because a packet was missing which includes "whereis" -- which was always installed and is needed for NSD to work correctly.


CentOS Stream 10 VM installation

I also looked at the native installation on a Proxmox server.

There are no surprises in the setup UI. Just some minor art work.
The file system used by default is XFS instead of the expected ext4 most systems use.


How to download CentOS Stream 10

You can find the ISO here. This is a download link you can directly paste into for example a Proxmox ISO download.

https://mirrors.xtom.de/centos-stream/10-stream/BaseOS/x86_64/iso/CentOS-Stream-10-latest-x86_64-dvd1.iso


Docker Pull

The container image is on Redhat Quay like the previous images

docker pull quay.io/centos/centos:stream10


Testing with Red Hat Enterprise Linux 10.0 Beta (Coughlan)

The beta for Redhat Enterprise 10 is also already available.

The easiest way to test is to use the container image. The container image brings everything beside the kernel.
But that's fine for most of the tests. There are distributions with later kernel versions.

Here is the official blog post:

https://www.redhat.com/en/blog/red-hat-enterprise-linux-10-beta-now-available


podman run -it --rm registry.redhat.io/ubi10-beta/ubi:10.0-beta bash


Conclusion

All in all there are no surprises and it just works if you add the missing package - which I have added to the container build process.
On a native machine I had to add openssl to the native Domino Linux installer, because it is not part of the standard minimum install.

But beside that it all worked out of the box.


NSD shows a repeated warning

I noticed a new message in NSD which I have seen in other distributions.

egrep: warning: egrep is obsolescent; using grep -E

NSD is a cross platform script which still uses "egrep" for Linux.
Now the "egrep" package starts warning about egrep. The better option is "grep -E".

This should be addressed on Domino side to avoid warnings.

The warning is coming from a script which replaces egrep.
For now you can just remove the warning.


#!/usr/bin/sh
cmd=${0##*/}
echo "$cmd: warning: $cmd is obsolescent; using grep -E" >&2
exec grep -E "$@"


Comments Disabled

How to add a trusted root to Linux

The Domino container project is a very flexible way to install Domino.
Many business partners and consultants are using containers for their production environments and for testing.

The container project https://opensource.hcltechsw.com/domino-container/ supports many different distributions because there is no one size fits all.
In addition there might be needs to test software on different Linux distributions.

The container project is a great option to run with different distributions.
In fact you can switch between distributions for the same server very quickly by just applying a different base image.

For a new customer project we are looking into Debian as the host platform for the host OS running Docker and also for the container.
One of the reasons is that in the corporate world you need proxies to access the internet for example to get packet sources to install and update Linux.

But some customers have the need to run their own mirrors to tighter control the software they are building with and to optimize resources.

I recently added custom repository support for Ubuntu which is also supported by providers like Hetzner.
Now I am extending the custom repository support to also Debian 12 for this customer.

But because this is a community project, this will be available for anyone of course.

The customer also has the need to add their trusted root to the container image.
Usually I would recommend to build an own customer standard container image to derive all images from.
This base image would be build on top of the standard base image from the vendor and build the base for all of your Domino or other application container builds.

But I am still adding custom trusted root support to the Domino container project.
You will be able to just specify a trusted root to add to the local Linux trust store.

Like other low level functionality this works differently on different Linux flavors.

Here is what I am adding for SUSE, for Debian/Ubuntu and basically all the other Redhat/RPM based systems (I rested Rocky, Alma & Co so far).


if [ -x /usr/bin/zypper ]; then
  cp -f root.pem /usr/share/pki/trust/anchors
  update-ca-certificates

elif [ -x /usr/bin/apt-get ]; then
  apt install ca-certificates -y
  cp -f root.pem /usr/local/share/ca-certificates
  # Certs must have the .crt extension
  mv /usr/local/share/ca-certificates/*.pem /usr/local/share/ca-certificates/*.crt
  update-ca-certificates

else
  cp -f root.pem /etc/pki/ca-trust/source/anchors
  update-ca-trust
fi


You can test if a certificate is trusted using OpenSSL or Curl

curl -v https://microca.nashcom.org

openssl verify root-pem
root.pem: OK

• Comments [1171]

Must watch: Unlocking the Power of Nomad for Browsers and Mobile Devices

If you never looked into Nomad Mobile and/or Nomad Web or if you use it already: This is a great video of one after another new feature of the Nomad platform.

https://www.youtube.com/watch?v=lsgpr_P12WE

Nomad is a great platform for mobile devices but also for Desktop experience running a basic client experience in the browsers.
Over the last years the Nomad team did an outstanding job implementing feature after feature.

Since Nomad Server is available  it is super easy to deploy Nomad Web. No extra components are needed.
The Nomad server gets it's TLS certificate from CertMgr and can meanwhile passthru ACME Challenges to the Domino server.

AdminCentral is the first HCL provided template which is working on the Notes Client, Nomad Web and Nomad Mobile.
It shows what you can do with standard Notes application functionality today.

Our DNUG Lab environment has all components enabled. I am using AdminCentral to register and manage all lab users.

Have a look into the latest features. Kudos to the HCL Nomad team! You rock!

-- Daniel

• Comments [1176]

Domino CertMgr and TLS detailed information on GitHub

The CertMgr GitHub repository was initially mainly intended to provide information to CertMgr ACME DNS-TXT integration information.
But I added GitHub pages and a lot of other material over time.

When you work with certificates in Domino this is a must read!
There is howto material. tutorials. FAQs and also integrations to use CertMgr certificates outside Domino.

This would be a recommended read from beginning to the end.
It's complementing standard HCL documentation, which is mainly reference documentation like most vendor documentation.

The howto section also provides OpenSSL command line information how to retrieve and convert certificates.

https://opensource.hcltechsw.com/domino-cert-manager/

• Comments [1171]

Domino 14.5 EA2 Community Image patch for fixing December 2024 issue

HCL published a new Notes & Domino Windows DLL and Linux Lib for the problem occurred December 13 in the Early Access Program forum (EAP) --> https://hclsw.co/domino-14-5-eap-forum
This isn't a IF. Just a replacement of the main Notes/Domino DLL/Lib to address the problem also for the early access release.

The fix was on hold because the focus was on production and customer environments first.
Daily builds don't have support for IF/HF. Therefore there is a simple "sidepack" with just the affected files to replace.

You just stop your server or client and replace the files.
For a container image patching a container image isn't the right way.

But the container project supports custom add-ons. Usually this is intended to add software from 3rd parties, like a server task or extension manager.
The same process can also be used to patch Domino in the container at container build time.

Here is the official documentation --> https://opensource.hcltechsw.com/domino-container/concept_custom_addons/.

Let me share the steps I just took to patch my server.
I can't make the tar file available for download to just include it in our build options referenced via a HTTPS link.
But this process should be pretty straightforward and you can share this tar file for all internal servers you are building an image for.

Building the add-on to patch Domino 14.5 EA2

The first steps it to create a new directory to hold your file structure for the software you and to distribute
In the next step you create  sub directory for the Domino binary directory.

The -p options allows you to create the whole directory path a once:

mkdir -p /tmp/patch/domino-bin
cd /tmp/patch/domino-bin

Then you add the two files into that directory and package them up into a tar file.

tar -cvf /local/software/domino145ea2patchx.tar *

The directory structure look like this:

tree
.
└── domino-bin
 ├── libnotes.so
 └── libnotes.so.sym

Because the data needs to be verified to be added to the container, you have to provide the SHA256 of the tar file when getting it installed.
Linux provides the a command-line tool to generate the SHA256 checksum like this:

sha256sum /local/software/domino145ea2patch.tar
d088983544651940f71b8b7d9d942aaad84ecbe9fdbd24464178c858b9daff3b  /mnt/storagebox/software/domino145ea2patch.tar


Once you have the file in place and the checksum, you just add the custom add-on to your container build command-line.
The build script will take care for patching the binaries for your during the build process.

Custom add-ons are installed at the end of the build processes and therefore allow to patch also Domino binaries if needed.
The same process works for all kind of business partner applications.


-custom-addon=domino145ea2patch.tar#d088983544651940f71b8b7d9d942aaad84ecbe9fdbd24464178c858b9daff3b

• Comments [1181]

Microsoft critical CVEs are daily business? Be aware of this critical Outlook CVE

Interesting how different the acceptance of issues is in software can be.
The following CVE is something I would rate as a quite critical issue -> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298

I have not found much reference about it. For heise it is just one of the bugs fixed at patch day.

The critical problem is just worth a side note. It's listed as other risks also patched.
The wording "verschlucken" is also interesting. Sounds like not a big deal the way it is worded in German.

If you are using Outlook be aware of this issue and get patches in place!

https://www.heise.de/news/Microsoft-Patchday-Angreifer-nutzen-drei-Luecken-in-Hyper-V-aus-10242955.html

• Comments [1174]

Two Domino 14.5 EA events next week

Domino 14.5 EA2 is around for a while. Some of you have joined the EAP forum https://hclsw.co/domino-14-5-eap-forum.
There are two Domino 14.5 events next week to present the latest information about Domino 14.5, which also give the opportunity to provide feedback.

The OpenNTF Webinar on Thursday focuses on Domino AutoUpdate & AutoInstall, which is a highlight feature in Domino 14.5.
Joing the HCL Domino AutoUpdate development team for an introduction, deep dive and questions on Thursday.

If you can understand German, there is another event on Tuesday afternoon CET.
Sadly Thomas Hampel (HCL) and Marc Thomas (Panagenda) can't join us on short notice.
That gives me a busy week and weekend preparing multiple slides decks to cover the full 4 hours.

The Domino 14.5 AutoUpdate slides for both events will be mainly the same just in 60 instead of 90 minutes.
The 4 hour DNUG even covers Domino IQ and many other Domino 14.5 features and current best practices and lessons learned from the critical fix end of last year.

I am looking forward to see many of you at those two events.

-- Daniel


DNUG Domino Day

- Lessons learned from last years critical fix and best practices
- Domino 14.5 EA2 Auto Update&Install
- Domino 14.5 EA2 IQ
- More Domino 14.5 features

Tuesday, January 14,2025  1 - 5pm CET

https://dnug.de/event/dnug-online-domino-4/

Registration: https://www.eventbrite.de/e/dnug-online-domino-day-tickets-1079209036279


OpenNTF Webinar: Domino 14.5 AutoInstall Feature Overview and Deep Dive Domino


14.5 brings a new AutoInstall feature to extend update notifications from previous versions.
Join us in this webinar to see it in action on Windows and Linux. Learn from the development team,
get all your questions answered, and provide feedback about the latest feature details in Domino 14.5 EA2

This session will be presented by team members Gary Rheaume, Daniel Nashed, and Dick Annichiarico.

Thursday January 16th from 11:00 AM (New York time) to 12:30 PM

https://www.openntf.org/main.nsf/page.xsp?name=Interact_With_Us&subName=Webinars

Registation: https://attendee.gotowebinar.com/register/4884186125784079453

• Comments [1169]

DBMT tool enhancements in Domino 14.5 EA2

Sometimes small changes open many new possibilities.
The following DBMT tool command line options are added to DBMT in Domino 14.5 EA2:

-systemDbs (-sd for short)
Allows compact to process system dbs, which are usually ignored), as well as databases listed in the dbmt_compact_filter.ind file.

-regex (-re for short)
Now a database name can be specified using regular expressions. If an .ind file is specified, the database names listed in the .ind file can be regular expressions.

-validateDbs (-vd for short)
Does not execute the updall or compacts, but outputs the list of databases that could be affected by the DBMT command (mainly to validate -regex inputs). Can be used in combination with -sd

---

There was an issue with system databases which have not been compacted any more.
Even if they have been specified via an .IND file they have been skipped.

This has been addressed with a new switch to explicitly allow system databases to be processed.
It was actually a regression and is now formalized a an explicit option.
The option works in combination with other selection options.

Selecting databases wasn't fully flexible. Now you can specify a regular expression.
It allows full flexibility but can be a bit tricky to get right.

Therefore there is a new option to dry run your selection.

lo dbmt -sd -vd -re *names*

Again a small step to develop. But it might completely change the way you schedule your DBMT operations in future.


Documentation

https://help.hcl-software.com/domino/14.5.0/admin/wn_145ea2_administration_features.html

Regular expressions for the DBMT tool

https://help.hcl-software.com/domino/14.5.0/admin/admn_general_expressions_dbmt_tool.html#admn_general_expressions_dbmt_tool__table_ws2_chn_zcc

• Comments [1170]

Checking leap year rules in Notes -- With historic view

This is a follow-on post to my previous Notes TIMEDATE post.
To sum it up. Notes is handing it right.

Checking if the calendar rules work for dates long time ago, made me look into history behind our modern time system.
I wrote a program to check Notes leap rules leveraging the Gregorian calendar.
The only year in question I found 1700. But it turned out this really depends when the Gergorian calendar became effective.

In the Julian calendar the dividable by 400 rule was not in place. It's arguable if this is an issue. That depends on the county ..
The US changed to the Gregorian calendar in 1752. For all future dates the Gregorian rules apply and future century leap days look right in my testing.

Here is what ChatGPT found out.. But you have to read it right and it is interesting to read.
I can't recall hearing about those history details in school ... I did know the rules. But not when they had been introduced in different countries.

-- Daniel

Leap year exceptions are related to the rules of the Gregorian calendar and its predecessor, the Julian calendar. These exceptions address the need to keep the calendar year aligned with Earth's orbit around the Sun. Here is a breakdown:

Leap Year Rules

1. Julian Calendar (Introduced in 45 BCE):
   - A year is a leap year if it is divisible by 4.
   - This rule overestimated the length of the solar year, causing an error of about 11 minutes annually. Over centuries, this accumulated, leading to calendar drift.

2.Gregorian Calendar (Introduced in 1582):
   - To correct the Julian calendar's drift, the Gregorian calendar added two additional rules:
     - A year is a leap year if it is divisible by 4.
     - **Exception:** If the year is divisible by 100, it is not a leap year, unless:
     - **Exception to the exception:** If the year is divisible by 400, it is a leap year.
   - This refinement corrected the annual discrepancy and aligned the calendar more closely with the solar year.

Historical Exceptions

1. Switch from Julian to Gregorian Calendar:
   - In 1582, Pope Gregory XIII introduced the Gregorian calendar. Ten days were skipped to realign the calendar with the seasons. Different countries adopted the Gregorian calendar at different times, causing discrepancies.
   - Example: In England and its colonies, the switch occurred in 1752, skipping 11 days (September 2 was followed by September 14).

2. Non-implementation of Leap Years:
   - Leap years that would occur under the Julian rules but not under the Gregorian rules (e.g., 1700, 1800, 1900) are exceptions. These were not leap years in Gregorian calendar countries but remained so in Julian calendar countries.

3. Adoption Delays:
   - Some countries, like Russia and Greece, retained the Julian calendar for centuries after 1582. Russia adopted the Gregorian calendar in 1918, and Greece in 1923.

Rare Leap Year Events

- Year 2000:
   - While divisible by 100 (not a leap year under the basic rule), it was also divisible by 400, making it a leap year under the Gregorian rules.

Summary of Leap Year Exceptions

- 1700, 1800, 1900: Not leap years in the Gregorian calendar, but leap years in the Julian calendar.
- Year 2000: A leap year in both systems due to the "divisible by 400" rule.

These rules and exceptions ensure the calendar remains synchronized with Earth's orbit, minimizing long-term drift.

• Comments [1172]

Notes Timedate explained

There have been a couple of partner blog posts speculating about the background of the recent Domino 13.12.2024 problem, which might be a bit misleading.
For the background of what happened in detail and how HCL addressed the problem please wait for the official technote update.
But what I can tell is that HCL fixed it on a lower level function addressing all functionality in Domino and business partner applications using the effected functionality.

This means the only safe way is to apply the Interim fix provided by HCL for all supported releases including the extended support versions!
What I also can state is that all Notes TIMEDATE functionality is working as intended and are designed to handle date times from 1.1.1 to the end of all times.

Sorry for a long blog post like this. But I hope this helps to understand the Notes TIMEDATE a bit better.
The takeaway is that the Notes TIMEDATE works as intended for now and the far future.


I am briefly comparing the approach Notes took compared to the Linux/UNIX date, but will not go into all details about the Linux EPOCH date -- which would be maybe something for a future blog post.
But comparing two implementations makes it easier to understand.

To understand how time date functionality works it makes sense to look into the lowest level of presentation, which you can find in the C-API toolkit.
Notes/Domino uses the TIMEDATE structure to internally represent time.

The time is stored always in GMT/UTC and contains timezone and summer/winter (DST) information of how the data was stored.
The internal representation is always in UTC to ensure all operations are compatible for all timezones in summer and winter time and that no conversion is needed to compare them.
That also means everything displayed is only a conversion based on UTC with the choosen timezone at run-time.

typedef struct tagTIMEDATE
{
DWORD Innards[2];
} TIMEDATE;


The structure is a binary representation which should not be manipulated low level. It contains the date and time + zone + DST flag.

Linux time

In contrast the Linux timedate is a single number of seconds since 1.1.1970 midnight UTC, which will wrap around in 2038 in it's 32bit implementation.
The good news here is that Linux glibc has switched to a 64bit integer when 64bit Linux was introduced.
So today you will hopefully all run Linux environments with a time_t with 64bit which will work far beyond year 2028.
But there might be many older legacy environments without a 64bit time_t format which are limited to the 32bit integer design of the Linux time which can only hold around 68 years in seconds.

Notes TIMEDATE functions

The TIMEDATE can be converted to a TIME structure very similar to how Linux converts it's internal format to a human readable structure.
This structure is mainly intended for input/output.
There are also conversion functions to format a date based on time settings to format and read from/string buffers.


Structure

typedef struct {
int year;       /* 1-32767 */
int month;      /* 1-12 */
int day;        /* 1-31 */
int weekday;    /* 1-7, Sunday is 1 */
int hour;       /* 0-23 */
int minute;     /* 0-59 */
int second;     /* 0-59 */
int hundredth;  /* 0-99 */
int dst;        /* FALSE or TRUE */
int zone;       /* -11 to +11 */
TIMEDATE GM;
} TIME;


Most relevant functions to handle conversions to help understanding the TIMEDATE.


BOOL LNPUBLIC TimeLocalToGM(TIME far *Time);
BOOL LNPUBLIC TimeGMToLocal(TIME far *Time);
BOOL LNPUBLIC TimeGMToLocalZone(TIME far *Time);

Conversions take either the GM TIMEDATE format to convert it to individual values or the other way round.
The internally structure of a TIMEDATE contains two main components:

1.The elapsed in days since a certain EPOCH time which is different then the Linux EPOC and much lower.
2. Number of 1/100 seconds since midnight UTC/GMT


Both values are DWORD values which can hold the hundred seconds since midnight and sufficient number of days until the end of all times.
The Notes EPOC value is also way below 1.1.1 so it can handle dates earlier than 1900.

So both assumptions that Domino's EPOCH date is 1.1.1970 or 1.1.1900 are wrong.


TIMEDATE implementation benefits and facts

The design of the TIMEDATE brings a couple of benefits which makes it more flexible then other time formats.

1. Works since 1.1.1 until very far into the future
2. Supports timezone and summer/winter time
3. Compatible between timezones (this is specially important for replication)
4. Resolution is 1/100 second in contrast to for example Linux where the resolution is 1 second

How to make sure you are not running into issues in your applications

All the functionality described here is part of the original design of Notes and work unchanged since then.
This includes a function to calculate the difference between two TIMEDATES in seconds.

The resulting number if a LONG, which is a 32bit signed integer. This integer value can represent the delta in seconds for a round 68 years.

Usually this isn't a problem in applications and in the time when Notes was designed there was no 64bit Integer value.
68 years in seconds was sufficient and you could not calculate with larger numbers.

When calculating larger numbers you had always to switch to a float value else the resulting value would have wrapped.
Notes also provides a function returning the difference in seconds in a float value returning a NUMBER.
This result will allow longer time intervals but might loose precision in detail.


Compare without calculating the difference

In many cases you don't need to know the difference. You just want to check which date is younger.
The TimeDateCompare() works independently of the time difference and is the safer bet when comparing.

In future Notes should introduce a TIMEDATE difference routine returning LONG64.
This would help to calculate longer time spans without switching to floating point operations, which work well for larger numbers but might loose precision.

Today Notes and Domino is only available for 64bit and all platforms support 64bit integer data types. So it would be possible to implement a LONG64 version of the time difference function.
But until then you just need to take care of the LONG (32bit signed integer limits of 68 years -- more exact 2147483647 seconds).

-----

Side Note:

Usually you would not use time functionality for earlier dates than 1900.
I have tested with 1.1.1 but I would assume this isn't officially intended to work since that time.
There is a special leap year rule that might not have been taken into account those special rules omitting certain leap years (see reference below).
I have not spent any time validating that for earlier times or later times. But maybe I will look into this in another blog post.

"The Gregorian calendar therefore omits 3 leap days every 400 years, which is the length of its leap cycle.
This is done by omitting 29 February in the 3 century years (multiples of 100) that are not multiples of 400.
The years 2000 and 2400 are leap years, but not 1700, 1800, 1900, 2100, 2200, and 2300."
--- Ref: https://en.wikipedia.org/wiki/Leap_year


References:

I would also have a small C-API program to play around with the Notes TIMEDATE and to see how the functionality works.
But I am leaving that out here. If anyone is interested, I could share it including a Linux makefile.


LONG LNPUBLIC TimeDateDifference(const TIMEDATE far *t1, const TIMEDATE far *t2);
void LNPUBLIC TimeDateDifferenceFloat(const TIMEDATE far *t1, const TIMEDATE far *t2, NUMBER far *difference);
int  LNPUBLIC TimeDateCompare(const TIMEDATE far *t1, const TIMEDATE far *t2);


Extract from global.h

BYTE    = unsigned  8 bit integer
WORD    = unsigned 16 bit integer
DWORD   = unsigned 32 bit integer
LONG    = signed   32 bit integer

DWORD64 = unsigned 64 bit integer (on 32 and 64 bit operating systems)
LONG64  = signed 64 bit integer (on 32 and 64 bit operating systems)
NUMBER  = A platform-independent IEEE-64 floating point number


Number 2147483647

The number 2147483647 (or hexadecimal 7FFFFFFF) is the maximum positive value for a 32-bit signed binary integer
More information -->  https://en.wikipedia.org/wiki/2,147,483,647

----

Update 6. January 2025

There is an interesting technote Julian came up with. I wasn't aware of those details about the historic dates.
But this really matches what the C-API provides.

KB0039502  -- Error "Unable to interpret time or date" when entering specific dates from the year 1752

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0039502

Now you know the base year for the Notes TIMEDATE: year 4713 B.C.

If you take the number of days from today's date and divide them by 365,25 + take into account that there was no year zero, this matches the start date 4713 B.C.

So in contrast to most implementations taking 1970 or 1900 as the base, Notes uses the Julian date EPOCH.  

Now looking into it closer, there is a call to extract the Julian date:

DWORD LNPUBLIC TimeExtractJulianDate(const TIMEDATE far *Time);

Which turns out to be the TIMEDATE Innards value for the days.

See details about the Julian date here --> https://en.wikipedia.org/wiki/Julian_day

• Comments [8]