core-admin/rpm_spec/core-netvm.spec

#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010  Joanna Rutkowska <joanna@invisiblethingslab.com>
# Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
#

%{!?version: %define version %(cat version_vm)}

Name:		qubes-core-netvm
Version:	%{version}
Release:	1
Summary:	The Qubes core files for NetVM

Group:		Qubes
Vendor:		Invisible Things Lab
License:	GPL
URL:		http://www.qubes-os.org
Requires:	/usr/bin/xenstore-read
Requires:   fedora-release = 13
Provides:   qubes-core-vm

%define _builddir %(pwd)/netvm

%description
The Qubes core files for installation inside a Qubes NetVM.

%pre

mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then 
mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig
fi


%build

%install

mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig
mkdir -p $RPM_BUILD_ROOT/etc
cp fstab $RPM_BUILD_ROOT/etc/fstab
mkdir -p $RPM_BUILD_ROOT/etc/init.d
cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes
mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh 
mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
mkdir -p $RPM_BUILD_ROOT/sbin   
cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
mkdir -p $RPM_BUILD_ROOT/etc
cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
mkdir -p $RPM_BUILD_ROOT/var/run/qubes
mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts
cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts

%triggerin -- initscripts
cp /var/lib/qubes/serial.conf /etc/init/serial.conf

%post

if ! grep -q ^no-auto-default.*=.*FE:FF:FF:FF:FF:FF /etc/NetworkManager/nm-system-settings.conf ; then
	echo no-auto-default=FE:FF:FF:FF:FF:FF >> /etc/NetworkManager/nm-system-settings.conf
fi

if [ "$1" !=  1 ] ; then
# do this whole %post thing only when updating for the first time...
exit 0
fi

sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/'  -i /etc/sysctl.conf
usermod -L root
if ! [ -f /var/lib/qubes/serial.orig ] ; then
	cp /etc/init/serial.conf /var/lib/qubes/serial.orig
fi

#echo "--> Disabling SELinux..."
sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
mv /etc/selinux/config.processed /etc/selinux/config
setenforce 0 2>/dev/null

#echo "--> Turning off unnecessary services..."
# FIXME: perhaps there is more elegant way to do this? 
for f in /etc/init.d/*
do
        srv=`basename $f`
        [ $srv = 'functions' ] && continue
        [ $srv = 'killall' ] && continue
        [ $srv = 'halt' ] && continue
        [ $srv = 'single' ] && continue
        chkconfig $srv off
done

#echo "--> Enabling essential services..."
chkconfig iptables on
chkconfig rsyslog on
chkconfig haldaemon on
chkconfig messagebus on
chkconfig NetworkManager on
chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"


# TODO: make this not display the silly message about security context...
sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab

# Remove most of the udev scripts to speed up the VM boot time
# Just leave the xen* scripts, that are needed if this VM was
# ever used as a net backend (e.g. as a VPN domain in the future)
#echo "--> Removing unnecessary udev scripts..."
mkdir -p /var/lib/qubes/removed-udev-scripts
for f in /etc/udev/rules.d/*
do
    if [ $(basename $f) == "xen-backend.rules" ] ; then
        continue
    fi

    if [ $(basename $f) == "xend.rules" ] ; then
        continue
    fi

    if [ $(basename $f) == "qubes.rules" ] ; then
        continue
    fi

    if [ $(basename $f) == "90-hal.rules" ] ; then
        continue
    fi


    mv $f /var/lib/qubes/removed-udev-scripts/
done

#rm -f /etc/mtab
#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0

%preun
if [ "$1" = 0 ] ; then
    # no more packages left
    chkconfig qubes_core off
    mv /var/lib/qubes/fstab.orig /etc/fstab
    mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
    mv /var/lib/qubes/serial.orig /etc/init/serial.conf
fi

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
/etc/fstab
/etc/sysconfig/iptables
/etc/init.d/qubes_core
/var/lib/qubes
/usr/lib/qubes/qubes_setup_dnat_to_ns
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/NetworkManager/dispatcher.d/qubes_nmhook
/etc/yum.repos.d/qubes.repo
/sbin/qubes_serial_login
/etc/xen/scripts/vif-route-qubes
%dir /var/run/qubes
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`#`
			`# The Qubes OS Project, http://www.qubes-os.org`
			`#`
			`# Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>`
			`# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License`
			`# as published by the Free Software Foundation; either version 2`
			`# of the License, or (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, write to the Free Software`
			`# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
			`#`
			`#`

			`%{!?version: %define version %(cat version_vm)}`

			`Name: qubes-core-netvm`
			`Version: %{version}`
			`Release: 1`
			`Summary: The Qubes core files for NetVM`

			`Group: Qubes`
			`Vendor: Invisible Things Lab`
			`License: GPL`
			`URL: http://www.qubes-os.org`
			`Requires: /usr/bin/xenstore-read`
Require F13 in VM 2010-06-18 01:48:56 +02:00			`Requires: fedora-release = 13`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`Provides: qubes-core-vm`

			`%define _builddir %(pwd)/netvm`

			`%description`
			`The Qubes core files for installation inside a Qubes NetVM.`

			`%pre`

			`mkdir -p $RPM_BUILD_ROOT/var/lib/qubes`
appvm,netvm spec: Fix [ -e fstab ] conditional in %pre 2010-06-18 01:48:18 +02:00			`if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then`
			`mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig`
			`fi`

Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00
			`%build`

			`%install`

			`mkdir -p $RPM_BUILD_ROOT/etc/sysconfig`
Unify dom0 and netvm sysconfig/iptables Plus: - dedicated chain for DNAT to nameservers - prevent intervm networking. Can be conveniently overriden in necessary cases by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD 2010-09-06 15:10:01 +02:00			`cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`mkdir -p $RPM_BUILD_ROOT/etc`
			`cp fstab $RPM_BUILD_ROOT/etc/fstab`
			`mkdir -p $RPM_BUILD_ROOT/etc/init.d`
			`cp qubes_core $RPM_BUILD_ROOT/etc/init.d/`
			`mkdir -p $RPM_BUILD_ROOT/var/lib/qubes`
Pathnames cleanup Move internal scripts to /usr/lib/qubes plus a couple of similar. 2010-07-16 10:26:55 +02:00			`mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes`
			`cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes`
Get rid of dnsmasq in netvm. qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is triggered by dhclient or NetworkManager, and manually (in case there is a static resolv.conf). Put IP-dependent rules in qubes-core, after local ip is known. It could be further improved by introducing custom chains, to enable iptables save. Restrict FORWARD. 2010-05-19 16:19:01 +02:00			`mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d`
Pathnames cleanup Move internal scripts to /usr/lib/qubes plus a couple of similar. 2010-07-16 10:26:55 +02:00			`ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh`
Get rid of dnsmasq in netvm. qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is triggered by dhclient or NetworkManager, and manually (in case there is a static resolv.conf). Put IP-dependent rules in qubes-core, after local ip is known. It could be further improved by introducing custom chains, to enable iptables save. Restrict FORWARD. 2010-05-19 16:19:01 +02:00			`mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/`
Install qubes_{setup_dnat_to_ns,nmhook} from common/ 2010-05-31 13:17:04 +02:00			`cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/`
Add qubes.repo to all qubes-core-* rpms. 2010-05-20 12:54:05 +02:00			`mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d`
Make dom0, appvm, netvm use different qubes.repo 2010-06-18 01:41:10 +02:00			`cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d`
Lock out root and user passwords; provide passwordless login on the serial console 2010-05-20 15:16:07 +02:00			`mkdir -p $RPM_BUILD_ROOT/sbin`
			`cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin`
			`mkdir -p $RPM_BUILD_ROOT/etc`
Fix serial console on VM to work on F13 (REQUIRES F13) 2010-06-18 01:45:27 +02:00			`cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/`
Pathnames cleanup Move internal scripts to /usr/lib/qubes plus a couple of similar. 2010-07-16 10:26:55 +02:00			`mkdir -p $RPM_BUILD_ROOT/var/run/qubes`
Switch to routed VM network (instead of bridging) No headache from layer 2 attacks. 2010-09-06 17:07:42 +02:00			`mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts`
			`cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts`
Lock out root and user passwords; provide passwordless login on the serial console 2010-05-20 15:16:07 +02:00
			`%triggerin -- initscripts`
Fix serial console on VM to work on F13 (REQUIRES F13) 2010-06-18 01:45:27 +02:00			`cp /var/lib/qubes/serial.conf /etc/init/serial.conf`
Add qubes.repo to all qubes-core-* rpms. 2010-05-20 12:54:05 +02:00
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`%post`

Tell Network Manager to keep hands off vif interfaces ...somehow indirectly, by specifying the mac; unfortunately I do not see any other way. 2010-09-07 13:18:08 +02:00			`if ! grep -q ^no-auto-default.=.FE:FF:FF:FF:FF:FF /etc/NetworkManager/nm-system-settings.conf ; then`
			`echo no-auto-default=FE:FF:FF:FF:FF:FF >> /etc/NetworkManager/nm-system-settings.conf`
			`fi`

rpm specs: %post cleanup Moved some stuff from the begging of %post sections after the 'if installing-for-the-first-time' check. 2010-06-14 23:52:21 +02:00			`if [ "$1" != 1 ] ; then`
			`# do this whole %post thing only when updating for the first time...`
			`exit 0`
			`fi`

Turn on IP forwarding in sysctl.conf 2010-05-21 15:02:47 +02:00			`sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf`
			`usermod -L root`
			`if ! [ -f /var/lib/qubes/serial.orig ] ; then`
Fix serial console on VM to work on F13 (REQUIRES F13) 2010-06-18 01:45:27 +02:00			`cp /etc/init/serial.conf /var/lib/qubes/serial.orig`
Turn on IP forwarding in sysctl.conf 2010-05-21 15:02:47 +02:00			`fi`

appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`#echo "--> Disabling SELinux..."`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed`
			`mv /etc/selinux/config.processed /etc/selinux/config`
appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`setenforce 0 2>/dev/null`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00
appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`#echo "--> Turning off unnecessary services..."`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`# FIXME: perhaps there is more elegant way to do this?`
			`for f in /etc/init.d/*`
			`do`
			srv=`basename $f`
			`[ $srv = 'functions' ] && continue`
			`[ $srv = 'killall' ] && continue`
			`[ $srv = 'halt' ] && continue`
appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`[ $srv = 'single' ] && continue`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`chkconfig $srv off`
			`done`

appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`#echo "--> Enabling essential services..."`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`chkconfig iptables on`
			`chkconfig rsyslog on`
			`chkconfig haldaemon on`
			`chkconfig messagebus on`
			`chkconfig NetworkManager on`
			`chkconfig --add qubes_core \|\| echo "WARNING: Cannot add service qubes_core!"`
			`chkconfig qubes_core on \|\| echo "WARNING: Cannot enable service qubes_core!"`


appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`# TODO: make this not display the silly message about security context...`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab`

			`# Remove most of the udev scripts to speed up the VM boot time`
			`# Just leave the xen* scripts, that are needed if this VM was`
			`# ever used as a net backend (e.g. as a VPN domain in the future)`
appvm, netvm spec: be quite in %post 2010-06-18 01:50:43 +02:00			`#echo "--> Removing unnecessary udev scripts..."`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`mkdir -p /var/lib/qubes/removed-udev-scripts`
			`for f in /etc/udev/rules.d/*`
			`do`
			`if [ $(basename $f) == "xen-backend.rules" ] ; then`
			`continue`
			`fi`

			`if [ $(basename $f) == "xend.rules" ] ; then`
			`continue`
			`fi`

			`if [ $(basename $f) == "qubes.rules" ] ; then`
			`continue`
			`fi`

			`if [ $(basename $f) == "90-hal.rules" ] ; then`
			`continue`
			`fi`


			`mv $f /var/lib/qubes/removed-udev-scripts/`
			`done`

			`#rm -f /etc/mtab`
			`#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"`
			`#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig`
			`#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0`

			`%preun`
			`if [ "$1" = 0 ] ; then`
			`# no more packages left`
			`chkconfig qubes_core off`
			`mv /var/lib/qubes/fstab.orig /etc/fstab`
			`mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/`
Fix serial console on VM to work on F13 (REQUIRES F13) 2010-06-18 01:45:27 +02:00			`mv /var/lib/qubes/serial.orig /etc/init/serial.conf`
Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska <joanna@invisiblethingslab.com> Rafal Wojtczuk <rafal@invisiblethingslab.com> 2010-04-05 20:58:57 +02:00			`fi`

			`%clean`
			`rm -rf $RPM_BUILD_ROOT`

			`%files`
			`%defattr(-,root,root,-)`
			`/etc/fstab`
			`/etc/sysconfig/iptables`
			`/etc/init.d/qubes_core`
Fix serial console on VM to work on F13 (REQUIRES F13) 2010-06-18 01:45:27 +02:00			`/var/lib/qubes`
Pathnames cleanup Move internal scripts to /usr/lib/qubes plus a couple of similar. 2010-07-16 10:26:55 +02:00			`/usr/lib/qubes/qubes_setup_dnat_to_ns`
Get rid of dnsmasq in netvm. qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is triggered by dhclient or NetworkManager, and manually (in case there is a static resolv.conf). Put IP-dependent rules in qubes-core, after local ip is known. It could be further improved by introducing custom chains, to enable iptables save. Restrict FORWARD. 2010-05-19 16:19:01 +02:00			`/etc/dhclient.d/qubes_setup_dnat_to_ns.sh`
			`/etc/NetworkManager/dispatcher.d/qubes_nmhook`
Add qubes.repo to all qubes-core-* rpms. 2010-05-20 12:54:05 +02:00			`/etc/yum.repos.d/qubes.repo`
Lock out root and user passwords; provide passwordless login on the serial console 2010-05-20 15:16:07 +02:00			`/sbin/qubes_serial_login`
Switch to routed VM network (instead of bridging) No headache from layer 2 attacks. 2010-09-06 17:07:42 +02:00			`/etc/xen/scripts/vif-route-qubes`
Pathnames cleanup Move internal scripts to /usr/lib/qubes plus a couple of similar. 2010-07-16 10:26:55 +02:00			`%dir /var/run/qubes`