From 0218ab0b2a13784d25238761f5873460952889fe Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 15:12:41 +0200
Subject: [PATCH 01/11] dom0/core: remove appmenus when removing NetVM (#627)

---
 dom0/qvm-core/qubes.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 7e13c407..d6cabefa 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1870,6 +1870,15 @@ class QubesNetVm(QubesVm):
         if not self.internal:
             self.create_appmenus (verbose, source_template=source_template)
 
+    def remove_from_disk(self):
+        if dry_run:
+            return
+
+        if not self.internal:
+            self.remove_appmenus()
+        super(QubesNetVm, self).remove_from_disk()
+
+
 class QubesProxyVm(QubesNetVm):
     """
     A class that represents a ProxyVM, ex FirewallVM. A child of QubesNetVM.

From c0ffdd6fa5514de77a738db72a4bd8f0ca0459d3 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 15:55:46 +0200
Subject: [PATCH 02/11] dom0/dom0-updates: remove updates-pending flag after
 update installation

---
 dom0/qvm-tools/qubes-dom0-update | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dom0/qvm-tools/qubes-dom0-update b/dom0/qvm-tools/qubes-dom0-update
index 6ff8603f..fc1cc62e 100755
--- a/dom0/qvm-tools/qubes-dom0-update
+++ b/dom0/qvm-tools/qubes-dom0-update
@@ -1,6 +1,8 @@
 #!/bin/bash
 
 UPDATEVM=`qubes-prefs --get updatevm`
+UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available
+
 if [ -z "$UPDATEVM" ]; then
     echo "UpdateVM not set, exiting"
     exit 1
@@ -97,6 +99,7 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then
             yum $YUM_OPTS update
         fi
     fi
+    yum -q check-updates && rm $UPDATES_STAT_FILE
 else
     echo "No updates avaliable" >&2
 fi

From 1083fad626e8b6642f8bd15ec66f9629dd9481d8 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 16:07:35 +0200
Subject: [PATCH 03/11] dom0/core: remove duplicated remove_from_disk
 definition

---
 dom0/qvm-core/qubes.py | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index d6cabefa..ad35b587 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1510,13 +1510,6 @@ class QubesVm(object):
 
         xc.domain_unpause(self.get_xid())
 
-    def remove_from_disk(self):
-        if dry_run:
-            return
-
-
-        shutil.rmtree (self.dir_path)
-
     def get_xml_attrs(self):
         attrs = {}
         attrs_config = self._get_attrs_config()

From b220b6a5fee656e572d126231fc7d6173ef09815 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 22:54:23 +0200
Subject: [PATCH 04/11] dom0+vm/qrexec-services: pass remote domain via env
 variable not argument

Most qrexec services doesn't use remote domain name, as policy is enforced
earlier. So pass it in way that will allow use of generic command as qrexec
service.
---
 qrexec/qubes_rpc_multiplexer | 3 ++-
 qubes_rpc/qfile-unpacker.c   | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/qrexec/qubes_rpc_multiplexer b/qrexec/qubes_rpc_multiplexer
index 8f03137a..89cdbed7 100755
--- a/qrexec/qubes_rpc_multiplexer
+++ b/qrexec/qubes_rpc_multiplexer
@@ -5,8 +5,9 @@ if ! [ $# = 2 ] ; then
 	exit 1
 fi
 CFG_FILE=$QUBES_RPC/"$1"
+export QREXEC_REMOTE_DOMAIN="$2"
 if [ -s "$CFG_FILE" ] ; then
-	exec $(cat "$CFG_FILE") "$2"
+	exec $(cat "$CFG_FILE")
 	echo "$0: failed to execute handler for" "$1" >&2
 	exit 1
 fi
diff --git a/qubes_rpc/qfile-unpacker.c b/qubes_rpc/qfile-unpacker.c
index eaa5c067..dd0a510d 100644
--- a/qubes_rpc/qfile-unpacker.c
+++ b/qubes_rpc/qfile-unpacker.c
@@ -51,13 +51,19 @@ int main(int argc, char ** argv)
 	char *incoming_dir;
 	int pipefds[2];
 	int uid;
+	char *remote_domain;
 
 	pipe(pipefds);
 
 	uid = prepare_creds_return_uid("user");
 
+	remote_domain = getenv("QREXEC_REMOTE_DOMAIN");
+	if (!remote_domain) {
+		gui_fatal("Cannot get remote domain name");
+		exit(1);
+	}
 	mkdir(INCOMING_DIR_ROOT, 0700);
-	asprintf(&incoming_dir, "%s/from-%s", INCOMING_DIR_ROOT, argv[1]);
+	asprintf(&incoming_dir, "%s/from-%s", INCOMING_DIR_ROOT, remote_domain);
 	mkdir(incoming_dir, 0700);
 	if (chdir(incoming_dir))
 		gui_fatal("Error chdir to %s", incoming_dir); 

From b55c08d49c32f8ea64865ab2fe6351e57b856c82 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 22:59:32 +0200
Subject: [PATCH 05/11] dom0+vm: execute qrexec service as shell script

This will allow to pass quoted arguments and some variable expansion. Basically
one-line shell command service can be embeded in the configuration.
In previus version use of "command path with spaces" whould result in try to
execute '"command' with arguments 'path', 'with' and 'spaces"'.
---
 qrexec/qubes_rpc_multiplexer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qrexec/qubes_rpc_multiplexer b/qrexec/qubes_rpc_multiplexer
index 89cdbed7..191be91b 100755
--- a/qrexec/qubes_rpc_multiplexer
+++ b/qrexec/qubes_rpc_multiplexer
@@ -7,7 +7,7 @@ fi
 CFG_FILE=$QUBES_RPC/"$1"
 export QREXEC_REMOTE_DOMAIN="$2"
 if [ -s "$CFG_FILE" ] ; then
-	exec $(cat "$CFG_FILE")
+	exec /bin/sh "$CFG_FILE"
 	echo "$0: failed to execute handler for" "$1" >&2
 	exit 1
 fi

From 20f6c6c6dc573dca3451af8453d114bb266b7801 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 22:58:15 +0200
Subject: [PATCH 06/11] vm: simplify qubes.VMShell service

Now additional wrapper not required to skip cmdline argument
---
 qubes_rpc/qubes.VMShell | 2 +-
 qubes_rpc/vm-shell      | 3 ---
 rpm_spec/core-vm.spec   | 3 +--
 3 files changed, 2 insertions(+), 6 deletions(-)
 delete mode 100755 qubes_rpc/vm-shell

diff --git a/qubes_rpc/qubes.VMShell b/qubes_rpc/qubes.VMShell
index 7ca3b5e5..01dca2d7 100644
--- a/qubes_rpc/qubes.VMShell
+++ b/qubes_rpc/qubes.VMShell
@@ -1 +1 @@
-/usr/lib/qubes/vm-shell
\ No newline at end of file
+/bin/bash
diff --git a/qubes_rpc/vm-shell b/qubes_rpc/vm-shell
deleted file mode 100755
index d06e3986..00000000
--- a/qubes_rpc/vm-shell
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# just ignore the cmdline argument (the remote vm name)
-exec /bin/bash
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index f24c679b..e73cdb8d 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -156,7 +156,7 @@ install qubes_rpc/wrap_in_html_if_url.sh $RPM_BUILD_ROOT/usr/lib/qubes
 install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes
 install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes
 install qubes_rpc/{vm-file-editor,qfile-agent,qopen-in-vm,qfile-unpacker} $RPM_BUILD_ROOT/usr/lib/qubes
-install qubes_rpc/{vm-shell,qrun-in-vm} $RPM_BUILD_ROOT/usr/lib/qubes
+install qubes_rpc/qrun-in-vm $RPM_BUILD_ROOT/usr/lib/qubes
 install qubes_rpc/sync-ntp-clock $RPM_BUILD_ROOT/usr/lib/qubes
 install qubes_rpc/prepare-suspend $RPM_BUILD_ROOT/usr/lib/qubes
 install -d $RPM_BUILD_ROOT/%{kde_service_dir}
@@ -419,7 +419,6 @@ rm -rf $RPM_BUILD_ROOT
 /usr/lib/qubes/serial.conf
 /usr/lib/qubes/setup_ip
 /usr/lib/qubes/vm-file-editor
-/usr/lib/qubes/vm-shell
 /usr/lib/qubes/wrap_in_html_if_url.sh
 /usr/lib/yum-plugins/yum-qubes-hooks.py*
 /usr/sbin/qubes_firewall

From 06ba3f6e4975bd04ea8ba7646c5fdfeeefaff0c0 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 23:07:01 +0200
Subject: [PATCH 07/11] vm: implement qubes.GetAppmenus to reduce code
 duplication

As one-liner services are now real one-line, just do it.
---
 misc/qubes_trigger_sync_appmenus.sh | 2 +-
 qubes_rpc/qubes.GetAppmenus         | 2 ++
 rpm_spec/core-vm.spec               | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 qubes_rpc/qubes.GetAppmenus

diff --git a/misc/qubes_trigger_sync_appmenus.sh b/misc/qubes_trigger_sync_appmenus.sh
index 5390c2d2..e848ea34 100755
--- a/misc/qubes_trigger_sync_appmenus.sh
+++ b/misc/qubes_trigger_sync_appmenus.sh
@@ -3,5 +3,5 @@
 UPDATEABLE=`/usr/bin/xenstore-read qubes_vm_updateable`
 
 if [ "$UPDATEABLE" = "True" ]; then
-    /usr/lib/qubes/qrexec_client_vm dom0 qubes.SyncAppMenus /bin/grep -H = /usr/share/applications/*.desktop
+    /usr/lib/qubes/qrexec_client_vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes_rpc/qubes.GetAppmenus
 fi
diff --git a/qubes_rpc/qubes.GetAppmenus b/qubes_rpc/qubes.GetAppmenus
new file mode 100644
index 00000000..cada68ca
--- /dev/null
+++ b/qubes_rpc/qubes.GetAppmenus
@@ -0,0 +1,2 @@
+shopt -s nullglob
+/bin/grep -H = /usr/share/applications/*.desktop /usr/local/share/applications/*.desktop 2> /dev/null
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index e73cdb8d..9509403f 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -163,7 +163,7 @@ install -d $RPM_BUILD_ROOT/%{kde_service_dir}
 install -m 0644 qubes_rpc/{qvm-copy.desktop,qvm-dvm.desktop} $RPM_BUILD_ROOT/%{kde_service_dir}
 install -d $RPM_BUILD_ROOT/etc/qubes_rpc
 install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $RPM_BUILD_ROOT/etc/qubes_rpc
-install -m 0644 qubes_rpc/{qubes.SuspendPre,qubes.SuspendPost} $RPM_BUILD_ROOT/etc/qubes_rpc
+install -m 0644 qubes_rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $RPM_BUILD_ROOT/etc/qubes_rpc
 
 install qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes
 install qrexec/qrexec_client_vm $RPM_BUILD_ROOT/usr/lib/qubes
@@ -371,6 +371,7 @@ rm -rf $RPM_BUILD_ROOT
 %dir /etc/qubes_rpc
 /etc/qubes_rpc/qubes.Filecopy
 /etc/qubes_rpc/qubes.OpenInVM
+/etc/qubes_rpc/qubes.GetAppmenus
 /etc/qubes_rpc/qubes.VMShell
 /etc/qubes_rpc/qubes.SyncNtpClock
 /etc/qubes_rpc/qubes.SuspendPre

From 6c74db3aace2516299fe273fe1a51ea361a40d8d Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sat, 14 Jul 2012 23:09:04 +0200
Subject: [PATCH 08/11] dom0/qvm-sync-appmenus: use qubes.GetAppmenus service

---
 dom0/qvm-tools/qvm-sync-appmenus | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dom0/qvm-tools/qvm-sync-appmenus b/dom0/qvm-tools/qvm-sync-appmenus
index fa9db396..fef07274 100755
--- a/dom0/qvm-tools/qvm-sync-appmenus
+++ b/dom0/qvm-tools/qvm-sync-appmenus
@@ -62,7 +62,7 @@ def get_appmenus(xid):
             raise QubesException("Line count limit exceeded")
     else:
         p = subprocess.Popen ([qrexec_client_path, '-d', str(xid),
-                'user:grep -H = /usr/share/applications/*.desktop'], stdout=subprocess.PIPE)
+                'user:QUBESRPC qubes.GetAppmenus dom0'], stdout=subprocess.PIPE)
         while appmenus_line_count > 0:
             line = p.stdout.readline(appmenus_line_size)
             if line == "":

From d9291ab2b474089393344568cf774f004677ecc0 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Sun, 15 Jul 2012 00:09:52 +0200
Subject: [PATCH 09/11] dom0/appmenus: Rename dir entry for ServiceVMs (#627)

---
 dom0/aux-tools/create_apps_for_appvm.sh      | 7 +++++--
 dom0/misc/qubes-servicevm.directory.template | 5 +++++
 rpm_spec/core-dom0.spec                      | 2 ++
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 dom0/misc/qubes-servicevm.directory.template

diff --git a/dom0/aux-tools/create_apps_for_appvm.sh b/dom0/aux-tools/create_apps_for_appvm.sh
index 0b6e53dd..0624162f 100755
--- a/dom0/aux-tools/create_apps_for_appvm.sh
+++ b/dom0/aux-tools/create_apps_for_appvm.sh
@@ -45,10 +45,13 @@ if [ "$SRCDIR" != "none" ]; then
     /usr/lib/qubes/convert_apptemplate2vm.sh /usr/share/qubes/qubes-appmenu-select.desktop $APPSDIR $VMNAME $VMDIR
 
     if [ "$VMTYPE" = "vm-templates" ]; then
-        /usr/lib/qubes/convert_dirtemplate2vm.sh /usr/share/qubes/qubes-templatevm.directory.template $APPSDIR/$VMNAME-vm.directory $VMNAME $VMDIR
+        DIR_TEMPLATE=/usr/share/qubes/qubes-templatevm.directory.template
+    elif [ "$VMTYPE" = "servicevms" ]; then
+        DIR_TEMPLATE=/usr/share/qubes/qubes-servicevm.directory.template
     else
-        /usr/lib/qubes/convert_dirtemplate2vm.sh /usr/share/qubes/qubes-vm.directory.template $APPSDIR/$VMNAME-vm.directory $VMNAME $VMDIR
+        DIR_TEMPLATE=/usr/share/qubes/qubes-vm.directory.template
     fi
+    /usr/lib/qubes/convert_dirtemplate2vm.sh $DIR_TEMPLATE $APPSDIR/$VMNAME-vm.directory $VMNAME $VMDIR
 fi
 
 echo "--> Adding Apps to the Menu..."
diff --git a/dom0/misc/qubes-servicevm.directory.template b/dom0/misc/qubes-servicevm.directory.template
new file mode 100644
index 00000000..74ce62f3
--- /dev/null
+++ b/dom0/misc/qubes-servicevm.directory.template
@@ -0,0 +1,5 @@
+[Desktop Entry]
+Encoding=UTF-8
+Type=Directory
+Name=ServiceVM: %VMNAME%
+Icon=%VMDIR%/icon.png
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index fe48739c..62aefa24 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -155,6 +155,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons
 cp icons/*.png $RPM_BUILD_ROOT/usr/share/qubes/icons
 cp misc/qubes-vm.directory.template $RPM_BUILD_ROOT/usr/share/qubes/
 cp misc/qubes-templatevm.directory.template $RPM_BUILD_ROOT/usr/share/qubes/
+cp misc/qubes-servicevm.directory.template $RPM_BUILD_ROOT/usr/share/qubes/
 cp misc/qubes-dispvm.directory $RPM_BUILD_ROOT/usr/share/qubes/
 cp misc/qubes-dispvm-firefox.desktop $RPM_BUILD_ROOT/usr/share/qubes/
 cp misc/qubes-appmenu-select.desktop $RPM_BUILD_ROOT/usr/share/qubes/
@@ -365,6 +366,7 @@ fi
 /usr/share/qubes/icons/*.png
 /usr/share/qubes/qubes-vm.directory.template
 /usr/share/qubes/qubes-templatevm.directory.template
+/usr/share/qubes/qubes-servicevm.directory.template
 /usr/share/qubes/qubes-dispvm.directory
 /usr/share/qubes/qubes-dispvm-firefox.desktop
 /usr/share/qubes/qubes-appmenu-select.desktop

From 0f6f445ece0ea05d41a1a20f2c5854ea61440013 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Mon, 16 Jul 2012 12:49:41 +0200
Subject: [PATCH 10/11] Revert "vm/spec: disable pam_systemd globally (#607)"
 (#626)

This reverts commit 8ec4b6963b71b95bc0cda6dd80d99bf60aa9caec.
This caused regression (#626).

Conflicts:

	rpm_spec/core-vm.spec
---
 rpm_spec/core-vm.spec | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 9509403f..7e2b0348 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -188,13 +188,6 @@ install -D u2mfn/libu2mfn.so $RPM_BUILD_ROOT/%{_libdir}/libu2mfn.so
 %triggerin -- initscripts
 cp /usr/lib/qubes/serial.conf /etc/init/serial.conf
 
-%triggerin -- systemd
-# Disable pam_systemd - we (hopefully) don't need it, but it cause some minor
-# problems (http://wiki.qubes-os.org/trac/ticket/607)
-# /etc/pam.d/common-* are automatically (re)generated by authconfig, so its
-# modification will not be persistent -> must be done this way
-mv -f /%{_lib}/security/pam_systemd.so /%{_lib}/security/pam_systemd.so.disabled 2> /dev/null || :
-
 %post
 
 # disable some Upstart services
@@ -336,7 +329,6 @@ if [ "$1" = 0 ] ; then
     mv /var/lib/qubes/fstab.orig /etc/fstab
     mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
     mv /var/lib/qubes/serial.orig /etc/init/serial.conf
-    mv /%{_lib}/security/pam_systemd.so.disabled /%{_lib}/security/pam_systemd.so
 fi
 
 %postun

From 4b92f6390a44bf81572807274f80fcc24fca00da Mon Sep 17 00:00:00 2001
From: Marek Marczykowski <marmarek@invisiblethingslab.com>
Date: Mon, 16 Jul 2012 13:31:43 +0200
Subject: [PATCH 11/11] dom0/qvm-core: ignore stderr from VM commands when not
 needed for sure (#626)

pam_systemd.so has a bug, which cause spurious '...killed' output on stderr.
---
 dom0/qvm-core/qubes.py           | 29 +++++++++++++++++++++++++----
 dom0/qvm-tools/qubes-dom0-update |  2 +-
 dom0/qvm-tools/qvm-sync-clock    |  6 +++---
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index ad35b587..25634f0c 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1286,9 +1286,14 @@ class QubesVm(object):
 
         return conf
 
-    def run(self, command, verbose = True, autostart = False, notify_function = None, passio = False, passio_popen = False, localcmd = None, wait = False, gui = True):
-        """command should be in form 'user:cmdline'"""
+    def run(self, command, verbose = True, autostart = False, notify_function = None, passio = False, passio_popen = False, passio_stderr=False, ignore_stderr=False, localcmd = None, wait = False, gui = True):
+        """command should be in form 'user:cmdline'
+            When passio_popen=True, popen object with stdout connected to pipe.
+            When additionally passio_stderr=True, stderr also is connected to pipe.
+            When ignore_stderr=True, stderr is connected to /dev/null.
+            """
 
+        null = None
         if not self.is_running():
             if not autostart:
                 raise QubesException("VM not running")
@@ -1315,12 +1320,28 @@ class QubesVm(object):
         if passio:
             os.execv(qrexec_client_path, args)
             exit(1)
+
+        call_kwargs = {}
+        if ignore_stderr:
+            null = open("/dev/null", "w")
+            call_kwargs['stderr'] = null
+
         if passio_popen:
-            p = subprocess.Popen (args, stdout=subprocess.PIPE)
+            popen_kwargs={'stdout': subprocess.PIPE}
+            if passio_stderr:
+                popen_kwargs['stderr'] = subprocess.PIPE
+            else:
+                popen_kwargs['stderr'] = call_kwargs.get('stderr', None)
+            p = subprocess.Popen (args, **popen_kwargs)
+            if null:
+                null.close()
             return p
         if not wait:
             args += ["-e"]
-        return subprocess.call(args)
+        retcode = subprocess.call(args, **call_kwargs)
+        if null:
+            null.close()
+        return retcode
 
     def attach_network(self, verbose = False, wait = True, netvm = None):
         if dry_run:
diff --git a/dom0/qvm-tools/qubes-dom0-update b/dom0/qvm-tools/qubes-dom0-update
index fc1cc62e..6a31ad22 100755
--- a/dom0/qvm-tools/qubes-dom0-update
+++ b/dom0/qvm-tools/qubes-dom0-update
@@ -75,7 +75,7 @@ echo "Checking for dom0 updates" >&2
 # Start VM if not running already
 qvm-run -a $UPDATEVM true || exit 1
 
-/usr/lib/qubes/qrexec_client -d "$UPDATEVM" -l 'tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null' 'user:tar x -C /var/lib/qubes/dom0-updates'
+/usr/lib/qubes/qrexec_client -d "$UPDATEVM" -l 'tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null' 'user:tar x -C /var/lib/qubes/dom0-updates' 2> /dev/null
 
 qvm-run --pass-io $UPDATEVM "/usr/lib/qubes/qubes_download_dom0_updates.sh --doit --nogui $ALL_OPTS"
 RETCODE=$?
diff --git a/dom0/qvm-tools/qvm-sync-clock b/dom0/qvm-tools/qvm-sync-clock
index c162aa89..8066f09c 100755
--- a/dom0/qvm-tools/qvm-sync-clock
+++ b/dom0/qvm-tools/qvm-sync-clock
@@ -64,14 +64,14 @@ def main():
 
     # Ignore retcode, try even if nm-online failed - user can setup network manually
     #  on-online has timeout 30sec by default
-    net_vm.run('user:nm-online -x', verbose=verbose, wait=True)
+    net_vm.run('user:nm-online -x', verbose=verbose, wait=True, ignore_stderr=True)
 
     # Sync clock
-    if clock_vm.run('root:QUBESRPC qubes.SyncNtpClock dom0', verbose=verbose, wait=True) != 0:
+    if clock_vm.run('root:QUBESRPC qubes.SyncNtpClock dom0', verbose=verbose, wait=True, ignore_stderr=True) != 0:
         print >> sys.stderr, 'Time sync failed, aborting!'
         sys.exit(1)
     
-    p = clock_vm.run('user:date -u', verbose=verbose, passio_popen=True)
+    p = clock_vm.run('user:date -u', verbose=verbose, passio_popen=True, ignore_stderr=True)
     date_out = p.stdout.read(100)
     date_out = date_out.strip()
     if not re.match(r'^[A-Za-z]* [A-Za-z]* [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [A-Z]* [0-9][0-9][0-9][0-9]$', date_out):