From ceeed3bd8b86f23ab3a83d2b66d58c994ba04810 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 17 Apr 2012 02:52:26 +0200 Subject: [PATCH 001/117] dom0/qvm-start: fix --no-guid switch (#528) --- dom0/qvm-core/qubes.py | 4 ++-- dom0/qvm-tools/qvm-start | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 44315a4f..8f6c7d0c 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1322,7 +1322,7 @@ class QubesVm(object): if notify_function is not None: notify_function("error", "ERROR: Cannot start the Qubes Clipboard Notifier!") - def start(self, debug_console = False, verbose = False, preparing_dvm = False): + def start(self, debug_console = False, verbose = False, preparing_dvm = False, start_guid = True): if dry_run: return @@ -1405,7 +1405,7 @@ class QubesVm(object): self.force_shutdown() raise OSError ("ERROR: Cannot execute qrexec_daemon!") - if not preparing_dvm and os.path.exists('/var/run/shm.id'): + if start_guid and not preparing_dvm and os.path.exists('/var/run/shm.id'): self.start_guid(verbose=verbose) if preparing_dvm: diff --git a/dom0/qvm-tools/qvm-start b/dom0/qvm-tools/qvm-start index 23027c03..4ee41b6f 100755 --- a/dom0/qvm-tools/qvm-start +++ b/dom0/qvm-tools/qvm-start @@ -62,7 +62,7 @@ def main(): try: vm.verify_files() - xid = vm.start(debug_console=options.debug_console, verbose=options.verbose, preparing_dvm=options.preparing_dvm) + xid = vm.start(debug_console=options.debug_console, verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid) except (IOError, OSError, QubesException) as err: print >> sys.stderr, "ERROR: {0}".format(err) exit (1) From 3d316ca2f96f156f4582cf8854d08294afb66c89 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Thu, 19 Apr 2012 01:13:26 +0200 Subject: [PATCH 002/117] dom0/core: introduce "Starting" state (#520) Represent VM which is running, but gui daemon hasn't connected yet. --- dom0/qvm-core/qubes.py | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 8f6c7d0c..b081777c 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -632,14 +632,28 @@ class QubesVm(object): elif dominfo['dying']: return "Dying" else: - return "Running" + if not self.is_fully_usable(): + return "Starting" + else: + return "Running" else: return 'Halted' return "NA" + def is_fully_usable(self): + xid = self.get_xid() + if xid < 0: + return False + if not os.path.exists('/var/run/qubes/guid_running.%d' % xid): + return False + # currently qrexec daemon doesn't cleanup socket in /var/run/qubes, so + # it can be left from some other VM + return True + def is_running(self): - if self.get_power_state() == "Running": + # in terms of Xen and internal logic - starting VM is running + if self.get_power_state() in ["Running", "Starting"]: return True else: return False From a6d38480c6f5c430e6dc29177c1e7f84e391913f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 19 Apr 2012 14:43:05 +0200 Subject: [PATCH 003/117] dom0/core: do not write netvm_domid for halted VMs --- dom0/qvm-core/qubes.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index b081777c..a0d49568 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py 
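Review bot: The comment in the new `is_fully_usable` about the qrexec daemon not cleaning up its socket describes a check the function does not perform; it only tests the `guid_running.<xid>` marker, so the comment should be dropped or rewritten as `# only the gui daemon marker is checked; the qrexec socket in /var/run/qubes is deliberately not used because it can be left over from another VM`. Since that marker is presumably written by the gui daemon, a VM started with the `start_guid=False` switch added in the previous patch would never leave the "Starting" state — worth a comment or a separate "guid not wanted" condition. `is_running` can also be reduced to `return self.get_power_state() in ["Running", "Starting"]`. The enclosing class continues outside the hunk.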
@@ -1881,11 +1881,17 @@ class QubesProxyVm(QubesNetVm): self.write_iptables_xenstore_entry() def write_netvm_domid_entry(self, xid = -1): + if not self.is_running(): + return + if xid < 0: xid = self.get_xid() - xs.write('', "/local/domain/{0}/qubes_netvm_domid".format(xid), - "{0}".format(self.netvm.get_xid())) + if self.netvm is None: + xs.write('', "/local/domain/{0}/qubes_netvm_domid".format(xid), '') + else: + xs.write('', "/local/domain/{0}/qubes_netvm_domid".format(xid), + "{0}".format(self.netvm.get_xid())) def write_iptables_xenstore_entry(self): xs.rm('', "/local/domain/{0}/qubes_iptables_domainrules".format(self.get_xid())) From 665363fa33053b577d535f8c6b6cce823344eacc Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 20 Apr 2012 02:52:05 +0200 Subject: [PATCH 004/117] dom0/backup-restore: restore all attributes --- dom0/qvm-core/qubesutils.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py index 09f63401..1fe573bb 100644 --- a/dom0/qvm-core/qubesutils.py +++ b/dom0/qvm-core/qubesutils.py @@ -834,6 +834,12 @@ def backup_restore_prepare(backup_dir, options = {}, host_collection = None): else: netvm_name = vm.netvm.name vms_to_restore[vm.name]['netvm'] = netvm_name + # Set to None to not confuse QubesVm object from backup + # collection with host collection (further in clone_attrs). Set + # directly _netvm to suppress setter action, especially + # modifying firewall + vm._netvm = None + netvm_on_host = host_collection.get_vm_by_name (netvm_name) # No netvm on the host? @@ -1037,6 +1043,12 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca host_collection.pop(new_vm.qid) continue + try: + new_vm.clone_attrs(vm) + except Exception as err: + error_callback("ERROR: {0}".format(err)) + error_callback("*** Some VM property will not be restored") + try: new_vm.create_appmenus(verbose=True) except Exception as err: 
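Review bot: Both branches of the new `if self.netvm is None` in `write_netvm_domid_entry` build the same xenstore path and differ only in the value, so `path = "/local/domain/{0}/qubes_netvm_domid".format(xid)` followed by `xs.write('', path, '' if self.netvm is None else "{0}".format(self.netvm.get_xid()))` says the same thing without the duplication. When `self.netvm` is set but not running, `self.netvm.get_xid()` presumably returns a negative xid (the `xid < 0` convention used elsewhere in this series) and that value is written to xenstore as-is; a comment stating whether the consumer on the other side tolerates it would help. The new early return is silent; `# nothing to write for a halted VM, the entry is created at start` would document the intent.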
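Review bot: The `try: new_vm.clone_attrs(vm)` block with its two `error_callback` lines is pasted verbatim three times in `backup_restore_do` (this hunk and the ones at `@@ -1096` and `@@ -1150`); a small helper such as `_restore_attrs(new_vm, vm, error_callback)` would keep the message and the handling in one place. `except Exception` also swallows programming errors inside `clone_attrs` and reports them only as "Some VM property will not be restored" without naming which property failed; narrowing the exception, or at least including the property name in the message, would make a partial restore diagnosable. The function continues outside the hunk.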
@@ -1096,6 +1108,12 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca new_vm.uses_default_netvm = False new_vm.netvm = netvm + try: + new_vm.clone_attrs(vm) + except Exception as err: + error_callback("ERROR: {0}".format(err)) + error_callback("*** Some VM property will not be restored") + try: new_vm.verify_files() except Exception as err: @@ -1150,6 +1168,12 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca new_vm.uses_default_netvm = False new_vm.netvm = netvm + try: + new_vm.clone_attrs(vm) + except Exception as err: + error_callback("ERROR: {0}".format(err)) + error_callback("*** Some VM property will not be restored") + try: new_vm.create_appmenus(verbose=True) except Exception as err: From aaa07f455959f50016b36a41d4c71324c68a821e Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 20 Apr 2012 02:56:09 +0200 Subject: [PATCH 005/117] dom0/backup-restore: display netvm of proxyvm --- dom0/qvm-core/qubesutils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py index 1fe573bb..1483fbfc 100644 --- a/dom0/qvm-core/qubesutils.py +++ b/dom0/qvm-core/qubesutils.py @@ -899,7 +899,7 @@ def backup_restore_print_summary(restore_info, print_callback = print_stdout): "template": {"func": "'n/a' if vm.is_template() or vm.template is None else\ vm_info['template']"}, - "netvm": {"func": "'n/a' if vm.is_netvm() else\ + "netvm": {"func": "'n/a' if vm.is_netvm() and not vm.is_proxyvm() else\ ('*' if vm.uses_default_netvm else '') +\ vm_info['netvm'] if vm.netvm is not None else '-'"}, From 798e3d8c96ba03f27f18438cda6c4051a1f03fd8 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Fri, 20 Apr 2012 02:56:46 +0200 Subject: [PATCH 006/117] dom0/backup-restore: set network dependencies when all VMs are restored To avoid complex restore order resolution. --- dom0/qvm-core/qubesutils.py | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py index 1483fbfc..c800f58c 100644 --- a/dom0/qvm-core/qubesutils.py +++ b/dom0/qvm-core/qubesutils.py @@ -1077,12 +1077,6 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca template_name = vm_info['template'] template = host_collection.get_vm_by_name(template_name) - if not vm.uses_default_netvm: - uses_default_netvm = False - netvm = host_collection.get_vm_by_name (vm_info['netvm']) if vm_info['netvm'] is not None else None - else: - uses_default_netvm = True - new_vm = None try: restore_vm_dir (backup_dir, vm.dir_path, qubes_servicevms_dir); @@ -1104,10 +1098,6 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca host_collection.pop(new_vm.qid) continue - if vm.is_proxyvm() and not uses_default_netvm: - new_vm.uses_default_netvm = False - new_vm.netvm = netvm - try: new_vm.clone_attrs(vm) except Exception as err: @@ -1144,12 +1134,6 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca template_name = vm_info['template'] template = host_collection.get_vm_by_name(template_name) - if not vm.uses_default_netvm: - uses_default_netvm = False - netvm = host_collection.get_vm_by_name (vm_info['netvm']) if vm_info['netvm'] is not None else None - else: - uses_default_netvm = True - new_vm = None try: restore_vm_dir (backup_dir, vm.dir_path, qubes_appvms_dir); 
@@ -1164,10 +1148,6 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca host_collection.pop(new_vm.qid) continue - if not uses_default_netvm: - new_vm.uses_default_netvm = False - new_vm.netvm = netvm - try: new_vm.clone_attrs(vm) except Exception as err: @@ -1188,6 +1168,21 @@ def backup_restore_do(backup_dir, restore_info, host_collection = None, print_ca host_collection.pop(new_vm.qid) continue + # Set network dependencies - only non-default netvm setting + for vm_info in restore_info.values(): + if not vm_info['good-to-go']: + continue + if 'vm' not in vm_info: + continue + vm = vm_info['vm'] + host_vm = host_collection.get_vm_by_name(vm.name) + if host_vm is None: + # Failed/skipped VM + continue + + if not vm.uses_default_netvm: + host_vm.netvm = host_collection.get_vm_by_name (vm_info['netvm']) if vm_info['netvm'] is not None else None + host_collection.save() if lock_obtained: host_collection.unlock_db() From 0633e35fa69d327e6ea71d2c739a03a9ce9f0fd9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 20 Apr 2012 03:12:06 +0200 Subject: [PATCH 007/117] dom0/core: include pcidevs and include_in_backups in cloned attrs Preserve it in qvm-clone and backup-restore --- dom0/qvm-core/qubes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index a0d49568..b0e8b66f 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1000,7 +1000,7 @@ class QubesVm(object): def get_clone_attrs(self): return ['kernel', 'uses_default_kernel', 'netvm', 'uses_default_netvm', \ 'memory', 'maxmem', 'kernelopts', 'uses_default_kernelopts', 'services', 'vcpus', \ - '_mac'] + '_mac', 'pcidevs', 'include_in_backups'] def clone_attrs(self, src_vm): for prop in self.get_clone_attrs(): From 28666c47f518631c6cbd55a544cc609293832a16 Mon Sep 17 00:00:00 2001 
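Review bot: In the new dependency loop, `host_collection.get_vm_by_name (vm_info['netvm'])` can return None when the named netvm was not restored or does not exist on the host (the same way `host_vm` is tested for None two lines above), and the VM then silently ends up with `netvm = None`, i.e. no network; reporting that through `error_callback` before the assignment would match how the rest of this function reports problems. A one-line comment such as `# netvms are assigned after all VMs exist so restore order does not matter` would also record why this moved out of the per-VM loops. The function continues outside the hunk.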
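Review bot: Adding `'pcidevs'` to `get_clone_attrs` means `clone_attrs` (its body is outside the hunk) now copies a list-valued attribute; if it does a plain `setattr`, source and clone share one list object and a later `append` on either VM's `pcidevs` changes both. Copying it, e.g. `list(src_vm.pcidevs)`, or noting in `clone_attrs` that attributes are copied by reference, would avoid that surprise. `_mac` stays in the list, so a clone inherits an explicitly set MAC — presumably intended for backup restore, but a short comment in `get_clone_attrs` saying so would help.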
From: Marek Marczykowski Date: Fri, 24 Feb 2012 04:22:14 +0100 Subject: [PATCH 008/117] dom0/core: check if object has attr before using it --- dom0/qvm-core/qubes.py | 15 +++++++++------ dom0/qvm-tools/qvm-prefs | 34 ++++++++++++++++++++++------------ 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index b0e8b66f..cbc8acd1 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -856,7 +856,8 @@ class QubesVm(object): def get_config_params(self, source_template=None): args = {} args['name'] = self.name - args['kerneldir'] = self.kernels_dir + if hasattr(self, 'kernels_dir'): + args['kerneldir'] = self.kernels_dir args['vmdir'] = self.dir_path args['pcidev'] = str(self.pcidevs).strip('[]') args['mem'] = str(self.memory) @@ -883,11 +884,13 @@ class QubesVm(object): args['rootdev'] = self.get_rootdev(source_template=source_template) args['privatedev'] = "'script:file:{dir}/private.img,xvdb,w',".format(dir=self.dir_path) args['volatiledev'] = "'script:file:{dir}/volatile.img,xvdc,w',".format(dir=self.dir_path) - modulesmode='r' - if self.updateable and self.kernel is None: - modulesmode='w' - args['otherdevs'] = "'script:file:{dir}/modules.img,xvdd,{mode}',".format(dir=self.kernels_dir, mode=modulesmode) - args['kernelopts'] = self.kernelopts + if hasattr(self, 'kernel'): + modulesmode='r' + if self.updateable and self.kernel is None: + modulesmode='w' + args['otherdevs'] = "'script:file:{dir}/modules.img,xvdd,{mode}',".format(dir=self.kernels_dir, mode=modulesmode) + if hasattr(self, 'kernelopts'): + args['kernelopts'] = self.kernelopts return args diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 75463e22..c99148ec 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs 
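Review bot: `hasattr(self, 'kernel')` now guards the `otherdevs` entry, but that entry also formats `self.kernels_dir`, which the first hunk of this file treats as optional with its own `hasattr(self, 'kernels_dir')` check; a VM type that has `kernel` but no `kernels_dir` would still raise AttributeError here. Guarding the `otherdevs` line on both names, `if hasattr(self, 'kernel') and hasattr(self, 'kernels_dir'):`, keeps the two checks consistent. Probing capabilities with `hasattr` spreads type knowledge across callers; a comment naming which VM classes lack these attributes would help the next reader. `get_config_params` continues outside the hunk.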
@@ -53,21 +53,26 @@ def do_list(vm): print fmt.format ("root COW img", vm.rootcow_img) if vm.template is not None: print fmt.format ("root img", vm.template.root_img) - print fmt.format ("root volatile img", vm.volatile_img) + if hasattr(vm, 'volatile_img'): + print fmt.format ("root volatile img", vm.volatile_img) - print fmt.format ("private img", vm.private_img) + if hasattr(vm, 'private_img'): + print fmt.format ("private img", vm.private_img) print fmt.format ("vcpus", str(vm.vcpus)) print fmt.format ("memory", vm.memory) - print fmt.format ("maxmem", vm.maxmem) + if hasattr(vm, 'maxmem'): + print fmt.format ("maxmem", vm.maxmem) print fmt.format ("MAC", "%s%s" % (vm.mac, " (auto)" if vm._mac is None else "")) - if vm.uses_default_kernel: - print fmt.format ("kernel", "%s (default)" % vm.kernel) - else: - print fmt.format ("kernel", vm.kernel) - if vm.uses_default_kernelopts: - print fmt.format ("kernelopts", "%s (default)" % vm.kernelopts) - else: - print fmt.format ("kernelopts", vm.kernelopts) + if hasattr(vm, 'kernel'): + if vm.uses_default_kernel: + print fmt.format ("kernel", "%s (default)" % vm.kernel) + else: + print fmt.format ("kernel", vm.kernel) + if hasattr(vm, 'kernelopts'): + if vm.uses_default_kernelopts: + print fmt.format ("kernelopts", "%s (default)" % vm.kernelopts) + else: + print fmt.format ("kernelopts", vm.kernelopts) def set_label(vms, vm, args): if len (args) != 1: @@ -293,6 +298,10 @@ def do_set(vms, vm, property, args): print >> sys.stderr, "ERROR: Wrong property name: '{0}'".format(property) return False + if not hasattr(vm, property): + print >> sys.stderr, "ERROR: Property '{0}' not available for this VM".format(property) + return False + return properties[property](vms, vm, args) 
@@ -337,7 +346,8 @@ def main():
print >> sys.stderr, "You must specify the property you wish to set..."
print >> sys.stderr, "Available properties:"
for p in properties.keys():
- print >> sys.stderr, "--> '{0}'".format(p)
+ if hasattr(vm, p):
+ print >> sys.stderr, "--> '{0}'".format(p)
exit (1)
property = args[1]
From d7b80fe3d48267cdff6120615c2e5c2d28f0c269 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 20 Apr 2012 14:47:55 +0200
Subject: [PATCH 009/117] dom0/core: parse memory and maxmem as int
---
dom0/qvm-core/qubes.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index cbc8acd1..e6c62488 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -233,8 +233,8 @@ class QubesVm(object):
"uses_default_netvm": { "default": True, 'order': 20 },
"netvm": { "default": None, "attr": "_netvm", 'order': 20 },
"label": { "attr": "_label", "default": QubesVmLabels["red"], 'order': 20 },
- "memory": { "default": default_memory, 'order': 20 },
- "maxmem": { "default": None, 'order': 25 },
+ "memory": { "default": default_memory, 'order': 20, "eval": "int(value)" },
+ "maxmem": { "default": None, 'order': 25, "eval": "int(value) if value eles None" },
"pcidevs": { "default": '[]', 'order': 25, "eval": \
'[] if value in ["none", None] else eval(value) if value.find("[") >= 0 else eval("[" + value + "]")' },
# Internal VM (not shown in qubes-manager, doesn't create appmenus entries
From 9d3c008ecb73736dc23d91cd61b00c1befbf2e2c Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 20 Apr 2012 15:39:13 +0200
Subject: [PATCH 010/117] dom0/core: fix memory parse fix
---
dom0/qvm-core/qubes.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index e6c62488..509117e0 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -234,7 +234,7 @@ class QubesVm(object):
"netvm": { "default": None, "attr": "_netvm", 'order': 20 },
"label": { "attr": "_label", "default": QubesVmLabels["red"], 'order': 20 },
"memory": { "default": default_memory, 'order': 20, "eval": "int(value)" },
- "maxmem": { "default": None, 'order': 25, "eval": "int(value) if value eles None" },
+ "maxmem": { "default": None, 'order': 25, "eval": "int(value) if value else None" },
"pcidevs": { "default": '[]', 'order': 25, "eval": \
'[] if value in ["none", None] else eval(value) if value.find("[") >= 0 else eval("[" + value + "]")' },
# Internal VM (not shown in qubes-manager, doesn't create appmenus entries
From 1076e09dc09d072bc08ddfdd03366421e42114e3 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 20 Apr 2012 13:49:33 +0200
Subject: [PATCH 011/117] dom0/core: rename "Starting" start to "Transient"
This state can also appear at VM shutdown.
---
dom0/qvm-core/qubes.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 509117e0..f38829bb 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -633,7 +633,7 @@ class QubesVm(object):
return "Dying"
else:
if not self.is_fully_usable():
- return "Starting"
+ return "Transient"
else:
return "Running"
else:
@@ -653,7 +653,7 @@ class QubesVm(object):
def is_running(self):
# in terms of Xen and internal logic - starting VM is running
- if self.get_power_state() in ["Running", "Starting"]:
+ if self.get_power_state() in ["Running", "Transient"]:
return True
else:
return False
From bb301844527b9d1bfb6d64df962efe6cf6e42b8e Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 23 Apr 2012 12:15:50 +0200
Subject: [PATCH 012/117] dom0/qvm-prefs: typo fix
---
dom0/qvm-tools/qvm-prefs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index c99148ec..c09ca194 100755
--- a/dom0/qvm-tools/qvm-prefs
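Review bot: `int(value) if value else None` handles an empty or missing value but not the text `"None"`; the save rule visible later in this file (`attrs[prop]['save'] = 'str(self.%s)' % prop`, whose property list includes `maxmem`) suggests a `None` maxmem is persisted as the string "None", in which case reloading it raises ValueError from `int("None")`. If so, `int(value) if value not in (None, "None", "") else None` mirrors the `"none"` handling already used for `pcidevs` one line below. A short comment listing the accepted textual forms would make these one-line eval strings less surprising to the next reader.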
+++ b/dom0/qvm-tools/qvm-prefs
@@ -122,7 +122,7 @@ def set_maxmem(vms, vm, args):
return False
if new_maxmem < vm.memory:
- print >> sys.stderr, "WARNING: new maxmem smaller than memory property - VM will be able to use only 'maxmem' memory amount".
+ print >> sys.stderr, "WARNING: new maxmem smaller than memory property - VM will be able to use only 'maxmem' memory amount"
vm.maxmem = new_maxmem
From aa99c411db89c98dcc22a664753b6b63efd53d3d Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 23 Apr 2012 12:17:28 +0200
Subject: [PATCH 013/117] dom0/qvm-prefs: remove duplicated set_include_in_backups
---
dom0/qvm-tools/qvm-prefs | 8 --------
1 file changed, 8 deletions(-)
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index c09ca194..70a24738 100755
--- a/dom0/qvm-tools/qvm-prefs
+++ b/dom0/qvm-tools/qvm-prefs
@@ -269,14 +269,6 @@ def set_name(vms, vm, args):
return True
-def set_include_in_backups(vms, vm, args):
- if len (args) != 1:
- print >> sys.stderr, "Missing value (True/False)!"
- return False
-
- vm.include_in_backups = bool(eval(args[0].capitalize()))
- return True
-
properties = {
"include_in_backups": set_include_in_backups,
"pcidevs": set_pcidevs,
From 073cce723f8c046d926a86a470eb556bbbb77fe8 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 23 Apr 2012 12:18:44 +0200
Subject: [PATCH 014/117] dom0/qvm-start: remove obsolete --console switch
---
dom0/qvm-tools/qvm-start | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/dom0/qvm-tools/qvm-start b/dom0/qvm-tools/qvm-start
index 4ee41b6f..0ae844e3 100755
--- a/dom0/qvm-tools/qvm-start
+++ b/dom0/qvm-tools/qvm-start
@@ -35,8 +35,12 @@ def main(): parser.add_option ("-q", "--quiet", action="store_false", dest="verbose", default=True) parser.add_option ("--no-guid", action="store_true", dest="noguid", default=False, help="Do not start the GUId (ignored)") - parser.add_option ("--console", action="store_true", dest="debug_console", default=False, - help="Attach debugging console to the newly started VM") + parser.add_option ("--drive", dest="drive", default=None, + help="Temporarily attach specified drive as CD/DVD or hard disk (can be specified with prefix 'hd:' or 'cdrom:', default is cdrom)") + parser.add_option ("--hddisk", dest="drive_hd", default=None, + help="Temporarily attach specified drive as hard disk") + parser.add_option ("--cdrom", dest="drive_cdrom", default=None, + help="Temporarily attach specified drive as CD/DVD") parser.add_option ("--dvm", action="store_true", dest="preparing_dvm", default=False, help="Do actions necessary when preparing DVM image") parser.add_option ("--custom-config", action="store", dest="custom_config", default=None, @@ -62,7 +66,7 @@ def main(): try: vm.verify_files() - xid = vm.start(debug_console=options.debug_console, verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid) + xid = vm.start(verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid) except (IOError, OSError, QubesException) as err: print >> sys.stderr, "ERROR: {0}".format(err) exit (1) From e73b13c68d595198e2cd75c300050d3525c29091 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 23 Apr 2012 12:19:54 +0200 Subject: [PATCH 015/117] dom0/core: add 'debug' VM property (#537) --- dom0/qvm-core/qubes.py | 16 +++++++++++++--- dom0/qvm-tools/qvm-prefs | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index f38829bb..6b98a41a 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py 
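Review bot: The three new options `--drive`, `--hddisk` and `--cdrom` are parsed but nothing in this hunk or in the updated `vm.start(...)` call reads `options.drive`, `options.drive_hd` or `options.drive_cdrom`, so as of this commit they are accepted and silently ignored; either pass them through or hold them back until the attach code lands. The `--no-guid` help text in the same option block still reads `"Do not start the GUId (ignored)"` although patch 001 of this series made it effective via `start_guid=not options.noguid`; `help="Do not start the GUId"` would be accurate. `main` continues outside the hunk.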
@@ -248,6 +248,7 @@ class QubesVm(object): "mac": { "attr": "_mac", "default": None }, "include_in_backups": { "default": True }, "services": { "default": {}, "eval": "eval(str(value))" }, + "debug": { "default": False }, ##### Internal attributes - will be overriden in __init__ regardless of args "appmenus_templates_dir": { "eval": \ 'self.dir_path + "/" + default_appmenus_templates_subdir if self.updateable else ' + \ @@ -264,7 +265,7 @@ class QubesVm(object): for prop in ['qid', 'name', 'dir_path', 'memory', 'maxmem', 'pcidevs', 'vcpus', 'internal',\ 'uses_default_kernel', 'kernel', 'uses_default_kernelopts',\ 'kernelopts', 'services', 'installed_by_rpm',\ - 'uses_default_netvm', 'include_in_backups' ]: + 'uses_default_netvm', 'include_in_backups', 'debug' ]: attrs[prop]['save'] = 'str(self.%s)' % prop # Simple paths for prop in ['conf_file', 'root_img', 'volatile_img', 'private_img']: @@ -891,6 +892,9 @@ class QubesVm(object): args['otherdevs'] = "'script:file:{dir}/modules.img,xvdd,{mode}',".format(dir=self.kernels_dir, mode=modulesmode) if hasattr(self, 'kernelopts'): args['kernelopts'] = self.kernelopts + if self.debug: + print >> sys.stderr, "--> Debug mode: adding 'earlyprintk=xen' to kernel opts" + args['kernelopts'] += ' earlyprintk=xen' return args @@ -1324,7 +1328,10 @@ class QubesVm(object): print >> sys.stderr, "--> Starting Qubes GUId..." xid = self.get_xid() - retcode = subprocess.call ([qubes_guid_path, "-d", str(xid), "-c", self.label.color, "-i", self.label.icon, "-l", str(self.label.index)]) + guid_cmd = [qubes_guid_path, "-d", str(xid), "-c", self.label.color, "-i", self.label.icon, "-l", str(self.label.index)] + if self.debug: + guid_cmd += ['-v', '-v'] + retcode = subprocess.call (guid_cmd) if (retcode != 0) : raise QubesException("Cannot start qubes_guid!") 
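Review bot: `args['kernelopts'] += ' earlyprintk=xen'` runs whenever `self.debug` is set, but `args['kernelopts']` is only created under the preceding `hasattr(self, 'kernelopts')` guard, so a VM without `kernelopts` and `debug` on raises KeyError here; nesting the `if self.debug:` block inside that guard fixes it. Printing to stderr from a config-building method is a side effect callers of `get_config_params` may not expect; leaving the message to the caller, or gating it on a verbose flag, would be cleaner. The `@@ -1324` hunk uses the same `self.debug` flag without this problem. `get_config_params` continues outside the hunk.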
@@ -2487,7 +2494,7 @@ class QubesVmCollection(dict): "installed_by_rpm", "internal", "uses_default_netvm", "label", "memory", "vcpus", "pcidevs", "maxmem", "kernel", "uses_default_kernel", "kernelopts", "uses_default_kernelopts", - "mac", "services", "include_in_backups" ) + "mac", "services", "include_in_backups", "debug" ) for attribute in common_attr_list: kwargs[attribute] = element.get(attribute) @@ -2545,6 +2552,9 @@ class QubesVmCollection(dict): kwargs.pop("kernelopts") kwargs["uses_default_kernelopts"] = True + if "debug" in kwargs: + kwargs["debug"] = True if kwargs["debug"] == "True" else False + return kwargs def set_netvm_dependency(self, element): diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 70a24738..d19a93a5 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs @@ -73,6 +73,8 @@ def do_list(vm): print fmt.format ("kernelopts", "%s (default)" % vm.kernelopts) else: print fmt.format ("kernelopts", vm.kernelopts) + if hasattr(vm, 'debug'): + print fmt.format("debug", "on" if vm.debug else "off") def set_label(vms, vm, args): if len (args) != 1: @@ -269,6 +271,19 @@ def set_name(vms, vm, args): return True +def set_debug(vms, vm, args): + if len (args) != 1: + print >> sys.stderr, "Missing value (True/False or on/off)!" + return False + + if args[0].lower() == "on": + vm.debug = True + elif args[0].lower() == "off": + vm.debug = False + else: + vm.debug = bool(eval(args[0].capitalize())) + return True + properties = { "include_in_backups": set_include_in_backups, "pcidevs": set_pcidevs, @@ -282,6 +297,7 @@ properties = { "kernelopts": set_kernelopts, "name": set_name, "mac": set_mac, + "debug": set_debug, } From 865ea14473dcc382aa256533b8cc516fce4e1d76 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 23 Apr 2012 12:38:55 +0200 Subject: [PATCH 016/117] dom0/qvm-start: allow temporally enable debug mode (#537) --- dom0/qvm-tools/qvm-start | 11 +++++++++++ 1 file changed, 11 insertions(+) 
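Review bot: `kwargs["debug"] = True if kwargs["debug"] == "True" else False` in the `@@ -2545` hunk wraps a boolean comparison in a redundant conditional; `kwargs["debug"] = kwargs["debug"] == "True"` reads the same. Because `element.get("debug")` (visible as context above) yields None for an absent attribute and the key is then present in `kwargs`, the `if "debug" in kwargs` guard is presumably always true for VMs loaded from XML — a comment saying the check exists for callers that build `kwargs` another way would help. The enclosing method continues outside the hunk.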
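Review bot: `vm.debug = bool(eval(args[0].capitalize()))` in the new `set_debug` evaluates whatever was typed on the command line, so anything other than True/False either raises or yields some arbitrary expression's truth value instead of the usage error the `on`/`off` branches give; an explicit lookup, `value = {"true": True, "false": False, "on": True, "off": False}.get(args[0].lower())` followed by the existing error path when `value is None`, covers every accepted spelling without `eval`. The same `bool(eval(...))` idiom is reinstated for `set_include_in_backups` by patch 022 later in this series and deserves the same treatment.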
diff --git a/dom0/qvm-tools/qvm-start b/dom0/qvm-tools/qvm-start index 0ae844e3..66c0edb6 100755 --- a/dom0/qvm-tools/qvm-start +++ b/dom0/qvm-tools/qvm-start @@ -45,6 +45,8 @@ def main(): help="Do actions necessary when preparing DVM image") parser.add_option ("--custom-config", action="store", dest="custom_config", default=None, help="Use custom Xen config instead of Qubes-generated one") + parser.add_option ("--debug", action="store_true", dest="debug", default=False, + help="Enable debug mode for this VM (until its shutdown)") (options, args) = parser.parse_args () if (len (args) != 1): @@ -64,6 +66,9 @@ def main(): if options.custom_config: vm.conf_file = options.custom_config + if options.debug: + vm.debug = True + try: vm.verify_files() xid = vm.start(verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid) @@ -71,4 +76,10 @@ def main(): print >> sys.stderr, "ERROR: {0}".format(err) exit (1) + if options.debug: + print >> sys.stderr, "--> Debug mode enabled. Useful logs: " + print >> sys.stderr, " /var/log/xen/console/guest-%s.log" % vmname + print >> sys.stderr, " /var/log/qubes/guid.%d.log" % xid + print >> sys.stderr, " /var/log/qubes/qrexec.%d.log" % xid + main() From c35e655d663cb5333024c8358b1fc594ffe711ca Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 23 Apr 2012 22:01:13 +0200 Subject: [PATCH 017/117] dom0/qvm-prefs: relax memory check Allow memory > maxmem, anyway it will be enforced at VM boot. This allows to set memory and maxmem in any order. Also required to increase memory for HVM. --- dom0/qvm-tools/qvm-prefs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index d19a93a5..1b183742 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs 
@@ -101,8 +101,9 @@ def set_memory(vms, vm, args):
print >>sys.stderr, "Memory size must be positive"
return False
- if new_memory > vm.maxmem:
- print >>sys.stderr, "Memory size must be less or equal to maxmem"
+ qubes_host = QubesHost()
+ if new_memory > qubes_host.memory_total/1024:
+ print >> sys.stderr, "This host has only {0} MB of RAM".format(qubes_host.memory_total/1024)
return False
vm.memory = new_memory
From d2ef0be450813a9745d63e5ed4afbd3fd544dfad Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 23 Apr 2012 23:26:40 +0200
Subject: [PATCH 018/117] dom0/core: setup xen logs permissions (#539)
---
dom0/init.d/qubes_core | 3 +++
1 file changed, 3 insertions(+)
diff --git a/dom0/init.d/qubes_core b/dom0/init.d/qubes_core
index a3974289..dbcadccc 100755
--- a/dom0/init.d/qubes_core
+++ b/dom0/init.d/qubes_core
@@ -36,6 +36,9 @@ start()
touch /var/run/qubes/xl-lock
chgrp qubes /var/run/qubes/xl-lock
chmod 660 /var/run/qubes/xl-lock
+ chgrp -R qubes /var/log/xen
+ chmod -R g+rX /var/log/xen
+ chmod g+s /var/log/xen/console
mkdir -p /var/run/xen-hotplug
xenstore-write /local/domain/0/name dom0
From c5cc6620d39f8aa3529e51b11c787d0f69ef492f Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Tue, 24 Apr 2012 01:38:02 +0200
Subject: [PATCH 019/117] dom0/core: include VM name in "insufficient memory" message (#534)
---
dom0/qvm-core/qubes.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 6b98a41a..7d0c9502 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1374,7 +1374,7 @@ class QubesVm(object):
qmemman_client = QMemmanClient()
if not qmemman_client.request_memory(mem_required):
qmemman_client.close()
- raise MemoryError ("ERROR: insufficient memory to start this VM")
+ raise MemoryError ("ERROR: insufficient memory to start VM '%s'" % self.name)
# Bind pci devices to pciback driver
for pci in self.pcidevs:
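Review bot: `chmod -R g+rX /var/log/xen` gives the `qubes` group read access to every existing Xen log, including each guest's console output, which is the stated purpose (#539) but also means any member of that group in dom0 can read the serial console of every VM; a one-line comment recording that this exposure is accepted would help whoever revisits these permissions. `chmod g+s /var/log/xen/console` only makes newly created files inherit the group, not the group-read bit, so logs created after boot stay group-readable only if the writing daemon's umask allows it — if it does not, they become readable again only at the next `start`. None of the three commands is checked, so if this script runs under `set -e` a missing `/var/log/xen/console` would abort `start` here; `start()` continues outside the hunk.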
From 9927244670ef809d4f9873c1ccb73f24107c5a00 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 24 Apr 2012 01:40:56 +0200 Subject: [PATCH 020/117] dom0/qvm-tools: add GUI (tray balloon) error reporing to qvm-start and extend it in qvm-run (#534) --- dom0/qvm-tools/qvm-run | 2 ++ dom0/qvm-tools/qvm-start | 22 ++++++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-tools/qvm-run b/dom0/qvm-tools/qvm-run index db5ad720..84f7e099 100755 --- a/dom0/qvm-tools/qvm-run +++ b/dom0/qvm-tools/qvm-run @@ -87,6 +87,8 @@ def vm_run_cmd(vm, cmd, options): notify_function = tray_notify_generic if options.tray else None, passio = options.passio, localcmd = options.localcmd) except QubesException as err: + if options.tray: + tray_notify_error(str(err)) print >> sys.stderr, "ERROR: %s" % str(err) exit(1) diff --git a/dom0/qvm-tools/qvm-start b/dom0/qvm-tools/qvm-start index 66c0edb6..7ac573e0 100755 --- a/dom0/qvm-tools/qvm-start +++ b/dom0/qvm-tools/qvm-start 
@@ -26,13 +26,24 @@ from optparse import OptionParser import subprocess import os import sys +import dbus qubes_guid_path = "/usr/bin/qubes_guid" +notify_object = None + +def tray_notify(str, label, timeout = 3000): + notify_object.Notify("Qubes", 0, label.icon, "Qubes", str, [], [], timeout, dbus_interface="org.freedesktop.Notifications") + +def tray_notify_error(str, timeout = 3000): + notify_object.Notify("Qubes", 0, "dialog-error", "Qubes", str, [], [], timeout, dbus_interface="org.freedesktop.Notifications") + def main(): usage = "usage: %prog [options] " parser = OptionParser (usage) parser.add_option ("-q", "--quiet", action="store_false", dest="verbose", default=True) + parser.add_option ("--tray", action="store_true", dest="tray", default=False, + help="Use tray notifications instead of stdout" ) parser.add_option ("--no-guid", action="store_true", dest="noguid", default=False, help="Do not start the GUId (ignored)") parser.add_option ("--drive", dest="drive", default=None, @@ -53,6 +64,10 @@ def main(): parser.error ("You must specify VM name!") vmname = args[0] + if options.tray: + global notify_object + notify_object = dbus.SessionBus().get_object("org.freedesktop.Notifications", "/org/freedesktop/Notifications") + qvm_collection = QubesVmCollection() qvm_collection.lock_db_for_reading() qvm_collection.load() @@ -72,8 +87,11 @@ def main(): try: vm.verify_files() xid = vm.start(verbose=options.verbose, preparing_dvm=options.preparing_dvm, start_guid=not options.noguid) - except (IOError, OSError, QubesException) as err: - print >> sys.stderr, "ERROR: {0}".format(err) + except (IOError, OSError, QubesException, MemoryError) as err: + if options.tray: + tray_notify_error(str(err)) + else: + print >> sys.stderr, "ERROR: {0}".format(err) exit (1) if options.debug: From 804dc973ed37b3bd82a9bc1f78d7a5ec86e30b58 Mon Sep 17 00:00:00 2001 
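Review bot: The parameter named `str` in the new `tray_notify` and `tray_notify_error` shadows the builtin, so `str(err)` cannot be used inside those functions and a reader has to check which `str` is meant; rename it, e.g. `def tray_notify_error(msg, timeout = 3000):`. The `--no-guid` option's help in the first hunk still says "(ignored)" although the call in the third hunk forwards `start_guid=not options.noguid`; update it to `help="Do not start the GUId"`. Catching the builtin `MemoryError` in the third hunk also captures a genuine interpreter allocation failure, not only the one qubes.py raises for insufficient VM memory; that is probably acceptable here but worth a one-line comment so nobody "fixes" it later. main() continues outside the hunk.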
From: Marek Marczykowski Date: Tue, 24 Apr 2012 02:08:49 +0200 Subject: [PATCH 021/117] dom0/qvm-firewall: clarify message (#24 pro) --- dom0/qvm-tools/qvm-firewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-tools/qvm-firewall b/dom0/qvm-tools/qvm-firewall index 301c6a0c..f85bc6ff 100755 --- a/dom0/qvm-tools/qvm-firewall +++ b/dom0/qvm-tools/qvm-firewall @@ -300,7 +300,7 @@ def main(): if not options.numeric: load_services() if not vm.has_firewall(): - print "INFO: This VM has no firewall set, below defaults are listed" + print "INFO: This VM has no firewall rules set, below defaults are listed" display_firewall(conf) if changed: From a96f6a1e81c550aff3fed1793e3ab34fddd6bd1b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 24 Apr 2012 14:01:22 +0200 Subject: [PATCH 022/117] Revert "dom0/qvm-prefs: remove duplicated set_include_in_backups" This reverts commit aa99c411db89c98dcc22a664753b6b63efd53d3d. This wasn't duplicated... Conflicts: dom0/qvm-tools/qvm-prefs --- dom0/qvm-tools/qvm-prefs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 1b183742..66664497 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs @@ -283,6 +283,15 @@ def set_debug(vms, vm, args): vm.debug = False else: vm.debug = bool(eval(args[0].capitalize())) + + return True + +def set_include_in_backups(vms, vm, args): + if len (args) != 1: + print >> sys.stderr, "Missing value (True/False)!" + return False + + vm.include_in_backups = bool(eval(args[0].capitalize())) return True properties = { From 87d4e1586df81807c3888c90b535835112f9626e Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 25 Apr 2012 00:25:54 +0200 Subject: [PATCH 023/117] vm/qubes-dom0-update: display info when no updates available --- misc/qubes_download_dom0_updates.sh | 3 +++ 1 file changed, 3 insertions(+) 
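Review bot: `bool(eval(args[0].capitalize()))` in the restored `set_include_in_backups` evaluates the command-line argument as Python, so any value other than true/false is executed rather than rejected; the argument comes from the local dom0 operator, so the exposure is small, but a plain comparison is both safer and clearer. Replace it with `value = args[0].lower()`, `if value not in ('true', 'false'): print >> sys.stderr, "Invalid value (True/False)!"; return False`, then `vm.include_in_backups = value == 'true'`. The `set_debug` context line above uses the same `eval` pattern and would benefit from the same change.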
diff --git a/misc/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh index 575ebe77..33bc46d3 100755 --- a/misc/qubes_download_dom0_updates.sh +++ b/misc/qubes_download_dom0_updates.sh @@ -57,6 +57,9 @@ fi if [ -z "$PKGLIST" ]; then # No new updates + if [ "$GUI" = 1 ]; then + zenity --info --text="No new updates available" + fi exit 0 fi From daa82bb62ca72bcec6aad1f4fb15e68175bc529f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 25 Apr 2012 23:37:03 +0200 Subject: [PATCH 024/117] dom0: fix check-updates cron job --- dom0/aux-tools/qubes-dom0-updates.cron | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dom0/aux-tools/qubes-dom0-updates.cron b/dom0/aux-tools/qubes-dom0-updates.cron index 4942ee6c..8cf805fe 100755 --- a/dom0/aux-tools/qubes-dom0-updates.cron +++ b/dom0/aux-tools/qubes-dom0-updates.cron @@ -13,7 +13,7 @@ echo $$ > $PIDFILE trap "rm $PIDFILE" EXIT # If no updates available - exit here -qvm-dom0-updates --check-only && exit +qubes-dom0-updates --check-only && exit RETCODE=$? if [ "$RETCODE" -ne 100 ]; then @@ -32,4 +32,4 @@ zenity --notification --window-icon=$NOTIFY_ICON --text="Qubes dom0 updates avai zenity --question --title="Qubes Dom0 updates" \ --text="There are updates for dom0 available, do you want to download them now?" || exit 0 -su -c "DISPLAY=:0 qvm-dom0-update --gui" $LOCAL_USER +su -c "DISPLAY=:0 qubes-dom0-update --gui" $LOCAL_USER From 07e1ca35e732a6c900743c73a206789ff44721a2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 25 Apr 2012 23:41:48 +0200 Subject: [PATCH 025/117] dom0+vm/hotplug-script: improve error checking, log only important messages (#477) --- misc/block-snapshot | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/misc/block-snapshot b/misc/block-snapshot index 719b10aa..c57cad4f 100755 --- a/misc/block-snapshot +++ b/misc/block-snapshot 
@@ -14,7 +14,9 @@ fi shopt -s nullglob -HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" +if [ -n "$XENBUS_PATH" ]; then + HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" +fi get_dev() { dev=$1 @@ -102,7 +104,10 @@ case "$command" in add) case $t in snapshot|origin) - p=$(xenstore_read "$XENBUS_PATH/params") + p=$(xenstore_read_default "$XENBUS_PATH/params" 'MISSING') + if [ "$p" == "MISSING" ]; then + fatal "Missing device parameters ($t $XENBUS_PATH/params)" + fi base=${p/:*/} cow=${p/*:/} @@ -191,18 +196,20 @@ case "$command" in if [ "$command" = "cleanup" ]; then t=$2 else - t=$(cat $HOTPLUG_STORE-type) + t=$(cat $HOTPLUG_STORE-type 2>/dev/null || echo 'MISSING') fi - case $t in + case "$t" in snapshot|origin) if [ "$command" = "cleanup" ]; then node=$3 else - node=$(cat "$HOTPLUG_STORE-node") + node=$(cat "$HOTPLUG_STORE-node" 2> /dev/null) fi if [ -z "$node" ]; then - fatal "No device node to remove" + #fatal "No device node to remove" + #Most likely already removed + exit 0 fi if [ ! -e "$node" ]; then @@ -258,10 +265,13 @@ case "$command" in for dev in $deps; do if [ -b "$dev" ]; then log debug "Removing $dev" - losetup -d $dev || true 2> /dev/null + losetup -d $dev 2> /dev/null || true fi done + if [ -n "$HOTPLUG_STORE" ]; then + rm $HOTPLUG_STORE-* + fi release_lock "block" exit 0 From 0c43635806490dcfab3fed9cd03c9557d6d37eb2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 26 Apr 2012 14:29:19 +0200 Subject: [PATCH 026/117] dom0: add missing 2> /dev/null to unbind_pci_device.sh (#550) --- dom0/aux-tools/unbind_pci_device.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/aux-tools/unbind_pci_device.sh b/dom0/aux-tools/unbind_pci_device.sh index 8df56f2c..f3839949 100755 --- a/dom0/aux-tools/unbind_pci_device.sh +++ b/dom0/aux-tools/unbind_pci_device.sh 
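Review bot: In the remove hunk, `t=$(cat $HOTPLUG_STORE-type 2>/dev/null || echo 'MISSING')` and `node=$(cat "$HOTPLUG_STORE-node" 2> /dev/null)` still dereference HOTPLUG_STORE, which the first hunk now leaves unset when XENBUS_PATH is empty; if remove can be reached that way the command degrades to `cat -type` and the new redirect hides it, so quote and guard, e.g. `t=$(cat "${HOTPLUG_STORE:?XENBUS_PATH not set}-type" 2>/dev/null || echo 'MISSING')`. The last hunk's `rm $HOTPLUG_STORE-*` is likewise unquoted, and with nullglob active (visible in the first hunk) a non-matching pattern leaves `rm` with no operands, so `rm -f "$HOTPLUG_STORE"-*` is the quiet form. Turning `fatal "No device node to remove"` into `exit 0` makes a store that was never written indistinguishable from a device already gone; a `log debug "No device node to remove, assuming already removed"` before the exit keeps the trace without failing the hotplug. The case statement continues outside the hunk.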
@@ -32,7 +32,7 @@ if [ -e /sys/bus/pci/drivers/pciback/$BDF ]; then # Check if device not assigned to any RUNNING VM XS_PATH=/local/domain/0/backend/pci GREP_RE="^$XS_PATH/[0-9]*/[0-9]*/dev-[0-9]* = \"$BDF\"" - if xenstore-ls -f $XS_PATH | grep -q "$GREP_RE"; then + if xenstore-ls -f $XS_PATH 2> /dev/null | grep -q "$GREP_RE"; then DOMID=`xenstore-ls -f $XS_PATH | grep "$GREP_RE"|cut -d/ -f7` echo "ERROR: Device already attached to the running VM '`xl domname $DOMID`'" >&2 exit 1 From c0f1d3c53b1bdac51daa70053e9b2f3475bc2564 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 28 Apr 2012 02:03:43 +0200 Subject: [PATCH 027/117] dom0/qvm-ls: show 'n/a' in disk usage for dom0 --- dom0/qvm-tools/qvm-ls | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dom0/qvm-tools/qvm-ls b/dom0/qvm-tools/qvm-ls index 2d2c750b..d4e4e0ee 100755 --- a/dom0/qvm-tools/qvm-ls +++ b/dom0/qvm-tools/qvm-ls @@ -174,7 +174,10 @@ def main(): for vm in vms_to_display: data_row = {} for f in fields_to_display: - data_row[f] = str(eval(fields[f]["func"])) + if vm.qid == 0 and (f.startswith('priv-') or f.startswith('root-') or f == 'disk'): + data_row[f] = 'n/a' + else: + data_row[f] = str(eval(fields[f]["func"])) l = len(data_row[f]) if l > fields[f]["max_width"]: fields[f]["max_width"] = l From db6eb497a65c3e57a7de72d871df172bde5b81b1 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 28 Apr 2012 02:17:04 +0200 Subject: [PATCH 028/117] dom0/core: do not relay on any max xid (#445) What is really required is the maximum number of domains, not its IDs. Use max QID as maximum number of domains. --- dom0/qvm-core/qubes.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 7d0c9502..878d5c49 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py 
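Review bot: Silencing xenstore-ls's stderr makes an xenstore failure indistinguishable from "no running VM owns this device": the pipeline's status is grep's, so when xenstore-ls fails grep matches nothing and the script proceeds to unbind as if the device were free. Capture the listing once and fail closed, `XS_OUT=$(xenstore-ls -f $XS_PATH 2>/dev/null) || { echo "ERROR: cannot query xenstore" >&2; exit 1; }` followed by `if echo "$XS_OUT" | grep -q "$GREP_RE"; then`; the second, unredirected `xenstore-ls` on the DOMID line can then reuse `$XS_OUT` instead of querying again. The enclosing if block continues outside the hunk.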
@@ -59,7 +59,6 @@ qubes_servicevms_dir = qubes_base_dir + "/servicevms" qubes_store_filename = qubes_base_dir + "/qubes.xml" qubes_kernels_base_dir = qubes_base_dir + "/vm-kernels" -qubes_max_xid = 1024 qubes_max_qid = 254 qubes_max_netid = 254 vm_default_netmask = "255.255.255.0" @@ -134,7 +133,7 @@ class QubesHost(object): if previous is None: previous_time = time.time() previous = {} - info = xc.domain_getinfo(0, qubes_max_xid) + info = xc.domain_getinfo(0, qubes_max_qid) for vm in info: previous[vm['domid']] = {} previous[vm['domid']]['cpu_time'] = vm['cpu_time']/vm['online_vcpus'] @@ -143,7 +142,7 @@ class QubesHost(object): current_time = time.time() current = {} - info = xc.domain_getinfo(0, qubes_max_xid) + info = xc.domain_getinfo(0, qubes_max_qid) for vm in info: current[vm['domid']] = {} current[vm['domid']]['cpu_time'] = vm['cpu_time']/max(vm['online_vcpus'],1) @@ -545,7 +544,7 @@ class QubesVm(object): if start_xid < 0: start_xid = 0 try: - domains = xc.domain_getinfo(start_xid, qubes_max_xid-start_xid) + domains = xc.domain_getinfo(start_xid, qubes_max_qid) except xen.lowlevel.xc.Error: return None From 9d0af1731cd7037e387312167c255cca9fb7147d Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 1 May 2012 11:01:16 +0200 Subject: [PATCH 029/117] version 1.7.20 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index ae6ddf7e..ddb0f975 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.19 +1.7.20 diff --git a/version_vm b/version_vm index ae6ddf7e..ddb0f975 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.19 +1.7.20 From 9c7ab91491997762dec062db1508e94d50d26c8f Mon Sep 17 00:00:00 2001 
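Review bot: `qubes_max_qid` is now passed as the count argument to `xc.domain_getinfo` in all three hunks, but qid 0 is used for dom0 elsewhere in this tree (qvm-ls tests `vm.qid == 0`), so if qids run from 0 to 254 inclusive there can be 255 domains and the last one would never be listed. If that reading is right, pass `qubes_max_qid + 1`, or better introduce a named constant, `qubes_max_domains = qubes_max_qid + 1  # dom0 plus all VM qids`, next to `qubes_max_qid = 254` so the relationship is documented where the numbers live. The surrounding QubesHost and QubesVm methods start and end outside the hunks.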
From: Marek Marczykowski Date: Mon, 30 Apr 2012 13:29:01 +0200 Subject: [PATCH 030/117] dom0: remove unused reset_vm_configs.py --- dom0/aux-tools/reset_vm_configs.py | 24 ------------------------ rpm_spec/core-dom0.spec | 2 -- 2 files changed, 26 deletions(-) delete mode 100755 dom0/aux-tools/reset_vm_configs.py diff --git a/dom0/aux-tools/reset_vm_configs.py b/dom0/aux-tools/reset_vm_configs.py deleted file mode 100755 index e7e6841e..00000000 --- a/dom0/aux-tools/reset_vm_configs.py +++ /dev/null @@ -1,24 +0,0 @@ -#!/usr/bin/python2.6 -from qubes.qubes import QubesVmCollection -import sys -def main(): - if len(sys.argv) != 2: - print 'Usage: fixconf templatename' - sys.exit(1) - qvm_collection = QubesVmCollection() - qvm_collection.lock_db_for_reading() - qvm_collection.load() - qvm_collection.unlock_db() - templ = sys.argv[1] - tvm = qvm_collection.get_vm_by_name(templ) - if tvm is None: - print 'Template', templ, 'does not exist' - sys.exit(1) - if not tvm.is_template(): - print templ, 'is not a template' - sys.exit(1) - for vm in qvm_collection.values(): - if vm.template is not None and vm.template.qid == tvm.qid: - vm.create_config_file() - -main() diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 388ee256..2b56e349 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -102,7 +102,6 @@ cp aux-tools/convert_apptemplate2vm.sh $RPM_BUILD_ROOT/usr/lib/qubes cp aux-tools/convert_dirtemplate2vm.sh $RPM_BUILD_ROOT/usr/lib/qubes cp aux-tools/create_apps_for_appvm.sh $RPM_BUILD_ROOT/usr/lib/qubes cp aux-tools/remove_appvm_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes -cp aux-tools/reset_vm_configs.py $RPM_BUILD_ROOT/usr/lib/qubes cp qmemman/server.py $RPM_BUILD_ROOT/usr/lib/qubes/qmemman_daemon.py cp ../misc/meminfo-writer $RPM_BUILD_ROOT/usr/lib/qubes/ cp ../qrexec/qrexec_daemon $RPM_BUILD_ROOT/usr/lib/qubes/ 
@@ -331,7 +330,6 @@ fi /usr/lib/qubes/convert_dirtemplate2vm.sh /usr/lib/qubes/create_apps_for_appvm.sh /usr/lib/qubes/remove_appvm_appmenus.sh -/usr/lib/qubes/reset_vm_configs.py* /usr/lib/qubes/qmemman_daemon.py* /usr/lib/qubes/meminfo-writer /usr/lib/qubes/qfile-daemon-dvm* From 370ad33c4416cd6aac17fa1cf76a69d5021135f9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 01:12:19 +0200 Subject: [PATCH 031/117] dom0: provide service for VM to notify about updates availability (#475) --- dom0/aux-tools/qubes-notify-updates | 74 +++++++++++++++++++++++ dom0/aux-tools/qubes.NotifyUpdates | 1 + dom0/aux-tools/qubes.NotifyUpdates.policy | 6 ++ dom0/qvm-core/qubes.py | 1 + rpm_spec/core-dom0.spec | 6 ++ 5 files changed, 88 insertions(+) create mode 100755 dom0/aux-tools/qubes-notify-updates create mode 100644 dom0/aux-tools/qubes.NotifyUpdates create mode 100644 dom0/aux-tools/qubes.NotifyUpdates.policy diff --git a/dom0/aux-tools/qubes-notify-updates b/dom0/aux-tools/qubes-notify-updates new file mode 100755 index 00000000..53bc57cd --- /dev/null +++ b/dom0/aux-tools/qubes-notify-updates 
@@ -0,0 +1,74 @@ +#!/usr/bin/python +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2012 Marek Marczykowski +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# +import os +import os.path +import sys +import subprocess +import shutil +from datetime import datetime +from qubes.qubes import QubesVmCollection +from qubes.qubes import updates_stat_file + +def main(): + + qvm_collection = QubesVmCollection() + qvm_collection.lock_db_for_reading() + qvm_collection.load() + qvm_collection.unlock_db() + + source = os.getenv("QREXEC_REMOTE_DOMAIN") + + source_vm = qvm_collection.get_vm_by_name(source) + if source_vm is None: + print >> sys.stderr, 'Domain ' + source + ' does not exists (?!)' + exit(1) + + update_count = sys.stdin.readline(128).strip() + if not update_count.isdigit(): + print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: ' + update_count + exit(1) + if source_vm.updateable: + # Just trust information from VM itself + update_f = open(vm.dir_path + '/' + updates_stat_file, "w") + update_f.write(update_count) + update_f.close() + elif source_vm.template is not None: + # Hint about updates availability in template + # If template is running - it will notify about updates itself + if source_vm.template.is_running(): + return + # Ignore no-updates info + if 
int(update_count) > 0: + stat_file = source_vm.template.dir_path + '/' + updates_stat_file + # If VM is started before last updates.stat - it means that updates + # already was installed (but VM still hasn't been restarted), or other + # VM has already notified about updates availability + if os.path.exists(stat_file) and \ + source_vm.get_start_time() < datetime.fromtimestamp(os.path.getmtime(stat_file)): + return + update_f = open(stat_file, "w") + update_f.write(update_count) + update_f.close() + else: + print >> sys.stderr, 'Ignoring notification of no updates' + +main() diff --git a/dom0/aux-tools/qubes.NotifyUpdates b/dom0/aux-tools/qubes.NotifyUpdates new file mode 100644 index 00000000..b2ea16ed --- /dev/null +++ b/dom0/aux-tools/qubes.NotifyUpdates @@ -0,0 +1 @@ +/usr/lib/qubes/qubes-notify-updates diff --git a/dom0/aux-tools/qubes.NotifyUpdates.policy b/dom0/aux-tools/qubes.NotifyUpdates.policy new file mode 100644 index 00000000..0f00b0b6 --- /dev/null +++ b/dom0/aux-tools/qubes.NotifyUpdates.policy @@ -0,0 +1,6 @@ +## Note that policy parsing stops at the first match, +## so adding anything below "$anyvm $anyvm action" line will have no effect + +## Please use a single # to start your custom comments + +$anyvm dom0 allow diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 878d5c49..41a9cc32 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -82,6 +82,7 @@ config_template_pv = '/usr/share/qubes/vm-template.conf' qubes_whitelisted_appmenus = 'whitelisted-appmenus.list' dom0_update_check_interval = 6*3600 +updates_stat_file = 'updates.stat' # how long (in sec) to wait for VMs to shutdown # before killing them (when used qvm-run with --wait option) diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 2b56e349..5994aebd 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec 
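Review bot: This service is reachable from every VM under the `$anyvm dom0 allow` policy added in the same commit, and the `elif source_vm.template is not None:` branch lets any AppVM set its template's updates.stat to a digit string of up to 128 characters, written verbatim and non-atomically; the `isdigit()` check is the right gate, but write the normalised value and rename into place, e.g. `tmp = stat_file + '.tmp'`, write `str(int(update_count))` to it, then `os.rename(tmp, stat_file)`, so a concurrent reader never sees a partial file, and note in a comment that a VM can only raise a notification for its own template, never clear one. The `updateable` branch references `vm`, which is not defined in this function (a later patch in this series corrects it to `source_vm`), and `exit(1)` relies on the site-provided builtin where `sys.exit(1)` is the portable form. The module-level `main()` call should be guarded with `if __name__ == '__main__':` so the file can be imported for testing.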
@@ -108,6 +108,7 @@ cp ../qrexec/qrexec_daemon $RPM_BUILD_ROOT/usr/lib/qubes/ cp ../qrexec/qrexec_client $RPM_BUILD_ROOT/usr/lib/qubes/ cp ../qrexec/qrexec_policy $RPM_BUILD_ROOT/usr/lib/qubes/ cp aux-tools/qfile-dom0-unpacker $RPM_BUILD_ROOT/usr/lib/qubes/ +cp aux-tools/qubes-notify-updates $RPM_BUILD_ROOT/usr/lib/qubes/ cp aux-tools/qubes-receive-updates $RPM_BUILD_ROOT/usr/lib/qubes/ cp ../misc/block_add_change $RPM_BUILD_ROOT/usr/lib/qubes/ cp ../misc/block_remove $RPM_BUILD_ROOT/usr/lib/qubes/ @@ -120,6 +121,8 @@ cp ../qubes_rpc/qubes.VMShell.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes. cp qubes.SyncAppMenus.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.SyncAppMenus cp qubes.SyncAppMenus $RPM_BUILD_ROOT/etc/qubes_rpc/ cp ../qrexec/qubes_rpc_multiplexer $RPM_BUILD_ROOT/usr/lib/qubes +cp aux-tools/qubes.NotifyUpdates.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.NotifyUpdates +cp aux-tools/qubes.NotifyUpdates $RPM_BUILD_ROOT/etc/qubes_rpc/ cp aux-tools/qubes.ReceiveUpdates.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.ReceiveUpdates cp aux-tools/qubes.ReceiveUpdates $RPM_BUILD_ROOT/etc/qubes_rpc/ install -D aux-tools/qubes-dom0.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes-dom0.modules @@ -333,6 +336,7 @@ fi /usr/lib/qubes/qmemman_daemon.py* /usr/lib/qubes/meminfo-writer /usr/lib/qubes/qfile-daemon-dvm* +/usr/lib/qubes/qubes-notify-updates /usr/lib/qubes/qubes-receive-updates /usr/lib/qubes/block_add_change /usr/lib/qubes/block_remove 
@@ -376,9 +380,11 @@ fi %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.Filecopy %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.OpenInVM %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.SyncAppMenus +%attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.NotifyUpdates %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.ReceiveUpdates %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.VMShell /etc/qubes_rpc/qubes.SyncAppMenus +/etc/qubes_rpc/qubes.NotifyUpdates /etc/qubes_rpc/qubes.ReceiveUpdates %attr(4750,root,qubes) /usr/lib/qubes/qrexec_daemon %attr(2770,root,qubes) %dir /var/log/qubes From 950d848edec5b95a6d0d8b918aed206c6253050e Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 01:14:04 +0200 Subject: [PATCH 032/117] vm: notify dom0 when updates available in VM (#475) --- rpm_spec/core-vm.spec | 5 +++++ vm-systemd/qubes-sysinit.sh | 6 +++--- vm-systemd/qubes-update-check.service | 7 +++++++ vm-systemd/qubes-update-check.timer | 11 +++++++++++ 4 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 vm-systemd/qubes-update-check.service create mode 100644 vm-systemd/qubes-update-check.timer diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index c11b699d..3158b57b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -87,6 +87,7 @@ install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ install -d $RPM_BUILD_ROOT/lib/systemd/system $RPM_BUILD_ROOT/usr/lib/qubes/init install -m 0755 vm-systemd/*.sh $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/qubes-*.service $RPM_BUILD_ROOT/lib/systemd/system/ +install -m 0644 vm-systemd/qubes-*.timer $RPM_BUILD_ROOT/lib/systemd/system/ install -m 0644 vm-systemd/NetworkManager.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/cups.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ 
@@ -484,6 +485,8 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-netwatcher.service /lib/systemd/system/qubes-network.service /lib/systemd/system/qubes-sysinit.service +/lib/systemd/system/qubes-update-check.service +/lib/systemd/system/qubes-update-check.timer %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh @@ -502,6 +505,8 @@ for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes /bin/systemctl enable $srv.service 2> /dev/null done +/bin/systemctl enable qubes-update-check.timer 2> /dev/null + # Install overriden services only when original exists for srv in cups NetworkManager ntpd; do if [ -f /lib/systemd/system/$srv.service ]; then diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 65c36063..d78929ca 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,9 +1,9 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network" -DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher" -DEFAULT_ENABLED_APPVM="meminfo-writer cups" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check" +DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" +DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM DEFAULT_ENABLED="meminfo-writer" diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service new file mode 100644 index 00000000..5566eda4 --- /dev/null +++ b/vm-systemd/qubes-update-check.service 
@@ -0,0 +1,7 @@ +[Unit] +Description=Qubes check for VM updates and notify dom0 +ConditionPathExists=/var/run/qubes-service/qubes-update-check + +[Service] +Type=oneshot +ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l' diff --git a/vm-systemd/qubes-update-check.timer b/vm-systemd/qubes-update-check.timer new file mode 100644 index 00000000..d63cf45f --- /dev/null +++ b/vm-systemd/qubes-update-check.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Periodically check for updates +ConditionPathExists=/var/run/qubes-service/qubes-update-check + +[Timer] +OnBootSec=5min +OnUnitActiveSec=2d + +[Install] +WantedBy=multi-user.target + From 7b81659593c74823fb0298204278117ee1007f4a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 02:04:16 +0200 Subject: [PATCH 033/117] dom0: create appmenus template and icon for all VMs --- dom0/qvm-core/qubes.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 41a9cc32..ae984dd0 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -980,9 +980,18 @@ class QubesVm(object): for f in ("vmlinuz", "initramfs", "modules.img"): shutil.copy(kernels_dir + '/' + f, self.dir_path + '/kernels/' + f) + if verbose: + print >> sys.stderr, "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\ + format(source_template.appmenus_templates_dir, self.appmenus_templates_dir) + shutil.copytree (source_template.appmenus_templates_dir, self.appmenus_templates_dir) + # Create volatile.img self.reset_volatile_storage(source_template = source_template, verbose=verbose) + if verbose: + print >> sys.stderr, "--> Creating icon symlink: {0} -> {1}".format(self.icon_path, self.label.icon_path) + os.symlink (self.label.icon_path, self.icon_path) + def create_appmenus(self, verbose, source_template = None): if source_template is None: source_template = self.template 
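Review bot: `yum -q check-update|wc -l` reports a line count, not an update count: yum can wrap long package names onto a continuation line and emits section headings such as "Obsoleting Packages", both of which inflate the figure, and when yum fails (no network, broken repo) wc still prints 0, which dom0 then treats as "no updates". Since the dom0 side only distinguishes zero from non-zero, the exit status is the more reliable signal, e.g. `ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null 2>&1; [ $? -eq 100 ] && echo 1 || echo 0'`; if a consumer displays the number, keep the count but document that it is approximate. A comment in the unit stating what dom0 does with the value would make that trade-off explicit.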
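Review bot: The lines moved into `QubesVm.create_on_disk` dereference `source_template` unconditionally (`source_template.appmenus_templates_dir`), while the sibling `create_appmenus` visible below, and `QubesNetVm.create_on_disk` in patch 034, default that parameter to None; if any caller relies on the default, the copy now raises AttributeError where the old `if self.updateable` branch in QubesAppVm simply skipped it. Resolve the default the way `create_appmenus` does, `if source_template is None: source_template = self.template`, before the copytree, or guard the copy with `if source_template is not None:`. `os.symlink` also raises OSError when `self.icon_path` already exists, so a short comment that create_on_disk is only ever run on a freshly created directory would tell the next reader why no existence check is needed. create_on_disk's signature is outside the hunk.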
@@ -2117,16 +2126,6 @@ class QubesAppVm(QubesVm): super(QubesAppVm, self).create_on_disk(verbose, source_template=source_template) - if self.updateable: - if verbose: - print >> sys.stderr, "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\ - format(source_template.appmenus_templates_dir, self.appmenus_templates_dir) - shutil.copytree (source_template.appmenus_templates_dir, self.appmenus_templates_dir) - - if verbose: - print >> sys.stderr, "--> Creating icon symlink: {0} -> {1}".format(self.icon_path, self.label.icon_path) - os.symlink (self.label.icon_path, self.icon_path) - if not self.internal: self.create_appmenus (verbose, source_template=source_template) From 9edc8451841b9605c152ecdf784b4358a961e185 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 02:05:07 +0200 Subject: [PATCH 034/117] dom0: create appmenus for NetVMs, using separate whitelist (#538) --- dom0/qvm-core/qubes.py | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index ae984dd0..c6145c54 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1004,9 +1004,9 @@ class QubesVm(object): try: if source_template is not None: - subprocess.check_call ([qubes_appmenu_create_cmd, source_template.appmenus_templates_dir, self.name]) + subprocess.check_call ([qubes_appmenu_create_cmd, source_template.appmenus_templates_dir, self.name, vmtype]) elif self.appmenus_templates_dir is not None: - subprocess.check_call ([qubes_appmenu_create_cmd, self.appmenus_templates_dir, self.name]) + subprocess.check_call ([qubes_appmenu_create_cmd, self.appmenus_templates_dir, self.name, vmtype]) else: # Only add apps to menu subprocess.check_call ([qubes_appmenu_create_cmd, "none", self.name, vmtype]) 
@@ -1831,6 +1831,22 @@ class QubesNetVm(QubesVm): self.__external_ip_allowed_xids.discard(int(xid)) self.update_external_ip_permissions() + def create_on_disk(self, verbose, source_template = None): + if dry_run: + return + + super(QubesNetVm, self).create_on_disk(verbose, source_template=source_template) + + if os.path.exists(source_template.dir_path + '/netvm-' + qubes_whitelisted_appmenus): + if verbose: + print >> sys.stderr, "--> Creating default whitelisted apps list: {0}".\ + format(self.dir_path + '/' + qubes_whitelisted_appmenus) + shutil.copy(source_template.dir_path + '/netvm-' + qubes_whitelisted_appmenus, + self.dir_path + '/' + qubes_whitelisted_appmenus) + + if not self.internal: + self.create_appmenus (verbose, source_template=source_template) + class QubesProxyVm(QubesNetVm): """ A class that represents a ProxyVM, ex FirewallVM. A child of QubesNetVM. From b771cb9f9087319822b8b4aad2281bec4552bdf2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 02:22:36 +0200 Subject: [PATCH 035/117] dom0/qvm-backup: chown user dir before backup (#492) --- dom0/qvm-core/qubesutils.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py index c800f58c..83bdc407 100644 --- a/dom0/qvm-core/qubesutils.py +++ b/dom0/qvm-core/qubesutils.py @@ -645,6 +645,11 @@ def backup_prepare(base_backup_dir, vms_list = None, exclude_list = [], print_ca if not 'dom0' in exclude_list: local_user = grp.getgrnam('qubes').gr_mem[0] home_dir = pwd.getpwnam(local_user).pw_dir + # Home dir should have only user-owned files, so fix it now to prevent + # permissions problems - some root-owned files can left after + # 'sudo bash' and similar commands + subprocess.check_call(['sudo', 'chown', '-R', local_user, home_dir]) + home_sz = get_disk_usage(home_dir) home_to_backup = [ { "path" : home_dir, "size": home_sz, "subdir": 'dom0-home'} ] files_to_backup += home_to_backup 
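Review bot: `subprocess.check_call(['sudo', 'chown', '-R', local_user, home_dir])` makes a prepare step that otherwise only measures sizes (`get_disk_usage(home_dir)` follows it) silently rewrite the ownership of every file under the dom0 home, including anything a root process legitimately placed there, and it does so even when the backup is later cancelled. At minimum announce it through the print callback the signature already takes, and consider moving it to the point where the backup is actually written; if sudo prompts or is denied, CalledProcessError propagates to callers that only expect disk-usage results, so either catch it with a clear message or document it as a raised exception. Extend the existing comment with the consequence, e.g. `# NOTE: this changes ownership on disk, not only in the backup`. backup_prepare continues outside the hunk.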
From ebe74d1661749ab8d66cbd6ce0cd27aac87a79e7 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 23:48:25 +0200 Subject: [PATCH 036/117] vm: include /proc/xen in fstab (#466) --- misc/fstab | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/fstab b/misc/fstab index 877e6e49..b7d0feec 100644 --- a/misc/fstab +++ b/misc/fstab @@ -13,4 +13,5 @@ tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 +xen /proc/xen xenfs defaults 0 0 /dev/xvdi /mnt/removable auto noauto,user,rw 0 0 From 82851b7a88f8c12216bf9e270646d13536aad3a7 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 23:48:45 +0200 Subject: [PATCH 037/117] vm/systemd: do not depend on proc-xen.mount (#466) local-fs.target already covers /proc/xen --- vm-systemd/qubes-sysinit.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-sysinit.service b/vm-systemd/qubes-sysinit.service index c6ca7a0c..29bb1e4f 100644 --- a/vm-systemd/qubes-sysinit.service +++ b/vm-systemd/qubes-sysinit.service @@ -2,7 +2,7 @@ Description=Init Qubes Services settings DefaultDependencies=no Before=sysinit.target -After=local-fs.target proc-xen.mount +After=local-fs.target [Service] Type=oneshot From a5c80d4015d75a48942102a76dfdee7931f66e4d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 3 May 2012 03:54:05 +0200 Subject: [PATCH 038/117] dom0/qvm-pci: add info about required restart after PCI device add/remove --- dom0/qvm-tools/qvm-pci | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dom0/qvm-tools/qvm-pci b/dom0/qvm-tools/qvm-pci index e2b81a48..7a41bc0e 100755 --- a/dom0/qvm-tools/qvm-pci +++ b/dom0/qvm-tools/qvm-pci @@ -73,6 +73,8 @@ def main(): exit(1) if vm.pcidevs.count(pci) == 0: vm.pcidevs.append(pci) + if vm.is_running(): + print >>sys.stderr, "NOTICE: Changes will be seen by VM after VM restart" qvm_collection.save() qvm_collection.unlock_db() 
@@ -84,6 +86,8 @@ def main(): pci = args[1] if vm.pcidevs.count(pci) > 0: vm.pcidevs.remove(pci) + if vm.is_running(): + print >>sys.stderr, "NOTICE: Changes will be seen by VM after VM restart" qvm_collection.save() qvm_collection.unlock_db() From 50a58c63311bd8da50e364dad814a303adaabf25 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 4 May 2012 02:42:21 +0200 Subject: [PATCH 039/117] dom0/dom0-update: clean up metadata caches after downloading updates (#558) --- dom0/aux-tools/qubes-receive-updates | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/dom0/aux-tools/qubes-receive-updates b/dom0/aux-tools/qubes-receive-updates index 366066cc..02cbebee 100755 --- a/dom0/aux-tools/qubes-receive-updates +++ b/dom0/aux-tools/qubes-receive-updates @@ -75,6 +75,15 @@ def handle_dom0updates(updatevm): subprocess.check_call(["/usr/bin/createrepo", "-q", updates_dir]) os.chown(updates_repodata_dir, -1, qubes_gid) os.chmod(updates_repodata_dir, 0775) + # Clean old cache + subprocess.call(["/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr) + # This will fail because of "smart" detection of no-network, but it will invalidate the cache + try: + null = open('/dev/null','w') + subprocess.call(["/usr/bin/pkcon", "refresh"], stdout=null) + null.close() + except: + pass exit(0) def main(): From 26985f85c720ad12e4854b5244b105ed99a93cb9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 13:20:14 +0200 Subject: [PATCH 040/117] version 1.7.21 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index ddb0f975..7bc3ecf9 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.20 +1.7.21 diff --git a/version_vm b/version_vm index ddb0f975..7bc3ecf9 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.20 +1.7.21 From 783ea782926b28df006728824bf0ae82bf54b0fe Mon Sep 17 00:00:00 2001 
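Review bot: The bare `except:` around the `pkcon refresh` call swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and the `/dev/null` handle is never closed when `subprocess.call` raises, because `null.close()` sits inside the `try`. Narrowing the handler to the failure the comment anticipates and using a context manager (Python 2.6+) fixes both; the `yum clean all` call one line above has no guard at all, so the two calls currently treat a missing binary differently. `handle_dom0updates` continues outside the hunk.
```python
    # This will fail because of "smart" detection of no-network, but it will invalidate the cache
    try:
        with open('/dev/null', 'w') as null:
            subprocess.call(["/usr/bin/pkcon", "refresh"], stdout=null)
    except OSError:
        pass
    # … unchanged: exit(0) …
```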
From: Marek Marczykowski Date: Tue, 8 May 2012 15:54:29 +0200 Subject: [PATCH 041/117] dom0: var name fix, and one minor sanity check --- dom0/aux-tools/qubes-notify-updates | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/dom0/aux-tools/qubes-notify-updates b/dom0/aux-tools/qubes-notify-updates index 53bc57cd..2e09f411 100755 --- a/dom0/aux-tools/qubes-notify-updates +++ b/dom0/aux-tools/qubes-notify-updates @@ -37,6 +37,10 @@ def main(): source = os.getenv("QREXEC_REMOTE_DOMAIN") + if source is None: + print >> sys.stderr, 'This script must be called as qrexec service!' + exit(1) + source_vm = qvm_collection.get_vm_by_name(source) if source_vm is None: print >> sys.stderr, 'Domain ' + source + ' does not exists (?!)' @@ -48,7 +52,7 @@ def main(): exit(1) if source_vm.updateable: # Just trust information from VM itself - update_f = open(vm.dir_path + '/' + updates_stat_file, "w") + update_f = open(source_vm.dir_path + '/' + updates_stat_file, "w") update_f.write(update_count) update_f.close() elif source_vm.template is not None: From abd1f30c3e877b9e222d2d924d9ab482e9a3c85e Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 8 May 2012 18:30:21 +0200 Subject: [PATCH 042/117] vm: Add localhost alias to /etc/hosts ... or otherwise, some programs will hang for many secconds trying to resolve localhost. --- vm-init.d/qubes_core | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index c3accd92..52bb1cdb 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core 
@@ -26,7 +26,7 @@ start() # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) # (let's be frank: nobody's gonna use xterm on DispVM) hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts + (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts fi timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 65c36063..9e3c488c 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -52,7 +52,7 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts + (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` From d9b009d6febad32919d17620f0a22bddb420d966 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 8 May 2012 18:36:30 +0200 Subject: [PATCH 043/117] version 1.7.22 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 7bc3ecf9..ff39d448 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.21 +1.7.22 diff --git a/version_vm b/version_vm index 7bc3ecf9..ff39d448 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.21 +1.7.22 From 21d86b81fc7763c8fccd93e5859e5e74ec27f9b2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 23:34:01 +0200 Subject: [PATCH 044/117] vm: do not override /etc/hosts, just add VMNAME to 127.0.0.1 --- vm-init.d/qubes_core | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index 52bb1cdb..7193d386 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core 
@@ -26,7 +26,7 @@ start() # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) # (let's be frank: nobody's gonna use xterm on DispVM) hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts + sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts fi timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 356a18ba..02e2a9a0 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -52,7 +52,7 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts + sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` From 0ebd1d0de6529ace3a5a5b23f935f9bbcdc23ba9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 23:41:53 +0200 Subject: [PATCH 045/117] vm/spec: fix /etc/hosts if it was broken by previous version --- rpm_spec/core-vm.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 3158b57b..0b9d5ffd 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -237,6 +237,14 @@ sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf sed -i -e '/^exclude = kernel/d' /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf +# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content +if ! grep -q localhost /etc/hosts; then + cat < /etc/hosts +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +EOF +fi + if [ "$1" != 1 ] ; then # do the rest of %post thing only when updating for the first time... exit 0 
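Review bot: The replacement in the new `sed` expression drops the third capture group: `\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)` binds everything after the last space on the line to `\3`, but `\1\2 $name` never emits it, so the last alias on the `127.0.0.1` line (for example `localhost4.localdomain4`) is lost on every boot, and a line with a single alias (`127.0.0.1 localhost`) does not match at all because the pattern requires two spaces. The same line is added to `vm-systemd/qubes-sysinit.sh` in the second hunk of this commit. An idempotent form that needs no grouping is `grep -q "\<$name\>" /etc/hosts || sed -i "s/^\(127\.0\.0\.1 .*\)/\1 $name/" /etc/hosts`. Both versions assume a single space after `127.0.0.1`; a tab-separated `/etc/hosts` line would not match either.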
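Review bot: As rendered here the restore block reads `cat < /etc/hosts` followed by two host lines and `EOF`, which as written only prints `/etc/hosts` to stdout; presumably the original is a heredoc, `cat <<EOF > /etc/hosts`, and the `<<EOF >` part was lost in rendering, which is worth confirming in the actual spec file. The guard `grep -q localhost /etc/hosts` also fires on an `/etc/hosts` that was deliberately customised without a `localhost` entry and then replaces it wholesale; checking for the specific broken shape this `%post` repairs, e.g. `grep -q '^127\.0\.0\.1 .*localhost' /etc/hosts`, keeps the repair targeted. Note that the backtick `hostname` inside the heredoc expands at package-install time, so the name baked into the file is whatever the host is called at that moment.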
From b39ab203143fcd7f0abb72560eae205c7ba07160 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 12 May 2012 13:45:12 +0200 Subject: [PATCH 046/117] version 1.7.23-vm --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index ff39d448..52a89d41 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.22 +1.7.23 From 1e496fbfb7e81b646e2e58a7acce847cd54f99e4 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 14 May 2012 04:56:03 +0200 Subject: [PATCH 047/117] dom0/qubes-updates: one more qubes-dom0-update typo fix --- dom0/aux-tools/qubes-dom0-updates.cron | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/aux-tools/qubes-dom0-updates.cron b/dom0/aux-tools/qubes-dom0-updates.cron index 8cf805fe..4feb65f3 100755 --- a/dom0/aux-tools/qubes-dom0-updates.cron +++ b/dom0/aux-tools/qubes-dom0-updates.cron @@ -13,7 +13,7 @@ echo $$ > $PIDFILE trap "rm $PIDFILE" EXIT # If no updates available - exit here -qubes-dom0-updates --check-only && exit +qubes-dom0-update --check-only >/dev/null && exit RETCODE=$? if [ "$RETCODE" -ne 100 ]; then From 8d7811827f96b7dc9ab448c5c0019da6257a6a8f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 14 May 2012 04:56:30 +0200 Subject: [PATCH 048/117] dom0/qubes-updates: stat file for qubes-manager --- dom0/aux-tools/qubes-dom0-updates.cron | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dom0/aux-tools/qubes-dom0-updates.cron b/dom0/aux-tools/qubes-dom0-updates.cron index 4feb65f3..b30a0b43 100755 --- a/dom0/aux-tools/qubes-dom0-updates.cron +++ b/dom0/aux-tools/qubes-dom0-updates.cron @@ -4,6 +4,7 @@ LOCAL_USER=`users | sed -e 's/root *//' | cut -d' ' -f 1` PIDFILE=/var/run/qubes/dom0-update-notification.pid NOTIFY_ICON=/usr/share/qubes/icons/dom0-update-avail.svg +UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available # Do not allow multiple instances [ -r $PIDFILE ] && kill -0 `cat $PIDFILE` && exit 0 
@@ -26,6 +27,9 @@ if [ -z "$LOCAL_USER" ]; then exit 1 fi +# Touch stat file for qubes-manager +touch $UPDATES_STAT_FILE + # Notify about updates using system tray zenity --notification --window-icon=$NOTIFY_ICON --text="Qubes dom0 updates available." @@ -33,3 +37,6 @@ zenity --question --title="Qubes Dom0 updates" \ --text="There are updates for dom0 available, do you want to download them now?" || exit 0 su -c "DISPLAY=:0 qubes-dom0-update --gui" $LOCAL_USER + +# Check if user installed updates +yum -q check-updates && rm $UPDATES_STAT_FILE From 44cec03c336c8eb330dc8c88c67030b1c5013856 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 16 May 2012 07:55:48 +0200 Subject: [PATCH 049/117] dom0/update-notify: ensure correct permissions for update stat file --- dom0/aux-tools/qubes-notify-updates | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/dom0/aux-tools/qubes-notify-updates b/dom0/aux-tools/qubes-notify-updates index 2e09f411..d34de46c 100755 --- a/dom0/aux-tools/qubes-notify-updates +++ b/dom0/aux-tools/qubes-notify-updates @@ -24,6 +24,7 @@ import os.path import sys import subprocess import shutil +import grp from datetime import datetime from qubes.qubes import QubesVmCollection from qubes.qubes import updates_stat_file @@ -46,6 +47,9 @@ def main(): print >> sys.stderr, 'Domain ' + source + ' does not exists (?!)' exit(1) + os.umask(0002) + qubes_gid = grp.getgrnam('qubes').gr_gid + update_count = sys.stdin.readline(128).strip() if not update_count.isdigit(): print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: ' + update_count @@ -55,6 +59,7 @@ def main(): update_f = open(source_vm.dir_path + '/' + updates_stat_file, "w") update_f.write(update_count) update_f.close() + os.chown(source_vm.dir_path + '/' + updates_stat_file, -1, qubes_gid) elif source_vm.template is not None: # Hint about updates availability in template # If template is running - it will notify about updates itself 
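Review bot: The new last line runs `yum -q check-updates`, but the yum subcommand is `check-update` (the spelling used by `qubes-update-check.service` later in this series and implied by the `RETCODE -ne 100` test earlier in this script); if yum rejects the misspelled command it exits non-zero and `$UPDATES_STAT_FILE` is never removed, so qubes-manager keeps reporting pending updates. `yum -q check-update && rm $UPDATES_STAT_FILE` relies on exit status 0 meaning nothing pending, which is consistent with the 100-means-updates convention already checked above. Separately, the `touch $UPDATES_STAT_FILE` in the previous hunk fails if `/var/lib/qubes/updates/` does not exist; presumably the package creates it, which is worth confirming.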
@@ -72,6 +77,7 @@ def main(): update_f = open(stat_file, "w") update_f.write(update_count) update_f.close() + os.chown(stat_file, -1, qubes_gid) else: print >> sys.stderr, 'Ignoring notification of no updates' From 987a4901796faae7db792addd09fc317c7554c58 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 20 May 2012 02:08:56 +0200 Subject: [PATCH 050/117] dom0/core: don't force maxmem=memory for NetVM (#572) --- dom0/qvm-core/qubes.py | 1 - 1 file changed, 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index c6145c54..d919fc76 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1700,7 +1700,6 @@ class QubesNetVm(QubesVm): attrs_config['label']['default'] = default_servicevm_label attrs_config['vcpus']['default'] = default_servicevm_vcpus attrs_config['memory']['default'] = 200 - attrs_config['maxmem']['eval'] = 'self.memory' # New attributes attrs_config['netid'] = { 'save': 'str(self.netid)', 'order': 30 } From 3d783f7fa38cc2264897d563edec0bc4c7bd4437 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 22 May 2012 15:51:09 +0200 Subject: [PATCH 051/117] dom0: expose debug mode in xenstore (#567) --- dom0/qvm-core/qubes.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index d919fc76..87908e68 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -840,6 +840,9 @@ class QubesVm(object): "{0}/qubes-block-devices".format(domain_path), '') + xs.write('', "{0}/qubes-debug-mode".format(domain_path), + str(int(self.debug))) + # Fix permissions xs.set_permissions('', '{0}/device'.format(domain_path), [{ 'dom': xid }]) From 8d18c1291f1657977c9495b9567edfe1746661fc Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 22 May 2012 16:49:03 +0200 Subject: [PATCH 052/117] vm/systemd: generate opts for GUI based on debug-mode (#567) --- vm-systemd/qubes-sysinit.sh | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 02e2a9a0..1fb463c1 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -61,3 +61,11 @@ if [ -n "$timezone" ]; then echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + +# Prepare environment for other services +echo > /var/run/qubes-service-environment + +debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null` +if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then + echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment +fi From 51326e3d1d2d5a0a7df913d370998cf778723661 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 28 May 2012 19:30:55 +0200 Subject: [PATCH 053/117] version 1.7.24 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index ff39d448..384e29da 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.22 +1.7.24 diff --git a/version_vm b/version_vm index 52a89d41..384e29da 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.23 +1.7.24 From 63d7cb5231deebfb62cca31ac18831d18ebe35e4 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 24 May 2012 12:11:03 +0200 Subject: [PATCH 054/117] qrexec: describe msg types in header file --- qrexec/qrexec.h | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/qrexec/qrexec.h b/qrexec/qrexec.h index e3a556ea..4313d119 100644 --- a/qrexec/qrexec.h +++ b/qrexec/qrexec.h @@ -19,6 +19,8 @@ * */ +/* See also http://wiki.qubes-os.org/trac/wiki/Qrexec */ + #define QREXEC_DAEMON_SOCKET_DIR "/var/run/qubes" #define MAX_FDS 256 #define MAX_DATA_CHUNK 4096 
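Review bot: `[ -n "$debug_mode" -a "$debug_mode" -gt 0 ]` prints an "integer expression expected" error to the console when the xenstore value is not numeric, because `-a` does not short-circuit the `-gt` test; `[` then returns 2 and the branch is skipped, so a bad value produces boot-log noise rather than a clear failure. `if [ "${debug_mode:-0}" -gt 0 ] 2>/dev/null; then` handles the empty and non-numeric cases quietly and drops the deprecated `-a`. A one-line comment above `echo > /var/run/qubes-service-environment` saying which services read the file would help, since nothing in this script consumes it.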
@@ -30,26 +32,52 @@ #define MEMINFO_WRITER_PIDFILE "/var/run/meminfo-writer.pid" enum { + /* messages from qrexec_client to qrexec_daemon (both in dom0) */ + /* start process in VM and pass its stdin/out/err to dom0 */ MSG_CLIENT_TO_SERVER_EXEC_CMDLINE = 0x100, + /* start process in VM discarding its stdin/out/err (connect to /dev/null) */ MSG_CLIENT_TO_SERVER_JUST_EXEC, + /* connect to existing process in VM to receive its stdin/out/err + * struct connect_existing_params passed as data */ MSG_CLIENT_TO_SERVER_CONNECT_EXISTING, + /* messages qrexec_daemon(dom0)->qrexec_agent(VM) */ + /* same as MSG_CLIENT_TO_SERVER_CONNECT_EXISTING */ MSG_SERVER_TO_AGENT_CONNECT_EXISTING, + /* same as MSG_CLIENT_TO_SERVER_EXEC_CMDLINE */ MSG_SERVER_TO_AGENT_EXEC_CMDLINE, + /* same as MSG_CLIENT_TO_SERVER_JUST_EXEC */ MSG_SERVER_TO_AGENT_JUST_EXEC, + /* pass data to process stdin */ MSG_SERVER_TO_AGENT_INPUT, + /* detach from process; qrexec_agent should close pipes to process + * stdin/out/err; it's up to the VM child process if it cause its termination */ MSG_SERVER_TO_AGENT_CLIENT_END, + /* flow control, qrexec_daemon->qrexec_agent */ + /* suspend reading of named fd from child process */ MSG_XOFF, + /* resume reading of named fd from child process */ MSG_XON, + /* messages qrexec_agent(VM)->qrexec_daemon(dom0) */ + /* pass data from process stdout */ MSG_AGENT_TO_SERVER_STDOUT, + /* pass data from process stderr */ MSG_AGENT_TO_SERVER_STDERR, + /* inform that process terminated and pass its exit code; this should be + * send after all data from stdout/err are send */ MSG_AGENT_TO_SERVER_EXIT_CODE, + /* call Qubes RPC service + * struct trigger_connect_params passed as data */ MSG_AGENT_TO_SERVER_TRIGGER_CONNECT_EXISTING, + /* messages qrexec_daemon->qrexec_client (both in dom0) */ + /* same as MSG_AGENT_TO_SERVER_STDOUT */ MSG_SERVER_TO_CLIENT_STDOUT, + /* same as MSG_AGENT_TO_SERVER_STDERR */ MSG_SERVER_TO_CLIENT_STDERR, + /* same as MSG_AGENT_TO_SERVER_EXIT_CODE */ 
MSG_SERVER_TO_CLIENT_EXIT_CODE }; From 812264cfb042d47ce13059e3148522793e1cdd50 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 25 May 2012 15:06:00 +0200 Subject: [PATCH 055/117] dom0/core: don't limit netvm/proxyvm vcpu count to 1 (#571) --- dom0/qvm-core/qubes.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 87908e68..4cf3af98 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -73,7 +73,6 @@ default_appmenus_template_templates_subdir = "apps-template.templates" default_kernels_subdir = "kernels" default_firewall_conf_file = "firewall.xml" default_memory = 400 -default_servicevm_vcpus = 1 default_kernelopts = "" default_kernelopts_pcidevs = "iommu=soft swiotlb=2048" @@ -1701,7 +1700,6 @@ class QubesNetVm(QubesVm): attrs_config = super(QubesNetVm, self)._get_attrs_config() attrs_config['dir_path']['eval'] = 'value if value is not None else qubes_servicevms_dir + "/" + self.name' attrs_config['label']['default'] = default_servicevm_label - attrs_config['vcpus']['default'] = default_servicevm_vcpus attrs_config['memory']['default'] = 200 # New attributes From 39b15033aaf077d7a33fb7f35fa271d70ab4ea38 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 26 May 2012 12:21:42 +0200 Subject: [PATCH 056/117] dom0/qvm-ls: add 'kernel' and 'kernelopts' columns --- dom0/qvm-tools/qvm-ls | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/dom0/qvm-tools/qvm-ls b/dom0/qvm-tools/qvm-ls index d4e4e0ee..ac94a71d 100755 --- a/dom0/qvm-tools/qvm-ls +++ b/dom0/qvm-tools/qvm-ls @@ -76,6 +76,9 @@ fields = { "label" : {"func" : "vm.label.name"}, + "kernel" : {"func" : "('*' if vm.uses_default_kernel else '') + str(vm.kernel) if hasattr(vm, 'kernel') else 'n/a'"}, + "kernelopts" : {"func" : "('*' if vm.uses_default_kernelopts else '') + str(vm.kernelopts) if hasattr(vm, 'kernelopts') else 'n/a'"}, + "on" : {"func" : "'*' if vm.is_running() else ''"} } 
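Review bot: Two of the new comments read awkwardly: `this should be send after all data from stdout/err are send` should be `this should be sent after all data from stdout/err have been sent`, and `it's up to the VM child process if it cause its termination` should be `whether this causes the process to terminate is up to the VM child process`. Since this enum is the only place the message types are described, a one-sentence note above the enum listing which messages carry a payload struct (`connect_existing_params`, `trigger_connect_params`) would save readers from scanning the inline comments for it.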
@@ -102,6 +105,10 @@ def main(): action="store_true", default=False, help="Show VM disk utilization statistics") + parser.add_option ("-k", "--kernel", dest="kernel", + action="store_true", default=False, + help="Show VM kernel options") + parser.add_option ("-i", "--ids", dest="ids", action="store_true", default=False, help="Show Qubes and Xen id#s") @@ -141,6 +148,9 @@ def main(): fields_to_display.remove ("netvm") fields_to_display += ["priv-curr", "priv-max", "root-curr", "root-max", "disk" ] + if (options.kernel): + fields_to_display += ["kernel", "kernelopts" ] + vms_list = [vm for vm in qvm_collection.values()] no_vms = len (vms_list) From 1f8251eefbd60891a34c9977ab0b561e4c1864d0 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 30 May 2012 00:54:24 +0200 Subject: [PATCH 057/117] dom0/qvm-block: hide devices mounted in dom0 (#579) --- dom0/init.d/qubes_core | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dom0/init.d/qubes_core b/dom0/init.d/qubes_core index dbcadccc..072f0ac2 100755 --- a/dom0/init.d/qubes_core +++ b/dom0/init.d/qubes_core @@ -53,6 +53,9 @@ start() MEMINFO_DELAY_USEC=100000 /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC & + # Reply block events to hide mounted devices from qubes-block list (at first udev run, only / is mounted) + udevadm trigger --subsystem-match=block --action=add + touch /var/lock/subsys/qubes_core success echo From 7b00b8fbe6271e4a22221e76822e0cbe30ff09cd Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 30 May 2012 13:40:27 +0200 Subject: [PATCH 058/117] vm/notify-update: do not treat network problems as updates pending symptom --- vm-systemd/qubes-update-check.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index 5566eda4..6ac37e3d 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service 
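Review bot: The comment on the new `udevadm trigger` line says `Reply block events`; it should read `Replay block events`. The trigger re-runs every block-subsystem `add` rule on dom0, not only the qubes-block ones, so the comment should also say that a repeated `add` event for already-present devices is intended and acceptable here, since any other rule with side effects on `add` will run a second time. `start()` continues outside the hunk.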
@@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l' +ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' From a2b222166a6b409bfe1817203db425e7e7f1ccc2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 30 May 2012 13:47:25 +0200 Subject: [PATCH 059/117] dom0/qvm-tools: introduce qvm-service tool Allow setting vm services same as in qubes-manager --- dom0/qvm-tools/qvm-service | 97 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100755 dom0/qvm-tools/qvm-service diff --git a/dom0/qvm-tools/qvm-service b/dom0/qvm-tools/qvm-service new file mode 100755 index 00000000..6dbb8a6c --- /dev/null +++ b/dom0/qvm-tools/qvm-service 
@@ -0,0 +1,97 @@ +#!/usr/bin/python +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2012 Marek Marczykowski +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +from qubes.qubes import QubesVmCollection +from optparse import OptionParser; +import subprocess +import sys +import re + +def do_list(vm): + max_len = 0 + for s in vm.services.keys(): + max_len = max(max_len, len(s)) + fmt="{{0:<{0}}}: {{1}}".format(max_len) + + for s in vm.services.keys(): + print fmt.format (s, "Enabled" if vm.services[s] else "Disabled") + + +def main(): + usage = "usage: %prog [action] [service]\n" + parser = OptionParser (usage) + parser.add_option ("-l", "--list", dest="do_list", action="store_true", default=True, + help="List services (default action)") + parser.add_option ("-e", "--enable", dest="set_enable", action="store_true", default=False, + help="Enable service") + parser.add_option ("-d", "--disable", dest="set_disable", action="store_true", default=False, + help="Disable service") + parser.add_option ("-D", "--default", dest="set_default", action="store_true", default=False, + help="Reset service to its default state (remove from the list)") + + (options, args) = parser.parse_args () + if (len (args) < 1): + parser.error ("You must specify VM name!") + vmname = args[0] + args = args[1:] 
+ + if options.set_enable or options.set_disable or options.set_default: + if (len(args) < 1): + parser.error("You must specify service name!") + options.do_list = False + + qvm_collection = QubesVmCollection() + if options.do_list: + qvm_collection.lock_db_for_reading() + qvm_collection.load() + qvm_collection.unlock_db() + else: + qvm_collection.lock_db_for_writing() + qvm_collection.load() + + vm = qvm_collection.get_vm_by_name(vmname) + if vm is None: + print >> sys.stderr, "A VM with the name '{0}' does not exist in the system.".format(vmname) + exit(1) + + changed = False + if options.do_list: + do_list(vm) + elif options.set_enable: + vm.services[args[0]] = True + changed = True + elif options.set_disable: + vm.services[args[0]] = False + changed = True + elif options.set_default: + if vm.services.has_key(args[0]): + vm.services.pop(args[0]) + changed = True + + if changed: + qvm_collection.save() + + if not options.do_list: + qvm_collection.unlock_db() + + +main() From 556bc7ac38a794c413105821aa07b6aa24cc2140 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:12 +0200 Subject: [PATCH 060/117] vm+dom0/vif-script: indent fix --- network/vif-route-qubes | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index c8070177..f4e89893 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes @@ -53,8 +53,7 @@ if [ "${ip}" ] ; then for addr in ${ip} ; do ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done - echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP - ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP fi log debug "Successful vif-route-qubes $command for $vif." From 303355a168285e62a22c29a94dc455b4fdc9606d Mon Sep 17 00:00:00 2001 
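Review bot: When the VM lookup fails after `lock_db_for_writing()`, the `exit(1)` path returns without `qvm_collection.unlock_db()`, unlike the normal path at the end of `main`; unless the lock is released on process exit (not visible here) this leaves the collection write-locked. Calling `qvm_collection.unlock_db()` before `exit(1)` in the `vm is None` branch, guarded by `if not options.do_list:`, keeps both paths consistent. Separately, `subprocess` and `re` are imported but unused, `from optparse import OptionParser;` has a stray semicolon, and the script calls `main()` unconditionally rather than under `if __name__ == "__main__":`.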
From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:55 +0200 Subject: [PATCH 061/117] dom0+vm/vif-script: setup IP address of net backend interface This is needed to connect to ProxyVM/NetVM, not only pass traffic ahead. Still firewall rules applies. --- network/vif-route-qubes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index f4e89893..6809028b 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes @@ -54,6 +54,8 @@ if [ "${ip}" ] ; then ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + back_ip=${ip%.*}.1 + ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} fi log debug "Successful vif-route-qubes $command for $vif." From 32240263557269020ed30a7ceb8352aba853ddff Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:07:01 +0200 Subject: [PATCH 062/117] dom0+vm/iptables: add PR-QBS-SERVICES chain in PREROUTING nat table Additional chain for some qubes-related redirections. BTW PR-QBS should be renamed now to PR-QBS-DNS... --- network/iptables | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/iptables b/network/iptables index 6e6e6d89..5977ff22 100644 --- a/network/iptables +++ b/network/iptables @@ -4,7 +4,9 @@ :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PR-QBS - [0:0] +:PR-QBS-SERVICES - [0:0] -A PREROUTING -j PR-QBS +-A PREROUTING -j PR-QBS-SERVICES -A POSTROUTING -o vif+ -j ACCEPT -A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -j MASQUERADE From 341fbe012c0296404146368ea6ec06a948043947 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:17:09 +0200 Subject: [PATCH 063/117] vm/spec: remove executable perm where not needed --- rpm_spec/core-vm.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 0b9d5ffd..4473e089 100644 --- a/rpm_spec/core-vm.spec 
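Review bot: `back_ip=${ip%.*}.1` assumes `${ip}` holds exactly one dotted IPv4 address, but the loop two lines above (`for addr in ${ip}`) treats it as a whitespace-separated list; with more than one address the expansion strips only the last octet of the last entry and `ip addr ${ipcmd}` receives a string containing spaces. Either derive the backend address per `addr` inside that loop or document next to the assignment that this script supports a single `ip` per vif. The `.1` convention also hard-codes the backend at `x.y.z.1`, which is worth stating in a comment since the ProxyVM/NetVM side must use the same address for the connection the commit message describes.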
+++ b/rpm_spec/core-vm.spec @@ -80,7 +80,7 @@ su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2' %install -install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab +install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab install -d $RPM_BUILD_ROOT/etc/init.d install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ @@ -116,7 +116,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules -install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules +install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ @@ -126,7 +126,7 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes -install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ From 96508abf2ce50a7e3b7f949f0014532969c35110 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Thu, 31 May 2012 02:24:49 +0200 Subject: [PATCH 064/117] vm: qubes-yum-proxy service (#568) Introduce proxy service, which allow only http(s) traffic to yum repos. The filter rules are based on URL regexp, so it isn't full-featured content inspection and can be easy bypassed, but should be enough to prevent some erroneus user actions (like clicking on invalid link). It is set up to intercept connections to 10.137.255.254:8082, so VM can connect to this IP regardless of VM in which proxy is running. By default it is started in every NetVM, but this can be changed using qvm-service or qubes-manager (as always). --- network/filter-qubes-yum | 6 ++ network/tinyproxy-qubes-yum.conf | 30 +++++++ rpm_spec/core-vm.spec | 12 ++- vm-init.d/qubes-yum-proxy | 121 +++++++++++++++++++++++++++++ vm-systemd/qubes-sysinit.sh | 2 +- vm-systemd/qubes-yum-proxy.service | 14 ++++ 6 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 network/filter-qubes-yum create mode 100644 network/tinyproxy-qubes-yum.conf create mode 100755 vm-init.d/qubes-yum-proxy create mode 100644 vm-systemd/qubes-yum-proxy.service diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum new file mode 100644 index 00000000..b244f3cf --- /dev/null +++ b/network/filter-qubes-yum @@ -0,0 +1,6 @@ +.*/repodata/[A-Za-z0-9-]*\(primary\|filelist\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +.*/repodata/repomd\.xml$ +.*\.rpm$ +.*\.drpm$ +mirrors.fedoraproject.org:443 +^http://mirrors\..*/mirrorlist diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-qubes-yum.conf new file mode 100644 index 00000000..43b5082f --- /dev/null +++ b/network/tinyproxy-qubes-yum.conf 
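Review bot: The host rule `mirrors.fedoraproject.org:443` is neither anchored nor dot-escaped, so with `FilterURLs On` it matches any CONNECT target that contains the substring, including host names that differ only at the unescaped dot positions; `^mirrors\.fedoraproject\.org:443$` expresses the intent. The first rule likewise allows `/repodata/` paths on any host, which is consistent with the commit message's stated scope (catch accidental browsing, not content inspection) and is worth recording at the top of the file, if the filter parser accepts `#` comment lines, so the limitation is not rediscovered later.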
@@ -0,0 +1,30 @@ +User tinyproxy +Group tinyproxy +Port 8082 +Timeout 60 +DefaultErrorFile "/usr/share/tinyproxy/default.html" + +#StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +Syslog On +LogLevel Notice +PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +MaxClients 50 +MinSpareServers 2 +MaxSpareServers 10 +StartServers 2 +MaxRequestsPerChild 0 +ViaProxyName "tinyproxy" + +Allow 127.0.0.1 +Allow 10.137.0.0/16 + + +Filter "/etc/tinyproxy/filter-qubes-yum" +FilterURLs On +#FilterExtended On +#FilterCaseSensitive On +FilterDefaultDeny Yes +ConnectPort 443 + diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 4473e089..10da4d2a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -37,6 +37,7 @@ Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: /sbin/ethtool +Requires: tinyproxy Provides: qubes-core-vm Obsoletes: qubes-core-commonvm Obsoletes: qubes-core-appvm @@ -127,6 +128,8 @@ install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf +install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ @@ -334,6 +337,8 @@ rm -rf $RPM_BUILD_ROOT /etc/sudoers.d/qubes /etc/sysconfig/iptables /etc/sysconfig/modules/qubes_core.modules +/etc/tinyproxy/filter-qubes-yum +/etc/tinyproxy/tinyproxy-qubes-yum.conf /etc/udev/rules.d/50-qubes_memory.rules /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules 
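Review bot: The configuration has no `Listen` directive, so tinyproxy binds port 8082 on every interface of the NetVM, including the external one, and the `Allow 127.0.0.1` / `Allow 10.137.0.0/16` ACL is the only thing keeping outside clients off the proxy. If the intercepted `10.137.255.254:8082` address from the commit message is the only intended entry point, a `Listen` on the internal address or a firewall rule on the external interface would make that explicit. `#FilterExtended On` left commented means the filter file is parsed as basic regular expressions, which is what the `\(`, `\|` and `\?` syntax in `filter-qubes-yum` needs; a comment stating that dependency next to the line would stop someone enabling extended mode and silently breaking every rule.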
@@ -422,6 +427,7 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes_core_netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher +/etc/init.d/qubes-yum-proxy %post sysvinit @@ -454,6 +460,8 @@ chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" +chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" # TODO: make this not display the silly message about security context... sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab @@ -466,6 +474,7 @@ if [ "$1" = 0 ] ; then chkconfig qubes_core_appvm off chkconfig qubes-firewall off chkconfig qubes-netwatcher off + chkconfig qubes-yum-proxy off fi %package systemd @@ -495,6 +504,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer +/lib/systemd/system/qubes-yum-proxy.service %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh @@ -509,7 +519,7 @@ The Qubes core startup configuration for SystemD init. %post systemd -for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall; do +for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do /bin/systemctl enable $srv.service 2> /dev/null done diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-yum-proxy new file mode 100755 index 00000000..52f329ba --- /dev/null 
+++ b/vm-init.d/qubes-yum-proxy 
@@ -0,0 +1,121 @@ +#!/bin/sh +# +# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy +# +# chkconfig: - 85 15 +# description: small, efficient HTTP/SSL proxy daemon +# +# processname: tinyproxy +# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf +# config: /etc/sysconfig/tinyproxy-qubes-yum +# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid +# +# Note: pidfile is created by tinyproxy in its config +# see PidFile in the configuration file. + +# Source function library. +. /etc/rc.d/init.d/functions + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ "$NETWORKING" = "no" ] && exit 0 + +exec="/usr/sbin/tinyproxy" +prog=$(basename $exec) +config="/etc/tinyproxy/tinyproxy-qubes-yum.conf" +pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum + +lockfile=/var/lock/subsys/tinyproxy-qubes-yum + +start() { + type=`/usr/bin/xenstore-read qubes_vm_type` + start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null` + if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then + # Yum proxy disabled + exit 0 + fi + + [ -x $exec ] || exit 5 + [ -f $config ] || exit 6 + # setup network redirection + /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + + echo -n $"Starting $prog (as Qubes yum proxy): " + daemon $exec -c $config + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc -p $pidfile $prog + retval=$? 
+ echo + /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +reload() { + echo -n $"Reloading $prog: " + killproc -p $pidfile $prog -HUP + echo +} + +force_reload() { + restart +} + +rh_status() { + status $prog +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? + diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 1fb463c1..0c8e9d0f 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,7 +1,7 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service new file mode 100644 index 00000000..39c14ec8 --- /dev/null +++ b/vm-systemd/qubes-yum-proxy.service 
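Review bot: The enable check in `start()` contradicts the stated default of running in every NetVM: `[ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]` parses as `(A && B) || C`, and when the xenstore entry is absent the third test (`"" != "1"`) is true, so a NetVM with no explicit `qubes-service/qubes-yum-proxy` entry exits before the proxy starts. Only the SysV path is affected, since the systemd unit in this commit keys off the qubes-service file instead. Suggested condition: `if [ "$start_yum_proxy" = "0" ] || { [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ]; }; then`. The two iptables calls before `daemon` are also unchecked, so if the `PR-QBS-SERVICES` chain does not exist yet the REDIRECT fails silently and the proxy starts unreachable; test their exit status and bail out (or log) on failure.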
@@ -0,0 +1,14 @@ +[Unit] +Description=Qubes yum proxy (tinyproxy) +ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy +After=iptables.service + +[Service] +ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT +ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf +ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + +[Install] +WantedBy=multi-user.target From 1a3a2a05e3b087692d2f40b1f87630902e38b0df Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:33:56 +0200 Subject: [PATCH 065/117] vm/qubes-yum-proxy: create dir for pidfile under FC15 (#568) On FC>=15 /var/run is on tmpfs, so /var/run/tinyproxy from rpm don't survive reboot. This is bug in Fedora package (should include config file for tmpfiles service). For now create dir just before starting service. --- vm-systemd/qubes-yum-proxy.service | 1 + 1 file changed, 1 insertion(+) diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service index 39c14ec8..b03c34de 100644 --- a/vm-systemd/qubes-yum-proxy.service +++ b/vm-systemd/qubes-yum-proxy.service @@ -4,6 +4,7 @@ ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy After=iptables.service [Service] +ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf From 4bac57818ea5c80a02de3d3ae2a6746de09c0e6e Mon Sep 17 00:00:00 2001 
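Review bot: The unit orders itself only `After=iptables.service`, yet `ExecStartPre` appends to the `PR-QBS-SERVICES` nat chain, which this package's network setup has to create first (not visible here); if that has not happened the append fails, the unit fails, and the proxy stays down until a manual restart. If `qubes-network.service` is where the chain is created, `After=qubes-network.service` (as commit 073 later adds for qubes-firewall) removes the race. The `ExecStopPost` lines undo both rules even when `ExecStart` fails, so there is no rule leak; a comment above the `ExecStartPre` lines — `# 10.137.255.254:8082 is the fixed address VMs use for the proxy; REDIRECT maps it to this NetVM` — would explain the magic address to the next reader.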
From: Marek Marczykowski Date: Thu, 31 May 2012 02:37:53 +0200 Subject: [PATCH 066/117] vm/qubes-yum-proxy: setup yum to use qubes-yum-proxy (#568) The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it is reasonable to bypass the proxy. Some examples: - usage of non-standard repos with some exotic file layout, which will be blocked by the proxy - usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM) This commit introduces 'yum-proxy-setup' pseudo-service, which can be controlled via standard qvm-service or qubes-manager. When enabled - yum will be configured at VM startup to use qubes proxy, otherwise - to connect directly (proxy setting will be cleared). --- rpm_spec/core-vm.spec | 10 ++++++++++ vm-init.d/qubes_core | 7 +++++++ vm-systemd/misc-post.sh | 6 ++++++ 3 files changed, 23 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 10da4d2a..06004ea5 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -131,6 +131,9 @@ install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum +install -d $RPM_BUILD_ROOT/etc/yum.conf.d +touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf + install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ 
@@ -236,6 +239,12 @@ fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf +if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then + echo >> /etc/yum.conf + echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf +fi + # Prevent unnecessary updates in VMs: sed -i -e '/^exclude = kernel/d' /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf @@ -343,6 +352,7 @@ rm -rf $RPM_BUILD_ROOT /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules /etc/xen/scripts/vif-route-qubes +/etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /lib/firmware/updates diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index 7193d386..de194f89 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core @@ -36,6 +36,13 @@ start() echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) + if [ "$yum_proxy_setup" != "0" ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf + else + echo > /etc/yum.conf.d/qubes-proxy.conf + fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index 9ebdf2e0..dbefd432 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
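Review bot: `grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'` has no file operand, so it searches stdin rather than `/etc/yum.conf`; in an rpm scriptlet the match therefore effectively never succeeds and the `include=` line is appended again on every upgrade (or the scriptlet blocks if stdin is a terminal). The fix is the missing operand: `if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then`. Since this runs unattended in `%post`, also guard on `-e /etc/yum.conf` rather than letting `>>` create the file as a side effect.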
@@ -1,5 +1,11 @@ #!/bin/sh +if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf +else + echo > /etc/yum.conf.d/qubes-proxy.conf +fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case From 2ca4b11183a8f41dda5e52ffb627222f17118704 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:50:05 +0200 Subject: [PATCH 067/117] dom0/core-firewall: firewall setting for qubes-yum-proxy (#568) New setting for access to qubes-yum-proxy. The difference from other firewall setting (and reason for new top-level setting): 'deny' is enforced even if policy is set to 'allow'. This proxy service is mainly used to filter network traffic, so do not expose it to VMs which can connect to any host directly (eg 'untrusted' VM). --- dom0/qvm-core/qubes.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 4cf3af98..3b16486c 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -98,6 +98,9 @@ qubes_appmenu_create_cmd = "/usr/lib/qubes/create_apps_for_appvm.sh" qubes_appmenu_remove_cmd = "/usr/lib/qubes/remove_appvm_appmenus.sh" qubes_pciback_cmd = '/usr/lib/qubes/unbind_pci_device.sh' +yum_proxy_ip = '10.137.255.254' +yum_proxy_port = '8082' + class QubesException (Exception) : pass if not dry_run: @@ -392,7 +395,7 @@ class QubesVm(object): shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml" % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S'))) self.write_firewall_conf({'allow': False, 'allowDns': False, - 'allowIcmp': False, 'rules': []}) + 'allowIcmp': False, 'allowYumProxy': False, 'rules': []}) else: new_netvm.connected_vms[self.qid]=self 
@@ -1159,7 +1162,8 @@ class QubesVm(object): "QubesFirwallRules", policy = "allow" if conf["allow"] else "deny", dns = "allow" if conf["allowDns"] else "deny", - icmp = "allow" if conf["allowIcmp"] else "deny" + icmp = "allow" if conf["allowIcmp"] else "deny", + yumProxy = "allow" if conf["allowYumProxy"] else "deny" ) for rule in conf["rules"]: @@ -1205,7 +1209,7 @@ class QubesVm(object): return os.path.exists (self.firewall_conf) def get_firewall_conf(self): - conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True } + conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False } try: tree = xml.etree.ElementTree.parse(self.firewall_conf) @@ -1214,6 +1218,7 @@ class QubesVm(object): conf["allow"] = (root.get("policy") == "allow") conf["allowDns"] = (root.get("dns") == "allow") conf["allowIcmp"] = (root.get("icmp") == "allow") + conf["allowYumProxy"] = (root.get("yumProxy") == "allow") for element in root: rule = {} @@ -1957,7 +1962,7 @@ class QubesProxyVm(QubesNetVm): if vm.has_firewall(): conf = vm.get_firewall_conf() else: - conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True } + conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False } xid = vm.get_xid() if xid < 0: # VM not active ATM @@ -2000,6 +2005,10 @@ class QubesProxyVm(QubesNetVm): iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns) if conf["allowIcmp"]: iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip) + if conf["allowYumProxy"]: + iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port) + else: + iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port) iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action) iptables += "COMMIT\n" 
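Review bot: The `allowYumProxy` deny rule only matches `-d 10.137.255.254 --dport 8082`, while the NetVM side of this series accepts port 8082 on any `vif+` destination and the REDIRECT is just a convenience mapping, so an AppVM under an `allow` policy can presumably still reach the proxy by addressing its upstream gateway IP on 8082 and falling through to the `-j {default_action}` line below. If the commit message's intent — deny enforced even under an allow policy — is to hold, the DROP branch should also cover the gateway, e.g. `iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, self.netvm.gateway, yum_proxy_port)` guarded by `self.netvm is not None`, or the NetVM's INPUT rule should match the original destination (`-m conntrack --ctorigdst 10.137.255.254`). The enclosing method starts outside this hunk.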
From ec52d15dfe16af1e3cbee94f7ae1f98fc0d8ef43 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:56:49 +0200 Subject: [PATCH 068/117] dom0/qvm-firewall: add support for 'allowYumProxy' setting (#568) --- dom0/qvm-tools/qvm-firewall | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-tools/qvm-firewall b/dom0/qvm-tools/qvm-firewall index f85bc6ff..b5af141e 100755 --- a/dom0/qvm-tools/qvm-firewall +++ b/dom0/qvm-tools/qvm-firewall @@ -189,7 +189,8 @@ def display_firewall(conf): print "Firewall policy: %s" % ( "ALLOW all traffic except" if conf['allow'] else "DENY all traffic except") print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY') - print "DMS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY') + print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY') + print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY') list_rules(conf['rules']) def add_rule(conf, args): @@ -251,6 +252,8 @@ def main(): help="Set ICMP access (allow/deny)") parser.add_option ("-D", "--dns", dest="set_dns", action="store", default=None, help="Set DNS access (allow/deny)") + parser.add_option ("-Y", "--yum-proxy", dest="set_yum_proxy", action="store", default=None, + help="Set access to Qubes yum proxy (allow/deny)") parser.add_option ("-n", "--numeric", dest="numeric", action="store_true", default=False, help="Display port numbers instead of services (makes sense only with --list)") @@ -261,7 +264,7 @@ def main(): vmname = args[0] args = args[1:] - if options.do_add or options.do_del or options.set_policy or options.set_icmp or options.set_dns: + if options.do_add or options.do_del or options.set_policy or options.set_icmp or options.set_dns or options.set_yum_proxy: options.do_list = False qvm_collection = QubesVmCollection() if options.do_list: 
@@ -289,6 +292,9 @@ def main(): if options.set_dns: conf['allowDns'] = allow_deny_value(options.set_dns) changed = True + if options.set_yum_proxy: + conf['allowYumProxy'] = allow_deny_value(options.set_yum_proxy) + changed = True if options.do_add: load_services() From 65fc62a989ab7528c93d36694892fa16ea2503e3 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:57:28 +0200 Subject: [PATCH 069/117] dom0/core: setup yum to use proxy when it have access to it (#568) To simplify configuration, automatically enable 'yum-proxy-setup' pseudo-service when allowing access to the proxy. Also disable this service, when access is revoked. Thanks to this the user can enable this feature by one click in firewall settings. --- dom0/qvm-core/qubes.py | 7 +++++++ dom0/qvm-tools/qvm-firewall | 1 + 2 files changed, 8 insertions(+) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 3b16486c..a6550996 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1203,6 +1203,13 @@ class QubesVm(object): os.path.basename(sys.argv[0]), err) return False + # Automatically enable/disable 'yum-proxy-setup' service based on allowYumProxy + if conf['allowYumProxy']: + self.services['yum-proxy-setup'] = True + else: + if self.services.has_key('yum-proxy-setup'): + self.services.pop('yum-proxy-setup') + return True def has_firewall(self): diff --git a/dom0/qvm-tools/qvm-firewall b/dom0/qvm-tools/qvm-firewall index b5af141e..581fd3ca 100755 --- a/dom0/qvm-tools/qvm-firewall +++ b/dom0/qvm-tools/qvm-firewall @@ -314,6 +314,7 @@ def main(): if vm.is_running(): if vm.netvm is not None and vm.netvm.is_proxyvm(): vm.netvm.write_iptables_xenstore_entry() + qvm_collection.save() if not options.do_list: qvm_collection.unlock_db() From e4f64fd60019d49ae53622eea1db348bbc468874 Mon Sep 17 00:00:00 2001 
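Review bot: `write_firewall_conf` now has a second side effect — it adds or removes `yum-proxy-setup` in `self.services` — but it only persists the XML file, so the service change is lost unless every caller also saves the VM collection (qvm-firewall gains a `save()` in this commit; other callers, such as the set_netvm path that writes `allowYumProxy: False`, are not visible here). State that contract at the top of the method: `# NOTE: also toggles self.services['yum-proxy-setup']; callers must save() the collection for it to take effect`. The `has_key` plus `pop` pair collapses to `self.services.pop('yum-proxy-setup', None)`. The method's definition starts outside this hunk.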
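Review bot: `qvm_collection.save()` is added without any visible change to how the collection was locked, and the `unlock_db()` shared with the `do_list` path suggests the lock may be a read lock; writing qubes.xml under a read lock races other tools that modify the collection concurrently. If the non-list paths do not already take the collection's write lock before `load()`, they should now. The added line's indentation is not recoverable from the collapsed hunk, but it belongs at the level of the `if vm.is_running()` block rather than inside it, otherwise the service toggle is never persisted for a halted VM. `main()` starts outside this hunk.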
From: Marek Marczykowski Date: Thu, 31 May 2012 03:00:06 +0200 Subject: [PATCH 070/117] dom0/core: remove trailing spaces --- dom0/qvm-core/qubes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index a6550996..0ead77f7 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1713,7 +1713,7 @@ class QubesNetVm(QubesVm): attrs_config['dir_path']['eval'] = 'value if value is not None else qubes_servicevms_dir + "/" + self.name' attrs_config['label']['default'] = default_servicevm_label attrs_config['memory']['default'] = 200 - + # New attributes attrs_config['netid'] = { 'save': 'str(self.netid)', 'order': 30 } attrs_config['netprefix'] = { 'eval': '"10.137.{0}.".format(self.netid)' } From 1732679b18bf09153fb31fc2c83a33d455aad730 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 1 Jun 2012 20:46:23 +0200 Subject: [PATCH 071/117] vm/qrexec: removed obsolete "directly:" command prefix support This was used for launching DispVM editor in pre-qrexec-RPC times. --- qrexec/qrexec_agent.c | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/qrexec/qrexec_agent.c b/qrexec/qrexec_agent.c index 0741f8e8..93fa100d 100644 --- a/qrexec/qrexec_agent.c +++ b/qrexec/qrexec_agent.c @@ -113,28 +113,6 @@ void no_colon_in_cmd() exit(1); } -void do_exec_directly(char *cmd) -{ - struct passwd *pwd; - char *sep = index(cmd, ':'); - if (!sep) - no_colon_in_cmd(); - *sep = 0; - pwd = getpwnam(cmd); - if (!pwd) { - perror("getpwnam"); - exit(1); - } - setgid(pwd->pw_gid); - initgroups(cmd, pwd->pw_gid); - setuid(pwd->pw_uid); - setenv("HOME", pwd->pw_dir, 1); - setenv("USER", cmd, 1); - execl(sep + 1, sep + 1, NULL); - perror("execl"); - exit(1); -} - void do_exec(char *cmd) { char *sep = index(cmd, ':'); 
@@ -144,8 +122,6 @@ void do_exec(char *cmd) signal(SIGCHLD, SIG_DFL); signal(SIGPIPE, SIG_DFL); - if (!strcmp(cmd, "directly")) - do_exec_directly(sep + 1); execl("/bin/su", "su", "-", cmd, "-c", sep + 1, NULL); perror("execl"); exit(1); From ea08560e4305731d93a696c6d5edf47f8338502e Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 2 Jun 2012 12:32:49 +0200 Subject: [PATCH 072/117] makefile: rename vchan Makefile to not conflict with windows build --- rpm_spec/core-dom0.spec | 2 +- rpm_spec/core-vm.spec | 2 +- vchan/{Makefile => Makefile.linux} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename vchan/{Makefile => Makefile.linux} (100%) diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index 5994aebd..e9c3cd67 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -54,7 +54,7 @@ python -O -m compileall qvm-core qmemman make -C restore make -C aux-tools make -C ../qubes_rpc -make -C ../vchan +make -C ../vchan -f Makefile.linux make -C ../u2mfn make -C ../qrexec diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 06004ea5..88b26870 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -54,7 +54,7 @@ The Qubes core files for installation inside a Qubes VM. %build make -C u2mfn -make -C vchan +make -C vchan -f Makefile.linux make -C misc make -C qubes_rpc make -C qrexec diff --git a/vchan/Makefile b/vchan/Makefile.linux similarity index 100% rename from vchan/Makefile rename to vchan/Makefile.linux From c5c916b74cd47f16b939305ef3f470c1ec076868 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 4 Jun 2012 15:29:26 +0200 Subject: [PATCH 073/117] vm/systemd: fix ProxyVM related services deps (#578) --- vm-systemd/qubes-firewall.service | 1 + vm-systemd/qubes-network.service | 1 + 2 files changed, 2 insertions(+) diff --git a/vm-systemd/qubes-firewall.service b/vm-systemd/qubes-firewall.service index df765dcd..e668271c 100644 --- a/vm-systemd/qubes-firewall.service 
+++ b/vm-systemd/qubes-firewall.service @@ -1,6 +1,7 @@ [Unit] Description=Qubes firewall updater ConditionPathExists=/var/run/qubes-service/qubes-firewall +After=qubes-network.service [Service] ExecStart=/usr/sbin/qubes_firewall diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service index afb53f03..cdb01a78 100644 --- a/vm-systemd/qubes-network.service +++ b/vm-systemd/qubes-network.service @@ -3,6 +3,7 @@ Names=qubes_firewall.service Description=Qubes network forwarding setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target +After=iptables.service [Service] Type=oneshot From 79f13d6c662f27bfc74335802b8084cec70eab10 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:28:59 +0200 Subject: [PATCH 074/117] vm: yum plugin to notify dom0 about installed updates (#592) --- misc/Makefile | 7 +++++-- misc/yum-qubes-hooks.py | 42 +++++++++++++++++++++++++++++++++++++++++ rpm_spec/core-vm.spec | 3 +++ 3 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 misc/yum-qubes-hooks.py diff --git a/misc/Makefile b/misc/Makefile index 3b015060..e6f653a0 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -1,9 +1,12 @@ CC=gcc CFLAGS=-Wall -g -O3 -all: meminfo-writer xenstore-watch +all: meminfo-writer xenstore-watch python meminfo-writer: meminfo-writer.o $(CC) -g -o meminfo-writer meminfo-writer.o -lxenstore xenstore-watch: xenstore-watch.o $(CC) -o xenstore-watch xenstore-watch.o -lxenstore +python: + python -m compileall . + python -O -m compileall . clean: - rm -f meminfo-writer xenstore-watch *.o *~ + rm -f meminfo-writer xenstore-watch *.o *~ *.pyc *.pyo diff --git a/misc/yum-qubes-hooks.py b/misc/yum-qubes-hooks.py new file mode 100644 index 00000000..f49eac2f --- /dev/null +++ b/misc/yum-qubes-hooks.py 
@@ -0,0 +1,42 @@ +#!/usr/bin/python +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2012 Marek Marczykowski +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + + +from yum.plugins import TYPE_CORE +from yum.constants import * +import subprocess + +requires_api_version = '2.4' +plugin_type = (TYPE_CORE,) + +def posttrans_hook(conduit): + # Get all updates available _before_ this transaction + pkg_list = conduit._base.doPackageLists(pkgnarrow='updates') + + # Get packages installed in this transaction... + ts = conduit.getTsInfo() + all = ts.getMembers() + # ...and filter them out of available updates + filtered_updates = filter(lambda x: x not in all, pkg_list.updates) + + # Notify dom0 about left updates count + subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', 'echo', str(len(filtered_updates))]) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 88b26870..7b647969 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
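Review bot: `all = ts.getMembers()` shadows the builtin and, more importantly, `x not in all` compares update package objects against transaction-member objects; unless yum defines equality across those two types the filter removes nothing and the reported count overstates the remaining updates — verify against yum's TransactionMember, and compare on the wrapped package object if that is what the members hold. Rename the local, e.g. `installed = ts.getMembers()`. The `subprocess.call` is unguarded, so a missing `qrexec_client_vm` raises `OSError` inside the posttrans hook and surfaces as a traceback at the end of an otherwise successful yum run; wrap it in `try/except OSError` and log via the conduit instead. A comment that the count is informational only is also warranted — dom0's `qubes.NotifyUpdates` handler must treat this VM-supplied number as untrusted input.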
@@ -99,6 +99,8 @@ install -D -m 0644 misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf install -D misc/qubes_serial_login $RPM_BUILD_ROOT/sbin/qubes_serial_login install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ +install -d $RPM_BUILD_ROOT/usr/lib/yum-plugins/ +install -m 0644 misc/yum-qubes-hooks.py* $RPM_BUILD_ROOT/usr/lib/yum-plugins/ install -d $RPM_BUILD_ROOT/var/lib/qubes @@ -386,6 +388,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/vm-file-editor /usr/lib/qubes/vm-shell /usr/lib/qubes/wrap_in_html_if_url.sh +/usr/lib/yum-plugins/yum-qubes-hooks.py* /usr/sbin/qubes_firewall /usr/sbin/qubes_netwatcher /usr/share/glib-2.0/schemas/org.gnome.settings-daemon.plugins.updates.gschema.override From a8b992e64762d1c051073f48be1ae6cf0dad1c72 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:37:12 +0200 Subject: [PATCH 075/117] dom0/core: implement per-VM-type firewall defaults --- dom0/qvm-core/qubes.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 0ead77f7..28a2a591 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1215,8 +1215,11 @@ class QubesVm(object): def has_firewall(self): return os.path.exists (self.firewall_conf) + def get_firewall_defaults(self): + return { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False } + def get_firewall_conf(self): - conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False } + conf = self.get_firewall_defaults() try: tree = xml.etree.ElementTree.parse(self.firewall_conf) From a528befbc4234486c3753e2bef34025891aa9c1f Mon Sep 17 00:00:00 2001 
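Review bot: The plugin is installed into `/usr/lib/yum-plugins/`, but nothing in this hunk adds the matching `/etc/yum/pluginconf.d/yum-qubes-hooks.conf`; yum only loads a plugin when such a file exists with `enabled=1`, so unless it ships elsewhere the hook never runs and dom0 never receives the notification. Add `install -m 0644 -D misc/yum-qubes-hooks.conf $RPM_BUILD_ROOT/etc/yum/pluginconf.d/yum-qubes-hooks.conf` (content `[main]` / `enabled=1`) and list it under `%files`. It is also worth confirming the template's `/etc/yum.conf` has `plugins=1`, without which no plugin loads at all.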
From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:37:39 +0200 Subject: [PATCH 076/117] dom0: default TemplateVM firewall: block all traffic and allow use of yum proxy (#590) --- dom0/qvm-core/qubes.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 28a2a591..1883f51f 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1565,6 +1565,9 @@ class QubesTemplateVm(QubesVm): def updateable(self): return True + def get_firewall_defaults(self): + return { "rules": list(), "allow": False, "allowDns": False, "allowIcmp": False, "allowYumProxy": True } + def get_rootdev(self, source_template=None): return "'script:origin:{dir}/root.img:{dir}/root-cow.img,xvda,w',".format(dir=self.dir_path) From 1a8682ace3dc3fa771e0b5de763628ec8c9917ae Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:38:37 +0200 Subject: [PATCH 077/117] vm: use yum proxy in TemplateVM by default (#590) --- vm-init.d/qubes_core | 3 ++- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index de194f89..c5fe5d2a 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core @@ -37,7 +37,8 @@ start() fi yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) - if [ "$yum_proxy_setup" != "0" ]; then + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf else echo > /etc/yum.conf.d/qubes-proxy.conf diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 0c8e9d0f..77dac3f4 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh 
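Review bot: These stricter TemplateVM defaults are only consulted through `get_firewall_conf()`, but the code that actually generates the ProxyVM rules — the `else: conf = {... "allow": True ...}` branch for VMs without a firewall file, visible in commit 067 above — still hard-codes the generic allow-all dict instead of calling `vm.get_firewall_defaults()`; a TemplateVM that has never had a firewall.xml written therefore gets full network access despite this commit, assuming `has_firewall()` is false for it. The one-line fix is `conf = vm.get_firewall_defaults()` in that branch. Templates that already have a firewall.xml keep whatever `policy=` it stores, so this default does not harden existing installs either — worth a note in the commit message or a migration step.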
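Review bot: The new `||` clause is dead: `[ "$yum_proxy_setup" != "0" ]` is already true when the xenstore entry is empty, so the TemplateVM test never decides anything and the SysV path still points yum at the proxy in every VM type unless the service is explicitly set to `0`, whereas the systemd path (misc-post.sh plus `DEFAULT_ENABLED_TEMPLATEVM`) defaults it on for templates only. If parity is the goal, the condition should be `if [ "$yum_proxy_setup" = "1" ] || { [ -z "$yum_proxy_setup" ] && [ "$type" = "TemplateVM" ]; }; then`. `==` inside `[ ]` and `-a` are bash-isms/obsolescent forms, which matters if this init script is run by `/bin/sh`. `start()` continues outside this hunk.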
@@ -4,7 +4,7 @@ DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" -DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM +DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" DEFAULT_ENABLED="meminfo-writer" XS_READ=/usr/bin/xenstore-read From aea8d189f0af4cc8644e5af7bacf4294b42e22b2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:57:19 +0200 Subject: [PATCH 078/117] dom0/core: fix QubesVM.gateway To be consistent with QubesNetVM, where gateway property contain gateway IP for _other_ VMs, in non-network-provider VM it should be empty. --- dom0/qvm-core/qubes.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 1883f51f..14aeda85 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -427,10 +427,8 @@ class QubesVm(object): @property def gateway(self): - if self.netvm is not None: - return self.netvm.gateway - else: - return None + # This is gateway IP for _other_ VMs, so make sense only in NetVMs + return None @property def secondary_dns(self): From 3b8272c1b671accede56bc78ce4420cc1eb2ebfe Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:58:58 +0200 Subject: [PATCH 079/117] dom0/qvm-ls: replace 'netmask' column with 'ip back' (#573) --- dom0/qvm-tools/qvm-ls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dom0/qvm-tools/qvm-ls b/dom0/qvm-tools/qvm-ls index ac94a71d..27e63d29 100755 --- a/dom0/qvm-tools/qvm-ls +++ b/dom0/qvm-tools/qvm-ls 
@@ -56,8 +56,8 @@ fields = { if vm.netvm is not None else '-'"}, "ip" : {"func": "vm.ip"}, - "netmask" : {"func": "vm.netmask"}, - "gateway" : {"func": "vm.gateway"}, + "ip back" : {"func": "vm.gateway if vm.is_netvm() else 'n/a'"}, + "gateway/DNS" : {"func": "vm.netvm.gateway if vm.netvm else 'n/a'"}, "xid" : {"func" : "vm.get_xid() if vm.is_running() else '-'"}, @@ -139,7 +139,7 @@ def main(): if (options.network): if 'template' in fields_to_display: fields_to_display.remove ("template") - fields_to_display += ["ip", "netmask", "gateway"] + fields_to_display += ["ip", "ip back", "gateway/DNS"] if (options.disk): if 'template' in fields_to_display: From f2abc5e26ddc51c356f7751cc30ce71a9bc6ce9c Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 20:57:40 +0200 Subject: [PATCH 080/117] dom0: populate unchanged firewall settings with previous values (#589) Missed settings in new firewall configuration caused exception. In old qubes-manager (before #582 done) this exception silently broke saving operation, leaving user with progress bar windows infinitely... --- dom0/qvm-core/qubes.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 14aeda85..c3f71e41 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1156,6 +1156,11 @@ class QubesVm(object): shutil.rmtree (self.dir_path) def write_firewall_conf(self, conf): + defaults = self.get_firewall_conf() + for item in defaults.keys(): + if item not in conf: + conf[item] = defaults[item] + root = xml.etree.ElementTree.Element( "QubesFirwallRules", policy = "allow" if conf["allow"] else "deny", From 4911ca7eb94007bf23ffa7203b1039b3a1d0eb0d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 02:59:07 +0200 Subject: [PATCH 081/117] vm/spec: depend on ethtool _package_ --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
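Review bot: The new fill-in loop mutates the caller's `conf` dict in place and, because it falls back to `self.get_firewall_conf()`, a missing `"rules"` key silently keeps the previously saved rules rather than meaning "no rules" — the fix for #589 is right, but that retention is worth stating, since a caller building a fresh partial dict will not get a fresh policy. Merging into a copy keeps the argument untouched: `merged = dict(self.get_firewall_conf()); merged.update(conf); conf = merged`. What `get_firewall_conf()` returns when no firewall file exists yet is outside this hunk; confirm it yields the class defaults rather than raising, as this path now runs on every save. `write_firewall_conf` continues past the hunk.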
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 7b647969..c0aac4c0 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -36,7 +36,7 @@ Requires: fedora-release Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen -Requires: /sbin/ethtool +Requires: ethtool Requires: tinyproxy Provides: qubes-core-vm Obsoletes: qubes-core-commonvm From ad6bfe3ca1a4ae197f3709c541c6812359562b72 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 03:00:05 +0200 Subject: [PATCH 082/117] vm/spec: create firmware symlink only when needed On new systems, like FC16+, firmware is provided by separate package (like linux-firmware), so no longer need to get it from kernel package. --- rpm_spec/core-vm.spec | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index c0aac4c0..45dfb3ac 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -140,9 +140,6 @@ install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ -install -d $RPM_BUILD_ROOT/lib/firmware -ln -s /lib/modules/firmware $RPM_BUILD_ROOT/lib/firmware/updates - install -d $RPM_BUILD_ROOT/usr/bin install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run} $RPM_BUILD_ROOT/usr/bin @@ -241,6 +238,11 @@ fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf +# Install firmware link only on system which haven't it yet +if ! [ -e /lib/firmware/updates ]; then + ln -s /lib/modules/firmware /lib/firmware/updates +fi + if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then echo >> /etc/yum.conf echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf 
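Review bot: `[ -e /lib/firmware/updates ]` follows the link, so a dangling symlink left by an earlier kernel or package layout tests false and the unconditional `ln -s` then fails with "File exists"; test for the link itself as well, `if ! [ -e /lib/firmware/updates ] && ! [ -L /lib/firmware/updates ]; then`. The context line `if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then` shows no file operand, which would make grep read the scriptlet's stdin; if that is not an artefact of how this patch was captured, the `/etc/yum.conf` argument is missing and the proxy stanza is appended on every upgrade. The %post scriptlet continues past the hunk.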
@@ -320,6 +322,10 @@ fi %postun if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : + + if [ -l /lib/firmware/updates ]; then + rm /lib/firmware/updates + fi fi %posttrans @@ -357,7 +363,6 @@ rm -rf $RPM_BUILD_ROOT /etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo /etc/yum/post-actions/qubes_trigger_sync_appmenus.action -/lib/firmware/updates /sbin/qubes_serial_login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-open-in-dvm From b1ec6a624864bed8350884a6d4478cec7498a33a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 02:12:10 +0200 Subject: [PATCH 083/117] dom0+vm/qvm-block: speed up udev block handler (#560) xenstore is very slow, so don't bother it when unneeded. Namely do not try to remove entries, which haven't even created. --- misc/block_add_change | 16 ++++++++++++---- misc/qubes_block.rules | 4 ++-- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/misc/block_add_change b/misc/block_add_change index e1b25ca9..b366f9dd 100755 --- a/misc/block_add_change +++ b/misc/block_add_change @@ -6,19 +6,26 @@ SIZE=$[ $(cat /sys/$DEVPATH/size) * 512 ] MODE=w XS_KEY="qubes-block-devices/$NAME" +xs_remove() { + if [ "$QUBES_EXPOSED" == "1" ]; then + xenstore-rm "$XS_KEY" + fi + echo QUBES_EXPOSED=0 +} + # Ignore mounted... if fgrep -q $DEVNAME /proc/mounts; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi # ... and used by device-mapper if [ -n "`ls -A /sys/$DEVPATH/holders 2> /dev/null`" ]; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi # ... and "empty" loop devices if [ "$MAJOR" -eq 7 -a ! -d /sys/$DEVPATH/loop ]; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi @@ -26,7 +33,7 @@ fi if [ "$ID_TYPE" = "cd" ]; then if [ "$ID_CDROM_MEDIA" != "1" ]; then # Hide empty cdrom drive - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi MODE=r 
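Review bot: `[ -l /lib/firmware/updates ]` uses `-l`, which is not a test(1) operator (the symlink test is `-L` or `-h`); under bash the expression errors out and evaluates false, so the link created in %post is never removed on package erase. Change it to `if [ -L /lib/firmware/updates ]; then`. Since %post only creates the link when nothing existed at that path, this removal is the only thing that keeps a stale link from surviving an uninstall and then suppressing the real firmware directory on the next install.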
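Review bot: `xs_remove` now skips `xenstore-rm` unless the environment carries `QUBES_EXPOSED=1`, which exists only if udev stored that property from an earlier IMPORT{program} run of this same script; when the property is simply absent (first event after upgrading from the RUN+= rule, a call from outside udev, a cleared udev db) an existing xenstore entry is left in place and stays advertised to dom0. Treating "unknown" as "maybe exposed" keeps the speed-up for the common repeated events while staying safe: `if [ "$QUBES_EXPOSED" != "0" ]; then xenstore-rm "$XS_KEY"; fi`. The `==` inside `[ ]` and the `-a` conjunction further down are bash-only forms, acceptable only if the shebang (outside the hunk) is bash. The script continues past the hunk.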
@@ -37,6 +44,7 @@ if [ -d /sys/$DEVPATH/loop ]; then DESC=$(cat /sys/$DEVPATH/loop/backing_file) fi xenstore-write "$XS_KEY/desc" "$DESC" "$XS_KEY/size" "$SIZE" "$XS_KEY/mode" "$MODE" +echo QUBES_EXPOSED=1 # Make sure that block backend is loaded /sbin/modprobe xen-blkback 2> /dev/null || /sbin/modprobe blkbk diff --git a/misc/qubes_block.rules b/misc/qubes_block.rules index 343553f5..14503eef 100644 --- a/misc/qubes_block.rules +++ b/misc/qubes_block.rules @@ -9,8 +9,8 @@ ENV{MAJOR}=="202", GOTO="qubes_block_end" # Skip device-mapper devices ENV{MAJOR}=="253", GOTO="qubes_block_end" -ACTION=="add", RUN+="/usr/lib/qubes/block_add_change" -ACTION=="change", RUN+="/usr/lib/qubes/block_add_change" +ACTION=="add", IMPORT{program}="/usr/lib/qubes/block_add_change" +ACTION=="change", IMPORT{program}="/usr/lib/qubes/block_add_change" ACTION=="remove", RUN+="/usr/lib/qubes/block_remove" LABEL="qubes_block_end" From b1cbd0d8c17997c9c8dbfa226c557b5ea7ee011c Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 8 Jun 2012 00:24:46 +0200 Subject: [PATCH 084/117] vm: disable gnome update plugin, not only unattended installation --- misc/org.gnome.settings-daemon.plugins.updates.gschema.override | 2 ++ 1 file changed, 2 insertions(+) diff --git a/misc/org.gnome.settings-daemon.plugins.updates.gschema.override b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override index da283e1d..c6c7b45a 100644 --- a/misc/org.gnome.settings-daemon.plugins.updates.gschema.override +++ b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override @@ -1,2 +1,4 @@ [org.gnome.settings-daemon.plugins.updates] auto-update-type='none' +active=false +frequency-get-updates=0 From 288dcc562e9a0a49c581815a35e07ddd7db860ba Mon Sep 17 00:00:00 2001 
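Review bot: `echo QUBES_EXPOSED=1` is printed whether or not the preceding `xenstore-write` succeeded, so after a failed write the udev property claims an entry that does not exist; tie the two together, `xenstore-write "$XS_KEY/desc" "$DESC" "$XS_KEY/size" "$SIZE" "$XS_KEY/mode" "$MODE" && echo QUBES_EXPOSED=1`. With the rules now using `IMPORT{program}`, udev parses every stdout line of this script as a KEY=value property, so anything the context line `/sbin/modprobe xen-blkback 2> /dev/null || /sbin/modprobe blkbk` or `xenstore-write` prints to stdout is imported too; redirect their stdout to /dev/null so only the intended `QUBES_EXPOSED` line remains. The script's earlier lines are outside the hunk.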
From: Marek Marczykowski Date: Fri, 8 Jun 2012 00:34:11 +0200 Subject: [PATCH 085/117] vm: enable yum-qubes-hooks plugin (#592) --- misc/yum-qubes-hooks.conf | 2 ++ rpm_spec/core-vm.spec | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 misc/yum-qubes-hooks.conf diff --git a/misc/yum-qubes-hooks.conf b/misc/yum-qubes-hooks.conf new file mode 100644 index 00000000..8e4d76c7 --- /dev/null +++ b/misc/yum-qubes-hooks.conf @@ -0,0 +1,2 @@ +[main] +enabled=1 diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 45dfb3ac..1fef666e 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -101,6 +101,7 @@ install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -d $RPM_BUILD_ROOT/usr/lib/yum-plugins/ install -m 0644 misc/yum-qubes-hooks.py* $RPM_BUILD_ROOT/usr/lib/yum-plugins/ +install -D -m 0644 misc/yum-qubes-hooks.conf $RPM_BUILD_ROOT/etc/yum/pluginconf.d/yum-qubes-hooks.conf install -d $RPM_BUILD_ROOT/var/lib/qubes @@ -362,6 +363,7 @@ rm -rf $RPM_BUILD_ROOT /etc/xen/scripts/vif-route-qubes /etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo +/etc/yum/pluginconf.d/yum-qubes-hooks.conf /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /sbin/qubes_serial_login /usr/bin/qvm-copy-to-vm From 9d10d6c668b0f8d167fdcf510f6b05b00440187d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 8 Jun 2012 04:36:33 +0200 Subject: [PATCH 086/117] vm: fix yum-qubes-hooks Program must be given as full path to qrexec_client_vm - it is passed directly to execv. --- misc/yum-qubes-hooks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/yum-qubes-hooks.py b/misc/yum-qubes-hooks.py index f49eac2f..9d851bf9 100644 --- a/misc/yum-qubes-hooks.py +++ b/misc/yum-qubes-hooks.py 
@@ -39,4 +39,4 @@ def posttrans_hook(conduit): filtered_updates = filter(lambda x: x not in all, pkg_list.updates) # Notify dom0 about left updates count - subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', 'echo', str(len(filtered_updates))]) + subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', '/bin/echo', str(len(filtered_updates))]) From 28ad00137560339351cc01b1dd5d82d1356cf3d9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 11 Jun 2012 22:33:57 +0200 Subject: [PATCH 087/117] vm: chown /home/user to user if user UID have changed FC16 and FC17 starts normal users at UID 1000, not 500 as in <=FC15. --- vm-systemd/misc-post.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index dbefd432..b86e6a7f 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -30,6 +30,11 @@ if [ -e /dev/xvdb ] ; then touch /var/lib/qubes/first_boot_completed fi + # Chown home if user UID have changed - can be the case on template switch + HOME_USER_UID=`ls -dn /home/user | awk '{print $3}'` + if [ "`id -u user`" -ne "$HOME_USER_UID" ]; then + find /home/user -uid "$HOME_USER_UID" -print0 | xargs -0 chown user:user + fi fi [ -x /rw/config/rc.local ] && /rw/config/rc.local From d4f0e618dcf292b721091905fb784914402f012d Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 12 Jun 2012 12:25:19 +0200 Subject: [PATCH 088/117] version 1.7.26 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 384e29da..130990e0 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.24 +1.7.26 diff --git a/version_vm b/version_vm index 384e29da..130990e0 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.24 +1.7.26 From e2a0c222999390163134eb4ffc46666dc91a92c9 Mon Sep 17 00:00:00 2001 
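Review bot: `chown user:user` dereferences symlinks while `find -uid` matches the link itself, so a symlink under /home/user (content the VM user controls) that points outside the home directory would have its target re-owned to `user` by this root-run script; use `chown -h`, e.g. `find /home/user -uid "$HOME_USER_UID" -exec chown -h user:user {} +`, so only the link is touched. The impact is small in a Qubes VM where `user` already has sudo, but the pattern is worth not establishing. `xargs -0` with empty input still runs `chown` once and fails with "missing operand" (`-r` avoids that), and `ls -dn | awk` for the owner is fragile where `stat -c %u /home/user` gives the UID directly. The enclosing `if [ -e /dev/xvdb ]` block starts outside the hunk.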
From: Marek Marczykowski Date: Wed, 13 Jun 2012 01:59:25 +0200 Subject: [PATCH 089/117] vm/qubes-dom0-update: rebuild dom0 rpmdb before touching it with yum Dom0 can have different (older) rpmdb version than VM. Starting from FC17 yum refuses to work without rebuild. --- misc/qubes_download_dom0_updates.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh index 33bc46d3..de869c55 100755 --- a/misc/qubes_download_dom0_updates.sh +++ b/misc/qubes_download_dom0_updates.sh @@ -43,6 +43,10 @@ fi mkdir -p $DOM0_UPDATES_DIR/etc sed -i '/^reposdir\s*=/d' $DOM0_UPDATES_DIR/etc/yum.conf +# Rebuild rpm database in case of different rpm version +rm -f $DOM0_UPDATES_DIR/var/lib/rpm/__* +rpm --root=$DOM0_UPDATES_DIR --rebuilddb + if [ "$CLEAN" = "1" ]; then yum $OPTS clean all rm -f $DOM0_UPDATES_DIR/packages/* From 3a8427cee57cab2a0f10c00586a8ccd967462aa5 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 13 Jun 2012 04:08:09 +0200 Subject: [PATCH 090/117] dom0: do not reply all udev events at system boot (#595) This can cause some rules to fail and eg remove dm-* devices. Replace it with what is really needed to hide mounted (and other ignored) devices from qubes-block-devices. --- dom0/init.d/qubes_core | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/dom0/init.d/qubes_core b/dom0/init.d/qubes_core index 072f0ac2..d4d5b626 100755 --- a/dom0/init.d/qubes_core +++ b/dom0/init.d/qubes_core 
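Review bot: The exit status of `rpm --root=$DOM0_UPDATES_DIR --rebuilddb` is ignored, so when the rebuild fails (corrupt copy, incompatible db format) the script continues into `yum` with a half-rebuilt database and the failure surfaces later as an unrelated yum error; add `|| { echo 'rpmdb rebuild failed' >&2; exit 1; }`. The `rm -f .../var/lib/rpm/__*` presumably clears the Berkeley DB environment files, which is the right preparation for a cross-version rebuild, and a comment naming them would save the next reader a guess. `$DOM0_UPDATES_DIR` is unquoted on both new lines, matching the surrounding context, so this only holds while the path never contains whitespace.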
@@ -53,8 +53,12 @@ start() MEMINFO_DELAY_USEC=100000 /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC & - # Reply block events to hide mounted devices from qubes-block list (at first udev run, only / is mounted) - udevadm trigger --subsystem-match=block --action=add + # Hide mounted devices from qubes-block list (at first udev run, only / is mounted) + for dev in `xenstore-list /local/domain/0/qubes-block-devices`; do + ( eval `udevadm info -q property -n $dev|sed -e 's/\([^=]*\)=\(.*\)/export \1="\2"/'`; + /usr/lib/qubes/block_add_change + ) + done touch /var/lock/subsys/qubes_core success From c534d5871b04842dc8fa97870dae81f5c20c1c25 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 13 Jun 2012 17:01:57 +0200 Subject: [PATCH 091/117] dom0/core: fix order of loading VM attributes Parsing kernelopts depends on uses_default_kernelopts, so set 'order' appropriate. --- dom0/qvm-core/qubes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index c3f71e41..b1bb384d 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -245,7 +245,7 @@ class QubesVm(object): "kernel": { "default": None, 'order': 30 }, "uses_default_kernel": { "default": True, 'order': 30 }, "uses_default_kernelopts": { "default": True, 'order': 30 }, - "kernelopts": { "default": "", 'order': 30, "eval": \ + "kernelopts": { "default": "", 'order': 31, "eval": \ 'value if not self.uses_default_kernelopts else default_kernelopts_pcidevs if len(self.pcidevs) > 0 else default_kernelopts' }, "mac": { "attr": "_mac", "default": None }, "include_in_backups": { "default": True }, From 844d43b0ef53a0d9338442ccabab6be0f8931995 Mon Sep 17 00:00:00 2001 
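Review bot: The new loop `eval`s the output of `udevadm info -q property` as shell code in dom0's root init script with values wrapped in double quotes, so any property value containing `"`, `$(` or a backquote would be executed rather than assigned. Several of those properties (ID_MODEL, ID_SERIAL, ID_FS_LABEL and friends) derive from the attached device itself, and whether udev's own sanitisation guarantees none of those characters reach this point is not visible here, so eval is the wrong tool regardless; `$dev` from `xenstore-list` is also unquoted. Importing the properties with `read` never interprets them (newer udev also offers `udevadm info -x`, which emits properly quoted `export` lines, if that version is available). `start()` continues past the hunk.
```shell
# Hide mounted devices from qubes-block list (at first udev run, only / is mounted)
for dev in `xenstore-list /local/domain/0/qubes-block-devices`; do
    udevadm info -q property -n "$dev" | {
        while IFS='=' read -r key value; do
            # skip anything that is not a plain KEY=value line
            case "$key" in ''|*[!A-Za-z0-9_]*) continue ;; esac
            export "$key=$value"
        done
        /usr/lib/qubes/block_add_change
    }
done
```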
From: Marek Marczykowski Date: Wed, 13 Jun 2012 17:08:30 +0200 Subject: [PATCH 092/117] dom0/core: introduce is_guid_running() and use it in is_fully_usable() To improve code reuse, especially to remove direct checking for "/var/run/qubes/guid_running.{0}" in many places. --- dom0/qvm-core/qubes.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index b1bb384d..987537ee 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -642,12 +642,18 @@ class QubesVm(object): return "NA" - def is_fully_usable(self): + def is_guid_running(self): xid = self.get_xid() if xid < 0: return False if not os.path.exists('/var/run/qubes/guid_running.%d' % xid): return False + return True + + def is_fully_usable(self): + # Running gui-daemon implies also VM running + if not self.is_guid_running(): + return False # currently qrexec daemon doesn't cleanup socket in /var/run/qubes, so # it can be left from some other VM return True @@ -1298,7 +1304,7 @@ class QubesVm(object): raise QubesException("Not enough memory to start '{0}' VM! Close one or more running VMs and try again.".format(self.name)) xid = self.get_xid() - if os.getenv("DISPLAY") is not None and not os.path.isfile("/var/run/qubes/guid_running.{0}".format(xid)): + if os.getenv("DISPLAY") is not None and not self.is_guid_running(): self.start_guid(verbose = verbose, notify_function = notify_function) args = [qrexec_client_path, "-d", str(xid), command] From 8bdc5706f701f58d97656182faad4b68d9b5328d Mon Sep 17 00:00:00 2001 
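Review bot: `is_fully_usable` still carries the comment about qrexec's socket not being cleaned up, but after the refactor it performs no qrexec check at all and returns True as soon as `is_guid_running()` does, so the comment now reads as describing a check that is not there. Reword it to say what is and is not covered: `# "Fully usable" currently means only that the gui daemon is up; qrexec is deliberately not probed because its socket in /var/run/qubes may be stale from another VM.` A docstring on `is_guid_running` noting that it keys solely on `/var/run/qubes/guid_running.<xid>` existing would complete the picture. The `run()` hunk further down is a fragment of a method that starts and ends outside the view.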
From: Marek Marczykowski Date: Wed, 13 Jun 2012 17:16:12 +0200 Subject: [PATCH 093/117] dom0/core: allow to change default user for qvm-run (#577) This doesn't make all dom0 code VM-username independent, still 'user' is hardcoded in many places. This only change behavior of qvm-run, especially for use in HVM. --- dom0/qvm-core/qubes.py | 6 ++++-- dom0/qvm-tools/qvm-prefs | 11 +++++++++++ dom0/qvm-tools/qvm-run | 12 ++++++------ 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 987537ee..937bbad0 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -251,6 +251,7 @@ class QubesVm(object): "include_in_backups": { "default": True }, "services": { "default": {}, "eval": "eval(str(value))" }, "debug": { "default": False }, + "default_user": { "default": "user" }, ##### Internal attributes - will be overriden in __init__ regardless of args "appmenus_templates_dir": { "eval": \ 'self.dir_path + "/" + default_appmenus_templates_subdir if self.updateable else ' + \ @@ -267,7 +268,8 @@ class QubesVm(object): for prop in ['qid', 'name', 'dir_path', 'memory', 'maxmem', 'pcidevs', 'vcpus', 'internal',\ 'uses_default_kernel', 'kernel', 'uses_default_kernelopts',\ 'kernelopts', 'services', 'installed_by_rpm',\ - 'uses_default_netvm', 'include_in_backups', 'debug' ]: + 'uses_default_netvm', 'include_in_backups', 'debug',\ + 'default_user' ]: attrs[prop]['save'] = 'str(self.%s)' % prop # Simple paths for prop in ['conf_file', 'root_img', 'volatile_img', 'private_img']: @@ -2540,7 +2542,7 @@ class QubesVmCollection(dict): "installed_by_rpm", "internal", "uses_default_netvm", "label", "memory", "vcpus", "pcidevs", "maxmem", "kernel", "uses_default_kernel", "kernelopts", "uses_default_kernelopts", - "mac", "services", "include_in_backups", "debug" ) + "mac", "services", "include_in_backups", "debug", "default_user" ) for attribute in common_attr_list: kwargs[attribute] = element.get(attribute) 
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 66664497..98db27ac 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs @@ -76,6 +76,9 @@ def do_list(vm): if hasattr(vm, 'debug'): print fmt.format("debug", "on" if vm.debug else "off") + if hasattr(vm, 'default_user'): + print fmt.format("default user", str(vm.default_user)) + def set_label(vms, vm, args): if len (args) != 1: print >> sys.stderr, "Missing label name argument!" @@ -283,7 +286,14 @@ def set_debug(vms, vm, args): vm.debug = False else: vm.debug = bool(eval(args[0].capitalize())) + return True +def set_default_user(vms, vm, args): + if len (args) != 1: + print >> sys.stderr, "Missing user name!" + return False + + vm.default_user = args[0] return True def set_include_in_backups(vms, vm, args): @@ -308,6 +318,7 @@ properties = { "name": set_name, "mac": set_mac, "debug": set_debug, + "default_user": set_default_user, } diff --git a/dom0/qvm-tools/qvm-run b/dom0/qvm-tools/qvm-run index 84f7e099..89d53756 100755 --- a/dom0/qvm-tools/qvm-run +++ b/dom0/qvm-tools/qvm-run @@ -98,7 +98,7 @@ def main(): parser.add_option ("-q", "--quiet", action="store_false", dest="verbose", default=True) parser.add_option ("-a", "--auto", action="store_true", dest="auto", default=False, help="Auto start the VM if not running") - parser.add_option ("-u", "--user", action="store", dest="user", default="user", + parser.add_option ("-u", "--user", action="store", dest="user", default=None, help="Run command in a VM as a specified user") parser.add_option ("--tray", action="store_true", dest="tray", default=False, help="Use tray notifications instead of stdout" ) 
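Review bot: `set_default_user` stores `args[0]` verbatim, and qvm-run later splices it into the qrexec command as `"{user}:{cmd}"`, where the VM-side agent splits at the first colon; a value containing `:` is therefore misparsed as user plus command prefix, and empty or whitespace-containing names are accepted as well. Validate before assigning: `if not args[0] or ':' in args[0] or any(c.isspace() for c in args[0]): print >> sys.stderr, "Invalid user name!"; return False`. The value is also persisted to qubes.xml, so a bad one keeps biting every later `qvm-run` on that VM until corrected.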
@@ -188,12 +188,12 @@ def main(): exit(1) vms_list.append(vm) - if takes_cmd_argument: - cmd = "{user}:{cmd}".format(user=options.user, cmd=cmdstr) - else: - cmd = None - for vm in vms_list: + if takes_cmd_argument: + cmd = "{user}:{cmd}".format(user=options.user if options.user else vm.default_user, cmd=cmdstr) + else: + cmd = None + vm_run_cmd(vm, cmd, options) From f81e36f75a725be82e0f2b587f0f8679c38b9533 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Thu, 14 Jun 2012 11:23:59 +0200 Subject: [PATCH 094/117] version 1.7.27 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 130990e0..6c56d77a 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.26 +1.7.27 diff --git a/version_vm b/version_vm index 130990e0..6c56d77a 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.26 +1.7.27 From ab9c2e503a02258f7245cbf7204e281f736d7bc3 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 15 Jun 2012 17:37:19 +0200 Subject: [PATCH 095/117] dom0: qvm-run --nogui switch Can be used to not start guid. --- dom0/qvm-core/qubes.py | 4 ++-- dom0/qvm-tools/qvm-run | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 937bbad0..83828819 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1286,7 +1286,7 @@ class QubesVm(object): return conf - def run(self, command, verbose = True, autostart = False, notify_function = None, passio = False, passio_popen = False, localcmd = None, wait = False): + def run(self, command, verbose = True, autostart = False, notify_function = None, passio = False, passio_popen = False, localcmd = None, wait = False, gui = True): """command should be in form 'user:cmdline'""" if not self.is_running(): 
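Review bot: `vm.default_user` is substituted into `"{user}:{cmd}"` without a fallback; for a VM loaded from an older qubes.xml that has no `default_user` attribute, whether the attribute machinery substitutes the declared default or leaves None is outside this hunk, and in the latter case the command becomes `None:<cmd>`. A defensive form costs one expression: `user=options.user or vm.default_user or "user"`. Moving the `cmd` construction inside the loop is the right change, since the user may now differ per VM. `main()` continues past the hunk.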
@@ -1306,7 +1306,7 @@ class QubesVm(object): raise QubesException("Not enough memory to start '{0}' VM! Close one or more running VMs and try again.".format(self.name)) xid = self.get_xid() - if os.getenv("DISPLAY") is not None and not self.is_guid_running(): + if gui and os.getenv("DISPLAY") is not None and not self.is_guid_running(): self.start_guid(verbose = verbose, notify_function = notify_function) args = [qrexec_client_path, "-d", str(xid), command] diff --git a/dom0/qvm-tools/qvm-run b/dom0/qvm-tools/qvm-run index 89d53756..d83236cd 100755 --- a/dom0/qvm-tools/qvm-run +++ b/dom0/qvm-tools/qvm-run @@ -85,7 +85,7 @@ def vm_run_cmd(vm, cmd, options): return vm.run(cmd, autostart = options.auto, verbose = options.verbose, notify_function = tray_notify_generic if options.tray else None, - passio = options.passio, localcmd = options.localcmd) + passio = options.passio, localcmd = options.localcmd, gui = options.gui) except QubesException as err: if options.tray: tray_notify_error(str(err)) @@ -130,6 +130,9 @@ def main(): parser.add_option ("--force", action="store_true", dest="force", default=False, help="Force operation, even if may damage other VMs (eg shutdown of NetVM)") + parser.add_option ("--nogui", action="store_false", dest="gui", default=True, + help="Run command without gui") + (options, args) = parser.parse_args () From 0e2aba228f4faffdd28e8c10df6f0e148b66611c Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 15 Jun 2012 17:42:14 +0200 Subject: [PATCH 096/117] dom0: minor qvm-sync-clock fix Catch any error in vm.run, to not break clock syncing of all VMs because one VM. --- dom0/qvm-tools/qvm-sync-clock | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dom0/qvm-tools/qvm-sync-clock b/dom0/qvm-tools/qvm-sync-clock index 30978af4..449c664f 100755 --- a/dom0/qvm-tools/qvm-sync-clock +++ b/dom0/qvm-tools/qvm-sync-clock 
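Review bot: The `--nogui` help text, `Run command without gui`, undersells what the flag does: per the `run()` change it only skips starting the GUI daemon before the command runs; the command itself is unaffected and still gets a display if one is already up. `help="Do not start the GUI daemon for the VM before running the command"` states the actual effect. The `run()` hunk above is a fragment of a method that starts and ends outside the view.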
@@ -91,7 +91,8 @@ def main(): print >> sys.stderr, '--> Syncing \'%s\' clock.' % vm.name try: vm.run('root:date -u -s "%s"' % date_out, verbose=verbose) - except NotImplementedError: + except Exception as e: + print >> sys.stderr, "ERROR syncing time in VM '%s': %s" % (vm.name, str(e)) pass main() From c978ce3a485ea51d5033cfff32bafe44c6b8ba18 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 18 Jun 2012 23:51:44 +0200 Subject: [PATCH 097/117] dom0/qvm-firewall: eliminate duplicate firewall defaults definition (#599) This caused ignore of different firewall defaults for TemplateVM. --- dom0/qvm-core/qubes.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 83828819..d33cd882 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1983,10 +1983,7 @@ class QubesProxyVm(QubesNetVm): vms = [vm for vm in self.connected_vms.values()] for vm in vms: iptables="*filter\n" - if vm.has_firewall(): - conf = vm.get_firewall_conf() - else: - conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True, "allowYumProxy": False } + conf = vm.get_firewall_conf() xid = vm.get_xid() if xid < 0: # VM not active ATM From e31228656d053f8ba99c8bf179bea0d7051eb141 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 19 Jun 2012 15:22:23 +0200 Subject: [PATCH 098/117] 1.7.28-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index 6c56d77a..c5c40e90 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.27 +1.7.28 From 96f7d4da814c46beca81bea095c9c163fc7ca2b1 Mon Sep 17 00:00:00 2001 
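Review bot: The `pass` after the new `print` is redundant now that the handler has a statement, and catching `Exception` here is a deliberate best-effort per the commit message, so say so in place: `except Exception as e:  # best effort: one VM must not block syncing the others`. Errors go to stderr only and nothing records which VMs were skipped, so if `main()` returns normally a caller scripting this sees success even when every VM failed — consider a non-zero exit when no VM was synced. `main()` starts outside the hunk.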
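Review bot: Dropping the `has_firewall()` branch makes every connected VM's rule set depend on what `get_firewall_conf()` does when no firewall file exists yet, which is outside this hunk; the removed inline default was allow-all, so if that method raises or returns an incomplete dict for such a VM, iptables generation for the whole ProxyVM now aborts at `conf["allow"]` instead of falling back. Confirm it delegates to `get_firewall_defaults()` for the no-file case, and record that the behavioural change is intentional: a TemplateVM with no saved file now gets the deny-all template defaults rather than allow-all. The enclosing method starts and ends outside the hunk.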
From: Marek Marczykowski Date: Thu, 21 Jun 2012 11:50:52 +0200 Subject: [PATCH 099/117] Revert "dom0/appmenus: do not add "Add more shortcuts" menu (#458)" (#548) This reverts commit 8b613a10b4b5f5aba7c0d2f8577f2c0d3f05aae2. Restore this option. --- dom0/aux-tools/create_apps_for_appvm.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/dom0/aux-tools/create_apps_for_appvm.sh b/dom0/aux-tools/create_apps_for_appvm.sh index 80fdf491..0b6e53dd 100755 --- a/dom0/aux-tools/create_apps_for_appvm.sh +++ b/dom0/aux-tools/create_apps_for_appvm.sh @@ -42,6 +42,7 @@ if [ "$SRCDIR" != "none" ]; then else find $SRCDIR -name "*.desktop" $CHECK_WHITELISTED -exec /usr/lib/qubes/convert_apptemplate2vm.sh {} $APPSDIR $VMNAME $VMDIR \; fi + /usr/lib/qubes/convert_apptemplate2vm.sh /usr/share/qubes/qubes-appmenu-select.desktop $APPSDIR $VMNAME $VMDIR if [ "$VMTYPE" = "vm-templates" ]; then /usr/lib/qubes/convert_dirtemplate2vm.sh /usr/share/qubes/qubes-templatevm.directory.template $APPSDIR/$VMNAME-vm.directory $VMNAME $VMDIR From ffa3d8732c7d0acba3cda2e855e47910b7d7d221 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 21 Jun 2012 11:57:36 +0200 Subject: [PATCH 100/117] dom0: use new qubes-manager appmenu applet (#548) --- dom0/misc/qubes-appmenu-select.desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/misc/qubes-appmenu-select.desktop b/dom0/misc/qubes-appmenu-select.desktop index 2275f779..29f3ee1d 100644 --- a/dom0/misc/qubes-appmenu-select.desktop +++ b/dom0/misc/qubes-appmenu-select.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Version=1.0 Type=Application -Exec=qubes-appmenu-select %VMNAME% +Exec=qubes-vm-settings %VMNAME% applications Icon=/usr/share/qubes/icons/qubes.png Terminal=false Name=%VMNAME%: Add more shortcuts... From c34f10a6f691d0704f2511a5dc33bba6c98aeac0 Mon Sep 17 00:00:00 2001 
From: Joanna Rutkowska Date: Fri, 22 Jun 2012 15:20:21 +0200 Subject: [PATCH 101/117] version 1.7.29-dom0 --- version_dom0 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_dom0 b/version_dom0 index c5c40e90..5f444567 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.28 +1.7.29 From 24352c3dce752d2af810c30080751d44e6a5607f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 01:22:06 +0200 Subject: [PATCH 102/117] dom0: minor init.d script fix --- dom0/init.d/qubes_core | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/init.d/qubes_core b/dom0/init.d/qubes_core index d4d5b626..7e3e86dc 100755 --- a/dom0/init.d/qubes_core +++ b/dom0/init.d/qubes_core @@ -56,7 +56,7 @@ start() # Hide mounted devices from qubes-block list (at first udev run, only / is mounted) for dev in `xenstore-list /local/domain/0/qubes-block-devices`; do ( eval `udevadm info -q property -n $dev|sed -e 's/\([^=]*\)=\(.*\)/export \1="\2"/'`; - /usr/lib/qubes/block_add_change + /usr/lib/qubes/block_add_change > /dev/null ) done From 2ddd53e1e46767cf906e698b440dc5d5056d31c3 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 21:17:50 +0200 Subject: [PATCH 103/117] vm: support for magic QUBESRPC command Previously dom0 had to know full path of qubes_rpc_multiplexer in VM, which can differ between VMs (eg totally different on Windows). This commit enables dom0 to magic keyword instead of full path. --- qrexec/qrexec.h | 3 +++ qrexec/qrexec_agent.c | 17 +++++++++++++---- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/qrexec/qrexec.h b/qrexec/qrexec.h index 4313d119..d19126dd 100644 --- a/qrexec/qrexec.h +++ b/qrexec/qrexec.h 
@@ -30,6 +30,9 @@ #define QREXEC_AGENT_TRIGGER_PATH "/var/run/qubes/qrexec_agent" #define QREXEC_AGENT_FDPASS_PATH "/var/run/qubes/qrexec_agent_fdpass" #define MEMINFO_WRITER_PIDFILE "/var/run/meminfo-writer.pid" +#define QUBES_RPC_MULTIPLEXER_PATH "/usr/lib/qubes/qubes_rpc_multiplexer" + +#define QUBES_RPC_MAGIC_CMD "QUBESRPC" enum { /* messages from qrexec_client to qrexec_daemon (both in dom0) */ diff --git a/qrexec/qrexec_agent.c b/qrexec/qrexec_agent.c index 93fa100d..f8d7e20e 100644 --- a/qrexec/qrexec_agent.c +++ b/qrexec/qrexec_agent.c @@ -115,14 +115,23 @@ void no_colon_in_cmd() void do_exec(char *cmd) { - char *sep = index(cmd, ':'); - if (!sep) + char buf[strlen(QUBES_RPC_MULTIPLEXER_PATH) + strlen(cmd) - strlen(QUBES_RPC_MAGIC_CMD) + 1]; + char *realcmd = index(cmd, ':'); + if (!realcmd) no_colon_in_cmd(); - *sep = 0; + /* mark end of username and move to command */ + *realcmd = 0; + realcmd++; + /* replace magic RPC cmd with RPC multiplexer path */ + if (strncmp(realcmd, QUBES_RPC_MAGIC_CMD " ", strlen(QUBES_RPC_MAGIC_CMD)+1)==0) { + strcpy(buf, QUBES_RPC_MULTIPLEXER_PATH); + strcpy(buf + strlen(QUBES_RPC_MULTIPLEXER_PATH), realcmd + strlen(QUBES_RPC_MAGIC_CMD)); + realcmd = buf; + } signal(SIGCHLD, SIG_DFL); signal(SIGPIPE, SIG_DFL); - execl("/bin/su", "su", "-", cmd, "-c", sep + 1, NULL); + execl("/bin/su", "su", "-", cmd, "-c", realcmd, NULL); perror("execl"); exit(1); } From f53ebfc3cd6d4b5bbb3fd18a80de4d7388a78360 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 21:59:15 +0200 Subject: [PATCH 104/117] vm: RPC service for NTP time sync (#603) --- qubes_rpc/qubes.SyncNtpClock | 1 + qubes_rpc/sync-ntp-clock | 12 ++++++++++++ rpm_spec/core-vm.spec | 6 +++++- 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 qubes_rpc/qubes.SyncNtpClock create mode 100755 qubes_rpc/sync-ntp-clock diff --git a/qubes_rpc/qubes.SyncNtpClock b/qubes_rpc/qubes.SyncNtpClock new file mode 100644 index 00000000..087a421f --- /dev/null 
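Review bot: The VLA size `strlen(PATH) + strlen(cmd) - strlen(MAGIC) + 1` is computed on the whole `user:cmd` string before the prefix test, while the bytes actually copied are `strlen(PATH) + strlen(realcmd) - strlen(MAGIC) + 1`, smaller by the username length plus one, so the copy fits — but the margin is implicit and the two `strcpy` calls carry no bound, so a later change to either constant or to where `realcmd` starts would overflow silently. Build the string with an explicit bound: `snprintf(buf, sizeof buf, "%s%s", QUBES_RPC_MULTIPLEXER_PATH, realcmd + strlen(QUBES_RPC_MAGIC_CMD));`. `index()` is the legacy BSD name; `strchr` is the standard equivalent. The prefix test requires the trailing space (`"QUBESRPC "`), so a bare `QUBESRPC` with no service name is handed to `su -c` as a literal command — a comment saying that is intended, or rejecting it, would help; and the rewritten command still passes through the user's login shell, so service and source-domain tokens are shell-parsed, acceptable only because they originate in dom0.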
+++ b/qubes_rpc/qubes.SyncNtpClock @@ -0,0 +1 @@ +/usr/lib/qubes/sync-ntp-clock diff --git a/qubes_rpc/sync-ntp-clock b/qubes_rpc/sync-ntp-clock new file mode 100755 index 00000000..f5dfa1bb --- /dev/null +++ b/qubes_rpc/sync-ntp-clock @@ -0,0 +1,12 @@ +#!/bin/sh + +if [ -x /usr/libexec/ntpdate-wrapper ]; then + /usr/libexec/ntpdate-wrapper +elif [ -x /etc/init.d/ntpdate ]; then + /etc/init.d/ntpdate restart +elif [ -x /usr/sbin/ntpdate ]; then + /usr/sbin/ntpdate pool.ntp.org +else + echo "No ntpdate installed, giving up." + exit 1 +fi diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 1fef666e..df49f4e7 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -38,6 +38,7 @@ Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: ethtool Requires: tinyproxy +Requires: ntpdate Provides: qubes-core-vm Obsoletes: qubes-core-commonvm Obsoletes: qubes-core-appvm @@ -149,10 +150,11 @@ install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/{vm-file-editor,qfile-agent,qopen-in-vm,qfile-unpacker} $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/{vm-shell,qrun-in-vm} $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/sync-ntp-clock $RPM_BUILD_ROOT/usr/lib/qubes install -d $RPM_BUILD_ROOT/%{kde_service_dir} install -m 0644 qubes_rpc/{qvm-copy.desktop,qvm-dvm.desktop} $RPM_BUILD_ROOT/%{kde_service_dir} install -d $RPM_BUILD_ROOT/etc/qubes_rpc -install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell} $RPM_BUILD_ROOT/etc/qubes_rpc +install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $RPM_BUILD_ROOT/etc/qubes_rpc install qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes install qrexec/qrexec_client_vm $RPM_BUILD_ROOT/usr/lib/qubes 
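Review bot: `qubes.SyncNtpClock` runs with whatever privilege the caller requests (the dom0 side invokes it as root) and in its last branch calls `ntpdate pool.ntp.org` with no authentication of the time source; that is inherent to plain NTP, but registering the service makes it invocable from other VMs as soon as a dom0 qrexec policy allows it, and no policy file is added in this patch, so confirm the default policy denies it VM-to-VM. The failure message is written to stdout, which is the RPC data channel; `echo "No ntpdate installed, giving up." >&2` keeps it out of the caller's data. The script ignores its source-domain argument, which is fine to state in a leading comment.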
@@ -352,6 +354,7 @@ rm -rf $RPM_BUILD_ROOT /etc/qubes_rpc/qubes.Filecopy /etc/qubes_rpc/qubes.OpenInVM /etc/qubes_rpc/qubes.VMShell +/etc/qubes_rpc/qubes.SyncNtpClock /etc/sudoers.d/qubes /etc/sysconfig/iptables /etc/sysconfig/modules/qubes_core.modules @@ -375,6 +378,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/block_add_change /usr/lib/qubes/block_cleanup /usr/lib/qubes/block_remove +/usr/lib/qubes/sync-ntp-clock /usr/lib/qubes/meminfo-writer /usr/lib/qubes/network-manager-prepare-conf-dir /usr/lib/qubes/qfile-agent From 89aaa6075346806954a87628e9d16ad7cd2e6c4b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 22:23:17 +0200 Subject: [PATCH 105/117] dom0: use RPC service to sync clock via NTP (#603) --- dom0/qvm-tools/qvm-sync-clock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-tools/qvm-sync-clock b/dom0/qvm-tools/qvm-sync-clock index 449c664f..84f54ba8 100755 --- a/dom0/qvm-tools/qvm-sync-clock +++ b/dom0/qvm-tools/qvm-sync-clock @@ -67,7 +67,7 @@ def main(): net_vm.run('user:nm-online -x', verbose=verbose, wait=True) # Sync clock - if clock_vm.run('root:/etc/init.d/ntpdate restart', verbose=verbose, wait=True) != 0: + if clock_vm.run('root:QUBESRPC qubes.SyncNtpClock dom0', verbose=verbose, wait=True) != 0: print >> sys.stderr, 'Time sync failed, aborting!' sys.exit(1) From ad7d6957b133b6a52e58e3ce2a5730d3bf46109b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 23:44:05 +0200 Subject: [PATCH 106/117] dom0/updates: clean yum cache as root (#540) Actually looks like this solve problem, don't know why (cleaning as user didn't returned any error). --- dom0/aux-tools/qubes-receive-updates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/aux-tools/qubes-receive-updates b/dom0/aux-tools/qubes-receive-updates index 02cbebee..6db39d4e 100755 --- a/dom0/aux-tools/qubes-receive-updates +++ b/dom0/aux-tools/qubes-receive-updates 
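Review bot: The replaced call makes time sync depend on the clock VM's template shipping the qubes.SyncNtpClock service from PATCH 104, and a VM that predates it fails with the same `'Time sync failed, aborting!'` as a genuine NTP failure, which gives the operator nothing to go on. Suggest naming what was attempted, e.g. `print >> sys.stderr, 'Time sync failed (qubes.SyncNtpClock service in clock VM), aborting!'`. main() starts outside the hunk.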
@@ -76,7 +76,7 @@ def handle_dom0updates(updatevm): os.chown(updates_repodata_dir, -1, qubes_gid) os.chmod(updates_repodata_dir, 0775) # Clean old cache - subprocess.call(["/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr) + subprocess.call(["sudo", "/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr) # This will fail because of "smart" detection of no-network, but it will invalidate the cache try: null = open('/dev/null','w') From 87b07872ae90353938dcd59620e9ad4ee8c4763c Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 25 Jun 2012 23:38:18 +0200 Subject: [PATCH 107/117] version 1.7.30 --- version_dom0 | 2 +- version_vm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/version_dom0 b/version_dom0 index 5f444567..a2ad95ca 100644 --- a/version_dom0 +++ b/version_dom0 @@ -1 +1 @@ -1.7.29 +1.7.30 diff --git a/version_vm b/version_vm index 6c56d77a..a2ad95ca 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.27 +1.7.30 From 29e3593a023adcd778612c8ccef3897b9c817f79 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 00:26:53 +0200 Subject: [PATCH 108/117] dom0/qmemman: allow balance when xen have low free memory (#563) --- dom0/qmemman/qmemman.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dom0/qmemman/qmemman.py b/dom0/qmemman/qmemman.py index 227cc812..cf6325a7 100755 --- a/dom0/qmemman/qmemman.py +++ b/dom0/qmemman/qmemman.py @@ -132,6 +132,9 @@ class SystemState: total_memory_transfer = 0 MIN_TOTAL_MEMORY_TRANSFER = 150*1024*1024 MIN_MEM_CHANGE_WHEN_UNDER_PREF = 15*1024*1024 + # If xenfree to low, return immediately + if self.XEN_FREE_MEM_LEFT - xenfree > MIN_MEM_CHANGE_WHEN_UNDER_PREF: + return True for rq in memset_reqs: dom, mem = rq last_target = self.domdict[dom].last_target From 71c4ca88045dbd02d2274335b4e7ebbb57b38f9e Mon Sep 17 00:00:00 2001 
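Review bot: The return value of the new `sudo /usr/bin/yum -q clean all` call is still discarded, so if the sudoers rule for exactly this command is absent (with no terminal attached sudo presumably fails rather than prompts) the cache is silently left in place, and the uncertainty recorded in the commit message ("don't know why") cannot be checked from the output. Suggest resolving sudo by absolute path like yum and logging the status: `if subprocess.call(["/usr/bin/sudo", "/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr) != 0:` followed by `print >> sys.stderr, "WARNING: yum clean all failed"`. handle_dom0updates starts and ends outside the hunk.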
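Review bot: The comment on the new guard, `# If xenfree to low, return immediately`, says neither what the condition means — it is true when Xen's free memory is more than MIN_MEM_CHANGE_WHEN_UNDER_PREF below the XEN_FREE_MEM_LEFT reserve — nor what returning True tells the caller, and the enclosing method's name and other return statements are outside the hunk. Suggest `# Xen free memory is more than MIN_MEM_CHANGE_WHEN_UNDER_PREF below the XEN_FREE_MEM_LEFT reserve: issue no memset request this round`, plus a word on the True value once it is confirmed against the caller. Separately, this hunk appears a second time as PATCH 113/117 with the identical index line 227cc812..cf6325a7, and PATCH 109–111 likewise recur as 114–116; the second copies cannot apply cleanly on top of the first and should be dropped from the series.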
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:30:06 +0200 Subject: [PATCH 109/117] vm/spec: fix enabling of qubes-firewall SysV service --- rpm_spec/core-vm.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index df49f4e7..6d97102b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -480,8 +480,8 @@ chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" From 4cc7d9300fa58a28c7f9e1dce57c273198471fba Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:31:28 +0200 Subject: [PATCH 110/117] vm/spec: fix error messages --- rpm_spec/core-vm.spec | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 6d97102b..85385134 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -476,14 +476,14 @@ chkconfig messagebus on chkconfig iptables on chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core_appvm!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" +chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" +chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" From 4f7656e36facc5dcbe8a3498e600b64a28624e01 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:36:22 +0200 Subject: [PATCH 111/117] vm/spec: fix enabling NetworkManager SystemD service --- rpm_spec/core-vm.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 85385134..3cb6a6b2 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -596,7 +596,9 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service /bin/systemctl enable iptables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null /bin/systemctl enable ntpd.service 2> /dev/null -/bin/systemctl enable NetworkManager.service +# Disable original service to enable overriden one +/bin/systemctl disable NetworkManager.service 2> /dev/null +/bin/systemctl enable NetworkManager.service 2> /dev/null # Enable cups only when it is real SystemD service [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null From 2e7d5cc178acd8656fc7242370ab257bb105cf4d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 24 Jun 2012 14:09:43 +0200 Subject: [PATCH 112/117] dom0: appmenu to start Firefox in new DispVM (#594) --- dom0/misc/qubes-dispvm-firefox.desktop | 10 ++++++++++ dom0/misc/qubes-dispvm.directory | 5 +++++ dom0/restore/qfile-daemon-dvm | 19 +++++++++++++++---- rpm_spec/core-dom0.spec | 8 ++++++++ 4 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 dom0/misc/qubes-dispvm-firefox.desktop create mode 100644 dom0/misc/qubes-dispvm.directory diff --git a/dom0/misc/qubes-dispvm-firefox.desktop b/dom0/misc/qubes-dispvm-firefox.desktop new file mode 100644 index 00000000..021bda61 --- /dev/null +++ b/dom0/misc/qubes-dispvm-firefox.desktop 
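Review bot: Both new systemctl lines discard stderr, so a failure to re-enable NetworkManager — the very thing this fix is about — leaves no trace in the scriptlet output, unlike the `chkconfig ... || echo "WARNING: ..."` lines used for the SysV services elsewhere in this spec. Suggest `/bin/systemctl enable NetworkManager.service 2> /dev/null || echo "WARNING: Cannot enable service NetworkManager!"`, and in the comment `overriden` → `overridden` together with a word on why the disable step is needed (presumably so that the enable step re-creates the links against the overriding unit — worth confirming). The enclosing scriptlet starts and ends outside the hunk.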
@@ -0,0 +1,10 @@ +[Desktop Entry] +Version=1.0 +Type=Application +Exec=sh -c 'echo firefox | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 user red' +Icon=/usr/share/qubes/icons/dispvm-red.png +Terminal=false +Name=DispVM: Firefox web browser +GenericName=DispVM: Web browser +StartupNotify=false +Categories=Network; diff --git a/dom0/misc/qubes-dispvm.directory b/dom0/misc/qubes-dispvm.directory new file mode 100644 index 00000000..9b5544d6 --- /dev/null +++ b/dom0/misc/qubes-dispvm.directory @@ -0,0 +1,5 @@ +[Desktop Entry] +Encoding=UTF-8 +Type=Directory +Name=DisposableVM +Icon=/usr/share/qubes/icons/dispvm-red.png diff --git a/dom0/restore/qfile-daemon-dvm b/dom0/restore/qfile-daemon-dvm index db779c65..a2fb8c72 100755 --- a/dom0/restore/qfile-daemon-dvm +++ b/dom0/restore/qfile-daemon-dvm @@ -29,6 +29,7 @@ import shutil from qubes.qubes import QubesVmCollection from qubes.qubes import QubesException from qubes.qubes import QubesDaemonPidfile +from qubes.qubes import QubesDispVmLabels from qubes.qmemman_client import QMemmanClient current_savefile = '/var/run/qubes/current_savefile' @@ -58,12 +59,16 @@ class QfileDaemonDvm: qvm_collection.unlock_db() qmemman_client.close() return None + label = vm.label + if len(sys.argv) > 4 and len(sys.argv[4]) > 0: + assert sys.argv[4] in QubesDispVmLabels.keys(), "Invalid label" + label = QubesDispVmLabels[sys.argv[4]] retcode = subprocess.call(['/usr/lib/qubes/qubes_restore', current_savefile, current_dvm_conf, - '-c', vm.label.color, - '-i', vm.label.icon, - '-l', str(vm.label.index)]) + '-c', label.color, + '-i', label.icon, + '-l', str(label.index)]) qmemman_client.close() if retcode != 0: subprocess.call(['/usr/bin/kdialog', '--sorry', 'DisposableVM creation failed, see qubes_restore.log']) 
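Review bot: `assert sys.argv[4] in QubesDispVmLabels.keys(), "Invalid label"` is used as input validation, which is stripped under `python -O` and, when it does fire, raises AssertionError past the method's own cleanup — the `qvm_collection.unlock_db()` / `qmemman_client.close()` / `return None` sequence visible just above suggests the database lock and the qmemman client are held at this point. The argv[5] check in the next hunk has the same shape. Suggest an explicit test that takes the existing failure path (below); longer term, reading sys.argv inside get_dvm — which the new comment in main() has to document — would be cleaner as parameters of the method.
```python
            label = vm.label
            if len(sys.argv) > 4 and len(sys.argv[4]) > 0:
                if sys.argv[4] not in QubesDispVmLabels:
                    # unknown label override: unwind exactly like the failures above
                    qvm_collection.unlock_db()
                    qmemman_client.close()
                    return None
                label = QubesDispVmLabels[sys.argv[4]]
            # … unchanged: qubes_restore call using label.color / label.icon / label.index …
```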
@@ -80,12 +85,15 @@ class QfileDaemonDvm: qvm_collection.unlock_db() return None dispid=int(disp_name[4:]) - dispvm=qvm_collection.add_new_disposablevm(disp_name, vm_disptempl.template, label=vm.label, dispid=dispid) + dispvm=qvm_collection.add_new_disposablevm(disp_name, vm_disptempl.template, label=label, dispid=dispid) # By default inherit firewall rules from calling VM if os.path.exists(vm.firewall_conf): disp_firewall_conf = '/var/run/qubes/%s-firewall.xml' % disp_name shutil.copy(vm.firewall_conf, disp_firewall_conf) dispvm.firewall_conf = disp_firewall_conf + if len(sys.argv) > 5 and len(sys.argv[5]) > 0: + assert os.path.exists(sys.argv[5]), "Invalid firewall.conf location" + dispvm.firewall_conf = sys.argv[5] qvm_collection.save() qvm_collection.unlock_db() # Reload firewall rules @@ -137,6 +145,9 @@ def main(): exec_index = sys.argv[1] src_vmname = sys.argv[2] user = sys.argv[3] + #accessed directly by get_dvm() + # sys.argv[4] - override label + # sys.argv[5] - override firewall notify_object = dbus.SessionBus().get_object("org.freedesktop.Notifications", "/org/freedesktop/Notifications") qfile = QfileDaemonDvm(src_vmname) diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec index e9c3cd67..918164f9 100644 --- a/rpm_spec/core-dom0.spec +++ b/rpm_spec/core-dom0.spec @@ -155,6 +155,8 @@ mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons cp icons/*.png $RPM_BUILD_ROOT/usr/share/qubes/icons cp misc/qubes-vm.directory.template $RPM_BUILD_ROOT/usr/share/qubes/ cp misc/qubes-templatevm.directory.template $RPM_BUILD_ROOT/usr/share/qubes/ +cp misc/qubes-dispvm.directory $RPM_BUILD_ROOT/usr/share/qubes/ +cp misc/qubes-dispvm-firefox.desktop $RPM_BUILD_ROOT/usr/share/qubes/ cp misc/qubes-appmenu-select.desktop $RPM_BUILD_ROOT/usr/share/qubes/ cp misc/vm-template.conf $RPM_BUILD_ROOT/usr/share/qubes/ 
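Review bot: `assert os.path.exists(sys.argv[5])` accepts any existing path, including a directory, as the DispVM's firewall configuration, and it runs after `add_new_disposablevm(...)` has already registered the VM in the collection but before `qvm_collection.save()` and `unlock_db()`, so a failed assertion leaves the collection lock held with an unsaved entry unless a handler outside the hunk releases it. Suggest `if not os.path.isfile(sys.argv[5]):` with the same unwind as the earlier failure paths (unlock the db and return None) instead of the assert, and moving the check ahead of `add_new_disposablevm` so nothing has to be rolled back. The enclosing method (get_dvm, per the comment added in main()) starts and ends outside the hunk.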
@@ -252,6 +254,8 @@ for i in /usr/share/qubes/icons/*.png ; do xdg-icon-resource install --novendor --size 48 $i done +xdg-desktop-menu install /usr/share/qubes/qubes-dispvm.directory /usr/share/qubes/qubes-dispvm-firefox.desktop + # Because we now have an installer # this script is always executed during upgrade # and we decided not to restart core during upgrade @@ -293,6 +297,8 @@ if [ "$1" = 0 ] ; then for i in /usr/share/qubes/icons/*.png ; do xdg-icon-resource uninstall --novendor --size 48 $i done + + xdg-desktop-menu uninstall /usr/share/qubes/qubes-dispvm.directory /usr/share/qubes/qubes-dispvm-firefox.desktop fi %postun @@ -353,6 +359,8 @@ fi /usr/share/qubes/icons/*.png /usr/share/qubes/qubes-vm.directory.template /usr/share/qubes/qubes-templatevm.directory.template +/usr/share/qubes/qubes-dispvm.directory +/usr/share/qubes/qubes-dispvm-firefox.desktop /usr/share/qubes/qubes-appmenu-select.desktop /usr/share/qubes/vm-template.conf /usr/lib/qubes/qubes_setup_dnat_to_ns From bf9b63e06f6113e1bb3ad7331cdda2bf8175006d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 00:26:53 +0200 Subject: [PATCH 113/117] dom0/qmemman: allow balance when xen have low free memory (#563) --- dom0/qmemman/qmemman.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dom0/qmemman/qmemman.py b/dom0/qmemman/qmemman.py index 227cc812..cf6325a7 100755 --- a/dom0/qmemman/qmemman.py +++ b/dom0/qmemman/qmemman.py @@ -132,6 +132,9 @@ class SystemState: total_memory_transfer = 0 MIN_TOTAL_MEMORY_TRANSFER = 150*1024*1024 MIN_MEM_CHANGE_WHEN_UNDER_PREF = 15*1024*1024 + # If xenfree to low, return immediately + if self.XEN_FREE_MEM_LEFT - xenfree > MIN_MEM_CHANGE_WHEN_UNDER_PREF: + return True for rq in memset_reqs: dom, mem = rq last_target = self.domdict[dom].last_target From da63af599c35c0136fa07449c77437a35e4858a3 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:30:06 +0200 Subject: [PATCH 114/117] vm/spec: fix enabling of qubes-firewall SysV service --- rpm_spec/core-vm.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index df49f4e7..6d97102b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -480,8 +480,8 @@ chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" From a6c7d0efbe100645b569c590d2bc66e05ef94f3e Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:31:28 +0200 Subject: [PATCH 115/117] vm/spec: fix error messages --- rpm_spec/core-vm.spec | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 6d97102b..85385134 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -476,14 +476,14 @@ chkconfig messagebus on chkconfig iptables on chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core_appvm!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" +chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" +chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" From 0006ebdafffb47ae80a0a2bf54a87b4b0b7e9ae8 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:36:22 +0200 Subject: [PATCH 116/117] vm/spec: fix enabling NetworkManager SystemD service --- rpm_spec/core-vm.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 85385134..3cb6a6b2 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -596,7 +596,9 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service /bin/systemctl enable iptables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null /bin/systemctl enable ntpd.service 2> /dev/null -/bin/systemctl enable NetworkManager.service +# Disable original service to enable overriden one +/bin/systemctl disable NetworkManager.service 2> /dev/null +/bin/systemctl enable NetworkManager.service 2> /dev/null # Enable cups only when it is real SystemD service [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null From 50dc08668230eecc0a3f28f70d3df54e72796636 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 11:05:03 +0200 Subject: [PATCH 117/117] dom0/core: typo fix in clone_disk_files (#608) --- dom0/qvm-core/qubes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index f8120b62..735f2a20 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -1608,7 +1608,7 @@ class QubesTemplateVm(QubesVm): if dry_run: return - super(QubesTemplateVM, self).clone_disk_files(src_vm=src_vm, verbose=verbose) + super(QubesTemplateVm, self).clone_disk_files(src_vm=src_vm, verbose=verbose) if os.path.exists(src_vm.dir_path + '/vm-' + qubes_whitelisted_appmenus): if verbose: