From 2af085fc0cf33c988f038677dfc631f65aa134fc Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 8 Mar 2012 12:44:41 +0100
Subject: [PATCH 01/10] version 1.7.15
---
 version_dom0 | 2 +-
 version_vm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/version_dom0 b/version_dom0
index 68ced4b6..25eebeb8 100644
--- a/version_dom0
+++ b/version_dom0
@@ -1 +1 @@
-1.7.14
+1.7.15
diff --git a/version_vm b/version_vm
index 68ced4b6..25eebeb8 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.7.14
+1.7.15
From 35b1264424bb5bb9080d4c998224c60b0d8e0083 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 8 Mar 2012 21:45:55 +0100
Subject: [PATCH 02/10] version 1.7.16
---
 version_dom0 | 2 +-
 version_vm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/version_dom0 b/version_dom0
index 25eebeb8..15421b30 100644
--- a/version_dom0
+++ b/version_dom0
@@ -1 +1 @@
-1.7.15
+1.7.16
diff --git a/version_vm b/version_vm
index 25eebeb8..15421b30 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.7.15
+1.7.16
From c174d0c1845cc07538dd62a71cc1a74ed288d679 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 00:00:20 +0100
Subject: [PATCH 03/10] dom0/qvm-block: ignore unsupported devices istead of throw exception (#476)
---
 dom0/qvm-core/qubesutils.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py
index d1690505..9df4a54f 100644
--- a/dom0/qvm-core/qubesutils.py
+++ b/dom0/qvm-core/qubesutils.py
@@ -136,7 +136,8 @@ def block_name_to_majorminor(name):
 disk = False
 major = 11
 else:
- raise QubesException("Unknown device type %s" % name_match.group(1))
+ # Unknown device
+ return (0, 0)
 if disk:
 minor = (ord(name_match.group(2))-ord('a')) * 16
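Review bot: Returning `(0, 0)` for an unrecognised device name replaces an exception with an in-band sentinel that every caller must remember to compare against; `block_list` in the next hunk does, but the detach and check_attached paths that its new comment names are not visible here, and a caller that forgets the check would quietly work with major 0. Returning `None` would make a forgotten check fail on first use rather than yield a wrong device number; if the tuple is kept, state the contract on the function, e.g. `# Returns (0, 0) when the major number for this name is unknown; callers must check for it before use.` The body of `block_name_to_majorminor` continues outside the hunk.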
@@ -211,6 +212,10 @@ def block_list(vm = None):
 if not mode_re.match(device_mode):
 print >> sys.stderr, "Invalid %s device mode in VM '%s'" % (device, vm_name)
 continue
+ # Check if we know major number for this device; attach will work without this, but detach and check_attached don't
+ if block_name_to_majorminor(device) == (0, 0):
+ print >> sys.stderr, "Unsupported device %s:%s" % (vm_name, device)
+ continue
 visible_name = "%s:%s" % (vm_name, device)
 devices_list[visible_name] = {"name": visible_name, "xid":int(xid), "vm": vm_name, "device":device, "size":int(device_size),
From d91bbdb3dde23031dd3b7d7fc1e1bcd3e81b6834 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 00:04:36 +0100
Subject: [PATCH 04/10] dom0/qvm-block: add support for md devices (#476)
---
 dom0/qvm-core/qubesutils.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dom0/qvm-core/qubesutils.py b/dom0/qvm-core/qubesutils.py
index 9df4a54f..e9e0897f 100644
--- a/dom0/qvm-core/qubesutils.py
+++ b/dom0/qvm-core/qubesutils.py
@@ -135,6 +135,9 @@ def block_name_to_majorminor(name):
 elif name.startswith("sr"):
 disk = False
 major = 11
+ elif name.startswith("md"):
+ disk = False
+ major = 9
 else:
 # Unknown device
 return (0, 0)
From 29d7fbfad39c72cbe654557cf26ccfda4867d085 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Fri, 9 Mar 2012 00:21:39 +0100
Subject: [PATCH 05/10] vm/qubes_netwatcher: correct type in service name (#465)
This prevented netwatcher being started in the firewallvm.
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index afd7cdaa..44d56a07 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
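Review bot: The new `Unsupported device %s:%s` message writes `device` to dom0's stderr unmodified; the surrounding messages show these entries are enumerated per VM, and if the name is taken from the VM's own xenstore tree it is VM-controlled text reaching a dom0 terminal, a property the adjacent `Invalid %s device mode` line already has. Applying to `device` the same kind of strict pattern that `mode_re` applies to `device_mode` before it is printed, or printing `repr(device)`, keeps that output sanitised. `block_list` continues past the end of the hunk.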
@@ -18,8 +18,8 @@ while true; do
 # thus, no sanitization ready
 # but be careful when passing it to other shell scripts
 if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
- /sbin/service qubes_firewall stop
- /sbin/service qubes_firewall start
+ /sbin/service qubes-firewall stop
+ /sbin/service qubes-firewall start
 CURR_NETCFG="$UNTRUSTED_NETCFG"
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
From 0bad3c3decf5bd036e8793891c65daaf0722a194 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:01:30 +0100
Subject: [PATCH 06/10] vm/netwatcher: watch also for netvm change (#478)
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index 44d56a07..a0e54fbe 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
@@ -24,8 +24,8 @@ while true; do
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
- /usr/bin/xenstore-watch-qubes /local/domain/$NET_DOMID/qubes_netvm_external_ip
+ /usr/bin/xenstore-watch -n 2 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
 else
- /usr/bin/xenstore-watch-qubes qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 1 qubes_netvm_domid
 fi
 done
From 0b142fb0400ae375939408c38669ce06c312d7b3 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:03:59 +0100
Subject: [PATCH 07/10] vm/init.d: make firewall and netwatcher service consistent with systemd
---
 rpm_spec/core-vm.spec | 12 ++++++------
 vm-init.d/{qubes_firewall => qubes-firewall} | 0
 vm-init.d/{qubes_netwatcher => qubes-netwatcher} | 0
 3 files changed, 6 insertions(+), 6 deletions(-)
 rename vm-init.d/{qubes_firewall => qubes-firewall} (100%)
 rename vm-init.d/{qubes_netwatcher => qubes-netwatcher} (100%)
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index f02cdccf..c11b699d 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -411,8 +411,8 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes_core
 /etc/init.d/qubes_core_appvm
 /etc/init.d/qubes_core_netvm
-/etc/init.d/qubes_firewall
-/etc/init.d/qubes_netwatcher
+/etc/init.d/qubes-firewall
+/etc/init.d/qubes-netwatcher
 %post sysvinit
@@ -443,8 +443,8 @@ chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core
 chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
-chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!"
-chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
+chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
 # TODO: make this not display the silly message about security context...
 sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
@@ -455,8 +455,8 @@ if [ "$1" = 0 ] ; then
 chkconfig qubes_core off
 chkconfig qubes_core_netvm off
 chkconfig qubes_core_appvm off
- chkconfig qubes_firewall off
- chkconfig qubes_netwatcher off
+ chkconfig qubes-firewall off
+ chkconfig qubes-netwatcher off
 fi
 %package systemd
diff --git a/vm-init.d/qubes_firewall b/vm-init.d/qubes-firewall
similarity index 100%
rename from vm-init.d/qubes_firewall
rename to vm-init.d/qubes-firewall
diff --git a/vm-init.d/qubes_netwatcher b/vm-init.d/qubes-netwatcher
similarity index 100%
rename from vm-init.d/qubes_netwatcher
rename to vm-init.d/qubes-netwatcher
From 9547b191ade0f5d836859a0179b8e582a786c6e1 Mon Sep 17 00:00:00 2001
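Review bot: The `%post sysvinit` hunk (`@@ -443`) renames only the netwatcher registration, while the two context lines `chkconfig --add qubes_firewall` and `chkconfig qubes_firewall on` keep the underscore name even though the first hunk and the rename entries below now install the script as `/etc/init.d/qubes-firewall`; on a fresh install the firewall service will not be registered, and only the `%preun` hunk was updated for it. Change them to `chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!"` and `chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"`. The two new netwatcher lines also carry the copy-pasted `qubes_core` in their warning text, so a failure would be reported against the wrong service; name the service actually being added in each message.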
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:44:27 +0100
Subject: [PATCH 08/10] vm/qvm-firewall: force firewall reload on service start (#478)
This makes firewall reload triggered by qubes-netwatcher working again.
---
 network/qubes_firewall | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/network/qubes_firewall b/network/qubes_firewall
index 81dbca7c..30670b82 100755
--- a/network/qubes_firewall
+++ b/network/qubes_firewall
@@ -12,13 +12,20 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
+FIRST_TIME=yes
+
 while true; do
 echo "1" > /proc/sys/net/ipv4/ip_forward
- # Wait for changes in xenstore file
- /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
- TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+ if [ "$FIRST_TIME" ]; then
+ FIRST_TIME=
+ TRIGGER=reload
+ else
+ # Wait for changes in xenstore file
+ /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
+ TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+ fi
 if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
From ceed4507eb0872249970a46d780466eb6494a611 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:52:28 +0100
Subject: [PATCH 09/10] dom0/qvm-network: implement dynamic switching in property setter (#478)
Also add to it missing parts: firewall reload and netid attr set (+perms for it)
---
 dom0/qvm-core/qubes.py | 81 +++++++++++++++++++++++++++++++---------
 dom0/qvm-tools/qvm-prefs | 13 +------
 2 files changed, 64 insertions(+), 30 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 2d8ae4c9..9f826829 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
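Review bot: The forced first pass reloads the rules before any watch on `$XENSTORE_IPTABLES` exists, so what happens on the second iteration depends on `xenstore-watch-qubes`, which is not shown: if, like stock `xenstore-watch`, it returns on the initial event a newly registered watch fires, the loop immediately re-reads and reloads once more (harmless, but worth a comment); if it does not, a write that lands between the initial reload and the watch registration is missed until the next one. A comment above `FIRST_TIME=yes` stating which case holds, e.g. `# Apply the current rules once unconditionally at start-up, then block on xenstore changes`, would make the intent checkable. `[ "$FIRST_TIME" ]` relies on the non-empty-string test; `[ -n "$FIRST_TIME" ]` says the same thing explicitly. The `while` loop continues past the end of the hunk.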
@@ -232,7 +232,7 @@ class QubesVm(object):
 "template_vm": { "default": None, 'order': 10 },
 # order >= 20: have template set
 "uses_default_netvm": { "default": True, 'order': 20 },
- "netvm": { "default": None, 'order': 20 },
+ "netvm": { "default": None, "attr": "_netvm", 'order': 20 },
 "label": { "attr": "_label", "default": QubesVmLabels["red"], 'order': 20 },
 "memory": { "default": default_memory, 'order': 20 },
 "maxmem": { "default": None, 'order': 25 },
@@ -369,6 +369,47 @@ class QubesVm(object):
 os.symlink (new_label.icon_path, self.icon_path)
 subprocess.call(['sudo', 'xdg-icon-resource', 'forceupdate'])
+ @property
+ def netvm(self):
+ return self._netvm
+
+ # Don't know how properly call setter from base class, so workaround it...
+ @netvm.setter
+ def netvm(self, new_netvm):
+ self._set_netvm(new_netvm)
+
+ def _set_netvm(self, new_netvm):
+ if self.netvm is not None:
+ self.netvm.connected_vms.pop(self.qid)
+ if self.is_running():
+ subprocess.call(["xl", "network-detach", self.name, "0"], stderr=subprocess.PIPE)
+ if hasattr(self.netvm, 'post_vm_net_detach'):
+ self.netvm.post_vm_net_detach(self)
+
+ if new_netvm is None:
+ # Set also firewall to block all traffic as discussed in #370
+ if os.path.exists(self.firewall_conf):
+ shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
+ % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
+ self.write_firewall_conf({'allow': False, 'allowDns': False,
+ 'allowIcmp': False, 'rules': []})
+ else:
+ new_netvm.connected_vms[self.qid]=self
+
+ self._netvm = new_netvm
+
+ if new_netvm is None:
+ return
+
+ if self.is_running():
+ if not new_netvm.is_running():
+ new_netvm.start()
+ # refresh IP, DNS etc
+ self.create_xenstore_entries()
+ self.attach_network()
+ if hasattr(self.netvm, 'post_vm_net_attach'):
+ self.netvm.post_vm_net_attach(self)
+
 @property
 def ip(self):
 if self.netvm is not None:
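Review bot: `subprocess.call(["xl", "network-detach", self.name, "0"], stderr=subprocess.PIPE)` in `_set_netvm` attaches a pipe that is never read, which the subprocess documentation warns can deadlock once the child fills it, and the return code is discarded, so a failed detach is followed by an attach to the new NetVM anyway; redirect to `os.devnull` and at least look at the result, e.g. `if subprocess.call(["xl", "network-detach", self.name, "0"], stderr=open(os.devnull, 'w')) != 0:` followed by a warning or a `QubesException`. The state updates are also not failure-safe: `connected_vms` and `self._netvm` are already rewritten when `new_netvm.start()`, `create_xenstore_entries()` or `attach_network()` runs, so an exception there leaves the object pointing at a NetVM it is not attached to, which is worth a comment at minimum. The `ip` property at the end of the hunk continues outside it.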
@@ -441,22 +482,6 @@ class QubesVm(object):
 raise QubesException ("Change 'updateable' flag is not supported. Please use qvm-create.")
- def set_netvm(self, netvm):
- if self.netvm is not None:
- self.netvm.connected_vms.pop(self.qid)
-
- if netvm is None:
- # Set also firewall to block all traffic as discussed in #370
- if os.path.exists(self.firewall_conf):
- shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml"
- % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S')))
- self.write_firewall_conf({'allow': False, 'allowDns': False,
- 'allowIcmp': False, 'rules': []})
- else:
- netvm.connected_vms[self.qid]=self
-
- self.netvm = netvm
-
 def pre_rename(self, new_name):
 pass
@@ -1811,6 +1836,25 @@ class QubesProxyVm(QubesNetVm):
 def type(self):
 return "ProxyVM"
+ def _set_netvm(self, new_netvm):
+ old_netvm = self.netvm
+ super(QubesProxyVm, self)._set_netvm(new_netvm)
+ if self.netvm is not None:
+ self.netvm.add_external_ip_permission(self.get_xid())
+ self.write_netvm_domid_entry()
+ if old_netvm is not None:
+ old_netvm.remove_external_ip_permission(self.get_xid())
+
+ def post_vm_net_attach(self, vm):
+ """ Called after some VM net-attached to this ProxyVm """
+
+ self.write_iptables_xenstore_entry()
+
+ def post_vm_net_detach(self, vm):
+ """ Called after some VM net-detached from this ProxyVm """
+
+ self.write_iptables_xenstore_entry()
+
 def start(self, debug_console = False, verbose = False, preparing_dvm = False):
 if dry_run:
 return
@@ -2530,7 +2574,8 @@ class QubesVmCollection(dict):
 else:
 netvm = self[netvm_qid]
- vm.netvm = netvm
+ # directly set internal attr to not call setters...
+ vm._netvm = netvm
 if netvm:
 netvm.connected_vms[vm.qid] = vm
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index 7fc55c4f..08d06156 100755
--- a/dom0/qvm-tools/qvm-prefs
+++ b/dom0/qvm-tools/qvm-prefs
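Review bot: In `QubesProxyVm._set_netvm` the permission on the old NetVM is removed after the permission on the new one is added, so when `new_netvm` is the same object as `old_netvm` (re-setting the current value) `remove_external_ip_permission` undoes the `add_external_ip_permission` just made; guard it with `if old_netvm is not None and old_netvm is not self.netvm:`. `write_netvm_domid_entry()` is called only when the new NetVM is not None, so on disconnection the `qubes_netvm_domid` entry that the netwatcher script elsewhere in this series reads is presumably left pointing at the previous NetVM; confirm whether it should be cleared or rewritten. Both permission calls pass `self.get_xid()` without checking that the ProxyVM is running, and what it returns for a stopped domain is not visible here. The `start` method that follows continues outside the hunk.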
@@ -150,18 +150,7 @@ def set_netvm(vms, vm, args):
 exit (1)
 vm.uses_default_netvm = False
- vm.set_netvm(netvm)
- if not vm.is_running():
- return
- # this can fail if VM was not connected to any NetVM
- subprocess.call(["xl", "network-detach", vm.name, "0"], stderr=subprocess.PIPE)
- if vm.netvm is None:
- return
- if not vm.netvm.is_running():
- subprocess.check_call(["qvm-start", vm.netvm.name])
- # refresh IP, DNS etc
- vm.create_xenstore_entries()
- vm.attach_network(verbose = True)
+ vm.netvm = netvm
 def set_updateable(vms, vm, args):
 if vm.is_updateable():
From e9d341ff710497ad369155406afaca9989d7becd Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:54:16 +0100
Subject: [PATCH 10/10] vm/netwatcher: fix watch
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index a0e54fbe..2512f737 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
@@ -24,8 +24,8 @@ while true; do
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
- /usr/bin/xenstore-watch -n 2 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
 else
- /usr/bin/xenstore-watch -n 1 qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 2 qubes_netvm_domid
 fi
 done
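Review bot: `vm.uses_default_netvm = False` is assigned before `vm.netvm = netvm`, and the setter it now delegates to can raise (per the qubes.py hunks it starts the NetVM and attaches the network), so a failed switch leaves the flag flipped while the NetVM is unchanged; assign in the other order, `vm.netvm = netvm` followed by `vm.uses_default_netvm = False`. The deleted lines started the NetVM through `qvm-start` and called `attach_network(verbose = True)`, whereas the setter calls `start()` and `attach_network()` directly, so the progress output of this command changes; if that is intended it deserves a mention in the commit message. `set_netvm` ends within the hunk.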
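Review bot: The two `-n` counts are bare magic numbers whose value is exactly what this fix is about: moving from `-n 2`/`-n 1` to `-n 3`/`-n 2` suggests each registered path fires one event on registration and the script wants one genuine change on top (number of paths plus one), but nothing in the script says so and the previous commit got it wrong. Add a comment above the first call, e.g. `# each watched path fires once on registration; -n is paths + 1 so we return on one real change`, so the next edit to the path list updates the count with it. If that reading is right, one extra event on either path still ends the wait before the other path changes, which presumably is acceptable since the loop re-reads everything. The `while` loop starts outside the hunk.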