StandaloneVM have no template to get clean volatile.img. Normally it is copied
from template during VM creation, but it can happen that image would not extx
(e.g. after backup restore). So create it from scratch.
Stay with original approach (restoring from clean image of template) for other
cases as it is much simpler (and perhaps faster).
No more ugly symlink creation at VM startup, nautilus-actions have system-wide
dir (in opposite to nautilus-scripts).
Currently old symlinks are not cleaned up. Maybe it should, but leaving them
have one advantage: will not break existing users behavior.
This is more accurate name. Also "qubes-setupdvm" is already used in
some places, so change service name instead of changing that places (at
least qubes-core.service).
Upgrade of kernel is suppressed by qubes-vm-kernel-placeholder package.
Excluding xorg packages makes more problems than goods (e.g. unable to
install dummy driver, block fedora bugfixes).
Same purpose as sudo rule - the user already can do almost all
administrative tasks and access all VMs data, so do disable annoying
password prompt (eg at system shutdown), which do not add any real
security layer.
This reverts commit 4b44f977db.
This doesn't actually fix the problem, because in %post new qubes.py is already
installed and maxmem=memory is no longer true.
HVM should have meminfo-writer disabled by default (and now have). But existing
VMs have it already enabled so it must be fixed now. Generic HVM isn't capable
of dynamic memory management.
Previously it was forced to always have maxmem=memory but it wasn't fully
correct because someone could install Qubes agents/PV drivers including
meminfo-writer and xen-balloon even in HVM so it should be possible to turn it.
%setup macro must be present in %prep to set variables required by
find-debuginfo script. Symlink is to place sources in nice
/usr/src/debug/%{name}-%{version} subdir instead of plain /usr/src/debug/core
(which can be ambiguous).
Additionally all packages need to have _builddir pointing at top src dir (in
core-dom0 it was dom0 subdir). And to cheat make about current dir (to have
%{name}-%{version} included in path) chdir must be done by shell, not make - so
can't use make -C.
This libs are required by both dom0 and VM so it's better to have it
separately. Previously in VM it was separate package, but dom0 have them
embedded in qubes-core-dom0, but qubes-core-vm-libs package was used to build
qubes-gui-dom0. Now we do not build all packages for all distros (especially do
not build core-vm package for dom0 distro, so gui-dom0 build fails), so make it
explicit which package is needed by which system.
Some packages depends on kernel (ex fuse, pulseaudio), but kernel in VM is
managed by dom0. Any hack like exlude or so on will break some things, so
install empty placeholder package to fulfill dependencies.
1. Try to use NetworkManager sleep command instead of shutting it down
2. Move sleep action details (which is VM-specific) to VM
3. Export it as qrexec service(s)
1. Try to use NetworkManager sleep command instead of shutting it down
2. Move sleep action details (which is VM-specific) to VM
3. Export it as qrexec service(s)
Actually all /etc/pam.d/ files containing pam_systemd.so are autogenerated by
authconfig, so "removing" pam_systemd.so file as not elegant solution, seems to
be much more realiable.
Actually all /etc/pam.d/ files containing pam_systemd.so are autogenerated by
authconfig, so "removing" pam_systemd.so file as not elegant solution, seems to
be much more realiable.
When device is ejected by some VM (state=6, effectively inactive), it should be
removed from xenstore to free slot for some another device. This should be done
by libxl toolstack, but not implemented in xen 4.1 - AFAIR done in xen 4.2.
The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it
is reasonable to bypass the proxy. Some examples:
- usage of non-standard repos with some exotic file layout, which will be
blocked by the proxy
- usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM)
This commit introduces 'yum-proxy-setup' pseudo-service, which can be
controlled via standard qvm-service or qubes-manager. When enabled - yum will
be configured at VM startup to use qubes proxy, otherwise - to connect directly
(proxy setting will be cleared).
Introduce proxy service, which allow only http(s) traffic to yum repos. The
filter rules are based on URL regexp, so it isn't full-featured content
inspection and can be easy bypassed, but should be enough to prevent some
erroneus user actions (like clicking on invalid link).
It is set up to intercept connections to 10.137.255.254:8082, so VM can connect
to this IP regardless of VM in which proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).
The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it
is reasonable to bypass the proxy. Some examples:
- usage of non-standard repos with some exotic file layout, which will be
blocked by the proxy
- usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM)
This commit introduces 'yum-proxy-setup' pseudo-service, which can be
controlled via standard qvm-service or qubes-manager. When enabled - yum will
be configured at VM startup to use qubes proxy, otherwise - to connect directly
(proxy setting will be cleared).
Introduce proxy service, which allow only http(s) traffic to yum repos. The
filter rules are based on URL regexp, so it isn't full-featured content
inspection and can be easy bypassed, but should be enough to prevent some
erroneus user actions (like clicking on invalid link).
It is set up to intercept connections to 10.137.255.254:8082, so VM can connect
to this IP regardless of VM in which proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).
XENCONSOLED_LOG_GUESTS was erroneously replaced by XENCONSOLED_LOG_HYPERVISOR.
So to config fresh systems and broken by prevoius version, remove any
XENCONSOLED_LOG_ entries and add correct one at the config end.
XENCONSOLED_LOG_GUESTS was erroneously replaced by XENCONSOLED_LOG_HYPERVISOR.
So to config fresh systems and broken by prevoius version, remove any
XENCONSOLED_LOG_ entries and add correct one at the config end.
In FC15, NetworkManager by default uses global connections ("Available to all users"). Save them in /rw instead of /etc, to preserve them across reboots.