Commit Graph

950 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
beaa0e9348
tests/mgmt: check if argument/payload is rejected when should be
Instead of creating such tests for each method separately, use unittest
subTest functionality to handle all of them at once.
2017-03-16 20:04:06 +01:00
Marek Marczykowski-Górecki
944bb26369
tests/mgmt: VM property related functions 2017-03-16 20:04:05 +01:00
Marek Marczykowski-Górecki
35d1167893
qubes/vm/net: fix name of argument for property-del event handler
Since enforcing keyword arguments for event handlers, it's important now.
2017-03-16 20:04:05 +01:00
Marek Marczykowski-Górecki
32f6bc2cd9
qubes/app: fix notifying about default_netvm change
Notify every VM that is affected, not only those providing network
itself.
2017-03-16 20:04:05 +01:00
Marek Marczykowski-Górecki
2c4303efc4
Prefer qubes.exc.QubesValueError over ValueError
This provide clearer information for UI.
2017-03-16 20:04:05 +01:00
Marek Marczykowski-Górecki
010d40dc1e
mgmt: add label-related calls
QubesOS/qubes-issues#2622
2017-03-16 20:04:04 +01:00
Marek Marczykowski-Górecki
33f3fedca1
mgmt: save qubes.xml after config-modifying calls
In theory any call could modify config (through events), but lets keep
writes to qubes.xml low. In any case, qubes.xml will be eventually
written (either at next config-modifying call, or daemon exit).
2017-03-16 20:04:04 +01:00
Marek Marczykowski-Górecki
868dbeac3e
mgmt: implement mgmt.vm.property.Set
Sanitization of input value is tricky here, and also very important at
the same time. If property define value type (and it's something more
specific than 'str'), use that. Otherwise allow only printable ASCII
characters, and let appropriate event and setter handle value.
At this point I've reviewed all QubesVM properties in this category and
added appropriate setters where needed.

QubesOS/qubes-issues#2622
2017-03-16 20:04:03 +01:00
Marek Marczykowski-Górecki
da51e6f032
vm/qubesvm: add validator for default_user property
Don't allow characters potentially interfering with qrexec. To be on the
safe side, allow only alphanumeric characters + very few selected
punctuations.
2017-03-16 20:04:03 +01:00
Marek Marczykowski-Górecki
0f8fab088e
vm/qubesvm: remove pool_name property
It isn't used anywhere - in core3 each storage volume have pool assigned
- which may be different for each volume.
2017-03-16 20:04:03 +01:00
Marek Marczykowski-Górecki
2d2672ec58
vm/qubesvm: convert firewall_conf into dumb, read-only property
Don't allow anything else than firewall.xml.
2017-03-16 20:04:03 +01:00
Marek Marczykowski-Górecki
123feced36
vm/qubesvm: forbid '/' in kernel property
It would give VM access to some files outside of
/var/lib/qubes/vm-kernels.
2017-03-16 20:04:02 +01:00
Marek Marczykowski-Górecki
a036e2a8a0
vm/qubesvm: improve name property setter
Split it into two functions: validate_name - context-less verification,
and actual _setter_name which perform additional verification in
context of actual VM.
Switch to qubes.exc.* exceptions where appropriate.
2017-03-16 20:04:02 +01:00
Marek Marczykowski-Górecki
dbf2066dfd
mgmt: encode property type in property.Get
This also require having property.type public.

QubesOS/qubes-issues#2622
2017-03-16 20:04:02 +01:00
Marek Marczykowski-Górecki
3b36e92b6d
vm/qubesvm: fix few more keyword arguments for events 2017-03-16 20:04:02 +01:00
Marek Marczykowski-Górecki
772293d0b5
vm/qubesvm: define 'updateable' as qubes.property
This will allow property being accessed through management API
2017-03-16 20:04:01 +01:00
Marek Marczykowski-Górecki
f7eabf8eb0
tools/qubesd: do not close connection before sending response
eof_received callback should return True, if connection should not be
automatically closed just after returning from it.
2017-03-16 20:04:01 +01:00
Marek Marczykowski-Górecki
c41585e2f5
Initialize dom0 label
It is required property. Additionally, define icon_path to None,
otherwise it tries to access dom0.dir_path, which isn't set.
2017-03-16 20:04:01 +01:00
Marek Marczykowski-Górecki
10a07c8726
mgmt: allow vm.List call to a particular VM
This allow getting info about a single VM.

QubesOS/qubes-issues#853
2017-03-16 20:04:01 +01:00
Marek Marczykowski-Górecki
fb7bd6823a
mgmt: implement storage-related methods
QubesOS/qubes-issues#2622
2017-03-16 20:04:01 +01:00
Wojtek Porczyk
80807fb872 qubes/libvirtaio: document and prepare for upstream
QubesOS/qubes-issues#2622
2017-03-16 15:21:16 +01:00
Wojtek Porczyk
a5c59a5075 qubes/mgmt: Drop custom repr
QubesOS/qubes-issues#2622
2017-03-13 22:00:15 +01:00
Wojtek Porczyk
93153da893 Add documentation for mgmt
QubesOS/qubes-issues#2622
2017-03-13 21:51:52 +01:00
Wojtek Porczyk
417cb6e912 qubes/vm/mix/net: fix event arguments
Arguments to events are now keyword-only and require exact names.
2017-03-06 17:20:57 +01:00
Wojtek Porczyk
4a247b1b1b Merge remote-tracking branch 'origin/pull/90/head' into core3-devel 2017-03-02 13:19:57 +01:00
Marek Marczykowski-Górecki
f7d73893d7
qubes/storage: py3k related fixes 2017-03-01 21:50:06 +01:00
Wojtek Porczyk
c2a0d34ade pylint: do not interpret asyncio.ensure_future compat hack 2017-03-01 18:30:49 +01:00
Wojtek Porczyk
865ab10a0c qubesd+mgmt: convert mgmt functions to coroutines
QubesOS/qubes-issues#2622
2017-03-01 17:31:37 +01:00
Marek Marczykowski-Górecki
3e0f225938
qubes: allow 'property' object comparing with str
This will allow checking if a given name is valid property name, using
simple `name in vm.property_list()`.

QubesOS/qubes-issues#853
2017-02-27 21:57:56 +01:00
Marek Marczykowski-Górecki
2169075807
qubesd: fix response message header
Type is not 16 bit big-endian. Encode it as 8bit code and \x00 as
delimiter explicitly.

QubesOS/qubes-issues#853
2017-02-27 21:43:14 +01:00
Marek Marczykowski-Górecki
6ab7032b11
qubes/mgmt: encode VM name without quotes
That's how it is in the specification.

QubesOS/qubes-issues#853
2017-02-27 21:42:30 +01:00
Marek Marczykowski-Górecki
f4616fc366
qubesd: make qubesd socket qubes-group owned
QubesOS/qubes-issues#853
2017-02-27 21:42:06 +01:00
Marek Marczykowski-Górecki
c454973596
qubes/mgmt: use keyword arguments in events
QubesOS/qubes-issues#853
2017-02-27 20:56:16 +01:00
Marek Marczykowski-Górecki
751415434c
backup: make hmac verification more defensive
Check HMAC file size, read it as binary or with 'ascii' encoding only.
2017-02-27 02:37:52 +01:00
Marek Marczykowski-Górecki
a6c7da6061
tests: be even more defensive on cleaning up VMs
Don't fail even if qubes-test.xml do not load at all because of syntax
error - for example empty file.
2017-02-27 02:37:52 +01:00
Marek Marczykowski-Górecki
45709b510a
backup: minor fixes after bringing back scrypt support 2017-02-27 02:37:51 +01:00
Marek Marczykowski-Górecki
1363251438
Revert "Revert "backup: use 'scrypt' tool for backup encryption and integrity protection""
This reverts commit 0f1672dc63.

Bring it back. Lets not revert the whole feature just because required
package exists only in qubes-builder, not in some online repository.
Also, this revert didn't go as planned - there was a reference to a
'passphrase' local variable, but it wasn't assigned any value.

Cc: @woju
2017-02-27 02:37:50 +01:00
Marek Marczykowski-Górecki
13fc810363
tests: some more fixes for core3 API 2017-02-27 02:37:50 +01:00
Marek Marczykowski-Górecki
3ecc0a9bcb
tests: improve devices API unit test
Check fired events - inspired by qvm-device test.
2017-02-27 02:37:50 +01:00
Marek Marczykowski-Górecki
7f2ca33774
tests: fix importing template in non-default pool 2017-02-27 02:37:50 +01:00
Marek Marczykowski-Górecki
3726c7d9c3
python: decode xrandr output earlier, don't use regexp on bytes 2017-02-27 02:37:49 +01:00
Marek Marczykowski-Górecki
5e43d26abd
qubes: unify property ordering
We already have property ordering defined in property_list(), lets move
it to proper place: property.__lt__.
2017-02-27 02:37:49 +01:00
Marek Marczykowski-Górecki
9ace4e66f1
tests: more py3k related fixes 2017-02-27 02:37:49 +01:00
Marek Marczykowski-Górecki
33416f2549
qmemman: update for py3k
This just make the code compatible with py3k, but nothing more.
Converting to asyncio is probably the next step.
2017-02-27 02:37:49 +01:00
Marek Marczykowski-Górecki
2c3e112951
backup: one more py3k related fix 2017-02-27 02:37:48 +01:00
Marek Marczykowski-Górecki
e52d8fb051
qubes: allow passing name of class to app.add_new_vm
This will allow more flexible API usage, especially when using mgmt API
- we need to use VM type as string there.
We don't lose any flexibility here - VM class names needs to be uniquely
identified by a string (used in qubes.xml) anyway.
2017-02-27 02:37:48 +01:00
Marek Marczykowski-Górecki
cae68f64ca
tests: just one more test in vm_qrexec_gui to core3 API 2017-02-27 02:37:48 +01:00
Marek Marczykowski-Górecki
3f29345d32
tests/storage: read-only volume should not have save_on_stop=True 2017-02-27 02:37:48 +01:00
Marek Marczykowski-Górecki
5ee05e06e5
qubes/core2migration: update locking API
Sync with 0141e1a "qubes/app: Allow keeping lock after load"
2017-02-27 02:37:47 +01:00
Marek Marczykowski-Górecki
570cbe5225
qubes: py3k related fixes 2017-02-27 02:37:45 +01:00
Marek Marczykowski-Górecki
9c5c70fe25
qubes/backup: py3k related fixes
- str/bytes usage
- functools.reduce
- dict.items instead of dict.iteritems etc
2017-02-27 02:35:50 +01:00
Marek Marczykowski-Górecki
f2a1687879
typos in comments 2017-02-27 02:35:49 +01:00
Marek Marczykowski-Górecki
9cad353939
tests: py3k related fixes - bytes/str
Adjust usage of bytes vs str type.
2017-02-27 02:35:49 +01:00
Marek Marczykowski-Górecki
d68499f17f
qubes: add property ordering 2017-02-27 02:35:49 +01:00
Wojtek Porczyk
be53db4db9 qubes/events: they accept only keyword arguments
Positional arguments are hereby deprecated, with immediate effect.

QubesOS/qubes-issues#2622
2017-02-21 14:46:42 +01:00
Wojtek Porczyk
48f10a79c9 qubes/tools/qubesd: add response header
QubesOS/qubes-issues#2622
2017-02-21 14:46:42 +01:00
Wojtek Porczyk
25d81b8ab6 Merge remote-tracking branch 'origin/pull/88/head' into core3-devel 2017-02-15 12:17:41 +01:00
Marek Marczykowski-Górecki
e50b17a6b3
tools/qvm-features: make pylint happy
reduce number of return statements.
2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
a317e81d7e
qubes/ext/gui: adjust shm.id path
It's moved to /var/run/qubes and now is built based on $DISPLAY.
2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
bd9300b38e
tests: copy pool configuration into qubes-test.xml
If template choosen for the tests is installed in non-default storage
pool, this pool also needs to be imported into qubes-test.xml.
2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
0c43329188
tools/qvm-features: fix handling empty list of features 2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
98edc9779c
tools/qvm-features: fix domain argument handling
It's args.domains[0], not args.vm.
2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
c3fc4062d8
tests: add basic test for qvm-features 2017-02-15 00:01:33 +01:00
Marek Marczykowski-Górecki
bcab92ee64
qubes/vm: make sure to close qmemman socket after failed startup
If qmemman socket isn't closed, it will block other VM startups.
2017-02-14 23:59:07 +01:00
Marek Marczykowski-Górecki
01aedb7f18
storage: fix handling snap_on_start=True file volumes
Use the right cow image and apply the second layer to provide read-write
access. The correct setup is:
 - base image + base cow -> read-only snapshot (base changes "cached"
   until committed)
 - read-only snapshot + VM cow -> read-write snapshot (changes discarded
   after VM shutdown)

This way, even VM without Qubes-specific startup scripts will can
benefit from Template VMs, while VMs with Qubes-specific startup scripts
may still see original root.img content (for possible signature
verification, when storage domain got implemented).

QubesOS/qubes-issues#2256
2017-02-14 23:59:07 +01:00
Marek Marczykowski-Górecki
48f78dfbc8
tests: check if snap_on_start=True volumes are not persistent
Content should be reset back to base volume at each VM startup.
Disposable VMs depend on this behaviour.

QubesOS/qubes-issues#2256
2017-02-14 23:59:07 +01:00
Wojtek Porczyk
8e678c0172 qubes/mgmt: mgmt.vm.property.Reset
QubesOS/qubes-issues#2622
2017-02-14 11:37:17 +01:00
Wojtek Porczyk
ada0437f52 qubes/mgmt: mgmt.vm.property.Help
QubesOS/qubes-issues#2622
2017-02-13 21:28:27 +01:00
Wojtek Porczyk
e8a5bc9b36 qubesd: improve exception handling
QubesOS/qubes-issues#2622
2017-02-10 23:25:45 +01:00
Wojtek Porczyk
249d8c08e2 qubes/tools/qubesd-query: low-level interrogation tool 2017-02-10 23:25:45 +01:00
Wojtek Porczyk
02639b8d02 qubes/mgmt: mgmt.vm.property.List
QubesOS/qubes-issues#2622
2017-02-10 22:55:53 +01:00
Wojtek Porczyk
c12fc744a2 qubes/mgmt: move mgmt api to separate module
QubesOS/qubes-issues#2622
2017-02-09 23:29:05 +01:00
Wojtek Porczyk
5d455ac3c4 misc pylint fixes related to qubesd 2017-02-08 15:37:39 +01:00
Wojtek Porczyk
0be3b1fbb1 qubes/tools/qubesd: initial version 2017-02-07 17:07:53 +01:00
Wojtek Porczyk
1be75d9c83 misc python3 fixes 2017-02-07 17:07:52 +01:00
Wojtek Porczyk
d74567d65f qubes: port core to python3
fixes QubesOS/qubes-issues#2074
2017-01-20 16:42:51 +01:00
Wojtek Porczyk
0f1672dc63 Revert "backup: use 'scrypt' tool for backup encryption and integrity protection"
This reverts commit 418d749680.

Package `scrypt` is currently not installable (not present in any repo).

Cc: @marmarek
2016-12-05 18:36:13 +01:00
Wojtek Porczyk
25912f5787 qubes/tools: add qvm-tags
QubesOS/qubes-issues#865
2016-12-02 14:17:09 +01:00
Wojtek Porczyk
5f436360f7 qubes/app: Fix create_empty_store signature
QubesOS/qubes-issues#1729
2016-11-30 18:34:11 +01:00
Wojtek Porczyk
68ad60c1b3 Merge remote-tracking branch 'origin/master' into core3-devel
Conflicts:
	core/qubes.py
	doc/Makefile
	doc/manpages/qvm-prefs.rst
	doc/qvm-tools/qvm-add-appvm.rst
	doc/qvm-tools/qvm-backup-restore.rst
	doc/qvm-tools/qvm-backup.rst
	doc/qvm-tools/qvm-block.rst
	doc/qvm-tools/qvm-clone.rst
	doc/qvm-tools/qvm-firewall.rst
	doc/qvm-tools/qvm-ls.rst
	doc/qvm-tools/qvm-pci.rst
	doc/qvm-tools/qvm-run.rst
	doc/qvm-tools/qvm-shutdown.rst
	doc/qvm-tools/qvm-start.rst
	doc/qvm-tools/qvm-template-commit.rst
	qvm-tools/qvm-ls
	qvm-tools/qvm-prefs
	qvm-tools/qvm-remove
	tests/__init__.py
	vm-config/xen-vm-template.xml
2016-11-30 03:07:39 +01:00
Marek Marczykowski-Górecki
8f443547fb
qubes/vm: disconnect from old QubesDB when going to start new instance
QubesDB daemon no longer remove socket created by new instance, so one
part of VM restart race condition is solved. The only remaining part is
to ensure that we really connect to the new instance, instead of talking
to the old one (soon to be terminated).

Fixes QubesOS/qubes-issues#1694
2016-11-26 04:09:00 +01:00
Marek Marczykowski-Górecki
3b209515c2
qubes/vm/dispvm: don't crash when DispVM is already killed
This is regression of QubesOS/qubes-issues#1660

Fixes QubesOS/qubes-issues#1660
2016-11-26 04:09:00 +01:00
Marek Marczykowski-Górecki
6ff836dfa4
qubes/log: add FD_CLOEXEC to log files
Don't leak log file descriptors. At least 'lvm' complains.

QubesOS/qubes-issues#2412
2016-11-26 04:08:59 +01:00
Marek Marczykowski-Górecki
210cb65d1c
qubes/tools: drop requirement of qubes-prefs --force-root
None of properties set there do any "dangerous thing" for filesystem
permissions (at least for now), so do not require it. This is mostly to
keep compatibility with %post rpm scripts (kernel-qubes-vm at least).

QubesOS/qubes-issues#2412
2016-11-26 04:08:59 +01:00
Marek Marczykowski-Górecki
a318d5cea9
Don't fail on DBus connection error or opening log
Especially in offline mode - like during installation, tests etc.

QubesOS/qubes-issues#2412
2016-11-26 04:08:59 +01:00
Marek Marczykowski-Górecki
02a0713665
qubes/tools: better handle qvm-template-postprocess called as root
This tool by design is called as root, so try to:
 - switch to normal user if possible
 - fix file permissions afterwards - if not

QubesOS/qubes-issues#2412
2016-11-26 04:08:58 +01:00
Marek Marczykowski-Górecki
28d4feb0d0
qubes: fix network-related functions
- cleanup_vifs crash when non-networked VM is running
- type error in get_vms_connected_to (store VM objects, not qid)
2016-11-26 04:08:58 +01:00
Marek Marczykowski-Górecki
e85b0663f6
tools: fire 'template-postinstall' event for extensions
Allow extensions to finish template setup. This include retrieving
appmenus, settings defaults etc.

QubesOS/qubes-issues#2412
2016-11-26 04:08:58 +01:00
Marek Marczykowski-Górecki
0041063b8e
qubes/config: set default labels
There was a comment '# Set later', but actually values were never set.
This break adding just installed template (qvm-template-postprocess).

QubesOS/qubes-issues#2412
2016-11-26 04:08:57 +01:00
Marek Marczykowski-Górecki
c4e85a81fb
qubes/app: automatically enable offline mode when running in chroot
Do not spray --offline-mode over every installer-related script.

QubesOS/qubes-issues#2412
2016-11-26 04:08:50 +01:00
Marek Marczykowski-Górecki
d8a1216daf
Fix qubes-create in offline mode
QubesOS/qubes-issues#2412
2016-11-26 04:08:09 +01:00
Marek Marczykowski-Górecki
5e15db4176
qubes/tools: accept qvm-start --no-guid
Lets keep compatibility with older scripts.

QubesOS/qubes-issues#2412
2016-11-26 04:08:08 +01:00
Marek Marczykowski-Górecki
964955758c
qubes/app: create 'default' storage pool as LVM when present
When system is installed with LVM thin pool, it should be used by
default. But lets keep file-based on for /var/lib/qubes for some corner
cases, migration etc.

QubesOS/qubes-issues#2412
2016-11-26 04:08:08 +01:00
Marek Marczykowski-Górecki
badc58837a
Add qvm-template-postprocess tool
This is intended to call to finish template installation/removal.
Template RPM package is basically container for root.img, nothing more.
Other parts needs to be generated after root.img extraction. Previously
it was open coded in rpm post-install script, but lets keep it as qvm
tool to ease supporting multiple version in template builder

QubesOS/qubes-issues#2412
2016-11-26 04:08:08 +01:00
Marek Marczykowski-Górecki
1418555346
qubes/vm: don't fail on removing VM without files
VM files may be already removed. Don't fail on this while removing a
VM, it's probably the reason why domain is being removed.

qvm-remove tool have its own guard for this, but it isn't enough - if
rmtree(dir_path) fails, storage.remove() would not be called, so
non-file storages would not be cleaned up.

This is also needed to correctly handle template reinstallation - where
VM directory is moved away to call create_on_disk again.

QubesOS/qubes-issues#2412
2016-11-26 04:08:07 +01:00
Marek Marczykowski-Górecki
cc440c62f6
qubes/tools: accept properties with '-'
'-' is invalid character in python identifier, so all the properties
have '_'. But in previous versions qvm-* tools accepted names with '-',
so lets not break this.

QubesOS/qubes-issues#2412
2016-11-26 04:08:07 +01:00
Marek Marczykowski-Górecki
880566a387
qubes/tools: do not reject --set/--get in *-prefs tools
Those options are no longer needed, but lets not reject them to preserve
compatibility with older scripts

QubesOS/qubes-issues#2412
2016-11-26 04:08:07 +01:00
Marek Marczykowski-Górecki
91727389c4
qubes/log: ensure logs are group writable
/var/log/qubes directory have setgid set, so all the files will be owned
by qubes group (that's ok), but there is no enforcement of creating it
group writable, which undermine group ownership (logs created by root
would not be writable by normal user)

QubesOS/qubes-issues#2412
2016-11-26 04:08:07 +01:00
Marek Marczykowski-Górecki
80c0093c77
qubes/tools/qubes-create: reject overriding existing qubes.xml
If someone really want do to this, need to manually remove the file
first.

QubesOS/qubes-issues#2412
2016-11-26 04:08:06 +01:00
Marek Marczykowski-Górecki
c08766e157
qubes/features: rename 'services/ntpd' to 'service/ntpd'
It makes much more sense to use singular form here - ntpd is a single
service.
2016-11-26 04:08:06 +01:00
Wojtek Porczyk
2b0ad51b18 Merge remote-tracking branch 'origin/pull/68/head' into core3-devel 2016-11-15 17:41:47 +01:00
Wojtek Porczyk
37bfd0d2a3 Merge remote-tracking branch 'marmarek/core3-fake-ip' into core3-devel 2016-11-15 17:40:30 +01:00
Wojtek Porczyk
a4d50409df Merge remote-tracking branch 'marmarek/core3-storage-fixes' into core3-devel 2016-11-15 17:36:53 +01:00
Wojtek Porczyk
fd953f4f27 Merge remote-tracking branch 'marmarek/core3-backup2' into core3-devel 2016-11-15 17:34:12 +01:00
Bahtiar `kalkin-` Gadimov
5db67fca8d
Fix init property swap in DomainVolumes 2016-11-07 23:26:53 +01:00
Marek Marczykowski-Górecki
b011cef8af
tests/storage: add tests for basic volumes properties
Things like if read-only volume is really read-only, volatile is
volatile etc.

QubesOS/qubes-issues#2256
2016-11-04 14:18:56 +01:00
Marek Marczykowski-Górecki
b59463e8e8
qvm-block: fix listing non-internal volumes
In case of LVM (at least), "internal" flag is initialized only when
listing volume attached to given VM, but not when listing them from the
pool. This looks like a limitation (bug?) of pool driver, it looks like
much nicer fix is to handle the flag in qvm-block tool (which list VMs
volumes anyway), than in LVM storage pool driver (which would need to
keep second copy of volumes list - just like file driver).

QubesOS/qubes-issues#2256
2016-11-04 14:18:56 +01:00
Marek Marczykowski-Górecki
1a7f2892d1
storage/lvm: fix logic regarding snapshots, start, stop etc
There are mutiple cases when snapshots are inconsistently created, for
example:
 - "-back" snapshot created from the "new" data, instead of old one
 - "-snap" created even when volume.snap_on_start=False
 - probably more

Fix this by following volume.snap_on_start and volume.save_on_stop
directly, instead of using abstraction of old volume types.

QubesOS/qubes-issues#2256
2016-11-04 14:18:56 +01:00
Marek Marczykowski-Górecki
ab9d7fbb76
storage: improve/fix handling extra volumes
Just calling pool.init_volume isn't enough - a lot of code depends on
additional data loaded into vm.storage object. Provide a convenient
wrapper for this.

At the same time, fix loading extra volumes from qubes.xml - don't fail
on volume not mentioned in initial vm.volume_config.

QubesOS/qubes-issues#2256
2016-11-04 14:18:56 +01:00
Marek Marczykowski-Górecki
4323651afb
storage/lvm: remove duplicated _reset function
There were two: _reset and _reset_volume. Neither of them was working,
but the later was closer. Remove the other one.

QubesOS/qubes-issues#2256
2016-11-04 14:18:55 +01:00
Marek Marczykowski-Górecki
37dbf29bc1
storage/lvm: don't fail on removing already removed volumes
This may happen when removing not fully created VM.

QubesOS/qubes-issues#2256
2016-11-04 14:18:55 +01:00
Marek Marczykowski-Górecki
400e92b25a
storage/lvm: misc fixes
- add missing lvm remove call when commiting changes
- delay creating volatile image until domain startup (it will be created
  then anyway)
- reset cache only when really changed anything
- attach VM to the volume (snapshot) created for its runtime - to not
  expose changes (for example in root volume) to child VMs until
  shutdown

QubesOS/qubes-issues#2412
QubesOS/qubes-issues#2256
2016-11-04 14:18:55 +01:00
Marek Marczykowski-Górecki
0471453773
storage/lvm: call lvm directly, don't use qubes-lvm wrapper
The wrapper doesn't do anything else than translating command
parameters, but it's load time is significant (because of python imports
mostly). Since we can't use python lvm API from non-root user anyway,
lets drop the wrapper and call `lvm` directly (or through sudo when
necessary).

This makes VM startup much faster - storage preparation is down from
over 10s to about 3s.

QubesOS/qubes-issues#2256
2016-11-04 14:18:55 +01:00
Marek Marczykowski-Górecki
9197bde76e
storage/lvm: use dd for importing volumes
...instead of manual copy in python. DD is much faster and when used
with `conv=sparse` it will correctly preserve sparse image.

QubesOS/qubes-issues#2256
2016-11-04 14:18:54 +01:00
Marek Marczykowski-Górecki
38fc504ca0
qubes/vm/net: set mapped IP info before attaching network
Set parameters for possibly hiding domain's real IP before attaching
network to it, otherwise we'll have race condition with vif-route-qubes
script.

QubesOS/qubes-issues#1143
2016-11-01 00:37:43 +01:00
Marek Marczykowski-Górecki
b4fa8cdce3
qubes/vm/net: use domain's "visible IP" for a gateway address
This is the IP known to the domain itself and downstream domains. It may
be a different one than seen be its upstream domain.

Related to QubesOS/qubes-issues#1143`
2016-11-01 00:30:11 +01:00
Marek Marczykowski-Górecki
ec81b3046f
tests: add missing app.save() before starting a domain
Otherwise domain will be unknown to other processes (like qrexec
services).
2016-11-01 00:28:37 +01:00
Marek Marczykowski-Górecki
d999d91049
tests: few more tests for fake/custom IP
QubesOS/qubes-issues#1143
QubesOS/qubes-issues#1477
2016-10-31 03:39:46 +01:00
Marek Marczykowski-Górecki
ea33fef9cc
tests: drop dispvm_netvm tests
This property no longer exists in core3.
2016-10-31 03:10:12 +01:00
Marek Marczykowski-Górecki
5072acc8f2
tests: custom VM IP
QubesOS/qubes-issues#1477
2016-10-31 03:09:45 +01:00
Marek Marczykowski-Górecki
b8145595a9
qubes/vm/net: allow setting custom IP
Fixes QubesOS/qubes-issues#1477
2016-10-31 03:04:13 +01:00
Marek Marczykowski-Górecki
4585f2b503
tests: add tests for fake IP feature
QubesOS/qubes-issues#1143
2016-10-31 02:17:21 +01:00
Marek Marczykowski-Górecki
2c6c476410
qubes/vm/net: add feature of hiding real IP from the VM
This helps hiding VM IP for anonymous VMs (Whonix) even when some
application leak it. VM will know only some fake IP, which should be set
to something as common as possible.
The feature is mostly implemented at (Proxy)VM side using NAT in
separate network namespace. Core here is only passing arguments to it.
It is designed the way that multiple VMs can use the same IP and still
do not interfere with each other. Even more: it is possible to address
each of them (using their "native" IP), even when multiple of them share
the same "fake" IP.

Original approach (marmarek/old-qubes-core-admin#2) used network script
arguments by appending them to script name, but libxl in Xen >= 4.6
fixed that side effect and it isn't possible anymore. So use QubesDB
instead.

From user POV, this adds 3 "features":
 - net/fake-ip - IP address visible in the VM
 - net/fake-gateway - default gateway in the VM
 - net/fake-netmask - network mask
The feature is enabled if net/fake-ip is set (to some IP address) and is
different than VM native IP. All of those "features" can be set on
template, to affect all of VMs.
Firewall rules etc in (Proxy)VM should still be applied to VM "native"
IP.

Fixes QubesOS/qubes-issues#1143
2016-10-31 02:06:01 +01:00
Marek Marczykowski-Górecki
b91714b204
qubes/features: handle recursive templates
Have features.check_with_template() check the template recursively.
The longest path (currently) is: DispVM -> AppVM -> TemplateVM.
2016-10-31 02:04:27 +01:00
Wojtek Porczyk
0141e1ac73 qubes/app: Allow keeping lock after load
QubesOS/qubes-issues#1729
2016-10-28 15:43:43 +02:00
Marek Marczykowski-Górecki
8cf19e3c92
tests/backupcompatibility: verify restored VM properties 2016-10-28 11:53:34 +02:00
Marek Marczykowski-Górecki
36bd834c01
core2migration: try to set properties to "default" when possible
Core3 keep information whether property have default value for all the
properties (not only few like netvm or kernel). Try to use this feature
as much as possible.
2016-10-28 11:53:34 +02:00
Marek Marczykowski-Górecki
64ac7f6e8d
tests/backup: check non-ASCII passphrase
QubesOS/qubes-issues#2398
2016-10-28 11:53:34 +02:00
Marek Marczykowski-Górecki
af182c4fd1
backup: fixup restore options just before restoring VMs
When user included/excluded some VMs for restoration, it may be
neceesarry to fix dependencies between them (for example when default
template is no longer going to be restored).
Also fix handling conflicting names.
2016-10-28 11:53:34 +02:00
Marek Marczykowski-Górecki
043d20c05d
backup: fix handling non-ascii characters in backup passphrase
Fixes QubesOS/qubes-issues#2398
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
fc00dd211e
tests/backup: test backup with non-ASCII passphrase 2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
49e718cf57
backup: mark 'encryption' option as deprecated - all backups are encrypted
QubesOS/qubes-issues#971
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
51b66208f3
backup: verify if archive chunks are not reordered
Now, when file name is also integrity protected (prefixed to the
passphrase), we can make sure that input files are given in the same
order. And are parts of the same VM.

QubesOS/qubes-issues#971
2016-10-28 11:53:33 +02:00
Marek Marczykowski-Górecki
4ad15c082b
backup: add 'backup_id' to integrity protection
This prevent switching parts of backup of the same VM between different
backups made by the same user (or actually: with the same passphrase).

QubesOS/qubes-issues#971
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
418d749680
backup: use 'scrypt' tool for backup encryption and integrity protection
`openssl dgst` and `openssl enc` used previously poorly handle key
stretching - in case of `openssl enc` encryption key is derived using
single MD5 iteration, without even any salt. This hardly prevent
brute force or even rainbow tables attacks. To make things worse, the
same key is used for encryption and integrity protection which ease
brute force even further.
All this is still about brute force attacks, so when using long, high
entropy passphrase, it should be still relatively safe. But lets do
better.
According to discussion in QubesOS/qubes-issues#971, scrypt algorithm is
a good choice for key stretching (it isn't the best of all existing, but
a good one and widely adopted). At the same time, lets switch away from
`openssl` tool, as it is very limited and apparently not designed for
production use. Use `scrypt` tool, which is very simple and does exactly
what we need - encrypt the data and integrity protect it. Its archive
format have own (simple) header with data required by the `scrypt`
algorithm, including salt. Internally data is encrypted with AES256-CTR
and integrity protected with HMAC-SHA256. For details see:
https://github.com/tarsnap/scrypt/blob/master/FORMAT

This means change of backup format. Mainly:

1. HMAC is stored in scrypt header, so don't use separate file for it.
Instead have data in files with `.enc` extension.
2. For compatibility leave `backup-header` and `backup-header.hmac`. But
`backup-header.hmac` is really scrypt-encrypted version of `backup-header`.
3. For each file, prepend its identifier to the passphrase, to
authenticate filename itself too. Having this we can guard against
reordering archive files within a single backup and across backups. This
identifier is built as:

        backup ID (from backup-header)!filename!

For backup-header itself, there is no backup ID (just 'backup-header!').

Fixes QubesOS/qubes-issues#971
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
d7c355eadb
backup: make wait_backup_feedback/handle_streams less ugly
Have a generic function `handle_streams`, instead of
`wait_backup_feedback` with open coded process names and manual
iteration over them.

No functional change, besides minor logging change.
2016-10-28 11:53:32 +02:00
Marek Marczykowski-Górecki
6ee200236c
tests/backup: verify migration into LVM thin pool 2016-10-28 11:53:31 +02:00
Marek Marczykowski-Górecki
673fe4423a
tests: handle LVM thin pool 2016-10-28 11:53:31 +02:00
Marek Marczykowski-Górecki
fbecd08a58
tests/backup: exclude some VMs during restore 2016-10-28 11:53:31 +02:00
Wojtek Porczyk
3553b2e1d4 Make pylint happy 2016-10-25 17:27:02 +02:00
Wojtek Porczyk
8edbf0e406 qubes: Document all the events
fixes QubesOS/qubes-issues#1811
2016-10-25 17:11:38 +02:00
Wojtek Porczyk
5e62d3f7cb qubes/tests: substitute_entry_points
New context manager for temporary overriding entry point groups.

fixes QubesOS/qubes-issues#2111
2016-10-24 15:16:39 +02:00
Wojtek Porczyk
4c73c1b93a More green paint 2016-10-19 16:09:58 +02:00
Marek Marczykowski-Górecki
5babb68031
tests/backupcompatibility: verify if all files got restored
There is still no verification of disk images content, nor VM
properties...
2016-10-19 01:54:44 +02:00
Wojtek Porczyk
8097da7cab Paint the project green for testbench launch 2016-10-18 19:07:20 +02:00
Wojtek Porczyk
c81346ba51 qubes/test/run: Print tracebacks of expected fails
fixes QubesOS/qubes-issues#2376
2016-10-14 17:20:14 +02:00
Wojtek Porczyk
526f2c3751 Merge remote-tracking branch 'marmarek/core3-backup' into core3-devel 2016-10-14 15:29:37 +02:00
Wojtek Porczyk
e06829ab2c Make pylint happy 2016-10-11 13:42:37 +02:00
Wojtek Porczyk
c6c0a545e6 Merge remote-tracking branch 'origin/pull/58/head' into core3-devel 2016-10-11 11:37:15 +02:00
Marek Marczykowski-Górecki
33fecd90c1
qubes/backup: misc fixes
Fix restoring ProxyVM and NetVM from core2. Use correct VM class.
2016-10-05 01:58:11 +02:00