Commit Graph

268 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
d9c2990747 core: fix creation of private.img at VM startup
This code is used when VM is migrated from older system, where HVM
didn't have private.img.
2015-07-01 04:41:09 +02:00
Marek Marczykowski-Górecki
522bfc427a core: fix template-based HVM disk handling
We use only one device-mapper layer for HVMs, and this isn't the same as
for PV - it is that one, which PV does in initramfs.
Device-mapper layers summary for template-based VMs:
PV: root.img+root-cow.img (dom0) -> xvda, xvda+volatile.img (VM)
HVM: root.img+volatile.img (dom0)
2015-07-01 04:35:09 +02:00
Wojtek Porczyk
8afba4c5e9 core3 move: storage/* 2015-06-29 17:39:26 +02:00
Wojtek Porczyk
b623a71d87 core3 move: QubesVmCollection
This got split to qubes.Qubes and qubes.VMCollection.
From now on, VMCollection is a stupid bag. Some parts went elsewhere.
2015-06-29 17:39:23 +02:00
Wojtek Porczyk
f3673dd34c core3 move: class QubesVmLabel 2015-06-29 17:39:23 +02:00
Wojtek Porczyk
778571fe8d core3 move: class QubesHost 2015-06-29 17:39:23 +02:00
Wojtek Porczyk
cec3db993d core3 move: class QubesVMMConnection 2015-06-29 17:39:22 +02:00
Wojtek Porczyk
e1a6fb2859 core3 move: class QubesException 2015-06-29 17:39:22 +02:00
Marek Marczykowski-Górecki
b1f4e6d15c backup: fix missing 'unused' variables
Actually the 'vm' variable is used - in eval'ed statement.
2015-05-11 02:31:56 +02:00
Marek Marczykowski-Górecki
13f0f64d0a backup: code style, no functional change (part 2)
Remove unused variables, rename potentially coliding one.
2015-05-03 14:57:28 +02:00
Marek Marczykowski-Górecki
9ec0580840 backup: code style fixes, no functional change (part 1)
Indentation, break long lines, use is/is not None instead of ==/!=.
2015-05-03 14:57:28 +02:00
Marek Marczykowski-Górecki
868ee83093 block: trigger QubesDB watches after attaching/detaching device
Since libvirt do not support such events (at least for libxl driver), we
need some way to notify qubes-manager when device is attached/detached.
Use the same protocol as for connect/disconnect but on the target
domain.
2015-04-14 23:08:52 +02:00
Marek Marczykowski-Górecki
e1da1fb3c1 block: fixes for dom0-backed devices and dead domains 2015-04-14 23:07:54 +02:00
Marek Marczykowski-Górecki
dbb43f6035 core/storage: fix disk handling for HVM template
Currently HVM template do not have root-cow.img (also do not use 2-layer
device-mapper as PV VMs), so vm.is_template() check isn't enough.
2015-04-06 00:21:38 +02:00
Marek Marczykowski-Górecki
a6448e073c block: fix handling non-dom0 backend
The libvirt XML config syntax was changed - the element is named
<backenddomain/>.
2015-04-04 16:18:10 +02:00
Marek Marczykowski-Górecki
6dac228648 backup: backup any template marked to do so, even if installed by rpm 2015-03-31 05:54:41 +02:00
Marek Marczykowski-Górecki
01e208d5ec utils/QubesWatch: provide domain UUID to domain_callback 2015-03-30 00:08:00 +02:00
Marek Marczykowski-Górecki
30fadfa994 core/block: handle any QubesDB exception 2015-03-29 23:47:39 +02:00
Marek Marczykowski-Górecki
075f35b873 core: do not assume that libvirt domain is always defined
Define it only when really needed:
 - during VM creation - to generate UUID
 - just before VM startup

As a consequence we must handle possible exception when accessing
vm.libvirt_domain. It would be a good idea to make this field private in
the future. It isn't possible for now because block_* are external for
QubesVm class.

This hopefully fixes race condition when Qubes Manager tries to access
libvirt_domain (using some QubesVm.*) at the same time as other tool is
removing the domain. Additionally if Qubes Manage would loose that race, it could
define the domain again leaving some unused libvirt domain (blocking
that domain name for future use).
2015-03-29 23:38:36 +02:00
Marek Marczykowski-Górecki
f8ad78d174 core: use absolute imports in qubesutils 2015-03-29 17:33:02 +02:00
Marek Marczykowski-Górecki
bb958fd1c8 core: improve handling dead domains when talking to QubesDB daemon
Provide vm.refresh(), which will force to reconnect do QubesDB daemon,
and also get new libvirt object (including new ID, if any). Use this
method whenever QubesDB call returns DisconnectedError exception. Also
raise that exception when someone is trying to talk to not running
QubesDB - instead of returning None.
2015-03-29 17:22:15 +02:00
Marek Marczykowski-Górecki
c878beb25d utils/block: catch an exception when talking to disconnected qubesdb
This can happen for example when domain disappeared in the meantime.
2015-03-26 22:10:49 +01:00
Marek Marczykowski-Górecki
4dfb629dd8 Update libvirt config syntax for new version of driver domain patches
Finally accepted patches uses different syntax: <backenddomain name=.../> tag
instead of <source domain=.../>.
2015-03-21 21:12:48 +01:00
Marek Marczykowski-Górecki
ae6ca5c0a3 core: prevent taking database lock twice 2015-02-22 01:25:51 +01:00
Marek Marczykowski-Górecki
b858488719 Merge remote-tracking branch 'woju/master' 2015-02-21 03:09:29 +01:00
Marek Marczykowski-Górecki
e65842322a core: hold the lock after QubesVmCollection.save()
The statement that unlock_db() is always called directly after save() is
no longer true - tests holds the lock all the time, doing multiple saves
in the middle.
2015-02-21 00:25:50 +01:00
Wojtek Porczyk
2b14bc88d0 core/modules: debug important VM changes 2015-02-19 21:32:43 +01:00
Wojtek Porczyk
241cf2e089 core/qubes.py: ensure that all default_*vm are present in collection
References to invalid qids are None'd. Failure to do so may cause KeyErrors even
on fixing ntpd service during instantiation of QubesVmCollection.
2015-02-19 21:32:43 +01:00
Marek Marczykowski-Górecki
bdae560770 backup: fix deadlock on error while receiving backup from a VM
When qfile-dom0-unpacker detects an error, it sends error report to
stdout and terminate (so stdout is closed). That close should be
transferred to the VM process (as EOF on its stdin), which will signal
it to stop sending the data and handle error report.
Also qrexec-client holds the connection until both stdin and
stdout are closed.
So when that EOF is missing, tar2qfile will not detect error report and
still tries to send the data and qrexec-client will hold the
connection while receiving process is long dead.

To prevent that deadlock from happening, close FD in python code, so
qfile-dom0-unpacker will be the last owner of write end of the pipe.
When it closes its stdout, qrexec-client will receive EOF at its stdin.
2015-02-18 21:41:22 +01:00
Marek Marczykowski-Górecki
adfc4e0ac9 core: disks handling cleanup, fix them for TemplateHVM
Move rootcow_img to storage class, remove clean_volatile_img. And most
importantly - set source_template in QubesHVm.create_on_disk.
2015-02-09 06:02:20 +01:00
Marek Marczykowski-Górecki
869675c15c core: convert memory/cpu stats to libvirt API 2015-02-09 03:28:01 +01:00
Marek Marczykowski-Górecki
48fd2669cb raise correct exception 2015-02-07 01:14:22 +01:00
Marek Marczykowski-Górecki
1da8ab5823 core: Add missing import 2015-01-08 03:55:02 +01:00
Marek Marczykowski-Górecki
adff88101a Rework QubesWatch implementation for libvirt events 2014-12-26 02:56:38 +01:00
Marek Marczykowski-Górecki
d4ab70ae9d core: update qvm-block code for HAL API
Use QubesDB to get list of devices, call libvirt methods to
attach/detach devices.
2014-12-12 03:59:01 +01:00
Marek Marczykowski-Górecki
592a4901c9 core: import monitorlayoutnotify instead of calling it as external script
Otherwise deadlock could happen - the script will try to get read lock
on qubes.xml, while the calling tool can already hold the lock. If that
was write lock (which is in case of qfile-daemon-dvm), the deadlock
occurs.
2014-11-21 21:45:03 +01:00
Wojciech Zygmunt Porczyk
6b0a5f9738 storage/xen.py: always initialise args['otherdevs'] 2014-11-19 12:50:32 +01:00
Marek Marczykowski-Górecki
9205c5c054 core: fix imports 2014-11-19 12:50:32 +01:00
Rafał Wojdyła
7e8978d278 wni: changed qrexec agent path environment variable name 2014-11-19 12:50:32 +01:00
Rafał Wojdyła
f91d6e93f6 wni: set random password on user creation 2014-11-19 12:50:31 +01:00
Rafał Wojdyła
ccd04c7c8f wni: properly get user profiles directory 2014-11-19 12:50:31 +01:00
Rafał Wojdyła
81fb2b696b wni: vm users can't change their password 2014-11-19 12:50:31 +01:00
Rafał Wojdyła
b4d827d5e8 wni: remove user profiles on domain removal 2014-11-19 12:50:31 +01:00
Rafał Wojdyła
b6a379e94a Fixed PyQt4 import in guihelpers 2014-11-19 12:50:31 +01:00
Marek Marczykowski-Górecki
fef2672935 settings-wni: get installation directory from windows registry 2014-11-19 12:50:31 +01:00
Marek Marczykowski-Górecki
803e128b8e wni: Add qrexec-client path to WNI settings 2014-11-19 12:50:30 +01:00
Marek Marczykowski-Górecki
071a01d29e guihelpers: Import PyQt only when needed 2014-11-19 12:50:30 +01:00
Marek Marczykowski-Górecki
06189b4a5b wni: set path to qrexec-daemon 2014-11-19 12:50:30 +01:00
Marek Marczykowski-Górecki
63eccac025 wni: use win32net module for creating new user
This require UAC disabled (or already started as administrator), but
works much more reliable ("net user" sometimes fails _silently_).
2014-11-19 12:50:30 +01:00
Marek Marczykowski-Górecki
e5c2448af4 copy & paste error (VM rename fix) 2014-11-19 12:50:30 +01:00
Marek Marczykowski-Górecki
4300d778a5 qvm-toos: import dbus only when needed
Void import errors when 'dbus' module not really needed.
2014-11-19 12:50:29 +01:00
Marek Marczykowski-Górecki
d88da1e66b wni: add missing parameter 2014-11-19 12:50:29 +01:00
Marek Marczykowski-Górecki
f6729b4968 wni: use generated password 2014-11-19 12:50:29 +01:00
Marek Marczykowski-Górecki
5dbad01796 Fill some more WNI settings
Especially use new "wni" libvirt driver.
2014-11-19 12:50:29 +01:00
Marek Marczykowski-Górecki
ea68c6a766 xen: fix template vm storage code 2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
11047bf427 Use platform specific locking method
None of found existing portable locking module does support RW locks.
Use lowlevel system locking support - both Windows and Linux support
such feature.

Drop locking code in write_firewall_conf() b/c is is called with
QubesVmCollection lock held anyway.
2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
a5a2c0b97c Revert "release qubes.xml lock on object destroy"
This reverts commit 39e056b74acca3854c5707d8f2cbcd199b8cac75.
This change rely on reverted python-locking use.
2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
5fb1991ad5 QubesWniVmStorage: prefix system user with "qubes-vm-". 2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
f927f12e39 QubesWniVmStorage: pass all positional parameters to base class 2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
392b70a4d8 Create missing private.img when needed
Not only for HVM, but any VM type which support private.img.
2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
21c908b9b2 Move storage-related VM rename code to storage class 2014-11-19 12:50:28 +01:00
Marek Marczykowski-Górecki
ada5ebd784 Use "None" in *_img attr for "not applicable"
Some VM types do not have particular disk image. Instead of enumerating
cases in storage class, signal unused image from VM class by setting
appropriate attr to None.
2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
e2bea656b4 Add vm-configs for WNI 2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
ec37a4e681 Rename vm-configs directory to be more generic 2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
35ecfc82ef wni: QubesWniVmStorage and update settings file 2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
e8715cd561 release qubes.xml lock on object destroy
This will ensure that lock will be released even in case of error.
2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
50188c8832 Use relative path in system_path dict instead of path templates
This will allow use of correct slashes/backslashes (os.path.join instead
of hardcoded '/').
2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
a17f6ef779 Update QubesHVM to use QubesVmStorage classes
Also add external drive support to QubesXenVmStorage (move from
QubesHVM).
2014-11-19 12:50:27 +01:00
Marek Marczykowski-Górecki
b323a4d1e3 core: Fix handling the case when no settings file present. 2014-11-19 12:50:26 +01:00
Marek Marczykowski-Górecki
50e44ce22d makefile: Improve readability of settings.py install command 2014-11-19 12:50:26 +01:00
Marek Marczykowski-Górecki
ec17f7d329 core/xen: setup xen-specific defaults in separate settings file 2014-11-19 12:50:26 +01:00
Marek Marczykowski-Górecki
0a1f3d0a44 core: split VM images handling to separate class
This will ease handling different types of VMM (which can require
different image types, location etc).
2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
a8bee8d978 Ignore error when 'xen.lowlevel.xs' doesn't exists
There are still few uses of direct xenstore access, most of them are
xen-specific (so doesn't need to be portable). For now simply don't
connect to xenstore when no 'xen.lowlevel.xs' module present. It will
break such xen-specific accesses - it must be somehow reworked - either
by adding appropriate conditionals, or moving such code somewhere else
(custom methods of libvirt driver?).
2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
bc58ca5edb Remove import xen.lowlevel.xc
There is still use of it: QubesHost.get_free_xen_memory and
QubesHost.measure_cpu_usage. Will migrate them to libvirt later (for now
some things will be broken - namely qubes-manager).
2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
6193b4fea3 Add support for VMM-specific settings. 2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
80c89cc91c Delay resolving system_path['qubes_base_dir']
So changes made by os/vmm-specific settings would be taken into account.
2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
f6835346d4 Move initialization code at the end of file
So all of it will be in one place.
2014-11-19 12:50:25 +01:00
Marek Marczykowski-Górecki
0009805041 rpm+makefile: move build/install code to Makefile files
This makes build "scripts" not tied to Fedora-specific files. Especially
ease porting to other platforms.
2014-11-19 12:50:24 +01:00
Marek Marczykowski
f159f3e168 Use QubesDB instead of Xenstore.
Mostly done. Things still using xenstore/not working at all:
 - DispVM
 - qubesutils.py (especially qvm-block and qvm-usb code)
 - external IP change notification for ProxyVM (should be done via RPC
   service)
2014-11-19 12:48:28 +01:00
Marek Marczykowski
b8c62c0279 Wrap all VMM connection related object into QubesVMMConnection class
This makes easier to import right objects in submodules (only one
object). This also implement lazy connection - at first access, not at
module import, which speeds up tools, which doesn't need runtime
information (like qvm-prefs or qvm-service). In the future this will
ease migration from xenstore to QubesDB.

Also implement "offline mode" - operate on qubes.xml without connecting
to VMM - raise exception at such try.
This is needed to run tools during installation, where only minimal
set of services are started, especially no libvirt.
2014-11-19 12:48:26 +01:00
Marek Marczykowski
a880483092 Migration to libvirt - core part
Still not all code migrated, added appropriate TODO/FIXME comments.
2014-11-19 12:47:00 +01:00
Marek Marczykowski-Górecki
247cff335f core: fix race condition in qubes.xml locking (#906)
QubesVmCollection.save() overrides qubes.xml by creating new file, then
renaming it over the old one. If any process has that (old) file open
at the same time - especially while waiting on lock_db_for_writing() -
it will end up in accessing old, already unlinked file.

The exact calls would look like:
P1                                      P2
lock_db_for_writing
  fd = open('qubes.xml')
  fcntl(fd, F_SETLK, ...)

                                      lock_db_for_writing
                                          fd = open('qubes.xml')
                                          fcntl(fd, F_SETLK, ...)
...
save():
    open(temp-file)
    write(temp-file, ...)
    ...
    flush(temp-file)
    rename(temp-file, 'qubes.xml')
    close(fd) // close old file

                                      lock_db_for_writing succeed
                                      *** fd points at already unlinked
                                          file
unlock_db
    close(qubes.xml)

To fix that problem, added a check if (already locked) file is still the
same as qubes.xml.
2014-10-22 03:53:30 +02:00
Marek Marczykowski-Górecki
ed0eabb482 backups: use default kernel if saved one is not installed 2014-10-01 03:50:50 +02:00
Marek Marczykowski-Górecki
55d89698a3 backups: minor fixes 2014-09-28 03:20:47 +02:00
Marek Marczykowski-Górecki
77da00e3ca backups: fix handling incomplete restore
We do not cancel the whole restore at first error.
2014-09-28 03:20:40 +02:00
Marek Marczykowski-Górecki
0cd8281ac1 backups: implement compression in backup format 3 (#775)
Since tar multi-archive no longer used, we can simply instruct tar to
pipe output through gzip (or whatever compressor we want). Include used
compressor command in backup header.
2014-09-26 14:42:07 +02:00
Marek Marczykowski-Górecki
fc0c0adff8 backups: do not use tar multi-volume feature, backup format 3 (#902)
Tar multi-volume support is broken when used with sparse files[1], so do
not use it. Instead simply cut the archive manually and concatenate at
restore time. This change require a little modification in restore
process, so make this new backup format ("3"). Also add backup format
version to the header, instead of some guessing code.
For now only cleartext and encrypted backups implemented, compression
will come as a separate commit.
2014-09-26 14:29:20 +02:00
Marek Marczykowski-Górecki
2c3159c7f9 backups: remove trailing semicolon 2014-09-26 03:19:21 +02:00
Marek Marczykowski-Górecki
58128a574a backups: force ASCII when writing backup header 2014-09-26 02:18:47 +02:00
Marek Marczykowski-Górecki
ec45308f1c backups: better handle quiet mode (for tests) 2014-09-25 05:47:35 +02:00
Victor Lopez
99315fd02c support partitions on loop devices
loop device parsing should have "dXpY_style = True" in order to
correctly parse partitions on loop devices.

Reasoning:
==========
Using losetup to create a virtual SD card disk into a loop device and
creating partitions for it results in new devices within an AppVM that
look like: /dev/loop0p1 /dev/loop0p2 and so on.

However as soon as they are created, Qubes Manager rises an exception
and becomes blocked with the following message (redacted):
"QubesException: Invalid device name: loop0p1
at line 639 of file /usr/lib64/python2.7/site-
packages/qubesmanager/main.py

Details:
line: raise QubesException....
func: block_name_to_majorminor
line no.: 181
file: ....../qubes/qubesutils.py
2014-09-19 11:00:56 +02:00
Marek Marczykowski-Górecki
dba6798a60 backups: change default HMAC algorithm to SHA512
Backups should be safe also for long-term, so change HMAC to SHA512,
which should be usable much longer than SHA1.

See this thread for discussion:
https://groups.google.com/d/msg/qubes-devel/5X-WjdP9VqQ/4zI8-QWd0S4J

Additionally save guessed HMAC in artificial header data (when no real
header exists).
2014-09-18 08:35:09 +02:00
Marek Marczykowski-Górecki
a12cf158da backups: handle empty tar output 2014-09-18 07:39:19 +02:00
Marek Marczykowski-Górecki
b506a0cc15 backups: make the restore more defensive
Continue restore even if some fails failed to extract
2014-09-17 23:12:27 +02:00
Marek Marczykowski-Górecki
2c7fbd88e2 backups: include tar error message when reporting problem with inner tar archive
Previously this message goes to /dev/null (unless BACKUP_DEBUG enabled),
so the user got cryptic "Restore failed" message without any clue about
the cause.
2014-09-17 23:12:27 +02:00
Marek Marczykowski-Górecki
ec74ebdc32 backups: fix handling of unicode in error messages, clean up "ERROR:" prefix usage
When non-english language is set, some processes can output non-ASCII
characters in error messages. Handle them nicely.

Also make error messages more consistent about "ERROR:" prefix. Do not
use this prefix in QubesException message, add it just before showing
the message to the user.
2014-09-17 23:12:19 +02:00
Marek Marczykowski-Górecki
228ae07543 backups: improve errors handling
Report nice error message (not a traceback), interrupt the process on
non-recoverable error (when extraction process is already dead).
2014-09-17 14:43:41 +02:00
Marek Marczykowski-Górecki
f0bbb28398 backups: implement verify-only option (#863) 2014-09-17 14:43:27 +02:00
Wojciech Zygmunt Porczyk
d7958625c6 core+modules: provide meaingful repr()s for some classes 2014-08-11 16:34:33 +02:00
Marek Marczykowski-Górecki
2f9247c39d notify: missing import 2014-07-20 13:39:02 +02:00