core-agent-linux/init/setup-rw.sh

#!/bin/sh

dev=/dev/xvdb

if mountpoint -q /rw ; then
    # This means /rw is mounted now.
    echo "Checking /rw" >&2

    echo "Private device size management: enlarging $dev" >&2
    if content=$(resize2fs "$dev" 2>&1) ; then
        echo "Private device size management: resize2fs of $dev succeeded" >&2
    else
        echo "Private device size management: resize2fs $dev failed:" >&2
        echo "$content" >&2
    fi

    if ! [ -d /rw/config ] ; then
        echo "Virgin boot of the VM: populating /rw/config" >&2

        mkdir -p /rw/config
        touch /rw/config/rc.local
        cat > /rw/config/rc.local <<EOF
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups
EOF
        chmod 755 /rw/config/rc.local

        touch /rw/config/qubes-firewall-user-script
        cat > /rw/config/qubes-firewall-user-script <<EOF
#!/bin/sh

# This script is called at AppVM boot if this AppVM has the qubes-firewall
# service enabled. It is executed after the empty chains for the Qubes firewall
# are created, but before rules for attached qubes are processed and inserted.
#
# It is a good place for custom rules and actions that should occur when the
# firewall service is started.
# 
# Executable scripts located in /rw/config/qubes-firewall.d are executed
# immediately before this qubes-firewall-user-script.
EOF
        chmod 755 /rw/config/qubes-firewall-user-script

        touch /rw/config/suspend-module-blacklist
        cat > /rw/config/suspend-module-blacklist <<EOF
# You can list modules here that you want to be unloaded before going to sleep. This
# file is used only if the VM has any PCI device assigned. Modules will be
# automatically re-loaded after resume.
EOF
    fi

    if ! [ -d /rw/usrlocal ] ; then
        if [ -d /usr/local.orig ] ; then
            echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2
            cp -af /usr/local.orig /rw/usrlocal
        else
            echo "Virgin boot of the VM: creating /rw/usrlocal" >&2
            mkdir -p /rw/usrlocal
        fi
    fi

    echo "Finished checking /rw" >&2
fi

# Old Qubes versions had symlink /home -> /rw/home; now we use mount --bind
if [ -L /home ]; then
    rm /home
    mkdir /home
fi

if [ ! -e /var/lib/qubes/first-boot-completed ]; then
    touch /var/lib/qubes/first-boot-completed
fi
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`#!/bin/sh`

Use online resize2fs, and run filesystem check only when needed When trying offline resize2fs, it require running fsck first, which takes time, especially on large volumes. And in most cases, resize2fs will notice that no action is needed - after wasting some time on fsck. To remedy this, use resize2fs in online mode (on mounted filesystem). And drop fsck call if it fails (filesystem is already mounted read-write, running fsck isn't good idea). But do not remove fsck call completely - still call it, but without '-f' flag, so it run actual check only when really needed (unclean shutdown, last check far in the past etc). Fixes QubesOS/qubes-issues#979 Fixes QubesOS/qubes-issues#2583 2017-02-27 02:13:42 +01:00			`dev=/dev/xvdb`

Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`if mountpoint -q /rw ; then`
			`# This means /rw is mounted now.`
			`echo "Checking /rw" >&2`

Use online resize2fs, and run filesystem check only when needed When trying offline resize2fs, it require running fsck first, which takes time, especially on large volumes. And in most cases, resize2fs will notice that no action is needed - after wasting some time on fsck. To remedy this, use resize2fs in online mode (on mounted filesystem). And drop fsck call if it fails (filesystem is already mounted read-write, running fsck isn't good idea). But do not remove fsck call completely - still call it, but without '-f' flag, so it run actual check only when really needed (unclean shutdown, last check far in the past etc). Fixes QubesOS/qubes-issues#979 Fixes QubesOS/qubes-issues#2583 2017-02-27 02:13:42 +01:00			`echo "Private device size management: enlarging $dev" >&2`
			`if content=$(resize2fs "$dev" 2>&1) ; then`
			`echo "Private device size management: resize2fs of $dev succeeded" >&2`
			`else`
			`echo "Private device size management: resize2fs $dev failed:" >&2`
			`echo "$content" >&2`
			`fi`

Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`if ! [ -d /rw/config ] ; then`
			`echo "Virgin boot of the VM: populating /rw/config" >&2`

			`mkdir -p /rw/config`
			`touch /rw/config/rc.local`
			`cat > /rw/config/rc.local <<EOF`
			`#!/bin/sh`

			`# This script will be executed at every VM startup, you can place your own`
Update spelling in setup-rw.sh 2018-12-14 17:07:28 +01:00			`# custom commands here. This includes overriding some configuration in /etc,`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`# starting services etc.`

			`# Example for overriding the whole CUPS configuration:`
			`# rm -rf /etc/cups`
			`# ln -s /rw/config/cups /etc/cups`
			`# systemctl --no-block restart cups`
			`EOF`
Fix language issues and usability issue 2017-12-12 15:56:33 +01:00			`chmod 755 /rw/config/rc.local`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00
			`touch /rw/config/qubes-firewall-user-script`
			`cat > /rw/config/qubes-firewall-user-script <<EOF`
			`#!/bin/sh`

Fix comments in default qubes-firewall-user-script 2021-01-02 22:07:27 +01:00			`# This script is called at AppVM boot if this AppVM has the qubes-firewall`
			`# service enabled. It is executed after the empty chains for the Qubes firewall`
			`# are created, but before rules for attached qubes are processed and inserted.`
			`#`
			`# It is a good place for custom rules and actions that should occur when the`
			`# firewall service is started.`
			`#`
			`# Executable scripts located in /rw/config/qubes-firewall.d are executed`
			`# immediately before this qubes-firewall-user-script.`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`EOF`
Fix language issues and usability issue 2017-12-12 15:56:33 +01:00			`chmod 755 /rw/config/qubes-firewall-user-script`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00
			`touch /rw/config/suspend-module-blacklist`
			`cat > /rw/config/suspend-module-blacklist <<EOF`
Fix language issues and usability issue 2017-12-12 15:56:33 +01:00			`# You can list modules here that you want to be unloaded before going to sleep. This`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`# file is used only if the VM has any PCI device assigned. Modules will be`
Fix language issues and usability issue 2017-12-12 15:56:33 +01:00			`# automatically re-loaded after resume.`
Clean up early initialization and setup of /rw 2016-10-22 17:43:16 +02:00			`EOF`
			`fi`

			`if ! [ -d /rw/usrlocal ] ; then`
			`if [ -d /usr/local.orig ] ; then`
			`echo "Virgin boot of the VM: populating /rw/usrlocal from /usr/local.orig" >&2`
			`cp -af /usr/local.orig /rw/usrlocal`
			`else`
			`echo "Virgin boot of the VM: creating /rw/usrlocal" >&2`
			`mkdir -p /rw/usrlocal`
			`fi`
			`fi`

			`echo "Finished checking /rw" >&2`
			`fi`

			`# Old Qubes versions had symlink /home -> /rw/home; now we use mount --bind`
			`if [ -L /home ]; then`
			`rm /home`
			`mkdir /home`
			`fi`

			`if [ ! -e /var/lib/qubes/first-boot-completed ]; then`
			`touch /var/lib/qubes/first-boot-completed`
			`fi`