diff --git a/.gitignore b/.gitignore index 4d22dcb..e244064 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,5 @@ rpm/ *.pyc +*.pyo +*~ +*.o diff --git a/Makefile b/Makefile index 01085b2..b38c5f5 100644 --- a/Makefile +++ b/Makefile @@ -5,20 +5,26 @@ help: @echo "make update-repo-testing -- same, but to -testing repo" rpms: + rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-commonvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-appvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-netvm.spec + rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-proxyvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec rpm --addsign $(RPMS_DIR)/x86_64/*.rpm update-repo: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*.rpm ../yum/r1/dom0/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-appvm-*.rpm ../yum/r1/appvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1/netvm/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-netvm-*.rpm ../yum/r1/netvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-proxyvm-*.rpm ../yum/r1/netvm/rpm/ update-repo-testing: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*.rpm ../yum/r1-testing/dom0/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-appvm-*.rpm ../yum/r1-testing/appvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1-testing/netvm/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-netvm-*.rpm ../yum/r1-testing/netvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-proxyvm-*.rpm ../yum/r1-testing/netvm/rpm/ diff --git a/appvm/.gitignore b/appvm/.gitignore new file mode 100644 index 0000000..2368033 --- /dev/null +++ b/appvm/.gitignore @@ -0,0 +1,4 @@ +qubes_add_pendrive_script +qubes_penctl +qvm-open-in-dvm +xenstore-watch diff --git a/appvm/Makefile b/appvm/Makefile index 6bb1dea..0ef375a 100644 --- a/appvm/Makefile +++ b/appvm/Makefile 
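Review bot: In the `update-repo` and `update-repo-testing` recipes the new `qubes-core-commonvm-*.rpm` is linked only into `../yum/r1/netvm/rpm/` (and its `r1-testing` twin), yet `rpm_spec/core-appvm.spec` in this same commit adds `Requires: qubes-core-commonvm`. Unless the AppVM repo configuration also reads the netvm directory, an AppVM cannot satisfy that dependency from `appvm/rpm/`; adding `ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1/appvm/rpm/` (and the -testing counterpart), or a dedicated common directory, would close the gap. The `rpms` recipe also ends with `rpm --addsign $(RPMS_DIR)/x86_64/*.rpm`, which re-signs every package present in that directory rather than only the ones just built; that is pre-existing, but a comment such as `# signs every package in $(RPMS_DIR), including stale builds` would make it visible.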
@@ -1,11 +1,14 @@ CC=gcc CFLAGS=-Wall -all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm +all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch qubes_penctl: qubes_penctl.o $(CC) -o qubes_penctl qubes_penctl.o -lxenstore qubes_add_pendrive_script: qubes_add_pendrive_script.o $(CC) -o qubes_add_pendrive_script qubes_add_pendrive_script.o -lxenstore qvm-open-in-dvm: qvm-open-in-dvm.o $(CC) -o qvm-open-in-dvm qvm-open-in-dvm.o -lxenstore +xenstore-watch: xenstore-watch.o + $(CC) -o xenstore-watch xenstore-watch.o -lxenstore + clean: - rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm *.o *~ + rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch *.o *~ diff --git a/appvm/qubes_core_appvm b/appvm/qubes_core_appvm new file mode 100755 index 0000000..ed250dd --- /dev/null +++ b/appvm/qubes_core_appvm 
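Review bot: `appvm/Makefile` now carries four identical link recipes and still declares no `.PHONY`, so a file named `all` or `clean` in `appvm/` would silently satisfy those targets; the hunk covers the whole file, so this is the full picture. GNU make's built-in `%: %.o` rule already links with `$(CC) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@`, so setting `LDLIBS = -lxenstore` makes the explicit `xenstore-watch: xenstore-watch.o` style rules redundant and lets `all` and `clean` share one program list instead of each repeating the four names. A rewrite along these lines keeps the same outputs:
```make
CC = gcc
CFLAGS = -Wall
LDLIBS = -lxenstore
PROGS = qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch

.PHONY: all clean
all: $(PROGS)

# each program is linked from its single object by make's built-in %: %.o rule

clean:
	rm -f $(PROGS) *.o *~
```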
@@ -0,0 +1,82 @@ +#!/bin/sh +# +# chkconfig: 345 85 85 +# description: Executes Qubes core scripts at AppVM boot +# +# Source function library. +. /etc/rc.d/init.d/functions + +possibly_run_save_script() +{ + ENCODED_SCRIPT=$(xenstore-read qubes_save_script) + if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi + echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script + chmod 755 /tmp/qubes_save_script + Xorg -config /etc/X11/xorg-preload-apps.conf :0 & + sleep 2 + DISPLAY=:0 su - user -c /tmp/qubes_save_script + killall Xorg +} + +start() +{ + if ! [ -x /usr/bin/xenstore-read ] ; then + echo "ERROR: /usr/bin/xenstore-read not found!" + exit 1 + fi + + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" != "AppVM" -a "$type" != "DisposableVM" ]; then + # This script runs only on AppVMs + return 0 + fi + + # Start AppVM specific services + /sbin/service cups start + + echo -n $"Executing Qubes Core scripts for AppVM:" + + if xenstore-read qubes_save_request 2>/dev/null ; then + ln -sf /home_volatile /home + possibly_run_save_script + touch /etc/this_is_dvm + dmesg -c >/dev/null + free | grep Mem: | + (read a b c d ; xenstore-write device/qubes_used_mem $c) + # we're still running in DispVM template + echo "Waiting for save/restore..." + # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys + while ! xenstore-read qubes_restore_complete 2>/dev/null ; do + usleep 10 + done + echo Back to life. + fi + + MEM_CHANGE_THRESHOLD_KB=30000 + MEMINFO_DELAY_USEC=100000 + /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC & + + success + echo "" + return 0 +} + +stop() +{ + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/appvm/xenstore-watch.c b/appvm/xenstore-watch.c new file mode 100644 index 0000000..497ed29 --- /dev/null +++ b/appvm/xenstore-watch.c 
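Review bot: `possibly_run_save_script` writes a script that root then hands to `su - user -c` into the fixed, predictable path `/tmp/qubes_save_script`; `/tmp` is world-writable, so a pre-existing file or symlink at that name is followed by the root-owned redirect before the script is executed. Creating the file under a fresh name, e.g. `SAVE_SCRIPT=$(mktemp /tmp/qubes_save_script.XXXXXX) || return`, redirecting to `"$SAVE_SCRIPT"` and passing that to `su`, removes the guessable name; a root-only directory would be stronger still. `killall Xorg` also terminates every Xorg process, not only the one started two lines earlier — record `$!` after `Xorg ... &` and `kill "$!"` instead. This commit removes the same function from `common/qubes_core`, so this is its only remaining copy.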
@@ -0,0 +1,28 @@ +#include +#include +#include +#include +main(int argc, char **argv) +{ + struct xs_handle *xs; + unsigned int count; + char **vec; + char dummy; + if (argc != 2) { + fprintf(stderr, "usage: %s xenstore_path\n", argv[0]); + exit(1); + } + xs = xs_domain_open(); + if (!xs) { + perror("xs_domain_open"); + exit(1); + } + if (!xs_watch(xs, argv[1], &dummy)) { + perror("xs_watch"); + exit(1); + } + vec = xs_read_watch(xs, &count); + free(vec); + vec = xs_read_watch(xs, &count); + free(vec); +} diff --git a/common/.gitignore b/common/.gitignore new file mode 100644 index 0000000..03034a9 --- /dev/null +++ b/common/.gitignore @@ -0,0 +1 @@ +meminfo-writer diff --git a/common/block-snapshot b/common/block-snapshot new file mode 100755 index 0000000..a668935 --- /dev/null +++ b/common/block-snapshot 
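Review bot: `xs_watch(xs, argv[1], &dummy)` passes the address of an uninitialized `char` where libxenstore expects a NUL-terminated token string, so the token sent to xenstored is whatever bytes follow `dummy` on the stack; declare `static const char token[] = "xenstore-watch";` and call `xs_watch(xs, argv[1], token)`. `main` is declared without a return type and never returns a value; write `int main(int argc, char **argv)` and finish with `xs_daemon_close(xs); return 0;`. The two consecutive `xs_read_watch` calls deserve a comment such as `/* the first event fires immediately on registration; the second is a real change */`, since the reason for reading twice is otherwise invisible. The `#include` lines are empty as rendered here, presumably the header names were lost in extraction rather than in the source.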
@@ -0,0 +1,200 @@ +#!/bin/bash + +# Usage: block-snapshot add|remove img-file cow-file +# +# This creates dm-snapshot device on given arguments + +dir=$(dirname "$0") +. "$dir/block-common.sh" + +get_dev() { + dev=$1 + + if [ -L "$dev" ]; then + dev=$(readlink -f "$dev") || fatal "$dev link does not exist." + fi + + if [ -f "$dev" ]; then + file=$dev + + inode=$(stat -c '%i' "$file") + devnum=$(stat -c '%D' "$file") + if [ -z "$inode" ] || [ -z "$devnum" ] + then + release_lock "block" + fatal "Unable to lookup $file: dev: $devnum inode: $inode" + fi + + dev_list=$(losetup -a | grep ' \[0*'${devnum}'\]:'${inode} | cut -d : -f 1) + for loopdev in $dev_list; do + # found existing loop to this file + echo $loopdev + return + done + + + # assign new loop device + loopdev=$(losetup -f 2>/dev/null || find_free_loopback_dev) + if [ "$loopdev" = '' ] + then + release_lock "block" + fatal 'Failed to find an unused loop device' + fi + + do_or_die losetup "$loopdev" "$file" + echo $loopdev + else + test -e "$dev" || fatal "$dev does not exist." + test -b "$dev" || fatal "$dev is not a block device nor file." + fi +} + +get_dm_snapshot_name() { + base=$1 + cow=$2 + + echo snapshot-$(stat -c '%D:%i' "$base")-$(stat -c '%D:%i' "$cow") +} + +create_dm_snapshot() { + local base_dev cow_dev base_sz + + dm_devname=$1 + base=$2 + cow=$3 + + if [ ! -e /dev/mapper/$dm_devname ]; then + # prepare new snapshot device + base_dev=$(get_dev $base) + cow_dev=$(get_dev $cow) + base_sz=$(blockdev --getsz $base_dev) + do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot $base_dev $cow_dev P 256" + fi + +} + +create_dm_snapshot_origin() { + local base_dev base_sz + + dm_devname=$1 + base=$2 + + if [ ! 
-e /dev/mapper/$dm_devname ]; then + # prepare new snapshot-origin device + base_dev=$(get_dev $base) + base_sz=$(blockdev --getsz $base_dev) + do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot-origin $base_dev" + fi +} + +t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') + + +case "$command" in + add) + case $t in + snapshot|origin) + p=$(xenstore_read "$XENBUS_PATH/params") + base=${p/:*/} + cow=${p/*:/} + + if [ -L "$base" ]; then + base=$(readlink -f "$base") || fatal "$base link does not exist." + fi + + if [ -L "$cow" ]; then + cow=$(readlink -f "$cow") || fatal "$cow link does not exist." + fi + + # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin) + dm_devname=$(get_dm_snapshot_name "$base" "$cow") + + claim_lock "block" + + # prepare snapshot device + create_dm_snapshot $dm_devname "$base" "$cow" + + if [ "$t" == "snapshot" ]; then + #that's all for snapshot, store name of prepared device + xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname" + write_dev /dev/mapper/$dm_devname + elif [ "$t" == "origin" ]; then + # for origin - prepare snapshot-origin device and store its name + dm_devname=origin-$(stat -c '%D:%i' "$base") + create_dm_snapshot_origin $dm_devname "$base" + xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname" + write_dev /dev/mapper/$dm_devname + fi + + release_lock "block" + exit 0 + ;; + esac + ;; + remove) + case $t in + snapshot|origin) + node=$(xenstore_read "$XENBUS_PATH/node") + + if [ -z "$node" ]; then + fatal "No device node to remove" + fi + + if [ ! 
-e "$node" ]; then + fatal "Device $node does not exists" + fi + + claim_lock "block" + + use_count=$(dmsetup info $node|grep Open|awk '{print $3}') + + # do not remove snapshot if snapshot origin is still present + if [ "${node/snapshot/}" != "$node" -a -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then + use_count=1 + fi + + if [ "$use_count" -gt 0 ]; then + log info "Device $node still in use - not removing" + release_lock "block" + exit 0 + fi + + # get list of used (loop) devices + deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')" + + # if this is origin + if [ "${node/origin/}" != "$node" ]; then + # remove unused snapshots + for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2)-*; do + use_count=$(dmsetup info $snap|grep Open|awk '{print $3}') + if [ "$use_count" -eq 0 ]; then + # unused snapshot - remove it + deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')" + log debug "Removing $snap" + dmsetup remove $snap + fi + done + fi + + if [ -e $node ]; then + log debug "Removing $node" + dmsetup remove $node + fi + + # try to free loop devices + for dev in $deps; do + if [ -b "$dev" ]; then + log debug "Removing $dev" + losetup -d $dev || true 2> /dev/null + fi + done + + release_lock "block" + + exit 0 + ;; + esac + ;; +esac + +# vim:sw=2:et: diff --git a/appvm/fstab b/common/fstab similarity index 100% rename from appvm/fstab rename to common/fstab diff --git a/appvm/qubes_core b/common/qubes_core similarity index 61% rename from appvm/qubes_core rename to common/qubes_core index 714727a..26fe514 100755 --- a/appvm/qubes_core +++ b/common/qubes_core 
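Review bot: In the `remove` branch the redirection in `losetup -d $dev || true 2> /dev/null` is attached to `true`, not to `losetup`, so the error output the line evidently means to silence is still printed; write `losetup -d "$dev" 2>/dev/null || true`. In the same branch, `for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2)-*` iterates over the literal pattern when nothing matches, `dmsetup info` then fails, `use_count` is empty and `[ "$use_count" -eq 0 ]` becomes a test error; a `[ -e "$snap" ] || continue` as the loop's first line (or `shopt -s nullglob`) avoids that. In `get_dev` the two trailing `test ... || fatal` lines exit without the `release_lock "block"` that the earlier `fatal` paths perform, and `create_dm_snapshot` reaches `get_dev` after `claim_lock "block"`; whether that leaves the lock held depends on `fatal` in `block-common.sh`, which is not on the page.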
@@ -6,18 +6,6 @@ # Source function library. . /etc/rc.d/init.d/functions -possibly_run_save_script() -{ - ENCODED_SCRIPT=$(xenstore-read qubes_save_script) - if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi - echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script - chmod 755 /tmp/qubes_save_script - Xorg -config /etc/X11/xorg-preload-apps.conf :0 & - sleep 2 - DISPLAY=:0 su - user -c /tmp/qubes_save_script - killall Xorg -} - start() { echo -n $"Executing Qubes Core scripts:" @@ -26,21 +14,6 @@ start() echo "ERROR: /usr/bin/xenstore-read not found!" exit 1 fi - if xenstore-read qubes_save_request 2>/dev/null ; then - ln -sf /home_volatile /home - possibly_run_save_script - touch /etc/this_is_dvm - dmesg -c >/dev/null - free | grep Mem: | - (read a b c d ; xenstore-write device/qubes_used_mem $c) - # we're still running in DispVM template - echo "Waiting for save/restore..." - # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys - while ! xenstore-read qubes_restore_complete 2>/dev/null ; do - usleep 10 - done - echo Back to life. - fi name=$(/usr/bin/xenstore-read name) if ! [ -f /etc/this_is_dvm ] ; then @@ -81,10 +54,6 @@ start() fi fi - MEM_CHANGE_THRESHOLD_KB=30000 - MEMINFO_DELAY_USEC=100000 - /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC & - [ -x /rw/config/rc.local ] && /rw/config/rc.local success echo "" diff --git a/netvm/30-qubes_external_ip b/netvm/30-qubes_external_ip new file mode 100755 index 0000000..66ae526 --- /dev/null +++ b/netvm/30-qubes_external_ip @@ -0,0 +1,8 @@ +#!/bin/sh +if [ x$2 == xup ]; then + INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) + /usr/bin/xenstore-write qubes_netvm_external_ip "$INET" +fi +if [ x$2 == xdown ]; then + /usr/bin/xenstore-write qubes_netvm_external_ip "" +fi diff --git a/netvm/qubes_core b/netvm/qubes_core deleted file mode 100755 index dbfaad7..0000000 --- a/netvm/qubes_core +++ /dev/null 
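Review bot: `netvm/30-qubes_external_ip` runs under `#!/bin/sh` but tests `[ x$2 == xup ]`; `==` inside `[` is a bash extension that a POSIX `sh` such as dash rejects, in which case the external-IP key is never written. Use `[ "x$2" = "xup" ]` and `[ "x$2" = "xdown" ]`; the same `==` under `#!/bin/sh` appears in `netvm/qubes_core_netvm` and in both `proxyvm/init.d` scripts added by this commit. `/bin/grep inet` also matches `inet6` lines, so with an IPv6 address configured `qubes_netvm_external_ip` receives several lines; if only IPv4 is intended, `/bin/grep -w inet` limits it to that.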
@@ -1,54 +0,0 @@ -#!/bin/sh -# -# chkconfig: 345 90 90 -# description: Executes Qubes core scripts at VM boot -# -# Source function library. -. /etc/rc.d/init.d/functions - -start() -{ - echo -n $"Executing Qubes Core scripts NetVM:" - - if ! [ -x /usr/bin/xenstore-read ] ; then - echo "ERROR: /usr/bin/xenstore-read not found!" - exit 1 - fi - - name=$(/usr/bin/xenstore-read name) - hostname $name - - # Setup gateway for all the VMs this netVM is serviceing... - modprobe netbk - gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) - netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) - network=$(/usr/bin/xenstore-read qubes_netvm_network) - secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) - echo "NS1=$gateway" > /var/run/qubes/qubes_ns - echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns - /usr/lib/qubes/qubes_setup_dnat_to_ns - echo "1" > /proc/sys/net/ipv4/ip_forward - success - echo "" - return 0 -} - -stop() -{ - return 0 -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - *) - echo $"Usage: $0 {start|stop}" - exit 3 - ;; -esac - -exit $RETVAL diff --git a/netvm/qubes_core_netvm b/netvm/qubes_core_netvm new file mode 100755 index 0000000..dd713fc --- /dev/null +++ b/netvm/qubes_core_netvm 
@@ -0,0 +1,58 @@ +#!/bin/sh +# +# chkconfig: 345 90 90 +# description: Executes Qubes core scripts at NetVM boot +# +# Source function library. +. /etc/rc.d/init.d/functions + +start() +{ + if ! [ -x /usr/bin/xenstore-read ] ; then + echo "ERROR: /usr/bin/xenstore-read not found!" + exit 1 + fi + + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "NetVM" ]; then + /sbin/service NetworkManager start + fi + + echo -n $"Executing Qubes Core scripts NetVM:" + + # Setup gateway for all the VMs this netVM is serviceing... + network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null) + if [ "x$network" != "x" ]; then + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) + modprobe netbk + echo "NS1=$gateway" > /var/run/qubes/qubes_ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns + /usr/lib/qubes/qubes_setup_dnat_to_ns + echo "1" > /proc/sys/net/ipv4/ip_forward + fi + success + echo "" + return 0 +} + +stop() +{ + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall new file mode 100755 index 0000000..6f1cc26 --- /dev/null +++ b/proxyvm/bin/qubes_firewall 
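Review bot: `exit $RETVAL` at the end of `netvm/qubes_core_netvm` refers to a variable that is never assigned, so it expands to a bare `exit` and the script's status is that of the last command rather than of `start`/`stop`; set `RETVAL=0` near the top and `RETVAL=$?` after each `start`/`stop` call in the `case`, or simply `exit 0`. The same unset `RETVAL` is in `appvm/qubes_core_appvm` and in both `proxyvm/init.d` scripts added here. In `start`, a failing `xenstore-read qubes_netvm_gateway` still results in `NS1=` being written to `/var/run/qubes/qubes_ns` and `success` being reported; checking the three reads, e.g. `|| { failure; return 1; }`, would make the reported status truthful.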
@@ -0,0 +1,33 @@ +#!/bin/bash +set -e + +PIDFILE=/var/run/qubes/qubes_firewall.pid +XENSTORE_IPTABLES=qubes_iptables +XENSTORE_ERROR=qubes_iptables_error +OLD_RULES="" + +# PIDfile handling +[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0 +echo $$ >$PIDFILE + +trap 'exit 0' SIGTERM + +while true; do + RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) + + if [[ "$RULES" != "$OLD_RULES" ]]; then + IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') + OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :` + /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" + + if [[ -z "$OUT" ]]; then + # If OK save it for later + /sbin/service iptables save >/dev/null + fi + + OLD_RULES="$RULES" + fi + + # Wait for changes in xenstore file + /usr/bin/xenstore-watch $XENSTORE_IPTABLES +done diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher new file mode 100755 index 0000000..8f9d2e9 --- /dev/null +++ b/proxyvm/bin/qubes_netwatcher @@ -0,0 +1,27 @@ +#!/bin/bash +set -e + +PIDFILE=/var/run/qubes/qubes_netwatcher.pid +CURR_NETCFG="" + +# PIDfile handling +[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0 +echo $$ >$PIDFILE + +trap 'exit 0' SIGTERM + +while true; do + NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid) + if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then + NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip) + if [[ "$NETCFG" != "$CURR_NETCFG" ]]; then + /sbin/service qubes_firewall stop + /sbin/service qubes_firewall start + CURR_NETCFG="$NETCFG" + fi + + /usr/bin/xenstore-watch /local/domain/$NET_DOMID/qubes_netvm_external_ip + else + /usr/bin/xenstore-watch qubes_netvm_domid + fi +done diff --git a/proxyvm/init.d/qubes_firewall b/proxyvm/init.d/qubes_firewall new file mode 100755 index 0000000..2d1218e --- /dev/null +++ b/proxyvm/init.d/qubes_firewall 
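Review bot: `RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)` runs under `set -e`, so a missing or unreadable `qubes_iptables` key (for example before dom0 has written it) terminates the daemon silently, leaves the PID file behind and applies no rules until the next `service qubes_firewall start`; tolerate the read with `RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES 2>/dev/null) || RULES=""`, which falls through to `xenstore-watch` and retries on the next change. The same applies to `NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid)` in `proxyvm/bin/qubes_netwatcher`. The liveness check `[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE)` accepts any live process that has reused the recorded PID after an unclean stop, in which case the new instance exits 0 and no monitor runs; comparing `/proc/$pid/cmdline` against this script, or removing the PID file in the init script's `stop`, narrows that window. That prologue is duplicated verbatim in `qubes_netwatcher`.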
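Review bot: `CURR_NETCFG=""` means the first loop iteration always differs from the stored value, so `qubes_netwatcher` stops and restarts `qubes_firewall` immediately at boot even though `init.d/qubes_firewall` (chkconfig priority 91) has just started it ahead of `qubes_netwatcher` (priority 92). If that first-run restart is intended as a forced re-apply, a comment such as `# first iteration always restarts qubes_firewall so rules are applied with the current external IP` would make it explicit; otherwise seed `CURR_NETCFG` from one `xenstore-read` before the loop. The `stop`/`start` pair is also not seamless — between the `kill -9` in the init script and the new daemon's first `iptables-restore` the kernel rules stay in place but nothing is monitoring the key — which the same comment could note.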
@@ -0,0 +1,48 @@ +#!/bin/sh +# +# chkconfig: 345 91 91 +# description: Starts Qubes Firewall monitor +# +# Source function library. +. /etc/rc.d/init.d/functions + +PIDFILE=/var/run/qubes/qubes_firewall.pid + +start() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n $"Starting Qubes Firewall monitor:" + /sbin/ethtool -K eth0 sg off + /usr/sbin/qubes_firewall & + success + echo "" + fi + return 0 +} + +stop() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n "Stopping Qubes Firewall monitor:" + kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure + echo "" + fi + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/proxyvm/init.d/qubes_netwatcher b/proxyvm/init.d/qubes_netwatcher new file mode 100755 index 0000000..e8d9af4 --- /dev/null +++ b/proxyvm/init.d/qubes_netwatcher @@ -0,0 +1,48 @@ +#!/bin/sh +# +# chkconfig: 345 92 92 +# description: Starts Qubes Network monitor +# +# Source function library. +. /etc/rc.d/init.d/functions + +PIDFILE=/var/run/qubes/qubes_netwatcher.pid + +start() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n $"Starting Qubes Network monitor:" + /sbin/ethtool -K eth0 sg off + /usr/sbin/qubes_netwatcher & + success + echo "" + fi + return 0 +} + +stop() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n "Stopping Qubes Network monitor:" + kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure + echo "" + fi + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec index c9a009d..91fd13c 100644 --- a/rpm_spec/core-appvm.spec +++ b/rpm_spec/core-appvm.spec 
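Review bot: Both `stop` functions use `kill -9 $(cat $PIDFILE)`, which bypasses the `trap 'exit 0' SIGTERM` the daemons install, leaves the foreground `xenstore-watch` child running until the next xenstore change, and never removes `$PIDFILE`. SIGKILL may be deliberate, since bash runs a trap only after the current foreground command returns and the daemons spend nearly all their time inside `xenstore-watch`; if so, say it in a comment and still add `rm -f $PIDFILE` after the kill so the next `start` does not rely on the stale-PID check. `/sbin/ethtool -K eth0 sg off` is executed in both `start` functions with a hard-coded interface and no comment on why scatter-gather is disabled; keeping it in one place with a one-line reason would avoid the duplication. The same `kill -9` pattern is in `proxyvm/init.d/qubes_netwatcher`.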
@@ -34,6 +34,9 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: /usr/bin/mimeopen +Requires: qubes-core-commonvm +BuildRequires: gcc +BuildRequires: xen-devel Provides: qubes-core-vm %define _builddir %(pwd)/appvm @@ -53,9 +56,6 @@ fi adduser --create-home user mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then -mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig -fi %build make clean all @@ -63,10 +63,8 @@ make -C ../common %install -mkdir -p $RPM_BUILD_ROOT/etc -cp fstab $RPM_BUILD_ROOT/etc/fstab mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +cp qubes_core_appvm $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/var/lib/qubes mkdir -p $RPM_BUILD_ROOT/usr/bin cp qubes_timestamp qvm-copy-to-vm qvm-open-in-dvm $RPM_BUILD_ROOT/usr/bin @@ -78,17 +76,9 @@ mkdir -p $RPM_BUILD_ROOT/%{kde_service_dir} cp qvm-copy.desktop qvm-dvm.desktop $RPM_BUILD_ROOT/%{kde_service_dir} mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d cp qubes.rules $RPM_BUILD_ROOT/etc/udev/rules.d -mkdir -p $RPM_BUILD_ROOT/etc/sysconfig -cp iptables $RPM_BUILD_ROOT/etc/sysconfig/ mkdir -p $RPM_BUILD_ROOT/mnt/incoming mkdir -p $RPM_BUILD_ROOT/mnt/outgoing mkdir -p $RPM_BUILD_ROOT/mnt/removable -mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d -cp ../appvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d -mkdir -p $RPM_BUILD_ROOT/sbin -cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin -mkdir -p $RPM_BUILD_ROOT/etc -cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ mkdir -p $RPM_BUILD_ROOT/etc/X11 cp xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11 
@@ -96,91 +86,22 @@ cp xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11 mkdir -p $RPM_BUILD_ROOT/home_volatile/user chown 500:500 $RPM_BUILD_ROOT/home_volatile/user -%triggerin -- initscripts -cp /var/lib/qubes/serial.conf /etc/init/serial.conf - %post +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" + if [ "$1" != 1 ] ; then # do this whole %post thing only when updating for the first time... exit 0 fi -usermod -L root usermod -L user -if ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig -fi - -#echo "--> Disabling SELinux..." -sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed -mv /etc/selinux/config.processed /etc/selinux/config -setenforce 0 2>/dev/null - -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - chkconfig $srv off -done - -#echo "--> Enabling essential services..." -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig cups on -chkconfig iptables on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - -# Remove most of the udev scripts to speed up the VM boot time -# Just leave the xen* scripts, that are needed if this VM was -# ever used as a net backend (e.g. as a VPN domain in the future) -#echo "--> Removing unnecessary udev scripts..." 
-mkdir -p /var/lib/qubes/removed-udev-scripts -for f in /etc/udev/rules.d/* -do - if [ $(basename $f) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "xend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "qubes.rules" ] ; then - continue - fi - - if [ $(basename $f) == "90-hal.rules" ] ; then - continue - fi - - - mv $f /var/lib/qubes/removed-udev-scripts/ -done -mkdir -p /rw -#rm -f /etc/mtab -#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" -#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig -#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 %preun if [ "$1" = 0 ] ; then # no more packages left - chkconfig qubes_core off - mv /var/lib/qubes/fstab.orig /etc/fstab - mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ - mv /var/lib/qubes/serial.orig /etc/init/serial.conf + chkconfig qubes_core_appvm off fi %clean @@ -188,8 +109,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -/etc/fstab -/etc/init.d/qubes_core +/etc/init.d/qubes_core_appvm /usr/bin/qvm-copy-to-vm /usr/lib/qubes/qvm-copy-to-vm.kde %attr(4755,root,root) /usr/bin/qvm-open-in-dvm @@ -200,13 +120,9 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) /usr/lib/qubes/qubes_penctl /usr/lib/qubes/qubes_add_pendrive_script /etc/udev/rules.d/qubes.rules -/etc/sysconfig/iptables -/var/lib/qubes %dir /mnt/incoming %dir /mnt/outgoing %dir /mnt/removable -/etc/yum.repos.d/qubes.repo -/sbin/qubes_serial_login /usr/bin/qubes_timestamp %dir /home_volatile %attr(700,user,user) /home_volatile/user diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec new file mode 100644 index 0000000..6705c28 --- /dev/null +++ b/rpm_spec/core-commonvm.spec 
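Review bot: The new `chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!"` and its `on` twin still name the old service `qubes_core` in their messages, which misleads on a failed install; change them to `... Cannot add service qubes_core_appvm!` and `... Cannot enable service qubes_core_appvm!`. The same stale text is in the `%post` of `rpm_spec/core-netvm.spec` in this commit. Moving the two `chkconfig` lines above the `if [ "$1" != 1 ]` guard also means they now run on every upgrade rather than only on first install; that looks intended, and a comment `# (re)register the service on every install and upgrade` would record it.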
@@ -0,0 +1,166 @@ +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Joanna Rutkowska +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +%{!?version: %define version %(cat version_vm)} + +Name: qubes-core-commonvm +Version: %{version} +Release: 1 +Summary: The Qubes core files for any VM + +Group: Qubes +Vendor: Invisible Things Lab +License: GPL +URL: http://www.qubes-os.org +Requires: /usr/bin/xenstore-read +Requires: fedora-release = 13 + +%define _builddir %(pwd)/common + +%description +The Qubes core files for installation inside a Qubes VM. + +%pre + +if [ "$1" != 1 ] ; then +# do this whole %pre thing only when updating for the first time... 
+exit 0 +fi + +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes +if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then +mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig +fi + +%install + +mkdir -p $RPM_BUILD_ROOT/etc +cp fstab $RPM_BUILD_ROOT/etc/fstab +mkdir -p $RPM_BUILD_ROOT/etc/init.d +cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig +cp iptables $RPM_BUILD_ROOT/etc/sysconfig/ +mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d +cp ../appvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d +mkdir -p $RPM_BUILD_ROOT/sbin +cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin +mkdir -p $RPM_BUILD_ROOT/etc +cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ + +%triggerin -- initscripts +cp /var/lib/qubes/serial.conf /etc/init/serial.conf + +%post + +if [ "$1" != 1 ] ; then +# do this whole %post thing only when updating for the first time... +exit 0 +fi + +usermod -L root +if ! [ -f /var/lib/qubes/serial.orig ] ; then + cp /etc/init/serial.conf /var/lib/qubes/serial.orig +fi + +#echo "--> Disabling SELinux..." +sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed +mv /etc/selinux/config.processed /etc/selinux/config +setenforce 0 2>/dev/null + +#echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + [ $srv = 'single' ] && continue + [ $srv = 'qubes_gui' ] && continue + chkconfig $srv off +done + +#echo "--> Enabling essential services..." +chkconfig rsyslog on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig iptables on +chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" + + +# TODO: make this not display the silly message about security context... 
+sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab + +# Remove most of the udev scripts to speed up the VM boot time +# Just leave the xen* scripts, that are needed if this VM was +# ever used as a net backend (e.g. as a VPN domain in the future) +#echo "--> Removing unnecessary udev scripts..." +mkdir -p /var/lib/qubes/removed-udev-scripts +for f in /etc/udev/rules.d/* +do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "xend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "qubes.rules" ] ; then + continue + fi + + if [ $(basename $f) == "90-hal.rules" ] ; then + continue + fi + + + mv $f /var/lib/qubes/removed-udev-scripts/ +done +mkdir -p /rw +#rm -f /etc/mtab +#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" +#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig +#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + +%preun +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_core off + mv /var/lib/qubes/fstab.orig /etc/fstab + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + mv /var/lib/qubes/serial.orig /etc/init/serial.conf +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +/etc/fstab +/etc/init.d/qubes_core +/etc/sysconfig/iptables +/var/lib/qubes +/etc/yum.repos.d/qubes.repo +/sbin/qubes_serial_login diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index 83d88c2..346c548 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec @@ -34,6 +34,7 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: NetworkManager >= 0.8.1-1 +Requires: qubes-core-commonvm Provides: qubes-core-vm %define _builddir %(pwd)/netvm 
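Review bot: The new `%pre` in `core-commonvm.spec` uses `$RPM_BUILD_ROOT`, which rpm does not set for install-time scriptlets, so `mkdir -p $RPM_BUILD_ROOT/var/lib/qubes` and the `mv` of `/etc/fstab` to `fstab.orig` operate on the live root; that appears to be the intent (preserve the system's fstab before the packaged `/etc/fstab` replaces it), but it should be written with plain paths and a comment such as `# save the pre-existing fstab; restored by %preun on erase`. `%preun` then runs `mv /var/lib/qubes/fstab.orig /etc/fstab` unconditionally, while `%pre` only creates that file when `/etc/fstab` existed; guard each restore with `[ -e /var/lib/qubes/fstab.orig ] && ...` so a missing file does not abort the erase. The `sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed` line as rendered here has no input/output redirection, presumably lost in extraction rather than in the source.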
@@ -43,22 +44,13 @@ The Qubes core files for installation inside a Qubes NetVM. %pre -mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then -mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig -fi - - %build %install -mkdir -p $RPM_BUILD_ROOT/etc/sysconfig -cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig mkdir -p $RPM_BUILD_ROOT/etc -cp fstab $RPM_BUILD_ROOT/etc/fstab mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +cp qubes_core_netvm $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/var/lib/qubes mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes 
@@ -67,103 +59,22 @@ mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ -mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d -cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d -mkdir -p $RPM_BUILD_ROOT/sbin -cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin -mkdir -p $RPM_BUILD_ROOT/etc -cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ +cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ mkdir -p $RPM_BUILD_ROOT/var/run/qubes mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts -%triggerin -- initscripts -cp /var/lib/qubes/serial.conf /etc/init/serial.conf - %post /usr/lib/qubes/qubes_fix_nm_conf.sh -if [ "$1" != 1 ] ; then -# do this whole %post thing only when updating for the first time... -exit 0 -fi - -sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf -usermod -L root -if ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig -fi - -#echo "--> Disabling SELinux..." -sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed -mv /etc/selinux/config.processed /etc/selinux/config -setenforce 0 2>/dev/null - -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - chkconfig $srv off -done - -#echo "--> Enabling essential services..." -chkconfig iptables on -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig NetworkManager on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" 
-chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - -# Remove most of the udev scripts to speed up the VM boot time -# Just leave the xen* scripts, that are needed if this VM was -# ever used as a net backend (e.g. as a VPN domain in the future) -#echo "--> Removing unnecessary udev scripts..." -mkdir -p /var/lib/qubes/removed-udev-scripts -for f in /etc/udev/rules.d/* -do - if [ $(basename $f) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "xend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "qubes.rules" ] ; then - continue - fi - - if [ $(basename $f) == "90-hal.rules" ] ; then - continue - fi - - - mv $f /var/lib/qubes/removed-udev-scripts/ -done - -#rm -f /etc/mtab -#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" -#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig -#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" %preun if [ "$1" = 0 ] ; then # no more packages left - chkconfig qubes_core off - mv /var/lib/qubes/fstab.orig /etc/fstab - mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ - mv /var/lib/qubes/serial.orig /etc/init/serial.conf + chkconfig qubes_core_netvm off fi %clean 
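Review bot: The fallback messages on the two new `chkconfig` lines still name `qubes_core`, although the service being registered is now `qubes_core_netvm`, so a failed registration is reported under the wrong name; use `chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!"` and `chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!"`. The same copy-pasted `qubes_core` message appears four times in the new core-proxyvm.spec `%post` for `qubes_firewall` and `qubes_netwatcher`. Dropping the old `if [ "$1" != 1 ]` early-exit also means these two lines now run on every upgrade and switch the service back on if an administrator had disabled it; if that is intended, a one-line comment saying so would help. The `net.ipv4.ip_forward` sysctl edit and `usermod -L root` removed here do not reappear in this spec — presumably they moved to qubes-core-commonvm, which this page does not show in full, so that is worth confirming.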
@@ -171,15 +82,11 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -/etc/fstab -/etc/sysconfig/iptables -/etc/init.d/qubes_core -/var/lib/qubes +/etc/init.d/qubes_core_netvm /usr/lib/qubes/qubes_setup_dnat_to_ns /usr/lib/qubes/qubes_fix_nm_conf.sh /etc/dhclient.d/qubes_setup_dnat_to_ns.sh /etc/NetworkManager/dispatcher.d/qubes_nmhook -/etc/yum.repos.d/qubes.repo -/sbin/qubes_serial_login +/etc/NetworkManager/dispatcher.d/30-qubes_external_ip /etc/xen/scripts/vif-route-qubes %dir /var/run/qubes diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec new file mode 100644 index 0000000..52bc17f --- /dev/null +++ b/rpm_spec/core-proxyvm.spec 
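Review bot: `/var/lib/qubes` is dropped from `%files` here, but the `%install` section in the earlier hunk still runs `mkdir -p $RPM_BUILD_ROOT/var/lib/qubes`; with nothing packaged under it that line is dead and can go, leaving the directory to the package whose `%files` lists it (the list shown above this file on the page, presumably core-commonvm.spec, contains `/var/lib/qubes`). For the new `/etc/NetworkManager/dispatcher.d/30-qubes_external_ip` entry, NetworkManager only runs dispatcher scripts that are executable and root-owned; `%defattr(-,root,root,-)` fixes ownership but keeps the mode from the source tree, so `%attr(0755,root,root) /etc/NetworkManager/dispatcher.d/30-qubes_external_ip` would make the requirement explicit instead of depending on the checked-in bit.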
@@ -0,0 +1,80 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010 Joanna Rutkowska
+# Copyright (C) 2010 Rafal Wojtczuk
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name: qubes-core-proxyvm
+Version: %{version}
+Release: 1
+Summary: The Qubes core files for NetVM
+
+Group: Qubes
+Vendor: Invisible Things Lab
+License: GPL
+URL: http://www.qubes-os.org
+Requires: /usr/bin/xenstore-read
+Requires: /sbin/ethtool
+Requires: fedora-release = 13
+Requires: qubes-core-netvm
+
+%define _builddir %(pwd)/proxyvm
+
+%description
+The Qubes core files for installation inside a Qubes ProxyVM in addition to NetVM scripts.
+
+%pre
+
+%build
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp init.d/qubes_firewall $RPM_BUILD_ROOT/etc/init.d/
+cp init.d/qubes_netwatcher $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/usr/sbin
+cp bin/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
+cp bin/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/
+
+%post
+
+chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
+
+chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
+
+%preun
+if [ "$1" = 0 ] ; then
+ # no more packages left
+ chkconfig qubes_firewall off
+ chkconfig qubes_netwatcher off
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/init.d/qubes_firewall
+/etc/init.d/qubes_netwatcher
+/usr/sbin/qubes_firewall
+/usr/sbin/qubes_netwatcher
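Review bot: `Summary: The Qubes core files for NetVM` was copied from the netvm spec and contradicts the `%description` a few lines below it; change it to `Summary: The Qubes core files for ProxyVM`. The `%post` here has no `[ "$1" = 1 ]` check, so both `chkconfig ... on` lines run again on every upgrade and switch the services back on even if an administrator had turned them off; for `qubes_firewall` that is arguably the safer default, but if it is the intent a one-line comment such as `# services are (re)enabled on upgrade as well, on purpose` would keep a later reader from removing it. The empty `%pre` section is dead text and can be dropped.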