From e0b50db2ee6ecfe2b47566acd3f7e28ec8010670 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 26 Feb 2011 03:42:55 +0100 Subject: [PATCH 01/19] Update TemplateVM with running AppVM: part 1 snapshot and origin device type for xen --- common/block-snapshot | 189 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 common/block-snapshot diff --git a/common/block-snapshot b/common/block-snapshot new file mode 100644 index 0000000..a08a10c --- /dev/null +++ b/common/block-snapshot 
@@ -0,0 +1,189 @@
+#!/bin/bash
+
+# Usage: block-snapshot add|remove img-file cow-file
+#
+# This creates dm-snapshot device on given arguments
+
+dir=$(dirname "$0")
+. "$dir/block-common.sh"
+
+
+get_dev() {
+ dev=$1
+
+ if [ -L "$dev" ]; then
+ dev=$(readlink -f "$dev") || fatal "$dev link does not exist."
+ fi
+
+ if [ -f "$dev" ]; then
+ file=$dev
+
+ inode=$(stat -c '%i' "$file")
+ devnum=$(stat -c '%D' "$file")
+ if [ -z "$inode" ] || [ -z "$devnum" ]
+ then
+ release_lock "block"
+ fatal "Unable to lookup $file: dev: $devnum inode: $inode"
+ fi
+
+ dev_list=$(losetup -a | grep ' \[0*'${dev}'\]:'${inode} | cut -d : -f 1)
+ for dev in $dev_list; do
+ # found existing loop to this file
+ echo $dev
+ return
+ done
+
+
+ # assign new loop device
+ loopdev=$(losetup -f 2>/dev/null || find_free_loopback_dev)
+ if [ "$loopdev" = '' ]
+ then
+ release_lock "block"
+ fatal 'Failed to find an unused loop device'
+ fi
+
+ do_or_die losetup "$loopdev" "$file"
+ echo $loopdev
+ else
+ test -e "$dev" || fatal "$dev does not exist."
+ test -b "$dev" || fatal "$dev is not a block device nor file."
+ fi
+}
+
+get_dm_snapshot_name() {
+ base=$1
+ cow=$2
+
+ echo snapshot-$(stat -c '%D:%i' "$base")-$(stat -c '%D:%i' "$cow")
+}
+
+create_dm_snapshot() {
+ local base_dev cow_dev base_sz
+
+ dm_devname=$1
+ base=$2
+ cow=$3
+
+ if [ ! -e /dev/mapper/$dm_devname ]; then
+ # prepare new snapshot device
+ base_dev=$(get_dev $base)
+ cow_dev=$(get_dev $cow)
+ base_sz=$(blockdev --getsz $base_dev)
+ do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot $base_dev $cow_dev P 256"
+ fi
+
+}
+
+create_dm_snapshot_origin() {
+ local base_dev base_sz
+
+ dm_devname=$1
+ base=$2
+
+ if [ ! -e /dev/mapper/$dm_devname ]; then
+ # prepare new snapshot-origin device
+ base_dev=$(get_dev $base)
+ base_sz=$(blockdev --getsz $base_dev)
+ do_or_die dmsetup create $dm_devname --table "0 $base_sz snapshot-origin $base_dev"
+ fi
+}
+
+t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING')
+
+
+case "$command" in
+ add)
+ case $t in
+ snapshot|origin)
+ p=$(xenstore_read "$XENBUS_PATH/params")
+ base=${p/:*/}
+ cow=${p/*:/}
+
+ if [ -L "$base" ]; then
+ base=$(readlink -f "$base") || fatal "$base link does not exist."
+ fi
+
+ if [ -L "$cow" ]; then
+ cow=$(readlink -f "$cow") || fatal "$cow link does not exist."
+ fi
+
+ # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin)
+ dm_devname=$(get_dm_snapshot_name "$base" "$cow")
+
+ claim_lock "block"
+
+ # prepare snapshot device
+ create_dm_snapshot $dm_devname "$base" "$cow"
+
+ if [ "$t" == "snapshot" ]; then
+ #that's all for snapshot, store name of prepared device
+ xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
+ write_dev /dev/mapper/$dm_devname
+ elif [ "$t" == "origin" ]; then
+ # for origin - prepare snapshot-origin device and store its name
+ dm_devname=origin-$(stat -c '%D:%i' "$base")
+ create_dm_snapshot_origin $dm_devname "$base"
+ xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
+ write_dev /dev/mapper/$dm_devname
+ fi
+
+ release_lock "block"
+ exit 0
+ ;;
+ esac
+ ;;
+ remove)
+ case $t in
+ snapshot|origin)
+ node=$(xenstore_read "$XENBUS_PATH/node")
+
+ if [ -z "$node" ]; then
+ fatal "No device node to remove"
+ fi
+
+ claim_lock "block"
+
+ use_count=$(dmsetup info $node|grep Open|awk '{print $3}')
+
+ # do not remove snapshot if snapshot origin is still present
+ if [ "${node/snapshot/}" != "$node" -a
+ -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then
+ ((use_count++))
+ fi
+
+ if [ "$use_count" -gt 0 ]; then
+ log info "Device $node still in use - not removing"
+ exit 0
+ fi
+
+ # get list of used (loop) devices
+ deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')"
+
+ # remove unused snapshots
+ for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2); do
+ use_count=$(dmsetup info $snap|grep Open|awk '{print $3}')
+ if [ $use_count -eq 0 ]; then
+ # unused snapshot - remove it
+ deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')"
+ dmsetup remove $snap
+ fi
+ done
+
+ do_or_die dmsetup remove $node
+
+ # try to free loop devices
+ for dev in $deps; do
+ if [ -b "$dev" ]; then
+ losetup -d $dev 2> /dev/null
+ fi
+ done
+
+ release_lock "block"
+
+ exit 0
+ ;;
+ esac
+ ;;
+esac
+
+# vim:sw=2:et:
From 2aec5870276520ba31cbb38661a83bba853261df Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 28 Feb 2011 18:52:55 +0100
Subject: [PATCH 02/19] block-snapshot fixes

---
 common/block-snapshot | 51 ++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 20 deletions(-)
 mode change 100644 => 100755 common/block-snapshot

diff --git a/common/block-snapshot b/common/block-snapshot
old mode 100644
new mode 100755
index a08a10c..a668935
--- a/common/block-snapshot
+++ b/common/block-snapshot
@@ -7,7 +7,6 @@
 dir=$(dirname "$0")
 . "$dir/block-common.sh"
 
-
 get_dev() {
 dev=$1
 
@@ -26,10 +25,10 @@ get_dev() {
 fatal "Unable to lookup $file: dev: $devnum inode: $inode"
 fi
 
- dev_list=$(losetup -a | grep ' \[0*'${dev}'\]:'${inode} | cut -d : -f 1)
- for dev in $dev_list; do
+ dev_list=$(losetup -a | grep ' \[0*'${devnum}'\]:'${inode} | cut -d : -f 1)
+ for loopdev in $dev_list; do
 # found existing loop to this file
- echo $dev
+ echo $loopdev
 return
 done
 
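Review bot: In the add branch, `base=${p/:*/}` and `cow=${p/*:/}` are never checked for the separator, so a params value without a colon makes base and cow the same string and create_dm_snapshot then builds a snapshot whose COW store is the base image itself, which corrupts the template image; add `case "$p" in *:*) ;; *) fatal "params must be img-file:cow-file, got: $p" ;; esac` before the readlink checks. The header `# Usage: block-snapshot add|remove img-file cow-file` does not describe how the script is actually driven (`$command` and `$XENBUS_PATH/params` via block-common.sh and xenstore); a line such as `# Xen block hotplug script; params is "img-file:cow-file" read from $XENBUS_PATH/params` would be accurate. Whether fatal releases the block lock is not visible here (block-common.sh is off-page), but the fatal calls in get_dev's else branch and the do_or_die inside create_dm_snapshot run while the lock is held, unlike the two earlier error paths that call release_lock first.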
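Review bot: The corrected grep `' \[0*'${devnum}'\]:'${inode}` still has no terminator after the inode, so inode 12 also matches a loop device bound to inode 123 on the same filesystem, and get_dev would hand back a loop device backing a different file as the base of the snapshot. If losetup -a prints `[dev]:inode (path)`, anchoring on the character after the inode fixes it: `grep ' \[0*'"${devnum}"'\]:'"${inode}"'[^0-9]'`. get_dev's body starts and ends outside this hunk.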
@@ -141,40 +140,52 @@ case "$command" in
 fatal "No device node to remove"
 fi
 
+ if [ ! -e "$node" ]; then
+ fatal "Device $node does not exists"
+ fi
+
 claim_lock "block"
 
 use_count=$(dmsetup info $node|grep Open|awk '{print $3}')
 
 # do not remove snapshot if snapshot origin is still present
- if [ "${node/snapshot/}" != "$node" -a
- -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then
- ((use_count++))
+ if [ "${node/snapshot/}" != "$node" -a -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then
+ use_count=1
 fi
 
 if [ "$use_count" -gt 0 ]; then
 log info "Device $node still in use - not removing"
+ release_lock "block"
 exit 0
 fi
 
 # get list of used (loop) devices
- deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')"
+ deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')"
 
- # remove unused snapshots
- for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2); do
- use_count=$(dmsetup info $snap|grep Open|awk '{print $3}')
- if [ $use_count -eq 0 ]; then
- # unused snapshot - remove it
- deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')"
- dmsetup remove $snap
- fi
- done
-
- do_or_die dmsetup remove $node
+ # if this is origin
+ if [ "${node/origin/}" != "$node" ]; then
+ # remove unused snapshots
+ for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2)-*; do
+ use_count=$(dmsetup info $snap|grep Open|awk '{print $3}')
+ if [ "$use_count" -eq 0 ]; then
+ # unused snapshot - remove it
+ deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')"
+ log debug "Removing $snap"
+ dmsetup remove $snap
+ fi
+ done
+ fi
+
+ if [ -e $node ]; then
+ log debug "Removing $node"
+ dmsetup remove $node
+ fi
 
 # try to free loop devices
 for dev in $deps; do
 if [ -b "$dev" ]; then
- losetup -d $dev 2> /dev/null
+ log debug "Removing $dev"
+ losetup -d $dev || true 2> /dev/null
 fi
 done
 
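Review bot: In `losetup -d $dev || true 2> /dev/null` the redirection binds to `true`, not to losetup, so the errors it was meant to hide still reach stderr while the `|| true` drops a failed detach without any log line; write `losetup -d "$dev" 2>/dev/null || log debug "could not detach $dev"`. Replacing `do_or_die dmsetup remove $node` with a bare `dmsetup remove $node` means a failed removal now falls through to release_lock and `exit 0`, so the hotplug caller is told the device is gone while the mapping is still present; keep do_or_die there, or `dmsetup remove $node || fatal "cannot remove $node"`. The `for snap in /dev/mapper/snapshot-…-*` glob iterates the literal pattern when nothing matches, and `dmsetup info` on that name leaves use_count empty so `[ "" -eq 0 ]` errors out; `[ -e "$snap" ] || continue` as the first loop statement covers it. The enclosing remove case starts outside this hunk.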
From 8fa18c465886ded5014191d02e4a1fdc5962d349 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:35:36 +0100 Subject: [PATCH 03/19] Add backup files to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 4d22dcb..228b7ab 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ rpm/ *.pyc +*~ From ee5542ee43bb361efdc0bcfd78df1ed92353a2aa Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:55:54 +0100 Subject: [PATCH 04/19] Add BR to core-appvm.spec --- rpm_spec/core-appvm.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec index c9a009d..e901a12 100644 --- a/rpm_spec/core-appvm.spec +++ b/rpm_spec/core-appvm.spec @@ -34,6 +34,8 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: /usr/bin/mimeopen +BuildRequires: gcc +BuildRequires: xen-devel Provides: qubes-core-vm %define _builddir %(pwd)/appvm From 088adcc95f40f6e23f8cdc4ea3cdc4be5fd437d9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:58:22 +0100 Subject: [PATCH 05/19] gitignore files - add build products --- .gitignore | 2 ++ appvm/.gitignore | 3 +++ common/.gitignore | 1 + 3 files changed, 6 insertions(+) create mode 100644 appvm/.gitignore create mode 100644 common/.gitignore diff --git a/.gitignore b/.gitignore index 228b7ab..e244064 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ rpm/ *.pyc +*.pyo *~ +*.o diff --git a/appvm/.gitignore b/appvm/.gitignore new file mode 100644 index 0000000..edd6d09 --- /dev/null +++ b/appvm/.gitignore @@ -0,0 +1,3 @@ +qubes_add_pendrive_script +qubes_penctl +qvm-open-in-dvm diff --git a/common/.gitignore b/common/.gitignore new file mode 100644 index 0000000..03034a9 --- /dev/null +++ b/common/.gitignore @@ -0,0 +1 @@ +meminfo-writer From 24ed4df11c223c6b475ede3a7cc07c74524f30ef Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Mon, 28 Feb 2011 18:52:55 +0100 Subject: [PATCH 06/19] block-snapshot fixes --- common/block-snapshot | 51 ++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 20 deletions(-) mode change 100644 => 100755 common/block-snapshot diff --git a/common/block-snapshot b/common/block-snapshot old mode 100644 new mode 100755 index a08a10c..a668935 --- a/common/block-snapshot +++ b/common/block-snapshot @@ -7,7 +7,6 @@ dir=$(dirname "$0") . "$dir/block-common.sh" - get_dev() { dev=$1 @@ -26,10 +25,10 @@ get_dev() { fatal "Unable to lookup $file: dev: $devnum inode: $inode" fi - dev_list=$(losetup -a | grep ' \[0*'${dev}'\]:'${inode} | cut -d : -f 1) - for dev in $dev_list; do + dev_list=$(losetup -a | grep ' \[0*'${devnum}'\]:'${inode} | cut -d : -f 1) + for loopdev in $dev_list; do # found existing loop to this file - echo $dev + echo $loopdev return done 
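Review bot: This hunk and the rest of PATCH 06/19 are byte-identical to PATCH 02/19 (same `index a08a10c..a668935`, same author date), and PATCH 07, 08 and 09 repeat PATCH 03, 04 and 05 the same way, so applying the series in order stops at PATCH 06 because its preimage no longer matches the tree. The repeated commits look like a rebase or re-export artifact and should be dropped from the series before it is applied.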
@@ -141,40 +140,52 @@ case "$command" in fatal "No device node to remove" fi + if [ ! -e "$node" ]; then + fatal "Device $node does not exists" + fi + claim_lock "block" use_count=$(dmsetup info $node|grep Open|awk '{print $3}') # do not remove snapshot if snapshot origin is still present - if [ "${node/snapshot/}" != "$node" -a - -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then - ((use_count++)) + if [ "${node/snapshot/}" != "$node" -a -e "/dev/mapper/origin-$(echo $node|cut -d- -f2)" ]; then + use_count=1 fi if [ "$use_count" -gt 0 ]; then log info "Device $node still in use - not removing" + release_lock "block" exit 0 fi # get list of used (loop) devices - deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')" + deps="$(dmsetup deps $node | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')" - # remove unused snapshots - for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2); do - use_count=$(dmsetup info $snap|grep Open|awk '{print $3}') - if [ $use_count -eq 0 ]; then - # unused snapshot - remove it - deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]+\))#/dev/loop\1#g')" - dmsetup remove $snap - fi - done - - do_or_die dmsetup remove $node + # if this is origin + if [ "${node/origin/}" != "$node" ]; then + # remove unused snapshots + for snap in /dev/mapper/snapshot-$(echo $node|cut -d- -f2)-*; do + use_count=$(dmsetup info $snap|grep Open|awk '{print $3}') + if [ "$use_count" -eq 0 ]; then + # unused snapshot - remove it + deps="$deps $(dmsetup deps $snap | cut -d: -f2 | sed -e 's#(7, \([0-9]\+\))#/dev/loop\1#g')" + log debug "Removing $snap" + dmsetup remove $snap + fi + done + fi + + if [ -e $node ]; then + log debug "Removing $node" + dmsetup remove $node + fi # try to free loop devices for dev in $deps; do if [ -b "$dev" ]; then - losetup -d $dev 2> /dev/null + log debug "Removing $dev" + losetup -d $dev || true 2> /dev/null fi done 
From 1b9aec1efd0e176c7323a340360e7d15ef30dcf4 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:35:36 +0100 Subject: [PATCH 07/19] Add backup files to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 4d22dcb..228b7ab 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ rpm/ *.pyc +*~ From dc5b65c23ddd0cb9e435309ae2193e57efd79899 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:55:54 +0100 Subject: [PATCH 08/19] Add BR to core-appvm.spec --- rpm_spec/core-appvm.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec index c9a009d..e901a12 100644 --- a/rpm_spec/core-appvm.spec +++ b/rpm_spec/core-appvm.spec @@ -34,6 +34,8 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: /usr/bin/mimeopen +BuildRequires: gcc +BuildRequires: xen-devel Provides: qubes-core-vm %define _builddir %(pwd)/appvm From 45f70b4e02bb6cd1490c9c58f471eb4221314c20 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 2 Mar 2011 11:58:22 +0100 Subject: [PATCH 09/19] gitignore files - add build products --- .gitignore | 2 ++ appvm/.gitignore | 3 +++ common/.gitignore | 1 + 3 files changed, 6 insertions(+) create mode 100644 appvm/.gitignore create mode 100644 common/.gitignore diff --git a/.gitignore b/.gitignore index 228b7ab..e244064 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ rpm/ *.pyc +*.pyo *~ +*.o diff --git a/appvm/.gitignore b/appvm/.gitignore new file mode 100644 index 0000000..edd6d09 --- /dev/null +++ b/appvm/.gitignore @@ -0,0 +1,3 @@ +qubes_add_pendrive_script +qubes_penctl +qvm-open-in-dvm diff --git a/common/.gitignore b/common/.gitignore new file mode 100644 index 0000000..03034a9 --- /dev/null +++ b/common/.gitignore @@ -0,0 +1 @@ +meminfo-writer From e686391de1e7bf0121a179ae1b9b72ea384f37d7 Mon Sep 17 00:00:00 2001 
From: Tomasz Sterna Date: Wed, 9 Mar 2011 17:27:35 +0100 Subject: [PATCH 10/19] Added AppVM version of xenstore-watch. --- appvm/Makefile | 7 +++++-- appvm/xenstore-watch.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 appvm/xenstore-watch.c diff --git a/appvm/Makefile b/appvm/Makefile index 6bb1dea..0ef375a 100644 --- a/appvm/Makefile +++ b/appvm/Makefile @@ -1,11 +1,14 @@ CC=gcc CFLAGS=-Wall -all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm +all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch qubes_penctl: qubes_penctl.o $(CC) -o qubes_penctl qubes_penctl.o -lxenstore qubes_add_pendrive_script: qubes_add_pendrive_script.o $(CC) -o qubes_add_pendrive_script qubes_add_pendrive_script.o -lxenstore qvm-open-in-dvm: qvm-open-in-dvm.o $(CC) -o qvm-open-in-dvm qvm-open-in-dvm.o -lxenstore +xenstore-watch: xenstore-watch.o + $(CC) -o xenstore-watch xenstore-watch.o -lxenstore + clean: - rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm *.o *~ + rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch *.o *~ diff --git a/appvm/xenstore-watch.c b/appvm/xenstore-watch.c new file mode 100644 index 0000000..497ed29 --- /dev/null +++ b/appvm/xenstore-watch.c @@ -0,0 +1,28 @@ +#include +#include +#include +#include +main(int argc, char **argv) +{ + struct xs_handle *xs; + unsigned int count; + char **vec; + char dummy; + if (argc != 2) { + fprintf(stderr, "usage: %s xenstore_path\n", argv[0]); + exit(1); + } + xs = xs_domain_open(); + if (!xs) { + perror("xs_domain_open"); + exit(1); + } + if (!xs_watch(xs, argv[1], &dummy)) { + perror("xs_watch"); + exit(1); + } + vec = xs_read_watch(xs, &count); + free(vec); + vec = xs_read_watch(xs, &count); + free(vec); +} From 76bf222dd2265b8c125c75b761d916ba57cacd4b Mon Sep 17 00:00:00 2001 
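Review bot: `xs_watch(xs, argv[1], &dummy)` passes the address of an uninitialised `char` as the watch token, but libxenstore takes the token as a NUL-terminated string and sends it to xenstored, so this reads past `dummy` on the stack; use a literal token, `if (!xs_watch(xs, argv[1], "qubes-watch")) {`. `main` is also declared without a return type and never returns a value, the handle is never closed, and `xs_read_watch` can return NULL when the daemon goes away; `int main(int argc, char **argv)`, a NULL check on each `vec`, and `xs_daemon_close(xs); return 0;` at the end close those gaps. The include lines lost their header names in this rendering, so which headers are pulled in cannot be checked here.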
From: Tomasz Sterna
Date: Wed, 9 Mar 2011 20:50:13 +0100
Subject: [PATCH 11/19] Added FirewallVM related VM scripts

---
 fwvm/bin/qubes_firewall | 33 +++++++++++++++++++
 fwvm/init.d/qubes_core | 67 ++++++++++++++++++++++++++++++++++++++
 fwvm/init.d/qubes_firewall | 42 ++++++++++++++++++++++++
 netvm/30-qubes_external_ip | 8 +++++
 rpm_spec/core-netvm.spec | 1 +
 5 files changed, 151 insertions(+)
 create mode 100755 fwvm/bin/qubes_firewall
 create mode 100755 fwvm/init.d/qubes_core
 create mode 100755 fwvm/init.d/qubes_firewall
 create mode 100755 netvm/30-qubes_external_ip

diff --git a/fwvm/bin/qubes_firewall b/fwvm/bin/qubes_firewall
new file mode 100755
index 0000000..6f1cc26
--- /dev/null
+++ b/fwvm/bin/qubes_firewall
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+PIDFILE=/var/run/qubes/qubes_firewall.pid
+XENSTORE_IPTABLES=qubes_iptables
+XENSTORE_ERROR=qubes_iptables_error
+OLD_RULES=""
+
+# PIDfile handling
+[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
+echo $$ >$PIDFILE
+
+trap 'exit 0' SIGTERM
+
+while true; do
+ RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+
+ if [[ "$RULES" != "$OLD_RULES" ]]; then
+ IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
+ OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
+ /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+
+ if [[ -z "$OUT" ]]; then
+ # If OK save it for later
+ /sbin/service iptables save >/dev/null
+ fi
+
+ OLD_RULES="$RULES"
+ fi
+
+ # Wait for changes in xenstore file
+ /usr/bin/xenstore-watch $XENSTORE_IPTABLES
+done
diff --git a/fwvm/init.d/qubes_core b/fwvm/init.d/qubes_core
new file mode 100755
index 0000000..d6bcac2
--- /dev/null
+++ b/fwvm/init.d/qubes_core
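Review bot: Nothing removes `$PIDFILE`: the SIGTERM trap only exits, so after a stop the stale pid stays on disk and the next start's `kill -s 0 $(<$PIDFILE)` refuses to run whenever that pid has been reused by an unrelated process; change the trap to `trap 'rm -f "$PIDFILE"; exit 0' SIGTERM EXIT`. The rules are fed to iptables-restore through `echo -e`, which rewrites backslash sequences inside the rules and the saved tables (a `--string` match containing `\n`, for example) before they are parsed; `printf '%s\n%s\n' "$RULES" "$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :` passes them through unchanged. The backticks around that pipeline and the unquoted `$(<$PIDFILE)` are the remaining style points.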
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 90
+# description: Executes Qubes core scripts at VM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+start()
+{
+ echo -n $"Executing Qubes Core scripts FirewallVM:"
+
+ if ! [ -x /usr/bin/xenstore-read ] ; then
+ echo "ERROR: /usr/bin/xenstore-read not found!"
+ exit 1
+ fi
+
+ name=$(/usr/bin/xenstore-read name)
+ hostname $name
+
+ # Setup gateway for all the VMs this netVM is serviceing...
+ modprobe netbk
+ gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+ netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+ network=$(/usr/bin/xenstore-read qubes_netvm_network)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
+ echo "NS1=$gateway" > /var/run/qubes/qubes_ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
+ /usr/lib/qubes/qubes_setup_dnat_to_ns
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
+ # Now setup "AppVM" part of FirewallVM
+ ip=$(/usr/bin/xenstore-read qubes_ip)
+ netmask=$(/usr/bin/xenstore-read qubes_netmask)
+ gateway=$(/usr/bin/xenstore-read qubes_gateway)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns)
+ if [ x$ip != x ]; then
+ /sbin/ifconfig eth0 $ip netmask 255.255.255.255 up
+ /sbin/route add default dev eth0
+ echo "nameserver $gateway" > /etc/resolv.conf
+ echo "nameserver $secondary_dns" >> /etc/resolv.conf
+ fi
+
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/fwvm/init.d/qubes_firewall b/fwvm/init.d/qubes_firewall
new file mode 100755
index 0000000..f970734
--- /dev/null
+++ b/fwvm/init.d/qubes_firewall
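Review bot: `echo "1" > /proc/sys/net/ipv4/ip_forward` runs from this script at chkconfig priority 90, one step before qubes_firewall (91) starts the monitor that loads the rules from xenstore, so at boot there is a window in which the VM forwards traffic under whatever filter table happens to be loaded at that point; presumably the iptables service restores the last saved rules earlier, but if it does not, forwarding should be enabled by qubes_firewall after its first successful restore instead. The same ordering is kept in netvm/qubes_core_netvm in PATCH 14/19. `netmask` and `network` are read from xenstore and never used, `$name` and `$ip` are unquoted in `hostname $name` and `/sbin/ifconfig eth0 $ip`, and `exit $RETVAL` uses a variable nothing sets, so the exit status is that of the last command rather than of start().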
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# chkconfig: 345 91 91
+# description: Starts Qubes Firewall monitor
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+PIDFILE=/var/run/qubes/qubes_firewall.pid
+
+start()
+{
+ echo -n $"Starting Qubes Firewall monitor:"
+ /sbin/ethtool -K eth0 sg off
+ /usr/bin/qubes_firewall &
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ echo -n "Stopping Qubes Firewall monitor:"
+ kill $(cat $PIDFILE) 2>/dev/null && success || failure
+ echo ""
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/netvm/30-qubes_external_ip b/netvm/30-qubes_external_ip
new file mode 100755
index 0000000..66ae526
--- /dev/null
+++ b/netvm/30-qubes_external_ip
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ x$2 == xup ]; then
+ INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
+ /usr/bin/xenstore-write qubes_netvm_external_ip "$INET"
+fi
+if [ x$2 == xdown ]; then
+ /usr/bin/xenstore-write qubes_netvm_external_ip ""
+fi
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 83d88c2..47a04ff 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -67,6 +67,7 @@ mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
 ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
 mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
 mkdir -p $RPM_BUILD_ROOT/sbin
From 67b6217308242c618180289abfbc9453e55a08aa Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Thu, 10 Mar 2011 16:09:37 +0100
Subject: [PATCH 12/19] Add 30-qubes_external_ip to netvm.spec

---
 rpm_spec/core-netvm.spec | 1 +
 1 file changed, 1 insertion(+)
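Review bot: `[ x$2 == xup ]` in 30-qubes_external_ip uses the bash-only `==` under `#!/bin/sh`; on a POSIX sh such as dash `[` rejects it with "unexpected operator", so the dispatcher hook never records the external IP and nothing reports why, and `$1`/`$2` are unquoted as well. Use `if [ "x$2" = "xup" ]; then` (and the `xdown` twin) with `$(/sbin/ip addr show dev "$1" | /bin/grep inet)`. The same `==` under `#!/bin/sh` appears in netvm/qubes_core_netvm and proxyvm/init.d/qubes_firewall in PATCH 14/19.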
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index 47a04ff..d03591a 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec @@ -180,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/qubes_fix_nm_conf.sh /etc/dhclient.d/qubes_setup_dnat_to_ns.sh /etc/NetworkManager/dispatcher.d/qubes_nmhook +/etc/NetworkManager/dispatcher.d/30-qubes_external_ip /etc/yum.repos.d/qubes.repo /sbin/qubes_serial_login /etc/xen/scripts/vif-route-qubes From f5e526f2c38efda22a2e71489d0f20cacc11c8c2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 10 Mar 2011 16:23:45 +0100 Subject: [PATCH 13/19] .gitignore --- appvm/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/appvm/.gitignore b/appvm/.gitignore index edd6d09..2368033 100644 --- a/appvm/.gitignore +++ b/appvm/.gitignore @@ -1,3 +1,4 @@ qubes_add_pendrive_script qubes_penctl qvm-open-in-dvm +xenstore-watch From c87b15ba2a0a2a585c87d4e4f1105d1e1522bc20 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Fri, 11 Mar 2011 01:38:04 +0100 Subject: [PATCH 14/19] NetVM, AppVM, ProxyVM from single template - VM side Modify VM packages to: - do not conflicts - starts services if its VM type need it Added core-proxyvm (firewall) and core-commonvm (common parts) packages. --- Makefile | 6 ++ {appvm => common}/fstab | 0 {appvm => common}/qubes_core | 31 -------- fwvm/init.d/qubes_core | 67 ------------------ fwvm/init.d/qubes_firewall | 42 ----------- netvm/qubes_core | 54 -------------- netvm/qubes_core_netvm | 58 +++++++++++++++ {fwvm => proxyvm}/bin/qubes_firewall | 0 proxyvm/init.d/qubes_firewall | 48 +++++++++++++ rpm_spec/core-appvm.spec | 98 ++------------------------ rpm_spec/core-netvm.spec | 101 ++------------------------- 11 files changed, 124 insertions(+), 381 deletions(-) rename {appvm => common}/fstab (100%) rename {appvm => common}/qubes_core (61%) delete mode 100755 fwvm/init.d/qubes_core delete mode 100755 fwvm/init.d/qubes_firewall delete mode 100755 netvm/qubes_core create mode 100755 netvm/qubes_core_netvm rename {fwvm => proxyvm}/bin/qubes_firewall (100%) create mode 100755 proxyvm/init.d/qubes_firewall diff --git a/Makefile b/Makefile index 01085b2..b38c5f5 100644 --- a/Makefile +++ b/Makefile 
@@ -5,20 +5,26 @@ help: @echo "make update-repo-testing -- same, but to -testing repo" rpms: + rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-commonvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-appvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-netvm.spec + rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-proxyvm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec rpm --addsign $(RPMS_DIR)/x86_64/*.rpm update-repo: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*.rpm ../yum/r1/dom0/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-appvm-*.rpm ../yum/r1/appvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1/netvm/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-netvm-*.rpm ../yum/r1/netvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-proxyvm-*.rpm ../yum/r1/netvm/rpm/ update-repo-testing: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*.rpm ../yum/r1-testing/dom0/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-appvm-*.rpm ../yum/r1-testing/appvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1-testing/netvm/rpm/ ln -f $(RPMS_DIR)/x86_64/qubes-core-netvm-*.rpm ../yum/r1-testing/netvm/rpm/ + ln -f $(RPMS_DIR)/x86_64/qubes-core-proxyvm-*.rpm ../yum/r1-testing/netvm/rpm/ diff --git a/appvm/fstab b/common/fstab similarity index 100% rename from appvm/fstab rename to common/fstab diff --git a/appvm/qubes_core b/common/qubes_core similarity index 61% rename from appvm/qubes_core rename to common/qubes_core index 714727a..26fe514 100755 --- a/appvm/qubes_core +++ b/common/qubes_core 
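Review bot: `rpm_spec/core-commonvm.spec` and `rpm_spec/core-proxyvm.spec` are added to the rpms target, but neither file appears in this commit's diffstat (11 files, with core-appvm.spec and core-netvm.spec the only entries under rpm_spec/), so unless they already exist in the tree `make rpms` stops at the first missing spec; the description says the packages were added, so they look to have been left out of the commit. The commonvm rpm is also linked only into `../yum/r1/netvm/rpm/` while core-appvm.spec in this same commit gains `Requires: qubes-core-commonvm`; if AppVMs install from the appvm repo alone, as the separate `appvm/rpm/` target suggests, that dependency is unresolvable there, so add `ln -f $(RPMS_DIR)/x86_64/qubes-core-commonvm-*.rpm ../yum/r1/appvm/rpm/` to update-repo and its -testing counterpart.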
@@ -6,18 +6,6 @@ # Source function library. . /etc/rc.d/init.d/functions -possibly_run_save_script() -{ - ENCODED_SCRIPT=$(xenstore-read qubes_save_script) - if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi - echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script - chmod 755 /tmp/qubes_save_script - Xorg -config /etc/X11/xorg-preload-apps.conf :0 & - sleep 2 - DISPLAY=:0 su - user -c /tmp/qubes_save_script - killall Xorg -} - start() { echo -n $"Executing Qubes Core scripts:" @@ -26,21 +14,6 @@ start() echo "ERROR: /usr/bin/xenstore-read not found!" exit 1 fi - if xenstore-read qubes_save_request 2>/dev/null ; then - ln -sf /home_volatile /home - possibly_run_save_script - touch /etc/this_is_dvm - dmesg -c >/dev/null - free | grep Mem: | - (read a b c d ; xenstore-write device/qubes_used_mem $c) - # we're still running in DispVM template - echo "Waiting for save/restore..." - # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys - while ! xenstore-read qubes_restore_complete 2>/dev/null ; do - usleep 10 - done - echo Back to life. - fi name=$(/usr/bin/xenstore-read name) if ! [ -f /etc/this_is_dvm ] ; then @@ -81,10 +54,6 @@ start() fi fi - MEM_CHANGE_THRESHOLD_KB=30000 - MEMINFO_DELAY_USEC=100000 - /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC & - [ -x /rw/config/rc.local ] && /rw/config/rc.local success echo "" diff --git a/fwvm/init.d/qubes_core b/fwvm/init.d/qubes_core deleted file mode 100755 index d6bcac2..0000000 --- a/fwvm/init.d/qubes_core +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/sh -# -# chkconfig: 345 90 90 -# description: Executes Qubes core scripts at VM boot -# -# Source function library. -. /etc/rc.d/init.d/functions - -start() -{ - echo -n $"Executing Qubes Core scripts FirewallVM:" - - if ! [ -x /usr/bin/xenstore-read ] ; then - echo "ERROR: /usr/bin/xenstore-read not found!" - exit 1 - fi - - name=$(/usr/bin/xenstore-read name) - hostname $name - - # Setup gateway for all the VMs this netVM is serviceing... - modprobe netbk - gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) - netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) - network=$(/usr/bin/xenstore-read qubes_netvm_network) - secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) - echo "NS1=$gateway" > /var/run/qubes/qubes_ns - echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns - /usr/lib/qubes/qubes_setup_dnat_to_ns - echo "1" > /proc/sys/net/ipv4/ip_forward - - # Now setup "AppVM" part of FirewallVM - ip=$(/usr/bin/xenstore-read qubes_ip) - netmask=$(/usr/bin/xenstore-read qubes_netmask) - gateway=$(/usr/bin/xenstore-read qubes_gateway) - secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns) - if [ x$ip != x ]; then - /sbin/ifconfig eth0 $ip netmask 255.255.255.255 up - /sbin/route add default dev eth0 - echo "nameserver $gateway" > /etc/resolv.conf - echo "nameserver $secondary_dns" >> /etc/resolv.conf - fi - - success - echo "" - return 0 -} - -stop() -{ - return 0 -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - *) - echo $"Usage: $0 {start|stop}" - exit 3 - ;; -esac - -exit $RETVAL diff --git a/fwvm/init.d/qubes_firewall b/fwvm/init.d/qubes_firewall deleted file mode 100755 index f970734..0000000 --- a/fwvm/init.d/qubes_firewall +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/sh -# -# chkconfig: 345 91 91 -# description: Starts Qubes Firewall monitor -# -# Source function library. -. /etc/rc.d/init.d/functions - -PIDFILE=/var/run/qubes/qubes_firewall.pid - -start() -{ - echo -n $"Starting Qubes Firewall monitor:" - /sbin/ethtool -K eth0 sg off - /usr/bin/qubes_firewall & - success - echo "" - return 0 -} - -stop() -{ - echo -n "Stopping Qubes Firewall monitor:" - kill $(cat $PIDFILE) 2>/dev/null && success || failure - echo "" - return 0 -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - *) - echo $"Usage: $0 {start|stop}" - exit 3 - ;; -esac - -exit $RETVAL diff --git a/netvm/qubes_core b/netvm/qubes_core deleted file mode 100755 index dbfaad7..0000000 --- a/netvm/qubes_core +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh -# -# chkconfig: 345 90 90 -# description: Executes Qubes core scripts at VM boot -# -# Source function library. -. /etc/rc.d/init.d/functions - -start() -{ - echo -n $"Executing Qubes Core scripts NetVM:" - - if ! [ -x /usr/bin/xenstore-read ] ; then - echo "ERROR: /usr/bin/xenstore-read not found!" - exit 1 - fi - - name=$(/usr/bin/xenstore-read name) - hostname $name - - # Setup gateway for all the VMs this netVM is serviceing... - modprobe netbk - gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) - netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) - network=$(/usr/bin/xenstore-read qubes_netvm_network) - secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) - echo "NS1=$gateway" > /var/run/qubes/qubes_ns - echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns - /usr/lib/qubes/qubes_setup_dnat_to_ns - echo "1" > /proc/sys/net/ipv4/ip_forward - success - echo "" - return 0 -} - -stop() -{ - return 0 -} - -case "$1" in - start) - start - ;; - stop) - stop - ;; - *) - echo $"Usage: $0 {start|stop}" - exit 3 - ;; -esac - -exit $RETVAL diff --git a/netvm/qubes_core_netvm b/netvm/qubes_core_netvm new file mode 100755 index 0000000..dd713fc --- /dev/null 
+++ b/netvm/qubes_core_netvm
@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 90
+# description: Executes Qubes core scripts at NetVM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+start()
+{
+ if ! [ -x /usr/bin/xenstore-read ] ; then
+ echo "ERROR: /usr/bin/xenstore-read not found!"
+ exit 1
+ fi
+
+ type=$(/usr/bin/xenstore-read qubes_vm_type)
+ if [ "$type" == "NetVM" ]; then
+ /sbin/service NetworkManager start
+ fi
+
+ echo -n $"Executing Qubes Core scripts NetVM:"
+
+ # Setup gateway for all the VMs this netVM is serviceing...
+ network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
+ if [ "x$network" != "x" ]; then
+ gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+ netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
+ modprobe netbk
+ echo "NS1=$gateway" > /var/run/qubes/qubes_ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
+ /usr/lib/qubes/qubes_setup_dnat_to_ns
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+ fi
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/fwvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
similarity index 100%
rename from fwvm/bin/qubes_firewall
rename to proxyvm/bin/qubes_firewall
diff --git a/proxyvm/init.d/qubes_firewall b/proxyvm/init.d/qubes_firewall
new file mode 100755
index 0000000..1d3c026
--- /dev/null
+++ b/proxyvm/init.d/qubes_firewall
@@ -0,0 +1,48 @@ +#!/bin/sh +# +# chkconfig: 345 91 91 +# description: Starts Qubes Firewall monitor +# +# Source function library. +. /etc/rc.d/init.d/functions + +PIDFILE=/var/run/qubes/qubes_firewall.pid + +start() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n $"Starting Qubes Firewall monitor:" + /sbin/ethtool -K eth0 sg off + /usr/sbin/qubes_firewall & + success + echo "" + fi + return 0 +} + +stop() +{ + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$type" == "ProxyVM" ]; then + echo -n "Stopping Qubes Firewall monitor:" + kill $(cat $PIDFILE) 2>/dev/null && success || failure + echo "" + fi + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec index e901a12..a6eea0d 100644 --- a/rpm_spec/core-appvm.spec +++ b/rpm_spec/core-appvm.spec @@ -34,6 +34,7 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: /usr/bin/mimeopen +Requires: qubes-core-commonvm BuildRequires: gcc BuildRequires: xen-devel Provides: qubes-core-vm @@ -55,9 +56,6 @@ fi adduser --create-home user mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then -mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig -fi %build make clean all @@ -65,10 +63,8 @@ make -C ../common %install -mkdir -p $RPM_BUILD_ROOT/etc -cp fstab $RPM_BUILD_ROOT/etc/fstab mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +cp qubes_core_appvm $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/var/lib/qubes mkdir -p $RPM_BUILD_ROOT/usr/bin cp qubes_timestamp qvm-copy-to-vm qvm-open-in-dvm $RPM_BUILD_ROOT/usr/bin 
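Review bot: stop() runs `kill $(cat $PIDFILE) 2>/dev/null` with no check that the pid file exists or that the pid still belongs to qubes_firewall, so a stale file can signal an unrelated process that has since reused the pid, and a missing file turns into a bare `kill` whose usage error is hidden by the redirect. A guard such as `[ -f "$PIDFILE" ] && kill "$(cat "$PIDFILE")"` followed by `rm -f "$PIDFILE"` on success keeps the file from going stale across restarts. start() also hard-codes `eth0` in `/sbin/ethtool -K eth0 sg off`; a short comment on why scatter-gather offload is disabled and why eth0 is assumed to be the uplink would help the next maintainer.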
@@ -80,17 +76,9 @@ mkdir -p $RPM_BUILD_ROOT/%{kde_service_dir} cp qvm-copy.desktop qvm-dvm.desktop $RPM_BUILD_ROOT/%{kde_service_dir} mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d cp qubes.rules $RPM_BUILD_ROOT/etc/udev/rules.d -mkdir -p $RPM_BUILD_ROOT/etc/sysconfig -cp iptables $RPM_BUILD_ROOT/etc/sysconfig/ mkdir -p $RPM_BUILD_ROOT/mnt/incoming mkdir -p $RPM_BUILD_ROOT/mnt/outgoing mkdir -p $RPM_BUILD_ROOT/mnt/removable -mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d -cp ../appvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d -mkdir -p $RPM_BUILD_ROOT/sbin -cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin -mkdir -p $RPM_BUILD_ROOT/etc -cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ mkdir -p $RPM_BUILD_ROOT/etc/X11 cp xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11 @@ -98,9 +86,6 @@ cp xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11 mkdir -p $RPM_BUILD_ROOT/home_volatile/user chown 500:500 $RPM_BUILD_ROOT/home_volatile/user -%triggerin -- initscripts -cp /var/lib/qubes/serial.conf /etc/init/serial.conf - %post if [ "$1" != 1 ] ; then 
@@ -108,81 +93,15 @@ if [ "$1" != 1 ] ; then exit 0 fi -usermod -L root usermod -L user -if ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig -fi -#echo "--> Disabling SELinux..." -sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed -mv /etc/selinux/config.processed /etc/selinux/config -setenforce 0 2>/dev/null - -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - chkconfig $srv off -done - -#echo "--> Enabling essential services..." -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig cups on -chkconfig iptables on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - -# Remove most of the udev scripts to speed up the VM boot time -# Just leave the xen* scripts, that are needed if this VM was -# ever used as a net backend (e.g. as a VPN domain in the future) -#echo "--> Removing unnecessary udev scripts..." 
-mkdir -p /var/lib/qubes/removed-udev-scripts -for f in /etc/udev/rules.d/* -do - if [ $(basename $f) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "xend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "qubes.rules" ] ; then - continue - fi - - if [ $(basename $f) == "90-hal.rules" ] ; then - continue - fi - - - mv $f /var/lib/qubes/removed-udev-scripts/ -done -mkdir -p /rw -#rm -f /etc/mtab -#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" -#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig -#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" %preun if [ "$1" = 0 ] ; then # no more packages left - chkconfig qubes_core off - mv /var/lib/qubes/fstab.orig /etc/fstab - mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ - mv /var/lib/qubes/serial.orig /etc/init/serial.conf + chkconfig qubes_core_appvm off fi %clean @@ -190,8 +109,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -/etc/fstab -/etc/init.d/qubes_core +/etc/init.d/qubes_core_appvm /usr/bin/qvm-copy-to-vm /usr/lib/qubes/qvm-copy-to-vm.kde %attr(4755,root,root) /usr/bin/qvm-open-in-dvm @@ -202,13 +120,9 @@ rm -rf $RPM_BUILD_ROOT %attr(4755,root,root) /usr/lib/qubes/qubes_penctl /usr/lib/qubes/qubes_add_pendrive_script /etc/udev/rules.d/qubes.rules -/etc/sysconfig/iptables -/var/lib/qubes %dir /mnt/incoming %dir /mnt/outgoing %dir /mnt/removable -/etc/yum.repos.d/qubes.repo -/sbin/qubes_serial_login /usr/bin/qubes_timestamp %dir /home_volatile %attr(700,user,user) /home_volatile/user diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index d03591a..f813e37 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec 
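Review bot: The failure messages on the renamed chkconfig lines still name the old service: `chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!"` reports `qubes_core` when it is `qubes_core_appvm` that failed, which misleads whoever reads the install log. The same copy-paste is in rpm_spec/core-netvm.spec %post (qubes_core_netvm) and in rpm_spec/core-proxyvm.spec (qubes_firewall, and qubes_netwatcher in the later patch of this series). Suggested: `chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!"` and likewise for the enable line.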
@@ -34,6 +34,7 @@ URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release = 13 Requires: NetworkManager >= 0.8.1-1 +Requires: qubes-core-commonvm Provides: qubes-core-vm %define _builddir %(pwd)/netvm @@ -43,22 +44,13 @@ The Qubes core files for installation inside a Qubes NetVM. %pre -mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then -mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig -fi - - %build %install -mkdir -p $RPM_BUILD_ROOT/etc/sysconfig -cp ../common/iptables $RPM_BUILD_ROOT/etc/sysconfig mkdir -p $RPM_BUILD_ROOT/etc -cp fstab $RPM_BUILD_ROOT/etc/fstab mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +cp qubes_core_netvm $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/var/lib/qubes mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes @@ -68,19 +60,10 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ -mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d -cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d -mkdir -p $RPM_BUILD_ROOT/sbin -cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin -mkdir -p $RPM_BUILD_ROOT/etc -cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ mkdir -p $RPM_BUILD_ROOT/var/run/qubes mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts -%triggerin -- initscripts -cp /var/lib/qubes/serial.conf /etc/init/serial.conf - %post /usr/lib/qubes/qubes_fix_nm_conf.sh 
@@ -90,81 +73,14 @@ if [ "$1" != 1 ] ; then exit 0 fi -sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf -usermod -L root -if ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig -fi +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -#echo "--> Disabling SELinux..." -sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed -mv /etc/selinux/config.processed /etc/selinux/config -setenforce 0 2>/dev/null - -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - chkconfig $srv off -done - -#echo "--> Enabling essential services..." -chkconfig iptables on -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig NetworkManager on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - -# Remove most of the udev scripts to speed up the VM boot time -# Just leave the xen* scripts, that are needed if this VM was -# ever used as a net backend (e.g. as a VPN domain in the future) -#echo "--> Removing unnecessary udev scripts..." 
-mkdir -p /var/lib/qubes/removed-udev-scripts -for f in /etc/udev/rules.d/* -do - if [ $(basename $f) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "xend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "qubes.rules" ] ; then - continue - fi - - if [ $(basename $f) == "90-hal.rules" ] ; then - continue - fi - - - mv $f /var/lib/qubes/removed-udev-scripts/ -done - -#rm -f /etc/mtab -#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" -#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig -#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 %preun if [ "$1" = 0 ] ; then # no more packages left - chkconfig qubes_core off - mv /var/lib/qubes/fstab.orig /etc/fstab - mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ - mv /var/lib/qubes/serial.orig /etc/init/serial.conf + chkconfig qubes_core_netvm off fi %clean @@ -172,16 +88,11 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -/etc/fstab -/etc/sysconfig/iptables -/etc/init.d/qubes_core -/var/lib/qubes +/etc/init.d/qubes_core_netvm /usr/lib/qubes/qubes_setup_dnat_to_ns /usr/lib/qubes/qubes_fix_nm_conf.sh /etc/dhclient.d/qubes_setup_dnat_to_ns.sh /etc/NetworkManager/dispatcher.d/qubes_nmhook /etc/NetworkManager/dispatcher.d/30-qubes_external_ip -/etc/yum.repos.d/qubes.repo -/sbin/qubes_serial_login /etc/xen/scripts/vif-route-qubes %dir /var/run/qubes From 4c0849890cbe83cc8433cffcaf44b2c669441856 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Fri, 11 Mar 2011 01:42:42 +0100 Subject: [PATCH 15/19] NetVM, AppVM, ProxyVM from single template - VM side (missing files...) --- appvm/qubes_core_appvm | 82 ++++++++++++++++++ rpm_spec/core-commonvm.spec | 166 ++++++++++++++++++++++++++++++++++++ rpm_spec/core-proxyvm.spec | 77 +++++++++++++++++ 3 files changed, 325 insertions(+) create mode 100755 appvm/qubes_core_appvm create mode 100644 rpm_spec/core-commonvm.spec create mode 100644 rpm_spec/core-proxyvm.spec diff --git a/appvm/qubes_core_appvm b/appvm/qubes_core_appvm new file mode 100755 index 0000000..ed250dd --- /dev/null +++ b/appvm/qubes_core_appvm 
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# chkconfig: 345 85 85
+# description: Executes Qubes core scripts at AppVM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+possibly_run_save_script()
+{
+ ENCODED_SCRIPT=$(xenstore-read qubes_save_script)
+ if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
+ echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script
+ chmod 755 /tmp/qubes_save_script
+ Xorg -config /etc/X11/xorg-preload-apps.conf :0 &
+ sleep 2
+ DISPLAY=:0 su - user -c /tmp/qubes_save_script
+ killall Xorg
+}
+
+start()
+{
+ if ! [ -x /usr/bin/xenstore-read ] ; then
+ echo "ERROR: /usr/bin/xenstore-read not found!"
+ exit 1
+ fi
+
+ type=$(/usr/bin/xenstore-read qubes_vm_type)
+ if [ "$type" != "AppVM" -a "$type" != "DisposableVM" ]; then
+ # This script runs only on AppVMs
+ return 0
+ fi
+
+ # Start AppVM specific services
+ /sbin/service cups start
+
+ echo -n $"Executing Qubes Core scripts for AppVM:"
+
+ if xenstore-read qubes_save_request 2>/dev/null ; then
+ ln -sf /home_volatile /home
+ possibly_run_save_script
+ touch /etc/this_is_dvm
+ dmesg -c >/dev/null
+ free | grep Mem: |
+ (read a b c d ; xenstore-write device/qubes_used_mem $c)
+ # we're still running in DispVM template
+ echo "Waiting for save/restore..."
+ # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys
+ while ! xenstore-read qubes_restore_complete 2>/dev/null ; do
+ usleep 10
+ done
+ echo Back to life.
+ fi
+
+ MEM_CHANGE_THRESHOLD_KB=30000
+ MEMINFO_DELAY_USEC=100000
+ /usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC &
+
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
new file mode 100644
index 0000000..6705c28
--- /dev/null
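Review bot: possibly_run_save_script() writes the decoded script to the fixed path `/tmp/qubes_save_script` with `>` while running as root and then executes it as `user`; /tmp is world-writable, so a pre-existing file or symlink at that name (left in the template image, or created by the `user` account before this service ran) is followed by the redirect and the write lands wherever it points. Writing under a root-owned directory such as `/var/run/qubes/qubes_save_script`, or using `mktemp` and passing the resulting name to `su`, removes the dependency on /tmp state. The `echo $ENCODED_SCRIPT|perl ...` pipe should also quote the variable, e.g. `printf '%s' "$ENCODED_SCRIPT" | perl ...`, so the base64 text is not word-split or glob-expanded, and the `usleep 10` poll re-executes xenstore-read every 10 µs while waiting for qubes_restore_complete; a delay in the millisecond range would be far cheaper with no functional change.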
+++ b/rpm_spec/core-commonvm.spec 
@@ -0,0 +1,166 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010 Joanna Rutkowska
+# Copyright (C) 2010 Rafal Wojtczuk
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name: qubes-core-commonvm
+Version: %{version}
+Release: 1
+Summary: The Qubes core files for any VM
+
+Group: Qubes
+Vendor: Invisible Things Lab
+License: GPL
+URL: http://www.qubes-os.org
+Requires: /usr/bin/xenstore-read
+Requires: fedora-release = 13
+
+%define _builddir %(pwd)/common
+
+%description
+The Qubes core files for installation inside a Qubes VM.
+
+%pre
+
+if [ "$1" != 1 ] ; then
+# do this whole %pre thing only when updating for the first time...
+exit 0
+fi
+
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then
+mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig
+fi
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc
+cp fstab $RPM_BUILD_ROOT/etc/fstab
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp iptables $RPM_BUILD_ROOT/etc/sysconfig/
+mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
+cp ../appvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
+
+%triggerin -- initscripts
+cp /var/lib/qubes/serial.conf /etc/init/serial.conf
+
+%post
+
+if [ "$1" != 1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+usermod -L root
+if ! [ -f /var/lib/qubes/serial.orig ] ; then
+ cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+fi
+
+#echo "--> Disabling SELinux..."
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0 2>/dev/null
+
+#echo "--> Turning off unnecessary services..."
+# FIXME: perhaps there is more elegant way to do this?
+for f in /etc/init.d/*
+do
+ srv=`basename $f`
+ [ $srv = 'functions' ] && continue
+ [ $srv = 'killall' ] && continue
+ [ $srv = 'halt' ] && continue
+ [ $srv = 'single' ] && continue
+ [ $srv = 'qubes_gui' ] && continue
+ chkconfig $srv off
+done
+
+#echo "--> Enabling essential services..."
+chkconfig rsyslog on
+chkconfig haldaemon on
+chkconfig messagebus on
+chkconfig iptables on
+chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
+
+
+# TODO: make this not display the silly message about security context...
+sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
+
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+#echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+ if [ $(basename $f) == "xen-backend.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "xend.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "qubes.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "90-hal.rules" ] ; then
+ continue
+ fi
+
+
+ mv $f /var/lib/qubes/removed-udev-scripts/
+done
+mkdir -p /rw
+#rm -f /etc/mtab
+#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+%preun
+if [ "$1" = 0 ] ; then
+ # no more packages left
+ chkconfig qubes_core off
+ mv /var/lib/qubes/fstab.orig /etc/fstab
+ mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+ mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/fstab
+/etc/init.d/qubes_core
+/etc/sysconfig/iptables
+/var/lib/qubes
+/etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec
new file mode 100644
index 0000000..c5a5ad3
--- /dev/null
+++ b/rpm_spec/core-proxyvm.spec
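Review bot: The %pre scriptlet uses `$RPM_BUILD_ROOT` in `mkdir -p $RPM_BUILD_ROOT/var/lib/qubes` and in the fstab move, but %pre runs on the target system at install time, where that build-time variable is presumably unset and the paths only work because they silently collapse to `/var/lib/qubes` and `/etc/fstab`; writing the absolute paths makes the intent explicit instead of depending on the variable being empty. The %preun restore step `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` has no guard for an empty directory, so an uninstall on a system where nothing was moved hands `mv` the literal glob and the scriptlet fails; a `[ -d /var/lib/qubes/removed-udev-scripts ]` check with the error output suppressed, or a loop over the matches, makes it tolerant. `%files` also claims `/etc/fstab` as a plain file, so a package upgrade can overwrite a locally edited fstab; `%config(noreplace) /etc/fstab` is the usual marking for a file the package provides but the administrator may edit.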
@@ -0,0 +1,77 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010 Joanna Rutkowska
+# Copyright (C) 2010 Rafal Wojtczuk
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name: qubes-core-proxyvm
+Version: %{version}
+Release: 1
+Summary: The Qubes core files for NetVM
+
+Group: Qubes
+Vendor: Invisible Things Lab
+License: GPL
+URL: http://www.qubes-os.org
+Requires: /usr/bin/xenstore-read
+Requires: /sbin/ethtool
+Requires: fedora-release = 13
+Requires: qubes-core-netvm
+
+%define _builddir %(pwd)/proxyvm
+
+%description
+The Qubes core files for installation inside a Qubes ProxyVM in addition to NetVM scripts.
+
+%pre
+
+%build
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp init.d/qubes_firewall $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/usr/sbin
+cp bin/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
+
+%post
+
+if [ "$1" != 1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
+ +%preun +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_firewall off +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +/etc/init.d/qubes_firewall +/usr/sbin/qubes_firewall From 7914558ad84912ce478a95d2220dd2f729f524ad Mon Sep 17 00:00:00 2001 From: Tomasz Sterna Date: Fri, 11 Mar 2011 19:39:52 +0100 Subject: [PATCH 16/19] FwVM network changes watcher script --- fwvm/bin/qubes_netwatcher | 27 +++++++++++++++++++++++ fwvm/init.d/qubes_netwatcher | 42 ++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100755 fwvm/bin/qubes_netwatcher create mode 100755 fwvm/init.d/qubes_netwatcher diff --git a/fwvm/bin/qubes_netwatcher b/fwvm/bin/qubes_netwatcher new file mode 100755 index 0000000..8f9d2e9 --- /dev/null +++ b/fwvm/bin/qubes_netwatcher @@ -0,0 +1,27 @@ +#!/bin/bash +set -e + +PIDFILE=/var/run/qubes/qubes_netwatcher.pid +CURR_NETCFG="" + +# PIDfile handling +[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0 +echo $$ >$PIDFILE + +trap 'exit 0' SIGTERM + +while true; do + NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid) + if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then + NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip) + if [[ "$NETCFG" != "$CURR_NETCFG" ]]; then + /sbin/service qubes_firewall stop + /sbin/service qubes_firewall start + CURR_NETCFG="$NETCFG" + fi + + /usr/bin/xenstore-watch /local/domain/$NET_DOMID/qubes_netvm_external_ip + else + /usr/bin/xenstore-watch qubes_netvm_domid + fi +done diff --git a/fwvm/init.d/qubes_netwatcher b/fwvm/init.d/qubes_netwatcher new file mode 100755 index 0000000..c322c82 --- /dev/null +++ b/fwvm/init.d/qubes_netwatcher 
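Review bot: `Summary: The Qubes core files for NetVM` is copied from the netvm spec and describes the wrong package; the %description a few lines below correctly says ProxyVM, so the summary should read `Summary: The Qubes core files for ProxyVM`. The `%pre` and `%build` sections are left empty without comment; a one-liner such as `# nothing to build: scripts are installed as shipped` under each would make it clear that this is deliberate rather than unfinished.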
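Review bot: The pid file is never removed: the `trap 'exit 0' SIGTERM` handler exits without `rm -f "$PIDFILE"`, so after a clean stop the startup check `[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0` compares against a stale pid, and if that pid has been reused by any other process the watcher silently refuses to start; `trap 'rm -f "$PIDFILE"; exit 0' SIGTERM` fixes the first half, and verifying that the pid's command is this script would fix the second. With `set -e` in force, `NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid)` terminates the whole daemon if the key is absent instead of falling through to the `else` branch that watches for it to appear; presumably the key always exists, but `NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid 2>/dev/null) || NET_DOMID=""` would make the loop robust to that case. `$(<$PIDFILE)` and the `$NET_DOMID` expansions in the xenstore paths should also be double-quoted.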
@@ -0,0 +1,42 @@ +#!/bin/sh +# +# chkconfig: 345 92 92 +# description: Starts Qubes Network monitor +# +# Source function library. +. /etc/rc.d/init.d/functions + +PIDFILE=/var/run/qubes/qubes_netwatcher.pid + +start() +{ + echo -n $"Starting Qubes Network monitor:" + /sbin/ethtool -K eth0 sg off + /usr/bin/qubes_netwatcher & + success + echo "" + return 0 +} + +stop() +{ + echo -n "Stopping Qubes Network monitor:" + kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure + echo "" + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL From bfb5ec483d52a824c129328d5850c0cfdd7d909f Mon Sep 17 00:00:00 2001 From: Tomasz Sterna Date: Fri, 11 Mar 2011 19:40:23 +0100 Subject: [PATCH 17/19] Use SIGKILL to stop qubes_firewall service --- fwvm/init.d/qubes_firewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fwvm/init.d/qubes_firewall b/fwvm/init.d/qubes_firewall index f970734..c23fb2b 100755 --- a/fwvm/init.d/qubes_firewall +++ b/fwvm/init.d/qubes_firewall @@ -21,7 +21,7 @@ start() stop() { echo -n "Stopping Qubes Firewall monitor:" - kill $(cat $PIDFILE) 2>/dev/null && success || failure + kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure echo "" return 0 } From a0a6bdf7d8edf3fb3f789a7b1034f2dbb8d7aba3 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 11 Mar 2011 23:33:15 +0100 Subject: [PATCH 18/19] Add qubes_netwatcher to proxyvm spec --- rpm_spec/core-proxyvm.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec index c5a5ad3..13c9253 100644 --- a/rpm_spec/core-proxyvm.spec +++ b/rpm_spec/core-proxyvm.spec 
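Review bot: stop() uses `kill -9 $(cat $PIDFILE)` as the first and only signal, and the qubes_firewall init script is switched to the same in the next patch; SIGKILL cannot be trapped, so the daemon's `trap 'exit 0' SIGTERM` handler never runs, and because a bash script blocked in a foreground `xenstore-watch` only handles SIGTERM after that child returns, the child `xenstore-watch` is left running and orphaned once its parent is killed. The cleaner fix is on the daemon side, running the watch as `/usr/bin/xenstore-watch ... & wait $!` and having the trap `kill $!` before exiting, after which a plain TERM here is sufficient; if SIGKILL is kept, this script should at least `rm -f $PIDFILE` after the kill so the next start does not see a stale pid. `/sbin/ethtool -K eth0 sg off` is also copied from the qubes_firewall init script; if disabling scatter-gather is not something the network watcher itself needs, drop the line or add a comment saying why it is repeated here.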
@@ -49,8 +49,10 @@ The Qubes core files for installation inside a Qubes ProxyVM in addition to NetV mkdir -p $RPM_BUILD_ROOT/etc/init.d cp init.d/qubes_firewall $RPM_BUILD_ROOT/etc/init.d/ +cp init.d/qubes_netwatcher $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/usr/sbin cp bin/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ +cp bin/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ %post @@ -62,10 +64,14 @@ fi chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!" + %preun if [ "$1" = 0 ] ; then # no more packages left chkconfig qubes_firewall off + chkconfig qubes_netwatcher off fi %clean @@ -74,4 +80,6 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) /etc/init.d/qubes_firewall +/etc/init.d/qubes_netwatcher /usr/sbin/qubes_firewall +/usr/sbin/qubes_netwatcher From 94209336aebf0ea5597c63d75a89ab761aac8035 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 11 Mar 2011 23:42:49 +0100 Subject: [PATCH 19/19] Register VM services also on update --- rpm_spec/core-appvm.spec | 6 +++--- rpm_spec/core-netvm.spec | 6 ------ rpm_spec/core-proxyvm.spec | 5 ----- 3 files changed, 3 insertions(+), 14 deletions(-) diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec index a6eea0d..91fd13c 100644 --- a/rpm_spec/core-appvm.spec +++ b/rpm_spec/core-appvm.spec @@ -88,6 +88,9 @@ chown 500:500 $RPM_BUILD_ROOT/home_volatile/user %post +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" + if [ "$1" != 1 ] ; then # do this whole %post thing only when updating for the first time... exit 0 
@@ -95,9 +98,6 @@ fi usermod -L user -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" - %preun if [ "$1" = 0 ] ; then # no more packages left diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index f813e37..346c548 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec @@ -68,15 +68,9 @@ cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts /usr/lib/qubes/qubes_fix_nm_conf.sh -if [ "$1" != 1 ] ; then -# do this whole %post thing only when updating for the first time... -exit 0 -fi - chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" - %preun if [ "$1" = 0 ] ; then # no more packages left diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec index 13c9253..52bc17f 100644 --- a/rpm_spec/core-proxyvm.spec +++ b/rpm_spec/core-proxyvm.spec @@ -56,11 +56,6 @@ cp bin/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ %post -if [ "$1" != 1 ] ; then -# do this whole %post thing only when updating for the first time... -exit 0 -fi - chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"