From 611914da1521a30655f11802f25491ce46a4116e Mon Sep 17 00:00:00 2001 From: Tomasz Sterna Date: Tue, 19 Apr 2011 00:11:45 +0200 Subject: [PATCH 01/22] Disable unnecessary Upstart, Init and XDG Autostart services. #209 Move unneeded /etc/init/*.conf services to /etc/init/*.conf.disabled. Start CUPS only in AppVM and UtilityVM. Start XDG Autostart applications only in domains that make sense for them. --- rpm_spec/core-commonvm.spec | 52 +++++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index 0da0f39..eb073cd 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec 
@@ -80,8 +80,56 @@ cp /var/lib/qubes/serial.conf /etc/init/serial.conf %post -# Disable gpk-update-icon -sed 's/^NotShowIn=KDE;$/\0QUBES;/' -i /etc/xdg/autostart/gpk-update-icon.desktop +# disable some Upstart services +for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do + if [ -e /etc/init/$F.conf ]; then + mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled + fi +done + +remove_ShowIn () { + if [ -e /etc/xdg/autostart/$1.desktop ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop + fi +} + +# don't want it at all +for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=QUBES' >> /etc/xdg/autostart/$F.desktop + fi +done + +# don't want it in DisposableVM +for F in gcm-apply ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=DisposableVM' >> /etc/xdg/autostart/$F.desktop + fi +done + +# want it in AppVM and StandaloneVM only +for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'OnlyShowIn=GNOME;AppVM;StandaloneVM;' >> /etc/xdg/autostart/$F.desktop + fi +done + +# remove existing rule to add own later +for F in gpk-update-icon nm-applet print-applet ; do + remove_ShowIn $F +done + +echo 'OnlyShowIn=GNOME;StandaloneVM;TemplateVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : +echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || : +echo 'OnlyShowIn=GNOME;AppVM;UtilityVM;' >> /etc/xdg/autostart/print-applet.desktop || : + +# start cups only in AppVM and UtilityVM +if [ -e /etc/init.d/cups ] && ! 
grep -q xenstore-read /etc/init.d/cups ; then + sed -i '/echo.*Starting /s#^#\ntype=$(/usr/bin/xenstore-read qubes_vm_type)\nif [ "$type" != "AppVM" -a "$type" != "UtilityVM" ]; then\nreturn 0\nfi\n\n#' /etc/init.d/cups +fi if [ "$1" != 1 ] ; then # do this whole %post thing only when updating for the first time... From e7bb4843eabc7a1b29afa972c57aafd497c11f09 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 19 Apr 2011 13:06:34 +0200 Subject: [PATCH 02/22] Show progress of qvm-copy-to-vm by default (#221) --- appvm/qvm-copy-to-vm | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/appvm/qvm-copy-to-vm b/appvm/qvm-copy-to-vm index 4817b43..480f2ca 100755 --- a/appvm/qvm-copy-to-vm +++ b/appvm/qvm-copy-to-vm @@ -20,15 +20,15 @@ # # -if [ x"$1" = "x--with-progress" ] ; then - DO_PROGRESS=1 +if [ x"$1" = "x--without-progress" ] ; then + DO_PROGRESS=0 shift else - DO_PROGRESS=0 + DO_PROGRESS=1 fi if [ $# -lt 2 ] ; then - echo usage: $0 '[--with-progress] dest_vmname file [file]+' + echo usage: $0 '[--without-progress] dest_vmname file [file]+' exit 1 fi From c132b70856ad8533d8f2c7030e5afcf313d64338 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 19 Apr 2011 13:07:13 +0200 Subject: [PATCH 03/22] Fix typo --- appvm/qvm-copy-to-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appvm/qvm-copy-to-vm b/appvm/qvm-copy-to-vm index 480f2ca..eaf8c8f 100755 --- a/appvm/qvm-copy-to-vm +++ b/appvm/qvm-copy-to-vm @@ -49,7 +49,7 @@ while true ; do read agentpid sentsize agentstatus < $PROGRESS_FILE if [ "x"$agentstatus = x ] ; then continue ; fi if ! [ -e /proc/$agentpid ] ; then break ; fi - if [ "x"$agentstatus = xdone ] ; then break ; fi + if [ "x"$agentstatus = xDONE ] ; then break ; fi CURRSIZE=$(($sentsize/1024)) if [ $DO_PROGRESS = 1 ] ; then echo -ne "\r sent $CURRSIZE/$SIZE KB " From 692b97db3847052a4da62d67cab44139fe2055ab Mon Sep 17 00:00:00 2001 
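Review bot: The `sed -i` on /etc/init.d/cups at the end of the hunk inserts the type guard before every line matching `echo.*Starting `, and the injected `return 0` is only valid if that line sits inside a shell function; neither is checked, so a distribution update that reshapes the init script silently breaks either the guard or cups itself. The `grep -q xenstore-read` test is the only idempotence marker, so any later edit of that script that mentions xenstore-read disables the injection without notice. If the approach is kept, state the assumption next to it, e.g. `# assumes the 'Starting' echo lives inside start(); re-check after cups init script updates`, and write the injected test as `[ "$type" != "AppVM" ] && [ "$type" != "UtilityVM" ]` rather than the non-portable `-a`. The %post section continues past the hunk.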
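Review bot: Flipping the default also drops recognition of the old `--with-progress` flag, so a caller still passing it now has that string taken as `dest_vmname` and the real destination treated as a file; accept it as a no-op for the transition, e.g. `elif [ x"$1" = "x--with-progress" ] ; then DO_PROGRESS=1 ; shift` before the `else`. The usage line still expands `$0` unquoted — `echo "usage: $0 [--without-progress] dest_vmname file [file]+"` costs nothing.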
From: Marek Marczykowski Date: Tue, 19 Apr 2011 13:10:18 +0200 Subject: [PATCH 04/22] Run qubes_core_appvm also in TemplateVM (#222) --- appvm/qubes_core_appvm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appvm/qubes_core_appvm b/appvm/qubes_core_appvm index 32c0833..a4c2465 100755 --- a/appvm/qubes_core_appvm +++ b/appvm/qubes_core_appvm @@ -26,7 +26,7 @@ start() fi type=$(/usr/bin/xenstore-read qubes_vm_type) - if [ "$type" != "AppVM" -a "$type" != "DisposableVM" ]; then + if [ "$type" != "AppVM" -a "$type" != "DisposableVM" -a "$type" != "TemplateVM" ]; then # This script runs only on AppVMs return 0 fi From 705a66af63371676f76487a0bbeabe7ae0d79c15 Mon Sep 17 00:00:00 2001 From: Tomasz Sterna Date: Wed, 20 Apr 2011 00:56:58 +0200 Subject: [PATCH 05/22] We do not want to have StandaloneVM and UtilityVM types. --- rpm_spec/core-commonvm.spec | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index eb073cd..bd0a540 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec 
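Review bot: The comment `# This script runs only on AppVMs` directly under the changed condition is now wrong twice over, since the guard admits DisposableVM and, with this change, TemplateVM; update it to `# Run only in AppVM, DisposableVM and TemplateVM`. A failed or empty `xenstore-read qubes_vm_type` also leaves `$type` empty, which this test treats as "not one of ours" and returns 0 from `start()` — a silent success; a `[ -n "$type" ] || return 1` before the comparison would surface that, though the rest of `start()` is outside the hunk.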
@@ -109,27 +109,21 @@ for F in gcm-apply ; do fi done -# want it in AppVM and StandaloneVM only +# want it in AppVM only for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do if [ -e /etc/xdg/autostart/$F.desktop ]; then remove_ShowIn $F - echo 'OnlyShowIn=GNOME;AppVM;StandaloneVM;' >> /etc/xdg/autostart/$F.desktop + echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop fi done # remove existing rule to add own later -for F in gpk-update-icon nm-applet print-applet ; do +for F in gpk-update-icon nm-applet ; do remove_ShowIn $F done -echo 'OnlyShowIn=GNOME;StandaloneVM;TemplateVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : +echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || : -echo 'OnlyShowIn=GNOME;AppVM;UtilityVM;' >> /etc/xdg/autostart/print-applet.desktop || : - -# start cups only in AppVM and UtilityVM -if [ -e /etc/init.d/cups ] && ! grep -q xenstore-read /etc/init.d/cups ; then - sed -i '/echo.*Starting /s#^#\ntype=$(/usr/bin/xenstore-read qubes_vm_type)\nif [ "$type" != "AppVM" -a "$type" != "UtilityVM" ]; then\nreturn 0\nfi\n\n#' /etc/init.d/cups -fi if [ "$1" != 1 ] ; then # do this whole %post thing only when updating for the first time... From 59da079f22ef3d0dd14b6a5d16780e3f969420fa Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 23 Apr 2011 02:31:54 +0200 Subject: [PATCH 06/22] Configure VM network iface on attach (not only on boot) (#190) --- common/qubes_network.rules | 2 ++ common/setup_ip | 12 ++++++++++++ rpm_spec/core-commonvm.spec | 6 ++++++ 3 files changed, 20 insertions(+) create mode 100644 common/qubes_network.rules create mode 100755 common/setup_ip diff --git a/common/qubes_network.rules b/common/qubes_network.rules new file mode 100644 index 0000000..077c841 --- /dev/null 
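Review bot: `echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || :` (and the nm-applet line after it) appends unconditionally, and `>>` creates the file when it is absent, so on a system without gpk-update-icon this %post leaves a one-line, invalid .desktop file in /etc/xdg/autostart; the `|| :` only masks a write error. The loops above already guard with `[ -e ... ]`; do the same here, `if [ -e /etc/xdg/autostart/gpk-update-icon.desktop ]; then echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop; fi`. The %post section continues past the hunk.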
+++ b/common/qubes_network.rules @@ -0,0 +1,2 @@ + +SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/qubes/setup_ip" diff --git a/common/setup_ip b/common/setup_ip new file mode 100755 index 0000000..267d7ba --- /dev/null +++ b/common/setup_ip @@ -0,0 +1,12 @@ +#!/bin/sh + +ip=`/usr/bin/xenstore-read qubes_ip` +netmask=`/usr/bin/xenstore-read qubes_netmask` +gateway=`/usr/bin/xenstore-read qubes_gateway` +secondary_dns=`/usr/bin/xenstore-read qubes_secondary_dns` +if [ x$ip != x ]; then + /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 up + /sbin/route add default dev $INTERFACE + echo "nameserver $gateway" > /etc/resolv.conf + echo "nameserver $secondary_dns" >> /etc/resolv.conf +fi diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index bd0a540..d4944b7 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec @@ -74,6 +74,10 @@ mkdir -p $RPM_BUILD_ROOT/usr/bin cp xenstore-watch $RPM_BUILD_ROOT/usr/bin mkdir -p $RPM_BUILD_ROOT/etc cp serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ +mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d +cp qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/ +mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/ +cp setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ %triggerin -- initscripts cp /var/lib/qubes/serial.conf /etc/init/serial.conf @@ -220,3 +224,5 @@ rm -rf $RPM_BUILD_ROOT /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* /sbin/qubes_serial_login /usr/bin/xenstore-watch +/etc/udev/rules.d/qubes_network.rules +/usr/lib/qubes/setup_ip From 638473a364643a2ecea5502966420d250d02d153 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 23 Apr 2011 02:32:54 +0200 Subject: [PATCH 07/22] Connect vif's to already running VMs on NetVM/ProxyVM startup (#190) Also cleanup stale vifs using "xm network-detach ... -f" Fix iptables rules to support not only first vif of VM --- common/setup_ip | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/setup_ip b/common/setup_ip index 267d7ba..aec795e 100755 
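Review bot: setup_ip uses `$INTERFACE` from the udev environment without checking it, so when the script is run by hand or the rule fires without it, `ifconfig` and `route add default dev` receive an empty device name; guard near the top with `[ -n "$INTERFACE" ] || exit 1`. The xenstore values are tested and expanded unquoted (`if [ x$ip != x ]`), and an empty `secondary_dns` still writes a bare `nameserver ` line into /etc/resolv.conf; quote the expansions and append the second nameserver only when `[ -n "$secondary_dns" ]`. None of the `ifconfig`/`route` calls is checked, so a failure leaves resolv.conf rewritten for an interface that was never configured.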
--- a/common/setup_ip +++ b/common/setup_ip @@ -5,7 +5,8 @@ netmask=`/usr/bin/xenstore-read qubes_netmask` gateway=`/usr/bin/xenstore-read qubes_gateway` secondary_dns=`/usr/bin/xenstore-read qubes_secondary_dns` if [ x$ip != x ]; then - /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 up + /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 + /sbin/ifconfig $INTERFACE up /sbin/route add default dev $INTERFACE echo "nameserver $gateway" > /etc/resolv.conf echo "nameserver $secondary_dns" >> /etc/resolv.conf From 59071d87b94b0209ec62600ecf4ec96bcfe934f9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 29 Apr 2011 02:26:25 +0200 Subject: [PATCH 08/22] Revert "Run nm-applet as normal user" This reverts commit 2f5b6e6582e71630193d0098d4cc60db019e1e9b. Dbus policy hacking not needed any more. ConsoleKit session is correctly started. --- netvm/dbus-nm-applet.conf | 42 --------------------------------------- rpm_spec/core-netvm.spec | 9 --------- 2 files changed, 51 deletions(-) delete mode 100644 netvm/dbus-nm-applet.conf diff --git a/netvm/dbus-nm-applet.conf b/netvm/dbus-nm-applet.conf deleted file mode 100644 index 0d0f082..0000000 --- a/netvm/dbus-nm-applet.conf +++ /dev/null @@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - 512 - - diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index 07200b4..a4c966b 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec @@ -66,9 +66,6 @@ mkdir -p $RPM_BUILD_ROOT/var/run/qubes mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts -mkdir -p $RPM_BUILD_ROOT/etc/dbus-1/system.d -cp ../netvm/dbus-nm-applet.conf $RPM_BUILD_ROOT/etc/dbus-1/system.d/qubes-nm-applet.conf - %post # Create NetworkManager configuration if we do not have it 
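Review bot: Splitting the address assignment from `up` still leaves both steps unchecked, so if the first `ifconfig` fails the interface is brought up without an address and `route add default dev $INTERFACE` is attempted anyway; `/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 || exit 1` and the same on the `up` line would stop that. The commit message also describes vif cleanup with `xm network-detach` and iptables fixes, but the diffstat shows only this two-line setup_ip change, so the message seems to cover work that is not in this patch.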
@@ -91,11 +88,6 @@ if [ "$1" = 0 ] ; then chkconfig qubes_core_netvm off fi -%triggerin -- NetworkManager -# Fix PolicyKit settings to allow run as normal user not visible to ConsoleKit -sed 's#$#\0yes#' -i /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy - - %clean rm -rf $RPM_BUILD_ROOT @@ -108,4 +100,3 @@ rm -rf $RPM_BUILD_ROOT /etc/NetworkManager/dispatcher.d/qubes_nmhook /etc/NetworkManager/dispatcher.d/30-qubes_external_ip /etc/xen/scripts/vif-route-qubes -/etc/dbus-1/system.d/qubes-nm-applet.conf From 868fd1f4316c2b817e8399986eaf95ccc7d29b87 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 12 May 2011 19:15:24 +0200 Subject: [PATCH 09/22] vm: Remove root password to allow easy escalation from UI application (#202) Ex. gpk-application needs this to work properly while running from user. When root password is set - polkit-daemon asks for it (according to polkit setting). --- rpm_spec/core-commonvm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index d4944b7..9e484d0 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec @@ -129,12 +129,12 @@ done echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || : +usermod -p '' root if [ "$1" != 1 ] ; then # do this whole %post thing only when updating for the first time... exit 0 fi -usermod -L root if ! [ -f /var/lib/qubes/serial.orig ] ; then cp /etc/init/serial.conf /var/lib/qubes/serial.orig fi From 8fac6139bede88307a0bfb527879ce4c2197c16a Mon Sep 17 00:00:00 2001 From: Timo Juhani Lindfors Date: Tue, 10 May 2011 14:03:31 +0300 Subject: [PATCH 10/22] Ensure 'make clean' removes xenstore-watch --- common/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/Makefile b/common/Makefile index 4f8df46..3b01506 100644 --- a/common/Makefile 
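Review bot: `usermod -p '' root` sets an empty password hash rather than locking the account, so root becomes reachable with no password through every PAM password path (`su`, console login, sshd if empty passwords were ever permitted), not only the polkit prompt the message is about; the removed `usermod -L root` was the more conservative state. It is also placed before the `if [ "$1" != 1 ]` first-install guard, so it runs on every upgrade and silently re-blanks a password an administrator set in the meantime. If the Qubes model deliberately treats VM root as no security boundary, say so where the next maintainer will see it, e.g. `# Qubes: root inside a VM is not a security boundary; an empty password lets polkit-backed UI tools escalate (#202)`, and consider keeping the line inside the first-install branch so upgrades do not undo local changes.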
+++ b/common/Makefile @@ -6,4 +6,4 @@ meminfo-writer: meminfo-writer.o xenstore-watch: xenstore-watch.o $(CC) -o xenstore-watch xenstore-watch.o -lxenstore clean: - rm -f meminfo-writer *.o *~ + rm -f meminfo-writer xenstore-watch *.o *~ From 0b211e0375f463384d752e1a37ee28fa9a00d6ec Mon Sep 17 00:00:00 2001 From: Timo Juhani Lindfors Date: Tue, 10 May 2011 14:03:32 +0300 Subject: [PATCH 11/22] Ensure 'make clean' descends to u2mfn/ --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index b07baf6..6b36c88 100644 --- a/Makefile +++ b/Makefile @@ -41,5 +41,6 @@ clean: (cd dom0/restore && make clean) (cd dom0/qmemman && make clean) (cd common && make clean) + (cd u2mfn && make clean) make -C qrexec clean make -C vchan clean From a49e8e8c18d503059a1f5d68d09c3d844d979001 Mon Sep 17 00:00:00 2001 From: Timo Juhani Lindfors Date: Tue, 10 May 2011 14:03:33 +0300 Subject: [PATCH 12/22] Add _GNU_SOURCE to get O_NOFOLLOW on debian squeeze. --- appvm/unpack.c | 1 + 1 file changed, 1 insertion(+) diff --git a/appvm/unpack.c b/appvm/unpack.c index 1c88771..76cee95 100644 --- a/appvm/unpack.c +++ b/appvm/unpack.c @@ -1,3 +1,4 @@ +#define _GNU_SOURCE /* For O_NOFOLLOW. */ #include #include #include From a662750322b068a037dbb1dd5a16e7c879b132a1 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 17 May 2011 22:24:29 +0200 Subject: [PATCH 13/22] version 1.6.0 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 07a45d7..dc1e644 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.5.21 +1.6.0 From 9cfa24c8b8032f4813f371bb1a5645c1c4dd4905 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 4 Jun 2011 02:49:50 +0200 Subject: [PATCH 14/22] proxyvm: directly display error msg beside of writing it to xenstore --- proxyvm/bin/qubes_firewall | 3 +++ 1 file changed, 3 insertions(+) diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall index 6f1cc26..2a0963d 100755 
--- a/proxyvm/bin/qubes_firewall +++ b/proxyvm/bin/qubes_firewall @@ -19,6 +19,9 @@ while true; do IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :` /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" + if [ "$OUT" ]; then + DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : + fi if [[ -z "$OUT" ]]; then # If OK save it for later From 60b86de2caa4e201e0b8f9d81ca97d58675dcbe2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 6 Jun 2011 02:37:55 +0200 Subject: [PATCH 15/22] vm: add -qubes suffix to xenstore-watch to not conflict with xen standard tool --- proxyvm/bin/qubes_firewall | 2 +- proxyvm/bin/qubes_netwatcher | 4 ++-- rpm_spec/core-commonvm.spec | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall index 2a0963d..fbac295 100755 --- a/proxyvm/bin/qubes_firewall +++ b/proxyvm/bin/qubes_firewall @@ -32,5 +32,5 @@ while true; do fi # Wait for changes in xenstore file - /usr/bin/xenstore-watch $XENSTORE_IPTABLES + /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES done diff --git a/proxyvm/bin/qubes_netwatcher b/proxyvm/bin/qubes_netwatcher index 9b9f279..f250cc1 100755 --- a/proxyvm/bin/qubes_netwatcher +++ b/proxyvm/bin/qubes_netwatcher @@ -24,8 +24,8 @@ while true; do /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG" fi - /usr/bin/xenstore-watch /local/domain/$NET_DOMID/qubes_netvm_external_ip + /usr/bin/xenstore-watch-qubes /local/domain/$NET_DOMID/qubes_netvm_external_ip else - /usr/bin/xenstore-watch qubes_netvm_domid + /usr/bin/xenstore-watch-qubes qubes_netvm_domid fi done diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index 9e484d0..74b7a5e 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec 
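Review bot: The new `if [ "$OUT" ]` block is immediately followed by the existing `if [[ -z "$OUT" ]]`, the same test negated in a different bracket syntax; moving the notification into an `else` branch of that `if` keeps one test and one style. `DISPLAY=:0 /usr/bin/notify-send` from this loop, which presumably runs as a system service with no user session bus, may never reach the user, and the trailing `|| :` hides that; at least report the failure to stderr so the fallback is visible alongside the xenstore error entry written just above. The enclosing `while true` loop starts and ends outside the hunk.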
@@ -71,7 +71,7 @@ install -m 644 RPM-GPG-KEY-qubes* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ mkdir -p $RPM_BUILD_ROOT/sbin cp qubes_serial_login $RPM_BUILD_ROOT/sbin mkdir -p $RPM_BUILD_ROOT/usr/bin -cp xenstore-watch $RPM_BUILD_ROOT/usr/bin +cp xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes mkdir -p $RPM_BUILD_ROOT/etc cp serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d @@ -223,6 +223,6 @@ rm -rf $RPM_BUILD_ROOT /etc/yum.repos.d/qubes%{dist}.repo /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* /sbin/qubes_serial_login -/usr/bin/xenstore-watch +/usr/bin/xenstore-watch-qubes /etc/udev/rules.d/qubes_network.rules /usr/lib/qubes/setup_ip From 68b5a71add7523c1c62cc2d284ff26435afd02ed Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 9 Jun 2011 14:06:24 +0200 Subject: [PATCH 16/22] dom0: Use /var/run/xen-hotplug to store information needed for block devices cleanup. Libxl removes xenstore entries before udev (+scripts) have chance to read it. --- common/block-snapshot | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/common/block-snapshot b/common/block-snapshot index 14752da..d8605bd 100755 --- a/common/block-snapshot +++ b/common/block-snapshot @@ -7,6 +7,8 @@ dir=$(dirname "$0") . "$dir/block-common.sh" +HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" + get_dev() { dev=$1 @@ -89,7 +91,6 @@ create_dm_snapshot_origin() { t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') - case "$command" in add) case $t in 
@@ -117,14 +118,20 @@ case "$command" in if [ "$t" == "snapshot" ]; then #that's all for snapshot, store name of prepared device xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname" + echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node" write_dev /dev/mapper/$dm_devname elif [ "$t" == "origin" ]; then # for origin - prepare snapshot-origin device and store its name dm_devname=origin-$(stat -c '%D:%i' "$base") create_dm_snapshot_origin $dm_devname "$base" xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname" + echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node" write_dev /dev/mapper/$dm_devname fi + # Save domain name for template commit on device remove + domid=$(xenstore_read "$XENBUS_PATH/frontend-id") + domain=$(xl domname $domid) + echo $domain > "$HOTPLUG_STORE-domain" release_lock "block" exit 0 @@ -134,7 +141,7 @@ case "$command" in remove) case $t in snapshot|origin) - node=$(xenstore_read "$XENBUS_PATH/node") + node=$(cat "$HOTPLUG_STORE-node") if [ -z "$node" ]; then fatal "No device node to remove" @@ -175,13 +182,13 @@ case "$command" in fi done # Commit template changes - domain=$(xenstore_read "$XENBUS_PATH/domain") + domain=$(cat "$HOTPLUG_STORE-domain") if [ "$domain" ]; then # Dont stop on errors /usr/bin/qvm-template-commit "$domain" || true fi fi - + if [ -e $node ]; then log debug "Removing $node" dmsetup remove $node From 6192e35419d84fa300c2aa997ccb236703d66671 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 10 Jun 2011 18:29:56 +0200 Subject: [PATCH 17/22] dom0: block-snapshot: enable nullglob to not fail on snapshot/origin remove Normally should not happen because all domains needs at least one snapshot device, but in some rare situation can be helpful to cleanup stale devices. --- common/block-snapshot | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/block-snapshot b/common/block-snapshot index d8605bd..bba8ee5 100755 --- a/common/block-snapshot +++ b/common/block-snapshot 
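Review bot: `echo $domain > "$HOTPLUG_STORE-domain"` and `domain=$(xl domname $domid)` expand unquoted, so a domain name with whitespace or glob characters is split or expanded before it is stored and later handed to `qvm-template-commit`; write `echo "$domain" > "$HOTPLUG_STORE-domain"` and `domain=$(xl domname "$domid")`. Nothing in the `remove)` arm below deletes the `-node` and `-domain` files, so /var/run/xen-hotplug keeps one pair per XENBUS_PATH and a later `remove` following a failed `add` can act on a stale node; `rm -f -- "$HOTPLUG_STORE-node" "$HOTPLUG_STORE-domain"` once they have been read would close that. The `case "$command"` block starts and ends outside the hunk.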
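Review bot: The `remove)` arm now reads the node from `$HOTPLUG_STORE-node`, but it is only reached through `case $t in snapshot|origin)`, and `t` still comes from `xenstore_read_default "$XENBUS_PATH/type" 'MISSING'` (context in the earlier hunk of this patch); by the commit's own description libxl has already removed those entries at remove time, so `t` is `MISSING` and the new `cat` is never executed. Persist the type on `add` next to node and domain, `echo "$t" > "$HOTPLUG_STORE-type"`, and read it back at the top of the `remove)` arm before the `case`. The case block continues outside the hunk.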
@@ -7,6 +7,8 @@ dir=$(dirname "$0") . "$dir/block-common.sh" +shopt -s nullglob + HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" get_dev() { From 20fe69db75470f21bc69f285bb466e45cbfbcc66 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 10 Jun 2011 18:32:34 +0200 Subject: [PATCH 18/22] dom0: block-snapshot: retrieve domain name from frontend-id only when no "domain" entry in xenstore This enables compatibility with libxl AND xend. --- common/block-snapshot | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/common/block-snapshot b/common/block-snapshot index bba8ee5..ad71eeb 100755 --- a/common/block-snapshot +++ b/common/block-snapshot @@ -131,8 +131,11 @@ case "$command" in write_dev /dev/mapper/$dm_devname fi # Save domain name for template commit on device remove - domid=$(xenstore_read "$XENBUS_PATH/frontend-id") - domain=$(xl domname $domid) + domain=$(xenstore_read_default "$XENBUS_PATH/domain" '') + if [ -z "$domain" ]; then + domid=$(xenstore_read "$XENBUS_PATH/frontend-id") + domain=$(xl domname $domid) + fi echo $domain > "$HOTPLUG_STORE-domain" release_lock "block" From 12971ec163b9d64f3fad99971bbef280d113efa6 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 10 Jun 2011 18:34:17 +0200 Subject: [PATCH 19/22] dom0: block-snapshot: add prepare and cleanup actions "prepare" and "cleanup" actions can be used to setup device manually - not from udev. This is used by qvm-revert-template-changes. --- common/block-snapshot | 71 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 63 insertions(+), 8 deletions(-) diff --git a/common/block-snapshot b/common/block-snapshot index ad71eeb..719b10a 100755 --- a/common/block-snapshot +++ b/common/block-snapshot 
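Review bot: `shopt -s nullglob` is enabled for the whole script, not only the removal loop the message has in mind, so every later unmatched glob in this file now expands to nothing instead of the literal pattern and any command that relied on the literal gets one fewer argument. If only that loop needs it, scope it there (`shopt -s nullglob` before the loop, `shopt -u nullglob` after), otherwise add `# nullglob is intentionally global: unmatched /dev/mapper/* patterns must expand to nothing` so the choice is explicit.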
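Review bot: In the fallback branch `domain=$(xl domname $domid)` can still fail or print nothing (a missing `frontend-id`, or `xl` absent under xend), and the result is then written to `$HOTPLUG_STORE-domain` as an empty file with no diagnostic, which later silently skips the template commit; quote the id and record the failure, e.g. `domain=$(xl domname "$domid") || log debug "cannot resolve domain name for frontend-id $domid"`, using the `log` helper the file already calls. The enclosing `add)` arm starts and ends outside the hunk.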
@@ -5,7 +5,12 @@ # This creates dm-snapshot device on given arguments dir=$(dirname "$0") -. "$dir/block-common.sh" +if [ "$1" = "prepare" ] || [ "$1" = "cleanup" ]; then + . "$dir/xen-hotplug-common.sh" + command=$1 +else + . "$dir/block-common.sh" +fi shopt -s nullglob @@ -143,10 +148,58 @@ case "$command" in ;; esac ;; - remove) + prepare) + t=$2 case $t in snapshot|origin) - node=$(cat "$HOTPLUG_STORE-node") + p=$3 + base=${p/:*/} + cow=${p/*:/} + + if [ -L "$base" ]; then + base=$(readlink -f "$base") || fatal "$base link does not exist." + fi + + if [ -L "$cow" ]; then + cow=$(readlink -f "$cow") || fatal "$cow link does not exist." + fi + + # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin) + dm_devname=$(get_dm_snapshot_name "$base" "$cow") + + claim_lock "block" + + # prepare snapshot device + create_dm_snapshot $dm_devname "$base" "$cow" + + if [ "$t" == "snapshot" ]; then + #that's all for snapshot, store name of prepared device + echo "/dev/mapper/$dm_devname" + elif [ "$t" == "origin" ]; then + # for origin - prepare snapshot-origin device and store its name + dm_devname=origin-$(stat -c '%D:%i' "$base") + create_dm_snapshot_origin $dm_devname "$base" + echo "/dev/mapper/$dm_devname" + fi + + release_lock "block" + exit 0 + ;; + esac + ;; + remove|cleanup) + if [ "$command" = "cleanup" ]; then + t=$2 + else + t=$(cat $HOTPLUG_STORE-type) + fi + case $t in + snapshot|origin) + if [ "$command" = "cleanup" ]; then + node=$3 + else + node=$(cat "$HOTPLUG_STORE-node") + fi if [ -z "$node" ]; then fatal "No device node to remove" 
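Review bot: In the new `remove|cleanup)` arm, `t=$(cat $HOTPLUG_STORE-type)` reads a `-type` file that no hunk in this series writes (the `add` path stores only `-node` and `-domain`), so unless it is written somewhere not shown here the udev `remove` path proceeds with an empty `$t` and never enters `snapshot|origin)`; it should also be quoted, `t=$(cat "$HOTPLUG_STORE-type")`. For `cleanup`, `node=$3` is taken straight from the command line and, per the context further down, reaches `if [ -e $node ]` and `dmsetup remove $node` unquoted and unchecked; since this entry point exists for qvm-revert-template-changes, restrict it to devices this script creates, e.g. `case $node in /dev/mapper/*) ;; *) fatal "refusing to remove $node" ;; esac`. The `prepare)` arm parses `$3` with `${p/:*/}` and `${p/*:/}`, which disagree when a path itself contains a colon; if that mirrors the existing `add` parsing it is at least consistent, but a comment stating the argument is `base:cow` would help. The `case "$command"` block and the `remove|cleanup` arm continue past the hunk.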
@@ -186,11 +239,13 @@ case "$command" in dmsetup remove $snap fi done - # Commit template changes - domain=$(cat "$HOTPLUG_STORE-domain") - if [ "$domain" ]; then - # Dont stop on errors - /usr/bin/qvm-template-commit "$domain" || true + if [ "$command" = "remove" ]; then + # Commit template changes + domain=$(cat "$HOTPLUG_STORE-domain") + if [ "$domain" ]; then + # Dont stop on errors + /usr/bin/qvm-template-commit "$domain" || true + fi fi fi From 31f0308d450811c67f9c24afa6f67ef8171794f8 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 12 Jun 2011 00:50:39 +0200 Subject: [PATCH 20/22] dom0+vm: Trigger appmenus sync after yum transaction (#45), NEW QREXEC COMMAND After yum transaction (install/upgrade/remove), yum-plugin-post-transaction-actions will execute script which trigger qvm-sync-appmenus in dom0 (through qrexec). THIS INTRODUCE NEW PREDEFINED COMMAND IN QREXEC --- common/qubes_trigger_sync_appmenus.action | 1 + common/qubes_trigger_sync_appmenus.sh | 7 +++++++ rpm_spec/core-commonvm.spec | 7 +++++++ 3 files changed, 15 insertions(+) create mode 100644 common/qubes_trigger_sync_appmenus.action create mode 100755 common/qubes_trigger_sync_appmenus.sh diff --git a/common/qubes_trigger_sync_appmenus.action b/common/qubes_trigger_sync_appmenus.action new file mode 100644 index 0000000..ad56a8f --- /dev/null +++ b/common/qubes_trigger_sync_appmenus.action @@ -0,0 +1 @@ +*:any:/usr/lib/qubes/qubes_trigger_sync_appmenus.sh diff --git a/common/qubes_trigger_sync_appmenus.sh b/common/qubes_trigger_sync_appmenus.sh new file mode 100755 index 0000000..fc5301a --- /dev/null +++ b/common/qubes_trigger_sync_appmenus.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +UPDATEABLE=`/usr/bin/xenstore-read qubes_vm_updateable` + +if [ "$UPDATEABLE" = "True" ]; then + echo -n SYNC > /var/run/qubes/qrexec_agent +fi diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec index 74b7a5e..993b277 100644 --- a/rpm_spec/core-commonvm.spec +++ b/rpm_spec/core-commonvm.spec 
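Review bot: `echo -n SYNC > /var/run/qubes/qrexec_agent` runs under `#!/bin/sh`, and on shells whose `echo` has no `-n` (dash prints `-n SYNC`) the agent receives the wrong bytes; use `printf 'SYNC' > /var/run/qubes/qrexec_agent`. The script has no comment saying what the token means or who consumes it, while the commit message calls it a new predefined qrexec command; a one-line header such as `# Ask dom0 (through qrexec_agent) to run qvm-sync-appmenus after a yum transaction` would save the next reader a search. The `.action` file fires this for every package (`*:any`), which is fine but worth a note so the cost on large transactions is a conscious choice.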
@@ -33,6 +33,7 @@ License: GPL URL: http://www.qubes-os.org Requires: /usr/bin/xenstore-read Requires: fedora-release +Requires: yum-plugin-post-transaction-actions BuildRequires: xen-devel %define _builddir %(pwd)/common @@ -78,6 +79,10 @@ mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d cp qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/ cp setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ +mkdir -p $RPM_BUILD_ROOT/etc/yum/post-actions +cp qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/ +mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes +cp qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/ %triggerin -- initscripts cp /var/lib/qubes/serial.conf /etc/init/serial.conf @@ -226,3 +231,5 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/xenstore-watch-qubes /etc/udev/rules.d/qubes_network.rules /usr/lib/qubes/setup_ip +/etc/yum/post-actions/qubes_trigger_sync_appmenus.action +/usr/lib/qubes/qubes_trigger_sync_appmenus.sh From 6602679130c6f82a58d500c93bae05394569ddfd Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 12 Jun 2011 02:27:30 +0200 Subject: [PATCH 21/22] version 1.6.1 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index dc1e644..9c6d629 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.6.0 +1.6.1 From f564a4d143ace574be83147dae4d4aafa456c1ed Mon Sep 17 00:00:00 2001 
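Review bot: `mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes` in the %install hunk repeats the `mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/` two lines above it; drop the duplicate and keep only the `cp qubes_trigger_sync_appmenus.sh` line. The %install section continues outside the hunk.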
From: Marek Marczykowski Date: Wed, 22 Jun 2011 00:44:48 +0200 Subject: [PATCH 22/22] dom0+vm: Tools for downloading dom0 update by VM (#198) Mainly 4 parts: - scripts for providing rpmdb and yum repos to VM (choosen by qvm-set-updatevm) - VM script for downloading updates (qubes_download_dom0_updates.sh) - qfile-dom0-unpacker which receive updates, check signatures and place its in dom0 local yum repo - qvm-dom0-upgrade which calls all of above and after all yum gpk-update-viewer Besides qvm-dom0-upgrade, updates are checked every 6h and user is prompted if want to download it. At dom0 side gpk-update-icon (disabled yet) should notice new updates in "local" repo. --- appvm/Makefile | 4 +-- {appvm => common}/copy_file.c | 0 {appvm => common}/crc32.c | 0 {appvm => common}/crc32.h | 0 {appvm => common}/filecopy.h | 0 common/qubes_download_dom0_updates.sh | 51 +++++++++++++++++++++++++++ {appvm => common}/unpack.c | 0 rpm_spec/core-commonvm.spec | 3 ++ 8 files changed, 56 insertions(+), 2 deletions(-) rename {appvm => common}/copy_file.c (100%) rename {appvm => common}/crc32.c (100%) rename {appvm => common}/crc32.h (100%) rename {appvm => common}/filecopy.h (100%) create mode 100755 common/qubes_download_dom0_updates.sh rename {appvm => common}/unpack.c (100%) diff --git a/appvm/Makefile b/appvm/Makefile index df9989e..d1e1040 100644 --- a/appvm/Makefile +++ b/appvm/Makefile 
@@ -5,9 +5,9 @@ dvm_file_editor: dvm_file_editor.o ../common/ioall.o $(CC) -pie -g -o $@ $^ qfile-agent-dvm: qfile-agent-dvm.o ../common/ioall.o ../common/gui-fatal.o $(CC) -pie -g -o $@ $^ -qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o copy_file.o crc32.o +qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/crc32.o $(CC) -pie -g -o $@ $^ -qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o copy_file.o unpack.o crc32.o +qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/unpack.o ../common/crc32.o $(CC) -pie -g -o $@ $^ clean: diff --git a/appvm/copy_file.c b/common/copy_file.c similarity index 100% rename from appvm/copy_file.c rename to common/copy_file.c diff --git a/appvm/crc32.c b/common/crc32.c similarity index 100% rename from appvm/crc32.c rename to common/crc32.c diff --git a/appvm/crc32.h b/common/crc32.h similarity index 100% rename from appvm/crc32.h rename to common/crc32.h diff --git a/appvm/filecopy.h b/common/filecopy.h similarity index 100% rename from appvm/filecopy.h rename to common/filecopy.h diff --git a/common/qubes_download_dom0_updates.sh b/common/qubes_download_dom0_updates.sh new file mode 100755 index 0000000..488eecb --- /dev/null +++ b/common/qubes_download_dom0_updates.sh 
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
+
+DOIT=0
+GUI=1
+while [ -n "$1" ]; do
+ if [ "x--doit" = "x$1" ]; then
+ DOIT=1
+ elif [ "x--nogui" = "x$1" ]; then
+ GUI=0
+ fi
+ shift
+done
+
+if ! [ -d "$DOM0_UPDATES_DIR" ]; then
+ echo "Dom0 updates dir does not exists: $DOM0_UPDATES_DIR"
+ exit 1
+fi
+
+mkdir -p $DOM0_UPDATES_DIR/etc
+cp /etc/yum.conf $DOM0_UPDATES_DIR/etc/
+
+echo "Checking for updates..."
+PKGLIST=`yum --installroot $DOM0_UPDATES_DIR check-update -q | cut -f 1 -d ' '`
+
+if [ -z $PKGLIST ]; then
+ # No new updates
+ exit 0
+fi
+
+if [ "$DOIT" != "1" ]; then
+ zenity --question --title="Qubes Dom0 updates" \
+ --text="Updates for dom0 available. Do you want to download its now?" || exit 0
+fi
+
+mkdir -p "$DOM0_UPDATES_DIR/packages"
+
+set -e
+
+if [ "$GUI" = 1 ]; then
+ ( echo "1"
+ yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+ echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
+ --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
+else
+ yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+fi
+
+# qvm-copy-to-vm works only from user
+su -c "qvm-copy-to-vm @dom0updates $DOM0_UPDATES_DIR/packages/*.rpm" user
diff --git a/appvm/unpack.c b/common/unpack.c
similarity index 100%
rename from appvm/unpack.c
rename to common/unpack.c
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
index 993b277..d754c36 100644
--- a/rpm_spec/core-commonvm.spec
+++ b/rpm_spec/core-commonvm.spec
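Review bot: `if [ -z $PKGLIST ]` expands the list unquoted, so with two or more packages `[` receives extra arguments and the test only falls through by accident; it must be `[ -z "$PKGLIST" ]`. The `set -e` a few lines down does not cover the GUI branch, because the pipeline's status is zenity's, and `packages/` is never emptied before downloading, so the final `su -c "qvm-copy-to-vm ..."` ships whatever rpms are present, including a failed run's partial files or leftovers from earlier runs. `yum check-update` reports availability through exit status 100 and, with `-q`, a repository error leaves stdout empty, which this pipe reads as "no updates" with no message. The rewrite below quotes the test, clears old rpms and checks the download stage's own status; the VM side verifies nothing, which is acceptable only because, per the commit message, the dom0 unpacker checks signatures — a one-line comment at the top of the script stating that would stop anyone later treating these files as trusted inside the VM.
```shell
# … unchanged: option parsing and DOM0_UPDATES_DIR check …
echo "Checking for updates..."
PKGLIST=$(yum --installroot "$DOM0_UPDATES_DIR" check-update -q | cut -f 1 -d ' ')

if [ -z "$PKGLIST" ]; then
    # No new updates
    exit 0
fi
# … unchanged: zenity confirmation …
mkdir -p "$DOM0_UPDATES_DIR/packages"
# only this run's downloads should be handed to dom0
rm -f -- "$DOM0_UPDATES_DIR"/packages/*.rpm

set -e

# $PKGLIST is intentionally unquoted: one word per package name
if [ "$GUI" = 1 ]; then
    ( echo "1"
    yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST || exit 1
    echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
        --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
    # the pipeline's status is zenity's; check the download stage itself
    [ "${PIPESTATUS[0]}" = 0 ] || exit 1
else
    yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
fi
# … unchanged: su -c qvm-copy-to-vm …
```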
@@ -79,10 +79,12 @@ mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d cp qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/ cp setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ +cp qubes_download_dom0_updates.sh $RPM_BUILD_ROOT/usr/lib/qubes/ mkdir -p $RPM_BUILD_ROOT/etc/yum/post-actions cp qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes cp qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/ +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes/dom0-updates %triggerin -- initscripts cp /var/lib/qubes/serial.conf /etc/init/serial.conf @@ -233,3 +235,4 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/setup_ip /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /usr/lib/qubes/qubes_trigger_sync_appmenus.sh +/usr/lib/qubes/qubes_download_dom0_updates.sh
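Review bot: %install now creates `$RPM_BUILD_ROOT/var/lib/qubes/dom0-updates`, but the %files hunk adds only `/usr/lib/qubes/qubes_download_dom0_updates.sh`; unless the directory is listed elsewhere, it is not packaged (rpmbuild may also complain about the unpackaged directory) and the script's `[ -d "$DOM0_UPDATES_DIR" ]` check fails on a fresh install. Add `%dir /var/lib/qubes/dom0-updates` to %files, or create the directory in %post. The %install and %files sections continue outside the hunks.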