From 4c0849890cbe83cc8433cffcaf44b2c669441856 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 11 Mar 2011 01:42:42 +0100
Subject: [PATCH] NetVM, AppVM, ProxyVM from single template - VM side (missing files...)

---
 appvm/qubes_core_appvm | 82 ++++++++++++++++++
 rpm_spec/core-commonvm.spec | 166 ++++++++++++++++++++++++++++++++++++
 rpm_spec/core-proxyvm.spec | 77 +++++++++++++++++
 3 files changed, 325 insertions(+)
 create mode 100755 appvm/qubes_core_appvm
 create mode 100644 rpm_spec/core-commonvm.spec
 create mode 100644 rpm_spec/core-proxyvm.spec

diff --git a/appvm/qubes_core_appvm b/appvm/qubes_core_appvm
new file mode 100755
index 0000000..ed250dd
--- /dev/null
+++ b/appvm/qubes_core_appvm
@@ -0,0 +1,82 @@
+#!/bin/sh
+#
+# chkconfig: 345 85 85
+# description: Executes Qubes core scripts at AppVM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+possibly_run_save_script()
+{
+ ENCODED_SCRIPT=$(xenstore-read qubes_save_script)
+ if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
+ echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script
+ chmod 755 /tmp/qubes_save_script
+ Xorg -config /etc/X11/xorg-preload-apps.conf :0 &
+ sleep 2
+ DISPLAY=:0 su - user -c /tmp/qubes_save_script
+ killall Xorg
+}
+
+start()
+{
+ if ! [ -x /usr/bin/xenstore-read ] ; then
+ echo "ERROR: /usr/bin/xenstore-read not found!"
+ exit 1
+ fi
+
+ type=$(/usr/bin/xenstore-read qubes_vm_type)
+ if [ "$type" != "AppVM" -a "$type" != "DisposableVM" ]; then
+ # This script runs only on AppVMs
+ return 0
+ fi
+
+ # Start AppVM specific services
+ /sbin/service cups start
+
+ echo -n $"Executing Qubes Core scripts for AppVM:"
+
+ if xenstore-read qubes_save_request 2>/dev/null ; then
+ ln -sf /home_volatile /home
+ possibly_run_save_script
+ touch /etc/this_is_dvm
+ dmesg -c >/dev/null
+ free | grep Mem: |
+ (read a b c d ; xenstore-write device/qubes_used_mem $c)
+ # we're still running in DispVM template
+ echo "Waiting for save/restore..."
+ # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys
+ while ! xenstore-read qubes_restore_complete 2>/dev/null ; do
+ usleep 10
+ done
+ echo Back to life.
+ fi
+
+ MEM_CHANGE_THRESHOLD_KB=30000
+MEMINFO_DELAY_USEC=100000
+/usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC &
+
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
new file mode 100644
index 0000000..6705c28
--- /dev/null
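Review bot: `possibly_run_save_script` writes a xenstore-supplied blob to the fixed path `/tmp/qubes_save_script`, makes it executable and runs it; a predictable name in a world-writable directory, created and chmod'ed by root, is a classic symlink/pre-creation race, so create it with `script=$(mktemp /tmp/qubes_save_script.XXXXXX)` (or under a root-owned directory such as `/var/lib/qubes`), write into that, and `rm -f` it once the `su` returns. The `echo $ENCODED_SCRIPT` should quote its argument, and the `[ "$type" != "AppVM" -a "$type" != "DisposableVM" ]` test in `start()` uses the deprecated `-a`; `[ "$type" != "AppVM" ] && [ "$type" != "DisposableVM" ]` is the portable form (and `type` shadows a shell builtin name, so `vm_type` reads better). The restore wait loop sleeps only 10 microseconds per iteration, so it forks `xenstore-read` in what is effectively a busy loop while Dom0 works; a delay on the order of tens of milliseconds would be kinder to the host. Finally, `exit $RETVAL` at the bottom references a variable nothing in the script assigns, so the exit status is whatever the last command returned; either set `RETVAL=$?` after the `start`/`stop` calls or drop the variable.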
+++ b/rpm_spec/core-commonvm.spec 
@@ -0,0 +1,166 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010 Joanna Rutkowska
+# Copyright (C) 2010 Rafal Wojtczuk
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name: qubes-core-commonvm
+Version: %{version}
+Release: 1
+Summary: The Qubes core files for any VM
+
+Group: Qubes
+Vendor: Invisible Things Lab
+License: GPL
+URL: http://www.qubes-os.org
+Requires: /usr/bin/xenstore-read
+Requires: fedora-release = 13
+
+%define _builddir %(pwd)/common
+
+%description
+The Qubes core files for installation inside a Qubes VM.
+
+%pre
+
+if [ "$1" != 1 ] ; then
+# do this whole %pre thing only when updating for the first time...
+exit 0
+fi
+
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then
+mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig
+fi
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc
+cp fstab $RPM_BUILD_ROOT/etc/fstab
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp iptables $RPM_BUILD_ROOT/etc/sysconfig/
+mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
+cp ../appvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/sbin
+cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
+mkdir -p $RPM_BUILD_ROOT/etc
+cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
+
+%triggerin -- initscripts
+cp /var/lib/qubes/serial.conf /etc/init/serial.conf
+
+%post
+
+if [ "$1" != 1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+usermod -L root
+if ! [ -f /var/lib/qubes/serial.orig ] ; then
+ cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+fi
+
+#echo "--> Disabling SELinux..."
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0 2>/dev/null
+
+#echo "--> Turning off unnecessary services..."
+# FIXME: perhaps there is more elegant way to do this?
+for f in /etc/init.d/*
+do
+ srv=`basename $f`
+ [ $srv = 'functions' ] && continue
+ [ $srv = 'killall' ] && continue
+ [ $srv = 'halt' ] && continue
+ [ $srv = 'single' ] && continue
+ [ $srv = 'qubes_gui' ] && continue
+ chkconfig $srv off
+done
+
+#echo "--> Enabling essential services..."
+chkconfig rsyslog on
+chkconfig haldaemon on
+chkconfig messagebus on
+chkconfig iptables on
+chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
+
+
+# TODO: make this not display the silly message about security context...
+sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
+
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+#echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+ if [ $(basename $f) == "xen-backend.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "xend.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "qubes.rules" ] ; then
+ continue
+ fi
+
+ if [ $(basename $f) == "90-hal.rules" ] ; then
+ continue
+ fi
+
+
+ mv $f /var/lib/qubes/removed-udev-scripts/
+done
+mkdir -p /rw
+#rm -f /etc/mtab
+#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+%preun
+if [ "$1" = 0 ] ; then
+ # no more packages left
+ chkconfig qubes_core off
+ mv /var/lib/qubes/fstab.orig /etc/fstab
+ mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+ mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/fstab
+/etc/init.d/qubes_core
+/etc/sysconfig/iptables
+/var/lib/qubes
+/etc/yum.repos.d/qubes.repo
+/sbin/qubes_serial_login
diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec
new file mode 100644
index 0000000..c5a5ad3
--- /dev/null
+++ b/rpm_spec/core-proxyvm.spec
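Review bot: The SELinux line in %post, `sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed`, has no input or output redirection as shown (the `<`/`>` may have been lost in rendering, but if the hunk is literal): sed reads a not-yet-existing `config.processed` and prints to stdout, the following `mv` fails, and only the runtime `setenforce 0` takes effect, so the VM comes back in whatever mode the untouched `/etc/selinux/config` specifies at next boot. Quote the expression and redirect explicitly: `sed -e 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config > /etc/selinux/config.processed`. Separately, %pre uses `$RPM_BUILD_ROOT`, which is a build-time variable and is not set in install-time scriptlets, so those paths resolve to `/var/lib/qubes` and `/etc/fstab` only by accident; write the absolute paths directly. The %preun `mv /var/lib/qubes/fstab.orig /etc/fstab` is unconditional and fails on a system where %pre found no fstab to save; guard it with `[ -e /var/lib/qubes/fstab.orig ] &&`.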
@@ -0,0 +1,77 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010 Joanna Rutkowska
+# Copyright (C) 2010 Rafal Wojtczuk
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name: qubes-core-proxyvm
+Version: %{version}
+Release: 1
+Summary: The Qubes core files for NetVM
+
+Group: Qubes
+Vendor: Invisible Things Lab
+License: GPL
+URL: http://www.qubes-os.org
+Requires: /usr/bin/xenstore-read
+Requires: /sbin/ethtool
+Requires: fedora-release = 13
+Requires: qubes-core-netvm
+
+%define _builddir %(pwd)/proxyvm
+
+%description
+The Qubes core files for installation inside a Qubes ProxyVM in addition to NetVM scripts.
+
+%pre
+
+%build
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp init.d/qubes_firewall $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/usr/sbin
+cp bin/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
+
+%post
+
+if [ "$1" != 1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
+
+%preun
+if [ "$1" = 0 ] ; then
+ # no more packages left
+ chkconfig qubes_firewall off
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/init.d/qubes_firewall
+/usr/sbin/qubes_firewall
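Review bot: Both fallback messages in %post name the wrong service — `chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"` should say `Cannot add service qubes_firewall!`, and likewise `Cannot enable service qubes_firewall!` on the next line — otherwise an operator debugging a ProxyVM is pointed at a different init script. More importantly, the `|| echo` demotes a failure to register the firewall init script to a warning and lets the package install succeed; since `qubes_firewall` is presumably what applies the per-VM filtering in a ProxyVM, consider `|| exit 1` so the problem surfaces at install time rather than as a VM that boots without the service. `Summary: The Qubes core files for NetVM` also looks copied from the netvm spec; `for ProxyVM` would match the %description.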