diff --git a/Makefile b/Makefile
index d2087a3..3fbba15 100644
--- a/Makefile
+++ b/Makefile
@@ -43,23 +43,35 @@ all: make -C qrexec make -C qubes-rpc -install-rh: - install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab - install -d $(DESTDIR)/etc/init.d - install vm-init.d/* $(DESTDIR)/etc/init.d/ - - install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf - install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login - +install-systemd: + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init $(DESTDIR)/lib/modules-load.d + install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/ install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)/lib/modules-load.d/ + install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)/lib/modules-load.d/ install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/ - install -m 0644 vm-systemd/qubes-update-check.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-update-check.timer $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-yum-proxy.service $(DESTDIR)/lib/systemd/system/ + +install-sysvinit: + install -d $(DESTDIR)/etc/init.d + install vm-init.d/qubes-core $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-core-appvm $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-core-netvm $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-firewall $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-netwatcher $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-qrexec-agent $(DESTDIR)/etc/init.d/ + install 
vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/ + install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules + install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules + + +install-rh: install-systemd install-sysvinit + install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ @@ -70,9 +82,7 @@ install-rh: install -D -m 0644 misc/yum-qubes-hooks.conf $(DESTDIR)/etc/yum/pluginconf.d/yum-qubes-hooks.conf install -d -m 755 $(DESTDIR)/etc/pki/rpm-gpg install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/ - - install -D misc/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules - install -D misc/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules + install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf install -d $(DESTDIR)/etc/yum.conf.d @@ -82,6 +92,12 @@ install-rh: install -d $(DESTDIR)/var/lib/qubes/dom0-updates install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action + install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf + install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login + + install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables + install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables + install-common: install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes 
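Review bot: In `install-systemd`, `install -m 0644 vm-systemd/qubes-*.service` and the matching `qubes-*.timer` line replace the explicit per-unit list that a later hunk removes from `install-common`, so every file in vm-systemd/ that matches the glob is now installed as a systemd unit. The RPM `%files` list names the units one by one, but `debian/rules` now calls `install-systemd` as well, and whether the Debian packaging enumerates them is not visible here, so a leftover or stray unit file could ship unnoticed. Consider listing the units in a variable, or at least add a comment above the two lines such as `# ships every vm-systemd/qubes-*.service and *.timer; keep the directory free of unused units`.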
@@ -119,9 +135,9 @@ install-common: install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes - install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf - install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum - install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy + install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf + install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates + install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy install -d $(DESTDIR)/etc/xdg/autostart install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)/usr/lib/qubes/show-hide-nm-applet.sh install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop @@ -155,10 +171,12 @@ install-common: install -m 0644 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc install -m 0644 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc install -m 0644 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc + install -m 0644 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc install -d $(DESTDIR)/usr/share/file-manager/actions install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions + install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf install -d $(DESTDIR)/mnt/removable 
@@ -167,16 +185,7 @@ install-common: install -d $(DESTDIR)/var/run/qubes install -d $(DESTDIR)/home_volatile/user - - install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init - install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ - install -m 0644 vm-systemd/qubes-dvm.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-firewall.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-misc-post.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-netwatcher.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-network.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-qrexec-agent.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-sysinit.service $(DESTDIR)/lib/systemd/system/ + install -d $(DESTDIR)/rw install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index c675ea1..fcb8ffd 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
@@ -66,27 +66,11 @@ package() { make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin DIST=archlinux - # Convert module loading to ARCHLINUX - mkdir -p $pkgdir/etc/modules-load.d/ - - #misc/qubes-core.modules - echo xen-evtchn > $pkgdir/etc/modules-load.d/qubes_core.conf - echo xen-blkback >> $pkgdir/etc/modules-load.d/qubes_core.conf - # Note : need to compile pvusb drivers for this last one? - echo xen-usbfront >> $pkgdir/etc/modules-load.d/qubes_core.conf - - #misc/qubes-misc.modules - #install -D misc/qubes_misc.modules $pkgdir/etc/sysconfig/modules/qubes_misc.modules - echo dummy-hcd > $pkgdir/etc/modules-load.d/qubes_misc.conf - # Change the place for iptable rules to match archlinux standard mkdir -p $pkgdir/etc/iptables mv $pkgdir/etc/sysconfig/iptables $pkgdir/etc/iptables/iptables.rules mv $pkgdir/etc/sysconfig/ip6tables $pkgdir/etc/iptables/ip6tables.rules - # Note: appears in the gui package but required for qrexec agent to work - echo u2mfn > $pkgdir/etc/modules-load.d/qubes_u2mfn.conf - # Remove things non wanted in archlinux rm -r $pkgdir/etc/yum* rm -r $pkgdir/etc/init.d diff --git a/debian/changelog b/debian/changelog index a5d67a9..9a1924c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,25 @@ +qubes-core-agent (2.1.42) jessie; urgency=medium + + * firewall: show error message only on actual error + * Avoid 100MB reserved space in private ext4 partition + * gui-fatal: do not run as root + * fedora: workaround slow system shutdown (#852) + * Rename qubes-yum-proxy service to qubes-updates-proxy + * Rename yum-proxy-setup service to updates-proxy-setup + * updates-proxy: add rules for debian repositories (#887) + * qrexec: check for setuid() error when calling zenity/kdialog + * Use systemd mechanism for loading kernel modules (when available) + * Add missing u2mfn module load + * archlinux: modules-load.d handled now in generic files + * debian: migrate to native systemd services + * updates-proxy-setup: support setting proxy for apt (#887) + * Introduce qubes.SetDateTime service for time synchronization + * systemd: fix 'service' path + * Include /rw in the package + * debian: custom dh_auto_clean no longer needed + + -- Marek Marczykowski-Górecki Sat, 25 Oct 2014 01:49:58 +0200 + qubes-core-agent (2.1.41) jessie; urgency=medium [ Marek Marczykowski-Górecki ] diff --git a/debian/control b/debian/control index 6fdc9e2..60c9559 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: qubes-core-agent Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson -Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev +Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) Standards-Version: 3.9.3 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git diff --git a/debian/rules b/debian/rules index e447f05..ff4db5c 100755 --- a/debian/rules +++ b/debian/rules 
@@ -7,13 +7,13 @@ export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ --with=systemd + dh $@ --with systemd override_dh_auto_build: make all override_dh_auto_install: - make install-common install-deb + make install-common install-deb install-systemd make -C qrexec install override_dh_fixperms: diff --git a/misc/qubes-desktop-run b/misc/qubes-desktop-run new file mode 100755 index 0000000..14e3f8b --- /dev/null +++ b/misc/qubes-desktop-run @@ -0,0 +1,11 @@ +#!/usr/bin/python + +from gi.repository import Gio +import sys + +def main(myname, desktop, *files): + launcher = Gio.DesktopAppInfo.new_from_filename(desktop) + launcher.launch(files, None) + +if __name__ == "__main__": + main(*sys.argv) diff --git a/misc/session-stop-timeout.conf b/misc/session-stop-timeout.conf new file mode 100644 index 0000000..fb8e422 --- /dev/null +++ b/misc/session-stop-timeout.conf @@ -0,0 +1,2 @@ +[Service] +TimeoutStopSec=500000us diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum deleted file mode 100644 index 828010e..0000000 --- a/network/filter-qubes-yum +++ /dev/null @@ -1,6 +0,0 @@ -/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ -/repodata/repomd\.xml$ -\.rpm$ -\.drpm$ -^mirrors\.fedoraproject\.org:443$ -^http://mirrors\..*/mirrorlist\? diff --git a/network/filter-updates b/network/filter-updates new file mode 100644 index 0000000..c1afa54 --- /dev/null +++ b/network/filter-updates 
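Review bot: `main()` in the new misc/qubes-desktop-run uses the result of `Gio.DesktopAppInfo.new_from_filename(desktop)` without checking it, and it ignores the return value of `launcher.launch()`. A missing or unparsable .desktop file therefore ends in a traceback, and a failed launch still exits with status 0. Since qubes.GetAppmenus now routes every `Exec=` through this helper, the caller cannot tell a failed start from a successful one. Suggested: `if launcher is None: sys.exit("cannot load " + desktop)` after the lookup and `if not launcher.launch(files, None): sys.exit(1)` for the launch. A call with no arguments also raises `TypeError` from `main(*sys.argv)`; a short usage message would be clearer.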
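Review bot: `TimeoutStopSec=500000us` in misc/session-stop-timeout.conf is installed as a drop-in for `user@.service`, and the file has no comment saying why the stop timeout is cut to half a second. Processes in the user session that need longer to exit are presumably killed when the timeout expires, which can lose unsaved state. If this is the slow-shutdown workaround listed in debian/changelog as #852, say so in the file, for example `# Workaround for slow shutdown (#852): do not wait for the user session to stop cleanly`.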
@@ -0,0 +1,11 @@ +/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +/repodata/repomd\.xml$ +\.rpm$ +\.drpm$ +^mirrors\.fedoraproject\.org:443$ +^http://mirrors\..*/mirrorlist\? +\.deb$ +/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ +/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ +/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ diff --git a/network/iptables-yum-proxy b/network/iptables-updates-proxy similarity index 100% rename from network/iptables-yum-proxy rename to network/iptables-updates-proxy diff --git a/network/qubes-firewall b/network/qubes-firewall index dd5ed23..35a23a1 100755 --- a/network/qubes-firewall +++ b/network/qubes-firewall @@ -40,13 +40,15 @@ while true; do for i in $(xenstore-list qubes-iptables-domainrules) ; do RULES=$(xenstore-read qubes-iptables-domainrules/"$i") - ERRS=`echo -e "$RULES" | iptables-restore -n 2>&1 || true` - echo "Failed applying rules for $i: $ERRS" >&2 - OUT="$OUT$ERRS" + ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` + if [ -n "$ERRS" ]; then + echo "Failed applying rules for $i: $ERRS" >&2 + OUT="$OUT$ERRS" + fi done xenstore-write $XENSTORE_ERROR "$OUT" - if [ "$OUT" ]; then - DISPLAY=:0 notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : + if [ -n "$OUT" ]; then + DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : fi # Check if user didn't define some custom rules to be applied as well... diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-updates.conf similarity index 82% rename from network/tinyproxy-qubes-yum.conf rename to network/tinyproxy-updates.conf index 43b5082..110b96e 100644 --- a/network/tinyproxy-qubes-yum.conf 
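Review bot: The four new `/dists/[a-z]*/` patterns in network/filter-updates accept only suite names made of lowercase letters, so a suite whose name contains a digit or hyphen (constructed example: `wheezy-updates`) matches none of them and its index files would be refused by the proxy. For a template that reaches its repositories only through this proxy, that means updates from such suites are silently missed. Consider `/dists/[a-z0-9-]*/` in those four lines. Separately, the dot in `Release.gpg` is unescaped and should be `Release\.gpg`. Note also that `\.deb$`, like the existing `\.rpm$`, is not tied to any host, so the filter constrains URL shape only.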
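Review bot: The new `if [ -n "$ERRS" ]` check in network/qubes-firewall decides success from whether `iptables-restore` printed anything, while `|| true` throws the exit status away. A failure that prints nothing is treated as applied rules, and a warning printed on success is reported as a failure. Test the status instead, `if ! ERRS=$(echo -e "$RULES" | /sbin/iptables-restore -n 2>&1); then`, and record a fallback text when the output is empty, `OUT="$OUT${ERRS:-iptables-restore failed for $i}"`, so the error still reaches `$XENSTORE_ERROR`. The enclosing `while true` loop starts and ends outside the hunk.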
+++ b/network/tinyproxy-updates.conf @@ -8,7 +8,7 @@ DefaultErrorFile "/usr/share/tinyproxy/default.html" StatFile "/usr/share/tinyproxy/stats.html" Syslog On LogLevel Notice -PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid" +PidFile "/var/run/tinyproxy/tinyproxy-updates.pid" MaxClients 50 MinSpareServers 2 @@ -21,7 +21,7 @@ Allow 127.0.0.1 Allow 10.137.0.0/16 -Filter "/etc/tinyproxy/filter-qubes-yum" +Filter "/etc/tinyproxy/filter-updates" FilterURLs On #FilterExtended On #FilterCaseSensitive On diff --git a/qubes-rpc/gui-fatal.c b/qubes-rpc/gui-fatal.c index 0bda201..5292f06 100644 --- a/qubes-rpc/gui-fatal.c +++ b/qubes-rpc/gui-fatal.c @@ -28,6 +28,9 @@ static void produce_message(const char * type, const char *fmt, va_list args) case -1: exit(1); //what else case 0: + if (geteuid() == 0) + if (setuid(getuid()) != 0) + perror("setuid failed, calling kdialog/zenity as root"); fix_display(); #ifdef USE_KDIALOG execlp("/usr/bin/kdialog", "kdialog", "--sorry", dialog_msg, NULL); diff --git a/qubes-rpc/prepare-suspend b/qubes-rpc/prepare-suspend index 8e8e738..975e06f 100755 --- a/qubes-rpc/prepare-suspend +++ b/qubes-rpc/prepare-suspend @@ -19,6 +19,9 @@ if [ x"$action" == x"suspend" ]; then service NetworkManager stop # Force interfaces down, just in case when NM didn't done it for if in `ls /sys/class/net|grep -v "lo\|vif"`; do + if [ "`cat /sys/class/net/$if/device/devtype 2>/dev/null`" == "vif" ]; then + continue + fi ip l s $if down done LOADED_MODULES="" diff --git a/qubes-rpc/qubes.GetAppmenus b/qubes-rpc/qubes.GetAppmenus index 71e7b33..e26b15b 100644 --- a/qubes-rpc/qubes.GetAppmenus +++ b/qubes-rpc/qubes.GetAppmenus 
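Review bot: When `setuid(getuid())` fails in the `case 0:` branch of qubes-rpc/gui-fatal.c, the code only calls `perror()` and then continues to `fix_display()` and the `execlp` of kdialog/zenity, so the dialog still runs as root. The branch should stop instead, for example `if (setuid(getuid()) != 0) { perror("setuid"); _exit(1); }`. Two gaps remain even then: if the real UID is also 0 the call changes nothing, and the group IDs are left untouched, so a `setgid(getgid())` before the `setuid` is worth adding. `produce_message` starts and ends outside the hunk.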
@@ -1 +1,2 @@ -find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /=/ {print FILENAME ":" $0 }' 2> /dev/null +find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | \ + xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /^Exec=/ { print FILENAME ":Exec=qubes-desktop-run " FILENAME; next } /=/ {print FILENAME ":" $0 }' 2> /dev/null diff --git a/qubes-rpc/qubes.SetDateTime b/qubes-rpc/qubes.SetDateTime new file mode 100644 index 0000000..6ecc9e6 --- /dev/null +++ b/qubes-rpc/qubes.SetDateTime @@ -0,0 +1,11 @@ +#!/bin/sh + +# it is in format of `date -u -Iseconds`, example: 2014-09-29T22:59:21+0000 +# it comes from dom0, so is trusted +read timestamp +timediff=$(( `date -u +'+%Y%m%d%H%M%S'` - `date -u -d "$timestamp" +'+%Y%m%d%H%M%S'` )) +if [ $timediff -le 2 -a $timediff -ge -2 ]; then + # don't bother + exit 0 +fi +date -u -s "$timestamp" diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 503fba9..6448fcb 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -331,13 +331,12 @@ rm -f %{name}-%{version} /etc/qubes-rpc/qubes.SelectFile /etc/qubes-rpc/qubes.SelectDirectory /etc/qubes-rpc/qubes.GetImageRGBA +/etc/qubes-rpc/qubes.SetDateTime %config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/sysconfig/iptables %config(noreplace) /etc/sysconfig/ip6tables -/etc/sysconfig/modules/qubes-core.modules -/etc/sysconfig/modules/qubes-misc.modules -%config(noreplace) /etc/tinyproxy/filter-qubes-yum -%config(noreplace) /etc/tinyproxy/tinyproxy-qubes-yum.conf +%config(noreplace) /etc/tinyproxy/filter-updates +%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop 
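Review bot: The new awk rule in qubes-rpc/qubes.GetAppmenus emits `Exec=qubes-desktop-run ` followed by the raw `FILENAME`, so a .desktop path containing spaces or shell metacharacters becomes part of a command line without any quoting. How the receiver later executes that line is not visible here, but `/usr/local/share/applications/` is scanned too, so the file names are not limited to what packages install. Skipping unexpected names before anything is printed keeps the output predictable, for example a leading rule `FILENAME !~ /^[A-Za-z0-9_.\/-]+$/ { nextfile }`. The `find | xargs` pipeline has the same whitespace problem; `-print0` with `xargs -0` would close it.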
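Review bot: The new qubes-rpc/qubes.SetDateTime never checks that `date -d "$timestamp"` parsed its input. On a malformed value the arithmetic expansion and the `[` test fail, and the script still reaches `date -u -s "$timestamp"`. The comment "it comes from dom0, so is trusted" holds only if the qrexec policy restricts who may call this service, which is outside this file. The difference is also computed on `YYYYMMDDHHMMSS` strings (with a doubled `+` in the format), which is not a number of seconds, so it jumps at every minute boundary. Comparing epoch seconds and exiting when parsing fails fixes both, as sketched below.

```shell
read -r timestamp
# … unchanged: comments describing the expected format …
now=$(date -u +%s)
# Refuse input that date cannot parse instead of falling through to `date -s`.
target=$(date -u -d "$timestamp" +%s) || exit 1
timediff=$(( now - target ))
# … unchanged: the ±2 second check and `date -u -s "$timestamp"` …
```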
@@ -347,6 +346,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/yum.repos.d/qubes-r2.repo /etc/yum/pluginconf.d/yum-qubes-hooks.conf /etc/yum/post-actions/qubes-trigger-sync-appmenus.action +/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf /usr/sbin/qubes-serial-login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-move-to-vm @@ -355,6 +355,7 @@ rm -f %{name}-%{version} /usr/bin/qvm-run /usr/bin/qvm-mru-entry /usr/bin/xenstore-watch-qubes +/usr/bin/qubes-desktop-run %dir /usr/lib/qubes /usr/lib/qubes/vusb-ctl.py* /usr/lib/qubes/dispvm-prerun.sh @@ -382,7 +383,7 @@ rm -f %{name}-%{version} /usr/lib/qubes/tar2qfile /usr/lib/qubes/vm-file-editor /usr/lib/qubes/wrap-in-html-if-url.sh -/usr/lib/qubes/iptables-yum-proxy +/usr/lib/qubes/iptables-updates-proxy /usr/lib/qubes/close-window /usr/lib/yum-plugins/yum-qubes-hooks.py* /usr/sbin/qubes-firewall @@ -398,6 +399,7 @@ rm -f %{name}-%{version} %dir /home_volatile %attr(700,user,user) /home_volatile/user %dir /mnt/removable +%dir /rw %package sysvinit Summary: Qubes unit files for SysV init style or upstart @@ -417,8 +419,10 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes-core-netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher -/etc/init.d/qubes-yum-proxy +/etc/init.d/qubes-updates-proxy /etc/init.d/qubes-qrexec-agent +/etc/sysconfig/modules/qubes-core.modules +/etc/sysconfig/modules/qubes-misc.modules %post sysvinit 
@@ -452,8 +456,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" -chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" -chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" +chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!" +chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!" chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!" chkconfig qubes-qrexec-agent on || echo "WARNING: Cannot enable service qubes-qrexec-agent!" @@ -468,7 +472,7 @@ if [ "$1" = 0 ] ; then chkconfig qubes-core-appvm off chkconfig qubes-firewall off chkconfig qubes-netwatcher off - chkconfig qubes-yum-proxy off + chkconfig qubes-updates-proxy off chkconfig qubes-qrexec-agent off fi @@ -497,8 +501,10 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer -/lib/systemd/system/qubes-yum-proxy.service +/lib/systemd/system/qubes-updates-proxy.service /lib/systemd/system/qubes-qrexec-agent.service +/lib/modules-load.d/qubes-core.conf +/lib/modules-load.d/qubes-misc.conf %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh 
@@ -522,7 +528,7 @@ The Qubes core startup configuration for SystemD init. %post systemd -for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy qubes-qrexec-agent; do +for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do /bin/systemctl enable $srv.service 2> /dev/null done diff --git a/version b/version index b2581af..0f72d83 100644 --- a/version +++ b/version @@ -1 +1 @@ -2.1.41 +2.1.42 diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core index 8c8e588..77a71bf 100755 --- a/vm-init.d/qubes-core +++ b/vm-init.d/qubes-core @@ -28,7 +28,7 @@ start() # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) # (let's be frank: nobody's gonna use xterm on DispVM) hostname $name - sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts + sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts fi timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` @@ -38,7 +38,7 @@ start() echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi - yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) + yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/xenstore-read qubes-service/updates-proxy-setup 2>/dev/null ) type=$(/usr/bin/xenstore-read qubes-vm-type) if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf diff --git a/misc/qubes-core.modules b/vm-init.d/qubes-core.modules similarity index 83% rename from misc/qubes-core.modules rename to vm-init.d/qubes-core.modules index 42ce0fb..064151b 100755 --- a/misc/qubes-core.modules +++ b/vm-init.d/qubes-core.modules 
@@ -1,3 +1,4 @@ modprobe evtchn 2>/dev/null || modprobe xen-evtchn modprobe xen-blkback 2> /dev/null || modprobe blkbk modprobe xen-usbfront 2> /dev/null +modprobe u2mfn 2>/dev/null diff --git a/misc/qubes-misc.modules b/vm-init.d/qubes-misc.modules similarity index 100% rename from misc/qubes-misc.modules rename to vm-init.d/qubes-misc.modules diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-updates-proxy similarity index 76% rename from vm-init.d/qubes-yum-proxy rename to vm-init.d/qubes-updates-proxy index 00a3634..577a386 100755 --- a/vm-init.d/qubes-yum-proxy +++ b/vm-init.d/qubes-updates-proxy @@ -1,14 +1,14 @@ #!/bin/sh # -# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy +# tinyproxy Startup script for the tinyproxy server as Qubes updates proxy # # chkconfig: - 85 15 # description: small, efficient HTTP/SSL proxy daemon # # processname: tinyproxy -# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf -# config: /etc/sysconfig/tinyproxy-qubes-yum -# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid +# config: /etc/tinyproxy/tinyproxy-updates.conf +# config: /etc/sysconfig/tinyproxy-updates +# pidfile: /var/run/tinyproxy/tinyproxy-updates.pid # # Note: pidfile is created by tinyproxy in its config # see PidFile in the configuration file. 
@@ -24,17 +24,17 @@ exec="/usr/sbin/tinyproxy" prog=$(basename $exec) -config="/etc/tinyproxy/tinyproxy-qubes-yum.conf" -pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid" +config="/etc/tinyproxy/tinyproxy-updates.conf" +pidfile="/var/run/tinyproxy/tinyproxy-updates.pid" -[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum +[ -e /etc/sysconfig/tinyproxy-updates ] && . /etc/sysconfig/tinyproxy-updates -lockfile=/var/lock/subsys/tinyproxy-qubes-yum +lockfile=/var/lock/subsys/tinyproxy-updates start() { type=`/usr/bin/xenstore-read qubes-vm-type` - start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null` - if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then + start_updates_proxy=`/usr/bin/xenstore-read qubes-service/qubes-updates-proxy 2>/dev/null` + if [ -z "$start_updates_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_updates_proxy" != "1" ]; then # Yum proxy disabled exit 0 fi @@ -45,7 +45,7 @@ start() { /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT - echo -n $"Starting $prog (as Qubes yum proxy): " + echo -n $"Starting $prog (as Qubes updates proxy): " daemon $exec -c $config retval=$? echo diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index 43e944c..f4169e7 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
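Review bot: `start()` in vm-init.d/qubes-updates-proxy now reads only `qubes-service/qubes-updates-proxy`, so a VM whose configuration still sets the old `qubes-yum-proxy` key stops starting the proxy under sysvinit after the upgrade. The systemd unit added in this commit accepts both names through its two `ConditionPathExists=|` lines, and vm-init.d/qubes-core falls back between the old and new setup keys. For the same behaviour here, extend the read to `... qubes-service/qubes-updates-proxy 2>/dev/null || /usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null`. The `# Yum proxy disabled` comment below it kept the old name.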
@@ -1,15 +1,17 @@ #!/bin/sh -if [ -e /etc/debian_version ]; then - if [ -f /var/run/qubes-service/yum-proxy-setup ]; then - echo 'Acquire::http::proxy "http://10.137.255.254:8082/";' > /etc/apt/apt.conf.d/80qubes-proxy - else - echo > /etc/apt/apt.conf.d/80qubes-proxy +if [ -f /var/run/qubes-service/yum-proxy-setup -o -f /var/run/qubes-service/updates-proxy-setup ]; then + if [ -d /etc/apt/apt.conf.d ]; then + echo 'Acquire::http::Proxy "http://10.137.255.254:8082/";' >> /etc/apt/apt.conf.d/01qubes-proxy + fi + if [ -d /etc/yum.conf.d ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf fi else - if [ -f /var/run/qubes-service/yum-proxy-setup ]; then - echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf - else + if [ -d /etc/apt/apt.conf.d ]; then + rm -f /etc/apt/apt.conf.d/01qubes-proxy + fi + if [ -d /etc/yum.conf.d ]; then echo > /etc/yum.conf.d/qubes-proxy.conf fi fi @@ -22,6 +24,7 @@ INTERFACE=eth0 /usr/lib/qubes/setup-ip if [ -e /dev/xvdb -a ! -e /etc/this-is-dvm ] ; then resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed" + tune2fs -m 0 /dev/xvdb mount /rw if ! [ -d /rw/home ] ; then @@ -59,7 +62,7 @@ fi # Start AppVM specific services if [ ! -f /etc/systemd/system/cups.service ]; then if [ -f /var/run/qubes-service/cups ]; then - service cups start + /usr/sbin/service cups start # Allow also notification icon sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop else diff --git a/vm-systemd/qubes-core.conf b/vm-systemd/qubes-core.conf new file mode 100644 index 0000000..e87a760 --- /dev/null +++ b/vm-systemd/qubes-core.conf @@ -0,0 +1,4 @@ +xen-evtchn +xen-blkback +xen-usbfront +u2mfn diff --git a/vm-systemd/qubes-misc.conf b/vm-systemd/qubes-misc.conf new file mode 100644 index 0000000..e799241 --- /dev/null +++ b/vm-systemd/qubes-misc.conf @@ -0,0 +1 @@ +dummy-hcd 
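Review bot: The apt branch in vm-systemd/misc-post.sh writes the proxy line with `>>`, so each run of the script appends another `Acquire::http::Proxy` line to `/etc/apt/apt.conf.d/01qubes-proxy`. The yum branch next to it overwrites with `>`. Wherever the root filesystem persists across boots (presumably templates), the file grows by one line per boot. It also keeps any content that was already in the file, so the result is not fully determined by this script. Use `>` here as well: `echo 'Acquire::http::Proxy "http://10.137.255.254:8082/";' > /etc/apt/apt.conf.d/01qubes-proxy`.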
diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service index 72bbe84..38d8f71 100644 --- a/vm-systemd/qubes-qrexec-agent.service +++ b/vm-systemd/qubes-qrexec-agent.service @@ -9,3 +9,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-core-agent.service diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index c5ee1ce..99be971 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,14 +1,16 @@ #!/bin/bash # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" -DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" +DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup" DEFAULT_ENABLED="meminfo-writer" -XS_READ=xenstore-read -XS_LS=xenstore-ls +XS_READ=/usr/bin/xenstore-read +[ -x /usr/sbin/xenstore-read ] && XS_READ=/usr/sbin/xenstore-read +XS_LS=/usr/bin/xenstore-ls +[ -x /usr/sbin/xenstore-read ] && XS_LS=/usr/sbin/xenstore-ls read_service() { $XS_READ qubes-service/$1 2> /dev/null 
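Review bot: The guard for `XS_LS` in vm-systemd/qubes-sysinit.sh tests the wrong binary: `[ -x /usr/sbin/xenstore-read ] && XS_LS=/usr/sbin/xenstore-ls` looks like a copy of the line above it. On a system that has `/usr/sbin/xenstore-read` but no `/usr/sbin/xenstore-ls`, `XS_LS` would point at a missing file, and any use of it would fail; whether such errors are silenced is not visible in this hunk. The line should be `[ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls`.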
@@ -38,10 +40,10 @@ chmod 666 /proc/u2mfn # Set default services depending on VM type TYPE=`$XS_READ qubes-vm-type 2> /dev/null` -[ "$TYPE" == "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM -[ "$TYPE" == "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM -[ "$TYPE" == "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM -[ "$TYPE" == "TemplateVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_TEMPLATEVM +[ "$TYPE" = "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM +[ "$TYPE" = "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM +[ "$TYPE" = "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM +[ "$TYPE" = "TemplateVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_TEMPLATEVM # Enable default services for srv in $DEFAULT_ENABLED; do diff --git a/vm-systemd/qubes-updates-proxy.service b/vm-systemd/qubes-updates-proxy.service new file mode 100644 index 0000000..cb88922 --- /dev/null +++ b/vm-systemd/qubes-updates-proxy.service @@ -0,0 +1,16 @@ +[Unit] +Description=Qubes updates proxy (tinyproxy) +ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy +ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy +After=iptables.service + +[Service] +ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy +ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start +ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-updates.conf +ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop +Restart=on-failure +RestartSec=5s + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service deleted file mode 100644 index 379d3df..0000000 --- a/vm-systemd/qubes-yum-proxy.service +++ /dev/null 
@@ -1,15 +0,0 @@
-[Unit]
-Description=Qubes yum proxy (tinyproxy)
-ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy
-After=iptables.service
-
-[Service]
-ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
-ExecStartPre=/usr/lib/qubes/iptables-yum-proxy start
-ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
-ExecStopPost=/usr/lib/qubes/iptables-yum-proxy stop
-Restart=on-failure
-RestartSec=5s
-
-[Install]
-WantedBy=multi-user.target