From e5478d6578062a13ec53893cd8734b0a87bb569b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 25 Apr 2012 00:25:54 +0200 Subject: [PATCH 01/44] vm/qubes-dom0-update: display info when no updates available --- misc/qubes_download_dom0_updates.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/misc/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh index 575ebe7..33bc46d 100755 --- a/misc/qubes_download_dom0_updates.sh +++ b/misc/qubes_download_dom0_updates.sh @@ -57,6 +57,9 @@ fi if [ -z "$PKGLIST" ]; then # No new updates + if [ "$GUI" = 1 ]; then + zenity --info --text="No new updates available" + fi exit 0 fi From 232c00590a95b2f6c4f5893e1993f1c44b6374d2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 25 Apr 2012 23:41:48 +0200 Subject: [PATCH 02/44] dom0+vm/hotplug-script: improve error checking, log only important messages (#477) --- misc/block-snapshot | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/misc/block-snapshot b/misc/block-snapshot index 719b10a..c57cad4 100755 --- a/misc/block-snapshot +++ b/misc/block-snapshot @@ -14,7 +14,9 @@ fi shopt -s nullglob -HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" +if [ -n "$XENBUS_PATH" ]; then + HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" +fi get_dev() { dev=$1 @@ -102,7 +104,10 @@ case "$command" in add) case $t in snapshot|origin) - p=$(xenstore_read "$XENBUS_PATH/params") + p=$(xenstore_read_default "$XENBUS_PATH/params" 'MISSING') + if [ "$p" == "MISSING" ]; then + fatal "Missing device parameters ($t $XENBUS_PATH/params)" + fi base=${p/:*/} cow=${p/*:/} 
@@ -191,18 +196,20 @@ case "$command" in if [ "$command" = "cleanup" ]; then t=$2 else - t=$(cat $HOTPLUG_STORE-type) + t=$(cat $HOTPLUG_STORE-type 2>/dev/null || echo 'MISSING') fi - case $t in + case "$t" in snapshot|origin) if [ "$command" = "cleanup" ]; then node=$3 else - node=$(cat "$HOTPLUG_STORE-node") + node=$(cat "$HOTPLUG_STORE-node" 2> /dev/null) fi if [ -z "$node" ]; then - fatal "No device node to remove" + #fatal "No device node to remove" + #Most likely already removed + exit 0 fi if [ ! -e "$node" ]; then @@ -258,10 +265,13 @@ case "$command" in for dev in $deps; do if [ -b "$dev" ]; then log debug "Removing $dev" - losetup -d $dev || true 2> /dev/null + losetup -d $dev 2> /dev/null || true fi done + if [ -n "$HOTPLUG_STORE" ]; then + rm $HOTPLUG_STORE-* + fi release_lock "block" exit 0 From ddd2ca1d8ab8eb541e0d80eff7e9c517eb687a5f Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 1 May 2012 11:01:16 +0200 Subject: [PATCH 03/44] version 1.7.20 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index ae6ddf7..ddb0f97 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.19 +1.7.20 From bd8977c82438e5bce44312443cc09ba330519158 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 01:14:04 +0200 Subject: [PATCH 04/44] vm: notify dom0 when updates available in VM (#475) --- rpm_spec/core-vm.spec | 5 +++++ vm-systemd/qubes-sysinit.sh | 6 +++--- vm-systemd/qubes-update-check.service | 7 +++++++ vm-systemd/qubes-update-check.timer | 11 +++++++++++ 4 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 vm-systemd/qubes-update-check.service create mode 100644 vm-systemd/qubes-update-check.timer diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index c11b699..3158b57 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
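Review bot: `rm $HOTPLUG_STORE-*` in the cleanup path runs under the `shopt -s nullglob` visible in this commit's first hunk, so when no store files exist the glob expands to nothing and `rm` fails on a missing operand; since the new `[ -n "$HOTPLUG_STORE" ]` guard is already there, `rm -f -- "$HOTPLUG_STORE"-*` keeps the intent and stays quiet when there is nothing to remove. The reordered `losetup -d $dev 2> /dev/null || true` on the same hunk now actually silences losetup, which the old form did not. The enclosing `case` arm opens outside the hunk.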
@@ -87,6 +87,7 @@ install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ install -d $RPM_BUILD_ROOT/lib/systemd/system $RPM_BUILD_ROOT/usr/lib/qubes/init install -m 0755 vm-systemd/*.sh $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/qubes-*.service $RPM_BUILD_ROOT/lib/systemd/system/ +install -m 0644 vm-systemd/qubes-*.timer $RPM_BUILD_ROOT/lib/systemd/system/ install -m 0644 vm-systemd/NetworkManager.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/cups.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ @@ -484,6 +485,8 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-netwatcher.service /lib/systemd/system/qubes-network.service /lib/systemd/system/qubes-sysinit.service +/lib/systemd/system/qubes-update-check.service +/lib/systemd/system/qubes-update-check.timer %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh @@ -502,6 +505,8 @@ for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes /bin/systemctl enable $srv.service 2> /dev/null done +/bin/systemctl enable qubes-update-check.timer 2> /dev/null + # Install overriden services only when original exists for srv in cups NetworkManager ntpd; do if [ -f /lib/systemd/system/$srv.service ]; then diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 65c3606..d78929c 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh 
@@ -1,9 +1,9 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network" -DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher" -DEFAULT_ENABLED_APPVM="meminfo-writer cups" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check" +DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" +DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM DEFAULT_ENABLED="meminfo-writer" diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service new file mode 100644 index 0000000..5566eda --- /dev/null +++ b/vm-systemd/qubes-update-check.service @@ -0,0 +1,7 @@ +[Unit] +Description=Qubes check for VM updates and notify dom0 +ConditionPathExists=/var/run/qubes-service/qubes-update-check + +[Service] +Type=oneshot +ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l' diff --git a/vm-systemd/qubes-update-check.timer b/vm-systemd/qubes-update-check.timer new file mode 100644 index 0000000..d63cf45 --- /dev/null +++ b/vm-systemd/qubes-update-check.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Periodically check for updates +ConditionPathExists=/var/run/qubes-service/qubes-update-check + +[Timer] +OnBootSec=5min +OnUnitActiveSec=2d + +[Install] +WantedBy=multi-user.target + From ab0b4b40307ba333537079b54055e8784cca661f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 23:48:25 +0200 Subject: [PATCH 05/44] vm: include /proc/xen in fstab (#466) --- misc/fstab | 1 + 1 file changed, 1 insertion(+) diff --git a/misc/fstab b/misc/fstab index 877e6e4..b7d0fee 100644 --- a/misc/fstab +++ b/misc/fstab 
@@ -13,4 +13,5 @@ tmpfs /dev/shm tmpfs defaults 0 0 devpts /dev/pts devpts gid=5,mode=620 0 0 sysfs /sys sysfs defaults 0 0 proc /proc proc defaults 0 0 +xen /proc/xen xenfs defaults 0 0 /dev/xvdi /mnt/removable auto noauto,user,rw 0 0 From e654e5b85140f4cddf98e491e3de7800362ce21f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 May 2012 23:48:45 +0200 Subject: [PATCH 06/44] vm/systemd: do not depend on proc-xen.mount (#466) local-fs.target already covers /proc/xen --- vm-systemd/qubes-sysinit.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-sysinit.service b/vm-systemd/qubes-sysinit.service index c6ca7a0..29bb1e4 100644 --- a/vm-systemd/qubes-sysinit.service +++ b/vm-systemd/qubes-sysinit.service @@ -2,7 +2,7 @@ Description=Init Qubes Services settings DefaultDependencies=no Before=sysinit.target -After=local-fs.target proc-xen.mount +After=local-fs.target [Service] Type=oneshot From 65e3c1d13ec9878977a8a7cc54ec21aaa3537509 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 13:20:14 +0200 Subject: [PATCH 07/44] version 1.7.21 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index ddb0f97..7bc3ecf 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.20 +1.7.21 From 667d85a5f8af8478bd9f5db02a7e2cd5a5bdb0aa Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 8 May 2012 18:30:21 +0200 Subject: [PATCH 08/44] vm: Add localhost alias to /etc/hosts ... or otherwise, some programs will hang for many secconds trying to resolve localhost. --- vm-init.d/qubes_core | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index c3accd9..52bb1cd 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core 
@@ -26,7 +26,7 @@ start() # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) # (let's be frank: nobody's gonna use xterm on DispVM) hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts + (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts fi timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 65c3606..9e3c488 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -52,7 +52,7 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts + (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` From ee150d996d65460f6b7165395dac70aa206f175b Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 8 May 2012 18:36:30 +0200 Subject: [PATCH 09/44] version 1.7.22 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 7bc3ecf..ff39d44 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.21 +1.7.22 From 76847de0f27b657f03c2d5133e3d4a0c96e519f5 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 23:34:01 +0200 Subject: [PATCH 10/44] vm: do not override /etc/hosts, just add VMNAME to 127.0.0.1 --- vm-init.d/qubes_core | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index 52bb1cd..7193d38 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core 
@@ -26,7 +26,7 @@ start() # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) # (let's be frank: nobody's gonna use xterm on DispVM) hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts + sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts fi timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 356a18b..02e2a9a 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -52,7 +52,7 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name localhost") > /etc/hosts + sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` From be05968bd13a04a3fd66195c29dabf3f060d13ab Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 8 May 2012 23:41:53 +0200 Subject: [PATCH 11/44] vm/spec: fix /etc/hosts if it was broken by previous version --- rpm_spec/core-vm.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 3158b57..0b9d5ff 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -237,6 +237,14 @@ sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf sed -i -e '/^exclude = kernel/d' /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf +# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content +if ! grep -q localhost /etc/hosts; then + cat < /etc/hosts +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +EOF +fi + if [ "$1" != 1 ] ; then # do the rest of %post thing only when updating for the first time... exit 0 
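Review bot: The new `sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts` interpolates `$name`, read from xenstore a few lines above, unescaped into both the pattern and the replacement, so a name containing `/`, `&` or `.` breaks or changes the expression; the value comes from dom0, so this is robustness rather than a trust-boundary issue, but the identical line in the qubes-sysinit.sh hunk of this commit has the same problem. Tracing the greedy `\(127\.0\.0\.1 .*\)`, the third group appears to capture only the last token of the line and `\1\2 $name` never emits it, so the first boot drops the last existing alias (e.g. `localhost4.localdomain4`) instead of merely appending the VM name; worth confirming against a stock /etc/hosts. An idempotent form that only appends when the name is absent is `grep -q "[[:space:]]$name\([[:space:]]\|$\)" /etc/hosts || sed -i "s/^127\.0\.0\.1 .*/& $name/" /etc/hosts`, still subject to escaping `$name`.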
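Review bot: As rendered, `cat < /etc/hosts` is an input redirection rather than a here-document, so the two address lines and `EOF` that follow would be executed as commands in %post; if the `<<EOF >` was stripped when this patch was rendered the point is moot, but the spec should read `cat <<EOF > /etc/hosts`. Independently, `grep -q localhost /etc/hosts` only checks for the substring, so a file that kept `127.0.0.1 localhost` but lost the `::1` line is not repaired; adding `|| ! grep -q '^::1' /etc/hosts` to the condition covers that case. The `hostname` substitution is evaluated at package install time, which in a template means the template's name is baked into the file; the per-boot sed in the previous commit is what adds the running VM's name, so a one-line comment saying that the two mechanisms are meant to cooperate would help the next reader.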
From 5d3bc77a63c501ff2cc477317a777fbe9c9c1e13 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Sat, 12 May 2012 13:45:12 +0200 Subject: [PATCH 12/44] version 1.7.23-vm --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index ff39d44..52a89d4 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.22 +1.7.23 From aba5ce6048b1e2d2575cac332e8f0c81f86a00fe Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 22 May 2012 16:49:03 +0200 Subject: [PATCH 13/44] vm/systemd: generate opts for GUI based on debug-mode (#567) --- vm-systemd/qubes-sysinit.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 02e2a9a..1fb463c 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -61,3 +61,11 @@ if [ -n "$timezone" ]; then echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + +# Prepare environment for other services +echo > /var/run/qubes-service-environment + +debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null` +if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then + echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment +fi From f28ad79651f9032d68f625233325b34fef72fb7b Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 28 May 2012 19:30:55 +0200 Subject: [PATCH 14/44] version 1.7.24 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 52a89d4..384e29d 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.23 +1.7.24 From bdf8e5f5c77e99a419fa3b507f0e7a6f936beb4a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 30 May 2012 13:40:27 +0200 Subject: [PATCH 15/44] vm/notify-update: do not treat network problems as updates pending symptom --- vm-systemd/qubes-update-check.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
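Review bot: `[ -n "$debug_mode" -a "$debug_mode" -gt 0 ]` hands whatever xenstore returns straight to an integer comparison, so a non-numeric value makes `test` print an error and the check fall through; `-a` is also the deprecated, ambiguous `test` form. A pattern check first keeps the semantics and the noise down: `case "$debug_mode" in ''|*[!0-9]*) ;; *) [ "$debug_mode" -gt 0 ] && echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment ;; esac`. The environment file is created by `echo >` under the default umask; a comment naming the units that read it would make clear whether its contents are meant to be world-readable.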
diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index 5566eda..6ac37e3 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service @@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l' +ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' From f290b2e93966b32aa96167b0d335c7416105cb14 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:12 +0200 Subject: [PATCH 16/44] vm+dom0/vif-script: indent fix --- network/vif-route-qubes | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index c807017..f4e8989 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes @@ -53,8 +53,7 @@ if [ "${ip}" ] ; then for addr in ${ip} ; do ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done - echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP - ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP fi log debug "Successful vif-route-qubes $command for $vif." From c18cb08f8cf7e800c8afe0b0f122e1e56ff3de41 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:55 +0200 Subject: [PATCH 17/44] dom0+vm/vif-script: setup IP address of net backend interface This is needed to connect to ProxyVM/NetVM, not only pass traffic ahead. Still firewall rules applies. --- network/vif-route-qubes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index f4e8989..6809028 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes 
@@ -54,6 +54,8 @@ if [ "${ip}" ] ; then ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + back_ip=${ip%.*}.1 + ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} fi log debug "Successful vif-route-qubes $command for $vif." From 4b98106732dbb8ba8c5e4de3b095692d21d1d379 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:07:01 +0200 Subject: [PATCH 18/44] dom0+vm/iptables: add PR-QBS-SERVICES chain in PREROUTING nat table Additional chain for some qubes-related redirections. BTW PR-QBS should be renamed now to PR-QBS-DNS... --- network/iptables | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/iptables b/network/iptables index 6e6e6d8..5977ff2 100644 --- a/network/iptables +++ b/network/iptables @@ -4,7 +4,9 @@ :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PR-QBS - [0:0] +:PR-QBS-SERVICES - [0:0] -A PREROUTING -j PR-QBS +-A PREROUTING -j PR-QBS-SERVICES -A POSTROUTING -o vif+ -j ACCEPT -A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -j MASQUERADE From 542cd42d04a6a64ed572bb41d2cf2aedefcf77e3 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:17:09 +0200 Subject: [PATCH 19/44] vm/spec: remove executable perm where not needed --- rpm_spec/core-vm.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 0b9d5ff..4473e08 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -80,7 +80,7 @@ su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2' %install -install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab +install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab install -d $RPM_BUILD_ROOT/etc/init.d install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ 
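Review bot: `back_ip=${ip%.*}.1` assumes `${ip}` holds exactly one address, while the loop two lines above (`for addr in ${ip}`) treats it as a list; with two addresses the expansion strips the suffix of the last one only and the unquoted result reaches `ip addr ${ipcmd}` as several words. If multiple addresses are really possible, derive `back_ip` per `${addr}` inside the loop; if they are not, a comment next to the loop saying so would settle it. The enclosing `if [ "${ip}" ]` block opens outside the hunk.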
@@ -116,7 +116,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules -install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules +install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ @@ -126,7 +126,7 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes -install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ From 0430e5186b3f9054816f39fb9cf1ab282b562d27 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Thu, 31 May 2012 02:24:49 +0200 Subject: [PATCH 20/44] vm: qubes-yum-proxy service (#568) Introduce proxy service, which allow only http(s) traffic to yum repos. The filter rules are based on URL regexp, so it isn't full-featured content inspection and can be easy bypassed, but should be enough to prevent some erroneus user actions (like clicking on invalid link). It is set up to intercept connections to 10.137.255.254:8082, so VM can connect to this IP regardless of VM in which proxy is running. By default it is started in every NetVM, but this can be changed using qvm-service or qubes-manager (as always). --- network/filter-qubes-yum | 6 ++ network/tinyproxy-qubes-yum.conf | 30 +++++++ rpm_spec/core-vm.spec | 12 ++- vm-init.d/qubes-yum-proxy | 121 +++++++++++++++++++++++++++++ vm-systemd/qubes-sysinit.sh | 2 +- vm-systemd/qubes-yum-proxy.service | 14 ++++ 6 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 network/filter-qubes-yum create mode 100644 network/tinyproxy-qubes-yum.conf create mode 100755 vm-init.d/qubes-yum-proxy create mode 100644 vm-systemd/qubes-yum-proxy.service diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum new file mode 100644 index 0000000..b244f3c --- /dev/null +++ b/network/filter-qubes-yum @@ -0,0 +1,6 @@ +.*/repodata/[A-Za-z0-9-]*\(primary\|filelist\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +.*/repodata/repomd\.xml$ +.*\.rpm$ +.*\.drpm$ +mirrors.fedoraproject.org:443 +^http://mirrors\..*/mirrorlist diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-qubes-yum.conf new file mode 100644 index 0000000..43b5082 --- /dev/null +++ b/network/tinyproxy-qubes-yum.conf 
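Review bot: `mirrors.fedoraproject.org:443` is neither anchored nor escaped, so under `FilterURLs On` it matches any URL that contains that substring anywhere, with each `.` matching any character; `^mirrors\.fedoraproject\.org:443$` expresses the CONNECT target that is intended. The `.*\.rpm$` and `.*\.drpm$` rules likewise accept any host, which is consistent with the commit message's stated scope, but a leading comment in the file saying that the filter constrains URL shape rather than destinations would stop it being mistaken for an allow-list of repositories (if tinyproxy's filter file accepts `#` comment lines, as its parser appears to).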
@@ -0,0 +1,30 @@ +User tinyproxy +Group tinyproxy +Port 8082 +Timeout 60 +DefaultErrorFile "/usr/share/tinyproxy/default.html" + +#StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +Syslog On +LogLevel Notice +PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +MaxClients 50 +MinSpareServers 2 +MaxSpareServers 10 +StartServers 2 +MaxRequestsPerChild 0 +ViaProxyName "tinyproxy" + +Allow 127.0.0.1 +Allow 10.137.0.0/16 + + +Filter "/etc/tinyproxy/filter-qubes-yum" +FilterURLs On +#FilterExtended On +#FilterCaseSensitive On +FilterDefaultDeny Yes +ConnectPort 443 + diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 4473e08..10da4d2 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -37,6 +37,7 @@ Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: /sbin/ethtool +Requires: tinyproxy Provides: qubes-core-vm Obsoletes: qubes-core-commonvm Obsoletes: qubes-core-appvm @@ -127,6 +128,8 @@ install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf +install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ @@ -334,6 +337,8 @@ rm -rf $RPM_BUILD_ROOT /etc/sudoers.d/qubes /etc/sysconfig/iptables /etc/sysconfig/modules/qubes_core.modules +/etc/tinyproxy/filter-qubes-yum +/etc/tinyproxy/tinyproxy-qubes-yum.conf /etc/udev/rules.d/50-qubes_memory.rules /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules 
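Review bot: There is no `Listen` directive, so tinyproxy binds port 8082 on every interface of the NetVM and `Allow 127.0.0.1` / `Allow 10.137.0.0/16` is the only application-level restriction; the `iptables -I INPUT -i vif+ ... ACCEPT` rule added elsewhere in this commit admits only VM-side traffic, so exposure on the uplink depends on the INPUT chain's default policy, which the patch does not show. A comment above the `Allow` lines stating that assumption (`# uplink exposure relies on the default INPUT policy; only vif+ is opened`) makes the intended exposure explicit. `ConnectPort 443` together with `FilterDefaultDeny Yes` is the right fail-closed default for CONNECT.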
@@ -422,6 +427,7 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes_core_netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher +/etc/init.d/qubes-yum-proxy %post sysvinit @@ -454,6 +460,8 @@ chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" +chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" # TODO: make this not display the silly message about security context... sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab @@ -466,6 +474,7 @@ if [ "$1" = 0 ] ; then chkconfig qubes_core_appvm off chkconfig qubes-firewall off chkconfig qubes-netwatcher off + chkconfig qubes-yum-proxy off fi %package systemd @@ -495,6 +504,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer +/lib/systemd/system/qubes-yum-proxy.service %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh @@ -509,7 +519,7 @@ The Qubes core startup configuration for SystemD init. %post systemd -for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall; do +for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do /bin/systemctl enable $srv.service 2> /dev/null done diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-yum-proxy new file mode 100755 index 0000000..52f329b --- /dev/null 
+++ b/vm-init.d/qubes-yum-proxy 
@@ -0,0 +1,121 @@ +#!/bin/sh +# +# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy +# +# chkconfig: - 85 15 +# description: small, efficient HTTP/SSL proxy daemon +# +# processname: tinyproxy +# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf +# config: /etc/sysconfig/tinyproxy-qubes-yum +# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid +# +# Note: pidfile is created by tinyproxy in its config +# see PidFile in the configuration file. + +# Source function library. +. /etc/rc.d/init.d/functions + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ "$NETWORKING" = "no" ] && exit 0 + +exec="/usr/sbin/tinyproxy" +prog=$(basename $exec) +config="/etc/tinyproxy/tinyproxy-qubes-yum.conf" +pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum + +lockfile=/var/lock/subsys/tinyproxy-qubes-yum + +start() { + type=`/usr/bin/xenstore-read qubes_vm_type` + start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null` + if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then + # Yum proxy disabled + exit 0 + fi + + [ -x $exec ] || exit 5 + [ -f $config ] || exit 6 + # setup network redirection + /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + + echo -n $"Starting $prog (as Qubes yum proxy): " + daemon $exec -c $config + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc -p $pidfile $prog + retval=$? 
+ echo + /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +reload() { + echo -n $"Reloading $prog: " + killproc -p $pidfile $prog -HUP + echo +} + +force_reload() { + restart +} + +rh_status() { + status $prog +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? + diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 1fb463c..0c8e9d0 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,7 +1,7 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service new file mode 100644 index 0000000..39c14ec --- /dev/null +++ b/vm-systemd/qubes-yum-proxy.service 
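Review bot: The enable check in `start()` is mis-grouped: `[ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]` parses as `(A && B) || C`, and with no xenstore entry the right-hand `[ "" != "1" ]` is true even in a NetVM, so the default-on behaviour the commit describes never happens on the SysV path. Resolve the default first, then test: `[ -z "$start_yum_proxy" ] && [ "$type" = "NetVM" ] && start_yum_proxy=1` followed by `if [ "$start_yum_proxy" != "1" ]; then`. Separately, the two iptables rules are installed before `daemon` runs and are not removed when it fails, so a failed start leaves the INPUT ACCEPT and the REDIRECT in place with nothing listening; removing them when `retval` is non-zero keeps firewall state tied to the proxy being up. The `$1` dispatch in the `case` also executes the argument as a function name, which works only because the preceding patterns limit it to `start|stop|restart|reload`.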
@@ -0,0 +1,14 @@ +[Unit] +Description=Qubes yum proxy (tinyproxy) +ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy +After=iptables.service + +[Service] +ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT +ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf +ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + +[Install] +WantedBy=multi-user.target From c37e4b2344df63f8c444e685c987f9c8d75a65cb Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:33:56 +0200 Subject: [PATCH 21/44] vm/qubes-yum-proxy: create dir for pidfile under FC15 (#568) On FC>=15 /var/run is on tmpfs, so /var/run/tinyproxy from rpm don't survive reboot. This is bug in Fedora package (should include config file for tmpfiles service). For now create dir just before starting service. --- vm-systemd/qubes-yum-proxy.service | 1 + 1 file changed, 1 insertion(+) diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service index 39c14ec..b03c34d 100644 --- a/vm-systemd/qubes-yum-proxy.service +++ b/vm-systemd/qubes-yum-proxy.service @@ -4,6 +4,7 @@ ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy After=iptables.service [Service] +ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf From 9930a89fb18fdc01d400837b809d58b4992d7909 Mon Sep 17 00:00:00 2001 
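Review bot: `After=iptables.service` only orders the unit; nothing pulls iptables.service in, and the `ExecStartPre` `-A PR-QBS-SERVICES` line fails if the chain from `/etc/sysconfig/iptables` is not loaded, so the proxy fails closed rather than run without its redirect — acceptable, but worth making deliberate with `Wants=iptables.service` or a comment. The rules are added before `tinyproxy` is known to have started, and `ExecStopPost` does run after a failed start, so they are removed again here; the SysV script in this same commit does not do that, so the two paths behave differently on failure.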
From: Marek Marczykowski Date: Thu, 31 May 2012 02:37:53 +0200 Subject: [PATCH 22/44] vm/qubes-yum-proxy: setup yum to use qubes-yum-proxy (#568) The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it is reasonable to bypass the proxy. Some examples: - usage of non-standard repos with some exotic file layout, which will be blocked by the proxy - usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM) This commit introduces 'yum-proxy-setup' pseudo-service, which can be controlled via standard qvm-service or qubes-manager. When enabled - yum will be configured at VM startup to use qubes proxy, otherwise - to connect directly (proxy setting will be cleared). --- rpm_spec/core-vm.spec | 10 ++++++++++ vm-init.d/qubes_core | 7 +++++++ vm-systemd/misc-post.sh | 6 ++++++ 3 files changed, 23 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 10da4d2..06004ea 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -131,6 +131,9 @@ install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum +install -d $RPM_BUILD_ROOT/etc/yum.conf.d +touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf + install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ 
@@ -236,6 +239,12 @@ fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf +if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then + echo >> /etc/yum.conf + echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf +fi + # Prevent unnecessary updates in VMs: sed -i -e '/^exclude = kernel/d' /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf @@ -343,6 +352,7 @@ rm -rf $RPM_BUILD_ROOT /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules /etc/xen/scripts/vif-route-qubes +/etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /lib/firmware/updates diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index 7193d38..de194f8 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core @@ -36,6 +36,13 @@ start() echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) + if [ "$yum_proxy_setup" != "0" ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf + else + echo > /etc/yum.conf.d/qubes-proxy.conf + fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index 9ebdf2e..dbefd43 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
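Review bot: `grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'` has no file operand, so it reads %post's stdin instead of /etc/yum.conf; it will not find the pattern and the three `echo >> /etc/yum.conf` lines are appended again on every package upgrade. The fix is the file name: `if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then`. `grep -qs` would additionally keep the check quiet if /etc/yum.conf is ever missing.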
@@ -1,5 +1,11 @@ #!/bin/sh +if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf +else + echo > /etc/yum.conf.d/qubes-proxy.conf +fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case From 55f99e23db69f65c9e0bbaa386ae4cc3f4660540 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 2 Jun 2012 12:32:49 +0200 Subject: [PATCH 23/44] makefile: rename vchan Makefile to not conflict with windows build --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 06004ea..88b2687 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -54,7 +54,7 @@ The Qubes core files for installation inside a Qubes VM. %build make -C u2mfn -make -C vchan +make -C vchan -f Makefile.linux make -C misc make -C qubes_rpc make -C qrexec From b77cd12dff9d0e1033989198bcbc87916d2e3c9b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 4 Jun 2012 15:29:26 +0200 Subject: [PATCH 24/44] vm/systemd: fix ProxyVM related services deps (#578) --- vm-systemd/qubes-firewall.service | 1 + vm-systemd/qubes-network.service | 1 + 2 files changed, 2 insertions(+) diff --git a/vm-systemd/qubes-firewall.service b/vm-systemd/qubes-firewall.service index df765dc..e668271 100644 --- a/vm-systemd/qubes-firewall.service +++ b/vm-systemd/qubes-firewall.service @@ -1,6 +1,7 @@ [Unit] Description=Qubes firewall updater ConditionPathExists=/var/run/qubes-service/qubes-firewall +After=qubes-network.service [Service] ExecStart=/usr/sbin/qubes_firewall diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service index afb53f0..cdb01a7 100644 --- a/vm-systemd/qubes-network.service +++ b/vm-systemd/qubes-network.service 
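Review bot: The `else` branch clears the setting with `echo > /etc/yum.conf.d/qubes-proxy.conf`, which leaves a file containing one newline; `: > /etc/yum.conf.d/qubes-proxy.conf` truncates it and states the intent ("proxy setting will be cleared", per the commit message) directly. Both branches also fail silently if /etc/yum.conf.d does not exist, because the script runs without `set -e`; a `mkdir -p /etc/yum.conf.d` ahead of the test keeps the script correct on templates that predate the spec change.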
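Review bot: `After=qubes-network.service` only orders the two units when both are part of the same start-up transaction; it does not pull qubes-network.service in, so on a system where that unit is not otherwise activated the firewall updater starts with no ordering guarantee at all, which is weaker than the "fix deps" in the subject suggests. If a real dependency is intended, add `Wants=qubes-network.service` next to the `After=` line. Whether both units are enabled by default is decided elsewhere (the spec's %post) and is not visible in this hunk.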
@@ -3,6 +3,7 @@ Names=qubes_firewall.service Description=Qubes network forwarding setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target +After=iptables.service [Service] Type=oneshot From 06c4d57b60f708827c11182ad55ccef61ad9e806 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:28:59 +0200 Subject: [PATCH 25/44] vm: yum plugin to notify dom0 about installed updates (#592) --- misc/Makefile | 7 +++++-- misc/yum-qubes-hooks.py | 42 +++++++++++++++++++++++++++++++++++++++++ rpm_spec/core-vm.spec | 3 +++ 3 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 misc/yum-qubes-hooks.py diff --git a/misc/Makefile b/misc/Makefile index 3b01506..e6f653a 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -1,9 +1,12 @@ CC=gcc CFLAGS=-Wall -g -O3 -all: meminfo-writer xenstore-watch +all: meminfo-writer xenstore-watch python meminfo-writer: meminfo-writer.o $(CC) -g -o meminfo-writer meminfo-writer.o -lxenstore xenstore-watch: xenstore-watch.o $(CC) -o xenstore-watch xenstore-watch.o -lxenstore +python: + python -m compileall . + python -O -m compileall . clean: - rm -f meminfo-writer xenstore-watch *.o *~ + rm -f meminfo-writer xenstore-watch *.o *~ *.pyc *.pyo diff --git a/misc/yum-qubes-hooks.py b/misc/yum-qubes-hooks.py new file mode 100644 index 0000000..f49eac2 --- /dev/null +++ b/misc/yum-qubes-hooks.py 
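Review bot: `After=iptables.service` orders forwarding setup behind the iptables rule load only when iptables.service is in the boot transaction; with `After=` alone, a system where iptables.service is not enabled brings up forwarding (this unit runs `Before=network.target`) before any ruleset is in place, which is the window a ProxyVM firewall exists to close. Add `Wants=iptables.service` (or `Requires=`) alongside the `After=` so the rules are always loaded first; the spec's %post does enable iptables.service, but the unit should not rely on that.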
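Review bot: The new `python` target in misc/Makefile is neither declared `.PHONY` nor given prerequisites, so a file or directory named `python` in misc/ would make `make all` skip byte-compilation silently, and `compileall .` compiles every .py in the directory rather than only the plugin this commit adds. Add `.PHONY: all python clean` and name the file explicitly, e.g. `python -m compileall yum-qubes-hooks.py`. Whether other .py files live in misc/ is not visible here.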
@@ -0,0 +1,42 @@
+#!/usr/bin/python
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2012 Marek Marczykowski
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+#
+
+
+from yum.plugins import TYPE_CORE
+from yum.constants import *
+import subprocess
+
+requires_api_version = '2.4'
+plugin_type = (TYPE_CORE,)
+
+def posttrans_hook(conduit):
+ # Get all updates available _before_ this transaction
+ pkg_list = conduit._base.doPackageLists(pkgnarrow='updates')
+
+ # Get packages installed in this transaction...
+ ts = conduit.getTsInfo()
+ all = ts.getMembers()
+ # ...and filter them out of available updates
+ filtered_updates = filter(lambda x: x not in all, pkg_list.updates)
+
+ # Notify dom0 about left updates count
+ subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', 'echo', str(len(filtered_updates))])
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 88b2687..7b64796 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
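Review bot: `subprocess.call(...)` at the end of `posttrans_hook` ignores the exit status, and if /usr/lib/qubes/qrexec_client_vm is missing or not executable the resulting `OSError` propagates out of the hook, which yum then reports as a plugin failure after the transaction has already been committed; catch it and report through the conduit's logger so a notification problem never reads as an update problem. Separately, `x not in all` compares the `PackageObject`s from `doPackageLists` with the `TransactionMember`s returned by `getMembers()` — whether yum defines equality across those types is not visible here, so please verify the filter really drops the just-installed packages (comparing `x.pkgtup` against e.g. `[m.po.pkgtup for m in members]` would be unambiguous), and `all` shadows the builtin. `conduit._base` is yum's private attribute; if no public accessor exists, a one-line comment saying so would help the next maintainer.
```python
    # ... unchanged: compute filtered_updates ...
    # Notify dom0 about left updates count; a notification failure must not
    # surface as a yum error after the transaction has already committed.
    cmd = ['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates',
           'echo', str(len(filtered_updates))]
    try:
        ret = subprocess.call(cmd)
    except OSError as e:
        conduit.error(2, 'qubes.NotifyUpdates: cannot run qrexec_client_vm: %s' % e)
        return
    if ret != 0:
        conduit.error(2, 'qubes.NotifyUpdates failed with exit status %d' % ret)
```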
@@ -99,6 +99,8 @@ install -D -m 0644 misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf install -D misc/qubes_serial_login $RPM_BUILD_ROOT/sbin/qubes_serial_login install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ +install -d $RPM_BUILD_ROOT/usr/lib/yum-plugins/ +install -m 0644 misc/yum-qubes-hooks.py* $RPM_BUILD_ROOT/usr/lib/yum-plugins/ install -d $RPM_BUILD_ROOT/var/lib/qubes @@ -386,6 +388,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/vm-file-editor /usr/lib/qubes/vm-shell /usr/lib/qubes/wrap_in_html_if_url.sh +/usr/lib/yum-plugins/yum-qubes-hooks.py* /usr/sbin/qubes_firewall /usr/sbin/qubes_netwatcher /usr/share/glib-2.0/schemas/org.gnome.settings-daemon.plugins.updates.gschema.override From 03b5c4778ad50253c9712f71987b562a36b7affd Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 5 Jun 2012 19:38:37 +0200 Subject: [PATCH 26/44] vm: use yum proxy in TemplateVM by default (#590) --- vm-init.d/qubes_core | 3 ++- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index de194f8..c5fe5d2 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core @@ -37,7 +37,8 @@ start() fi yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) - if [ "$yum_proxy_setup" != "0" ]; then + type=$(/usr/bin/xenstore-read qubes_vm_type) + if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf else echo > /etc/yum.conf.d/qubes-proxy.conf diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 0c8e9d0..77dac3f 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh 
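Review bot: The added `|| [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]` clause in `start()` is dead code: when the key is absent `$yum_proxy_setup` is empty and the first test `[ "" != "0" ]` is already true, so every VM type gets the proxy by default and the TemplateVM distinction from the subject never takes effect. If the intent is "on by default only in TemplateVMs", the first test must check for an explicit enable, e.g. `if [ "$yum_proxy_setup" = "1" ] || { [ -z "$yum_proxy_setup" ] && [ "$type" = "TemplateVM" ]; }; then` — this assumes the key holds 1/0, which the existing `!= "0"` comparison suggests but the hunk does not show. `xenstore-read qubes_vm_type` also lacks the `2> /dev/null` its sibling has, and `-a`/`==` inside `[ ]` are not POSIX. `start()` continues outside the hunk.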
@@ -4,7 +4,7 @@ DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" -DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM +DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" DEFAULT_ENABLED="meminfo-writer" XS_READ=/usr/bin/xenstore-read From baf95fb7656ca254e73f02549c37f1a7dededd60 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 02:59:07 +0200 Subject: [PATCH 27/44] vm/spec: depend on ethtool _package_ --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 7b64796..c0aac4c 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -36,7 +36,7 @@ Requires: fedora-release Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen -Requires: /sbin/ethtool +Requires: ethtool Requires: tinyproxy Provides: qubes-core-vm Obsoletes: qubes-core-commonvm From 3e89b332096795be17451e70b673c7baaad474b9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 03:00:05 +0200 Subject: [PATCH 28/44] vm/spec: create firmware symlink only when needed On new systems, like FC16+, firmware is provided by separate package (like linux-firmware), so no longer need to get it from kernel package. --- rpm_spec/core-vm.spec | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index c0aac4c..45dfb3a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -140,9 +140,6 @@ install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ -install -d $RPM_BUILD_ROOT/lib/firmware -ln -s /lib/modules/firmware $RPM_BUILD_ROOT/lib/firmware/updates - install -d $RPM_BUILD_ROOT/usr/bin install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run} $RPM_BUILD_ROOT/usr/bin @@ -241,6 +238,11 @@ fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf +# Install firmware link only on system which haven't it yet +if ! [ -e /lib/firmware/updates ]; then + ln -s /lib/modules/firmware /lib/firmware/updates +fi + if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then echo >> /etc/yum.conf echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf @@ -320,6 +322,10 @@ fi %postun if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : + + if [ -l /lib/firmware/updates ]; then + rm /lib/firmware/updates + fi fi %posttrans @@ -357,7 +363,6 @@ rm -rf $RPM_BUILD_ROOT /etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo /etc/yum/post-actions/qubes_trigger_sync_appmenus.action -/lib/firmware/updates /sbin/qubes_serial_login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-open-in-dvm From 871d4485b94e9503dc9fbf67c374b2f015931dbb Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 6 Jun 2012 02:12:10 +0200 Subject: [PATCH 29/44] dom0+vm/qvm-block: speed up udev block handler (#560) xenstore is very slow, so don't bother it when unneeded. Namely do not try to remove entries, which haven't even created. --- misc/block_add_change | 16 ++++++++++++---- misc/qubes_block.rules | 4 ++-- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/misc/block_add_change b/misc/block_add_change index e1b25ca..b366f9d 100755 --- a/misc/block_add_change +++ b/misc/block_add_change 
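Review bot: `! [ -e /lib/firmware/updates ]` in the new %post block is false for a dangling symlink (`-e` follows the link), so if /lib/modules/firmware is absent at that moment the `ln -s` fails with "File exists" and the scriptlet reports an error for a state it meant to accept. Test for the link itself as well: `if ! [ -e /lib/firmware/updates ] && ! [ -L /lib/firmware/updates ]; then`. The %post scriptlet continues on both sides of the hunk.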
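Review bot: `[ -l /lib/firmware/updates ]` in the new %postun block is not a test operator bash recognises (symlink tests are `-L` or `-h`), so the condition fails with "unary operator expected" and the link is never removed on package removal; change it to `if [ -L /lib/firmware/updates ]; then`. Once fixed, note that %postun removes whatever symlink sits at that path even though %post only creates one when nothing exists, so a link provided by the admin or another package would be removed too; `[ "$(readlink /lib/firmware/updates)" = /lib/modules/firmware ]` limits removal to the link this package makes.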
@@ -6,19 +6,26 @@ SIZE=$[ $(cat /sys/$DEVPATH/size) * 512 ] MODE=w XS_KEY="qubes-block-devices/$NAME" +xs_remove() { + if [ "$QUBES_EXPOSED" == "1" ]; then + xenstore-rm "$XS_KEY" + fi + echo QUBES_EXPOSED=0 +} + # Ignore mounted... if fgrep -q $DEVNAME /proc/mounts; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi # ... and used by device-mapper if [ -n "`ls -A /sys/$DEVPATH/holders 2> /dev/null`" ]; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi # ... and "empty" loop devices if [ "$MAJOR" -eq 7 -a ! -d /sys/$DEVPATH/loop ]; then - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi @@ -26,7 +33,7 @@ fi if [ "$ID_TYPE" = "cd" ]; then if [ "$ID_CDROM_MEDIA" != "1" ]; then # Hide empty cdrom drive - xenstore-rm "$XS_KEY" + xs_remove exit 0 fi MODE=r @@ -37,6 +44,7 @@ if [ -d /sys/$DEVPATH/loop ]; then DESC=$(cat /sys/$DEVPATH/loop/backing_file) fi xenstore-write "$XS_KEY/desc" "$DESC" "$XS_KEY/size" "$SIZE" "$XS_KEY/mode" "$MODE" +echo QUBES_EXPOSED=1 # Make sure that block backend is loaded /sbin/modprobe xen-blkback 2> /dev/null || /sbin/modprobe blkbk diff --git a/misc/qubes_block.rules b/misc/qubes_block.rules index 343553f..14503ee 100644 --- a/misc/qubes_block.rules +++ b/misc/qubes_block.rules @@ -9,8 +9,8 @@ ENV{MAJOR}=="202", GOTO="qubes_block_end" # Skip device-mapper devices ENV{MAJOR}=="253", GOTO="qubes_block_end" -ACTION=="add", RUN+="/usr/lib/qubes/block_add_change" -ACTION=="change", RUN+="/usr/lib/qubes/block_add_change" +ACTION=="add", IMPORT{program}="/usr/lib/qubes/block_add_change" +ACTION=="change", IMPORT{program}="/usr/lib/qubes/block_add_change" ACTION=="remove", RUN+="/usr/lib/qubes/block_remove" LABEL="qubes_block_end" From 20c170427db139c6f47c64c5fa9eb4441416bf41 Mon Sep 17 00:00:00 2001 
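Review bot: `xs_remove` only calls `xenstore-rm` when `$QUBES_EXPOSED` is exactly `1`, and that variable exists only if udev carried it over from an earlier `IMPORT{program}` run of this same script; after a udev database reset, or on the first change event following an upgrade from the `RUN+=` version of the rule, a device still exposed in xenstore would skip removal and leave a stale entry. Treating unknown state as "maybe exposed" keeps the speed-up for the common case while staying correct: `if [ "$QUBES_EXPOSED" != "0" ]; then xenstore-rm "$XS_KEY" 2> /dev/null; fi`. A comment above the function, e.g. `# QUBES_EXPOSED is imported by udev from our previous run (IMPORT{program}); unset means unknown`, would make the contract visible.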
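Review bot: Switching from `RUN+=` to `IMPORT{program}` means udev now parses the script's stdout for `KEY=value` lines, whereas before any output was ignored; block_add_change leaves `xenstore-write`, `xenstore-rm` and `modprobe` without stdout redirection, so any diagnostic they emit in that form would be recorded as a device property. Redirect their stdout to stderr (e.g. `xenstore-write ... >&2`) so only the two `echo QUBES_EXPOSED=...` lines reach udev. `IMPORT{program}` also waits for the script, so the `modprobe` now runs synchronously on udev's event path; probably acceptable, but worth a comment in the rules file.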
From: Marek Marczykowski Date: Fri, 8 Jun 2012 00:24:46 +0200 Subject: [PATCH 30/44] vm: disable gnome update plugin, not only unattended installation --- misc/org.gnome.settings-daemon.plugins.updates.gschema.override | 2 ++ 1 file changed, 2 insertions(+) diff --git a/misc/org.gnome.settings-daemon.plugins.updates.gschema.override b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override index da283e1..c6c7b45 100644 --- a/misc/org.gnome.settings-daemon.plugins.updates.gschema.override +++ b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override @@ -1,2 +1,4 @@ [org.gnome.settings-daemon.plugins.updates] auto-update-type='none' +active=false +frequency-get-updates=0 From 64a9c54ba6dd24430f3a3ec9e6389ced6efc7de0 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 8 Jun 2012 00:34:11 +0200 Subject: [PATCH 31/44] vm: enable yum-qubes-hooks plugin (#592) --- misc/yum-qubes-hooks.conf | 2 ++ rpm_spec/core-vm.spec | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 misc/yum-qubes-hooks.conf diff --git a/misc/yum-qubes-hooks.conf b/misc/yum-qubes-hooks.conf new file mode 100644 index 0000000..8e4d76c --- /dev/null +++ b/misc/yum-qubes-hooks.conf @@ -0,0 +1,2 @@ +[main] +enabled=1 diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 45dfb3a..1fef666 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -101,6 +101,7 @@ install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -d $RPM_BUILD_ROOT/usr/lib/yum-plugins/ install -m 0644 misc/yum-qubes-hooks.py* $RPM_BUILD_ROOT/usr/lib/yum-plugins/ +install -D -m 0644 misc/yum-qubes-hooks.conf $RPM_BUILD_ROOT/etc/yum/pluginconf.d/yum-qubes-hooks.conf install -d $RPM_BUILD_ROOT/var/lib/qubes 
@@ -362,6 +363,7 @@ rm -rf $RPM_BUILD_ROOT /etc/xen/scripts/vif-route-qubes /etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo +/etc/yum/pluginconf.d/yum-qubes-hooks.conf /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /sbin/qubes_serial_login /usr/bin/qvm-copy-to-vm From 975c0a0bc7b63bb6125dfe50ea502af87d028f9b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 8 Jun 2012 04:36:33 +0200 Subject: [PATCH 32/44] vm: fix yum-qubes-hooks Program must be given as full path to qrexec_client_vm - it is passed directly to execv. --- misc/yum-qubes-hooks.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/yum-qubes-hooks.py b/misc/yum-qubes-hooks.py index f49eac2..9d851bf 100644 --- a/misc/yum-qubes-hooks.py +++ b/misc/yum-qubes-hooks.py @@ -39,4 +39,4 @@ def posttrans_hook(conduit): filtered_updates = filter(lambda x: x not in all, pkg_list.updates) # Notify dom0 about left updates count - subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', 'echo', str(len(filtered_updates))]) + subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', '/bin/echo', str(len(filtered_updates))]) From e5c77507a158f4184cb47d3040a89de9b809cfce Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 11 Jun 2012 22:33:57 +0200 Subject: [PATCH 33/44] vm: chown /home/user to user if user UID have changed FC16 and FC17 starts normal users at UID 1000, not 500 as in <=FC15. --- vm-systemd/misc-post.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index dbefd43..b86e6a7 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
@@ -30,6 +30,11 @@ if [ -e /dev/xvdb ] ; then touch /var/lib/qubes/first_boot_completed fi + # Chown home if user UID have changed - can be the case on template switch + HOME_USER_UID=`ls -dn /home/user | awk '{print $3}'` + if [ "`id -u user`" -ne "$HOME_USER_UID" ]; then + find /home/user -uid "$HOME_USER_UID" -print0 | xargs -0 chown user:user + fi fi [ -x /rw/config/rc.local ] && /rw/config/rc.local From 6df913e88041b8f28acf49da7338794629ede3a5 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Tue, 12 Jun 2012 12:25:19 +0200 Subject: [PATCH 34/44] version 1.7.26 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 384e29d..130990e 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.24 +1.7.26 From a952fc503d0977732ef7b6ee3dd4d25ecc569950 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 13 Jun 2012 01:59:25 +0200 Subject: [PATCH 35/44] vm/qubes-dom0-update: rebuild dom0 rpmdb before touching it with yum Dom0 can have different (older) rpmdb version than VM. Starting from FC17 yum refuses to work without rebuild. --- misc/qubes_download_dom0_updates.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh index 33bc46d..de869c5 100755 --- a/misc/qubes_download_dom0_updates.sh +++ b/misc/qubes_download_dom0_updates.sh @@ -43,6 +43,10 @@ fi mkdir -p $DOM0_UPDATES_DIR/etc sed -i '/^reposdir\s*=/d' $DOM0_UPDATES_DIR/etc/yum.conf +# Rebuild rpm database in case of different rpm version +rm -f $DOM0_UPDATES_DIR/var/lib/rpm/__* +rpm --root=$DOM0_UPDATES_DIR --rebuilddb + if [ "$CLEAN" = "1" ]; then yum $OPTS clean all rm -f $DOM0_UPDATES_DIR/packages/* From e213d17341c678a673f6045fd6b8c249292b30c9 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Thu, 14 Jun 2012 11:23:59 +0200 Subject: [PATCH 36/44] version 1.7.27 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
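Review bot: The new `find /home/user -uid "$HOME_USER_UID" -print0 | xargs -0 chown user:user` runs as root over a user-writable tree, and `chown` without `-h` follows symbolic links while `find -uid` matches the link inode itself; a symlink under /home/user owned by the old UID that points at a root-owned file elsewhere (e.g. /etc/shadow) would get its target handed to `user`. Use `chown -h`, e.g. `find /home/user -xdev -uid "$HOME_USER_UID" -exec chown -h user:user {} +`, so only the link is changed and mounts under the home are not traversed. `ls -dn /home/user | awk '{print $3}'` is a fragile way to read the owner (`stat -c %u /home/user` is direct) and the `-ne` comparison aborts with a syntax error if it yields nothing; the group is not migrated either, which matters if the primary gid moved with the uid. The enclosing `if [ -e /dev/xvdb ]` block begins outside the hunk.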
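Review bot: `rpm --root=$DOM0_UPDATES_DIR --rebuilddb` does not check its exit status, so if the rebuild fails (unreadable or foreign-format database copied from dom0) the script continues into `yum` against a half-rebuilt rpmdb and fails later with a less useful error; `rpm --root="$DOM0_UPDATES_DIR" --rebuilddb || exit 1` stops at the real cause. Both added lines leave `$DOM0_UPDATES_DIR` unquoted; the value is presumably a fixed path, but quoting costs nothing. How the script reports failure back to the caller is outside the hunk.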
diff --git a/version_vm b/version_vm index 130990e..6c56d77 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.26 +1.7.27 From 1fdaa847c4c61ff842fde2f5db91c38fd825e5fa Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 22 Jun 2012 21:59:15 +0200 Subject: [PATCH 37/44] vm: RPC service for NTP time sync (#603) --- qubes_rpc/qubes.SyncNtpClock | 1 + qubes_rpc/sync-ntp-clock | 12 ++++++++++++ rpm_spec/core-vm.spec | 6 +++++- 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 qubes_rpc/qubes.SyncNtpClock create mode 100755 qubes_rpc/sync-ntp-clock diff --git a/qubes_rpc/qubes.SyncNtpClock b/qubes_rpc/qubes.SyncNtpClock new file mode 100644 index 0000000..087a421 --- /dev/null +++ b/qubes_rpc/qubes.SyncNtpClock @@ -0,0 +1 @@ +/usr/lib/qubes/sync-ntp-clock diff --git a/qubes_rpc/sync-ntp-clock b/qubes_rpc/sync-ntp-clock new file mode 100755 index 0000000..f5dfa1b --- /dev/null +++ b/qubes_rpc/sync-ntp-clock @@ -0,0 +1,12 @@ +#!/bin/sh + +if [ -x /usr/libexec/ntpdate-wrapper ]; then + /usr/libexec/ntpdate-wrapper +elif [ -x /etc/init.d/ntpdate ]; then + /etc/init.d/ntpdate restart +elif [ -x /usr/sbin/ntpdate ]; then + /usr/sbin/ntpdate pool.ntp.org +else + echo "No ntpdate installed, giving up." + exit 1 +fi diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 1fef666..df49f4e 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -38,6 +38,7 @@ Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: ethtool Requires: tinyproxy +Requires: ntpdate Provides: qubes-core-vm Obsoletes: qubes-core-commonvm Obsoletes: qubes-core-appvm 
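Review bot: The final fallback `/usr/sbin/ntpdate pool.ntp.org` hard-codes a public pool and ignores whatever servers the VM is configured with, and none of the three branches bounds how long the call may block when the VM has no working network, so the dom0 side invoking qubes.SyncNtpClock waits for ntpdate's own retries; if the installed ntpdate supports it, `/usr/sbin/ntpdate -t 5 pool.ntp.org` keeps the RPC call bounded. Since this is a qrexec service reachable from other domains, a header comment stating that it takes no arguments and reads nothing from the caller would document the trust boundary. Setting the clock needs root, and which user qrexec_agent runs this service as is not visible here, so confirm it does not silently fail with permission errors under the default service user; which domains may call it is decided by the dom0 policy, not by this commit.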
@@ -149,10 +150,11 @@ install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/{vm-file-editor,qfile-agent,qopen-in-vm,qfile-unpacker} $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/{vm-shell,qrun-in-vm} $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/sync-ntp-clock $RPM_BUILD_ROOT/usr/lib/qubes install -d $RPM_BUILD_ROOT/%{kde_service_dir} install -m 0644 qubes_rpc/{qvm-copy.desktop,qvm-dvm.desktop} $RPM_BUILD_ROOT/%{kde_service_dir} install -d $RPM_BUILD_ROOT/etc/qubes_rpc -install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell} $RPM_BUILD_ROOT/etc/qubes_rpc +install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $RPM_BUILD_ROOT/etc/qubes_rpc install qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes install qrexec/qrexec_client_vm $RPM_BUILD_ROOT/usr/lib/qubes @@ -352,6 +354,7 @@ rm -rf $RPM_BUILD_ROOT /etc/qubes_rpc/qubes.Filecopy /etc/qubes_rpc/qubes.OpenInVM /etc/qubes_rpc/qubes.VMShell +/etc/qubes_rpc/qubes.SyncNtpClock /etc/sudoers.d/qubes /etc/sysconfig/iptables /etc/sysconfig/modules/qubes_core.modules @@ -375,6 +378,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/block_add_change /usr/lib/qubes/block_cleanup /usr/lib/qubes/block_remove +/usr/lib/qubes/sync-ntp-clock /usr/lib/qubes/meminfo-writer /usr/lib/qubes/network-manager-prepare-conf-dir /usr/lib/qubes/qfile-agent From 95dc878497e4d94074cef059cceb61d0b41e3756 Mon Sep 17 00:00:00 2001 From: Joanna Rutkowska Date: Mon, 25 Jun 2012 23:38:18 +0200 Subject: [PATCH 38/44] version 1.7.30 --- version_vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_vm b/version_vm index 6c56d77..a2ad95c 100644 --- a/version_vm +++ b/version_vm @@ -1 +1 @@ -1.7.27 +1.7.30 From ed49fc9ce4fc3b50394c8bb18d67de3877a95992 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:30:06 +0200 Subject: [PATCH 39/44] vm/spec: fix enabling of qubes-firewall SysV service --- rpm_spec/core-vm.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index df49f4e..6d97102 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -480,8 +480,8 @@ chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" From 8877438c4095d0af7b5847392cc3592dd94edc2b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:31:28 +0200 Subject: [PATCH 40/44] vm/spec: fix error messages --- rpm_spec/core-vm.spec | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 6d97102..8538513 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -476,14 +476,14 @@ chkconfig messagebus on chkconfig iptables on chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core_appvm!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" +chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" +chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" From 7d450b34d07b1955571439265dff322bd71c80b6 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:36:22 +0200 Subject: [PATCH 41/44] vm/spec: fix enabling NetworkManager SystemD service --- rpm_spec/core-vm.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 8538513..3cb6a6b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -596,7 +596,9 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service /bin/systemctl enable iptables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null /bin/systemctl enable ntpd.service 2> /dev/null -/bin/systemctl enable NetworkManager.service +# Disable original service to enable overriden one +/bin/systemctl disable NetworkManager.service 2> /dev/null +/bin/systemctl enable NetworkManager.service 2> /dev/null # Enable cups only when it is real SystemD service [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null From 47e49d0fd6d760527f5107b1b2b4e6e2bbf177f4 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:30:06 +0200 Subject: [PATCH 42/44] vm/spec: fix enabling of qubes-firewall SysV service --- rpm_spec/core-vm.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index df49f4e..6d97102 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
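Review bot: Both new `systemctl` calls discard stderr, so a failure to enable NetworkManager.service — the very problem the subject says is being fixed — is now invisible in the scriptlet output. Keep `2> /dev/null` on the `disable` (it is expected to complain when the old link is absent) but let `enable` report, e.g. `/bin/systemctl enable NetworkManager.service || echo "WARNING: Cannot enable NetworkManager.service!"`, matching the chkconfig lines earlier in this spec. The comment `# Disable original service to enable overriden one` would help readers more if it named where the override lives (presumably a unit of the same name shipped by this package; not visible in the hunk) and fixed the spelling to "overridden". %post continues outside the hunk.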
@@ -480,8 +480,8 @@ chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" From 77ccf99b88976769af6f70bc3b36912367fbca20 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:31:28 +0200 Subject: [PATCH 43/44] vm/spec: fix error messages --- rpm_spec/core-vm.spec | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 6d97102..8538513 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -476,14 +476,14 @@ chkconfig messagebus on chkconfig iptables on chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core_appvm!" +chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!" +chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" +chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" +chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" From 9efee9324fb9bc5397f40e2d2d74742c92852a1f Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Tue, 26 Jun 2012 03:36:22 +0200 Subject: [PATCH 44/44] vm/spec: fix enabling NetworkManager SystemD service --- rpm_spec/core-vm.spec | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 8538513..3cb6a6b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -596,7 +596,9 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service /bin/systemctl enable iptables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null /bin/systemctl enable ntpd.service 2> /dev/null -/bin/systemctl enable NetworkManager.service +# Disable original service to enable overriden one +/bin/systemctl disable NetworkManager.service 2> /dev/null +/bin/systemctl enable NetworkManager.service 2> /dev/null # Enable cups only when it is real SystemD service [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null
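Review bot: PATCH 44/44 is the same change as PATCH 41/44 — identical author date `Tue, 26 Jun 2012 03:36:22 +0200`, identical `index 8538513..3cb6a6b` and identical hunk — and in the same way 42 repeats 39 and 43 repeats 40, so applying the series in order will fail or have to skip the second copies. The three duplicates should be dropped from the series; the note left on PATCH 41 applies to this hunk unchanged.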