From b0ac8adca3a46c849a66f9e9386b4f9c0291f643 Mon Sep 17 00:00:00 2001 From: HW42 Date: Thu, 25 Sep 2014 03:57:33 +0200 Subject: [PATCH 01/48] move fedora specific stuff to install-rh target --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index b318c3b..a0e8590 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,9 @@ install-rh: install -d $(DESTDIR)/etc/init.d install vm-init.d/* $(DESTDIR)/etc/init.d/ + install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf + install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ @@ -76,10 +79,12 @@ install-rh: install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf + install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ + install -d $(DESTDIR)/var/lib/qubes/dom0-updates + install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action + install-common: install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes - install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf - install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login install -d $(DESTDIR)/var/lib/qubes 
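Review bot: The `network/iptables` and `network/ip6tables` installs that a later hunk of this commit removes from install-common (`install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables` and its ip6tables twin) are not re-added to install-rh in the `@@ -76,10 +79,12 @@` hunk, although the commit title says the Fedora-specific lines are moved. The diffstat of 7 insertions and 7 deletions is fully accounted for without them, so after this commit no visible rule installs the default firewall rule files for the RPM build. If dropping them is intended, state it in the commit message; otherwise add both lines to install-rh with their `-m 0400` mode. The install-rh recipe starts and ends outside this hunk.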
@@ -87,10 +92,8 @@ install-common: install -d $(DESTDIR)/etc/udev/rules.d install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules install -d $(DESTDIR)/usr/lib/qubes/ - install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/ install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/ - install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs @@ -117,8 +120,6 @@ install-common: install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes - install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables - install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy @@ -162,7 +163,6 @@ install-common: install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf install -d $(DESTDIR)/mnt/removable - install -d $(DESTDIR)/var/lib/qubes/dom0-updates install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf From dad11bd378614c3bafab4194ae98b29cf7917b1f Mon Sep 17 00:00:00 2001 
From: HW42 Date: Fri, 26 Sep 2014 23:19:01 +0200 Subject: [PATCH 02/48] don't track debina/files (since it is autogenerated) --- debian/files | 1 - 1 file changed, 1 deletion(-) delete mode 100644 debian/files diff --git a/debian/files b/debian/files deleted file mode 100644 index 67ae435..0000000 --- a/debian/files +++ /dev/null @@ -1 +0,0 @@ -qubes-core-agent_2.1.33_amd64.deb admin extra From 435c04e8a4d6951c2e7747f566fd14bacb6519fc Mon Sep 17 00:00:00 2001 From: HW42 Date: Thu, 25 Sep 2014 16:33:49 +0200 Subject: [PATCH 03/48] use systemd in debian --- Makefile | 17 +++- debian/init.d | 224 -------------------------------------------------- debian/rules | 6 +- 3 files changed, 16 insertions(+), 231 deletions(-) delete mode 100644 debian/init.d diff --git a/Makefile b/Makefile index a0e8590..2ef4c76 100644 --- a/Makefile +++ b/Makefile 
@@ -51,16 +51,15 @@ install-rh: install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login - install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init - install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ - install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/ install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-update-check.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-update-check.timer $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-yum-proxy.service $(DESTDIR)/lib/systemd/system/ install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ 
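Review bot: install-rh loses `install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init` here but still copies files into both directories, and the context of a later hunk shows `install-vm: install-rh install-common`, so install-rh runs before the target that now creates them. Unless an earlier part of install-rh (outside this hunk) creates those directories, the `install -m 0644 ... $(DESTDIR)/usr/lib/qubes/init/` lines fail on a clean DESTDIR. `install -d` is idempotent, so the line can stay in install-rh as well as in install-common: `install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init`.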
@@ -169,6 +168,16 @@ install-common: install -d $(DESTDIR)/var/run/qubes install -d $(DESTDIR)/home_volatile/user + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init + install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-dvm.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-firewall.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-misc-post.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-netwatcher.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-network.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-qrexec-agent.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-sysinit.service $(DESTDIR)/lib/systemd/system/ + install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list diff --git a/debian/init.d b/debian/init.d deleted file mode 100644 index 1ec6ad9..0000000 --- a/debian/init.d +++ /dev/null 
@@ -1,224 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: qubes-core-agent -# Required-Start: $network $local_fs $remote_fs -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Qubes qrexec agent -# Description: The qrexec agent runs in qubes domU domains. It runs -# commands on request from dom0. -### END INIT INFO - -# Author: Davíð Steinn Geirsson -# Most of this script is copied from vm-init.d/qubes-core with -# some fedora-specific stuff removed. - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC=qrexec-agent -NAME=qrexec-agent -DAEMON=/usr/lib/qubes/qrexec-agent -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x $DAEMON ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - - # Ensure necessary modules are loaded - modprobe xen_evtchn - modprobe u2mfn - - - # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read - chmod 666 /proc/xen/xenbus - # Set permissions to files needed to listen at vchan - chmod 666 /proc/u2mfn - - mkdir -p /var/run/xen-hotplug - - name=$(/usr/sbin/xenstore-read name) - if ! [ -f /etc/this-is-dvm ] ; then - # we don't want to set hostname for DispVM - # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) - # (let's be frank: nobody's gonna use xterm on DispVM) - if ! 
[ -z "$name" ]; then - echo $name > /etc/hostname - hostname $name - grep '127.0.1.1' /etc/hosts > /dev/null - if [ $? -ne 0 ]; then - echo "127.0.1.1 $name" >> /etc/hosts - else - sed -i "s/127\.0\.1\.1.*/127.0.1.1 $name/" /etc/hosts - fi - fi - fi - - timezone=`/usr/sbin/xenstore-read qubes-timezone 2> /dev/null` - if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - fi - - # Set IP address again (besides action in udev rules); this is needed by - # DispVM (to override DispVM-template IP) and in case when qubes-ip was - # called by udev before loading evtchn kernel module - in which case - # xenstore-read fails - INTERFACE=eth0 /usr/lib/qubes/setup-ip - - mkdir -p /var/run/qubes - - if [ -e /dev/xvdb ] ; then - resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed" - mount /rw - - if ! [ -d /rw/home ] ; then - echo - echo "--> Virgin boot of the VM: Linking /home to /rw/home" - - mkdir -p /rw/config - touch /rw/config/rc.local - - mkdir -p /rw/home - cp -a /home.orig/user /rw/home - - mkdir -p /rw/usrlocal - cp -a /usr/local.orig/* /rw/usrlocal - - touch /var/lib/qubes/first-boot-completed - fi - fi - if [ -L /home ]; then - rm /home - mkdir /home - fi - mount /home - - [ -x /rw/config/rc.local ] && /rw/config/rc.local - - - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" 
- [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/rules b/debian/rules index dc13a10..e447f05 100755 --- a/debian/rules +++ b/debian/rules @@ -7,7 +7,7 @@ export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ + dh $@ --with=systemd override_dh_auto_build: make all @@ -19,5 +19,5 @@ override_dh_auto_install: override_dh_fixperms: dh_fixperms -a -Xqfile-unpacker -override_dh_installinit: - dh_installinit --no-restart-on-upgrade +override_dh_systemd_start: + dh_systemd_start --no-restart-on-upgrade From 70bbc7923d36b130ad644e916b58e29e8b86ccbf Mon Sep 17 00:00:00 2001 From: HW42 Date: Fri, 26 Sep 2014 18:55:42 +0200 Subject: [PATCH 04/48] install iptables/forwarding for debian --- Makefile | 4 ++++ debian/control | 2 +- network/80-qubes.conf | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 network/80-qubes.conf diff --git a/Makefile b/Makefile index 2ef4c76..d2087a3 100644 --- a/Makefile +++ b/Makefile @@ -182,5 +182,9 @@ install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg + install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4 + install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6 + install -d $(DESTDIR)/etc/sysctl.d + install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ install-vm: install-rh install-common diff --git a/debian/control b/debian/control index 62967a7..670ecea 100644 --- a/debian/control +++ b/debian/control 
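Review bot: `dh $@ --with=systemd` needs the debhelper systemd addon at build time, and this commit's diffstat touches only Makefile, debian/init.d and debian/rules. Confirm that debian/control lists the package providing that addon (dh-systemd on releases of this period) in Build-Depends; its Build-Depends field is not visible in this series, and without it the build would fail in a clean chroot.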
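Review bot: The rule files are installed in install-deb with `-m 644`, while the install-common lines removed in patch 01 of this series used `-m 0400` for the same `network/iptables` and `network/ip6tables` sources. If the tighter mode was deliberate, keep it for the Debian paths too: `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4` and likewise for `rules.v6`, after checking that the loader pulled in through `iptables-persistent` reads them as root. The install-deb recipe starts outside this hunk.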
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, diff --git a/network/80-qubes.conf b/network/80-qubes.conf new file mode 100644 index 0000000..119d730 --- /dev/null +++ b/network/80-qubes.conf @@ -0,0 +1 @@ +net.ipv4.ip_forward=1 From 4886411570f48bc571be4c57f1820090b39158a0 Mon Sep 17 00:00:00 2001 From: HW42 Date: Fri, 26 Sep 2014 19:56:12 +0200 Subject: [PATCH 05/48] various patches for debian this should enable debian based templates to be used as proxy/netvm --- network/qubes-firewall | 18 +++++++++--------- network/qubes-netwatcher | 10 +++++----- network/qubes-setup-dnat-to-ns | 2 +- vm-systemd/misc-post.sh | 16 ++++++++++++---- vm-systemd/qubes-qrexec-agent.service | 1 + vm-systemd/qubes-sysinit.sh | 18 ++++++++++++------ 6 files changed, 40 insertions(+), 25 deletions(-) diff --git a/network/qubes-firewall b/network/qubes-firewall index 0b8da66..dd5ed23 100755 --- a/network/qubes-firewall +++ b/network/qubes-firewall @@ -23,8 +23,8 @@ while true; do TRIGGER=reload else # Wait for changes in xenstore file - /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES - TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) + xenstore-watch-qubes $XENSTORE_IPTABLES + TRIGGER=$(xenstore-read $XENSTORE_IPTABLES) fi if ! [ "$TRIGGER" = "reload" ]; then continue ; fi 
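Review bot: `net.ipv4.ip_forward=1` in a sysctl.d file turns forwarding on at boot in every VM that installs the package, because install-deb copies `network/80-qubes.conf` unconditionally and not only into VMs that act as NetVM or ProxyVM. The qubes-firewall script in this series writes `0` to `/proc/sys/net/ipv4/ip_forward` while rules are reloaded, which suggests forwarding is meant to be on only once filtering is in place. Consider enabling forwarding from the network service in the VMs that need it, or at least add a comment line to the file saying why it is global, e.g. `# forwarding is required when this VM is used as NetVM/ProxyVM`.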
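Review bot: Dropping the absolute paths in qubes-firewall makes this root script resolve `xenstore-read`, `iptables-save`, `iptables-restore`, `xenstore-write` and `notify-send` through whatever `PATH` it inherits, and the hunks do not show the script setting one. Pin it once near the top, `PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH`, so command lookup is the same under systemd, SysV init and a manual run. The same applies to the other hunks that make this substitution: the second qubes-firewall hunk, qubes-netwatcher, `XS_READ`/`XS_LS` in qubes-sysinit.sh, `service cups start` in misc-post.sh, and network-proxy-setup.sh in patch 12. The loop body starts and ends outside this hunk.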
@@ -34,19 +34,19 @@ while true; do # during the time when the rules are being (re)applied echo "0" > /proc/sys/net/ipv4/ip_forward - RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER) - IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') - OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true` + RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER) + IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d') + OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true` for i in $(xenstore-list qubes-iptables-domainrules) ; do - RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i") - ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` + RULES=$(xenstore-read qubes-iptables-domainrules/"$i") + ERRS=`echo -e "$RULES" | iptables-restore -n 2>&1 || true` echo "Failed applying rules for $i: $ERRS" >&2 OUT="$OUT$ERRS" done - /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" + xenstore-write $XENSTORE_ERROR "$OUT" if [ "$OUT" ]; then - DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : + DISPLAY=:0 notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : fi # Check if user didn't define some custom rules to be applied as well... diff --git a/network/qubes-netwatcher b/network/qubes-netwatcher index 0acab7f..81edffe 100755 --- a/network/qubes-netwatcher +++ b/network/qubes-netwatcher @@ -11,9 +11,9 @@ echo $$ >$PIDFILE trap 'exit 0' SIGTERM while true; do - NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :) + NET_DOMID=$(xenstore-read qubes-netvm-domid || :) if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then - UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) + UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) # UNTRUSTED_NETCFG is not parsed in any way # thus, no sanitization ready # but be careful when passing it to other shell scripts 
@@ -21,11 +21,11 @@ while true; do /sbin/service qubes-firewall stop /sbin/service qubes-firewall start CURR_NETCFG="$UNTRUSTED_NETCFG" - /usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" + xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" fi - /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid + xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid else - /usr/bin/xenstore-watch -n 2 qubes-netvm-domid + xenstore-watch -n 2 qubes-netvm-domid fi done diff --git a/network/qubes-setup-dnat-to-ns b/network/qubes-setup-dnat-to-ns index 6a30126..a1f9bc1 100755 --- a/network/qubes-setup-dnat-to-ns +++ b/network/qubes-setup-dnat-to-ns @@ -10,7 +10,7 @@ addrule() fi } export PATH=$PATH:/sbin:/bin -source /var/run/qubes/qubes-ns +. /var/run/qubes/qubes-ns if [ "X"$NS1 = "X" ] ; then exit ; fi iptables -t nat -F PR-QBS FIRSTONE=yes diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index e718d02..43e944c 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -1,9 +1,17 @@ #!/bin/sh -if [ -f /var/run/qubes-service/yum-proxy-setup ]; then - echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf +if [ -e /etc/debian_version ]; then + if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo 'Acquire::http::proxy "http://10.137.255.254:8082/";' > /etc/apt/apt.conf.d/80qubes-proxy + else + echo > /etc/apt/apt.conf.d/80qubes-proxy + fi else - echo > /etc/yum.conf.d/qubes-proxy.conf + if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf + else + echo > /etc/yum.conf.d/qubes-proxy.conf + fi fi # Set IP address again (besides action in udev rules); this is needed by 
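Review bot: `. /var/run/qubes/qubes-ns` in qubes-setup-dnat-to-ns executes the file as shell, and patch 12 of this series shows it being written as `echo "NS1=$gateway" > /var/run/qubes/qubes-ns` from values returned by `xenstore-read`, without quoting or validation. Validate the values in network-proxy-setup.sh before they are written, e.g. `case "$gateway" in *[!0-9.]*) exit 1 ;; esac`, so that only address-shaped strings ever reach the sourced file. The test on the next line should also be quoted as `[ "X$NS1" = "X" ]`. The rest of the script lies outside this hunk.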
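Review bot: The new Debian branch in misc-post.sh reuses the `/var/run/qubes-service/yum-proxy-setup` flag to write the apt proxy setting, and nothing in the script says so. Add a comment above the outer `if`, e.g. `# the yum-proxy-setup service flag controls the updates proxy for both apt (Debian) and yum (Fedora)`. The two inner `if` blocks differ only in the file name and the line written, so choosing those two values per distribution first and testing the flag once would also remove the duplication.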
@@ -51,7 +59,7 @@ fi # Start AppVM specific services if [ ! -f /etc/systemd/system/cups.service ]; then if [ -f /var/run/qubes-service/cups ]; then - /sbin/service cups start + service cups start # Allow also notification icon sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop else diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service index 483e694..72bbe84 100644 --- a/vm-systemd/qubes-qrexec-agent.service +++ b/vm-systemd/qubes-qrexec-agent.service @@ -3,6 +3,7 @@ Description=Qubes remote exec agent After=qubes-dvm.service [Service] +ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn' ExecStart=/usr/lib/qubes/qrexec-agent StandardOutput=syslog diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 17d9fde..08b610e 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # List of services enabled by default (in case of absence of xenstore entry) DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" @@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" DEFAULT_ENABLED="meminfo-writer" -XS_READ=/usr/bin/xenstore-read -XS_LS=/usr/bin/xenstore-ls +XS_READ=xenstore-read +XS_LS=xenstore-ls read_service() { $XS_READ qubes-service/$1 2> /dev/null @@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read chmod 666 /proc/xen/xenbus + +[ -e /proc/u2mfn ] || modprobe u2mfn # Set permissions to files needed to listen at vchan chmod 666 /proc/u2mfn 
@@ -65,9 +67,13 @@ fi timezone=`$XS_READ qubes-timezone 2> /dev/null` if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock - echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + cp -p /usr/share/zoneinfo/$timezone /etc/localtime + if [ -e /etc/debian_version ]; then + echo "$timezone" > /etc/timezone + else + echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock + echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + fi fi # Prepare environment for other services From 0d0261d1c1c911b78e986178ac2541ed310669ba Mon Sep 17 00:00:00 2001 From: HW42 Date: Mon, 29 Sep 2014 05:03:25 +0200 Subject: [PATCH 06/48] improve update of /etc/hosts * use 127.0.1.1 under debian (since it's the default there) * also set the IPv6 loopback address (::1) since some tools tries to AAAA resolve the hostname (for example sendmail) * ensure proper /etc/hosts format through postinst-script (hostname as last entry) --- debian/qubes-core-agent.postinst | 15 +++++++++++++++ rpm_spec/core-vm.spec | 11 +++++++++++ vm-systemd/qubes-sysinit.sh | 8 +++++++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 debian/qubes-core-agent.postinst diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst new file mode 100644 index 0000000..de26e6b --- /dev/null +++ b/debian/qubes-core-agent.postinst 
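Review bot: `cp -p /usr/share/zoneinfo/$timezone /etc/localtime` uses the value read from xenstore (`qubes-timezone`) unquoted and unchecked as part of a path, so whitespace or `..` components in it change which file is copied, and a missing zone file produces a failed copy that nothing notices. Quote it and copy only when the zone file exists: `[ -f "/usr/share/zoneinfo/$timezone" ] && cp -p "/usr/share/zoneinfo/$timezone" /etc/localtime`. Rejecting values that contain `..` before this point is cheap as well. The same unvalidated value is then written to `/etc/timezone` or `/etc/sysconfig/clock` by the lines that follow.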
@@ -0,0 +1,15 @@ +# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is +# in the form expected by qubes-sysinit.sh +for ip in '127\.0\.1\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi +done +# remove hostname from 127.0.0.1 line (in debian the hostname is by default +# resolved to 127.0.1.1) +sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + +#DEBHELPER# diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index d5fd886..503fba9 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -210,6 +210,17 @@ if ! grep -q localhost /etc/hosts; then EOF fi +# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is +# in the form expected by qubes-sysinit.sh +for ip in '127\.0\.0\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi +done + if [ "$1" != 1 ] ; then # do the rest of %post thing only when updating for the first time... exit 0 diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 08b610e..c5ee1ce 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -62,7 +62,13 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts + if [ -e /etc/debian_version ]; then + ipv4_localhost_re="127\.0\.1\.1" + else + ipv4_localhost_re="127\.0\.0\.1" + fi + sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts + sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` 
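Review bot: The new debian/qubes-core-agent.postinst starts with a comment rather than an interpreter line and never sets `set -e`, so it depends on how it is invoked and a failing `sed` or `echo` is ignored. Start the file with `#!/bin/sh` followed by `set -e`. The output of `hostname` is also pasted into the sed patterns unescaped, where `.` matches any character; that is mostly harmless but deserves a comment. The same loop is duplicated in the rpm_spec/core-vm.spec hunk of this commit, so any fix should be applied in both places.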
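Review bot: In the qubes-sysinit.sh hunk `$name` comes from `$XS_READ name` and is interpolated into both new sed replacements, so a value containing `/`, `&` or `\` changes the expression instead of being written literally; `hostname $name` just above is unquoted as well. Restrict the value before using it, e.g. `case "$name" in *[!A-Za-z0-9.-]*) name= ;; esac` ahead of the `if [ -n "$name" ]` test. The surrounding script lies outside this hunk.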
From 217b5a4a5d48f85d8e1f7bec168134ce1aa7d098 Mon Sep 17 00:00:00 2001 From: HW42 Date: Mon, 29 Sep 2014 05:50:24 +0200 Subject: [PATCH 07/48] make source.list multiarch compatible tell apt that the qubes repos provides only packages for amd64. Without this "apt-get update" will fail if multiarch is used in the templatevm. --- misc/qubes-r2.list.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misc/qubes-r2.list.in b/misc/qubes-r2.list.in index 77a444f..0ab7837 100644 --- a/misc/qubes-r2.list.in +++ b/misc/qubes-r2.list.in @@ -1,11 +1,11 @@ # Main qubes updates repository -deb http://deb.qubes-os.org/r2/vm @DIST@ main +deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@ main deb-src http://deb.qubes-os.org/r2/vm @DIST@ main # Qubes updates candidates repository -#deb http://deb.qubes-os.org/r2/vm @DIST@-testing main +#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-testing main #deb-src http://deb.qubes-os.org/r2/vm @DIST@-testing main # Qubes experimental/unstable repository -#deb http://deb.qubes-os.org/r2/vm @DIST@-unstable main +#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-unstable main #deb-src http://deb.qubes-os.org/r2/vm @DIST@-unstable main From bbb0b3610b5e57eb5799f9097e8e52ff0328dd23 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 02:17:29 +0200 Subject: [PATCH 08/48] add xserver-xorg-video-dummy to the dependencies list of qubes-core-agent the dummy video module is needed by the dvm prepare script --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 670ecea..6fdc9e2 100644 --- a/debian/control +++ b/debian/control 
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From 5fcf7505fc56235424b8cfb4d895b37a91ad4004 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 02:21:12 +0200 Subject: [PATCH 09/48] dispvm-presun.sh needs bash --- misc/dispvm-prerun.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/dispvm-prerun.sh b/misc/dispvm-prerun.sh index 8bb2583..9489144 100755 --- a/misc/dispvm-prerun.sh +++ b/misc/dispvm-prerun.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash apps="evince /usr/libexec/evinced soffice firefox" From 434a794dda8eb19d9d18fb8bfa9953c713899ae3 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 03:44:33 +0200 Subject: [PATCH 10/48] use sleep instead os usleep since it is more portable --- vm-systemd/prepare-dvm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/prepare-dvm.sh b/vm-systemd/prepare-dvm.sh index bdd1506..c0f30a8 100755 --- a/vm-systemd/prepare-dvm.sh +++ b/vm-systemd/prepare-dvm.sh @@ -29,7 +29,7 @@ if xenstore-read qubes-save-request 2>/dev/null ; then echo "Waiting for save/restore..." # ... wait until qubes-restore.c (in Dom0) recreates VM-specific keys while ! xenstore-read qubes-restore-complete 2>/dev/null ; do - usleep 10000 + sleep 0.01 done echo Back to life. fi From 00e846bbbe581aceeeaf4a8369748d4ff450b1b0 Mon Sep 17 00:00:00 2001 
From: HW42 Date: Wed, 1 Oct 2014 03:45:03 +0200 Subject: [PATCH 11/48] debian: chown /home_volatile/user in posinst --- debian/qubes-core-agent.postinst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index de26e6b..b23c8ce 100644 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -12,4 +12,6 @@ done # resolved to 127.0.1.1) sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts +chown user:user /home_volatile/user + #DEBHELPER# From a91dfdf48b0ac55baa1d43b8f2d1c47fe082cb73 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 06:51:58 +0200 Subject: [PATCH 12/48] fix xenstore-read path in network-proxy-setup.sh for debian --- vm-systemd/network-proxy-setup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh index 020edb2..2227920 100755 --- a/vm-systemd/network-proxy-setup.sh +++ b/vm-systemd/network-proxy-setup.sh @@ -1,11 +1,11 @@ #!/bin/sh # Setup gateway for all the VMs this netVM is serviceing... -network=$(/usr/bin/xenstore-read qubes-netvm-network 2>/dev/null) +network=$(xenstore-read qubes-netvm-network 2>/dev/null) if [ "x$network" != "x" ]; then - gateway=$(/usr/bin/xenstore-read qubes-netvm-gateway) - netmask=$(/usr/bin/xenstore-read qubes-netvm-netmask) - secondary_dns=$(/usr/bin/xenstore-read qubes-netvm-secondary-dns) + gateway=$(xenstore-read qubes-netvm-gateway) + netmask=$(xenstore-read qubes-netvm-netmask) + secondary_dns=$(xenstore-read qubes-netvm-secondary-dns) modprobe netbk 2> /dev/null || modprobe xen-netback echo "NS1=$gateway" > /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns From b04594ed60744107644381b6a63e24e2a3925ebc Mon Sep 17 00:00:00 2001 
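Review bot: `chown user:user /home_volatile/user` runs on every postinst invocation, not only `configure`, and assumes the account `user` already exists. The script as added in patch 06 has no `set -e`, so a failure passes silently and the directory stays owned by whoever created it at install time. Guard the call, e.g. `if getent passwd user >/dev/null; then chown user:user /home_volatile/user; fi`, and add a one-line comment saying which component creates that account.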
From: Jason Mehring Date: Thu, 30 Oct 2014 16:35:12 -0400 Subject: [PATCH 13/48] Allow hyphenated distro names in tinyproxy filter --- network/filter-updates | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/network/filter-updates b/network/filter-updates index c1afa54..55fa0d8 100644 --- a/network/filter-updates +++ b/network/filter-updates @@ -5,7 +5,7 @@ ^mirrors\.fedoraproject\.org:443$ ^http://mirrors\..*/mirrorlist\? \.deb$ -/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ -/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)$ +/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ +/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ From 3366af3f55453ddd817761081c7c434d98398cd7 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 31 Oct 2014 01:56:19 -0400 Subject: [PATCH 14/48] Change condition test to compare to a link "-L" --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 43743bf..6101b86 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -276,7 +276,7 @@ fi if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : - if [ -l /lib/firmware/updates ]; then + if [ -L /lib/firmware/updates ]; then rm /lib/firmware/updates fi fi From 5c351bf4ae916b3894825d61ab5eb2657843d1e8 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Fri, 31 Oct 2014 01:57:41 -0400 Subject: [PATCH 15/48] debian: add xen-utils-common as a dependancy to allow Debian proxies --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 2523068..b4f1774 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From 0937a3b3c63404cac78d47791128aff6d98b927c Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 31 Oct 2014 01:59:20 -0400 Subject: [PATCH 16/48] debian: Added maintainers scripts (pre / postinit + rm) - Currently in debug mode --- debian/postinst | 232 ++++++++++++++++++++++++++++++++++++++++++++++++ debian/postrm | 54 +++++++++++ debian/preinst | 98 ++++++++++++++++++++ debian/prerm | 54 +++++++++++ 4 files changed, 438 insertions(+) create mode 100755 debian/postinst create mode 100755 debian/postrm create mode 100755 debian/preinst create mode 100755 debian/prerm diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 0000000..634579a --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,232 @@ +#!/bin/bash +# postinst script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The postint script may be called in the following ways: +# * 'configure' +# * 'abort-upgrade' +# * 'abort-remove' 'in-favour' +# +# * 'abort-remove' +# * 'abort-deconfigure' 'in-favour' +# 'removing' +# +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +case "$1" in + configure) + # disable some Upstart services + for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do + if [ -e /etc/init/$F.conf ]; then + mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled + fi + done + + remove_ShowIn () { + if [ -e /etc/xdg/autostart/$1.desktop ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop + fi + } + + # reenable abrt-aplet if disable by some earlier version of package + remove_ShowIn abrt-applet.desktop + + # don't want it at all + for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # don't want it in DisposableVM + for F in gcm-apply ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # want it in AppVM only + for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # remove existing rule to add own later + for F in gpk-update-icon nm-applet ; do + remove_ShowIn $F + done + + echo 
'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : + echo 'OnlyShowIn=GNOME;QUBES;' >> /etc/xdg/autostart/nm-applet.desktop || : + + # Create NetworkManager configuration if we do not have it + if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then + echo '[main]' > /etc/NetworkManager/NetworkManager.conf + echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf + echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf + fi + /usr/lib/qubes/qubes-fix-nm-conf.sh + + + # Remove ip_forward setting from sysctl, so NM will not reset it + sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf + + # Remove old firmware updates link + if [ -L /lib/firmware/updates ]; then + rm -f /lib/firmware/updates + fi + + #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then + # echo >> /etc/yum.conf + # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf + #fi + + # Revert 'Prevent unnecessary updates in VMs': + #sed -i -e '/^exclude = kernel/d' /etc/yum.conf + + # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content + #if ! grep -q localhost /etc/hosts; then + cat < /etc/hosts +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +EOF + #fi + + #if [ "$1" != 1 ] ; then + # # do the rest of %post thing only when updating for the first time... + # exit 0 + #fi + + if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then + cp /etc/init/serial.conf /var/lib/qubes/serial.orig + fi + + # Remove most of the udev scripts to speed up the VM boot time + # Just leave the xen* scripts, that are needed if this VM was + # ever used as a net backend (e.g. as a VPN domain in the future) + #echo "--> Removing unnecessary udev scripts..." 
+ mkdir -p /var/lib/qubes/removed-udev-scripts + for f in /etc/udev/rules.d/* + do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "50-qubes-misc.rules" ] ; then + continue + fi + + if echo $f | grep -q qubes; then + continue + fi + + mv $f /var/lib/qubes/removed-udev-scripts/ + done + mkdir -p /rw + #rm -f /etc/mtab + #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" + #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig + #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + + ####################################################################### + # systemd post-init + ####################################################################### + for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do + /bin/systemctl enable $srv.service 2> /dev/null + done + + /bin/systemctl enable qubes-update-check.timer 2> /dev/null + + UNITDIR=/lib/systemd/system + OVERRIDEDIR=/usr/lib/qubes/init + + # XXX: Debian specific + if [ -f "$OVERRIDEDIR/NetworkManager.service" ]; then + mv -f $OVERRIDEDIR/NetworkManager.service $OVERRIDEDIR/network-manager.service + sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager.service + fi + if [ -f "$OVERRIDEDIR/NetworkManager-wait-online.service" ]; then + mv -f $OVERRIDEDIR/NetworkManager-wait-online.service $OVERRIDEDIR/network-manager-wait-online.service + sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager-wait-online.service + fi + if [ -f "$OVERRIDEDIR/ModemManager" ]; then + mv -f $OVERRIDEDIR/ModemManager $OVERRIDEDIR/modemmanager.service + sed 's/ModemManager/modemmanager/' -i $OVERRIDEDIR/modemmanager.service + fi + + # Install overriden services only when original exists + #for srv in cups modemmanager network-manager 
network-manager-wait-online ntpd chronyd; do + for srv in cups modemmanager network-manager network-manager-wait-online; do + if [ -f $UNITDIR/$srv.service ]; then + cp $OVERRIDEDIR/$srv.service /etc/systemd/system/ + fi + if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then + cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/ + fi + if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then + cp $OVERRIDEDIR/$srv.path /etc/systemd/system/ + fi + done + + # Set default "runlevel" + rm -f /etc/systemd/system/default.target + ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + + #DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond" + #DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save" + #DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late" + #DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait" + #DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover" + #DISABLE_SERVICES="$DISABLE_SERVICES rngd smartd upower irqbalance colord" + #for srv in $DISABLE_SERVICES; do + # if [ -f /lib/systemd/system/$srv.service ]; then + # if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then + # /bin/systemctl disable $srv.service 2> /dev/null + # else + # # forcibly disable + # ln -sf /dev/null /etc/systemd/system/$srv.service + # fi + # fi + #done + + rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service + + # Enable some services + /bin/systemctl enable iptables.service 2> /dev/null + /bin/systemctl enable ip6tables.service 2> /dev/null + /bin/systemctl enable rsyslog.service 2> /dev/null + /bin/systemctl enable ntpd.service 2> /dev/null + + # Enable cups only when it is real SystemD service + [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 
2> /dev/null + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 0000000..ae7eb72 --- /dev/null +++ b/debian/postrm 
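Review bot: The udev sweep in the `configure` branch expands `$f` and `$(basename $f)` unquoted and uses `==` inside `[ ]`, so a rules file with whitespace in its name breaks the tests and reaches `mv` as several arguments, and an empty `/etc/udev/rules.d` leaves the literal `*` pattern to be processed. This runs as root on every `configure`, because the first-install guard above it is commented out. Quoting the expansions and matching the basename with `case` keeps the same keep-list (the directory prefix contains no `qubes`, so a basename match is equivalent to the `grep`). Separately, `remove_ShowIn abrt-applet.desktop` passes a name that already carries the `.desktop` suffix the function appends, so that call never finds its file.

```shell
# … unchanged: mkdir -p /var/lib/qubes/removed-udev-scripts …
for f in /etc/udev/rules.d/*; do
    # skip the unexpanded pattern when the directory is empty
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
        xen-backend.rules|50-qubes-misc.rules|*qubes*) continue ;;
    esac
    mv -- "$f" /var/lib/qubes/removed-udev-scripts/
done
```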
@@ -0,0 +1,54 @@ +#!/bin/bash +# postrm script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The prerm script may be called in the following ways: +# * 'remove' +# * 'purge' +# * 'upgrade' +# * 'disappear' +# +# The postrm script is called after the package's files have been removed +# or replaced. The package whose postrm is being called may have previously been +# deconfigured and only be "Unpacked", at which point subsequent package changes +# do not consider its dependencies. Therefore, all postrm actions may only rely +# on essential packages and must gracefully skip any actions that require the +# package's dependencies if those dependencies are unavailable.[48] +# +# * 'failed-upgrade' +# +# Called when the old postrm upgrade action fails. The new package will be +# unpacked, but only essential packages and pre-dependencies can be relied on. +# Pre-dependencies will either be configured or will be "Unpacked" or +# "Half-Configured" but previously had been configured and was never removed. +# +# * 'abort-install' +# * 'abort-install' +# * 'abort-upgrade' +# +# Called before unpacking the new package as part of the error handling of +# preinst failures. May assume the same state as preinst can assume. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "remove" ] ; then + /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || : + + if [ -L /lib/firmware/updates ]; then + rm /lib/firmware/updates + fi +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/preinst b/debian/preinst new file mode 100755 index 0000000..453c72e --- /dev/null +++ b/debian/preinst 
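Review bot: The header comment of this new postrm opens with `# The prerm script may be called in the following ways:`, which names the wrong maintainer script; it should read `# The postrm script may be called in the following ways:`. The same line is still present as context in the later `set -e` commit, so it is worth correcting where the file is introduced.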
@@ -0,0 +1,98 @@ +#!/bin/bash +# preinst script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The preinst script may be called in the following ways: +# * 'install' +# * 'install' +# * 'upgrade' +# +# The package will not yet be unpacked, so the preinst script cannot rely +# on any files included in its package. Only essential packages and +# pre-dependencies (Pre-Depends) may be assumed to be available. +# Pre-dependencies will have been configured at least once, but at the time the +# preinst is called they may only be in an "Unpacked" or "Half-Configured" state +# if a previous version of the pre-dependency was completely configured and has +# not been removed since then. +# +# +# * 'abort-upgrade' +# +# Called during error handling of an upgrade that failed after unpacking the +# new package because the postrm upgrade action failed. The unpacked files may +# be partly from the new version or partly missing, so the script cannot rely +# on files included in the package. Package dependencies may not be available. 
+# Pre-dependencies will be at least "Unpacked" following the same rules as +# above, except they may be only "Half-Installed" if an upgrade of the +# pre-dependency failed.[46] +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "install" ] ; then + # -------------------------------------------------------------------------- + # Create required directories + # -------------------------------------------------------------------------- + mkdir -p /var/lib/qubes + mkdir -p /lib/modules + #mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this + + if [ -e /etc/fstab ] ; then + mv /etc/fstab /var/lib/qubes/fstab.orig + fi + + # -------------------------------------------------------------------------- + # Modules setup + # -------------------------------------------------------------------------- + echo "xen_netfront" >> /etc/modules + + # -------------------------------------------------------------------------- + # Remove `mesg` from root/.profile? + # -------------------------------------------------------------------------- + sed -i -e '/^mesg n/d' /root/.profile + + # -------------------------------------------------------------------------- + # Update /etc/fstab + # -------------------------------------------------------------------------- + cat > /etc/fstab < 'remove' +# * 'upgrade' +# * 'remove' 'in-favour' +# * 'deconfigure' 'in-favour' +# [removing conflicting-package version] +# +# The package whose prerm is being called will be at least "Half-Installed". +# All package dependencies will at least be "Half-Installed" and will have +# previously been configured and not removed. If there was no error, all +# dependencies will at least be "Unpacked", but these actions may be called in +# various error states where dependencies are only "Half-Installed" due to a +# partial upgrade. 
+# +# * 'failed-upgrade' +# +# Called during error handling when prerm upgrade fails. The new package +# will not yet be unpacked, and all the same constraints as for preinst +# upgrade apply. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "remove" ] ; then + # no more packages left + if [ -e /var/lib/qubes/fstab.orig ] ; then + mv /var/lib/qubes/fstab.orig /etc/fstab + fi + + if [ -d /var/lib/qubes/removed-udev-scripts ] ; then + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + fi + + if [ -e /var/lib/qubes/serial.orig ] ; then + mv /var/lib/qubes/serial.orig /etc/init/serial.conf + fi +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : From d34268a085ce03b8e2d5dda32ba21f27cf224859 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 31 Oct 2014 03:04:42 -0400 Subject: [PATCH 17/48] debian: preinst needs a group and force no password entry on adduser --- debian/preinst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/preinst b/debian/preinst index 453c72e..41e9e3e 100755 --- a/debian/preinst +++ b/debian/preinst @@ -78,7 +78,10 @@ EOF # -------------------------------------------------------------------------- # User add / modifications # -------------------------------------------------------------------------- - id -u 'user' || adduser user + id -u 'user' || { + groupadd -f user + useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + } usermod -p '' root usermod -L user exit 0 From aad0d4d57a39c3ac7cd311d21d77dba3cd3b669b Mon Sep 17 00:00:00 2001 
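Review bot: The new `useradd` line puts `user` in the `sudo` group, and the unchanged lines right after it clear root's password (`usermod -p '' root`) and lock `user`'s password, yet nothing in the section says this combination is deliberate. If passwordless root inside the VM is the intended model, a comment above the block should state it, for example `# VM accounts are intentionally passwordless; privilege separation inside the VM is not a security boundary here`, so a later maintainer does not read it as an oversight. `id -u 'user'` also prints the uid or an error into the install log; `id -u user >/dev/null 2>&1 || {` keeps the output clean. The preinst body starts outside this hunk.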
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 31 Oct 2014 18:57:01 +0100 Subject: [PATCH 18/48] Reenable imsettings service It is required for some languages (Chinese for example). --- rpm_spec/core-vm.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 43743bf..4c69a6f 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -137,11 +137,11 @@ remove_ShowIn () { fi } -# reenable abrt-aplet if disable by some earlier version of package -remove_ShowIn abrt-applet.desktop +# reenable if disabled by some earlier version of package +remove_ShowIn abrt-applet.desktop imsettings-start.desktop # don't want it at all -for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do +for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do if [ -e /etc/xdg/autostart/$F.desktop ]; then remove_ShowIn $F echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop From a4e4a6214b880a3c6e50bb77e6c9e5cf779b32eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 2 Nov 2014 00:31:49 +0100 Subject: [PATCH 19/48] systemd: fix xenstore-ls path --- vm-systemd/qubes-sysinit.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 8775998..0b3e6ca 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -10,7 +10,7 @@ DEFAULT_ENABLED="meminfo-writer" XS_READ=/usr/bin/xenstore-read [ -x /usr/sbin/xenstore-read ] && XS_READ=/usr/sbin/xenstore-read XS_LS=/usr/bin/xenstore-ls -[ -x /usr/sbin/xenstore-read ] && XS_LS=/usr/sbin/xenstore-ls +[ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls read_service() { $XS_READ qubes-service/$1 2> /dev/null 
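Review bot: `remove_ShowIn abrt-applet.desktop imsettings-start.desktop` probably re-enables neither entry. The function body is outside this hunk, but the copy added to debian/postinst in PATCH 16 reads only `$1` and appends `.desktop` itself, and the loops in this hunk call it with bare names (`remove_ShowIn $F`). If the spec's function matches, the second argument is ignored and the first resolves to `abrt-applet.desktop.desktop`. Two calls with bare names would do what the comment says: `remove_ShowIn abrt-applet` and `remove_ShowIn imsettings-start`.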
From f02780421d1bafa1367a08ce98ad2d9d96421ed4 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 2 Nov 2014 16:22:42 -0500 Subject: [PATCH 20/48] debian: Added less restrictive filter option for debian packages Sites like sourceforge append ?downloadxxx to end --- network/filter-updates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/filter-updates b/network/filter-updates index 55fa0d8..5fec48b 100644 --- a/network/filter-updates +++ b/network/filter-updates @@ -6,6 +6,6 @@ ^http://mirrors\..*/mirrorlist\? \.deb$ /dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)$ -/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ +/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|.*\)$ /dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ /dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ From ef787ce40ba71ca0c78c21712f2272a993d82c43 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 2 Nov 2014 16:24:41 -0500 Subject: [PATCH 21/48] debian: added new depends --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index b4f1774..a4e6164 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From be37c6cc5b9aef6e220ef973b26c33d0bcdebd72 Mon Sep 17 00:00:00 2001 
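Review bot: Adding `.*` as a suffix alternative in the `Packages|Sources|Release` rule makes the other alternatives irrelevant: the rule now accepts any URL that contains `/dists/<name>/…/Packages`, `Sources` or `Release` followed by arbitrary text, which is far wider than the `?download…` query string the commit message describes. This file is the allow-list for the updates proxy, so the extra suffix should be limited to a query string, for example `\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)\(\|[?].*\)$`. The bracket form `[?]` is suggested because `\?` is already used as a quantifier by the repodata rule in this file.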
From: Jason Mehring Date: Sun, 2 Nov 2014 16:28:50 -0500 Subject: [PATCH 22/48] debian: force shell to be bash since its default is dash and many qubes scripts rely on bash and will break in dash and added tinyproxy user --- debian/postinst | 10 ++++++++++ debian/preinst | 11 +++++++++++ 2 files changed, 21 insertions(+) diff --git a/debian/postinst b/debian/postinst index 634579a..39a707b 100755 --- a/debian/postinst +++ b/debian/postinst @@ -34,6 +34,16 @@ case "$1" in fi } + + # Stops Qt form using the MIT-SHM X11 Shared Memory Extension + echo 'export QT_X11_NO_MITSHM=1' >> /etc/profile + + # Sudo's defualt umask is 077 so set sane default of 022 + # Also don't allow QT to used shared memory to prevent errors + echo 'Defaults umask = 0002' >> /etc/sudoers + echo 'Defaults umask_override' >> /etc/sudoers + echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' >> /etc/sudoers + # reenable abrt-aplet if disable by some earlier version of package remove_ShowIn abrt-applet.desktop diff --git a/debian/preinst b/debian/preinst index 41e9e3e..4a6876e 100755 --- a/debian/preinst +++ b/debian/preinst @@ -45,6 +45,13 @@ if [ "$1" = "install" ] ; then mv /etc/fstab /var/lib/qubes/fstab.orig fi + # -------------------------------------------------------------------------- + # Many Qubes scripts reference /bin/sh expecting the shell to be bash but + # in Debian it is dash so some scripts will fail so force an alternate for + # /bin/sh to be /bin/bash + # -------------------------------------------------------------------------- + update-alternatives --force --install /bin/sh sh /bin/bash 999 + # -------------------------------------------------------------------------- # Modules setup # -------------------------------------------------------------------------- 
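Review bot: The sudoers value does not match its own comment: the comment promises a default of 022, but the line written is `Defaults umask = 0002`, and together with `Defaults umask_override` that makes everything created through sudo group-writable. If 022 is what is meant, the line should be `echo 'Defaults umask = 0022' >> /etc/sudoers`. The same value is carried into `/etc/sudoers.d/umask` by the postinst hunk in PATCH 28. These `>>` appends to `/etc/profile` and `/etc/sudoers` also run on every `configure`, so each upgrade adds another copy of the lines.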
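Review bot: `update-alternatives --force --install /bin/sh sh /bin/bash 999` changes the system shell for every package, not only for the Qubes scripts, and this commit (postinst and preinst only) adds nothing that removes the alternative when the package is removed. On Debian `/bin/sh` is normally handled through dash's diversion rather than the alternatives system, so `--force` likely replaces a path another package manages; this should be confirmed before shipping. Giving the affected Qubes scripts a `#!/bin/bash` shebang would keep the change local; if the override stays, the comment should say it is system-wide and name where it is undone.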
@@ -82,6 +89,10 @@ EOF groupadd -f user useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user } + id -u 'tinyproxy' || { + groupadd -f tinyproxy + useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy + } usermod -p '' root usermod -L user exit 0 From 457196ba584f501f95557ef0bd80168567aab983 Mon Sep 17 00:00:00 2001 From: HW42 Date: Tue, 4 Nov 2014 04:59:17 +0100 Subject: [PATCH 23/48] debian: add dependency on xen-utils since it's needed for proxy/netvm xen-utils provides the /etc/xen/ scripts which are needed for the network setup. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 60c9559..d773943 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, xen-utils, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From f9b658e6ad61462a671917be0b530ef68e53e1c6 Mon Sep 17 00:00:00 2001 From: HW42 Date: Tue, 4 Nov 2014 05:53:36 +0100 Subject: [PATCH 24/48] debian: add support for qubes appmenus --- debian/qubes-core-agent.postinst | 35 +++++++++++++++++------------ debian/triggers | 1 + misc/qubes-trigger-sync-appmenus.sh | 2 +- 3 files changed, 23 insertions(+), 15 deletions(-) create mode 100644 debian/triggers diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index b23c8ce..c240188 100644 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst 
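Review bot: The `tinyproxy` account is created as an ordinary user: neither `groupadd` nor `useradd` is given `--system`, so the daemon account gets a UID and GID from the regular user range. The usual form for a service account is `groupadd -f --system tinyproxy` and `useradd --system -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy`. Since debian/control now depends on the tinyproxy package, it is worth checking whether that package's own maintainer script already creates this user, in which case the block only matters when preinst runs first. The preinst body starts outside this hunk.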
@@ -1,17 +1,24 @@ -# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is -# in the form expected by qubes-sysinit.sh -for ip in '127\.0\.1\.1' '::1'; do - if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then - sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts - sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts - else - echo "${ip} `hostname`" >> /etc/hosts - fi -done -# remove hostname from 127.0.0.1 line (in debian the hostname is by default -# resolved to 127.0.1.1) -sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts +#!/bin/bash -chown user:user /home_volatile/user +if [ "$0" == configure ]; then + # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is + # in the form expected by qubes-sysinit.sh + for ip in '127\.0\.1\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi + done + # remove hostname from 127.0.0.1 line (in debian the hostname is by default + # resolved to 127.0.1.1) + sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + + chown user:user /home_volatile/user +fi + +echo "Updating Qubes AppMenu." +/usr/lib/qubes/qubes-trigger-sync-appmenus.sh #DEBHELPER# diff --git a/debian/triggers b/debian/triggers new file mode 100644 index 0000000..aa950b6 --- /dev/null +++ b/debian/triggers @@ -0,0 +1 @@ +interest-noawait /usr/share/applications diff --git a/misc/qubes-trigger-sync-appmenus.sh b/misc/qubes-trigger-sync-appmenus.sh index 453100e..48f6024 100755 --- a/misc/qubes-trigger-sync-appmenus.sh +++ b/misc/qubes-trigger-sync-appmenus.sh 
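Review bot: The new guard `if [ "$0" == configure ]; then` tests the script's own path, not the action dpkg passes, so it is never true and the `/etc/hosts` fix-up and the `chown user:user /home_volatile/user` inside it no longer run at all. The action is the first argument: `if [ "$1" = configure ]; then`. The app-menu sync that follows sits outside the guard, so it runs for every invocation, including `abort-upgrade` and `abort-remove`; if it is meant for `configure` and trigger runs only, it needs a test on `$1` as well.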
@@ -1,6 +1,6 @@ #!/bin/sh -UPDATEABLE=`/usr/bin/xenstore-read qubes-vm-updateable` +UPDATEABLE=`xenstore-read qubes-vm-updateable` if [ "$UPDATEABLE" = "True" ]; then /usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus From a2bba588771b343f3af1e9b2119fc83d9d39d3fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 5 Nov 2014 05:10:42 +0100 Subject: [PATCH 25/48] debian: fix initialization of /etc/hosts --- debian/postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/postinst b/debian/postinst index 072e95c..032af0a 100755 --- a/debian/postinst +++ b/debian/postinst @@ -112,7 +112,7 @@ case "$1" in sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts else - echo "${ip} `hostname`" >> /etc/hosts + echo "${ip//\\/} `hostname`" >> /etc/hosts fi done # remove hostname from 127.0.0.1 line (in debian the hostname is by default From 802626c197d90280573e316d0fd732e65024ec95 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 00:08:26 -0500 Subject: [PATCH 26/48] debian: set -e added in place of set -x --- debian/postrm | 2 +- debian/preinst | 2 +- debian/prerm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/postrm b/debian/postrm index ae7eb72..508a238 100755 --- a/debian/postrm +++ b/debian/postrm @@ -3,7 +3,7 @@ # # see: dh_installdeb(1) -set -x +set -e # The prerm script may be called in the following ways: # * 'remove' diff --git a/debian/preinst b/debian/preinst index 4a6876e..7d8baf0 100755 --- a/debian/preinst +++ b/debian/preinst @@ -3,7 +3,7 @@ # # see: dh_installdeb(1) -set -x +set -e # The preinst script may be called in the following ways: # * 'install' diff --git a/debian/prerm b/debian/prerm index 756581e..dc126e6 100755 --- a/debian/prerm +++ b/debian/prerm 
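Review bot: Dropping the absolute path makes `xenstore-read` resolve through whatever `PATH` the caller has, and this script is started from dpkg triggers and package hooks running as root. qubes-sysinit.sh (PATCH 19) already handles the differing install locations by probing both, and the same pattern fits here: `XS_READ=/usr/bin/xenstore-read`, `[ -x /usr/sbin/xenstore-read ] && XS_READ=/usr/sbin/xenstore-read`, then `UPDATEABLE=$("$XS_READ" qubes-vm-updateable)`. The `if` block continues outside the hunk.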
@@ -3,7 +3,7 @@ # # see: dh_installdeb(1) -set -x +set -e # The prerm script may be called in the following ways: # * 'remove' From a6e6c8676455b5c01c55490c1ed81ce5daedf617 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 00:09:13 -0500 Subject: [PATCH 27/48] debian: Made debian proxy filter rules more restrictive --- network/filter-updates | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/network/filter-updates b/network/filter-updates index 5fec48b..7ab1b05 100644 --- a/network/filter-updates +++ b/network/filter-updates @@ -1,11 +1,19 @@ +# Yum filters +# ----------------------------------------------------------------------------- /repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ /repodata/repomd\.xml$ \.rpm$ \.drpm$ ^mirrors\.fedoraproject\.org:443$ ^http://mirrors\..*/mirrorlist\? -\.deb$ -/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)$ -/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|.*\)$ -/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ -/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ + +# Debian filters +# +# Whonix uses sourceforge to host its repos and url can end in: +# '/' or '/download' or '?.*' +# ----------------------------------------------------------------------------- +\.deb\(\|\/\|\/download\|\?.*\)$ +/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\/\)$ +/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$ +/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\/\)$ +/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\/\)$ From 4c30f2886458ea7e2b3f9042b883844c504c4861 Mon Sep 17 00:00:00 2001 
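Review bot: With `set -e` every unguarded command in these scripts becomes fatal to the dpkg operation, and the commit changes only the `set` line in postrm, preinst and prerm. In prerm, the restore step `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` (added in PATCH 16, outside this hunk) fails when the directory exists but is empty, which would now abort package removal. In preinst, `sed -i -e '/^mesg n/d' /root/.profile` fails when the file is missing and would abort installation. Both need a guard, for example `[ -f /root/.profile ] && sed -i -e '/^mesg n/d' /root/.profile` and an existence test on each file before the `mv`.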
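Review bot: The new Debian rules write the query-string case as `\?.*`, but the Yum rules in the same file use `\?` as a quantifier (`\(\.bz2\|\.gz\)\?$`), so one of the two readings is wrong for whichever regex mode the proxy compiles this file with. A bracket expression is literal in both basic and extended syntax: `\.deb\(\|/\|/download\|[?].*\)$`, and likewise in the `Packages|Sources|Release` rule. That rule also lists the empty alternative twice (`\(\|\|/\|…`), which is harmless but suggests a missing entry. `Release.gpg` in the first `/dists/` rule leaves the dot unescaped; `Release\.gpg` matches only the intended name.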
From: Jason Mehring Date: Fri, 7 Nov 2014 00:09:54 -0500 Subject: [PATCH 28/48] debian: Cleanup 'set -e' in place of 'set -x' Seperated out 'QT_X11_NO_MITSHM=1' export into own profile.d file Seperated out 'QT_X11_NO_MITSHM=1' sudoers rule to own sudoers.d file Commented out some services that were being enabled that are not installed (yet) Reformated trigger section to allow for multiple triggers --- debian/postinst | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/debian/postinst b/debian/postinst index 032af0a..9f794a8 100755 --- a/debian/postinst +++ b/debian/postinst @@ -3,6 +3,7 @@ # # see: dh_installdeb(1) +set -e set -x # The postint script may be called in the following ways: @@ -34,17 +35,17 @@ case "$1" in fi } - # Stops Qt form using the MIT-SHM X11 Shared Memory Extension - echo 'export QT_X11_NO_MITSHM=1' >> /etc/profile + echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm # Sudo's defualt umask is 077 so set sane default of 022 # Also don't allow QT to used shared memory to prevent errors - echo 'Defaults umask = 0002' >> /etc/sudoers - echo 'Defaults umask_override' >> /etc/sudoers - echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' >> /etc/sudoers + echo 'Defaults umask = 0002' > /etc/sudoers.d/umask + echo 'Defaults umask_override' >> /etc/sudoers.d/umask + echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm.sh + chmod 0755 /etc/sudoers.d/qt_x11_no_mitshm.sh - # reenable abrt-aplet if disable by some earlier version of package + # reenable abrt-aplet if disabled by some earlier version of package remove_ShowIn abrt-applet.desktop # don't want it at all 
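Review bot: The names of the two new drop-in files look swapped. `/etc/profile.d/qt_x11_no_mitshm` has no `.sh` suffix, and Debian's stock `/etc/profile` sources only `/etc/profile.d/*.sh`, while `/etc/sudoers.d/qt_x11_no_mitshm.sh` contains a dot and sudo's `#includedir` skips file names that contain `.`. As written, neither the export nor the `env_keep` rule is likely to take effect. sudoers fragments are conventionally mode 0440 rather than the `chmod 0755` used here, and `/etc/sudoers.d/umask` keeps whatever mode the redirect creates. Suggested: write the export to `/etc/profile.d/qt_x11_no_mitshm.sh`, write the rule to `/etc/sudoers.d/qt_x11_no_mitshm`, and `chmod 0440` both sudoers fragments.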
@@ -221,10 +222,12 @@ case "$1" in rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service # Enable some services - /bin/systemctl enable iptables.service 2> /dev/null - /bin/systemctl enable ip6tables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null - /bin/systemctl enable ntpd.service 2> /dev/null + + # These do not exist on debian; maybe a different package name + #/bin/systemctl enable iptables.service 2> /dev/null + #/bin/systemctl enable ntpd.service 2> /dev/null + #/bin/systemctl enable ip6tables.service 2> /dev/null # Enable cups only when it is real SystemD service [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null @@ -235,8 +238,19 @@ case "$1" in ;; triggered) - echo "Updating Qubes AppMenu." - /usr/lib/qubes/qubes-trigger-sync-appmenus.sh + for trigger in $2; do + case "$trigger" in + /usr/share/applications) + echo "Updating Qubes AppMenu." + /usr/lib/qubes/qubes-trigger-sync-appmenus.sh + ;; + *) + echo "postinst called with unknown trigger \`$2'" >&2 + exit 1 + ;; + esac + done + exit 0 ;; *) From 132729bd7975873dc6c5569f73d31a6d85907605 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 00:16:51 -0500 Subject: [PATCH 29/48] debian: Prepend package name to maintainers scripts --- debian/{postinst => qubes-core-agent.postinst} | 0 debian/{postrm => qubes-core-agent.postrm} | 0 debian/{preinst => qubes-core-agent.preinst} | 0 debian/{prerm => qubes-core-agent.prerm} | 0 debian/{triggers => qubes-core-agent.triggers} | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename debian/{postinst => qubes-core-agent.postinst} (100%) rename debian/{postrm => qubes-core-agent.postrm} (100%) rename debian/{preinst => qubes-core-agent.preinst} (100%) rename debian/{prerm => qubes-core-agent.prerm} (100%) rename debian/{triggers => qubes-core-agent.triggers} (100%) 
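Review bot: With `set -e` added at the top of this script in the same commit, `/bin/systemctl enable rsyslog.service 2> /dev/null` now aborts `configure` if the unit cannot be enabled, and the redirect hides the reason. I would keep the message and make the failure non-fatal: `/bin/systemctl enable rsyslog.service || echo "could not enable rsyslog.service" >&2`. Separately, commenting out the `iptables.service` and `ip6tables.service` lines means nothing in this hunk enables packet-filter rule loading on Debian. A comment such as `# TODO(debian): enable the unit that restores iptables/ip6tables rules at boot` would state that gap more clearly than dead code. The `configure)` arm starts outside the hunk.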
diff --git a/debian/postinst b/debian/qubes-core-agent.postinst similarity index 100% rename from debian/postinst rename to debian/qubes-core-agent.postinst diff --git a/debian/postrm b/debian/qubes-core-agent.postrm similarity index 100% rename from debian/postrm rename to debian/qubes-core-agent.postrm diff --git a/debian/preinst b/debian/qubes-core-agent.preinst similarity index 100% rename from debian/preinst rename to debian/qubes-core-agent.preinst diff --git a/debian/prerm b/debian/qubes-core-agent.prerm similarity index 100% rename from debian/prerm rename to debian/qubes-core-agent.prerm diff --git a/debian/triggers b/debian/qubes-core-agent.triggers similarity index 100% rename from debian/triggers rename to debian/qubes-core-agent.triggers From 96887ea1b8f08098e2bbf25dab6d98bce393e2b9 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 03:30:45 -0500 Subject: [PATCH 30/48] debian: Add qubes-update-check for Debian --- vm-systemd/qubes-update-check.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index 96bccbd..c60b983 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service @@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' +ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi' From dbffe57bc90b05584409062b489a56304711f7b2 Mon Sep 17 00:00:00 2001 
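Review bot: The apt branch of the new `ExecStart` uses `[[ $(wc -L) -eq 0 ]]` inside `/bin/sh -c`, and on Debian `/bin/sh` is normally dash, which has no `[[`. The test then fails as an unknown command and `|| echo 1` reports pending updates on every run. The awk program is also in double quotes, so the shell expands `$2` before awk sees it. A POSIX form avoids both problems: `apt-get -s upgrade | grep -q "^Inst" && echo 1 || echo 0`. The later revision of this same line in PATCH 32/48 keeps the construct and needs the same change.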
From: Jason Mehring Date: Fri, 7 Nov 2014 03:32:06 -0500 Subject: [PATCH 31/48] debian: Revert back to original NetworkManager, ModemManager service names --- debian/qubes-core-agent.postinst | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 9f794a8..70ef735 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -170,23 +170,8 @@ case "$1" in UNITDIR=/lib/systemd/system OVERRIDEDIR=/usr/lib/qubes/init - # XXX: Debian specific - if [ -f "$OVERRIDEDIR/NetworkManager.service" ]; then - mv -f $OVERRIDEDIR/NetworkManager.service $OVERRIDEDIR/network-manager.service - sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager.service - fi - if [ -f "$OVERRIDEDIR/NetworkManager-wait-online.service" ]; then - mv -f $OVERRIDEDIR/NetworkManager-wait-online.service $OVERRIDEDIR/network-manager-wait-online.service - sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager-wait-online.service - fi - if [ -f "$OVERRIDEDIR/ModemManager" ]; then - mv -f $OVERRIDEDIR/ModemManager $OVERRIDEDIR/modemmanager.service - sed 's/ModemManager/modemmanager/' -i $OVERRIDEDIR/modemmanager.service - fi - # Install overriden services only when original exists - #for srv in cups modemmanager network-manager network-manager-wait-online ntpd chronyd; do - for srv in cups modemmanager network-manager network-manager-wait-online; do + for srv in cups ModemManager NetworkManager NetworkManager-wait-online ntpd chronyd; do if [ -f $UNITDIR/$srv.service ]; then cp $OVERRIDEDIR/$srv.service /etc/systemd/system/ fi From cc26e26be8d7105117ba8b19ca108664bb2d143d Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 03:46:54 -0500 Subject: [PATCH 32/48] debian: apt-get needs to update first --- vm-systemd/qubes-update-check.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index c60b983..9879080 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service @@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi' +ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi' From 44230f7f351976c294c7a24d291965446f2220c2 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 09:59:41 -0500 Subject: [PATCH 33/48] debian: Remove absolute path to xenstore-* --- network/30-qubes-external-ip | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/30-qubes-external-ip b/network/30-qubes-external-ip index 1761257..8089e0e 100755 --- a/network/30-qubes-external-ip +++ b/network/30-qubes-external-ip @@ -1,8 +1,8 @@ #!/bin/sh if [ x$2 == xup ]; then INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) - /usr/bin/xenstore-write qubes-netvm-external-ip "$INET" + xenstore-write qubes-netvm-external-ip "$INET" fi if [ x$2 == xdown ]; then - /usr/bin/xenstore-write qubes-netvm-external-ip "" + xenstore-write qubes-netvm-external-ip "" fi From abcc01b874aede4651de04668dc3cca5149ca6df Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 18:25:12 -0500 Subject: [PATCH 34/48] debian: Added more dependancies --- debian/control | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
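Review bot: In `network/30-qubes-external-ip`, the two `xenstore-write` calls now resolve through whatever `PATH` the NetworkManager dispatcher passes to this script, while `/sbin/ip` and `/bin/grep` in the same file stay absolute. For a hook that runs as root, I would pin the search path once at the top rather than inherit it: `PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH`. That keeps the cross-distribution goal of the change without leaving the lookup to the caller's environment. The unchanged tests `[ x$2 == xup ]` use `==` and unquoted arguments under `#!/bin/sh`; `[ "$2" = up ]` is the portable spelling.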
diff --git a/debian/control b/debian/control index 8f57a9a..df4d573 100644 --- a/debian/control +++ b/debian/control @@ -9,8 +9,12 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends} -Conflicts: qubes-core-agent-linux +#Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, qubes-core-vm-kernel-placeholder, qubes-core-vm, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} +Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, such as qrexec. + +# Unresolved depends that exist in rpm_spec +#qubes-core-vm-kernel-placeholder, qubes-core-vm, From 79db86a94ad551345d63c79bb718bced57d30580 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Fri, 7 Nov 2014 18:26:21 -0500 Subject: [PATCH 35/48] debian: Added postrm disable of other Qubes packages --- debian/qubes-core-agent.postrm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/debian/qubes-core-agent.postrm b/debian/qubes-core-agent.postrm index 508a238..537679c 100755 --- a/debian/qubes-core-agent.postrm +++ b/debian/qubes-core-agent.postrm @@ -36,12 +36,16 @@ set -e # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or # the debian-policy package -if [ "$1" = "remove" ] ; then +if [ "${1}" = "remove" ] ; then /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || : if [ -L /lib/firmware/updates ]; then rm /lib/firmware/updates fi + + for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do + systemctl disable ${srv}.service + done fi # dh_installdeb will replace this with shell code automatically From 9e065d6d9cd0f48a0db692da89508c14da38bf43 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 18:28:04 -0500 Subject: [PATCH 36/48] debian: Added all other outstanding triggers contained in rpm_spec as well as triggers if other packages get installed at a later date the configurations will run on them --- debian/qubes-core-agent.postinst | 408 ++++++++++++++++++++++--------- debian/qubes-core-agent.triggers | 44 ++++ 2 files changed, 342 insertions(+), 110 deletions(-) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 70ef735..7ae77a5 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -4,7 +4,6 @@ # see: dh_installdeb(1) set -e -set -x # The postint script may be called in the following ways: # * 'configure' 
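Review bot: The loop added to `qubes-core-agent.postrm` runs `systemctl disable ${srv}.service` with no fallback while the script is under `set -e` (visible in the hunk header). A single unit that systemctl cannot find or disable therefore makes `postrm remove` fail and leaves the package half-removed. By the time postrm runs, the package's unit files have presumably already been removed, which makes that failure likely rather than rare. The line above already uses the tolerant form, and the loop body could match it: `systemctl disable ${srv}.service 2> /dev/null || :`. The `&>` redirect on the glib-compile-schemas line is bash syntax, and the shebang is not visible in this hunk.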
@@ -20,21 +19,112 @@ set -x # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or # the debian-policy package -case "$1" in +# Install overriden services only when original exists +installOverridenServices() { + unit_dir="${1}" + override_dir="${2}" + service="${3}" + retval=1 + + for unit in ${service}; do + if [ -f ${unit_dir}/${unit}.service ]; then + cp ${override_dir}/${unit}.service /etc/systemd/system/ + retval=0 + fi + if [ -f ${unit_dir}/${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then + cp ${override_dir}/${unit}.socket /etc/systemd/system/ + retval=0 + fi + if [ -f ${unit_dir}/${unit}.path -a -f ${override_dir}/${unit}.path ]; then + cp ${override_dir}/${unit}.path /etc/systemd/system/ + retval=0 + fi + done + + return ${retval} +} + +reenableNetworkManager() { + # Disable original service to enable overriden one + /bin/systemctl disable ModemManager.service 2> /dev/null + /bin/systemctl disable NetworkManager.service 2> /dev/null + + # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts) + /bin/systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null + /bin/systemctl enable ModemManager.service 2> /dev/null + /bin/systemctl enable NetworkManager.service 2> /dev/null + + # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811 + /bin/systemctl enable NetworkManager-dispatcher.service 2> /dev/null +} + +remove_ShowIn () { + if [ -e "${1}" ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' "${1}" + fi +} + +# Disable systemd units +disableSystemdUnits() { + for unit in $*; do + systemctl is-enabled ${unit} > /dev/null 2>&1 && { + echo "Disabling ${unit}..." 
+ systemctl is-active ${unit} > /dev/null 2>&1 && { + systemctl stop ${unit} > /dev/null 2>&1 || echo "Unable to stop ${unit}" + } + if [ -f /lib/systemd/system/${unit} ]; then + if fgrep -q '[Install]' /lib/systemd/system/${unit}; then + systemctl disable ${unit} > /dev/null 2>&1 || echo "Could not disable ${unit}" + else + # Forcibly disable + echo "Forcibly disabling: ${unit}" + ln -sf /dev/null /etc/systemd/system/${unit} + fi + else + systemctl disable ${unit} > /dev/null 2>&1 || echo "Could not disable ${unit}" + fi + } || { + echo "It appears ${unit} is already disabled!" + } + done +} + +# Enable systemd units +enableSystemdUnits() { + for unit in $*; do + systemctl is-enabled ${unit} > /dev/null 2>&1 && { + echo "It appears ${unit} is already enabled!" + } || { + echo "Enabling: ${unit}..." + systemctl enable ${unit} > /dev/null 2>&1 || echo "Could not enable: ${unit}" + } + done +} + +# Manually trigger all triggers to automaticatly configure +triggerTriggers() { + path="$(readlink -m ${0})" + triggers="${path/postinst/triggers}" + + awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line + do + /bin/bash -c "${0} triggered ${line##* }" || true + done +} + +case "${1}" in configure) # disable some Upstart services - for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do - if [ -e /etc/init/$F.conf ]; then - mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled + for init in plymouth-shutdown \ + prefdm \ + splash-manager \ + start-ttys \ + tty ; do + if [ -e /etc/init/${init}.conf ]; then + mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled fi done - remove_ShowIn () { - if [ -e /etc/xdg/autostart/$1.desktop ]; then - sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop - fi - } - # Stops Qt form using the MIT-SHM X11 Shared Memory Extension echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm 
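Review bot: `triggerTriggers` builds a command string from each line of the triggers file and passes it to `/bin/bash -c`, so the path is re-parsed as shell text, and `|| true` then discards every failure. Calling the script directly keeps the argument as one word and still reports problems: `"${0}" triggered "${line##* }" || echo "trigger ${line##* } failed" >&2`. `${path/postinst/triggers}` is a bash-only substitution and the shebang is not visible in this hunk, so it is worth confirming the script runs under bash. `readlink -m ${0}` and `${triggers}` should be quoted and the loop should use `read -r`. In `disableSystemdUnits` and `enableSystemdUnits`, the `cmd && { ... } || { ... }` shape also runs the second block when the first block fails, which an `if`/`else` would avoid.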
@@ -45,56 +135,21 @@ case "$1" in echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm.sh chmod 0755 /etc/sudoers.d/qt_x11_no_mitshm.sh - # reenable abrt-aplet if disabled by some earlier version of package - remove_ShowIn abrt-applet.desktop - - # don't want it at all - for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop - fi - done - - # don't want it in DisposableVM - for F in gcm-apply ; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop - fi - done - - # want it in AppVM only - for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop - fi - done - - # remove existing rule to add own later - for F in gpk-update-icon nm-applet ; do - remove_ShowIn $F - done - - echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : - echo 'OnlyShowIn=GNOME;QUBES;' >> /etc/xdg/autostart/nm-applet.desktop || : - # Create NetworkManager configuration if we do not have it if ! 
[ -e /etc/NetworkManager/NetworkManager.conf ]; then - echo '[main]' > /etc/NetworkManager/NetworkManager.conf - echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf - echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf + echo '[main]' > /etc/NetworkManager/NetworkManager.conf + echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf + echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf fi /usr/lib/qubes/qubes-fix-nm-conf.sh # Remove ip_forward setting from sysctl, so NM will not reset it - sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf + sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf # Remove old firmware updates link if [ -L /lib/firmware/updates ]; then - rm -f /lib/firmware/updates + rm -f /lib/firmware/updates fi #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then @@ -122,7 +177,7 @@ case "$1" in chown user:user /home_volatile/user - #if [ "$1" != 1 ] ; then + #if [ "${1}" != 1 ] ; then # # do the rest of %post thing only when updating for the first time... # exit 0 #fi 
@@ -138,84 +193,94 @@ case "$1" in mkdir -p /var/lib/qubes/removed-udev-scripts for f in /etc/udev/rules.d/* do - if [ $(basename $f) == "xen-backend.rules" ] ; then + if [ $(basename ${f}) == "xen-backend.rules" ] ; then continue fi - if [ $(basename $f) == "50-qubes-misc.rules" ] ; then + if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then continue fi - if echo $f | grep -q qubes; then + if echo ${f} | grep -q qubes; then continue fi - mv $f /var/lib/qubes/removed-udev-scripts/ + mv ${f} /var/lib/qubes/removed-udev-scripts/ done + + # Create /rw directory mkdir -p /rw + + # XXX: TODO: Needs to be implemented still #rm -f /etc/mtab #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 - ####################################################################### - # systemd post-init - ####################################################################### - for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do - /bin/systemctl enable $srv.service 2> /dev/null - done - - /bin/systemctl enable qubes-update-check.timer 2> /dev/null - - UNITDIR=/lib/systemd/system - OVERRIDEDIR=/usr/lib/qubes/init - - # Install overriden services only when original exists - for srv in cups ModemManager NetworkManager NetworkManager-wait-online ntpd chronyd; do - if [ -f $UNITDIR/$srv.service ]; then - cp $OVERRIDEDIR/$srv.service /etc/systemd/system/ - fi - if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then - cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/ - fi - if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then - cp $OVERRIDEDIR/$srv.path /etc/systemd/system/ - fi - done + # Enable Qubes systemd units + enableSystemdUnits \ + 
qubes-sysinit.service \ + qubes-misc-post.service \ + qubes-netwatcher.service \ + qubes-network.service \ + qubes-firewall.service \ + qubes-updates-proxy.service \ + qubes-updates-proxy.timer \ + qubes-qrexec-agent.service # Set default "runlevel" rm -f /etc/systemd/system/default.target ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target - #DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond" - #DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save" - #DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late" - #DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait" - #DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover" - #DISABLE_SERVICES="$DISABLE_SERVICES rngd smartd upower irqbalance colord" - #for srv in $DISABLE_SERVICES; do - # if [ -f /lib/systemd/system/$srv.service ]; then - # if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then - # /bin/systemctl disable $srv.service 2> /dev/null - # else - # # forcibly disable - # ln -sf /dev/null /etc/systemd/system/$srv.service - # fi - # fi - #done + # Process all triggers which will set defaults to wanted values + triggerTriggers + + disableSystemdUnits \ + alsa-store \ + alsa-restore \ + auditd \ + avahi \ + avahi-daemon \ + backuppc \ + cpuspeed \ + crond \ + fedora-autorelabel \ + fedora-autorelabel-mark \ + ipmi \ + hwclock-load \ + hwclock-save \ + mdmonitor \ + multipathd \ + openct \ + rpcbind \ + mcelog \ + fedora-storage-init \ + fedora-storage-init-late \ + plymouth-start \ + plymouth-read-write \ + plymouth-quit \ + plymouth-quit-wait \ + sshd \ + tcsd \ + sm-client \ + sendmail \ + mdmonitor-takeover \ + rngd smartd \ + upower \ + irqbalance \ + colord rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service - # 
Enable some services - /bin/systemctl enable rsyslog.service 2> /dev/null + # Enable other systemd units + enableSystemdUnits \ + rsyslog.service + # XXX: TODO: Needs to be implemented still # These do not exist on debian; maybe a different package name - #/bin/systemctl enable iptables.service 2> /dev/null - #/bin/systemctl enable ntpd.service 2> /dev/null - #/bin/systemctl enable ip6tables.service 2> /dev/null - - # Enable cups only when it is real SystemD service - [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null + # iptables.service \ + # ntpd.service \ + # ip6tables.service \ ;; abort-upgrade|abort-remove|abort-deconfigure) 
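Review bot: The `disableSystemdUnits` list passes bare Fedora unit names such as `sshd`, `auditd` and `crond`, but the helper defined earlier in this patch tests `/lib/systemd/system/${unit}` and treats any non-zero `systemctl is-enabled` as "already disabled". A bare name never matches a unit file, so the forced `ln -sf /dev/null` branch is unreachable. A service that exists under another name on Debian (OpenSSH ships as `ssh.service` there, as far as I know) is reported as disabled while it keeps running. Passing full names, for example `sshd.service ssh.service`, and having the helper print "not found" separately from "already disabled" would make the output trustworthy. In the enable list, `qubes-updates-proxy.timer` replaces the removed `qubes-update-check.timer`, which looks like a slip that leaves the update-check timer disabled.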
@@ -223,14 +288,137 @@ case "$1" in ;; triggered) - for trigger in $2; do - case "$trigger" in + for trigger in ${2}; do + case "${trigger}" in + + # Update Qubes App Menus /usr/share/applications) - echo "Updating Qubes AppMenu." - /usr/lib/qubes/qubes-trigger-sync-appmenus.sh + echo "Updating Qubes App Menus..." + /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true ;; + + # Install overriden services only when original exists + /lib/systemd/system/NetworkManager.service | \ + /lib/systemd/system/NetworkManager-wait-online.service | \ + /lib/systemd/system/ModemManager.service) + echo "Installing over-riden services for $(basename -s .service ${trigger})..." + UNITDIR=/lib/systemd/system + OVERRIDEDIR=/usr/lib/qubes/init + installOverridenServices "${UNITDIR}" "${OVERRIDEDIR}" "$(basename -s .service "${trigger}")" + if [ $? -eq 0 ]; then + reenableNetworkManager + fi + ;; + + # Enable cups only when it is real Systemd service + /lib/systemd/system/cups.service) + echo "Enabling cups" + [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service + ;; + + # "Enable haveged service" + /lib/systemd/system/haveged.service) + echo "Enabling haveged service" + enableSystemdUnits haveged.service + ;; + + # Install overridden serial.conf init script + /etc/init/serial.conf) + echo "Installing over-ridden serial.conf init script..." + if [ -e /etc/init/serial.conf ]; then + cp /usr/share/qubes/serial.conf /etc/init/serial.conf + fi + ;; + + # Enable autostart of notification-daemon when installed + /etc/xdg/autostart/notification-daemon.desktop) + if [ ! -e /etc/xdg/autostart/notification-daemon.desktop ]; then + echo "Enabling autostart of notification-daemon when installed..." + ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/ + fi + ;; + + # Disable SELinux" + /etc/selinux/config) + echo "Disabling SELinux..." 
+ if [ -e /etc/selinux/config ]; then + sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed + mv /etc/selinux/config.processed /etc/selinux/config + setenforce 0 2>/dev/null + fi + ;; + + # Desktop Entry Modification - Remove existing rules + /etc/xdg/autostart/gpk-update-icon.desktop | \ + /etc/xdg/autostart/nm-applet.desktop | \ + /etc/xdg/autostart/abrt-applet.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Removing ShowIn from: ${trigger}..." + remove_ShowIn "${trigger}" + fi + ;; + + # Desktop Entry Modification - Not shown in Qubes + /etc/xdg/autostart/pulseaudio.desktop | \ + /etc/xdg/autostart/deja-dup-monitor.desktop | \ + /etc/xdg/autostart/imsettings-start.desktop | \ + /etc/xdg/autostart/krb5-auth-dialog.desktop | \ + /etc/xdg/autostart/pulseaudio.desktop | \ + /etc/xdg/autostart/restorecond.desktop | \ + /etc/xdg/autostart/sealertauto.desktop | \ + /etc/xdg/autostart/gnome-power-manager.desktop | \ + /etc/xdg/autostart/gnome-sound-applet.desktop | \ + /etc/xdg/autostart/gnome-screensaver.desktop | \ + /etc/xdg/autostart/orca-autostart.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Not Shown in Qubes: ${trigger}..." + remove_ShowIn "${trigger}" + echo 'NotShowIn=QUBES;' >> "${trigger}" || true + fi + ;; + + # Desktop Entry Modification - Not shown in in DisposableVM + /etc/xdg/autostart/gcm-apply.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Not Shown in DisposableVM: ${trigger}..." 
+ remove_ShowIn "${trigger}" + echo 'NotShowIn=DisposableVM;' >> "${trigger}" || true + fi + ;; + + # Desktop Entry Modification - Only shown in AppVM + /etc/xdg/autostart/gnome-keyring-gpg.desktop | \ + /etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \ + /etc/xdg/autostart/gnome-keyring-secrets.desktop | \ + /etc/xdg/autostart/gnome-keyring-ssh.desktop | \ + /etc/xdg/autostart/gnome-settings-daemon.desktop | \ + /etc/xdg/autostart/user-dirs-update-gtk.desktop | \ + /etc/xdg/autostart/gsettings-data-convert.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Only Shown in Gnome & AppVM: ${trigger}..." + remove_ShowIn "${trigger}" + echo 'OnlyShowIn=GNOME;AppVM;' >> "${trigger}" || true + fi + ;; + + # Desktop Entry Modification - Only shown in Gnome & UpdateableVM + /etc/xdg/autostart/gpk-update-icon.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Only Shown in Gnome & UpdateableVM: ${trigger}..." + echo 'OnlyShowIn=GNOME;UpdateableVM;' >> "${trigger}" || true + fi + ;; + + # Desktop Entry Modification - Only shown in Gnome & Qubes + /etc/xdg/autostart/nm-applet.desktop) + if [ -e "${trigger}" ]; then + echo "Desktop Entry Modification - Only Shown in Gnome & Qubes: ${trigger}..." + echo 'OnlyShowIn=GNOME;QUBES;' >> "${trigger}" || true + fi + ;; + *) - echo "postinst called with unknown trigger \`$2'" >&2 + echo "postinst called with unknown trigger \`${2}'" >&2 exit 1 ;; esac @@ -239,7 +427,7 @@ case "$1" in ;; *) - echo "postinst called with unknown argument \`$1'" >&2 + echo "postinst called with unknown argument \`${1}'" >&2 exit 1 ;; esac diff --git a/debian/qubes-core-agent.triggers b/debian/qubes-core-agent.triggers index aa950b6..2beb695 100644 --- a/debian/qubes-core-agent.triggers +++ b/debian/qubes-core-agent.triggers 
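Review bot: The last two arms, for `/etc/xdg/autostart/gpk-update-icon.desktop` and `/etc/xdg/autostart/nm-applet.desktop`, can never run. Both paths are already listed in the earlier "Remove existing rules" arm and `case` takes the first matching pattern, so the `OnlyShowIn=GNOME;UpdateableVM;` and `OnlyShowIn=GNOME;QUBES;` lines are never appended. Appending the line inside the first arm after `remove_ShowIn`, keyed on the file name, would restore the behaviour of the removed code. In the NetworkManager arm, `installOverridenServices` returns 1 when nothing was copied, and under `set -e` that ends the script before `if [ $? -eq 0 ]` is reached. Writing it as `if installOverridenServices ...; then reenableNetworkManager; fi` avoids that. `setenforce 0 2>/dev/null` in the SELinux arm has the same problem and needs `|| true`.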
@@ -1 +1,45 @@ interest-noawait /usr/share/applications +interest-noawait /lib/systemd/system/NetworkManager.service +interest-noawait /lib/systemd/system/NetworkManager-wait-online.service +interest-noawait /lib/systemd/system/ModemManager.service +interest-noawait /etc/init/serial.conf +interest-noawait /etc/xdg/autostart/notification-daemon.desktop +interest-noawait /etc/selinux/config +interest-noawait /lib/systemd/system/cups.service +interest-noawait /lib/systemd/system/haveged.service + +# Desktop Entry Modification - Remove existing rules +interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop +interest-noawait /etc/xdg/autostart/nm-applet.desktop +interest-noawait /etc/xdg/autostart/abrt-applet.desktop + +# Desktop Entry Modification - Not shown in Qubes +interest-noawait /etc/xdg/autostart/pulseaudio.desktop +interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop +interest-noawait /etc/xdg/autostart/imsettings-start.desktop +interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop +interest-noawait /etc/xdg/autostart/pulseaudio.desktop +interest-noawait /etc/xdg/autostart/restorecond.desktop +interest-noawait /etc/xdg/autostart/sealertauto.desktop +interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop +interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop +interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop +interest-noawait /etc/xdg/autostart/orca-autostart.desktop + +# Desktop Entry Modification - Not shown in in DisposableVM +interest-noawait /etc/xdg/autostart/gcm-apply.desktop + +# Desktop Entry Modification - Only shown in AppVM +interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop +interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop +interest-noawait 
/etc/xdg/autostart/user-dirs-update-gtk.desktop +interest-noawait /etc/xdg/autostart/gsettings-data-convert.desktop + +# Desktop Entry Modification - Only shown in Gnome & UpdateableVM +interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop + +# Desktop Entry Modification - Only shown in Gnome & Qubes +interest-noawait /etc/xdg/autostart/nm-applet.desktop From afcff2ca4b9eb6be0aee4ac77df0fafbb259508e Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 18:29:05 -0500 Subject: [PATCH 37/48] debian: removed commented out depends --- debian/control | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/control b/debian/control index df4d573..9a74037 100644 --- a/debian/control +++ b/debian/control 
@@ -9,7 +9,6 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -#Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, qubes-core-vm-kernel-placeholder, qubes-core-vm, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent From 1f93dc0a6023eff6ff661603af3b56da88b698bb Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 22:52:32 -0500 Subject: [PATCH 38/48] debian: Added more error reporting to track down any missing dependancies Prints various systemd messages when a unit fails to enable/disable/start/stop Fixed issue with alternate NetworkManager* systemd files not being placed Removed 'basename -s' since -s option not supported in wheezy --- debian/qubes-core-agent.postinst | 159 ++++++++++++++++++++----------- 1 file changed, 105 insertions(+), 54 deletions(-) 
diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 7ae77a5..0beb4c1 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -21,22 +21,26 @@ set -e # Install overriden services only when original exists installOverridenServices() { - unit_dir="${1}" - override_dir="${2}" - service="${3}" + override_dir="${1}" + service="${2}" retval=1 for unit in ${service}; do - if [ -f ${unit_dir}/${unit}.service ]; then - cp ${override_dir}/${unit}.service /etc/systemd/system/ + unit="${unit%%.*}" + unit_name="$(basename ${unit})" + if [ -f ${unit}.service ]; then + echo "Installing override for ${unit}.service..." + cp ${override_dir}/${unit_name}.service /etc/systemd/system/ retval=0 fi - if [ -f ${unit_dir}/${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then - cp ${override_dir}/${unit}.socket /etc/systemd/system/ + if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then + echo "Installing override for ${unit}.socket..." + cp ${override_dir}/${unit_name}.socket /etc/systemd/system/ retval=0 fi - if [ -f ${unit_dir}/${unit}.path -a -f ${override_dir}/${unit}.path ]; then - cp ${override_dir}/${unit}.path /etc/systemd/system/ + if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then + echo "Installing override for ${unit}.path..." + cp ${override_dir}/${unit_name}.path /etc/systemd/system/ retval=0 fi done 
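Review bot: In installOverridenServices the `.socket` and `.path` tests still check `${override_dir}/${unit}.socket` and `${override_dir}/${unit}.path`, but `unit` is now the full trigger path with its extension stripped, so those tests look for a path nested under the override directory that will not exist and the two branches never copy anything. They should use the basename like the `cp` beside them, e.g. `[ -f "${unit}.socket" -a -f "${override_dir}/${unit_name}.socket" ]`. The `.service` branch copies `${override_dir}/${unit_name}.service` without checking that the override exists, which under the `set -e` shown in the hunk header aborts the postinst if it is missing. `${unit%%.*}` cuts at the first dot anywhere in the path; `${unit%.*}` with quoted expansions is the safer form. The end of the function is outside the hunk.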
@@ -46,16 +50,21 @@ installOverridenServices() { reenableNetworkManager() { # Disable original service to enable overriden one - /bin/systemctl disable ModemManager.service 2> /dev/null - /bin/systemctl disable NetworkManager.service 2> /dev/null + echo "Disabling original service to enable overriden one..." + disableSystemdUnits ModemManager.service + disableSystemdUnits NetworkManager.service # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts) - /bin/systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null - /bin/systemctl enable ModemManager.service 2> /dev/null - /bin/systemctl enable NetworkManager.service 2> /dev/null + echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)" + systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager" + + echo "Re-enabling original service to enable overriden one..." + enableSystemdUnits ModemManager.service + enableSystemdUnits NetworkManager.service # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811 - /bin/systemctl enable NetworkManager-dispatcher.service 2> /dev/null + echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811" + enableSystemdUnits NetworkManager-dispatcher.service } remove_ShowIn () { 
@@ -64,27 +73,64 @@ remove_ShowIn () { fi } +setArrayAsGlobal() { + local array="$1" + local export_as="$2" + local code=$(declare -p "$array") + local replaced="${code/$array/$export_as}" + eval ${replaced/declare -/declare -g} +} + +systemdInfo() { + unit=${1} + return_global_var=${2} + + declare -A -g INFO + while read line; do + INFO[${line%%=*}]="${line##*=}" + done < <(systemctl show ${unit} 2> /dev/null) + setArrayAsGlobal INFO $return_global_var +} + +displayFailedStatus() { + action=${1} + unit=${2} + + systemdInfo ${unit} info + echo + echo "===================================================" + echo "FAILED: systemd ${action} ${unit}" + echo "===================================================" + echo " LoadState = ${info[LoadState]}" + echo " LoadError = ${info[LoadError]}" + echo " ActiveState = ${info[ActiveState]}" + echo " SubState = ${info[SubState]}" + echo "UnitFileState = ${info[UnitFileState]}" + echo +} + # Disable systemd units disableSystemdUnits() { for unit in $*; do systemctl is-enabled ${unit} > /dev/null 2>&1 && { echo "Disabling ${unit}..." systemctl is-active ${unit} > /dev/null 2>&1 && { - systemctl stop ${unit} > /dev/null 2>&1 || echo "Unable to stop ${unit}" + systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit} } if [ -f /lib/systemd/system/${unit} ]; then if fgrep -q '[Install]' /lib/systemd/system/${unit}; then - systemctl disable ${unit} > /dev/null 2>&1 || echo "Could not disable ${unit}" + systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} else # Forcibly disable echo "Forcibly disabling: ${unit}" ln -sf /dev/null /etc/systemd/system/${unit} fi else - systemctl disable ${unit} > /dev/null 2>&1 || echo "Could not disable ${unit}" + systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} fi } || { echo "It appears ${unit} is already disabled!" + #displayFailedStatus is-disabled ${unit} } done } 
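Review bot: setArrayAsGlobal passes text built from `systemctl show` output through an unquoted `eval`, so the `declare -p` string is word-split and glob-expanded before it is evaluated; quote it as `eval "${replaced/declare -/declare -g}"`. In systemdInfo, `${line##*=}` keeps only what follows the last `=`, which truncates property values that themselves contain `=`; `${line#*=}` keeps the whole value, and `read -r` avoids backslash mangling. `declare -g`, associative arrays and `< <(...)` need bash 4.2 or later, so the interpreter line of the script (outside this hunk) has to be bash rather than sh.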
@@ -94,9 +140,15 @@ enableSystemdUnits() { for unit in $*; do systemctl is-enabled ${unit} > /dev/null 2>&1 && { echo "It appears ${unit} is already enabled!" + #displayFailedStatus is-enabled ${unit} } || { echo "Enabling: ${unit}..." - systemctl enable ${unit} > /dev/null 2>&1 || echo "Could not enable: ${unit}" + systemctl enable ${unit} > /dev/null 2>&1 && { + systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit} + } || { + echo "Could not enable: ${unit}" + displayFailedStatus enable ${unit} + } } done } @@ -236,39 +288,39 @@ case "${1}" in triggerTriggers disableSystemdUnits \ - alsa-store \ - alsa-restore \ - auditd \ - avahi \ - avahi-daemon \ - backuppc \ - cpuspeed \ - crond \ - fedora-autorelabel \ - fedora-autorelabel-mark \ - ipmi \ - hwclock-load \ - hwclock-save \ - mdmonitor \ - multipathd \ - openct \ - rpcbind \ - mcelog \ - fedora-storage-init \ - fedora-storage-init-late \ - plymouth-start \ - plymouth-read-write \ - plymouth-quit \ - plymouth-quit-wait \ - sshd \ - tcsd \ - sm-client \ - sendmail \ - mdmonitor-takeover \ - rngd smartd \ - upower \ - irqbalance \ - colord + alsa-store.service \ + alsa-restore.service \ + auditd.service \ + avahi.service \ + avahi-daemon.service \ + backuppc.service \ + cpuspeed.service \ + crond.service \ + fedora-autorelabel.service \ + fedora-autorelabel-mark.service \ + ipmi.service \ + hwclock-load.service \ + hwclock-save.service \ + mdmonitor.service \ + multipathd.service \ + openct.service \ + rpcbind.service \ + mcelog.service \ + fedora-storage-init.service \ + fedora-storage-init-late.service \ + plymouth-start.service \ + plymouth-read-write.service \ + plymouth-quit.service \ + plymouth-quit-wait.service \ + sshd.service \ + tcsd.service \ + sm-client.service \ + sendmail.service \ + mdmonitor-takeover.service \ + rngd smartd.service \ + upower.service \ + irqbalance.service \ + colord.service rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service 
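Review bot: enableSystemdUnits now starts every unit it enables with a direct `systemctl start`, which ignores `policy-rc.d` and so also tries to start services while the package is being configured inside an image or chroot build. `deb-systemd-invoke start ${unit}` from init-system-helpers (already in Depends) honours that policy. The `systemctl enable … && { … } || { … }` shape also falls into the failure block whenever the last command of the success block returns non-zero; an `if systemctl enable …; then … else … fi` keeps the two paths apart. The function begins and ends outside the hunk.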
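Review bot: In the disableSystemdUnits list the entry `rngd smartd.service \` gives only `smartd` the new suffix; `rngd` is still passed bare. disableSystemdUnits tests `/lib/systemd/system/${unit}`, so for `rngd` that file test cannot match and the unit skips the `[Install]` check and the forced `/dev/null` link. Split the entry into `rngd.service \` and `smartd.service \`. The case branch this list sits in starts and ends outside the hunk.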
@@ -301,10 +353,9 @@ case "${1}" in /lib/systemd/system/NetworkManager.service | \ /lib/systemd/system/NetworkManager-wait-online.service | \ /lib/systemd/system/ModemManager.service) - echo "Installing over-riden services for $(basename -s .service ${trigger})..." UNITDIR=/lib/systemd/system OVERRIDEDIR=/usr/lib/qubes/init - installOverridenServices "${UNITDIR}" "${OVERRIDEDIR}" "$(basename -s .service "${trigger}")" + installOverridenServices "${OVERRIDEDIR}" "${trigger}" if [ $? -eq 0 ]; then reenableNetworkManager fi From cadb10278191418d9e2e9a8d12cc0a08b402cf13 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 8 Nov 2014 02:58:07 -0500 Subject: [PATCH 39/48] debian: More depends for debian as netvm and some configuration tweaks. Jessie base loads as netvm; wheezy base giving bad window error when trying to start nm-applet Fixed qt MIT-SHM graphics issue --- debian/control | 2 +- debian/qubes-core-agent.postinst | 23 ++++++++++++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/debian/control b/debian/control index 9a74037..831b22d 100644 --- a/debian/control +++ b/debian/control 
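Review bot: Under `set -e`, the plain call `installOverridenServices "${OVERRIDEDIR}" "${trigger}"` followed by `if [ $? -eq 0 ]` in the NetworkManager trigger branch of debian/qubes-core-agent.postinst never reaches the test when the function returns non-zero, because the failing command ends the script first. The `return` itself is outside the visible hunks, so this is inferred from the `retval=1` default. Writing it as `if installOverridenServices "${OVERRIDEDIR}" "${trigger}"; then` keeps the intended behaviour. `UNITDIR` is still assigned here but no longer used.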
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 0beb4c1..0a9499f 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -85,7 +85,7 @@ systemdInfo() { unit=${1} return_global_var=${2} - declare -A -g INFO + declare -A INFO while read line; do INFO[${line%%=*}]="${line##*=}" done < <(systemctl show ${unit} 2> /dev/null) 
@@ -178,14 +178,16 @@ case "${1}" in done # Stops Qt form using the MIT-SHM X11 Shared Memory Extension - echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm + echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh + chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh # Sudo's defualt umask is 077 so set sane default of 022 # Also don't allow QT to used shared memory to prevent errors echo 'Defaults umask = 0002' > /etc/sudoers.d/umask echo 'Defaults umask_override' >> /etc/sudoers.d/umask - echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm.sh - chmod 0755 /etc/sudoers.d/qt_x11_no_mitshm.sh + chmod 0440 /etc/sudoers.d/umask + echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm + chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm # Create NetworkManager configuration if we do not have it if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then 
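Review bot: The sudoers drop-ins in this hunk are created with a shell redirect and only afterwards set to 0440, and nothing checks their syntax; a malformed or wrongly-moded file under /etc/sudoers.d can make sudo refuse to run. Creating them under a restrictive umask, e.g. `( umask 0227; echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm )`, and running `visudo -cf` on each file closes both gaps. The comment above says the umask is set to 022 while the line writes `0002`, so with `umask_override` commands run through sudo create group-writable files; one of the two should be corrected. The `/etc/sudoers.d/qt_x11_no_mitshm.sh` file written by the previous version is left behind on upgrade.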
@@ -193,8 +195,19 @@ case "${1}" in echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf fi - /usr/lib/qubes/qubes-fix-nm-conf.sh + # XXX - Disabling for now; will need to change script to not include ifcfg-rh plugin + #/usr/lib/qubes/qubes-fix-nm-conf.sh + + # XXX: Test to see if this will satisify dispatcher dependancy + if [ ! -e "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then + ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service + fi + # NetworkManager is looking for this to load. Check into a debian alternative + # + # We are writing the config in qubes-fix-nm-conf.sh to use the ifcfg-rh plugin + # + # [1415425011.785917] [main.c:566] main(): failed to initialize settings storage: Could not load plugin 'ifcfg-rh': /usr/lib/NetworkManager/libnm-settings-plugin-ifcfg-rh.so: cannot open shared object file: No such file or directory # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf From 7027633e802f75db79aab257f52533b5eb7c7ea5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 9 Nov 2014 05:31:22 +0100 Subject: [PATCH 40/48] network: do not use ifcfg-rh NM plugin Apparently eth0 in ProxyVM can be configured using plain keyfile plugin, which is present on all distributions. --- network/network-manager-prepare-conf-dir | 2 +- network/setup-ip | 25 ++++++++++++++++-------- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir index c068bab..04cb00b 100755 --- a/network/network-manager-prepare-conf-dir +++ b/network/network-manager-prepare-conf-dir 
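Review bot: The new `ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service` uses two relative names, so the link is created in whatever directory the postinst happens to run from rather than next to the systemd units, and it points at the very file the preceding test found missing. It also fails when the link already exists, which under `set -e` aborts a reconfigure or upgrade. If the intent is an alias for the dispatcher unit, create it with absolute paths under /etc/systemd/system and `ln -sf`; which of the two names is the real unit on Debian needs confirming. The surrounding case branch starts outside the hunk.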
@@ -14,6 +14,6 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff # unmanaged_devices="$unmanaged_devices;mac:$mac" #done sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf -sed -i -e "s/^plugins=.*/plugins=keyfile,ifcfg-rh/" /etc/NetworkManager/NetworkManager.conf +sed -i -e "s/^plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf exit 0 diff --git a/network/setup-ip b/network/setup-ip index 907a295..49e0144 100755 --- a/network/setup-ip +++ b/network/setup-ip @@ -32,14 +32,23 @@ if [ x$ip != x ]; then [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook fi if [ -f /var/run/qubes-service/network-manager ]; then - cat > /etc/sysconfig/network-scripts/ifcfg-$INTERFACE <<__EOF__ -DEVICE=$INTERFACE -IPADDR=$ip -NETMASK=255.255.255.255 -NETWORK=$ip -ONBOOT=yes -GATEWAYDEV=$INTERFACE -GATEWAY=$gateway + cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__ +[802-3-ethernet] +duplex=full + +[connection] +id=VM uplink $INTERFACE +uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef +type=802-3-ethernet + +[ipv6] +method=ignore + +[ipv4] +method=manual +dns=$gateway;$secondary_dns +address1=$ip/32,$gateway +may-fail=false __EOF__ fi fi From 427decd7936cd86f9970d4ebba7089feb2bc39a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 9 Nov 2014 05:35:07 +0100 Subject: [PATCH 41/48] network: fix NM uplink config permissions Otherwise NM will not use the file. --- network/setup-ip | 1 + 1 file changed, 1 insertion(+) diff --git a/network/setup-ip b/network/setup-ip index 49e0144..0ad91c6 100755 --- a/network/setup-ip +++ b/network/setup-ip @@ -50,5 +50,6 @@ dns=$gateway;$secondary_dns address1=$ip/32,$gateway may-fail=false __EOF__ + chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE fi fi From ef50c0d7b699c9a7eedd0b65e897a9e0af62740d Mon Sep 17 00:00:00 2001 
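Review bot: The keyfile generated in network/setup-ip hard-codes `uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef` while the file name and `id` vary with `$INTERFACE`, so two uplink interfaces would yield two connections with the same UUID. The file is also created with the default mode; the follow-up patch adds `chmod 600` after the write, which still leaves a moment where NetworkManager can see it with the wrong permissions. Setting the mode before writing (`umask 077` in a subshell around the `cat`) and deriving the UUID per interface would cover both. `$INTERFACE`, `$ip` and `$gateway` are expanded unquoted into a path and into the file, so they are assumed to be trusted values set earlier in the script, outside this hunk.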
From: Jason Mehring Date: Sun, 9 Nov 2014 12:58:48 -0500 Subject: [PATCH 42/48] debian: Add new notification agent depends; remove other --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 831b22d..62c9a95 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, notification-daemon, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From 51cac340ca34ffc1dcb30fa4f62a7e99b07efd40 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Sun, 9 Nov 2014 12:58:57 -0500 Subject: [PATCH 43/48] debian: Added functionality to move desktop entry config files to /usr/share/qubes/xdg/autostart to preserve originals Added trigger for new notify agent; removed trigger for old one --- debian/qubes-core-agent.postinst | 89 +++++++++++++++----------------- debian/qubes-core-agent.triggers | 4 +- 2 files changed, 44 insertions(+), 49 deletions(-) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 0a9499f..142a12a 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -19,6 +19,9 @@ set -e # https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or # the debian-policy package +# Directory that modified desktop entry config files are stored in +XDG_CONFIG_QUBES="/usr/share/qubes/xdg" + # Install overriden services only when original exists installOverridenServices() { override_dir="${1}" 
@@ -67,12 +70,41 @@ reenableNetworkManager() { enableSystemdUnits NetworkManager-dispatcher.service } -remove_ShowIn () { +remove_ShowIn() { if [ -e "${1}" ]; then sed -i '/^\(Not\|Only\)ShowIn/d' "${1}" fi } +showIn() { + desktop_entry="${1}" + shown_in="${2}" + message="${shown_in:-"Shown in All;"}" + desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}" + + # Make sure Qubes autostart directory exists + mkdir -p "${XDG_CONFIG_QUBES_AUTOSTART}/autostart" + + # Desktop entry exists, so move to Qubes directory and modify it + if [ -e "${desktop_entry}" ]; then + echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..." + cp -pf "${desktop_entry}" "${desktop_entry_qubes}" + + remove_ShowIn "${desktop_entry_qubes}" + sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}" + + # Will only be '' if shown in all + if [ ! "${shown_in}x" == "x" ]; then + echo "${shown_in}" >> "${desktop_entry_qubes}" || true + fi + + # Desktop entry must have been removed, so also remove from Qubes directory + else + echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..." + rm -f "${desktop_entry_qubes}" + fi +} + setArrayAsGlobal() { local array="$1" local export_as="$2" 
@@ -195,23 +227,12 @@ case "${1}" in echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf fi - # XXX - Disabling for now; will need to change script to not include ifcfg-rh plugin - #/usr/lib/qubes/qubes-fix-nm-conf.sh # XXX: Test to see if this will satisify dispatcher dependancy if [ ! -e "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service fi - # NetworkManager is looking for this to load. Check into a debian alternative - # - # We are writing the config in qubes-fix-nm-conf.sh to use the ifcfg-rh plugin - # - # [1415425011.785917] [main.c:566] main(): failed to initialize settings storage: Could not load plugin 'ifcfg-rh': /usr/lib/NetworkManager/libnm-settings-plugin-ifcfg-rh.so: cannot open shared object file: No such file or directory - - # Remove ip_forward setting from sysctl, so NM will not reset it - sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf - # Remove old firmware updates link if [ -L /lib/firmware/updates ]; then rm -f /lib/firmware/updates @@ -394,14 +415,6 @@ case "${1}" in fi ;; - # Enable autostart of notification-daemon when installed - /etc/xdg/autostart/notification-daemon.desktop) - if [ ! -e /etc/xdg/autostart/notification-daemon.desktop ]; then - echo "Enabling autostart of notification-daemon when installed..." - ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/ - fi - ;; - # Disable SELinux" /etc/selinux/config) echo "Disabling SELinux..." 
@@ -415,11 +428,9 @@ case "${1}" in # Desktop Entry Modification - Remove existing rules /etc/xdg/autostart/gpk-update-icon.desktop | \ /etc/xdg/autostart/nm-applet.desktop | \ - /etc/xdg/autostart/abrt-applet.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Removing ShowIn from: ${trigger}..." - remove_ShowIn "${trigger}" - fi + /etc/xdg/autostart/abrt-applet.desktop | \ + /etc/xdg/autostart/notify-osd.desktop) + showIn "${trigger}" ;; # Desktop Entry Modification - Not shown in Qubes @@ -434,20 +445,12 @@ case "${1}" in /etc/xdg/autostart/gnome-sound-applet.desktop | \ /etc/xdg/autostart/gnome-screensaver.desktop | \ /etc/xdg/autostart/orca-autostart.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Not Shown in Qubes: ${trigger}..." - remove_ShowIn "${trigger}" - echo 'NotShowIn=QUBES;' >> "${trigger}" || true - fi + showIn "${trigger}" 'NotShowIn=QUBES;' ;; # Desktop Entry Modification - Not shown in in DisposableVM /etc/xdg/autostart/gcm-apply.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Not Shown in DisposableVM: ${trigger}..." - remove_ShowIn "${trigger}" - echo 'NotShowIn=DisposableVM;' >> "${trigger}" || true - fi + showIn "${trigger}" 'NotShowIn=DisposableVM;' ;; # Desktop Entry Modification - Only shown in AppVM 
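Review bot: The first branch of this case lists `gpk-update-icon.desktop` and `nm-applet.desktop` and ends with `;;`, so the later branches for the same two paths (`OnlyShowIn=GNOME;UpdateableVM;` and `OnlyShowIn=GNOME;QUBES;`, in the following hunk) can never run if they belong to the same `case`, which the line numbers suggest. As written, both files are copied with every ShowIn line stripped, i.e. shown everywhere. Drop the two paths from the first pattern list so the specific branches apply. The `case` statement opens and closes outside these hunks.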
@@ -458,27 +461,17 @@ case "${1}" in /etc/xdg/autostart/gnome-settings-daemon.desktop | \ /etc/xdg/autostart/user-dirs-update-gtk.desktop | \ /etc/xdg/autostart/gsettings-data-convert.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Only Shown in Gnome & AppVM: ${trigger}..." - remove_ShowIn "${trigger}" - echo 'OnlyShowIn=GNOME;AppVM;' >> "${trigger}" || true - fi + showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;' ;; # Desktop Entry Modification - Only shown in Gnome & UpdateableVM /etc/xdg/autostart/gpk-update-icon.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Only Shown in Gnome & UpdateableVM: ${trigger}..." - echo 'OnlyShowIn=GNOME;UpdateableVM;' >> "${trigger}" || true - fi + showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;' ;; # Desktop Entry Modification - Only shown in Gnome & Qubes /etc/xdg/autostart/nm-applet.desktop) - if [ -e "${trigger}" ]; then - echo "Desktop Entry Modification - Only Shown in Gnome & Qubes: ${trigger}..." - echo 'OnlyShowIn=GNOME;QUBES;' >> "${trigger}" || true - fi + showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;' ;; *) diff --git a/debian/qubes-core-agent.triggers b/debian/qubes-core-agent.triggers index 2beb695..bd702ab 100644 --- a/debian/qubes-core-agent.triggers +++ b/debian/qubes-core-agent.triggers @@ -3,7 +3,6 @@ interest-noawait /lib/systemd/system/NetworkManager.service interest-noawait /lib/systemd/system/NetworkManager-wait-online.service interest-noawait /lib/systemd/system/ModemManager.service interest-noawait /etc/init/serial.conf -interest-noawait /etc/xdg/autostart/notification-daemon.desktop interest-noawait /etc/selinux/config interest-noawait /lib/systemd/system/cups.service interest-noawait /lib/systemd/system/haveged.service 
@@ -43,3 +42,6 @@ interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop # Desktop Entry Modification - Only shown in Gnome & Qubes interest-noawait /etc/xdg/autostart/nm-applet.desktop + +# Desktop Entry Modification - Show in all +interest-noawait /etc/xdg/autostart/notify-osd.desktop From da6f6bd22b4deac455a1657f3c4dedd2752fa440 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 9 Nov 2014 13:27:38 -0500 Subject: [PATCH 44/48] debian: Wrong variable name was used to create /usr/share/qubes/xdg/autostart --- debian/qubes-core-agent.postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 142a12a..668c254 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -83,7 +83,7 @@ showIn() { desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}" # Make sure Qubes autostart directory exists - mkdir -p "${XDG_CONFIG_QUBES_AUTOSTART}/autostart" + mkdir -p "${XDG_CONFIG_QUBES}/autostart" # Desktop entry exists, so move to Qubes directory and modify it if [ -e "${desktop_entry}" ]; then From 9bb9e8d9e547922ff4f5502bd49160c901673235 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 11 Nov 2014 01:22:26 +0100 Subject: [PATCH 45/48] Fix compile flags order (-lX11 moved to the end) --- misc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/Makefile b/misc/Makefile index b0b18ae..945dd6f 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -10,7 +10,7 @@ all: xenstore-watch python close-window xenstore-watch: xenstore-watch.o $(CC) -o xenstore-watch xenstore-watch.o -lxenstore close-window: close-window.c - $(CC) -lX11 -o $@ $< + $(CC) -o $@ $< -lX11 python: python -m compileall . python -O -m compileall . From 848c53adc21a4b5f715df2dc9a1239c587dbf9bf Mon Sep 17 00:00:00 2001 
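Review bot: The `close-window` recipe in misc/Makefile compiles and links with a bare `$(CC) -o $@ $< -lX11`, so `CPPFLAGS`, `CFLAGS` and `LDFLAGS` from the packaging environment, such as the hardening options a distribution build exports, never reach this binary. `$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $< -lX11` keeps the library last, as this commit intends, and honours them. Whether misc/Makefile sets these variables elsewhere is not visible in the hunk.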
From: Jason Mehring Date: Tue, 11 Nov 2014 13:38:26 -0500 Subject: [PATCH 46/48] debian: Updated tinyproxy filter rules
---
network/filter-updates | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/network/filter-updates b/network/filter-updates
index 7ab1b05..1e5edec 100644
--- a/network/filter-updates
+++ b/network/filter-updates
@@ -13,7 +13,7 @@
 # '/' or '/download' or '?.*'
 # -----------------------------------------------------------------------------
 \.deb\(\|\/\|\/download\|\?.*\)$
-/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\/\)$
+/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$
 /dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
-/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\/\)$
-/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\/\)$
+/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
From 4420df01eacc2d004ce033fa3c8656d83715e53f Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 12 Nov 2014 03:39:17 -0500 Subject: [PATCH 47/48] debian: Don't display systemd info in chroot since systemd show does not work in chroot
---
debian/qubes-core-agent.postinst | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst
index 668c254..db16268 100755
--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
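Review bot: The new trailing group `\(\|\|/\|\/download\|\?.*\)` lets the three index patterns in network/filter-updates accept any query string, and none of the visible patterns is anchored at the start, so after this change the filter constrains only how a URL ends. If this list is meant to limit what the update proxy will fetch, the header comment should say what it does and does not guarantee, or the patterns should be tightened. The group also repeats the empty alternative (`\(\|\|/`), copied from the existing Packages line; `\(\|/\|/download\|\?.*\)` matches the same strings. `Release.gpg` has an unescaped dot and should read `Release\.gpg`.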
@@ -117,28 +117,33 @@ systemdInfo() { unit=${1} return_global_var=${2} - declare -A INFO + declare -A INFO=() while read line; do INFO[${line%%=*}]="${line##*=}" done < <(systemctl show ${unit} 2> /dev/null) + setArrayAsGlobal INFO $return_global_var + return ${#INFO[@]} } displayFailedStatus() { action=${1} unit=${2} - systemdInfo ${unit} info - echo - echo "===================================================" - echo "FAILED: systemd ${action} ${unit}" - echo "===================================================" - echo " LoadState = ${info[LoadState]}" - echo " LoadError = ${info[LoadError]}" - echo " ActiveState = ${info[ActiveState]}" - echo " SubState = ${info[SubState]}" - echo "UnitFileState = ${info[UnitFileState]}" - echo + # Only display if there are results. In chroot environmnet there will be + # no results to 'systemctl show' command + systemdInfo ${unit} info || { + echo + echo "===================================================" + echo "FAILED: systemd ${action} ${unit}" + echo "===================================================" + echo " LoadState = ${info[LoadState]}" + echo " LoadError = ${info[LoadError]}" + echo " ActiveState = ${info[ActiveState]}" + echo " SubState = ${info[SubState]}" + echo "UnitFileState = ${info[UnitFileState]}" + echo + } } # Disable systemd units From ea4eef7de808d93a64d28b1f6c5448494173d4be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 13 Nov 2014 23:19:34 +0100 Subject: [PATCH 48/48] network: fix indentation --- network/setup-ip | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/setup-ip b/network/setup-ip index 0ad91c6..597ec9e 100755 --- a/network/setup-ip +++ b/network/setup-ip @@ -50,6 +50,6 @@ dns=$gateway;$secondary_dns address1=$ip/32,$gateway may-fail=false __EOF__ - chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE + chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE fi fi
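Review bot: systemdInfo now signals "properties were found" through `return ${#INFO[@]}`, which inverts the usual status convention and wraps modulo 256, so a count that is a multiple of 256 reads as empty, and any future caller outside a `||` list would trip `set -e`. Ending the function with `[ ${#INFO[@]} -gt 0 ]` and calling it as `if systemdInfo "${unit}" info; then … fi` in displayFailedStatus states the same thing directly. The new comment has a typo, `environmnet`.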