vm/qubes-yum-proxy: setup yum to use qubes-yum-proxy (#568)

The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it
is reasonable to bypass the proxy. Some examples:
 - usage of non-standard repos with some exotic file layout, which will be
   blocked by the proxy
 - usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM)

This commit introduces 'yum-proxy-setup' pseudo-service, which can be
controlled via standard qvm-service or qubes-manager. When enabled - yum will
be configured at VM startup to use qubes proxy, otherwise - to connect directly
(proxy setting will be cleared).
This commit is contained in:
Marek Marczykowski 2012-05-31 02:37:53 +02:00
parent c37e4b2344
commit 9930a89fb1
3 changed files with 23 additions and 0 deletions

View File

@ -131,6 +131,9 @@ install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
install -d $RPM_BUILD_ROOT/etc/yum.conf.d
touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf
install -d $RPM_BUILD_ROOT/usr/sbin install -d $RPM_BUILD_ROOT/usr/sbin
install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/
@ -236,6 +239,12 @@ fi
# Remove ip_forward setting from sysctl, so NM will not reset it # Remove ip_forward setting from sysctl, so NM will not reset it
sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf
if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then
echo >> /etc/yum.conf
echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
fi
# Prevent unnecessary updates in VMs: # Prevent unnecessary updates in VMs:
sed -i -e '/^exclude = kernel/d' /etc/yum.conf sed -i -e '/^exclude = kernel/d' /etc/yum.conf
echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf
@ -343,6 +352,7 @@ rm -rf $RPM_BUILD_ROOT
/etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_block.rules
/etc/udev/rules.d/99-qubes_network.rules /etc/udev/rules.d/99-qubes_network.rules
/etc/xen/scripts/vif-route-qubes /etc/xen/scripts/vif-route-qubes
/etc/yum.conf.d/qubes-proxy.conf
/etc/yum.repos.d/qubes.repo /etc/yum.repos.d/qubes.repo
/etc/yum/post-actions/qubes_trigger_sync_appmenus.action /etc/yum/post-actions/qubes_trigger_sync_appmenus.action
/lib/firmware/updates /lib/firmware/updates

View File

@ -36,6 +36,13 @@ start()
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi fi
yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null)
if [ "$yum_proxy_setup" != "0" ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
else
echo > /etc/yum.conf.d/qubes-proxy.conf
fi
# Set IP address again (besides action in udev rules); this is needed by # Set IP address again (besides action in udev rules); this is needed by
# DispVM (to override DispVM-template IP) and in case when qubes_ip was # DispVM (to override DispVM-template IP) and in case when qubes_ip was
# called by udev before loading evtchn kernel module - in which case # called by udev before loading evtchn kernel module - in which case

View File

@ -1,5 +1,11 @@
#!/bin/sh #!/bin/sh
if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
else
echo > /etc/yum.conf.d/qubes-proxy.conf
fi
# Set IP address again (besides action in udev rules); this is needed by # Set IP address again (besides action in udev rules); this is needed by
# DispVM (to override DispVM-template IP) and in case when qubes_ip was # DispVM (to override DispVM-template IP) and in case when qubes_ip was
# called by udev before loading evtchn kernel module - in which case # called by udev before loading evtchn kernel module - in which case