From 9c14656ed8405f3457a5c9cea769b3dc8120de0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20M=C3=A9doc?=
Date: Sun, 29 Oct 2017 03:19:36 -0400
Subject: [PATCH 01/13] Makefile: split network install target from core agent install target
---
 Makefile | 118 ++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 83 insertions(+), 35 deletions(-)
diff --git a/Makefile b/Makefile
index 6a6aadf..89e0234 100644
--- a/Makefile
+++ b/Makefile
@@ -56,14 +56,17 @@ SYSTEM_DROPIN_DIR ?= "lib/systemd/system"
 USER_DROPIN_DIR ?= "usr/lib/systemd/user"
 SYSTEM_DROPINS := chronyd.service crond.service cups.service cups.path cups.socket ModemManager.service
-SYSTEM_DROPINS += NetworkManager.service NetworkManager-wait-online.service getty@tty.service
-SYSTEM_DROPINS += tinyproxy.service
+SYSTEM_DROPINS += getty@tty.service
+
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
 SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service tor@default.service
 SYSTEM_DROPINS += systemd-timesyncd.service
+SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
+SYSTEM_DROPINS_NETWORKING += tinyproxy.service
+
 USER_DROPINS := pulseaudio.service pulseaudio.socket
 # Ubuntu Dropins
@@ -106,6 +109,13 @@ install-systemd-dropins:
 install -m 0644 vm-systemd/user/$${dropin}.d/*.conf $(DESTDIR)/$(USER_DROPIN_DIR)/$${dropin}.d/ ;\
 done
+install-systemd-networking-dropins:
+ # Install system dropins
+ @for dropin in $(SYSTEM_DROPINS_NETWORKING); do \
+ install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
+ install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
+ done
+
 install-init:
 install -d $(DESTDIR)$(LIBDIR)/qubes/init
 # FIXME: do a source code move vm-systemd/*.sh to init/
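Review bot: The recipe under `install-systemd-networking-dropins:` repeats the system-dropin loop from `install-systemd-dropins` with only the list variable changed, so a later fix to one loop (mode, glob, error reporting) has to be remembered for the other. A canned recipe taking the list as `$(1)` lets both targets share one copy, and dropping the `@` makes the failing `install` visible when a `vm-systemd/<unit>.d/` directory is missing. The target is a command rather than a file, so it also belongs in the Makefile's `.PHONY` list if there is one; that list is outside this hunk.

```make
define install_system_dropins
	for dropin in $(1); do \
	    install -d $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d ;\
	    install -m 0644 vm-systemd/$${dropin}.d/*.conf $(DESTDIR)/$(SYSTEM_DROPIN_DIR)/$${dropin}.d/ ;\
	done
endef

install-systemd-networking-dropins:
	$(call install_system_dropins,$(SYSTEM_DROPINS_NETWORKING))
```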
@@ -113,16 +123,17 @@ install-init:
 install -m 0755 init/*.sh vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
 install -m 0644 init/functions $(DESTDIR)$(LIBDIR)/qubes/init/
+# Systemd service files
+SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service)
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service
+SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES), $(SYSTEMD_ALL_SERVICES))
+
 install-systemd: install-init
 install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
- install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+ install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
- install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
- install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
- install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
- $(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
 install-sysvinit: install-init
 install -d $(DESTDIR)/etc/init.d
@@ -137,7 +148,7 @@ install-sysvinit: install-init
 install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 install network/qubes-iptables $(DESTDIR)/etc/init.d/
-install-rh: install-systemd install-systemd-dropins install-sysvinit
+install-rh: install-systemd install-systemd-dropins install-sysvinit install-systemd-networking-dropins
 install -D -m 0644 misc/qubes-r4.repo $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo
 install -d $(DESTDIR)$(LIBDIR)/yum-plugins/
 install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)$(LIBDIR)/yum-plugins/
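Review bot: `SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES), $(SYSTEMD_ALL_SERVICES))` relies on the three network unit paths matching files found by `$(wildcard)`, and `filter-out` silently ignores a pattern that matches nothing, so if `qubes-firewall.service` or one of the others is renamed or moved the unit falls back into the core set and ships in the core package with no error at all. A parse-time guard directly after the three assignments makes that a build failure: `ifneq ($(filter-out $(SYSTEMD_ALL_SERVICES),$(SYSTEMD_NETWORK_SERVICES)),)` / `$(error network unit(s) missing from vm-systemd: $(filter-out $(SYSTEMD_ALL_SERVICES),$(SYSTEMD_NETWORK_SERVICES)))` / `endif`. The `:=` flavour is right here, since the `$(wildcard)` should be evaluated exactly once.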
@@ -174,11 +185,6 @@ install-common: install-doc PATH="/usr/bin:$(PATH)" $(PYTHON) setup.py install $(PYTHON_PREFIX_ARG) -O1 --root $(DESTDIR) mkdir -p $(DESTDIR)$(SBINDIR) -ifneq ($(SBINDIR),/usr/bin) - mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall -endif - - install -d -m 0750 $(DESTDIR)/etc/sudoers.d/ install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes install -D -m 0440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm 
@@ -213,26 +219,6 @@ endif install misc/upgrades-status-notify $(DESTDIR)$(LIBDIR)/qubes/upgrades-status-notify install -m 0644 network/udev-qubes-network.rules $(DESTDIR)/etc/udev/rules.d/99-qubes-network.rules - install network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes - install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes - install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/ - install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/ - install -d $(DESTDIR)/etc/dhclient.d - ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh - install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ - install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ - install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d - install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf - install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes - install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh - install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf - install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist - install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy - install -d $(DESTDIR)/etc/xdg/autostart - install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh - install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop - install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules - install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules install -m 0755 network/update-proxy-configs $(DESTDIR)$(LIBDIR)/qubes/ install -d $(DESTDIR)$(BINDIR) 
@@ -275,7 +261,6 @@ endif install -m 0755 qubes-rpc/qubes.InstallUpdatesGUI $(DESTDIR)/etc/qubes-rpc install -m 0755 qubes-rpc/qubes.ResizeDisk $(DESTDIR)/etc/qubes-rpc install -m 0755 qubes-rpc/qubes.StartApp $(DESTDIR)/etc/qubes-rpc - install -m 0755 qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc install -m 0755 qubes-rpc/qubes.PostInstall $(DESTDIR)/etc/qubes-rpc install -m 0755 qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc 
@@ -317,7 +302,70 @@ endif
 install -d $(DESTDIR)/var/run/qubes
 install -d $(DESTDIR)/rw
-install-deb: install-common install-systemd install-systemd-dropins
+# Networking install target includes:
+# * basic network functionality (setting IP address, DNS, default gateway)
+# * package update proxy client
+install-networking:
+ install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system
+ install -m 0644 vm-systemd/qubes-*.socket $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+
+ install -d $(DESTDIR)$(LIBDIR)/qubes/
+ install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
+
+# Netvm install target includes:
+# * qubes-firewall service (FirewallVM)
+# * DNS redirection setup
+# * proxy service used by TemplateVMs to download updates
+install-netvm:
+ install -D -m 0644 $(SYSTEMD_NETWORK_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+
+ install -D -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/qubes-iptables
+
+ install -D -m 0644 vm-systemd/qubes-core-agent-linux.tmpfiles \
+ $(DESTDIR)/usr/lib/tmpfiles.d/qubes-core-agent-linux.conf
+
+ mkdir -p $(DESTDIR)$(SBINDIR)
+
+ifneq ($(SBINDIR),/usr/bin)
+ mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
+endif
+
+ install -D network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes/qubes-setup-dnat-to-ns
+
+ install -d $(DESTDIR)/etc/dhclient.d
+ ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
+
+ install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
+ install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
+ install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
+ install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
+ install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
+
+ install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
+ install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+
+ install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
+
+# networkmanager install target allow integration of NetworkManager for Qubes VM:
+# * make connections config persistent
+# * adjust DNS redirections when needed
+# * show/hide NetworkManager applet icon
+install-networkmanager:
+ install -d $(DESTDIR)$(LIBDIR)/qubes/
+ install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes/
+ install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
+
+ install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
+ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
+
+ install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d
+ install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30
+
+ install -d $(DESTDIR)/etc/xdg/autostart
+ install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/
+ install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
+
+install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins
 mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r4.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r4.list
 install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
From 83e3dd08b9d87f92ae19f4e17dc75bada327e2c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20M=C3=A9doc?=
Date: Sun, 29 Oct 2017 03:20:51 -0400
Subject: [PATCH 02/13] Makefile: ensure that everything is installed by default for rh based agents
---
 Makefile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 89e0234..cbe14e9 100644
--- a/Makefile
+++ b/Makefile
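Review bot: In `install-netvm` the `mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall` relocates a file that only `setup.py install` in `install-common` creates, yet `install-netvm` neither lists `install-common` as a prerequisite nor checks for the file, so `make install-netvm` on its own fails at the `mv` whenever `SBINDIR` is not `/usr/bin` (the Arch invocation later in this series passes `/usr/bin` and so skips it), and under `make -j` even `install-vm` gives the two targets no ordering. Guard it, `test ! -e $(DESTDIR)/usr/bin/qubes-firewall || mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall`, or keep the relocation beside the `setup.py` call that produces the file. The `ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns ...` a few lines lower hard-codes the prefix that the preceding `install -D` takes from `$(LIBDIR)`, so `ln -s $(LIBDIR)/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh` keeps the link valid for any `LIBDIR` (the link target must stay free of `$(DESTDIR)`). Moving `qubes-core-agent-linux.tmpfiles` into `install-netvm` also means a core-only VM no longer gets that tmpfiles.d snippet; its contents are not in this patch, so please confirm nothing the core units rely on is created by it.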
@@ -384,4 +384,8 @@ install-deb: install-common install-systemd install-systemd-dropins install-syst
 mkdir -p $(DESTDIR)/etc/systemd/system/
 install -m 0644 vm-systemd/haveged.service $(DESTDIR)/etc/systemd/system/
-install-vm: install-rh install-common
+install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins
+
+install-netvm: install-systemd-networking-dropins install-networkmanager install-netvm
+
+install-vm: install-corevm install-netvm
From 6e723dca642402fe6f6a3407c8b4011edaf2f1ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20M=C3=A9doc?=
Date: Sun, 29 Oct 2017 03:24:51 -0400
Subject: [PATCH 03/13] archlinux: split core-agent from netvm-agent
---
 archlinux/PKGBUILD | 40 ++++++++++++++++++++++----
 archlinux/PKGBUILD-networking.install | 41 +++++++++++++++++++++++++++
 archlinux/PKGBUILD.install | 20 +------------
 3 files changed, 76 insertions(+), 25 deletions(-)
 create mode 100644 archlinux/PKGBUILD-networking.install
diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD
index 6a3dd4e..65058a1 100644
--- a/archlinux/PKGBUILD
+++ b/archlinux/PKGBUILD
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Maintainer: Olivier Medoc
 # shellcheck disable=SC2034
-pkgname=qubes-vm-core
+pkgname=(qubes-vm-core qubes-vm-networking)
 pkgver=$(cat version)
 pkgrel=13
 epoch=
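Review bot: In the Makefile hunk, `install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins` repeats three targets that `install-rh` already pulls in (`install-rh: install-systemd install-systemd-dropins install-sysvinit` in the previous patch), so the line says no more than `install-corevm: install-rh install-common` and the duplicated list will drift from `install-rh` the next time either changes. If the intent is for `install-corevm` to be usable where `install-rh` is unwanted, the yum-specific pieces should be split out of `install-rh` instead; as it stands the Arch `package_qubes-vm-core()` later in this series has to `rm -r` them after the fact.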
@@ -10,16 +10,13 @@ arch=("x86_64") url="http://qubes-os.org/" license=('GPL') groups=() -depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg) makedepends=(gcc make pkg-config "qubes-vm-utils>=3.1.3" qubes-libvchan qubes-db-vm qubes-vm-xen libx11 python2 python3 lsb-release pandoc) checkdepends=() -optdepends=(gnome-keyring gnome-settings-daemon networkmanager iptables tinyproxy python2-nautilus gpk-update-viewer) provides=() conflicts=() replaces=() backup=() options=() -install=PKGBUILD.install changelog= source=( 
@@ -60,15 +57,25 @@ build() { done } -package() { +package_qubes-vm-core() { + depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools + gnome-packagekit imagemagick fakeroot notification-daemon dconf + zenity qubes-libvchan "qubes-db-vm>=3.2.1" haveged python2-gobject + python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg + socat + ) + optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer) + install=PKGBUILD.install + # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html) # shellcheck disable=SC2154 make -C qrexec install DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib - PYTHON=python2 make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux + PYTHON=python2 make install-corevm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux # Remove things non wanted in archlinux rm -r "$pkgdir/etc/yum"* + rm -r "$pkgdir/etc/dnf"* rm -r "$pkgdir/etc/init.d" # Remove fedora specific scripts rm "$pkgdir/etc/fstab" 
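Review bot: `rm -r "$pkgdir/etc/dnf"*` is new in `package_qubes-vm-core()`, and since makepkg aborts `package_*()` on the first failing command, an unmatched glob makes `rm` fail on the literal pattern and breaks the build; nothing visible in `install-corevm` creates `/etc/dnf*` (`install-rh` in this series only shows `yum.repos.d` and `yum-plugins`), so please confirm the Makefile produces it, or make the distro clean-up tolerant with `rm -rf "$pkgdir"/etc/{yum,dnf}* "$pkgdir/etc/init.d"`. The `socat` entry added to `depends` has no explanation in the commit message; a one-line comment naming its consumer (presumably the update-proxy forwarder that `install-networking` installs, but that is not shown here) would let the next maintainer decide whether it stays with core or belongs to the networking package.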
@@ -101,4 +108,25 @@ EOF rm -r "$pkgdir/var/run" } +#This package provides: +# * basic network functionality (setting IP address, DNS, default gateway) +# * proxy service used by TemplateVMs to download updates +# * qubes-firewall service (FirewallVM) +# +#Integration of NetworkManager for Qubes VM: +# * make connections config persistent +# * adjust DNS redirections when needed +# * show/hide NetworkManager applet icon +# +package_qubes-vm-networking() { + depends=(qubes-vm-core "qubes-vm-utils>=3.1.3" python2 ethtool net-tools + "qubes-db-vm>=3.2.1" networkmanager iptables tinyproxy nftables + ) + install=PKGBUILD-networking.install + + # shellcheck disable=SC2154 + PYTHON=python2 make install-netvm DESTDIR="$pkgdir" SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib SYSTEM_DROPIN_DIR=/usr/lib/systemd/system USER_DROPIN_DIR=/usr/lib/systemd/user DIST=archlinux + +} + # vim:set ts=2 sw=2 et: diff --git a/archlinux/PKGBUILD-networking.install b/archlinux/PKGBUILD-networking.install new file mode 100644 index 0000000..8007fca --- /dev/null +++ b/archlinux/PKGBUILD-networking.install 
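Review bot: `depends=(qubes-vm-core ...)` in `package_qubes-vm-networking()` carries no version constraint, while the units this package installs through `make install-netvm` (`qubes-firewall.service`, `qubes-iptables.service`, `qubes-updates-proxy.service`) presumably execute programs that `qubes-vm-core` ships from the same tree (`qubes-firewall` itself comes from the `setup.py install` in `install-common`), so pacman will pair a new networking package with an older core during a partial upgrade. Split packages built from one PKGBUILD conventionally pin each other to the exact build, `depends=("qubes-vm-core=$pkgver-$pkgrel" "qubes-vm-utils>=3.1.3" ...)`, which also makes the two packages upgrade together.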
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+## arg 1: the new package version
+post_install() {
+ # Create NetworkManager configuration if we do not have it
+ if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
+ echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+ echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+ echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+ fi
+
+ # Remove ip_forward setting from sysctl, so NM will not reset it
+ # Archlinux now use sysctl.d/ instead of sysctl.conf
+ #sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf
+
+ /usr/lib/qubes/qubes-fix-nm-conf.sh
+
+ # Yum proxy configuration is fedora specific
+ #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+ # echo >> /etc/yum.conf
+ # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+ # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+ #fi
+
+ for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
+ systemctl enable $srv.service
+ done
+}
+
+## arg 1: the new package version
+## arg 2: the old package version
+post_upgrade() {
+ post_install
+}
+
+## arg 1: the old package version
+post_remove() {
+ for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do
+ systemctl disable $srv.service
+ done
+}
diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install
index 94a71d5..3438c17 100644
--- a/archlinux/PKGBUILD.install
+++ b/archlinux/PKGBUILD.install
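Review bot: `post_remove()` (and the enable loop in `post_install()`) lists `qubes-network.service`, but this package does not own that unit: `SYSTEMD_NETWORK_SERVICES` in the Makefile names only `qubes-firewall`, `qubes-iptables` and `qubes-updates-proxy`, so `qubes-network.service` stays with `qubes-vm-core`, and this same commit deletes the matching `disable` from core's `PKGBUILD.install`. Removing `qubes-vm-networking` therefore switches off the core VM's own network-setup unit at the next boot while leaving it installed (whether core's `post_install` still enables it is outside this hunk). Use `for srv in qubes-firewall.service qubes-iptables.service qubes-updates-proxy.service ; do` in both loops and keep `qubes-network` under core's enable/disable handling. The commented-out `#sed` and `#if ! grep` blocks carried over from the core script are dead history and are better dropped than copied into a new file.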
@@ -74,29 +74,11 @@ configure_selinux() { ############################ update_qubesconfig() { - # Create NetworkManager configuration if we do not have it - if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then - echo '[main]' > /etc/NetworkManager/NetworkManager.conf - echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf - echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf - fi - /usr/lib/qubes/qubes-fix-nm-conf.sh - - # Remove ip_forward setting from sysctl, so NM will not reset it - # Archlinux now use sysctl.d/ instead of sysctl.conf - #sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf - # Remove old firmware updates link if [ -L /lib/firmware/updates ]; then rm -f /lib/firmware/updates fi - # Yum proxy configuration is fedora specific - #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then - # echo >> /etc/yum.conf - # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf - # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf - #fi #/usr/lib/qubes/update-proxy-configs # Archlinux pacman configuration is handled in update_finalize @@ -438,7 +420,7 @@ post_remove() { rm -rf /var/lib/qubes/xdg - for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-network qubes-qrexec-agent; do + for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-qrexec-agent; do systemctl disable $srv.service done } From 636722ccb587090ada28858b71378c231deab692 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Sun, 29 Oct 2017 16:40:21 +0100 Subject: [PATCH 04/13] Makefile: add basic networking to the new install-corevm target --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cbe14e9..473d3cc 100644 --- a/Makefile +++ b/Makefile 
@@ -384,7 +384,7 @@ install-deb: install-common install-systemd install-systemd-dropins install-syst mkdir -p $(DESTDIR)/etc/systemd/system/ install -m 0644 vm-systemd/haveged.service $(DESTDIR)/etc/systemd/system/ -install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins +install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins install-networking install-netvm: install-systemd-networking-dropins install-networkmanager install-netvm From 7ce29040efd1cc45f1d5cfa9f4860f663203d6d4 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Sun, 29 Oct 2017 21:22:11 +0100 Subject: [PATCH 05/13] Makefile: fix typo created when spliting the install targets --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 473d3cc..aa4bf82 100644 --- a/Makefile +++ b/Makefile @@ -359,7 +359,7 @@ install-networkmanager: install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -d $(DESTDIR)/usr/lib/NetworkManager/conf.d - install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30 + install -m 0644 network/nm-30-qubes.conf $(DESTDIR)/usr/lib/NetworkManager/conf.d/30-qubes.conf install -d $(DESTDIR)/etc/xdg/autostart install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/ From 6ddb8e803415faac8179f157699f848b66f01dcf Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Sun, 29 Oct 2017 22:02:01 +0100 Subject: [PATCH 06/13] Makefile: add network install targets to install-deb --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index aa4bf82..8e37bb9 100644 --- a/Makefile +++ b/Makefile 
@@ -365,7 +365,7 @@ install-networkmanager: install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/ install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop -install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins +install-deb: install-common install-systemd install-systemd-dropins install-systemd-networking-dropins install-networking install-networkmanager install-netvm mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r4.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r4.list install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg From 7ee8c9c672fed744c0b62a9f316fce91e5eddba5 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 30 Oct 2017 16:31:05 +0100 Subject: [PATCH 07/13] archlinux: create a keyring package to install binary repository automatically --- archlinux/PKGBUILD | 19 +++++++++++++++++-- archlinux/PKGBUILD-keyring-keys | 30 ++++++++++++++++++++++++++++++ archlinux/PKGBUILD-keyring-revoked | 0 archlinux/PKGBUILD-keyring-trusted | 1 + archlinux/PKGBUILD-keyring.install | 18 ++++++++++++++++++ 5 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 archlinux/PKGBUILD-keyring-keys create mode 100644 archlinux/PKGBUILD-keyring-revoked create mode 100644 archlinux/PKGBUILD-keyring-trusted create mode 100644 archlinux/PKGBUILD-keyring.install diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 65058a1..ca38636 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -1,9 +1,9 @@ #!/bin/bash # Maintainer: Olivier Medoc # shellcheck disable=SC2034 -pkgname=(qubes-vm-core qubes-vm-networking) +pkgname=(qubes-vm-core qubes-vm-networking qubes-vm-keyring) pkgver=$(cat version) -pkgrel=13 +pkgrel=14 epoch= pkgdesc="The Qubes core files for installation inside a Qubes VM." arch=("x86_64") 
@@ -24,6 +24,9 @@ source=(
 PKGBUILD-qubes-pacman-options.conf
 PKGBUILD-qubes-repo-3.2.conf
 PKGBUILD-qubes-repo-4.0.conf
+ PKGBUILD-keyring-keys
+ PKGBUILD-keyring-trusted
+ PKGBUILD-keyring-revoked
 )
 noextract=()
@@ -129,4 +132,16 @@ package_qubes-vm-networking() {
 }
+package_qubes-vm-keyring() {
+ pkgdesc="Qubes OS Binary Repository Activation package and Keyring"
+ install=PKGBUILD-keyring.install
+
+ # Install keyring (will be activated through the .install file)
+ install -dm755 ${pkgdir}/usr/share/pacman/keyrings/
+ install -m0644 PKGBUILD-keyring-keys ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg
+ install -m0644 PKGBUILD-keyring-trusted ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted
+ install -m0644 PKGBUILD-keyring-revoked ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked
+
+}
+
 # vim:set ts=2 sw=2 et:
diff --git a/archlinux/PKGBUILD-keyring-keys b/archlinux/PKGBUILD-keyring-keys
new file mode 100644
index 0000000..33b9077
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring-keys
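Review bot: `package_qubes-vm-keyring()` installs a key file and a separate trusted-fingerprint list without checking that they describe the same key, so a refreshed `PKGBUILD-keyring-keys` paired with a stale `PKGBUILD-keyring-trusted` (or the reverse) builds cleanly and only fails on user machines, where `pacman-key --populate` either finds no key for the trusted fingerprint or assigns full trust to a fingerprint that is not the one shipped. A build-time assertion in this function turns that into a build error, e.g. `gpg --batch --with-colons --import-options show-only --import PKGBUILD-keyring-keys | grep -q "^fpr:*$(cut -d: -f1 PKGBUILD-keyring-trusted):"` (add `gnupg` to `makedepends`; makepkg aborts on the failing `grep`). The armored block is installed under a `.gpg` name; gpg's import auto-detects armor so `pacman-key --populate` should cope, but a comment stating this is intentional would save the next reader the check.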
@@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFM0TnYBCADNyamUtA9e0/oUu4AeAgt1JYDtq3zCQSX7pHpY1zkGtulppSOe +gkCgW2db+FlKeUNHQ+JX0uv8Ny0SjQBZO0yNxDLfPuqJzM/VjUIdLTJS0FEpxzT1 +Oiz0WRdcbeHtQ8SmEfmRStaB9PTNZ97FogFFONvQ6r/ICNldqfe+Qq72D/p6FqNM +mW16dZokQEOgJpOb/L7dHNrta1ye8CurrEbXIt7B+4NnUpvzFmnQ+OxsC3AUbvI5 +PbaQyu8ivhoofnpgj66PojlFYMaL8mUaScL2VM5Ljx72zVA5+MUmk8O02O2X8Rdc ++5boRi2h7oyCASBYK3x+WayaDTNWx3o8+sSdABEBAAG0N09saXZpZXIgTUVET0Mg +KFF1YmVzLU9TIHNpZ25pbmcga2V5KSA8b19tZWRvY0B5YWhvby5mcj6JAT4EEwEC +ACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW+jhsBQkHiFDrAAoJECBD +56zBgzucHCwH/RLCCM1PJ50jEMJg7ZBrwkv5cvKePD1iGhPFOZ1gBtMTYfl7zJO7 +gOuOgQ+TKjfIFM/ijQBFMRmByrQ0ZkGNIqY7JB3shZ5EsCeb7cgyw7hEyj4S3O6e +K+CVVy4CBAyXILVr/En8xU41K1qQpEiHkvqk0E05sEkYcN4Ggvw5JUNWpZO7fl6I +tLvTBf5aPqiLqWN08fjdmVJ/5l+LCdMyJxUdsQV0pkzcv9l8ouB/0ig8HikoC+dW +HuWbk9uj1CU0c4C8tTbOszjKAbEZ5msZ2NUxPM1vqKaac8IbWkSJBqlYFcb3PSMk +LmFtXN/0hAcf8KbziODQgKcyuEBi3b5d6wy5AQ0EUzROdgEIAOG22xrDqJkCrEx8 +QFnZYSwxV2lI9fDyCT/kaHPa/5YOV/Xa01RLM27UPbV/UKkKN+M6+mFj26e+E25p +2R/e1Wk9HDrbu7NDXozGcKDlTIAmQ4yjNVb/G1850/SO1vuPDfNzMD81F18XzYCa +eyUV88HjXTbJSeJAbjWNvTkoMK4wY6PlHfyT0G0i4svfL/mZCGM8KagNouGHuG8s +5JKwlC1BZnmfDuB4exP7cSNEDWwnBn98rx13DMLkGJu1xGnLqdGJw6WpP4a1IG7A +9NDE2VetAS/ElMbMqfyuqiAxhtnuGdxstDaU7gW4VMTjAOMtO9LLY20EipsSBUrg +7U1ync0AEQEAAYkBJQQYAQIADwIbDAUCVvo4nQUJB4hRJAAKCRAgQ+eswYM7nLWy +CAC6enhJbXKGchqgfh+CeKsvWg97JG8yjW4W/9RL9Vto8ppgNzIKbA7AKgqOiy5l +TToLaxK+Z1JE72lsWUnALmz1Oa7M7M9J1ptfD8TMj1/D3cj2Lnrg7qTaEEL5Nw+t +FRNXeUjsuWt+iW7eYiGtI+eSWBokH945Ig32vf88n0t3F8whDRzv5fy1yF35aMRS +HS5gDJv5t2BnPtehMhr5EOHbUH3UFevA79Hf4bUlOOo7eTTmSPMDcWFUA9MMKoE5 +pkHwoimXiNJy3e8TZ4uSTBH8XcXA/5mYSXbWKBX4Y5JznOBTtkjGsbL7dua3zDbF +BGNH5RhiY1/bJ+m4zxU8bDWq +=ofdo +-----END PGP PUBLIC KEY BLOCK----- diff --git a/archlinux/PKGBUILD-keyring-revoked b/archlinux/PKGBUILD-keyring-revoked new file mode 100644 index 0000000..e69de29 
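Review bot: The self-signature on this key appears to carry a key-expiration subpacket: decoding the hashed area of the certification signature (`...BQJW+jhsBQkHiFDr...`) gives subpacket type 9 with 0x078850EB seconds, about four years measured from the key creation time 0x53344E76 (2014-03-27), which puts expiry around the end of March 2018 — roughly five months after these commits. Please confirm with `gpg --list-packets PKGBUILD-keyring-keys`; if that reading holds, pacman will refuse every package signed by this key from that date on, so a re-signed key and a `pkgrel` bump of `qubes-vm-keyring` have to ship before then, and a comment in the PKGBUILD recording the expiry date would keep it from being rediscovered during an outage. The key is RSA-2048 (algorithm 1, 0x0800 bits) with a SHA-1 self-signature (hash algorithm 2), which pacman still accepts but is worth moving to SHA-256 when the key is next re-signed.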
diff --git a/archlinux/PKGBUILD-keyring-trusted b/archlinux/PKGBUILD-keyring-trusted
new file mode 100644
index 0000000..a608c62
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring-trusted
@@ -0,0 +1 @@
+D85EE12F967851CCF433515A2043E7ACC1833B9C:4:
diff --git a/archlinux/PKGBUILD-keyring.install b/archlinux/PKGBUILD-keyring.install
new file mode 100644
index 0000000..c02da49
--- /dev/null
+++ b/archlinux/PKGBUILD-keyring.install
@@ -0,0 +1,18 @@
+post_upgrade() {
+ if usr/bin/pacman-key -l >/dev/null 2>&1; then
+ usr/bin/pacman-key --populate archlinux
+ fi
+ release=$(echo "$1" | cut -d '.' -f 1,2)
+
+ if ! [ -h /etc/pacman.d/99-qubes-repository-${release}.conf ] ; then
+ ln -s /etc/pacman.d/99-qubes-repository-${release}.conf.disabled /etc/pacman.d/99-qubes-repository-${release}.conf
+ fi
+
+}
+
+post_install() {
+ if [ -x usr/bin/pacman-key ]; then
+ post_upgrade "$1"
+ fi
+}
+
From d0b2a8b4b01b9f455e6a564e5cca2c10104c668d Mon Sep 17 00:00:00 2001
From: Olivier MEDOC
Date: Tue, 31 Oct 2017 15:12:04 +0100
Subject: [PATCH 08/13] archlinux: fix shellcheck issues
---
 archlinux/PKGBUILD | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD
index ca38636..076e9a8 100644
--- a/archlinux/PKGBUILD
+++ b/archlinux/PKGBUILD
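Review bot: `post_upgrade()` in `PKGBUILD-keyring.install` enables the binary repository — the `ln -s` to `99-qubes-repository-${release}.conf.disabled` — regardless of whether the `pacman-key` block before it ran or succeeded, and regardless of whether the `.conf.disabled` target exists; that file is shipped by a different package, so on a VM without it the script leaves a dangling `99-qubes-repository-4.0.conf` in `/etc/pacman.d/`, and a failed key import still switches the repo on (pacman then fails closed on signature checks, but noisily on every `pacman -Sy`). `post_install()` is also stricter than `post_upgrade()`: it does nothing without `pacman-key`, while an upgrade enables the repo anyway. Make the populate call fatal with `|| return 1`, gate the symlink on the target existing, test with `-e` rather than `-h` so an existing regular file is skipped instead of making `ln` fail, and quote the expansions.

```bash
	# … unchanged: pacman-key --populate (append `|| return 1`) …
	release=$(echo "$1" | cut -d '.' -f 1,2)
	repo="/etc/pacman.d/99-qubes-repository-${release}.conf"
	if [ -e "${repo}.disabled" ] && ! [ -e "$repo" ]; then
		ln -s "${repo}.disabled" "$repo"
	fi
```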
@@ -137,10 +137,10 @@ package_qubes-vm-keyring() { install=PKGBUILD-keyring.install # Install keyring (will be activated through the .install file) - install -dm755 ${pkgdir}/usr/share/pacman/keyrings/ - install -m0644 PKGBUILD-keyring-keys ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg - install -m0644 PKGBUILD-keyring-trusted ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted - install -m0644 PKGBUILD-keyring-revoked ${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked + install -dm755 "${pkgdir}/usr/share/pacman/keyrings/" + install -m0644 PKGBUILD-keyring-keys "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm.gpg" + install -m0644 PKGBUILD-keyring-trusted "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-trusted" + install -m0644 PKGBUILD-keyring-revoked "${pkgdir}/usr/share/pacman/keyrings/qubesos-vm-revoked" } From cf4fdb8b77d8fc96fe6e34a27e112bb66396cc81 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 6 Nov 2017 22:51:57 +0100 Subject: [PATCH 09/13] Makefile: remove invalid reference to network dropins install target Fix redundant presence of NetworkManager dropins both in qubes-vm-core and qubes-vm-networking (https://github.com/QubesOS/qubes-issues/issues/3185) --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8e37bb9..485808e 100644 --- a/Makefile +++ b/Makefile @@ -148,7 +148,7 @@ install-sysvinit: install-init install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules install network/qubes-iptables $(DESTDIR)/etc/init.d/ -install-rh: install-systemd install-systemd-dropins install-sysvinit install-systemd-networking-dropins +install-rh: install-systemd install-systemd-dropins install-sysvinit install -D -m 0644 misc/qubes-r4.repo $(DESTDIR)/etc/yum.repos.d/qubes-r4.repo install -d $(DESTDIR)$(LIBDIR)/yum-plugins/ install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)$(LIBDIR)/yum-plugins/ 
From 0999d3b78fd49463d8fe6b3a8dc4488b51223bfa Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 6 Nov 2017 23:23:18 +0100 Subject: [PATCH 10/13] archlinux: fix incorrect keyring being populated Fix one of the issue described in the following commit: https://github.com/QubesOS/qubes-issues/issues/3185 --- archlinux/PKGBUILD-keyring.install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archlinux/PKGBUILD-keyring.install b/archlinux/PKGBUILD-keyring.install index c02da49..c915659 100644 --- a/archlinux/PKGBUILD-keyring.install +++ b/archlinux/PKGBUILD-keyring.install @@ -1,6 +1,6 @@ post_upgrade() { if usr/bin/pacman-key -l >/dev/null 2>&1; then - usr/bin/pacman-key --populate archlinux + usr/bin/pacman-key --populate qubesos-vm fi release=$(echo "$1" | cut -d '.' -f 1,2) From 5b45cf1808cb53c1f9e25cf6b90e09d6dbf02071 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Sun, 19 Nov 2017 08:57:31 +0100 Subject: [PATCH 11/13] archlinux: add recently splitted packages as optional dependencies of qubes-vm-core Also improve package description and comments. --- archlinux/PKGBUILD | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index 076e9a8..86e3b15 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -60,6 +60,12 @@ build() { done } +#This package provides: +# * qrexec agent +# * qubes rpc scripts +# * core linux tools and scripts +# * core systemd services and drop-ins +# * basic network functionality (setting IP address, DNS, default gateway) package_qubes-vm-core() { depends=("qubes-vm-utils>=3.1.3" python2 python2-xdg ethtool ntp net-tools gnome-packagekit imagemagick fakeroot notification-daemon dconf 
@@ -67,7 +73,7 @@ package_qubes-vm-core() { python2-dbus xdg-utils notification-daemon gawk sed procps-ng librsvg socat ) - optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer) + optdepends=(gnome-keyring gnome-settings-daemon python2-nautilus gpk-update-viewer qubes-vm-networking qubes-vm-keyring) install=PKGBUILD.install # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html) @@ -112,7 +118,6 @@ EOF } #This package provides: -# * basic network functionality (setting IP address, DNS, default gateway) # * proxy service used by TemplateVMs to download updates # * qubes-firewall service (FirewallVM) # @@ -122,6 +127,7 @@ EOF # * show/hide NetworkManager applet icon # package_qubes-vm-networking() { + pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM" depends=(qubes-vm-core "qubes-vm-utils>=3.1.3" python2 ethtool net-tools "qubes-db-vm>=3.2.1" networkmanager iptables tinyproxy nftables ) From 0cd100b91ac91f121955887c1a700128102fdb17 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Mon, 20 Nov 2017 16:56:57 +0100 Subject: [PATCH 12/13] Makefile: install-netvm shouldn't be a dependency of itself. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 485808e..8e70d7c 100644 --- a/Makefile +++ b/Makefile @@ -386,6 +386,6 @@ install-deb: install-common install-systemd install-systemd-dropins install-syst install-corevm: install-rh install-common install-systemd install-sysvinit install-systemd-dropins install-networking -install-netvm: install-systemd-networking-dropins install-networkmanager install-netvm +install-netvm: install-systemd-networking-dropins install-networkmanager install-vm: install-corevm install-netvm From 9345a29b7e843cf619ac4a6341f6fff489f1015e Mon Sep 17 00:00:00 2001 
From: Olivier MEDOC Date: Mon, 20 Nov 2017 16:58:26 +0100 Subject: [PATCH 13/13] archlinux fix .service added twice in networking install script --- archlinux/PKGBUILD-networking.install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/archlinux/PKGBUILD-networking.install b/archlinux/PKGBUILD-networking.install index 8007fca..965778a 100644 --- a/archlinux/PKGBUILD-networking.install +++ b/archlinux/PKGBUILD-networking.install @@ -23,7 +23,7 @@ post_install() { #fi for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do - systemctl enable $srv.service + systemctl enable $srv done } @@ -36,6 +36,6 @@ post_upgrade() { ## arg 1: the old package version post_remove() { for srv in qubes-firewall.service qubes-iptables.service qubes-network.service qubes-updates-proxy.service ; do - systemctl disable $srv.service + systemctl disable $srv done }