
Merge tag 'hw42_debian-systemd-3' into debian

Conflicts:
	debian/control
	Merged postinst scripts from hw42 and nrgaway
Marek Marczykowski-Górecki преди 9 години
родител
ревизия
c817bb0282

+ 14 - 7
Makefile

@@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
 
-install-common:
-	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
+	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
+	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
+
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 
+	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
+	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
+
+install-common:
+	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+
 	install -d $(DESTDIR)/var/lib/qubes
 
 	install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
 	install -d $(DESTDIR)/etc/udev/rules.d
 	install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
 	install -d $(DESTDIR)/usr/lib/qubes/
-	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
 	install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
 	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
-	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
 	install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 	install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 	install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
@@ -129,8 +135,6 @@ install-common:
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
 	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
@@ -176,7 +180,6 @@ install-common:
 	install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
 
 	install -d $(DESTDIR)/mnt/removable
-	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
 
 	install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
 
@@ -188,5 +191,9 @@ install-deb:
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 	sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
+	install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
+	install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
+	install -d $(DESTDIR)/etc/sysctl.d
+	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 
 install-vm: install-rh install-common
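Review bot: The Debian copies of the firewall rules are installed world-readable (`install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4` and the rules.v6 line), while the same two source files go to /etc/sysconfig with `-m 0400` in install-rh in this commit. If the restrictive mode is intentional there, the Debian lines should match, e.g. `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4`; otherwise a comment explaining the difference would help. These paths are presumably the ones iptables-persistent (added to Depends in debian/control) restores at boot, so it is worth confirming that its own maintainer scripts do not rewrite the shipped files. The install-deb recipe starts above the hunk.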

+ 1 - 1
debian/control

@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
 
 Package: qubes-core-agent
 Architecture: any
-Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends}
+Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends}
 Conflicts: qubes-core-agent-linux
 Description: Qubes core agent
  This package includes various daemons necessary for qubes domU support,

+ 0 - 1
debian/files

@@ -1 +0,0 @@
-qubes-core-agent_2.1.33_amd64.deb admin extra

+ 15 - 7
debian/postinst

@@ -105,13 +105,21 @@ case "$1" in
         # Revert 'Prevent unnecessary updates in VMs':
         #sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 
-        # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-        #if ! grep -q localhost /etc/hosts; then
-        cat <<EOF > /etc/hosts
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-EOF
-        #fi
+        # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
+        # in the form expected by qubes-sysinit.sh
+        for ip in '127\.0\.1\.1' '::1'; do
+            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+                sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+                sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+            else
+                echo "${ip} `hostname`" >> /etc/hosts
+            fi
+        done
+        # remove hostname from 127.0.0.1 line (in debian the hostname is by default
+        # resolved to 127.0.1.1)
+        sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+
+        chown user:user /home_volatile/user
 
         #if [ "$1" !=  1 ] ; then
         #    # do the rest of %post thing only when updating for the first time...
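Review bot: The output of `hostname` is spliced unescaped into the sed patterns of the new loop and of the 127.0.0.1 cleanup line, so a `.` in the name matches any character and the edit to /etc/hosts can remove or keep more than the literal hostname. Capturing the name once and escaping the dot, e.g. `hn=$(hostname | sed 's/\./\\./g')`, and using `$hn` in the patterns (the raw name in the `echo` line) keeps the match literal; this assumes the name holds only the usual letters, digits, `-` and `.`. The same loop is added in rpm_spec/core-vm.spec. Separately, `chown user:user /home_volatile/user` runs unconditionally, and whether a missing directory aborts the script depends on shell options set outside the hunk. The `case` body starts and ends outside the hunk.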

+ 1 - 1
misc/dispvm-prerun.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 apps="evince /usr/libexec/evinced soffice firefox"
 

+ 3 - 3
misc/qubes-r2.list.in

@@ -1,11 +1,11 @@
 # Main qubes updates repository
-deb http://deb.qubes-os.org/r2/vm @DIST@ main
+deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@ main
 deb-src http://deb.qubes-os.org/r2/vm @DIST@ main
 
 # Qubes updates candidates repository
-#deb http://deb.qubes-os.org/r2/vm @DIST@-testing main
+#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-testing main
 #deb-src http://deb.qubes-os.org/r2/vm @DIST@-testing main
 
 # Qubes experimental/unstable repository
-#deb http://deb.qubes-os.org/r2/vm @DIST@-unstable main
+#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-unstable main
 #deb-src http://deb.qubes-os.org/r2/vm @DIST@-unstable main

+ 1 - 0
network/80-qubes.conf

@@ -0,0 +1 @@
+net.ipv4.ip_forward=1
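Review bot: `net.ipv4.ip_forward=1` is installed by install-deb into /etc/sysctl.d, so it apparently applies from early boot in every VM that receives the package, whether or not that VM routes traffic for others. network/qubes-firewall in this same commit writes 0 to /proc/sys/net/ipv4/ip_forward while rules are being reapplied, which suggests forwarding without the rules in place is considered unsafe; with this file the boot-time window presumably depends on /etc/iptables/rules.v4 being restored first. The file should state that assumption, e.g. `# forwarding is on at boot; relies on /etc/iptables/rules.v4 being loaded before any vif comes up`, or forwarding could be left to the network service that already toggles it.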

+ 7 - 7
network/qubes-firewall

@@ -23,8 +23,8 @@ while true; do
 		TRIGGER=reload
 	else
 		# Wait for changes in xenstore file
-		/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
-		TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+		xenstore-watch-qubes $XENSTORE_IPTABLES
+		TRIGGER=$(xenstore-read $XENSTORE_IPTABLES)
 	fi
 
 	if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
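Review bot: `xenstore-watch-qubes` and `xenstore-read` are now resolved through PATH, and nothing in the visible hunks sets PATH, so which binaries this firewall loop runs depends on the environment of whatever starts it. A fixed assignment near the top of the script, `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, would keep the portability gain without that dependence; the same applies to the changed calls in the second hunk of this file and in network/qubes-netwatcher and vm-systemd/network-proxy-setup.sh. The second hunk also leaves `/sbin/iptables-restore -n` and `/usr/bin/notify-send` absolute while the call just above was changed to bare `iptables-restore`, which looks like an oversight. The `while` loop starts and ends outside the hunk.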
@@ -34,19 +34,19 @@ while true; do
 	# during the time when the rules are being (re)applied
 	echo "0" > /proc/sys/net/ipv4/ip_forward
 
-	RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
-	IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
-	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true`
+	RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER)
+	IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
+	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
 
 	for i in $(xenstore-list qubes-iptables-domainrules) ; do
-		RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i")
+		RULES=$(xenstore-read qubes-iptables-domainrules/"$i")
 		ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
 		if [ -n "$ERRS" ]; then
 			echo "Failed applying rules for $i: $ERRS" >&2
 			OUT="$OUT$ERRS"
 		fi
 	done		
-	/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+	xenstore-write $XENSTORE_ERROR "$OUT"
 	if [ -n "$OUT" ]; then
 		DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
 	fi

+ 5 - 5
network/qubes-netwatcher

@@ -11,9 +11,9 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 
 while true; do
-	NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :)
+	NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
 	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
-		UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
+		UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
 		# UNTRUSTED_NETCFG is not parsed in any way
 		# thus, no sanitization ready
 		# but be careful when passing it to other shell scripts
@@ -21,11 +21,11 @@ while true; do
 			/sbin/service qubes-firewall stop
 			/sbin/service qubes-firewall start
 			CURR_NETCFG="$UNTRUSTED_NETCFG"
-			/usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
+			xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
 		fi
 
-		/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
+		xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
 	else
-		/usr/bin/xenstore-watch -n 2 qubes-netvm-domid
+		xenstore-watch -n 2 qubes-netvm-domid
 	fi
 done

+ 1 - 1
network/qubes-setup-dnat-to-ns

@@ -10,7 +10,7 @@ addrule()
         fi
 }
 export PATH=$PATH:/sbin:/bin
-source /var/run/qubes/qubes-ns
+. /var/run/qubes/qubes-ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
 iptables -t nat -F PR-QBS
 FIRSTONE=yes

+ 11 - 0
rpm_spec/core-vm.spec

@@ -210,6 +210,17 @@ if ! grep -q localhost /etc/hosts; then
 EOF
 fi
 
+# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
+# in the form expected by qubes-sysinit.sh
+for ip in '127\.0\.0\.1' '::1'; do
+    if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+        sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+        sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+    else
+        echo "${ip} `hostname`" >> /etc/hosts
+    fi
+done
+
 if [ "$1" !=  1 ] ; then
 # do the rest of %post thing only when updating for the first time...
 exit 0

+ 4 - 4
vm-systemd/network-proxy-setup.sh

@@ -1,11 +1,11 @@
 #!/bin/sh
 
 # Setup gateway for all the VMs this netVM is serviceing...
-network=$(/usr/bin/xenstore-read qubes-netvm-network 2>/dev/null)
+network=$(xenstore-read qubes-netvm-network 2>/dev/null)
 if [ "x$network" != "x" ]; then
-    gateway=$(/usr/bin/xenstore-read qubes-netvm-gateway)
-    netmask=$(/usr/bin/xenstore-read qubes-netvm-netmask)
-    secondary_dns=$(/usr/bin/xenstore-read qubes-netvm-secondary-dns)
+    gateway=$(xenstore-read qubes-netvm-gateway)
+    netmask=$(xenstore-read qubes-netvm-netmask)
+    secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
     modprobe netbk 2> /dev/null || modprobe xen-netback
     echo "NS1=$gateway" > /var/run/qubes/qubes-ns
     echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns

+ 1 - 1
vm-systemd/prepare-dvm.sh

@@ -29,7 +29,7 @@ if xenstore-read qubes-save-request 2>/dev/null ; then
     echo "Waiting for save/restore..."
     # ... wait until qubes-restore.c (in Dom0) recreates VM-specific keys
     while ! xenstore-read qubes-restore-complete 2>/dev/null ; do
-        usleep 10000
+        sleep 0.01
     done
     echo Back to life.
 fi

+ 1 - 0
vm-systemd/qubes-qrexec-agent.service

@@ -3,6 +3,7 @@ Description=Qubes remote exec agent
 After=qubes-dvm.service
 
 [Service]
+ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
 ExecStart=/usr/lib/qubes/qrexec-agent
 StandardOutput=syslog
 

+ 17 - 5
vm-systemd/qubes-sysinit.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # List of services enabled by default (in case of absence of xenstore entry)
 DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
@@ -33,6 +33,8 @@ mkdir -p /var/run/xen-hotplug
 
 # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read
 chmod 666 /proc/xen/xenbus
+
+[ -e /proc/u2mfn ] || modprobe u2mfn
 # Set permissions to files needed to listen at vchan
 chmod 666 /proc/u2mfn
 
@@ -62,14 +64,24 @@ done
 name=`$XS_READ name`
 if [ -n "$name" ]; then
     hostname $name
-    sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
+    if [ -e /etc/debian_version ]; then
+        ipv4_localhost_re="127\.0\.1\.1"
+    else
+        ipv4_localhost_re="127\.0\.0\.1"
+    fi
+    sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
+    sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
 fi
 
 timezone=`$XS_READ qubes-timezone 2> /dev/null`
 if [ -n "$timezone" ]; then
-    ln -f /usr/share/zoneinfo/$timezone /etc/localtime
-    echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
-    echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+    cp -p /usr/share/zoneinfo/$timezone /etc/localtime
+    if [ -e /etc/debian_version ]; then
+        echo "$timezone" > /etc/timezone
+    else
+        echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
+        echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+    fi
 fi
 
 # Prepare environment for other services
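Review bot: `$timezone` and `$name` come from xenstore reads and are used unquoted: `$timezone` as a path component in `cp -p /usr/share/zoneinfo/$timezone /etc/localtime`, and `$name` inside the two new sed replacements. A value containing whitespace, `..`, `/` or `&` would change which file is copied or how /etc/hosts is rewritten. Quoting and checking before use would close that, e.g. `[ -f "/usr/share/zoneinfo/$timezone" ] && cp -p "/usr/share/zoneinfo/$timezone" /etc/localtime` after rejecting values that contain `..`, and restricting `$name` to hostname characters before `hostname $name` and the sed calls. How far the xenstore content is trusted at this point is not visible in the hunk.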