From b0ac8adca3a46c849a66f9e9386b4f9c0291f643 Mon Sep 17 00:00:00 2001 From: HW42 Date: Thu, 25 Sep 2014 03:57:33 +0200 Subject: [PATCH 01/13] move fedora specific stuff to install-rh target --- Makefile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index b318c3b..a0e8590 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,9 @@ install-rh: install -d $(DESTDIR)/etc/init.d install vm-init.d/* $(DESTDIR)/etc/init.d/ + install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf + install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ @@ -76,10 +79,12 @@ install-rh: install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf + install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ + install -d $(DESTDIR)/var/lib/qubes/dom0-updates + install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action + install-common: install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes - install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf - install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login install -d $(DESTDIR)/var/lib/qubes 
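Review bot: `install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/` and `install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login` rely on install(1)'s default 0755 mode while every neighbouring line in install-rh states `-m` explicitly; for scripts that run as root in the VM the mode should be spelled out, `install -m 0755 misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/` and `install -D -m 0755 misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login`. This is a consistency point only; the lines are moved verbatim from install-common. The install-rh recipe begins above the hunk shown.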
@@ -87,10 +92,8 @@ install-common: install -d $(DESTDIR)/etc/udev/rules.d install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules install -d $(DESTDIR)/usr/lib/qubes/ - install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/ install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/ - install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs @@ -117,8 +120,6 @@ install-common: install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes - install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables - install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy @@ -162,7 +163,6 @@ install-common: install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf install -d $(DESTDIR)/mnt/removable - install -d $(DESTDIR)/var/lib/qubes/dom0-updates install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf From dad11bd378614c3bafab4194ae98b29cf7917b1f Mon Sep 17 00:00:00 2001 
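Review bot: The two `install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables` / ip6tables lines are removed from install-common here but, unlike every other line this patch moves, are not re-added to install-rh anywhere in it; the diffstat's 7 insertions are fully accounted for by the serial, dom0-updates and appmenus lines, so after this patch neither visible target installs the Fedora firewall rule set. Unless install-rh already carries them above the hunk shown (or the RPM spec installs them on its own), they should be moved rather than dropped: `install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables` and `install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables` under install-rh. Both recipes extend beyond the hunks shown.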
From: HW42 Date: Fri, 26 Sep 2014 23:19:01 +0200 Subject: [PATCH 02/13] don't track debina/files (since it is autogenerated) --- debian/files | 1 - 1 file changed, 1 deletion(-) delete mode 100644 debian/files diff --git a/debian/files b/debian/files deleted file mode 100644 index 67ae435..0000000 --- a/debian/files +++ /dev/null @@ -1 +0,0 @@ -qubes-core-agent_2.1.33_amd64.deb admin extra From 435c04e8a4d6951c2e7747f566fd14bacb6519fc Mon Sep 17 00:00:00 2001 From: HW42 Date: Thu, 25 Sep 2014 16:33:49 +0200 Subject: [PATCH 03/13] use systemd in debian --- Makefile | 17 +++- debian/init.d | 224 -------------------------------------------------- debian/rules | 6 +- 3 files changed, 16 insertions(+), 231 deletions(-) delete mode 100644 debian/init.d diff --git a/Makefile b/Makefile index a0e8590..2ef4c76 100644 --- a/Makefile +++ b/Makefile 
@@ -51,16 +51,15 @@ install-rh: install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login - install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init - install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ - install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ - install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/ install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-update-check.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-update-check.timer $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-yum-proxy.service $(DESTDIR)/lib/systemd/system/ install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ 
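Review bot: qubes-update-check.service/.timer stay Fedora-only in install-rh after this hunk, yet qubes-sysinit.sh's DEFAULT_ENABLED_NETVM and DEFAULT_ENABLED_APPVM (visible as context in patch 05 of this series) still list `qubes-update-check`, so a Debian VM will be asked to start a unit the package never ships and the failure is silent. Either install the update-check units from install-common as well (they look distribution-neutral apart from the script they run, which I cannot see) or drop `qubes-update-check` from the defaults on Debian, with a comment here saying which units are intentionally Fedora-only, e.g. `# yum-proxy and update-check units assume yum; Debian gets apt equivalents elsewhere`. The install-rh recipe continues outside the hunk.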
@@ -169,6 +168,16 @@ install-common: install -d $(DESTDIR)/var/run/qubes install -d $(DESTDIR)/home_volatile/user + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init + install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-dvm.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-firewall.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-misc-post.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-netwatcher.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-network.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-qrexec-agent.service $(DESTDIR)/lib/systemd/system/ + install -m 0644 vm-systemd/qubes-sysinit.service $(DESTDIR)/lib/systemd/system/ + install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list diff --git a/debian/init.d b/debian/init.d deleted file mode 100644 index 1ec6ad9..0000000 --- a/debian/init.d +++ /dev/null 
@@ -1,224 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: qubes-core-agent -# Required-Start: $network $local_fs $remote_fs -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Qubes qrexec agent -# Description: The qrexec agent runs in qubes domU domains. It runs -# commands on request from dom0. -### END INIT INFO - -# Author: Davíð Steinn Geirsson -# Most of this script is copied from vm-init.d/qubes-core with -# some fedora-specific stuff removed. - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC=qrexec-agent -NAME=qrexec-agent -DAEMON=/usr/lib/qubes/qrexec-agent -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x $DAEMON ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - - # Ensure necessary modules are loaded - modprobe xen_evtchn - modprobe u2mfn - - - # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read - chmod 666 /proc/xen/xenbus - # Set permissions to files needed to listen at vchan - chmod 666 /proc/u2mfn - - mkdir -p /var/run/xen-hotplug - - name=$(/usr/sbin/xenstore-read name) - if ! [ -f /etc/this-is-dvm ] ; then - # we don't want to set hostname for DispVM - # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) - # (let's be frank: nobody's gonna use xterm on DispVM) - if ! 
[ -z "$name" ]; then - echo $name > /etc/hostname - hostname $name - grep '127.0.1.1' /etc/hosts > /dev/null - if [ $? -ne 0 ]; then - echo "127.0.1.1 $name" >> /etc/hosts - else - sed -i "s/127\.0\.1\.1.*/127.0.1.1 $name/" /etc/hosts - fi - fi - fi - - timezone=`/usr/sbin/xenstore-read qubes-timezone 2> /dev/null` - if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - fi - - # Set IP address again (besides action in udev rules); this is needed by - # DispVM (to override DispVM-template IP) and in case when qubes-ip was - # called by udev before loading evtchn kernel module - in which case - # xenstore-read fails - INTERFACE=eth0 /usr/lib/qubes/setup-ip - - mkdir -p /var/run/qubes - - if [ -e /dev/xvdb ] ; then - resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed" - mount /rw - - if ! [ -d /rw/home ] ; then - echo - echo "--> Virgin boot of the VM: Linking /home to /rw/home" - - mkdir -p /rw/config - touch /rw/config/rc.local - - mkdir -p /rw/home - cp -a /home.orig/user /rw/home - - mkdir -p /rw/usrlocal - cp -a /usr/local.orig/* /rw/usrlocal - - touch /var/lib/qubes/first-boot-completed - fi - fi - if [ -L /home ]; then - rm /home - mkdir /home - fi - mount /home - - [ -x /rw/config/rc.local ] && /rw/config/rc.local - - - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" 
- [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/rules b/debian/rules index dc13a10..e447f05 100755 --- a/debian/rules +++ b/debian/rules @@ -7,7 +7,7 @@ export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ + dh $@ --with=systemd override_dh_auto_build: make all @@ -19,5 +19,5 @@ override_dh_auto_install: override_dh_fixperms: dh_fixperms -a -Xqfile-unpacker -override_dh_installinit: - dh_installinit --no-restart-on-upgrade +override_dh_systemd_start: + dh_systemd_start --no-restart-on-upgrade From 70bbc7923d36b130ad644e916b58e29e8b86ccbf Mon Sep 17 00:00:00 2001 From: HW42 Date: Fri, 26 Sep 2014 18:55:42 +0200 Subject: [PATCH 04/13] install iptables/forwarding for debian --- Makefile | 4 ++++ debian/control | 2 +- network/80-qubes.conf | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 network/80-qubes.conf diff --git a/Makefile b/Makefile index 2ef4c76..d2087a3 100644 --- a/Makefile +++ b/Makefile @@ -182,5 +182,9 @@ install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg + install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4 + install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6 + install -d $(DESTDIR)/etc/sysctl.d + install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ install-vm: install-rh install-common diff --git a/debian/control b/debian/control index 62967a7..670ecea 100644 --- a/debian/control +++ b/debian/control 
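Review bot: `dh $@ --with=systemd` pulls in dh_systemd_enable, which by default enables every unit the package ships that has an [Install] section, while only `dh_systemd_start --no-restart-on-upgrade` is overridden; with patch 03 now installing qubes-dvm, qubes-firewall, qubes-network, qubes-netwatcher and the rest unconditionally into /lib/systemd/system, the set of units enabled on a Debian template becomes whatever debhelper finds rather than an explicit list. On Fedora that list presumably lives in the RPM spec's %post (not visible here); pin it on Debian too with an `override_dh_systemd_enable:` target that enables only the units qubes-sysinit.sh expects to be active, and add a comment explaining why the rest are left to qubes-sysinit's xenstore-driven service switching. I cannot see the units' [Install] sections, so the exact list needs checking against vm-systemd/.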
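Review bot: `install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4` (and rules.v6) makes the firewall rule set world-readable, whereas the Fedora equivalent this series removed from install-common installed /etc/sysconfig/iptables with `-m 0400`; netfilter-persistent loads the files as root, so `install -D -m 0600 network/iptables $(DESTDIR)/etc/iptables/rules.v4` keeps the previous exposure with no functional cost. The shipped rules are public in this repository, so this is about keeping per-VM rule state (once qubes-firewall rewrites them) away from unprivileged users rather than hiding the defaults. The install-deb recipe continues below the hunk and the visible `install-vm: install-rh install-common` does not reach it, so the Debian entry point must be elsewhere in the Makefile.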
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, diff --git a/network/80-qubes.conf b/network/80-qubes.conf new file mode 100644 index 0000000..119d730 --- /dev/null +++ b/network/80-qubes.conf @@ -0,0 +1 @@ +net.ipv4.ip_forward=1 From 4886411570f48bc571be4c57f1820090b39158a0 Mon Sep 17 00:00:00 2001 From: HW42 Date: Fri, 26 Sep 2014 19:56:12 +0200 Subject: [PATCH 05/13] various patches for debian this should enable debian based templates to be used as proxy/netvm --- network/qubes-firewall | 18 +++++++++--------- network/qubes-netwatcher | 10 +++++----- network/qubes-setup-dnat-to-ns | 2 +- vm-systemd/misc-post.sh | 16 ++++++++++++---- vm-systemd/qubes-qrexec-agent.service | 1 + vm-systemd/qubes-sysinit.sh | 18 ++++++++++++------ 6 files changed, 40 insertions(+), 25 deletions(-) diff --git a/network/qubes-firewall b/network/qubes-firewall index 0b8da66..dd5ed23 100755 --- a/network/qubes-firewall +++ b/network/qubes-firewall @@ -23,8 +23,8 @@ while true; do TRIGGER=reload else # Wait for changes in xenstore file - /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES - TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) + xenstore-watch-qubes $XENSTORE_IPTABLES + TRIGGER=$(xenstore-read $XENSTORE_IPTABLES) fi if ! [ "$TRIGGER" = "reload" ]; then continue ; fi 
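Review bot: `net.ipv4.ip_forward=1` in a sysctl.d drop-in switches forwarding on for every Debian VM that installs this package, including AppVMs that never act as a NetVM or ProxyVM, whereas qubes-firewall (patch 05) deliberately writes 0 to ip_forward while it rewrites rules and treats that knob as something the network path owns. Forwarding should be turned on only by the network-service path (network-proxy-setup.sh or qubes-firewall, both touched in this series) when the VM actually provides networking, or at minimum this file needs a comment stating what protects non-network VMs, e.g. `# Forwarding is enabled globally; non-netvm VMs rely on the FORWARD DROP policy in rules.v4`. I cannot see network/iptables to confirm its FORWARD policy, so that comment needs verifying before it is written.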
@@ -34,19 +34,19 @@ while true; do # during the time when the rules are being (re)applied echo "0" > /proc/sys/net/ipv4/ip_forward - RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER) - IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') - OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true` + RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER) + IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d') + OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true` for i in $(xenstore-list qubes-iptables-domainrules) ; do - RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i") - ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` + RULES=$(xenstore-read qubes-iptables-domainrules/"$i") + ERRS=`echo -e "$RULES" | iptables-restore -n 2>&1 || true` echo "Failed applying rules for $i: $ERRS" >&2 OUT="$OUT$ERRS" done - /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" + xenstore-write $XENSTORE_ERROR "$OUT" if [ "$OUT" ]; then - DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : + DISPLAY=:0 notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : fi # Check if user didn't define some custom rules to be applied as well... diff --git a/network/qubes-netwatcher b/network/qubes-netwatcher index 0acab7f..81edffe 100755 --- a/network/qubes-netwatcher +++ b/network/qubes-netwatcher @@ -11,9 +11,9 @@ echo $$ >$PIDFILE trap 'exit 0' SIGTERM while true; do - NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :) + NET_DOMID=$(xenstore-read qubes-netvm-domid || :) if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then - UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) + UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) # UNTRUSTED_NETCFG is not parsed in any way # thus, no sanitization ready # but be careful when passing it to other shell scripts 
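Review bot: `echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore` and the per-domain `echo -e "$RULES" | iptables-restore -n` keep `echo -e`, which under Debian's /bin/sh (dash) emits a literal `-e ` as the first bytes of the stream; if qubes-firewall is run by /bin/sh rather than bash (its shebang is outside the hunk), iptables-restore rejects line 1 and every reload fails on exactly the platform this patch targets. It does fail closed, since ip_forward was zeroed just above and never turned back on, but that means a Debian ProxyVM simply has no working firewall. `printf '%s\n' "$RULES" "$IPTABLES_SAVE" | iptables-restore` and `printf '%s\n' "$RULES" | iptables-restore -n` behave identically in both shells, unless the xenstore value relies on echo -e expanding backslash escapes, which I cannot tell from here; patch 05 already switched qubes-sysinit.sh to bash for a similar reason, so the alternative is the same shebang change. The surrounding while loop starts and ends outside the hunk.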
@@ -21,11 +21,11 @@ while true; do /sbin/service qubes-firewall stop /sbin/service qubes-firewall start CURR_NETCFG="$UNTRUSTED_NETCFG" - /usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" + xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" fi - /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid + xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid else - /usr/bin/xenstore-watch -n 2 qubes-netvm-domid + xenstore-watch -n 2 qubes-netvm-domid fi done diff --git a/network/qubes-setup-dnat-to-ns b/network/qubes-setup-dnat-to-ns index 6a30126..a1f9bc1 100755 --- a/network/qubes-setup-dnat-to-ns +++ b/network/qubes-setup-dnat-to-ns @@ -10,7 +10,7 @@ addrule() fi } export PATH=$PATH:/sbin:/bin -source /var/run/qubes/qubes-ns +. /var/run/qubes/qubes-ns if [ "X"$NS1 = "X" ] ; then exit ; fi iptables -t nat -F PR-QBS FIRSTONE=yes diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index e718d02..43e944c 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -1,9 +1,17 @@ #!/bin/sh -if [ -f /var/run/qubes-service/yum-proxy-setup ]; then - echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf +if [ -e /etc/debian_version ]; then + if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo 'Acquire::http::proxy "http://10.137.255.254:8082/";' > /etc/apt/apt.conf.d/80qubes-proxy + else + echo > /etc/apt/apt.conf.d/80qubes-proxy + fi else - echo > /etc/yum.conf.d/qubes-proxy.conf + if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf + else + echo > /etc/yum.conf.d/qubes-proxy.conf + fi fi # Set IP address again (besides action in udev rules); this is needed by 
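Review bot: The new Debian branch in misc-post.sh duplicates the `/var/run/qubes-service/yum-proxy-setup` test and the `http://10.137.255.254:8082/` proxy address in both arms of the distro check, so a future change to either has to be made twice and the apt and yum behaviour can drift. Deciding the target file and the line once and writing once keeps the exact same files and contents (the non-proxy case still writes a single empty line, which both apt and yum accept) and makes it obvious that the only Debian-specific part is the config syntax; the `[ -e /etc/debian_version ]` test is also used twice in qubes-sysinit.sh in this patch, so a shared `is_debian` helper would be the next step if that pattern spreads.
```shell
if [ -e /etc/debian_version ]; then
    proxy_conf=/etc/apt/apt.conf.d/80qubes-proxy
    proxy_line='Acquire::http::proxy "http://10.137.255.254:8082/";'
else
    proxy_conf=/etc/yum.conf.d/qubes-proxy.conf
    proxy_line='proxy=http://10.137.255.254:8082/'
fi
# qubes-service/yum-proxy-setup is set by qubes-sysinit.sh when dom0 enables the update proxy
if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
    echo "$proxy_line" > "$proxy_conf"
else
    echo > "$proxy_conf"
fi
# … unchanged: IP address setup and the rest of misc-post.sh …
```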
@@ -51,7 +59,7 @@ fi # Start AppVM specific services if [ ! -f /etc/systemd/system/cups.service ]; then if [ -f /var/run/qubes-service/cups ]; then - /sbin/service cups start + service cups start # Allow also notification icon sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop else diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service index 483e694..72bbe84 100644 --- a/vm-systemd/qubes-qrexec-agent.service +++ b/vm-systemd/qubes-qrexec-agent.service @@ -3,6 +3,7 @@ Description=Qubes remote exec agent After=qubes-dvm.service [Service] +ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn' ExecStart=/usr/lib/qubes/qrexec-agent StandardOutput=syslog diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 17d9fde..08b610e 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # List of services enabled by default (in case of absence of xenstore entry) DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" @@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" DEFAULT_ENABLED="meminfo-writer" -XS_READ=/usr/bin/xenstore-read -XS_LS=/usr/bin/xenstore-ls +XS_READ=xenstore-read +XS_LS=xenstore-ls read_service() { $XS_READ qubes-service/$1 2> /dev/null @@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read chmod 666 /proc/xen/xenbus + +[ -e /proc/u2mfn ] || modprobe u2mfn # Set permissions to files needed to listen at vchan chmod 666 /proc/u2mfn 
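Review bot: `[ -e /proc/u2mfn ] || modprobe u2mfn` is followed by an unconditional `chmod 666 /proc/u2mfn`, so when the module is missing (the Debian case this line was added for) the script logs a chmod error and carries on as if vchan were usable; since that chmod also opens a kernel interface to every local user, the two steps belong together: `if [ -e /proc/u2mfn ] || modprobe u2mfn; then chmod 666 /proc/u2mfn; else echo "u2mfn not available, vchan will not work" >&2; fi`. More broadly, this commit now loads xen_evtchn ad hoc from qubes-qrexec-agent.service's `ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'` and u2mfn from here; one modules-load.d drop-in listing both modules would load them before any unit runs and retire both shell snippets. The script continues on both sides of the hunk.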
@@ -65,9 +67,13 @@ fi timezone=`$XS_READ qubes-timezone 2> /dev/null` if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock - echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + cp -p /usr/share/zoneinfo/$timezone /etc/localtime + if [ -e /etc/debian_version ]; then + echo "$timezone" > /etc/timezone + else + echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock + echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + fi fi # Prepare environment for other services From 0d0261d1c1c911b78e986178ac2541ed310669ba Mon Sep 17 00:00:00 2001 From: HW42 Date: Mon, 29 Sep 2014 05:03:25 +0200 Subject: [PATCH 06/13] improve update of /etc/hosts * use 127.0.1.1 under debian (since it's the default there) * also set the IPv6 loopback address (::1) since some tools tries to AAAA resolve the hostname (for example sendmail) * ensure proper /etc/hosts format through postinst-script (hostname as last entry) --- debian/qubes-core-agent.postinst | 15 +++++++++++++++ rpm_spec/core-vm.spec | 11 +++++++++++ vm-systemd/qubes-sysinit.sh | 8 +++++++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 debian/qubes-core-agent.postinst diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst new file mode 100644 index 0000000..de26e6b --- /dev/null +++ b/debian/qubes-core-agent.postinst 
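Review bot: `cp -p /usr/share/zoneinfo/$timezone /etc/localtime` uses the xenstore value unquoted and unchecked, and when the zoneinfo file does not exist the Debian branch still writes `$timezone` to /etc/timezone, leaving the two files inconsistent. Guarding on the source file and quoting it fixes both: `if [ -n "$timezone" ] && [ -f "/usr/share/zoneinfo/$timezone" ]; then` and `cp -p "/usr/share/zoneinfo/$timezone" /etc/localtime`. The value is written by dom0, so this is hardening and error handling rather than a trust-boundary problem, but the old `ln -f` had the same gap and this rewrite is the moment to close it; a comment noting that `cp -p` replaces the previous hard link so /etc/localtime survives a zoneinfo package upgrade would also help the next reader, if that was the intent.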
@@ -0,0 +1,15 @@ +# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is +# in the form expected by qubes-sysinit.sh +for ip in '127\.0\.1\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi +done +# remove hostname from 127.0.0.1 line (in debian the hostname is by default +# resolved to 127.0.1.1) +sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + +#DEBHELPER# diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index d5fd886..503fba9 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -210,6 +210,17 @@ if ! grep -q localhost /etc/hosts; then EOF fi +# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is +# in the form expected by qubes-sysinit.sh +for ip in '127\.0\.0\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi +done + if [ "$1" != 1 ] ; then # do the rest of %post thing only when updating for the first time... exit 0 diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 08b610e..c5ee1ce 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -62,7 +62,13 @@ done name=`$XS_READ name` if [ -n "$name" ]; then hostname $name - sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts + if [ -e /etc/debian_version ]; then + ipv4_localhost_re="127\.0\.1\.1" + else + ipv4_localhost_re="127\.0\.0\.1" + fi + sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts + sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts fi timezone=`$XS_READ qubes-timezone 2> /dev/null` 
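Review bot: The new debian/qubes-core-agent.postinst has no `#!/bin/sh` line and no `set -e`, so a failing grep, sed or hostname(1) leaves /etc/hosts half-edited while the package still reports as configured, and it rewrites /etc/hosts on every maintainer-script invocation rather than only on `configure`; Debian policy expects all three (interpreter line, `set -e`, acting on `$1`). The hostname is also interpolated into the sed patterns unescaped, so a `.` in it matches any character; that is harmless for the loopback lines but deserves a comment. Suggested framing, keeping the existing loop and the 127.0.0.1 cleanup unchanged inside it:
```shell
#!/bin/sh
set -e

case "$1" in
    configure)
        # … unchanged: the 127.0.1.1 / ::1 loop and the 127.0.0.1 cleanup …
        ;;
esac

#DEBHELPER#
```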
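Review bot: `sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts` (and the `::1` twin) substitutes `$name` into the sed replacement verbatim, so a `/`, `&` or `\` in the VM name would alter the command, and because `\(\s.*\)*\s` is greedy the expression only ever replaces the last token on the line, which silently depends on the postinst/%post having put the hostname last. That contract should be stated where it is relied on: `# postinst/%post guarantee the hostname is the last entry on the loopback lines; only that token is replaced`. The name is written by dom0 and, as far as I know, restricted to a safe character set there, so this is belt-and-braces rather than an exploit; a cheap guard before the sed is `case $name in *[!A-Za-z0-9_.-]*) echo "refusing odd VM name" >&2; name=;; esac`. The script continues outside the hunk.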
From 217b5a4a5d48f85d8e1f7bec168134ce1aa7d098 Mon Sep 17 00:00:00 2001 From: HW42 Date: Mon, 29 Sep 2014 05:50:24 +0200 Subject: [PATCH 07/13] make source.list multiarch compatible tell apt that the qubes repos provides only packages for amd64. Without this "apt-get update" will fail if multiarch is used in the templatevm. --- misc/qubes-r2.list.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misc/qubes-r2.list.in b/misc/qubes-r2.list.in index 77a444f..0ab7837 100644 --- a/misc/qubes-r2.list.in +++ b/misc/qubes-r2.list.in @@ -1,11 +1,11 @@ # Main qubes updates repository -deb http://deb.qubes-os.org/r2/vm @DIST@ main +deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@ main deb-src http://deb.qubes-os.org/r2/vm @DIST@ main # Qubes updates candidates repository -#deb http://deb.qubes-os.org/r2/vm @DIST@-testing main +#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-testing main #deb-src http://deb.qubes-os.org/r2/vm @DIST@-testing main # Qubes experimental/unstable repository -#deb http://deb.qubes-os.org/r2/vm @DIST@-unstable main +#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-unstable main #deb-src http://deb.qubes-os.org/r2/vm @DIST@-unstable main From bbb0b3610b5e57eb5799f9097e8e52ff0328dd23 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 02:17:29 +0200 Subject: [PATCH 08/13] add xserver-xorg-video-dummy to the dependencies list of qubes-core-agent the dummy video module is needed by the dvm prepare script --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 670ecea..6fdc9e2 100644 --- a/debian/control +++ b/debian/control 
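Review bot: `deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@ main` hard-codes the architecture while debian/control declares `Architecture: any` and install-deb already substitutes @DIST@ at build time from /etc/debian_version; substituting an `@ARCH@` token the same way (from `dpkg --print-architecture`) keeps the sources file and the package's own architecture in step. Separately, the repository is plain http and its key is dropped into /etc/apt/trusted.gpg.d (install-deb in patch 04), which makes that key trusted for every configured source rather than this one; per-source key binding only arrived in later apt releases, so for now document it in this file, e.g. `# Integrity relies on the qubes-archive-keyring key in trusted.gpg.d; transport is unauthenticated by design (goes via the update proxy)`.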
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, From 5fcf7505fc56235424b8cfb4d895b37a91ad4004 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 02:21:12 +0200 Subject: [PATCH 09/13] dispvm-presun.sh needs bash --- misc/dispvm-prerun.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/dispvm-prerun.sh b/misc/dispvm-prerun.sh index 8bb2583..9489144 100755 --- a/misc/dispvm-prerun.sh +++ b/misc/dispvm-prerun.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash apps="evince /usr/libexec/evinced soffice firefox" From 434a794dda8eb19d9d18fb8bfa9953c713899ae3 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 03:44:33 +0200 Subject: [PATCH 10/13] use sleep instead os usleep since it is more portable --- vm-systemd/prepare-dvm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/prepare-dvm.sh b/vm-systemd/prepare-dvm.sh index bdd1506..c0f30a8 100755 --- a/vm-systemd/prepare-dvm.sh +++ b/vm-systemd/prepare-dvm.sh @@ -29,7 +29,7 @@ if xenstore-read qubes-save-request 2>/dev/null ; then echo "Waiting for save/restore..." # ... wait until qubes-restore.c (in Dom0) recreates VM-specific keys while ! xenstore-read qubes-restore-complete 2>/dev/null ; do - usleep 10000 + sleep 0.01 done echo Back to life. fi From 00e846bbbe581aceeeaf4a8369748d4ff450b1b0 Mon Sep 17 00:00:00 2001 
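Review bot: `sleep 0.01` is not POSIX either — fractional arguments are a GNU coreutils (and busybox) extension — so it is "portable" only in the sense of being present on both Fedora and Debian, and the loop comment should say so rather than leaving the commit message to explain it: `# fractional sleep is a coreutils extension, fine on both supported distros`. The loop also polls `xenstore-read qubes-restore-complete` every 10 ms with no bound or progress message, which predates this change; `xenstore-watch`, already used by qubes-netwatcher in this series, might replace the busy wait, though its event-count semantics would need checking against how dom0 writes that key. The surrounding `if xenstore-read qubes-save-request` block starts above the hunk.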
From: HW42 Date: Wed, 1 Oct 2014 03:45:03 +0200 Subject: [PATCH 11/13] debian: chown /home_volatile/user in posinst --- debian/qubes-core-agent.postinst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index de26e6b..b23c8ce 100644 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -12,4 +12,6 @@ done # resolved to 127.0.1.1) sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts +chown user:user /home_volatile/user + #DEBHELPER# From a91dfdf48b0ac55baa1d43b8f2d1c47fe082cb73 Mon Sep 17 00:00:00 2001 From: HW42 Date: Wed, 1 Oct 2014 06:51:58 +0200 Subject: [PATCH 12/13] fix xenstore-read path in network-proxy-setup.sh for debian --- vm-systemd/network-proxy-setup.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh index 020edb2..2227920 100755 --- a/vm-systemd/network-proxy-setup.sh +++ b/vm-systemd/network-proxy-setup.sh @@ -1,11 +1,11 @@ #!/bin/sh # Setup gateway for all the VMs this netVM is serviceing... -network=$(/usr/bin/xenstore-read qubes-netvm-network 2>/dev/null) +network=$(xenstore-read qubes-netvm-network 2>/dev/null) if [ "x$network" != "x" ]; then - gateway=$(/usr/bin/xenstore-read qubes-netvm-gateway) - netmask=$(/usr/bin/xenstore-read qubes-netvm-netmask) - secondary_dns=$(/usr/bin/xenstore-read qubes-netvm-secondary-dns) + gateway=$(xenstore-read qubes-netvm-gateway) + netmask=$(xenstore-read qubes-netvm-netmask) + secondary_dns=$(xenstore-read qubes-netvm-secondary-dns) modprobe netbk 2> /dev/null || modprobe xen-netback echo "NS1=$gateway" > /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns From 457196ba584f501f95557ef0bd80168567aab983 Mon Sep 17 00:00:00 2001 
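Review bot: `chown user:user /home_volatile/user` assumes the `user` account exists when the package is configured, which nothing in the visible debian/ files creates, and because this postinst has no `set -e` (patch 06) a failure is silent and the directory stays root-owned. Guard it or make the failure loud: `getent passwd user >/dev/null && chown user:user /home_volatile/user`, plus a comment noting where the account is expected to come from (template build or another package — I cannot tell from here). If the directory is meant to be owned by the package, expressing ownership in the package rather than in postinst would also survive reinstalls better.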
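Review bot: `echo "NS1=$gateway" > /var/run/qubes/qubes-ns` and the NS2 line write xenstore-supplied strings into a file that qubes-setup-dnat-to-ns (patch 05) later executes with `.`, so this script is effectively emitting root-executed shell code, and with the now-unqualified `xenstore-read` calls a missing tool yields empty values that are still written and sourced. The values come from dom0, so this is hardening, but a one-line check keeps anything that is not a dotted quad out of that file: `case $gateway in *[!0-9.]*|'') echo "bad qubes-netvm-gateway '$gateway'" >&2; exit 1;; esac` before the write, and the same for `$secondary_dns`. A comment on the write, `# sourced by qubes-setup-dnat-to-ns; keep values shell-safe`, would explain why. The script continues outside the hunk.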
From: HW42 Date: Tue, 4 Nov 2014 04:59:17 +0100 Subject: [PATCH 13/13] debian: add dependency on xen-utils since it's needed for proxy/netvm xen-utils provides the /etc/xen/ scripts which are needed for the network setup. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 60c9559..d773943 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, iptables-persistent, xserver-xorg-video-dummy, xen-utils, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support,
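Review bot: `xen-utils` is, as far as I know, a virtual package on Debian provided by the versioned `xen-utils-4.x` toolstack packages, while the /etc/xen/scripts hotplug scripts the commit message cites ship in `xen-utils-common`; a dependency on the virtual name alone gives apt no real package to resolve and may still not pull in the scripts directory that vif-route-qubes (installed by install-common) relies on. Spell it as the real package that owns /etc/xen/scripts plus a real-package alternative for the toolstack, checked against the target release, and say why in a comment in debian/control or the commit message. The `Depends:` line is otherwise unchanged.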