diff --git a/debian/control b/debian/control index 2523068..a4e6164 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends} Conflicts: qubes-core-agent-linux Description: Qubes core agent This package includes various daemons necessary for qubes domU support, diff --git a/debian/postinst b/debian/postinst new file mode 100755 index 0000000..39a707b --- /dev/null +++ b/debian/postinst @@ -0,0 +1,242 @@ +#!/bin/bash +# postinst script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The postint script may be called in the following ways: +# * 'configure' +# * 'abort-upgrade' +# * 'abort-remove' 'in-favour' +# +# * 'abort-remove' +# * 'abort-deconfigure' 'in-favour' +# 'removing' +# +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +case "$1" in + configure) + # disable some Upstart services + for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do + if [ -e /etc/init/$F.conf ]; then + mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled + fi + done + + remove_ShowIn () { + if [ -e /etc/xdg/autostart/$1.desktop ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop + fi + } + + + # Stops Qt form using the MIT-SHM X11 Shared Memory Extension + echo 'export QT_X11_NO_MITSHM=1' >> /etc/profile + + # Sudo's defualt umask is 077 so set sane default of 022 + # Also don't allow QT to used shared memory to prevent errors + echo 'Defaults umask = 0002' >> /etc/sudoers + echo 'Defaults umask_override' >> /etc/sudoers + echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' >> /etc/sudoers + + # reenable abrt-aplet if disable by some earlier version of package + remove_ShowIn abrt-applet.desktop + + # don't want it at all + for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # don't want it in DisposableVM + for F in gcm-apply ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # want it in AppVM only + for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop + fi + done + + # remove existing rule to add own later + for F in gpk-update-icon nm-applet ; do + remove_ShowIn $F + done + + echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : + echo 'OnlyShowIn=GNOME;QUBES;' >> /etc/xdg/autostart/nm-applet.desktop || : + + # Create NetworkManager configuration if we do not have it + if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then + echo '[main]' > /etc/NetworkManager/NetworkManager.conf + echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf + echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf + fi + /usr/lib/qubes/qubes-fix-nm-conf.sh + + + # Remove ip_forward setting from sysctl, so NM will not reset it + sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf + + # Remove old firmware updates link + if [ -L /lib/firmware/updates ]; then + rm -f /lib/firmware/updates + fi + + #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then + # echo >> /etc/yum.conf + # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf + #fi + + # Revert 'Prevent unnecessary updates in VMs': + #sed -i -e '/^exclude = kernel/d' /etc/yum.conf + + # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content + #if ! grep -q localhost /etc/hosts; then + cat < /etc/hosts +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +EOF + #fi + + #if [ "$1" != 1 ] ; then + # # do the rest of %post thing only when updating for the first time... + # exit 0 + #fi + + if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then + cp /etc/init/serial.conf /var/lib/qubes/serial.orig + fi + + # Remove most of the udev scripts to speed up the VM boot time + # Just leave the xen* scripts, that are needed if this VM was + # ever used as a net backend (e.g. as a VPN domain in the future) + #echo "--> Removing unnecessary udev scripts..." + mkdir -p /var/lib/qubes/removed-udev-scripts + for f in /etc/udev/rules.d/* + do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "50-qubes-misc.rules" ] ; then + continue + fi + + if echo $f | grep -q qubes; then + continue + fi + + mv $f /var/lib/qubes/removed-udev-scripts/ + done + mkdir -p /rw + #rm -f /etc/mtab + #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" + #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig + #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + + ####################################################################### + # systemd post-init + ####################################################################### + for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do + /bin/systemctl enable $srv.service 2> /dev/null + done + + /bin/systemctl enable qubes-update-check.timer 2> /dev/null + + UNITDIR=/lib/systemd/system + OVERRIDEDIR=/usr/lib/qubes/init + + # XXX: Debian specific + if [ -f "$OVERRIDEDIR/NetworkManager.service" ]; then + mv -f $OVERRIDEDIR/NetworkManager.service $OVERRIDEDIR/network-manager.service + sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager.service + fi + if [ -f "$OVERRIDEDIR/NetworkManager-wait-online.service" ]; then + mv -f $OVERRIDEDIR/NetworkManager-wait-online.service $OVERRIDEDIR/network-manager-wait-online.service + sed 's/NetworkManager/network-manager/' -i $OVERRIDEDIR/network-manager-wait-online.service + fi + if [ -f "$OVERRIDEDIR/ModemManager" ]; then + mv -f $OVERRIDEDIR/ModemManager $OVERRIDEDIR/modemmanager.service + sed 's/ModemManager/modemmanager/' -i $OVERRIDEDIR/modemmanager.service + fi + + # Install overriden services only when original exists + #for srv in cups modemmanager network-manager network-manager-wait-online ntpd chronyd; do + for srv in cups modemmanager network-manager network-manager-wait-online; do + if [ -f $UNITDIR/$srv.service ]; then + cp $OVERRIDEDIR/$srv.service /etc/systemd/system/ + fi + if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then + cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/ + fi + if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then + cp $OVERRIDEDIR/$srv.path /etc/systemd/system/ + fi + done + + # Set default "runlevel" + rm -f /etc/systemd/system/default.target + ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + + #DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond" + #DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save" + #DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late" + #DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait" + #DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover" + #DISABLE_SERVICES="$DISABLE_SERVICES rngd smartd upower irqbalance colord" + #for srv in $DISABLE_SERVICES; do + # if [ -f /lib/systemd/system/$srv.service ]; then + # if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then + # /bin/systemctl disable $srv.service 2> /dev/null + # else + # # forcibly disable + # ln -sf /dev/null /etc/systemd/system/$srv.service + # fi + # fi + #done + + rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service + + # Enable some services + /bin/systemctl enable iptables.service 2> /dev/null + /bin/systemctl enable ip6tables.service 2> /dev/null + /bin/systemctl enable rsyslog.service 2> /dev/null + /bin/systemctl enable ntpd.service 2> /dev/null + + # Enable cups only when it is real SystemD service + [ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/postrm b/debian/postrm new file mode 100755 index 0000000..ae7eb72 --- /dev/null +++ b/debian/postrm @@ -0,0 +1,54 @@ +#!/bin/bash +# postrm script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The prerm script may be called in the following ways: +# * 'remove' +# * 'purge' +# * 'upgrade' +# * 'disappear' +# +# The postrm script is called after the package's files have been removed +# or replaced. The package whose postrm is being called may have previously been +# deconfigured and only be "Unpacked", at which point subsequent package changes +# do not consider its dependencies. Therefore, all postrm actions may only rely +# on essential packages and must gracefully skip any actions that require the +# package's dependencies if those dependencies are unavailable.[48] +# +# * 'failed-upgrade' +# +# Called when the old postrm upgrade action fails. The new package will be +# unpacked, but only essential packages and pre-dependencies can be relied on. +# Pre-dependencies will either be configured or will be "Unpacked" or +# "Half-Configured" but previously had been configured and was never removed. +# +# * 'abort-install' +# * 'abort-install' +# * 'abort-upgrade' +# +# Called before unpacking the new package as part of the error handling of +# preinst failures. May assume the same state as preinst can assume. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "remove" ] ; then + /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || : + + if [ -L /lib/firmware/updates ]; then + rm /lib/firmware/updates + fi +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/preinst b/debian/preinst new file mode 100755 index 0000000..4a6876e --- /dev/null +++ b/debian/preinst @@ -0,0 +1,112 @@ +#!/bin/bash +# preinst script for core-agent-linux +# +# see: dh_installdeb(1) + +set -x + +# The preinst script may be called in the following ways: +# * 'install' +# * 'install' +# * 'upgrade' +# +# The package will not yet be unpacked, so the preinst script cannot rely +# on any files included in its package. Only essential packages and +# pre-dependencies (Pre-Depends) may be assumed to be available. +# Pre-dependencies will have been configured at least once, but at the time the +# preinst is called they may only be in an "Unpacked" or "Half-Configured" state +# if a previous version of the pre-dependency was completely configured and has +# not been removed since then. +# +# +# * 'abort-upgrade' +# +# Called during error handling of an upgrade that failed after unpacking the +# new package because the postrm upgrade action failed. The unpacked files may +# be partly from the new version or partly missing, so the script cannot rely +# on files included in the package. Package dependencies may not be available. +# Pre-dependencies will be at least "Unpacked" following the same rules as +# above, except they may be only "Half-Installed" if an upgrade of the +# pre-dependency failed.[46] +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "install" ] ; then + # -------------------------------------------------------------------------- + # Create required directories + # -------------------------------------------------------------------------- + mkdir -p /var/lib/qubes + mkdir -p /lib/modules + #mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this + + if [ -e /etc/fstab ] ; then + mv /etc/fstab /var/lib/qubes/fstab.orig + fi + + # -------------------------------------------------------------------------- + # Many Qubes scripts reference /bin/sh expecting the shell to be bash but + # in Debian it is dash so some scripts will fail so force an alternate for + # /bin/sh to be /bin/bash + # -------------------------------------------------------------------------- + update-alternatives --force --install /bin/sh sh /bin/bash 999 + + # -------------------------------------------------------------------------- + # Modules setup + # -------------------------------------------------------------------------- + echo "xen_netfront" >> /etc/modules + + # -------------------------------------------------------------------------- + # Remove `mesg` from root/.profile? + # -------------------------------------------------------------------------- + sed -i -e '/^mesg n/d' /root/.profile + + # -------------------------------------------------------------------------- + # Update /etc/fstab + # -------------------------------------------------------------------------- + cat > /etc/fstab < 'remove' +# * 'upgrade' +# * 'remove' 'in-favour' +# * 'deconfigure' 'in-favour' +# [removing conflicting-package version] +# +# The package whose prerm is being called will be at least "Half-Installed". +# All package dependencies will at least be "Half-Installed" and will have +# previously been configured and not removed. If there was no error, all +# dependencies will at least be "Unpacked", but these actions may be called in +# various error states where dependencies are only "Half-Installed" due to a +# partial upgrade. +# +# * 'failed-upgrade' +# +# Called during error handling when prerm upgrade fails. The new package +# will not yet be unpacked, and all the same constraints as for preinst +# upgrade apply. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "remove" ] ; then + # no more packages left + if [ -e /var/lib/qubes/fstab.orig ] ; then + mv /var/lib/qubes/fstab.orig /etc/fstab + fi + + if [ -d /var/lib/qubes/removed-udev-scripts ] ; then + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + fi + + if [ -e /var/lib/qubes/serial.orig ] ; then + mv /var/lib/qubes/serial.orig /etc/init/serial.conf + fi +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/network/filter-updates b/network/filter-updates index c1afa54..5fec48b 100644 --- a/network/filter-updates +++ b/network/filter-updates @@ -5,7 +5,7 @@ ^mirrors\.fedoraproject\.org:443$ ^http://mirrors\..*/mirrorlist\? \.deb$ -/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ -/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)$ +/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|.*\)$ +/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 4c69a6f..43cbf9f 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -276,7 +276,7 @@ fi if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : - if [ -l /lib/firmware/updates ]; then + if [ -L /lib/firmware/updates ]; then rm /lib/firmware/updates fi fi