Merge branch 'hvm' of git://10.141.1.101/joanna/core into hvm

2012-06-04 16:42:30 +04:00 · 2012-06-04 16:42:30 +04:00 · f92a5c80fb
commit f92a5c80fb
parent 651f202213 4365b7b270
11 changed files with 224 additions and 8 deletions
--- a/network/filter-qubes-yum
+++ b/network/filter-qubes-yum
@ -0,0 +1,6 @@
+.*/repodata/[A-Za-z0-9-]*\(primary\|filelist\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
+.*/repodata/repomd\.xml$
+.*\.rpm$
+.*\.drpm$
+mirrors.fedoraproject.org:443
+^http://mirrors\..*/mirrorlist
--- a/network/iptables
+++ b/network/iptables
@ -4,7 +4,9 @@
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
 -A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
 -A POSTROUTING -o vif+ -j ACCEPT
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
--- a/network/tinyproxy-qubes-yum.conf
+++ b/network/tinyproxy-qubes-yum.conf
@ -0,0 +1,30 @@
+User tinyproxy
+Group tinyproxy
+Port 8082
+Timeout 60
+DefaultErrorFile "/usr/share/tinyproxy/default.html"
+
+#StatHost "tinyproxy.stats"
+StatFile "/usr/share/tinyproxy/stats.html"
+Syslog On
+LogLevel Notice
+PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
+
+MaxClients 50
+MinSpareServers 2
+MaxSpareServers 10
+StartServers 2
+MaxRequestsPerChild 0
+ViaProxyName "tinyproxy"
+
+Allow 127.0.0.1
+Allow 10.137.0.0/16
+
+
+Filter "/etc/tinyproxy/filter-qubes-yum"
+FilterURLs On
+#FilterExtended On
+#FilterCaseSensitive On
+FilterDefaultDeny Yes
+ConnectPort 443
+
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@ -53,8 +53,9 @@ if [ "${ip}" ] ; then
 	for addr in ${ip} ; do
 		${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
 	done
-		echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
-		${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+	${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+	back_ip=${ip%.*}.1
+	${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
 fi

 log debug "Successful vif-route-qubes $command for $vif."
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@ -37,6 +37,7 @@ Requires:   yum-plugin-post-transaction-actions
 Requires:   NetworkManager >= 0.8.1-1
 Requires:	/usr/bin/mimeopen
 Requires:   /sbin/ethtool
+Requires:   tinyproxy
 Provides:   qubes-core-vm
 Obsoletes:  qubes-core-commonvm
 Obsoletes:  qubes-core-appvm
@ -80,7 +81,7 @@ su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2'

 %install

-install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab
+install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab
 install -d $RPM_BUILD_ROOT/etc/init.d
 install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/

@ -116,7 +117,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes

 install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules

-install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules
+install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules
 install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes
 install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes
 install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/
@ -126,7 +127,12 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
-install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
+install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
+
+install -d $RPM_BUILD_ROOT/etc/yum.conf.d
+touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf

 install -d $RPM_BUILD_ROOT/usr/sbin
 install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
@ -233,6 +239,12 @@ fi
 # Remove ip_forward setting from sysctl, so NM will not reset it
 sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf

+if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then
+  echo >> /etc/yum.conf
+  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+fi
+
 # Prevent unnecessary updates in VMs:
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf
@ -334,10 +346,13 @@ rm -rf $RPM_BUILD_ROOT
 /etc/sudoers.d/qubes
 /etc/sysconfig/iptables
 /etc/sysconfig/modules/qubes_core.modules
+/etc/tinyproxy/filter-qubes-yum
+/etc/tinyproxy/tinyproxy-qubes-yum.conf
 /etc/udev/rules.d/50-qubes_memory.rules
 /etc/udev/rules.d/99-qubes_block.rules
 /etc/udev/rules.d/99-qubes_network.rules
 /etc/xen/scripts/vif-route-qubes
+/etc/yum.conf.d/qubes-proxy.conf
 /etc/yum.repos.d/qubes.repo
 /etc/yum/post-actions/qubes_trigger_sync_appmenus.action
 /lib/firmware/updates
@ -422,6 +437,7 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes_core_netvm
 /etc/init.d/qubes-firewall
 /etc/init.d/qubes-netwatcher
+/etc/init.d/qubes-yum-proxy

 %post sysvinit

@ -454,6 +470,8 @@ chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
+chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!"
+chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!"

 # TODO: make this not display the silly message about security context...
 sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
@ -466,6 +484,7 @@ if [ "$1" = 0 ] ; then
    chkconfig qubes_core_appvm off
    chkconfig qubes-firewall off
    chkconfig qubes-netwatcher off
+    chkconfig qubes-yum-proxy off
 fi

 %package systemd
@ -495,6 +514,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-sysinit.service
 /lib/systemd/system/qubes-update-check.service
 /lib/systemd/system/qubes-update-check.timer
+/lib/systemd/system/qubes-yum-proxy.service
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/prepare-dvm.sh
 /usr/lib/qubes/init/network-proxy-setup.sh
@ -509,7 +529,7 @@ The Qubes core startup configuration for SystemD init.

 %post systemd

-for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall; do
+for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do
    /bin/systemctl enable $srv.service 2> /dev/null
 done

--- a/vm-init.d/qubes-yum-proxy
+++ b/vm-init.d/qubes-yum-proxy
@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# tinyproxy     Startup script for the tinyproxy server as Qubes yum proxy
+#
+# chkconfig:   - 85 15
+# description: small, efficient HTTP/SSL proxy daemon
+#
+# processname: tinyproxy
+# config:      /etc/tinyproxy/tinyproxy-qubes-yum.conf
+# config:      /etc/sysconfig/tinyproxy-qubes-yum
+# pidfile:     /var/run/tinyproxy/tinyproxy-qubes-yum.pid
+#
+# Note: pidfile is created by tinyproxy in its config
+# see PidFile in the configuration file.
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+.  /etc/sysconfig/network
+
+# Check that networking is up.
+[ "$NETWORKING" = "no" ] && exit 0
+
+exec="/usr/sbin/tinyproxy"
+prog=$(basename $exec)
+config="/etc/tinyproxy/tinyproxy-qubes-yum.conf"
+pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
+
+[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum
+
+lockfile=/var/lock/subsys/tinyproxy-qubes-yum
+
+start() {
+    type=`/usr/bin/xenstore-read qubes_vm_type`
+    start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null`
+    if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then
+        # Yum proxy disabled
+        exit 0
+    fi
+
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    # setup network redirection
+    /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+    /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+
+    echo -n $"Starting $prog (as Qubes yum proxy): "
+    daemon $exec -c $config
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc -p $pidfile $prog
+    retval=$?
+    echo
+    /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+    /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    echo -n $"Reloading $prog: "
+    killproc -p $pidfile $prog -HUP
+    echo
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    status $prog
+}
+
+rh_status_q() {
+    rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+    start)
+        rh_status_q && exit 0
+        $1
+        ;;
+    stop)
+        rh_status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    reload)
+        rh_status_q || exit 7
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?
+
--- a/vm-init.d/qubes_core
+++ b/vm-init.d/qubes_core
@ -36,6 +36,13 @@ start()
 		echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
 	fi

+	yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null)
+	if [ "$yum_proxy_setup" != "0" ]; then
+		echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+	else
+		echo > /etc/yum.conf.d/qubes-proxy.conf
+	fi
+
 	# Set IP address again (besides action in udev rules); this is needed by
 	# DispVM (to override DispVM-template IP) and in case when qubes_ip was
 	# called by udev before loading evtchn kernel module - in which case
--- a/vm-systemd/misc-post.sh
+++ b/vm-systemd/misc-post.sh
@ -1,5 +1,11 @@
 #!/bin/sh

+if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
+    echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+else
+    echo > /etc/yum.conf.d/qubes-proxy.conf
+fi
+
 # Set IP address again (besides action in udev rules); this is needed by
 # DispVM (to override DispVM-template IP) and in case when qubes_ip was
 # called by udev before loading evtchn kernel module - in which case
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # List of services enabled by default (in case of absence of xenstore entry)
-DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check"
+DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy"
 DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
 DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
 DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM
@ -61,3 +61,11 @@ if [ -n "$timezone" ]; then
    echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
    echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
 fi
+
+# Prepare environment for other services
+echo > /var/run/qubes-service-environment
+
+debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null`
+if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then
+    echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment
+fi
--- a/vm-systemd/qubes-update-check.service
+++ b/vm-systemd/qubes-update-check.service
@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check

 [Service]
 Type=oneshot
-ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l'
+ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0'
--- a/vm-systemd/qubes-yum-proxy.service
+++ b/vm-systemd/qubes-yum-proxy.service
@ -0,0 +1,15 @@
+[Unit]
+Description=Qubes yum proxy (tinyproxy)
+ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy
+After=iptables.service
+
+[Service]
+ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
+ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
+ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+
+[Install]
+WantedBy=multi-user.target