From 386597a26f05cd2244f56b1bbb8f3f5a88d7e9b4 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 22 May 2012 16:49:03 +0200 Subject: [PATCH 1/9] vm/systemd: generate opts for GUI based on debug-mode (#567) --- vm-systemd/qubes-sysinit.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 02e2a9a..1fb463c 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -61,3 +61,11 @@ if [ -n "$timezone" ]; then echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + +# Prepare environment for other services +echo > /var/run/qubes-service-environment + +debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null` +if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then + echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment +fi From f87a620aa64c1a36ea071c5e5134461505f846d5 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 30 May 2012 13:40:27 +0200 Subject: [PATCH 2/9] vm/notify-update: do not treat network problems as updates pending symptom --- vm-systemd/qubes-update-check.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index 5566eda..6ac37e3 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service @@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l' +ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' From e820841d6b56aa4d18deb455951ac2c33e10c742 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:12 +0200 Subject: [PATCH 3/9] vm+dom0/vif-script: indent fix --- network/vif-route-qubes | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index c807017..f4e8989 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes @@ -53,8 +53,7 @@ if [ "${ip}" ] ; then for addr in ${ip} ; do ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done - echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP - ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP fi log debug "Successful vif-route-qubes $command for $vif." From 72521b88e160cf69d965f6bdaf9aabd87ab86807 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:03:55 +0200 Subject: [PATCH 4/9] dom0+vm/vif-script: setup IP address of net backend interface This is needed to connect to ProxyVM/NetVM, not only pass traffic ahead. Still firewall rules applies. --- network/vif-route-qubes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/vif-route-qubes b/network/vif-route-qubes index f4e8989..6809028 100755 --- a/network/vif-route-qubes +++ b/network/vif-route-qubes @@ -54,6 +54,8 @@ if [ "${ip}" ] ; then ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric done ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP + back_ip=${ip%.*}.1 + ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} fi log debug "Successful vif-route-qubes $command for $vif." From bfe9e92c11b86bd602bfd27541b10e0964a52a43 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:07:01 +0200 Subject: [PATCH 5/9] dom0+vm/iptables: add PR-QBS-SERVICES chain in PREROUTING nat table Additional chain for some qubes-related redirections. BTW PR-QBS should be renamed now to PR-QBS-DNS... --- network/iptables | 2 ++ 1 file changed, 2 insertions(+) diff --git a/network/iptables b/network/iptables index 6e6e6d8..5977ff2 100644 --- a/network/iptables +++ b/network/iptables @@ -4,7 +4,9 @@ :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PR-QBS - [0:0] +:PR-QBS-SERVICES - [0:0] -A PREROUTING -j PR-QBS +-A PREROUTING -j PR-QBS-SERVICES -A POSTROUTING -o vif+ -j ACCEPT -A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -j MASQUERADE From 181426c19df7709ba43a7c397abc0cfdd32d8115 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:17:09 +0200 Subject: [PATCH 6/9] vm/spec: remove executable perm where not needed --- rpm_spec/core-vm.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 0b9d5ff..4473e08 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -80,7 +80,7 @@ su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2' %install -install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab +install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab install -d $RPM_BUILD_ROOT/etc/init.d install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ @@ -116,7 +116,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules -install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules +install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ @@ -126,7 +126,7 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes -install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ From 81806796ca3274275872b5f5d0c673426442433b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:24:49 +0200 Subject: [PATCH 7/9] vm: qubes-yum-proxy service (#568) Introduce proxy service, which allow only http(s) traffic to yum repos. The filter rules are based on URL regexp, so it isn't full-featured content inspection and can be easy bypassed, but should be enough to prevent some erroneus user actions (like clicking on invalid link). It is set up to intercept connections to 10.137.255.254:8082, so VM can connect to this IP regardless of VM in which proxy is running. By default it is started in every NetVM, but this can be changed using qvm-service or qubes-manager (as always). --- network/filter-qubes-yum | 6 ++ network/tinyproxy-qubes-yum.conf | 30 +++++++ rpm_spec/core-vm.spec | 12 ++- vm-init.d/qubes-yum-proxy | 121 +++++++++++++++++++++++++++++ vm-systemd/qubes-sysinit.sh | 2 +- vm-systemd/qubes-yum-proxy.service | 14 ++++ 6 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 network/filter-qubes-yum create mode 100644 network/tinyproxy-qubes-yum.conf create mode 100755 vm-init.d/qubes-yum-proxy create mode 100644 vm-systemd/qubes-yum-proxy.service diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum new file mode 100644 index 0000000..b244f3c --- /dev/null +++ b/network/filter-qubes-yum @@ -0,0 +1,6 @@ +.*/repodata/[A-Za-z0-9-]*\(primary\|filelist\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +.*/repodata/repomd\.xml$ +.*\.rpm$ +.*\.drpm$ +mirrors.fedoraproject.org:443 +^http://mirrors\..*/mirrorlist diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-qubes-yum.conf new file mode 100644 index 0000000..43b5082 --- /dev/null +++ b/network/tinyproxy-qubes-yum.conf @@ -0,0 +1,30 @@ +User tinyproxy +Group tinyproxy +Port 8082 +Timeout 60 +DefaultErrorFile "/usr/share/tinyproxy/default.html" + +#StatHost "tinyproxy.stats" +StatFile "/usr/share/tinyproxy/stats.html" +Syslog On +LogLevel Notice +PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +MaxClients 50 +MinSpareServers 2 +MaxSpareServers 10 +StartServers 2 +MaxRequestsPerChild 0 +ViaProxyName "tinyproxy" + +Allow 127.0.0.1 +Allow 10.137.0.0/16 + + +Filter "/etc/tinyproxy/filter-qubes-yum" +FilterURLs On +#FilterExtended On +#FilterCaseSensitive On +FilterDefaultDeny Yes +ConnectPort 443 + diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 4473e08..10da4d2 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -37,6 +37,7 @@ Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: /sbin/ethtool +Requires: tinyproxy Provides: qubes-core-vm Obsoletes: qubes-core-commonvm Obsoletes: qubes-core-appvm @@ -127,6 +128,8 @@ install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf +install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ @@ -334,6 +337,8 @@ rm -rf $RPM_BUILD_ROOT /etc/sudoers.d/qubes /etc/sysconfig/iptables /etc/sysconfig/modules/qubes_core.modules +/etc/tinyproxy/filter-qubes-yum +/etc/tinyproxy/tinyproxy-qubes-yum.conf /etc/udev/rules.d/50-qubes_memory.rules /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules @@ -422,6 +427,7 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes_core_netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher +/etc/init.d/qubes-yum-proxy %post sysvinit @@ -454,6 +460,8 @@ chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" +chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" # TODO: make this not display the silly message about security context... sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab @@ -466,6 +474,7 @@ if [ "$1" = 0 ] ; then chkconfig qubes_core_appvm off chkconfig qubes-firewall off chkconfig qubes-netwatcher off + chkconfig qubes-yum-proxy off fi %package systemd @@ -495,6 +504,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer +/lib/systemd/system/qubes-yum-proxy.service %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh @@ -509,7 +519,7 @@ The Qubes core startup configuration for SystemD init. %post systemd -for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall; do +for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do /bin/systemctl enable $srv.service 2> /dev/null done diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-yum-proxy new file mode 100755 index 0000000..52f329b --- /dev/null +++ b/vm-init.d/qubes-yum-proxy @@ -0,0 +1,121 @@ +#!/bin/sh +# +# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy +# +# chkconfig: - 85 15 +# description: small, efficient HTTP/SSL proxy daemon +# +# processname: tinyproxy +# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf +# config: /etc/sysconfig/tinyproxy-qubes-yum +# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid +# +# Note: pidfile is created by tinyproxy in its config +# see PidFile in the configuration file. + +# Source function library. +. /etc/rc.d/init.d/functions + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ "$NETWORKING" = "no" ] && exit 0 + +exec="/usr/sbin/tinyproxy" +prog=$(basename $exec) +config="/etc/tinyproxy/tinyproxy-qubes-yum.conf" +pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid" + +[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum + +lockfile=/var/lock/subsys/tinyproxy-qubes-yum + +start() { + type=`/usr/bin/xenstore-read qubes_vm_type` + start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null` + if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then + # Yum proxy disabled + exit 0 + fi + + [ -x $exec ] || exit 5 + [ -f $config ] || exit 6 + # setup network redirection + /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + + echo -n $"Starting $prog (as Qubes yum proxy): " + daemon $exec -c $config + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc -p $pidfile $prog + retval=$? + echo + /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT + /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +reload() { + echo -n $"Reloading $prog: " + killproc -p $pidfile $prog -HUP + echo +} + +force_reload() { + restart +} + +rh_status() { + status $prog +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + reload) + rh_status_q || exit 7 + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}" + exit 2 +esac +exit $? + diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 1fb463c..0c8e9d0 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,7 +1,7 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service new file mode 100644 index 0000000..39c14ec --- /dev/null +++ b/vm-systemd/qubes-yum-proxy.service @@ -0,0 +1,14 @@ +[Unit] +Description=Qubes yum proxy (tinyproxy) +ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy +After=iptables.service + +[Service] +ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT +ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf +ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT + +[Install] +WantedBy=multi-user.target From 9c434abc82cdfc3d364960340e2d1a6549a169f9 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:33:56 +0200 Subject: [PATCH 8/9] vm/qubes-yum-proxy: create dir for pidfile under FC15 (#568) On FC>=15 /var/run is on tmpfs, so /var/run/tinyproxy from rpm don't survive reboot. This is bug in Fedora package (should include config file for tmpfiles service). For now create dir just before starting service. --- vm-systemd/qubes-yum-proxy.service | 1 + 1 file changed, 1 insertion(+) diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service index 39c14ec..b03c34d 100644 --- a/vm-systemd/qubes-yum-proxy.service +++ b/vm-systemd/qubes-yum-proxy.service @@ -4,6 +4,7 @@ ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy After=iptables.service [Service] +ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf From 4365b7b2709b42f00fc42882d4732e756a12c058 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 31 May 2012 02:37:53 +0200 Subject: [PATCH 9/9] vm/qubes-yum-proxy: setup yum to use qubes-yum-proxy (#568) The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it is reasonable to bypass the proxy. Some examples: - usage of non-standard repos with some exotic file layout, which will be blocked by the proxy - usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM) This commit introduces 'yum-proxy-setup' pseudo-service, which can be controlled via standard qvm-service or qubes-manager. When enabled - yum will be configured at VM startup to use qubes proxy, otherwise - to connect directly (proxy setting will be cleared). --- rpm_spec/core-vm.spec | 10 ++++++++++ vm-init.d/qubes_core | 7 +++++++ vm-systemd/misc-post.sh | 6 ++++++ 3 files changed, 23 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 10da4d2..06004ea 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -131,6 +131,9 @@ install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum +install -d $RPM_BUILD_ROOT/etc/yum.conf.d +touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf + install -d $RPM_BUILD_ROOT/usr/sbin install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ @@ -236,6 +239,12 @@ fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf +if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then + echo >> /etc/yum.conf + echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf +fi + # Prevent unnecessary updates in VMs: sed -i -e '/^exclude = kernel/d' /etc/yum.conf echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf @@ -343,6 +352,7 @@ rm -rf $RPM_BUILD_ROOT /etc/udev/rules.d/99-qubes_block.rules /etc/udev/rules.d/99-qubes_network.rules /etc/xen/scripts/vif-route-qubes +/etc/yum.conf.d/qubes-proxy.conf /etc/yum.repos.d/qubes.repo /etc/yum/post-actions/qubes_trigger_sync_appmenus.action /lib/firmware/updates diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core index 7193d38..de194f8 100755 --- a/vm-init.d/qubes_core +++ b/vm-init.d/qubes_core @@ -36,6 +36,13 @@ start() echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi + yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) + if [ "$yum_proxy_setup" != "0" ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf + else + echo > /etc/yum.conf.d/qubes-proxy.conf + fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index 9ebdf2e..dbefd43 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -1,5 +1,11 @@ #!/bin/sh +if [ -f /var/run/qubes-service/yum-proxy-setup ]; then + echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf +else + echo > /etc/yum.conf.d/qubes-proxy.conf +fi + # Set IP address again (besides action in udev rules); this is needed by # DispVM (to override DispVM-template IP) and in case when qubes_ip was # called by udev before loading evtchn kernel module - in which case