Commit Graph

266 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
7e608a8bb4
Remove DisposableVM savefile related files
In Qubes 4.0 we no longer use two-stage DisposableVM startup.
2017-06-08 22:11:35 +02:00
Marek Marczykowski-Górecki
4514500ee6
Fix detection of PCI passthrough
Do not enable meminfo-writer (and in consequence qmemman) for the VM if
any real PCI device is present. Do not count qemu-emulated devices.
2017-05-26 05:25:30 +02:00
Marek Marczykowski-Górecki
b49ae50ad5
Implement qrexec-based connection to updates proxy
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. The listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part use systemd.socket
unit in case of systemd, and ncat --exec otherwise.

On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.

It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also run updates proxy.

Fixes QubesOS/qubes-issues#1854
2017-05-26 05:25:29 +02:00
Marek Marczykowski-Górecki
34fa6e7ced
debian: make haveged.service patch less intrusive...
...but installed on all Debian versions. This is mostly required by
vebose file list in debian/qubes-core-agent.install. But also make it
use new options when upstream will set them.

QubesOS/qubes-issues#2161
2017-05-22 17:30:06 +02:00
Marek Marczykowski-Górecki
ce70887a57
Merge branch 'core3-devel' 2017-05-20 14:43:53 +02:00
Marek Marczykowski-Górecki
13c99f1f10
systemd: fix race condition between qubes-db and qubes-early-vm-config
qubes-early-vm-config.service depend on qubes-db daemon running, to
retrieve various configuration parameters. But the startup ordering
declaration was missing

Fixes QubesOS/qubes-issues#2750
2017-05-14 23:13:26 +02:00
Marek Marczykowski-Górecki
d177e73bba
Merge remote-tracking branch 'qubesos/pr/43'
* qubesos/pr/43:
  Fix more shellcheck warnings
  Fix handling of binds containing spaces
2017-03-17 11:56:22 +01:00
Robin Schneider
e0814b481f
bind-dirs: Create ro if bind target exists
Before, the script skipped none existing ro paths even if the path
existed below /rw. This would require someone who wants to use bind-dirs
only in TemplateBasedVM to ensure that the paths exist before the
bind-dirs script gets called.

This patch changes this behavior so that if the path exists below /rw, it
is ensured that an (empty) file/directory is present in ro (where the
corresponding path from /rw is then bind mounted over).

Requires: Docs update. I can open a PR when this PRs looks good.
Fixes limitation: "Does not work if the file / folder in question does
  not already exist in the root image. I.e. a file that does not exist in
  the root image cannot be bind mounted in the TemplateBasedVM."
Example use case: https://github.com/debops/ansible-persistent_paths
Tested on: Qubes OS 3.2; Debian 8 TemplateBasedVM (and Template)
Related to: https://github.com/QubesOS/qubes-issues/issues/2661
2017-03-16 12:56:54 +01:00
Robin Schneider
a205c86bfe
Fix more shellcheck warnings 2017-03-14 20:13:23 +01:00
Robin Schneider
0facff3a01
Fix handling of binds containing spaces
```bash
binds+=( '/etc/tmp/s s' )
```

was handled incorrectly before.
2017-03-14 20:10:26 +01:00
unman
1ed2954f91
Stop unnecessary services in Debian 2017-02-16 22:41:14 +00:00
Marek Marczykowski-Górecki
08edfa630d
Merge remote-tracking branch 'qubesos/pr/35'
* qubesos/pr/35:
  Constrain cron and anacron in Ubuntu also
  Stop anacron from starting in Debian using existing constraint on cron
2017-02-12 23:59:43 +01:00
unman
a361fb454c
Stop anacron from starting in Debian using existing constraint on cron 2017-02-05 23:36:27 +00:00
Patrick Schleizer
3cc1a855dc comment 2016-12-21 00:15:12 +01:00
Marek Marczykowski-Górecki
41e3d591ef
Merge remote-tracking branch 'qubesos/pr/25'
* qubesos/pr/25:
  Add systemd override for haveged in xenial and stretch. (#2161) Reenable haveged.service after debian package installation

Fixes QubesOS/qubes-issues#2161
2016-11-28 15:02:32 +01:00
unman
58febd6d20
Add systemd override for haveged in xenial and stretch. (#2161)
Reenable haveged.service after debian package installation
2016-11-14 02:33:20 +00:00
Manuel Amador (Rudd-O)
6ca10b42eb Initialize home_volatile for disposable VMs. 2016-11-13 21:20:46 +00:00
Manuel Amador (Rudd-O)
251ecbd529 Clean up specfile unit activation aspect.
Up until today, Qubes OS would insist on either masking or disabling
or activating units that should get their state properly changed
but only on first package install (when the template is built).

This commit adds the possibility of having two types of unit presets:

* Initial presets: these are only changed state during first package
  installs.
* Upgrade presets: these get their state changed during first
  package installs as well as during upgrades.

All the maintainer has to do is abide by the instructions in the
preset file.  Nothing else is necessary.

Namely, this allows users to enable SSHD on their templates or
standalone VMs and still keep it enabled even after the
qubes-core-vm-systemd package is upgraded.

Matt really wanted that, and so did I, so now we can do it!

:-)
2016-10-28 08:35:36 +00:00
Manuel Amador (Rudd-O)
d15696ebef Fix VM settings running while / is readonly. 2016-10-28 05:21:40 +00:00
Manuel Amador (Rudd-O)
59aec8e5eb Clean up early initialization and setup of /rw 2016-10-23 20:19:51 +00:00
Marek Marczykowski-Górecki
b7c7b4ad52
Merge remote-tracking branch 'qubesos/pr/20'
* qubesos/pr/20:
  Eliminate race condition with qubes-setup-dnat-to-ns

Fixes QubesOS/qubes-issues#1067
2016-10-17 21:12:39 +02:00
unman
f04712cf02
Revert version and correct unit files 2016-10-16 13:39:01 +01:00
unman
da82d93780
use bind-dirs to handle crontab persistence 2016-10-16 01:14:02 +01:00
Rudd-O
b7d8d66bb1 Eliminate race condition with qubes-setup-dnat-to-ns
qubes-setup-dnat-to-ns is called multiple times during boot.  Of particular interest are the two invocations done by:

1. `/usr/lib/qubes/init/network-proxy.setup.sh` (`qubes-network.service`)
2. `/usr/lib/qubes/init/misc-post.sh` (`qubes-misc-post.service`)

These can, and do often, run in parallel.  Often enough that the `PR-QBS` `nat` chain can end up with eight rules instead of four, or (worse) zero rules.

This commit represents the proper boot ordering of these services, where the post startup *must* happen after Qubes has already started its iptables, firewall, network setup and netwatcher.

This eliminates the race.
2016-10-12 15:19:46 +00:00
unman
a493b7c121
Remove custom mount when starting cron, in favour of bind-dirs 2016-10-11 11:28:48 +01:00
Marek Marczykowski-Górecki
2c8fe644f3
network: remove qubes-netwatcher
This tool/service is obsolete for a long time (it does nothing on R3.0
and later).
2016-09-12 05:58:26 +02:00
HW42
be0e8a250f
bind-dirs: copy from ro only if bind target doesn't exists
f4d367a6 dropped the check if the bind target exists and added
"--no-clobber" to the cp call. For directories this does not work as
desired: cp checks per (recursive) file instead of once for the
specified directory.
2016-09-01 03:41:31 +02:00
Marek Marczykowski-Górecki
c3d630f288
Disable meminfo-writer if there is any PCI device attached
This code used to be in dom0, but it's easier to maintain it in VM.

QubesOS/qubes-issues#2101
2016-08-17 21:27:28 +02:00
Marek Marczykowski-Górecki
60c30e6cdb
Merge remote-tracking branch 'origin/pr/82'
* origin/pr/82:
  comment legacy function
2016-08-06 18:42:16 +02:00
Marek Marczykowski-Górecki
1fd69636f8
systemd: fix syntax error in preset file
Services needs to be named with full unit name.

Fixes QubesOS/qubes-issues#2188
2016-08-06 18:36:30 +02:00
Patrick Schleizer
15274f8bb8 comment legacy function 2016-07-27 15:07:32 +02:00
Marek Marczykowski-Górecki
441a78df49
Merge remote-tracking branch 'origin/pr/81' 2016-07-27 05:20:13 +02:00
Marek Marczykowski-Górecki
60d16ea587
systemd: improve ordering of systemd units
- qubes-misc-post.service is no longer responsible for mounting /rw
- both qubes-sysinit.service and qubes-mount-dirs.service are part of
  basic.target, so no need to mention them explicitly (as long as
  DefaultDependencies=yes)

QubesOS/qubes-issues#2198
2016-07-27 05:19:47 +02:00
Marek Marczykowski-Górecki
48a35d40d1
systemd: load xen-privcmd module
It is needed for vchan communication. It was loaded implicitly by mount
/proc/xen, but since we're moving away from this legacy interface, load
it explicitly.

QubesOS/qubes-issues#2194
2016-07-27 05:19:46 +02:00
Marek Marczykowski-Górecki
e0e89f153f
systemd: order qubes-mount-dirs.service before local-fs.target
The service is really responsible for mounting /rw and /home, so should
be ordered before local-fs.target - this will allow other services
to use standard ordering targets.

This probably makes Before=qubes-gui-agent.service not needed anymore,
but do not remove it yet without extensive testing to not risk
regression.

Fixes QubesOS/qubes-issues#2194
2016-07-27 05:19:46 +02:00
Patrick Schleizer
67dd174cec empty legacy function
leaving that to Whonix

https://github.com/Whonix/qubes-whonix/blob/master/usr/lib/qubes-bind-dirs.d/41_qubes-whonix-legacy.conf

https://github.com/QubesOS/qubes-issues/issues/2191
2016-07-24 00:09:11 +00:00
Marek Marczykowski-Górecki
65f0b26600
systemd: plug random seed loading into systemd-random-seed
Reuse its dependencies to make sure it is loaded early enough.

Reported by @adrelanos
Fixes QubesOS/qubes-issues#1761
2016-07-17 04:26:01 +02:00
Marek Marczykowski-Górecki
9b362a6d7d
systemd: don't mark updates check service failed
Even if update check fails for some reason (network problem, apt-get lock
being held etc), don't mark the service as failed. The update check
mechanism is designed this way to not worry about such single failures
- other VM(s) may still check and report updates availability.

Fixes QubesOS/qubes-issues#1889
2016-07-16 15:30:40 +02:00
Marek Marczykowski-Górecki
6cf30bff29
Merge remote-tracking branch 'origin/pr/66'
* origin/pr/66:
  fixed qubes-core-agent upgrading double package manager lock

  Fixes QubesOS/qubes-issues#1889
2016-07-13 22:38:25 +02:00
Marek Marczykowski-Górecki
6bd6380918
Merge remote-tracking branch 'qubesos/pr/18'
* qubesos/pr/18:
  Enable xendriverdomain.service in 75-qubes-vm.preset
  Remove 'if true' wrapper from 06a0d30d50
  *Do* block until good random is available again
  dvm, then xendriverdomain, then qrexec-agent
2016-07-10 17:17:11 +02:00
Rusty Bird
0cc4803a9d
Enable xendriverdomain.service in 75-qubes-vm.preset 2016-07-03 05:00:29 +00:00
Rusty Bird
ae1a334a1d
Remove 'if true' wrapper from 06a0d30d50 2016-07-01 16:01:48 +00:00
Rusty Bird
cb55dfa6ae
*Do* block until good random is available again 2016-07-01 16:01:47 +00:00
Rusty Bird
fbf4c93730
dvm, then xendriverdomain, then qrexec-agent
Fixes QubesOS/qubes-issues#2126
Fixes QubesOS/qubes-issues#1990
2016-07-01 16:01:47 +00:00
Rusty Bird
ca03e093f7
Order network management units after network-pre.target
Network management software should order itself after network-pre.target
(man 7 systemd.special) so that other units can order themselves before
the *beginning* of network initialization. (qubes-misc-post too because
it calls setup-ip.)

Relevant for QubesOS/qubes-issues#2108
2016-06-30 16:20:47 +00:00
Patrick Schleizer
191b2a4cd9
Do not start tor@default service in TemplateVM.
Not doing that already for the tor service.

Since the actual tor service was renamed to tor@default by upstream.
2016-06-11 13:46:58 +00:00
Marek Marczykowski-Górecki
817606a09d
Merge remote-tracking branch 'origin/pr/72'
* origin/pr/72:
  systemd: order units checking for qubes-service after qubes-sysinit
2016-05-17 21:16:02 +02:00
Marek Marczykowski-Górecki
5e08e2bc1d
systemd: order units checking for qubes-service after qubes-sysinit
Files in /var/run/qubes-service are created by qubes-sysinit.service. So
defer that condition check after that service start.

Thanks @adrelanos for the report.

Fixes QubesOS/qubes-issues#1985
2016-05-12 00:17:05 +02:00
Patrick Schleizer
23bdcb90a7 minor debug xtrace output 2016-05-03 15:16:59 +02:00
Patrick Schleizer
d14203f1ac
fixed bind-dirs legacy import function
https://phabricator.whonix.org/T501
2016-04-29 23:44:18 +02:00
Patrick Schleizer
cfb75f3cba
fixed qubes-core-agent upgrading double package manager lock
https://github.com/QubesOS/qubes-issues/issues/1889
2016-04-02 15:00:10 +00:00
Marek Marczykowski-Górecki
437680b731
Fix bind-dirs.sh path 2016-03-30 14:17:04 +02:00
Marek Marczykowski-Górecki
1b0e604eca
Merge remote-tracking branch 'origin/pr/65'
* origin/pr/65:
  minor indent
2016-03-21 14:21:57 +01:00
Patrick Schleizer
5a1ea4f5e5 minor indent 2016-03-19 16:26:29 +01:00
Patrick Schleizer
77d51a69ea use 'true' rather than ':' for consistency 2016-03-19 16:23:36 +01:00
Marek Marczykowski-Górecki
74625b1657
Merge remote-tracking branch 'origin/pr/58'
* origin/pr/58:
  refactoring / code simplification
  fixed broken file copy for files in multi level directories
  also exit from bind-directories if file /var/run/qubes-service/qubes-dvm exists
  use symlink_level_max rather than hardcoding 10; comment
  run /usr/lib/qubes/bind-dirs.sh from mount-dirs.sh
  renamed:    bind-dirs -> bind-dirs.sh
  renamed:    misc/bind-dirs -> vm-systemd/bind-dirs
  work on bind-dirs
  work on bind-dirs
  work on bind-dirs https://phabricator.whonix.org/T414
2016-03-14 16:14:10 +01:00
Marek Marczykowski-Górecki
7f686b1aae
Merge remote-tracking branch 'origin/pr/60'
* origin/pr/60:
  do not start the Tor service inside Qubes TemplateVMs
2016-03-14 16:11:44 +01:00
Marek Marczykowski-Górecki
07ad58b511
Merge remote-tracking branch 'origin/pr/62'
* origin/pr/62:
  disable systemd-timesyncd
2016-03-14 16:10:50 +01:00
Marek Marczykowski-Górecki
fb9b3b62c0
network: use qubes-primary-dns QubesDB entry if present
For a long time the DNS address was the same as default gateway. This is
still the case in R3.x, but using `qubes-gateway` configuration
parameter for it is misleading. It should be up to dom0 to provide DNS
address (whether the value is the same as gateway or not).

Fixes QubesOS/qubes-issues#1817
2016-03-07 13:37:45 +01:00
Patrick Schleizer
83d0ae6df4 disable systemd-timesyncd
fixes https://github.com/QubesOS/qubes-issues/issues/1754
2016-02-19 02:34:08 +01:00
Patrick Schleizer
aee3f5ed12
do not start the Tor service inside Qubes TemplateVMs
Private data inside /var/lib/tor should not be shared.
Tor should not be run inside TemplateVMs.

https://github.com/QubesOS/qubes-issues/issues/1625#issuecomment-172369781
2016-01-18 15:19:13 +01:00
Marek Marczykowski-Górecki
fb470fe86f
sysinit: Accept also old xenbus kernel interface
qubes-sysinit.sh waits for xenbus initialization by watching its
interface file presence. In linux before 3.10 there is no
/dev/xen/xenbus, which is the case in Debian 7 (3.2 kernel). The problem
applies only to the VMs with PVGrub enabled, because otherwise VM would
use dom0 privided kernel, which is much newer.

Fixes QubesOS/qubes-issues#1609
2016-01-13 05:05:00 +01:00
Patrick Schleizer
f4d367a6a7
refactoring / code simplification
Thanks to @marmarek for the suggestion!
2016-01-08 00:36:26 +00:00
Patrick Schleizer
e9fca8fb9f
fixed broken file copy for files in multi level directories
Thanks to @marmarek for the report and help fixing!
2016-01-07 21:19:52 +00:00
Patrick Schleizer
184f49dbbd
also exit from bind-directories if file /var/run/qubes-service/qubes-dvm exists
Thanks to @marmarek for the suggestion!

https://github.com/QubesOS/qubes-issues/issues/1328#issuecomment-169483029
2016-01-06 23:08:33 +00:00
Patrick Schleizer
7e8649f8c7
use symlink_level_max rather than hardcoding 10; comment 2016-01-06 20:46:38 +00:00
Patrick Schleizer
eb00e40bab
run /usr/lib/qubes/bind-dirs.sh from mount-dirs.sh 2015-12-25 12:30:36 +00:00
Patrick Schleizer
5a87313ea6
renamed: bind-dirs -> bind-dirs.sh 2015-12-25 12:30:35 +00:00
Patrick Schleizer
8f2a80982b
renamed: misc/bind-dirs -> vm-systemd/bind-dirs 2015-12-25 12:30:35 +00:00
MB
9c68afe14c [network-proxy-setup] Permit !CONFIG_MODuLES
* Check whether sysctl is accessible
* Check whether a key which exists when CONFIG_MODULES=y is not accessible

If true, CONFIG_MODULES=n, so ignore modprobe failure.
If false, fail.
2015-11-29 00:00:00 +00:00
Patrick Schleizer
e323d3f4bd
Have qubes-sysinit create /var/run/qubes VM type files.
- /var/run/qubes/this-is-appvm
- /var/run/qubes/this-is-netvm
- /var/run/qubes/this-is-proxyvm
- /var/run/qubes/this-is-templatevm

This is useful for checking ConditionPathExists from within systemd units.

(Came up in https://phabricator.whonix.org/T432#7206.)
2015-11-22 21:55:51 +00:00
Marek Marczykowski-Górecki
13c9149b6c
Use improved update-notify script also in Fedora
Among other things this also fixes build failure - those scripts were
installed but not listed in spec file.

Actual check doesn't perform 'apt-get update', so do that when running
"standalone" (not as a hook from 'apt-get').

QubesOS/qubes-issues#1066
2015-11-13 05:28:47 +01:00
qubesuser
f380c346cf Allow to provide customized DispVM home directly in the template VM
This significantly speeds up DispVM creation for large customized
homes, since no data has to be copied, and instead CoW is used.
2015-11-12 15:33:01 +01:00
Marek Marczykowski-Górecki
97e5072315
Revert "preset disable tinyproxy by default"
This reverts commit f32dccb5e3.
Not needed anymore since dropin approach is implemented.
2015-11-11 16:04:52 +01:00
Marek Marczykowski-Górecki
3324307ee2
Merge remote-tracking branch 'origin/pr/46'
* origin/pr/46:
  No longer start /etc/init.d/tinyproxy by default anymore.
2015-11-11 16:04:40 +01:00
Patrick Schleizer
5d6cf722a8
No longer start /etc/init.d/tinyproxy by default anymore.
But allow users to re-enable it through qubes-service framework.
/var/run/qubes-service/tinyproxy

Thanks to @marmarek for helping with this fix!

https://github.com/QubesOS/qubes-issues/issues/1401
2015-11-11 14:57:36 +00:00
Marek Marczykowski-Górecki
2a589f2c20
updates-proxy: use separate directory for PID file
And also use systemd-tmpfiles for that directory creation.

Fixes QubesOS/qubes-issues#1401
2015-11-11 05:57:57 +01:00
Marek Marczykowski-Górecki
90b4398863
Merge remote-tracking branch 'origin/pr/43'
* origin/pr/43:
  preset disable tinyproxy by default
2015-11-11 05:27:52 +01:00
Marek Marczykowski-Górecki
3466f3df35
systemd: make sure that update check is started only after qrexec-agent 2015-11-11 02:36:57 +01:00
Patrick Schleizer
f32dccb5e3 preset disable tinyproxy by default
Fixes https://github.com/QubesOS/qubes-issues/issues/1401
2015-11-10 20:08:26 +00:00
Olivier MEDOC
0c33c73b8e dropins: implement dropins for systemd user starting with pulseaudio systemd service and socket masking
Conflicts:
	Makefile
2015-11-07 19:12:30 +01:00
Olivier MEDOC
4b5332081e add DROPINS for org.cups.cupsd systemd files. 2015-11-06 19:36:52 +01:00
Marek Marczykowski-Górecki
6752be9196
No longer disable auditd
On Fedora 22 console is trashed with a lot of messages without auditd
running.

QubesOS/qubes-issues#1282
2015-11-03 18:15:20 +01:00
Marek Marczykowski-Górecki
c2596a0435
Setup updates proxy in dnf and PackageKit
DNF doesn't support even including another config file, so all the
settings needs to go into `/etc/dnf/dnf.conf`. The same about
PackageKit, which is needed because it doesn't use `dnf.conf`:
http://lists.freedesktop.org/archives/packagekit/2015-September/026389.html

Because that proxy settings goes to so many places now, create a
separate script for that.

QubesOS/qubes-issues#1282
QubesOS/qubes-issues#1197
2015-10-30 15:13:56 +01:00
Patrick Schleizer
f063b4a90f
Renamed qubes-mount-home to qubes-mount-dirs.
Renamed qubes-mount-home service and mount-home.sh script to qubes-mount-dirs service and mount-dirs.sh.
Because mount-home.sh also processed /rw/usrlocal.
preparation to fix the following issues:
- upstream bind-directories functionality to Qubes - https://phabricator.whonix.org/T414
- Bind mount /rw/usrlocal -> /usr/local instead of symlink - https://github.com/QubesOS/qubes-issues/issues/1150
- /bin/sync hangs forever in whonix-ws-dvm - https://github.com/QubesOS/qubes-issues/issues/1328
2015-10-15 20:57:43 +00:00
Patrick Schleizer
2eb0ed2be1
removed trailing spaces 2015-10-15 04:34:55 +02:00
Marek Marczykowski-Górecki
7963fb91c7
systemd: actually enable qubes-random-seed service
QubesOS/qubes-issues#1311
2015-10-10 16:23:46 +02:00
HW42
05292c0ac5
reload qubes-random-seed when restoring DispVM 2015-10-10 00:45:48 +02:00
HW42
0ffa746678
qubes-random-seed: feed kernel rng with randomness from dom0 2015-10-10 00:45:44 +02:00
Marek Marczykowski-Górecki
2bdbf37ef9
Run 'ldconfig' to update /usr/local/lib* cache, if applicable
Fixes QubesOS/qubes-issues#1255
2015-10-05 06:13:49 +02:00
Marek Marczykowski-Górecki
8e497bffc0
Merge branch 'qubes-iptables'
Conflicts:
	debian/control
	rpm_spec/core-vm.spec

QubesOS/qubes-issues#1067
2015-10-05 01:47:01 +02:00
Marek Marczykowski-Górecki
2a39adfe0f
Enlarge /tmp and /dev/shm
Initial size of those tmpfs-mounted directories is calculated as 50% of
RAM at VM startup time. Which happen to be quite small number, like
150M. Having such small /tmp and/or /dev/shm apparently isn't enough for
some applications like Google chrome. So set the size statically at 1GB,
which would be the case for baremetal system with 2GB of RAM.

Fixes QubesOS/qubes-issues#1003
2015-10-04 23:07:10 +02:00
Patrick Schleizer
c13e11d57e fixed 'Debian 8 apt.config.d misconfiguration'
prevent the Acquire::http::Proxy setting ending up multiple times inside /etc/apt/apt.conf.d/01qubes-proxy
(reported by @Scinawa)
https://github.com/QubesOS/qubes-issues/issues/1186
2015-09-12 18:34:49 +00:00
Marek Marczykowski-Górecki
c09d1d9d61
systemd: fix starting cups 2015-09-01 17:19:59 +02:00
Marek Marczykowski-Górecki
4703e3fca7
Remove dynamically generated autostart desktop files
qubesos/qubes-issues#1151
2015-08-27 22:08:04 +02:00
Marek Marczykowski-Górecki
3ccbde9a3c
debian: disable netfilter-persistent.service
This is now handled by qubes-iptables.service

qubesos/qubes-issues#1067
2015-08-09 20:32:35 +02:00
Marek Marczykowski-Górecki
65e9e4c72c
network: use own iptables service instead of repurposing existing one
There were multiple problems with reusing existing one:
 - need to sync with upstream changes (configuration path etc)
 - conflicts resolution on updates
 - lack of iptables --wait, which causes firewall fail to load sometimes

QubesOS/qubes-issues#1067
2015-08-09 20:09:51 +02:00
Marek Marczykowski-Górecki
13c54badcb
Move /usr/share/qubes/xdg to /var/lib/qubes/xdg
No files in /usr should be modified during package runtime, `/var` is
for that. So move this data there.
2015-08-08 02:01:15 +02:00
Jason Mehring
b6c19fc2ef qubes-desktop-file-install: Manages xdg desktop entry files
qubes-desktop-file-install is called by qubes-triggers-desktop-file-install. It's
arguments are based on the Gnome desktop-install-file utility to allow it to be replaced
by same.  Currently the Gnome utility can not be used since it automatically validates
the .desktop entry files with no option to skip validation and will fail on some third
party .desktop files that are not formed properly.

A single trigger script is shared between Fedora, Debian.  This script is used by the
package managers triggers and will copy original .desktop files from `/etc/xdg/autostart`
to `/usr/share/qubes/xdg/autostart` and modify the OnlyShownIn / NotShownIn, etc.  The
original .desktop files are left untouched and left in place.

Qubes modifies the XDG_CONFIG_DIRS to first include the `/usr/share/qubes/xdg`
directory (XDG_CONFIG_DIRS=/usr/share/qubes/xdg:/etc/xdg).

If a package gets removed, it's desktop entry is also removed from the /usr/share/qubes/xdg
directory.

'qubes-desktop-file-install' options:
   --dir DIR                          Install desktop files to the DIR directory (default: <FILE>)
   --force                            Force overwrite of existing desktop files (default: False)
   --remove-show-in                   Remove the "OnlyShowIn" and "NotShowIn" entries from the desktop file (default: False)
   --remove-key KEY                   Remove the KEY key from the desktop files, if present
   --set-key (KEY VALUE)              Set the KEY key to VALUE
   --remove-only-show-in ENVIRONMENT  Remove ENVIRONMENT from the list of desktop environment where the desktop files should be displayed
   --add-only-show-in ENVIRONMENT     Add ENVIRONMENT to the list of desktop environment where the desktop files should be displayed
   --remove-not-show-in ENVIRONMENT   Remove ENVIRONMENT from the list of desktop environment where the desktop files should not be displayed
   --add-not-show-in ENVIRONMENT      Add ENVIRONMENT to the list of desktop environment where the desktop files should not be displayed
2015-08-07 09:15:30 -04:00
Jason Mehring
b3a692b8cc vm-systemd: Add systemd drop-in support which include conditionals to prevent services from starting
Added all the drop-ins and remove older .service overrides
2015-08-04 10:32:41 -04:00