It isn't really needed. It was used to workaround libusb bug (causing
crash when the system does not have any USB controller), but since we
use HVM now which do have some USB controllers it isn't needed anymore.
Also, it is not available in stock Fedora kernels.
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. The listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part use systemd.socket
unit in case of systemd, and ncat --exec otherwise.
On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.
It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also run updates proxy.
FixesQubesOS/qubes-issues#1854
For a long time the DNS address was the same as default gateway. This is
still the case in R3.x, but using `qubes-gateway` configuration
parameter for it is misleading. It should be up to dom0 to provide DNS
address (whether the value is the same as gateway or not).
FixesQubesOS/qubes-issues#1817
A file is created in /var/lib/qubes/protected-files. Scripts can grep this file before modifying
known files to be protected and skip any modifications if the file path is within protected-files.
Usage Example:
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
the enable/disable systemd unit files functions
Offline resize requires to run fsck -f first. Because we support only
growing that image, we can simply use online resize instead.
This finally fixesqubesos/qubes-issues#772
This patch introduces two new qvm-services:
- disable-default-route
- disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org
Conflicts:
network/setup-ip
vm-init.d/qubes-core
vm-systemd/qubes-sysinit.sh
This patch introduces two new qvm-services:
- set-default-route
- set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
Conflicts:
network/setup-ip
vm-init.d/qubes-core
vm-systemd/qubes-sysinit.sh
Get rid of underscores in filenames, use dashes instead.
This is first part of cleanup in filenames.
"qubes_rpc" still untouched - will be in separate commit.
No more ugly symlink creation at VM startup, nautilus-actions have system-wide
dir (in opposite to nautilus-scripts).
Currently old symlinks are not cleaned up. Maybe it should, but leaving them
have one advantage: will not break existing users behavior.
When /rw/home/user/.qubes-dispvm-customized is present use /rw/home/user
instead of default /etc/dispvm-dotfiles.tbz. Also make sure that /rw will not
remain mounted during DispVM creation.
The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it
is reasonable to bypass the proxy. Some examples:
- usage of non-standard repos with some exotic file layout, which will be
blocked by the proxy
- usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM)
This commit introduces 'yum-proxy-setup' pseudo-service, which can be
controlled via standard qvm-service or qubes-manager. When enabled - yum will
be configured at VM startup to use qubes proxy, otherwise - to connect directly
(proxy setting will be cleared).
Introduce proxy service, which allow only http(s) traffic to yum repos. The
filter rules are based on URL regexp, so it isn't full-featured content
inspection and can be easy bypassed, but should be enough to prevent some
erroneus user actions (like clicking on invalid link).
It is set up to intercept connections to 10.137.255.254:8082, so VM can connect
to this IP regardless of VM in which proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).
