Apparently even iptables-restore does not handle concurrent firewall
updates. This is especially a problem in the case of HVMs, which have two
network interfaces (one through the stubdom and the other direct) added at
the same time.
The latter one is present only in the latest iptables version - especially
Debian does not have it. But we need to handle the "Device or resource
busy" problem somehow.
Even when iptables.service is configured to use a different file, the
service would not start when there is no /etc/sysconfig/iptables. The Fedora
20 package does not provide it.
Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in
/etc/sysconfig/iptables.qubes and configure the service to use that file
instead. This will prevent conflict on that file and also handle upgrades.
Restore support for older yum: no --downloadonly option, so use
yumdownloader.
Also add some code to handle some Debian quirks - especially the default
rpmdb location in the user's home...
Merge tag 'jm_0ccd2c9a'
Tag for commit 0ccd2c9a98
# gpg: Signature made Wed 10 Jun 2015 11:01:41 PM CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007 8F27 1BB9 B1FB 5A4C 6DAD
* tag 'jm_0ccd2c9a':
Set a default locale if missing
Merge tag 'jm_15459b0e'
Tag for commit 15459b0e82
# gpg: Signature made Fri 01 May 2015 11:03:26 AM CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007 8F27 1BB9 B1FB 5A4C 6DAD
* tag 'jm_15459b0e':
debian: Allow apt-get post hook to fail gracefully (won't work in chroot)
debian: Only notify dom0 on apt-get post hook; don't update package index
There is a possibility of the apt-get post hook getting triggered
more than once for each apt-get session, therefore we only notify
dom0 that there are no updates available and do not perform an
apt-get update.
The qubes-update-check.service will still perform an update, so even
if the dist-upgrade failed and there were actually more files to update,
the qubes-update-check.service would then at some point notify dom0
about those updates being available.
Merge tag 'jm_21d89335'
Tag for commit 21d89335fe
# gpg: Signature made Sat Apr 25 09:44:38 2015 CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007 8F27 1BB9 B1FB 5A4C 6DAD
* tag 'jm_21d89335':
debian: Update notification now notifies dom0 when an upgrade is completed
A file is created in /var/lib/qubes/protected-files. Scripts can grep this file before modifying
known files to be protected and skip any modifications if the file path is within protected-files.
Usage Example:
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
Also cleaned up maintainer scripts, removing unneeded systemd status functions and streamlining
the enable/disable systemd unit file functions.
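The protected-files check described above, as an added example rather than the project's own maintainer-script code. The list location /var/lib/qubes/protected-files comes from the commit message; the function names, the return codes and the sandbox built by demo() are this example's own assumptions. The original snippet anchors a regex ("^/etc/hostname$"); the version below uses grep -F -x for the same whole-line match without treating "." in a path as a wildcard.

```sh
#!/bin/sh
# Added example, not the Qubes maintainer-script code: consult the
# /var/lib/qubes/protected-files list (location taken from the commit
# message) before overwriting a managed config file. Function names and
# the sandbox used by demo() are this example's own.

PROTECTED_FILE_LIST=${PROTECTED_FILE_LIST:-/var/lib/qubes/protected-files}

# is_protected PATH: true if PATH appears as a whole line in the list.
# -F -x matches the path literally and as a whole line, so "." in a path is
# not a regex wildcard and /etc/hostname does not match /etc/hostname.bak.
# A missing list file means nothing is protected (grep fails quietly).
is_protected() {
    grep -qFx -- "$1" "$PROTECTED_FILE_LIST" 2>/dev/null
}

# write_unless_protected PATH CONTENT: install CONTENT into PATH unless the
# user has listed PATH as protected. Returns 0 if written, 2 if skipped.
write_unless_protected() {
    path=$1; content=$2
    if is_protected "$path"; then
        printf 'skipping %s: listed in %s\n' "$path" "$PROTECTED_FILE_LIST" >&2
        return 2
    fi
    printf '%s\n' "$content" > "$path"
}

# Constructed sandbox: one protected file and one unprotected file, both
# holding old content. Succeeds only if the protected one is left alone
# and the other one is rewritten.
demo() {
    dir=$(mktemp -d) || return 1
    PROTECTED_FILE_LIST=$dir/protected-files
    printf '%s\n' "$dir/hostname" > "$PROTECTED_FILE_LIST"
    printf 'user-chosen\n' > "$dir/hostname"
    printf 'old\n' > "$dir/resolv.conf"

    if write_unless_protected "$dir/hostname" "template-default" 2>/dev/null; then
        skipped=0; else skipped=$?; fi
    if write_unless_protected "$dir/resolv.conf" "nameserver 10.0.0.1"; then
        written=0; else written=$?; fi
    kept=$(cat "$dir/hostname")
    new=$(cat "$dir/resolv.conf")
    rm -rf "$dir"
    [ "$skipped" -eq 2 ] && [ "$written" -eq 0 ] &&
        [ "$kept" = user-chosen ] && [ "$new" = "nameserver 10.0.0.1" ]
}

demo && echo "protected-files check behaves as expected"
```

A maintainer script would call write_unless_protected for each file it manages and treat return code 2 as "user owns this file", not as an error, so a package upgrade still completes.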
vif-route-qubes can be called simultaneously, for example in case of:
- multiple domains startup
- HVM startup (two interfaces: one to the target domain, second one to
stubdom)
If that happens, one of the calls can fail because of the iptables lock.
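The race described here and in the earlier iptables-restore note (concurrent callers hitting the iptables lock, on an iptables that lacks a wait option) can be handled by retrying only on the lock-contention error. The following is an added example, not the vif-route-qubes script itself; the function names, the retry count and the stand-in fake_iptables command are this example's assumptions, and the "Device or resource busy" text is the message the commit quotes.

```sh
#!/bin/sh
# Added example, not the vif-route-qubes code itself: retry a firewall
# update that may race with another iptables caller, but only when the
# failure is lock contention. Assumed: an iptables without the -w (wait)
# option, so the stderr text is the only contention signal; the function
# and variable names are this example's own.

# retry_busy MAX_TRIES CMD [ARGS...]
# Run CMD. On lock contention, sleep briefly and retry up to MAX_TRIES times.
# Any other failure is returned at once so a genuinely bad rule is not masked.
retry_busy() {
    max=$1; shift
    attempt=1
    while :; do
        rc=0
        err=$("$@" 2>&1 >/dev/null) || rc=$?   # capture stderr only
        [ "$rc" -eq 0 ] && return 0
        case $err in
            *"Device or resource busy"*|*"xtables lock"*) ;;  # contended: retry
            *) printf '%s\n' "$err" >&2; return "$rc" ;;
        esac
        if [ "$attempt" -ge "$max" ]; then
            printf 'giving up after %d attempts: %s\n' "$attempt" "$err" >&2
            return "$rc"
        fi
        attempt=$((attempt + 1))
        sleep 0.2 2>/dev/null || sleep 1   # fractional sleep where supported
    done
}

# Constructed stand-in for iptables (no real firewall is touched): it fails
# with the busy message until it has been invoked BUSY_UNTIL times, counting
# calls in the file named by COUNTER, then succeeds.
fake_iptables() {
    n=$(cat "$COUNTER" 2>/dev/null)
    n=$((${n:-0} + 1))
    echo "$n" > "$COUNTER"
    if [ "$n" -le "$BUSY_UNTIL" ]; then
        echo "iptables: Device or resource busy." >&2
        return 4
    fi
    return 0
}

# Two calls contend, the third gets the lock: success after 3 invocations.
demo_recovers() {
    COUNTER=$(mktemp); BUSY_UNTIL=2
    if retry_busy 5 fake_iptables -A FORWARD -i vif1.0 -j ACCEPT; then rc=0; else rc=$?; fi
    calls=$(cat "$COUNTER"); rm -f "$COUNTER"
    [ "$rc" -eq 0 ] && [ "$calls" -eq 3 ]
}

# The lock never frees: failure after exactly MAX_TRIES invocations.
demo_gives_up() {
    COUNTER=$(mktemp); BUSY_UNTIL=100
    if retry_busy 3 fake_iptables -A FORWARD -j ACCEPT 2>/dev/null; then rc=0; else rc=$?; fi
    calls=$(cat "$COUNTER"); rm -f "$COUNTER"
    [ "$rc" -ne 0 ] && [ "$calls" -eq 3 ]
}

demo_recovers && demo_gives_up && echo "retry wrapper behaves as expected"
```

In the hotplug script the wrapper would be used as `retry_busy 10 iptables ...` around each rule. Where every caller is under your control, serialising them with flock(1) on a common lock file avoids the retry entirely; the retry remains useful because other processes on the system can hold the lock too.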
Offline resize requires running fsck -f first. Because we support only
growing that image, we can simply use online resize instead.
This finally fixes qubesos/qubes-issues#772
Apparently it doesn't help much with DispVM startup time, but causes a
lot of problems when such apps do not close in time (either they can be killed
forcibly and will complain about it at next run, or will spontaneously
show themselves when the DispVM is started).
This will probably break some user configuration. Do that only when
installing for the first time (during template build); during upgrade,
set only those installed by this package instead of all.
systemctl is-enabled always reports "disabled" for them (actually not a
real "disabled" but an error, but the exit code is the same). So simply
always disable the unit; it is a no-op for already disabled ones.
BTW systemctl preset also does not work for them.