Commit Graph

2292 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
51d55c03dc
debian: fix permissions of /var/lib/qubes/dom0-updates
qubesos/qubes-issues#1029
2015-07-18 15:06:40 +02:00
Olivier MEDOC
78dcdd0f6a archlinux: fix syntax errors in install file 2015-07-14 08:09:11 +02:00
Olivier MEDOC
d84c07295b archlinux: reorganize install script to make it more easily comparable with the .spec file 2015-07-08 15:01:21 +02:00
Olivier MEDOC
0373f1cdfb archlinux: update dependency list based on .spec file 2015-07-08 15:00:50 +02:00
Marek Marczykowski-Górecki
916824eb3f qubes-core-vm-kernel-placeholder 1.0-3 2015-07-08 06:09:12 +02:00
Marek Marczykowski-Górecki
3491c1401b kernel-placeholder: prevent xl2tpd from pulling kernel packages 2015-07-02 17:51:12 +02:00
Marek Marczykowski-Górecki
a122380624 version 3.0.13 2015-07-01 07:05:53 +02:00
Marek Marczykowski-Górecki
4e44008607 network: disable tx csum offload on vif interfaces
It doesn't work with HVMs - more precisely with (ancient) qemu in
stubdomain.
2015-07-01 04:53:31 +02:00
Marek Marczykowski-Górecki
13c078ddbd network: guard iptables call with manual lock
Apparently even iptables-restore does not handle concurrent firewall
updates. This is especially a problem in case of HVM, which have two
network interfaces (one through stubdom and the other direct) added at
the same time.
2015-07-01 01:25:00 +02:00
Marek Marczykowski-Górecki
2bfc6edddc network: use iptables-restore instead of iptables --wait
The latter one is present only in the latest iptables version - especially
debian does not have it. But we need to handle "Device or resources
busy" problem somehow.
2015-06-27 04:55:56 +02:00
Marek Marczykowski-Górecki
5176228abc fedora/systemd: fix service enabling code
Do not try to enable qubes-update-check.service, it is meant to be
started by qubes-update-check.timer (which is correctly enabled).
2015-06-26 19:57:44 +02:00
Marek Marczykowski-Górecki
3aca3f8c48 fedora: ensure that /etc/sysconfig/iptables exists (Fedora 20)
Even when iptables.service is configured to use a different file, the
service would not start when there is no /etc/sysconfig/iptables. Fedora
20 package does not provide it.
2015-06-26 19:54:22 +02:00
Marek Marczykowski-Górecki
ea0615d4da version 3.0.12 2015-06-23 20:06:23 +02:00
Marek Marczykowski-Górecki
549761a144 Do not override file pointed by /etc/localtime symlink
On Fedora 21 (and probably others) /etc/localtime is no longer a file
copy, but a symlink to original timezone file. Using `cp` to change
timezone here would override original file instead of just changing the
timezone.

Details:
https://groups.google.com/d/msgid/qubes-users/4a0de9457e08b93d1a39ac4cdbc6b632%40ruggedinbox.com
2015-06-23 19:59:17 +02:00
Marek Marczykowski-Górecki
0382f84eae rpm: improve setting iptables rules
Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in
/etc/sysconfig/iptables.qubes and configure the service to use that file
instead. This will prevent conflict on that file and also handle upgrades.
2015-06-19 09:42:55 +02:00
Marek Marczykowski-Górecki
b368ffe5c6 fedora, debian: make sure that default locale is generated
Otherwise some GUI applications would not start.
2015-06-16 02:27:23 +02:00
Marek Marczykowski-Górecki
3fdb67ac2b dom0-updates: make the tool working on Debian
Restore support for older yum: no --downloadonly option, so use
yumdownloader.
Also add some code to handle some Debian quirks - especially default
rpmdb location in user home...
2015-06-16 02:22:42 +02:00
Marek Marczykowski-Górecki
cdebf33cf6 version 3.0.11 2015-06-11 04:06:26 +02:00
Marek Marczykowski-Górecki
a2f1f28825 Tag for commit 0ccd2c9a98

Merge tag 'jm_0ccd2c9a'

Tag for commit 0ccd2c9a98

# gpg: Signature made Wed 10 Jun 2015 11:01:41 PM CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007  8F27 1BB9 B1FB 5A4C 6DAD

* tag 'jm_0ccd2c9a':
  Set a default locale if missing
2015-06-11 04:06:18 +02:00
Jason Mehring
0ccd2c9a98
Set a default locale if missing 2015-06-10 17:01:33 -04:00
Marek Marczykowski-Górecki
f05268bf59 debian: fix apt sources.list generation (missing debian version field)
Add Build-Depends: lsb-release, which is used for that.
2015-06-08 08:47:22 +02:00
Marek Marczykowski-Górecki
bd9a3bf515 version 3.0.10 2015-06-02 11:20:18 +02:00
Marek Marczykowski-Górecki
c454c9063d rpm: add missing dependencies
Fixes qubesos/qubes-issues#1002
2015-05-27 22:34:43 +02:00
Marek Marczykowski-Górecki
52a1fee533 qrexec: do not show message about missing fork-server - it isn't an error 2015-05-24 20:47:34 +02:00
Marek Marczykowski-Górecki
d922552198 rpm: ensure that all the services are enabled after upgrade
Especially when some new service was introduced in the meantime. For
example this happened between R2 and R3.x release.
2015-05-15 23:36:34 +02:00
Marek Marczykowski-Górecki
eb3e0c8c25 version 3.0.9 2015-05-15 03:27:58 +02:00
Marek Marczykowski-Górecki
447bb4cd9c rpm: mark service files as configuration to not override user changes 2015-05-13 23:23:07 +02:00
Marek Marczykowski-Górecki
23a9512402 qrexec: prefer VM-local service file (if present) over default one
This will allow a service to be overridden per-VM.
2015-05-13 23:21:01 +02:00
Marek Marczykowski-Górecki
6c288d0ac2 appmenus: hide message about missing /usr/local/share/applications
Debian template doesn't have this directory by default.
2015-05-11 22:06:03 +02:00
Marek Marczykowski-Górecki
c037afc52c Tag for commit 15459b0e82

Merge tag 'jm_15459b0e'

Tag for commit 15459b0e82

# gpg: Signature made Fri 01 May 2015 11:03:26 AM CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007  8F27 1BB9 B1FB 5A4C 6DAD

* tag 'jm_15459b0e':
  debian: Allow apt-get post hook to fail gracefully (won't work in chroot)
  debian: Only notify dom0 on apt-get post hook; don't update package index
2015-05-10 04:23:09 +02:00
Jason Mehring
15459b0e82
debian: Allow apt-get post hook to fail gracefully (won't work in chroot) 2015-05-01 05:03:14 -04:00
Jason Mehring
293aab9e6a
debian: Only notify dom0 on apt-get post hook; don't update package index
There is a possibility of the apt-get post hook getting triggered
more than once for each apt-get session, therefore we only notify
dom0 that there are no updates available and do not perform an
apt-get update.

The qubes-update-check.service will still perform an update so even
if the dist-upgrade failed and there were actually more files to update
the qubes-update-check.service would then at some point notify dom0
about those updates being available
2015-05-01 01:35:36 -04:00
Marek Marczykowski-Górecki
4a7b355490 version 3.0.8 2015-04-28 12:51:48 +02:00
Marek Marczykowski-Górecki
04533a8f21 Tag for commit 21d89335fe

Merge tag 'jm_21d89335'

Tag for commit 21d89335fe

# gpg: Signature made Sat Apr 25 09:44:38 2015 CEST using RSA key ID 5A4C6DAD
# gpg: Good signature from "Jason Mehring (Qubes OS Signing Key) <nrgaway@gmail.com>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E0E3 2283 FDCA C1A5 1007  8F27 1BB9 B1FB 5A4C 6DAD

* tag 'jm_21d89335':
  debian: Update notification now notifies dom0 when an upgrade is completed
2015-04-28 01:27:29 +02:00
Marek Marczykowski-Górecki
7adbc3fd59 Use iptables --wait only when it is supported 2015-04-28 00:51:05 +02:00
Jason Mehring
21d89335fe
debian: Update notification now notifies dom0 when an upgrade is completed 2015-04-25 03:44:28 -04:00
Marek Marczykowski-Górecki
32374123cd version 3.0.7 2015-04-25 02:36:55 +02:00
Jason Mehring
4373cda566 Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d 2015-04-25 02:36:43 +02:00
Jason Mehring
56b0685aaa whonix: Added protected-files file used to prevent scripts from modifying files that need to be protected
A file is created in /var/lib/qubes/protected-files.  Scripts can grep this file before modifying
        known files to be protected and skip any modifications if the file path is within protected-files.

        Usage Example:
            if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then

        Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
        the enable/disable systemd unit files functions
2015-04-25 02:36:43 +02:00
Marek Marczykowski-Górecki
0c0cb5f6b2 rpm: cleanup R2->R3.0 transitional package 2015-04-23 02:20:56 +02:00
Marek Marczykowski-Górecki
c49d9283f0 network: wait for iptables lock instead of aborting
vif-route-qubes can be called simultaneously, for example in case of:
 - multiple domains startup
 - HVM startup (two interfaces: one to the target domain, second one to
   stubdom)
If that happens, one of the calls can fail because of iptables lock.
2015-04-21 04:41:57 +02:00
Marek Marczykowski-Górecki
f2cf6933b9 prepare-dvm: fix bashism
$(( )) is POSIX syntax for shell arithmetic operations. Especially dash
(default shell in Debian) doesn't support $[ ].
2015-04-15 18:52:42 +02:00
Marek Marczykowski-Górecki
ab38410f5c debian: install qubes-download-dom0-updates.sh 2015-04-14 00:22:35 +02:00
Marek Marczykowski-Górecki
3768426306 version 3.0.6 2015-04-11 03:40:57 +02:00
Marek Marczykowski-Górecki
ff63a0b876 Minor fixes in mount-home.sh
Hide unneeded messages.
2015-04-11 02:51:10 +02:00
Marek Marczykowski-Górecki
65bc22fd1d Fix resizing of /rw partition (private.img)
Offline resize requires to run fsck -f first. Because we support only
growing that image, we can simply use online resize instead.

This finally fixes qubesos/qubes-issues#772
2015-04-11 02:47:16 +02:00
Marek Marczykowski-Górecki
3c8a294221 dispvm: do not start GUI apps during prerun
Apparently it doesn't help much with DispVM startup time, but causes a
lot of problems when such an app does not close in time (either can be killed
forcibly and will complain about it at next run, or will spontaneously
show itself when DispVM is started).
2015-04-11 02:43:03 +02:00
Marek Marczykowski-Górecki
285071bd59 systemd: disable avahi-daemon and dnf-makecache
Especially dnf-makecache is senseless as its state will not survive VM
restart, but it takes a lot of CPU time.
2015-04-10 18:23:14 +02:00
Marek Marczykowski-Górecki
5fef29e1a4 rpm/systemd: do not use preset-all during package upgrade
This will probably break some user configuration. Do that only when
installing for the first time (during template build), during upgrade
set only those installed by this package instead of all.
2015-04-10 18:08:28 +02:00
Marek Marczykowski-Górecki
731ee3e09a qrexec: do not reset umask to 077 for every started process
This umask will be inherited by any process started directly by qrexec
(i.e. without help of fork-server).
2015-04-10 18:07:32 +02:00