This will save a lot of dependencies if networking is not needed in VMs
based on given template. Thanks to updates proxy over qrexec, template
itself do not need to have network configured too.
QubesOS/qubes-issues#2771
In Fedora it makes little sense, but in Debian it allows to avoid a lot
of dependencies. So split in both, to keep it simple.
QubesOS/qubes-issues#2771
This is meant to notify dom0 about features supported by just-installed
template. This service is called by dom0 just after template
installation.
FixesQubesOS/qubes-issues#1637
Documentation pending: QubesOS/qubes-issues#2829
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. The listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part use systemd.socket
unit in case of systemd, and ncat --exec otherwise.
On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.
It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also run updates proxy.
FixesQubesOS/qubes-issues#1854
...but installed on all Debian versions. This is mostly required by
vebose file list in debian/qubes-core-agent.install. But also make it
use new options when upstream will set them.
QubesOS/qubes-issues#2161
This reverts commit 5dfcf06ef4.
python3-daemon isn't widespread enough yet - for Debian jessie available
only in packports.
In addition to the revert itself, adjust packaging for this change
(mostly for Debian).
Add --install-layout=deb option to setup.py, so files will not land in
/usr/local.
Also, explicitly list packaged files - make it easier to split the
package later.
This way:
- VM prompt do know VM list, the list may be filtered based on policy
- source VM don't learn name of target VM
FixesQubesOS/qubes-issues#910
* qubesos/pr/25:
Add systemd override for haveged in xenial and stretch. (#2161) Reenable haveged.service after debian package installation
FixesQubesOS/qubes-issues#2161
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
- change language from bash to python, introduce qubesagent python package
- support both nftables (preferred) and iptables
- new interface (https://qubes-os.org/doc/vm-interface/)
- IPv6 support
- unit tests included
- nftables version support running along with other firewall loaded
FixesQubesOS/qubes-issues#1815QubesOS/qubes-issues#718
The systemctl in Debian unstable fails when trying to disable a removed
service. The manpage do not mention a switch to change this behaviour.
But it says:
Note that this operation creates only the suggested symlinks for
the units. While this command is the recommended way to manipulate
the unit configuration directory, the administrator is free to make
additional changes manually by placing or removing symlinks in the
directory.
So a simple rm should be fine.
xdg-open is more robust in choosing default application for particular
file type: it supports fallback if the preferred application isn't
working, and most importantly it support system-wide defaults
(/usr/share/applications/defaults.list,
/usr/share/applications/mimeapps.list), so no "random" application is
chosen.
By default xdg-open tries to use environment-specific tool, like
gvfs-open - which isn't good for us, because many such tools do not wait
for editor/viewer termination. That would mean that DisposableVM would
be destroyed just after opening the file.
To avoid such effect, we set DE=generic.
FixesQubesOS/qubes-issues#1621
Apparently unmanaged devices are loaded only from main
NetworkManager.conf. Exactly the same line pasted (not typed!) to main
NetworkManager.conf works, but in
/etc/NetworkManager/conf.d/30-qubes.conf it doesn't.
BTW There was a typo in option name ("unmanaged_devices" instead of
"unmanaged-devices", but it wasn't the cause).
This reverts commit 6c4831339c.
QubesOS/qubes-issues#1176
Since /lib/modules is not mounted read-only anymore (only a selected
subdirectory there), it is no longer required to prevent kernel package
installation. Even more - since PV Grub being supported, it makes sense
to have kernel installed in the VM.
QubesOS/qubes-issues#1354
The custom way proved to be unreliable - for example does not survive
`locales` package upgrade. So settle on much more reliable way.
FixesQubesOS/qubes-issues#1195
Do not modify main /etc/NetworkManager/NetworkManager.conf as it would
cause conflicts during updates. Use
/etc/NetworkManager/conf.d/30-qubes.conf instead.
Also remove some dead code for dynamically generated parts (no longer
required to "blacklist" eth0 in VMs - we have proper connection
generated for it). It was commented out for some time already
FixesQubesOS/qubes-issues#1176
* origin/pr/31:
Fixed /etc/pam.d/su.qubes. (Moved line 'auth sufficient pam_permit.so' up. May not be low '@include' lines.)
- Prevent 'su -' from asking for password in Debian [based] templates. Thanks to @unman and @marmarek for suggesting the fix! Fixes https://github.com/QubesOS/qubes-issues/issues/1128. - Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.
Conflicts:
debian/control
Thanks to @unman and @marmarek for suggesting the fix!
Fixes https://github.com/QubesOS/qubes-issues/issues/1128.
- Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.
