Commit Graph

2423 Commits

Author SHA1 Message Date
Rudd-O
b7d8d66bb1 Eliminate race condition with qubes-setup-dnat-to-ns
qubes-setup-dnat-to-ns is called multiple times during boot.  Of particular interest are the two invocations done by:

1. `/usr/lib/qubes/init/network-proxy.setup.sh` (`qubes-network.service`)
2. `/usr/lib/qubes/init/misc-post.sh` (`qubes-misc-post.service`)

These can, and do often, run in parallel.  Often enough that the `PR-QBS` `nat` chain can end up with eight rules instead of four, or (worse) zero rules.

This commit represents the proper boot ordering of these services, where the post startup *must* happen after Qubes has already started its iptables, firewall, network setup and netwatcher.

This eliminates the race.
2016-10-12 15:19:46 +00:00
unman
a493b7c121
Remove custom mount when starting cron, in favour of bind-dirs 2016-10-11 11:28:48 +01:00
Marek Marczykowski-Górecki
dd30d91375
version 3.2.11 2016-10-03 11:32:40 +02:00
Marek Marczykowski-Górecki
a302dd2b29
Merge remote-tracking branch 'origin/pr/83'
* origin/pr/83:
  Configure NetworkManager to keep /etc/resolv.conf as plain file
2016-10-03 11:30:17 +02:00
Marek Marczykowski-Górecki
8afc07c513
network: minor setup-ip fix
Don't exit with non-zero exit code just because custom hook isn't
installed
2016-09-19 01:04:25 +02:00
Marek Marczykowski-Górecki
e73d662bf1
Configure NetworkManager to keep /etc/resolv.conf as plain file
Do not use a symlink there, as it will be left after NetworkManager
shutdown - as a broken link then

Fixes QubesOS/qubes-issues#2320
Reported by Achim Patzner <noses@noses.com>
2016-09-15 01:26:35 +02:00
Marek Marczykowski-Górecki
2c8fe644f3
network: remove qubes-netwatcher
This tool/service is obsolete for a long time (it does nothing on R3.0
and later).
2016-09-12 05:58:26 +02:00
Marek Marczykowski-Górecki
ee0a292b21
network: rewrite qubes-firewall daemon
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
 - change language from bash to python, introduce qubesagent python package
 - support both nftables (preferred) and iptables
 - new interface (https://qubes-os.org/doc/vm-interface/)
 - IPv6 support
 - unit tests included
 - nftables version support running along with other firewall loaded

Fixes QubesOS/qubes-issues#1815
QubesOS/qubes-issues#718
2016-09-12 05:22:53 +02:00
HW42
be0e8a250f
bind-dirs: copy from ro only if bind target doesn't exists
f4d367a6 dropped the check if the bind target exists and added
"--no-clobber" to the cp call. For directories this does not work as
desired: cp checks per (recursive) file instead of once for the
specified directory.
2016-09-01 03:41:31 +02:00
Marek Marczykowski-Górecki
b50cba3f2c
Add qubes.ResizeDisk service to adjust filesystem size
Do this using qubes rpc service, instead of calling resize2fs directly
by dom0.
2016-08-17 21:47:22 +02:00
Marek Marczykowski-Górecki
779414d216
Merge remote-tracking branch 'woju/master' into core3-devel
* woju/master:
  misc: add qvm-features-request
2016-08-17 21:28:37 +02:00
Marek Marczykowski-Górecki
c3d630f288
Disable meminfo-writer if there is any PCI device attached
This code used to be in dom0, but it's easier to maintain it in VM.

QubesOS/qubes-issues#2101
2016-08-17 21:27:28 +02:00
Marek Marczykowski-Górecki
76e12cae2d
Rename qubes.xdg python module to qubesxdg
Do not interfere with 'qubes' module.

QubesOS/qubes-issues#1813
2016-08-17 21:27:28 +02:00
Marek Marczykowski-Górecki
1a601ddbe9
version 3.2.10 2016-08-08 05:23:02 +02:00
Marek Marczykowski-Górecki
60c30e6cdb
Merge remote-tracking branch 'origin/pr/82'
* origin/pr/82:
  comment legacy function
2016-08-06 18:42:16 +02:00
Marek Marczykowski-Górecki
1fd69636f8
systemd: fix syntax error in preset file
Services needs to be named with full unit name.

Fixes QubesOS/qubes-issues#2188
2016-08-06 18:36:30 +02:00
Marek Marczykowski-Górecki
d99a563542
network: reload NM connection after setting it up
Apparently NM monitor only its main configuration for changes, but not
connection files. Force reloading it.
2016-08-02 02:08:36 +02:00
HW42
7c15b9b0ea
systemd: remove obsolete symlinks with rm instead of systemctl
The systemctl in Debian unstable fails when trying to disable a removed
service. The manpage do not mention a switch to change this behaviour.
But it says:

  Note that this operation creates only the suggested symlinks for
  the units. While this command is the recommended way to manipulate
  the unit configuration directory, the administrator is free to make
  additional changes manually by placing or removing symlinks in the
  directory.

So a simple rm should be fine.
2016-07-28 21:54:50 +02:00
HW42
5ab7e80306
systemd: fix qubes-mount-home path in cleanup script 2016-07-28 21:54:38 +02:00
Patrick Schleizer
15274f8bb8 comment legacy function 2016-07-27 15:07:32 +02:00
Marek Marczykowski-Górecki
fd8a116744
version 3.2.9 2016-07-27 06:08:56 +02:00
Marek Marczykowski-Górecki
441a78df49
Merge remote-tracking branch 'origin/pr/81' 2016-07-27 05:20:13 +02:00
Marek Marczykowski-Górecki
bad589bc00
Merge remote-tracking branch 'origin/pr/80' 2016-07-27 05:20:12 +02:00
Marek Marczykowski-Górecki
60d16ea587
systemd: improve ordering of systemd units
- qubes-misc-post.service is no longer responsible for mounting /rw
- both qubes-sysinit.service and qubes-mount-dirs.service are part of
  basic.target, so no need to mention them explicitly (as long as
  DefaultDependencies=yes)

QubesOS/qubes-issues#2198
2016-07-27 05:19:47 +02:00
Marek Marczykowski-Górecki
ed434ad63f
systemd: include tor-disabling drop-ins in the package
QubesOS/qubes-issues#1625
2016-07-27 05:19:47 +02:00
Marek Marczykowski-Górecki
48a35d40d1
systemd: load xen-privcmd module
It is needed for vchan communication. It was loaded implicitly by mount
/proc/xen, but since we're moving away from this legacy interface, load
it explicitly.

QubesOS/qubes-issues#2194
2016-07-27 05:19:46 +02:00
Marek Marczykowski-Górecki
e0e89f153f
systemd: order qubes-mount-dirs.service before local-fs.target
The service is really responsible for mounting /rw and /home, so should
be ordered before local-fs.target - this will allow other services
to use standard ordering targets.

This probably makes Before=qubes-gui-agent.service not needed anymore,
but do not remove it yet without extensive testing to not risk
regression.

Fixes QubesOS/qubes-issues#2194
2016-07-27 05:19:46 +02:00
Marek Marczykowski-Górecki
90be5be630
systemd: cleanup removed services
Fixes QubesOS/qubes-issues#2192
2016-07-27 05:19:46 +02:00
Patrick Schleizer
67dd174cec empty legacy function
leaving that to Whonix

https://github.com/Whonix/qubes-whonix/blob/master/usr/lib/qubes-bind-dirs.d/41_qubes-whonix-legacy.conf

https://github.com/QubesOS/qubes-issues/issues/2191
2016-07-24 00:09:11 +00:00
Patrick Schleizer
a003093953
add /usr/lib/qubes/bind-dirs.sh compatibility symlink
https://github.com/QubesOS/qubes-issues/issues/2191
2016-07-23 21:44:00 +00:00
Marek Marczykowski-Górecki
979e2d2bf8
version 3.2.8 2016-07-17 04:27:04 +02:00
Marek Marczykowski-Górecki
f4d53fb7e6
Include Qubes Master Key in the VM template
It is useful to verify other qubes-related keys.

Fixes QubesOS/qubes-issues#1614
2016-07-17 04:26:01 +02:00
Marek Marczykowski-Górecki
65f0b26600
systemd: plug random seed loading into systemd-random-seed
Reuse its dependencies to make sure it is loaded early enough.

Reported by @adrelanos
Fixes QubesOS/qubes-issues#1761
2016-07-17 04:26:01 +02:00
Marek Marczykowski-Górecki
9b362a6d7d
systemd: don't mark updates check service failed
Even if update check fails for some reason (network problem, apt-get lock
being held etc), don't mark the service as failed. The update check
mechanism is designed this way to not worry about such single failures
- other VM(s) may still check and report updates availability.

Fixes QubesOS/qubes-issues#1889
2016-07-16 15:30:40 +02:00
Marek Marczykowski-Górecki
10cadc58a0
Revert "systemd: preset xendriverdomain on update"
This doesn't help when xen update is installed after this one. So, deal
with it in xen %post itself.
This reverts commit f2257e1e3b.

QubesOS/qubes-issues#2141
2016-07-16 01:37:12 +02:00
Marek Marczykowski-Górecki
40d5f85b36
dom0-updates: fix cleaning downloaded packages 2016-07-15 11:27:35 +02:00
Marek Marczykowski-Górecki
8781a5c588
version 3.2.7 2016-07-13 22:43:06 +02:00
Marek Marczykowski-Górecki
6cf30bff29
Merge remote-tracking branch 'origin/pr/66'
* origin/pr/66:
  fixed qubes-core-agent upgrading double package manager lock

  Fixes QubesOS/qubes-issues#1889
2016-07-13 22:38:25 +02:00
Marek Marczykowski-Górecki
0eb1f7c679
Merge remote-tracking branch 'origin/pr/77'
* origin/pr/77:
  archlinux: fix update-proxy-configs to use pacman.d drop-ins
  archlinux: ensure repositories are the last pacman.d files included
  archlinux: Setup default package repository
  archlinux: switch to usage of pacman.d drop-ins
2016-07-13 22:25:26 +02:00
Marek Marczykowski-Górecki
4996dd7609
rpm: fix misleading systemd warnings during upgrade
systemctl preset output lengthy warning when trying to operate on
non-existing unit. This preset action is meant to disable unit, so it's
even better it doesn't exists.
2016-07-13 22:13:17 +02:00
Marek Marczykowski-Górecki
f2257e1e3b
systemd: preset xendriverdomain on update
Make sure it is enabled, regardless of update installation order.
2016-07-13 21:48:42 +02:00
Marek Marczykowski-Górecki
e7b1711e21
version 3.2.6 2016-07-13 04:38:18 +02:00
Olivier MEDOC
7cea09711a archlinux: fix update-proxy-configs to use pacman.d drop-ins 2016-07-12 11:38:14 +02:00
Olivier MEDOC
a346de7e46 archlinux: ensure repositories are the last pacman.d files included 2016-07-12 11:25:03 +02:00
Olivier MEDOC
d449d75162 archlinux: Setup default package repository 2016-07-12 11:20:12 +02:00
Marek Marczykowski-Górecki
b8b3433d3f
Merge remote-tracking branch 'origin/pr/77'
* origin/pr/77:
  archlinux: remove unnecessary glib-compile-scheme
  archlinux: provide automatic qubes-trigger-sync-appmenus through pacman hooks
  archlinux: update installer script in prevision of pacman.d drop-ins
2016-07-12 06:32:23 +02:00
Olivier MEDOC
b6a6d4e4e0 archlinux: switch to usage of pacman.d drop-ins 2016-07-11 17:21:55 +02:00
Olivier MEDOC
245c6d1716 archlinux: remove unnecessary glib-compile-scheme
This is now automatically handled through pacman hooks
2016-07-11 15:32:36 +02:00
Olivier MEDOC
c82b82d7b4 archlinux: provide automatic qubes-trigger-sync-appmenus through pacman hooks 2016-07-11 15:29:31 +02:00
Olivier MEDOC
051d806f0a archlinux: update installer script in prevision of pacman.d drop-ins 2016-07-11 15:15:45 +02:00