GNOME automatically set scaling factor to 2 when HiDPI is detected.
Unfortunately it does it also on not really HiDPI displays, making the
whole UI unusably large. There is no middle ground - scaling factor must
be integer, so 1.5 is not supported. Lets opt on a conservative side and
fallback to scaling factor 1.
Solution by @alyssais, thanks!
FixesQubesOS/qubes-issues#3108
It is more robust, especially handle "# Units below this line will be
re-preset on package upgrade" part of 75-qubes-vm.preset file. This is
needed to fix system configuration without the need to rebuild the whole
template.
QubesOS/qubes-issues#2913
* qubesos/pr/72:
Fix UCA mistake and qvm-actions script
Fix ShellCheck comments
Add debian package support
Disable Thunar thumbnails
Add support for Thunar Qubes VM tools
If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffix), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.
FixesQubesOS/qubes-issues#718
* fixes-20171019:
debian: cleanup after splitting qubes-core-agent
Fix removing temporary file after editing in (Disp)VM
network: fix rules for network setup on new udev
debian: disable timer-based apt-get
Debian stretch in default configuration calls apt-get update every 24h.
And additionally, have automatic unattended security updates enabled.
Generally it would be good thing on standalone system, but in AppVM
which loose its rootfs changes after restart it is a waste of resources.
Especially when it kicks in on multiple VMs simultaneously, while on
battery (apt-daily.service have ConditionACPower=true, but VM don't have
that information...).
It would make some sense on TemplateVM/StandaloneVM, but then it kicks
in just at VM startup. Which conflicts with starting the update manually
then (by clicking "update VM" button in manager for example, or using
salt).
So, disable this feature completely.
The actual solution is based on pkg-manager-no-autoupdate by @adrelanos.
FixesQubesOS/qubes-issues#2621
If root filesystem is the last partition (new layout), resize it
in-place. Use 'parted' tool because it can resize just one partition,
without need to specify the whole new partition table. Since the
partition is mounted, parted is unhappy to modify it. Force it by
answering to its interactive prompts, and add (apparently not
documented) ---pretend-input-tty to use those answers even
though stdin is not a tty. Split the operation into multiple parted
calls, for more reliable interactive prompts handling.
Qubes 3.x disk layout (no partition table) is also supported, but the
one that was used in Qubes 4.0 rc1 (root filesystem as the first
partition) is not.
FixesQubesOS/qubes-issues#3173QubesOS/qubes-issues#3143
* fixes-20171002:
qubes.ResizeDisk: handle dmroot being a symlink
qrexec: use user shell instead of hardcoded /bin/sh
qrexec: code style fix - use spaces for indentation
Add convenient wrappers for qvm-copy-to-vm and qvm-move-to-vm
Default `ask` policy ignore target domain specified by the caller, so it
doesn't make sense to specify one. Provide convenient wrappers not
needing one. Do not change behaviour of existing tools for compatibility
reasons.
FixesQubesOS/qubes-issues#3141
clock synchronization mechanism rewritten to use systemd-timesync instead of NtpDate; at the moment, requires:
- modifying /etc/qubes-rpc/policy/qubes.GetDate to redirect GetDate to designated clockvm
- enabling clocksync service in clockvm ( qvm-features clockvm-name service/clocksync true )
Works as specified in issue listed below, except for:
- each VM synces with clockvm after boot and every 6h
- clockvm synces time with the Internet using systemd-timesync
- dom0 synces itself with clockvm every 1h (using cron)
fixesQubesOS/qubes-issues#1230
Instead of calling 'su' to switch the user, use own implementation of
this. Thanks to PAM it's pretty simple. The main reason is to have
control over process waiting for session termination (to call
pam_close_sesion/pam_end). Especially we don't want it to keep std* fds
open, which would prevent qrexec-agent from receiving EOF when one of
them will be closed.
Also, this will preserve QREXEC_AGENT_PID environment variable.
FixesQubesOS/qubes-issues#2851
It isn't really needed. It was used to workaround libusb bug (causing
crash when the system does not have any USB controller), but since we
use HVM now which do have some USB controllers it isn't needed anymore.
Also, it is not available in stock Fedora kernels.
Qubes VM require few config options in grub. Ship appropriate
configuration. Debian have grub.d support, so it can be done cleanly.
On Fedora, /etc/default/grub needs to be modified. Still keep the
options in separate file, but include it manually from
/etc/default/grub.
QubesOS/qubes-issues#2577
- there are many netcat versions (openbsd, nmap, ...), which behave
differently - especially while handling EOF
- Debian jessie doesn't have nmap-ncat (which handle EOFs sufficiently
good)
QubesOS/qubes-issues#1854
While it doesn't make sense to install qubes-core-agent without qrexec,
it may make sense to do the otherway around - install just
qrexec-agent without all the qrexec services and configuration. For
example on some pre-installed system.
QubesOS/qubes-issues#2771
When a file is moved to other package, the new package needs Replaces:
and Breaks: dependecies on old package. Otherwise dpkg will refuse to
change file ownership.
QubesOS/qubes-issues#2771
This will save a lot of dependencies if networking is not needed in VMs
based on given template. Thanks to updates proxy over qrexec, template
itself do not need to have network configured too.
QubesOS/qubes-issues#2771
In Fedora it makes little sense, but in Debian it allows to avoid a lot
of dependencies. So split in both, to keep it simple.
QubesOS/qubes-issues#2771
This is meant to notify dom0 about features supported by just-installed
template. This service is called by dom0 just after template
installation.
FixesQubesOS/qubes-issues#1637
Documentation pending: QubesOS/qubes-issues#2829
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. The listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part use systemd.socket
unit in case of systemd, and ncat --exec otherwise.
On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.
It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also run updates proxy.
FixesQubesOS/qubes-issues#1854
...but installed on all Debian versions. This is mostly required by
vebose file list in debian/qubes-core-agent.install. But also make it
use new options when upstream will set them.
QubesOS/qubes-issues#2161
This reverts commit 5dfcf06ef4.
python3-daemon isn't widespread enough yet - for Debian jessie available
only in packports.
In addition to the revert itself, adjust packaging for this change
(mostly for Debian).
Add --install-layout=deb option to setup.py, so files will not land in
/usr/local.
Also, explicitly list packaged files - make it easier to split the
package later.
This way:
- VM prompt do know VM list, the list may be filtered based on policy
- source VM don't learn name of target VM
FixesQubesOS/qubes-issues#910
* qubesos/pr/25:
Add systemd override for haveged in xenial and stretch. (#2161) Reenable haveged.service after debian package installation
FixesQubesOS/qubes-issues#2161
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
- change language from bash to python, introduce qubesagent python package
- support both nftables (preferred) and iptables
- new interface (https://qubes-os.org/doc/vm-interface/)
- IPv6 support
- unit tests included
- nftables version support running along with other firewall loaded
FixesQubesOS/qubes-issues#1815QubesOS/qubes-issues#718
The systemctl in Debian unstable fails when trying to disable a removed
service. The manpage do not mention a switch to change this behaviour.
But it says:
Note that this operation creates only the suggested symlinks for
the units. While this command is the recommended way to manipulate
the unit configuration directory, the administrator is free to make
additional changes manually by placing or removing symlinks in the
directory.
So a simple rm should be fine.
xdg-open is more robust in choosing default application for particular
file type: it supports fallback if the preferred application isn't
working, and most importantly it support system-wide defaults
(/usr/share/applications/defaults.list,
/usr/share/applications/mimeapps.list), so no "random" application is
chosen.
By default xdg-open tries to use environment-specific tool, like
gvfs-open - which isn't good for us, because many such tools do not wait
for editor/viewer termination. That would mean that DisposableVM would
be destroyed just after opening the file.
To avoid such effect, we set DE=generic.
FixesQubesOS/qubes-issues#1621
Apparently unmanaged devices are loaded only from main
NetworkManager.conf. Exactly the same line pasted (not typed!) to main
NetworkManager.conf works, but in
/etc/NetworkManager/conf.d/30-qubes.conf it doesn't.
BTW There was a typo in option name ("unmanaged_devices" instead of
"unmanaged-devices", but it wasn't the cause).
This reverts commit 6c4831339c.
QubesOS/qubes-issues#1176
Since /lib/modules is not mounted read-only anymore (only a selected
subdirectory there), it is no longer required to prevent kernel package
installation. Even more - since PV Grub being supported, it makes sense
to have kernel installed in the VM.
QubesOS/qubes-issues#1354
The custom way proved to be unreliable - for example does not survive
`locales` package upgrade. So settle on much more reliable way.
FixesQubesOS/qubes-issues#1195
Do not modify main /etc/NetworkManager/NetworkManager.conf as it would
cause conflicts during updates. Use
/etc/NetworkManager/conf.d/30-qubes.conf instead.
Also remove some dead code for dynamically generated parts (no longer
required to "blacklist" eth0 in VMs - we have proper connection
generated for it). It was commented out for some time already
FixesQubesOS/qubes-issues#1176
* origin/pr/31:
Fixed /etc/pam.d/su.qubes. (Moved line 'auth sufficient pam_permit.so' up. May not be low '@include' lines.)
- Prevent 'su -' from asking for password in Debian [based] templates. Thanks to @unman and @marmarek for suggesting the fix! Fixes https://github.com/QubesOS/qubes-issues/issues/1128. - Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.
Conflicts:
debian/control
Thanks to @unman and @marmarek for suggesting the fix!
Fixes https://github.com/QubesOS/qubes-issues/issues/1128.
- Changed 'ifeq (1,${DEBIANBUILD})' to 'ifeq ($(shell lsb_release -is), Debian)' to make the build work outside of Qubes Builder as well.