core-agent-linux/vm-systemd/75-qubes-vm.preset
Marek Marczykowski-Górecki b49ae50ad5
Implement qrexec-based connection to updates proxy
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. Then listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part uses systemd.socket
unit in case of systemd, and ncat --exec otherwise.

On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.

It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if a VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also runs updates proxy.

Fixes QubesOS/qubes-issues#1854
2017-05-26 05:25:29 +02:00
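The forwarder side described in the commit message, written out as an added example (not the project's code): a listener on 127.0.0.1:8082 that hands every accepted connection to a fresh service call with the socket as the child's stdin/stdout, and that refuses to start when the same VM also runs the updates proxy. The qrexec-client-vm argument list is an assumption; `roundtrip` plays the package manager so the bridge can be exercised locally with a command such as `cat`.

```python
import socket
import subprocess
import threading

# One qrexec service call to qubes.UpdatesProxy per TCP connection. The exact
# qrexec-client-vm argument list is an assumption for illustration only.
QREXEC_CMD = ["qrexec-client-vm", "", "qubes.UpdatesProxy"]
LISTEN_ADDR = ("127.0.0.1", 8082)  # the proxy address the package manager is given


class UpdatesProxyForwarder:
    def __init__(self, command=QREXEC_CMD, addr=LISTEN_ADDR, proxy_runs_locally=False):
        # The commit message's caveat: a VM that runs the updates proxy itself must
        # not also forward to it, or the connection would loop back to this listener.
        if proxy_runs_locally:
            raise RuntimeError("this VM runs the updates proxy; forwarding disabled")
        self.command = list(command)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(addr)
        self.sock.listen()
        self.port = self.sock.getsockname()[1]  # real port, also when addr uses 0

    def handle(self, conn):
        # Same trick as systemd's StandardInput=socket or ncat --exec: the accepted
        # socket becomes the child's stdin and stdout, so no bytes are copied here.
        proc = subprocess.Popen(self.command, stdin=conn.fileno(), stdout=conn.fileno())
        conn.close()  # the child now owns the connection
        return proc.wait()

    def serve(self, max_connections=None):
        served = 0
        while max_connections is None or served < max_connections:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()
            served += 1


def start_background(forwarder, max_connections=None):
    threading.Thread(target=forwarder.serve, args=(max_connections,), daemon=True).start()


def roundtrip(port, payload):
    """Act as the package manager: send a request, then read the whole reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # EOF on the service's stdin
        chunks = []
        while data := c.recv(4096):
            chunks.append(data)
    return b"".join(chunks)
```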

# Units that should not run by default in Qubes VMs.
#
# This file is part of the qubes-core-vm-systemd package. To ensure that the
# default configuration is applied to all units in the list regardless of
# package installation order, including units added to the list by
# qubes-core-vm-systemd upgrades, all units in the list are preset by a
# scriptlet every time qubes-core-vm-systemd is installed or upgraded. That
# means that to permanently enable a unit with an [Install] section, you must
# create your own higher-priority preset file. (It might be possible to be
# smarter and keep a list of units previously preset, but this is not
# implemented.)
#
# For units below with no [Install] section, the scriptlet masks them instead.
# Qubes currently does not provide a way to permanently prevent such units from
# being masked.
#
# Maintainer information:
#
# * All units listed here are preset during first install of the *-systemd RPM.
# For those units which are disabled here, but don't have an install section
# (static units), we mask them during that install.
# * All units listed here that find themselves below the comment titled
# "# Units below this line will be re-preset on package upgrade"
# are preset both during install and during upgrade. This allows you to add
# new units here and have them become active when the user's machine upgrades
# their *-systemd RPM built by this project.
#
# Hi, Matt! I see you did great with this conversion to systemd presets!
# Thank you! Skyler sends you her regards from Europe!
# - Rudd-O
#
# https://groups.google.com/d/topic/qubes-users/dpM_GHfmEOk/discussion
disable avahi.service
disable avahi-daemon.service
disable avahi-daemon.socket
# Fedora only services
disable rpcbind.service
disable sendmail.service
disable sm-client.service
disable sshd.service
disable backuppc.service
# Units below this line will be re-preset on package upgrade
disable alsa-store.service
disable alsa-restore.service
disable hwclock-save.service
disable mdmonitor.service
disable plymouth-start.service
disable plymouth-read-write.service
disable plymouth-quit.service
disable plymouth-quit-wait.service
disable smartd.service
disable upower.service
disable colord.service
disable systemd-timesyncd.service
# Fedora only services
disable cpuspeed.service
disable dnf-makecache.timer
disable fedora-autorelabel.service
disable fedora-autorelabel-mark.service
disable fedora-storage-init.service
disable fedora-storage-init-late.service
disable hwclock-load.service
disable ipmi.service
disable iptables.service
disable ip6tables.service
disable irqbalance.service
disable mcelog.service
disable mdmonitor-takeover.service
disable multipathd.service
disable openct.service
disable rngd.service
disable tcsd.service
enable qubes-sysinit.service
enable qubes-early-vm-config.service
enable qubes-db.service
enable qubes-gui-agent.service
enable qubes-update-check.timer
enable qubes-misc-post.service
enable qubes-updates-proxy.service
enable qubes-dvm.service
enable qubes-network.service
enable qubes-qrexec-agent.service
enable qubes-mount-dirs.service
enable qubes-firewall.service
enable qubes-meminfo-writer.service
enable qubes-iptables.service
enable qubes-updates-proxy-forwarder.socket
enable haveged.service
enable chronyd.service
enable xendriverdomain.service