Commit Graph

48 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
264ded8101
Merge remote-tracking branch 'origin/pr/53'
* origin/pr/53:
  Added enabling of qrexec-policy-daemon.service
2020-01-04 20:54:05 +01:00
Marek Marczykowski-Górecki
4a88c520ac
kernel-install: consider both grub2 and grub2-efi configs
Since EFI boot now also use grub2, update its config too when present.

Reported-by: @JarrahG
QubesOS/qubes-issues#4902
2019-12-19 05:33:34 +01:00
Marta Marczykowska-Górecka
761b5b1ef4
Added enabling of qrexec-policy-daemon.service
used by https://github.com/QubesOS/qubes-core-qrexec/pull/6
references QubesOS/qubes-issues#5125
2019-12-03 20:01:18 +01:00
Marek Marczykowski-Górecki
c56c4a7a9d
kernel-install: adjust EFI check to look for xen.cfg
Even if EFI directory is present it may not be populated. kernel-install
part care specifically about xen.cfg file, so check it explicitly. If
grub2-efi is in use, the file wont be there and the script isn't
supposed to do anything.
2019-06-27 14:28:15 +02:00
Marek Marczykowski-Górecki
2ec29a4d4c
Cleanup lvm archived metadata files
Those files may easily accumulate in large quantities, to the point
where just listing the /etc/lvm/archive directory takes a long time.
This affects every lvm command call, so every VM start/stop.
Those archive files are rarely useful, as Qubes do multiple LVM
operations at each VM startup, so older data is really out of date very
quickly.

Automatically remove files in /etc/lvm/archive older than one day.

Fixes QubesOS/qubes-issues#4927
Fixes QubesOS/qubes-issues#2963
2019-04-02 18:04:26 +02:00
Marek Marczykowski-Górecki
d705fa6ed4
system-config: enable dbus in system- and user- presets
It is no longer enabled by default by systemd package.

QubesOS/qubes-issues#4225
2019-04-01 06:23:21 +02:00
Marek Marczykowski-Górecki
9eefe23f4c
kernel-install: fix initramfs copying scripts
Fix current EFI boot dir discovery script.

Also, adjust scripts order:
50-dracut generates initramfs in /boot/(efi/)?/$MACHINE_ID/.../initrd
80-grub2 copies it to /boot/initramfs-....img
90-xen-efi copies it to /boot/efi/EFI/qubes/initramfs-....img

Make the above order explicit, rather than relying on xen sorted later
than grub2.

QubesOS/qubes-issues#3234
2018-06-28 02:56:16 +02:00
Marek Marczykowski-Górecki
53730c4ba2
kernel-install: remove EFI variant of BLS dirs too
Remove also EFI version of BootLoader Specification dirs. This will:
- really force to re-generate initramfs during installation, after all
relevant configs are updated; previously, dracut (called by anaconda
through kernel-install) refuse to update already existing
/boot/efi/.../initrd file.
- save some precious space in /boot/efi

Fixes QubesOS/qubes-issues#3234
2018-06-27 03:59:05 +02:00
Marek Marczykowski-Górecki
861ddc9ce0
kernel-install: cleanup old kernel binary on remove
Don't let kernel images accumulate on EFI partition.
2018-05-22 19:51:47 +02:00
Marek Marczykowski-Górecki
bcf7c9e978
kernel-install: use up to date initramfs
During installation, /usr/lib/kernel/install.d/50-dracut.install
generate initramfs in $BOOT_DIR_ABS. It is important to use that one,
even if there is one in /boot/initramfs-*.img already, because it was
generated later and contains all required config files (including
keyboard layout for entering LUKS passphrase).

This fixes d1f3be0eed "kernel-install:
avoid creating initramfs multiple times".

Fixes QubesOS/qubes-issues#3234
2018-03-27 19:20:36 +02:00
Marek Marczykowski-Górecki
bae443dfce
systemd-preset: enable fstrim.timer
On LVM thin it is easy to fill the pool if fstrim (or 'discard' mount
option) isn't used from time to time. Enable fstrim.timer by default,
which will do fstrim once a week.
2018-03-04 03:43:54 +01:00
Marek Marczykowski-Górecki
d1f3be0eed
kernel-install: avoid creating initramfs multiple times
There are multiple places where initramfs can be created:
 - /boot/iniramfs-*.img
 - /boot/$MACHINE_ID/.../initrd (unused on Qubes, but created by Fedora
   scripts)
 - /boot/efi/EFI/.../initramfs-*.img

Do not generate all of those from scratch, but try to reuse existing
image (if exists). Since one dracut call may last even 5 minutes, this
change should greatly reduce installation time.

Fixes QubesOS/qubes-issues#3637
2018-02-27 23:19:50 +01:00
Rusty Bird
629d02948f
Don't let udev parse 'file' driver .img anywhere 2018-01-19 18:04:56 +01:00
Marek Marczykowski-Górecki
21df9d55bb
Add qubes-core-dom0 to dnf protected packages set
This will prevent its accidental removal, which would lead to completely
broken system.
2017-11-03 03:27:10 +01:00
Marek Marczykowski-Górecki
5c84a0be92
udev: don't exclude loop devices pointing outside of /var/lib/qubes
Generally list loop devices in qvm-block, but exclude only those
pointing at files in /var/lib/qubes (VM disk images).

Fixes QubesOS/qubes-issues#3084
2017-09-12 04:22:25 +02:00
Marek Marczykowski-Górecki
f609afddb6
Merge remote-tracking branch 'qubesos/pr/28' 2017-07-12 12:54:55 +02:00
Marta Marczykowska-Górecka
6d424f91a5
clock synchronization rewrite
clock synchronization mechanism rewritten to use systemd-timesync instead of NtpDate; at the moment, requires:
- modifying /etc/qubes-rpc/policy/qubes.GetDate to redirect GetDate to designated clockvm
- enabling clocksync service in clockvm ( qvm-features clockvm-name service/clocksync true )

Works as specified in issue listed below, except for:
- each VM synces with clockvm after boot and every 6h
- clockvm synces time with the Internet using systemd-timesync
- dom0 synces itself with clockvm every 1h (using cron)

fixes QubesOS/qubes-issues#1230
2017-07-06 23:37:26 +02:00
Marek Marczykowski-Górecki
6ffac092ed
udev: exclude LVM volumes for VM images
QubesOS/qubes-issues#2319
2017-07-06 19:41:44 +02:00
Marek Marczykowski-Górecki
9b75dd1321
systemd: remove qubes-block-cleaner 2017-06-06 01:25:54 +02:00
Marek Marczykowski-Górecki
e62acf815a
Really disable lesspipe
Only files with .sh suffix are loaded.

Fixes QubesOS/qubes-issues#2808
2017-05-26 05:44:33 +02:00
Rusty Bird
6c8df74b7f
Get rid of forked f23 60-persistent-storage.rules
Use UDEV_DISABLE_PERSISTENT_STORAGE_RULES_FLAG instead, which is
available since systemd 231.

- Do not merge to branches where dom0 is older than Fedora 25 -
2017-05-18 01:42:08 +00:00
Marek Marczykowski-Górecki
ad2a976924
Merge branch 'core3-devel' 2017-05-18 01:26:20 +02:00
Marek Marczykowski-Górecki
83308758f0
systemd: enable qubesd.service 2017-05-17 13:54:36 +02:00
Jean-Philippe Ouellet
9b7667c3a5
Ignore EFI boot args when parsing for filename
I need to set some flags in order to boot as described here:
https://www.qubes-os.org/doc/uefi-troubleshooting/

My settings look like this:
    $ efibootmgr -v
    BootCurrent: 0000
    Boot0000* Qubes HD(...)/File(\EFI\qubes\xen.efi)p.l.a.c.e.h.o...

which causes awk to get confused and think my $EFI_DIR should be:
    /EFI/qubesp.l.a.c.e.h.o.l.d.e.r. ./.m.a.p.b.s. ./.n.o.e.x.i.t.b.o.o.t.

This causes the script to later bail:
    if [ ! -d "$EFI_DIR" ]; then
        # non-EFI system
        exit 0;
    fi

So my xen.cfg did not get new entries when installing dom0 kernel packages.
2016-11-11 16:22:23 -05:00
Marek Marczykowski-Górecki
daf1fd4759
systemd: enable xen-init-dom0.service
This is the right upstream service to init dom0 entries. Instead of our
own script.
2016-08-08 01:15:56 +02:00
Marek Marczykowski-Górecki
37f92396c4
install-kernel: handle custom EFI directory
Fixes QubesOS/qubes-issues#1676
2016-07-21 14:16:52 +02:00
Marek Marczykowski-Górecki
6cd45f88c5
Merge remote-tracking branch 'qubesos/pr/8'
* qubesos/pr/8:
  Don't probe disk contents of loop* or xvd*
  Copy unmodified(!) 60-persistent-storage.rules from Fedora 23
2016-06-26 22:03:18 +02:00
Rusty Bird
fe6846d5eb
Add AEM services to 75-qubes-dom0.preset
They will only start if booted with rd.antievilmaid anyway.
2016-06-26 15:17:38 +00:00
Rusty Bird
ae7656e348
Don't probe disk contents of loop* or xvd*
Adds a standalone rule to the very top of 60-persistent-storage.rules.
2016-06-26 12:51:20 +00:00
Rusty Bird
e85363da20
Copy unmodified(!) 60-persistent-storage.rules from Fedora 23 2016-06-26 12:36:31 +00:00
Marek Marczykowski-Górecki
60488d4439
system-config: add systemd-preset configuration
Fixes QubesOS/qubes-issues#2049
2016-06-06 02:22:58 +02:00
Marek Marczykowski-Górecki
4d4e7cc5e9
kernel-install: do not add kernel entry if already present
The entry may be already present for example when reinstalling package,
or calling the script multiple times (which apparently is the case
during system installation).
2016-06-03 20:51:18 +02:00
Marek Marczykowski-Górecki
f7eaa7bec2
kernel-install: don't fail on kernel removal in non-EFI installs
In non-EFI installation /boot/efi/EFI/qubes may not exists. In this case
do not try to touch (non-existing) files there.

Fixes QubesOS/qubes-issues#1829
2016-05-15 11:19:18 +02:00
Marek Marczykowski-Górecki
1430861c6b
kernel-install: (EFI) really install kernel image
Not only add it to the configuration.

Fixes QubesOS/qubes-issues#1492
2015-12-05 15:18:08 +01:00
Marek Marczykowski-Górecki
8a9d3de1ef
kernel-install: fix EFI dir path in xen.cfg generation script
Fixes QubesOS/qubes-issues#1492
2015-12-05 15:05:34 +01:00
Marek Marczykowski-Górecki
867baa7266
kernel-install: add new kernel to xen.cfg for xen.efi
QubesOS/qubes-issues#794
2015-09-26 03:56:16 +02:00
Marek Marczykowski-Górecki
0e733bd0de
kernel-install: call grub2-mkconfig only when it is installed
On systems booting with EFI, there is no grub2 installed at all - the
system is started directly to xen.efi.
2015-09-26 02:54:32 +02:00
Marek Marczykowski-Górecki
f795e58483
Undo 'Boot Loader Spec' by deleting /boot/MACHINE_ID
The specification doesn't cover how to boot Xen (or any other multiboot
binary), but the sole presence of such directory changes dracut default
path. So get rid of that directory.
2015-08-03 03:00:59 +02:00
Marek Marczykowski-Górecki
fddeb4a23c
Generate initramfs in kernel-install hook
The default one generates initramfs in location expected by Boot Loader
Specification, which as noted before, isn't useful for Qubes.
2015-07-12 01:54:53 +02:00
Marek Marczykowski-Górecki
2a14ae9c0b
Add kernel post-installation script to regenerate grub2 config
Since we now allow using Fedora kernel, add a script to generate proper
bootloader configuration then. Standard Fedora mechanism relies on
Boot Loader Specification support in grub2, which sadly does not support
Xen, so it is useless in Qubes.
2015-07-10 17:54:24 +02:00
Marek Marczykowski-Górecki
8acd40905d Disable lesspipe in dom0
It can be dangerous when processing untrusted content (for example VM
logs).
Details:
https://groups.google.com/d/msgid/qubes-users/20150527215812.GA13915%40mail-itl
2015-06-25 02:37:29 +02:00
Marek Marczykowski-Górecki
c457b485cb Load xen-acpi-processor module
It is required for cpufreq to work.
2015-04-10 17:56:58 +02:00
Marek Marczykowski-Górecki
5035fc7eed Remove iptables config
Dom0 have no network at all, it isn't needed.
2015-03-31 22:55:25 +02:00
Marek Marczykowski-Górecki
4449d51d98 udev: prevent race with kpartx -d
udevd calls (internal) blkid, which opens the device, so kpartx -d
cannot remove it.
2015-02-01 04:05:05 +01:00
Marek Marczykowski-Górecki
9687180a62 udev: prevent dom0 processes from accessing templates root image 2014-07-04 04:29:31 +02:00
Marek Marczykowski-Górecki
5af0530e8d udev: prevent VM disks content from being accessed by dom0 processes
To not expose dom0 processes like blkid for attacks from VM (e.g. by
placing malicious filesystem header in private.img).
2014-06-11 02:41:20 +02:00
Marek Marczykowski-Górecki
2c4aae132a Use 'conntrack' iptables module instead of obsoleted 'state' 2014-04-04 11:30:55 +02:00
Marek Marczykowski
dbe9693851 Other Linux-specific files 2013-03-16 19:52:16 +01:00