Merge remote-tracking branch 'nrgaway/wheezy' into wheezy

2014-11-11 23:22:22 +01:00 · 2014-11-11 23:22:22 +01:00 · 162f3bfec1
commit 162f3bfec1
parent a526f17ef8 d92d6d1577
24 changed files with 179 additions and 104 deletions
--- a/create_template_list.sh
+++ b/create_template_list.sh
@ -1,48 +1,55 @@
 #!/bin/bash
 # vim: set ts=4 sw=4 sts=4 et :
 #
 # Creates a small script to copy to dom0 to retrieve the generated template rpm's
 #
-TEMPLATES="./rpm/install-templates.sh"
+template_dir="$(readlink -m ./rpm/install-templates.sh)"
 files=( $(ls rpm/noarch) )
 name=$(xenstore-read name)
-write() {
+# -----------------------------------------------------------------------------
-    echo "$1" >> "$TEMPLATES"
+# Write $vars
-}
+# -----------------------------------------------------------------------------
 cat << EOF > "${template_dir}"
 #!/bin/bash
-if [ -x /usr/sbin/xenstore-read ]; then
+# Use the following command in DOM0 to retreive this file:
-        XENSTORE_READ="/usr/sbin/xenstore-read"
+# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh
 else
        XENSTORE_READ="/usr/bin/xenstore-read"
 fi
-TEMPLATES="$(readlink -m $TEMPLATES)"
+files="
-VERSION="-$(cat ./version)"
+$(printf "%s \n" ${files[@]})
-name=$($XENSTORE_READ name)
+"
 path="$(readlink -m .)"
 files=$(ls rpm/noarch)
-#
+path="$(readlink -m .)/rpm/noarch"
-# Write to install-templates
+version="-$(cat ./version)"
-#
+name="${name}"
 EOF
-echo "#!/bin/bash" > "$TEMPLATES"
+# -----------------------------------------------------------------------------
-write ""
+# Write installation function
 # -----------------------------------------------------------------------------
 cat << 'EOF' >> "${template_dir}"
 for file in ${files[@]}; do
-    write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}"
+    if [ ! -e ${file} ]; then
-    write ""
+        echo "Copying ${file} from ${name} to ${PWD}/${file}..."
-    write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")"
+        qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}
-    write ""
+    fi
-    write "sudo yum install ${file}"
+
-    write ""
+    sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && {
-    write ""
+        sudo yum install ${file} && {
            rm -f ${file}
        }
    }
 done
 EOF
-write "# Use the following command in DOM0 to retreive this file:"
+# -----------------------------------------------------------------------------
-write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
+# Display instructions
-
+# -----------------------------------------------------------------------------
 echo "Use the following command in DOM0 to retreive this file:"
-echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
+echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh"
--- a/functions.sh
+++ b/functions.sh
@ -67,8 +67,7 @@ if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
    chroot() {
        local retval
        true ${blue}
-        /usr/sbin/chroot "$@"
+        /usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }
        retval=$?
        true ${reset}
        return $retval
    }
--- a/scripts_debian/01_install_core.sh
+++ b/scripts_debian/01_install_core.sh
@ -26,7 +26,7 @@ buildStep "$0" "pre"
 if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
    debug "Installing base ${DEBIANVERSION} system"
    COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
-        --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \
+        --components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
        "${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
    chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
    touch "${INSTALLDIR}/tmp/.prepared_debootstrap"
--- a/scripts_debian/keys/jessie-debian-archive-keyring.gpg
+++ b/scripts_debian/keys/jessie-debian-archive-keyring.gpg
--- a/scripts_debian/keys/wheezy-debian-archive-keyring.gpg
+++ b/scripts_debian/keys/wheezy-debian-archive-keyring.gpg
--- a/scripts_debian/vars.sh
+++ b/scripts_debian/vars.sh
@ -11,8 +11,8 @@
 DEBIANVERSION=${DIST}
 # Location to grab debian packages
-DEBIAN_MIRROR=http://ftp.us.debian.org/debian/
+DEBIAN_MIRROR=http://ftp.us.debian.org/debian
 #DEBIAN_MIRROR=http://http.debian.net/debian
-#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/
+#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian
 APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"
--- a/scripts_debian/wheezy+whonix-gateway/files/.facl
+++ b/scripts_debian/wheezy+whonix-gateway/files/.facl
@ -40,6 +40,13 @@ user::rw-
 group::r--
 other::r--
 # file: lib/systemd/system/qubes-whonix-init.service
 # owner: root
 # group: root
 user::rw-
 group::r--
 other::r--
 # file: etc
 # owner: root
 # group: root
@ -166,14 +173,14 @@ user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/whonix.sh
+# file: usr/lib/whonix/init
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/init
+# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
 # owner: root
 # group: root
 user::rwx
@ -201,12 +208,12 @@ user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/init/qubes-firewall-user-script
+# file: usr/lib/whonix/init/qubes-whonix-tor.service
 # owner: root
 # group: root
-user::rwx
+user::rw-
-group::r-x
+group::r--
-other::r-x
+other::r--
 # file: usr/lib/whonix/messages.yaml
 # owner: root
--- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service
@ -4,11 +4,9 @@ After=qubes-whonix-network.service
 Before=network.target
 [Service]
-Type=oneshot
+ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
 RemainAfterExit=yes
 ExecStartPre=/usr/lib/whonix/init/init.sh
 ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
 StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
 Alias=qubes-firewall.service
--- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service
@ -0,0 +1,13 @@
 [Unit]
 Description=Qubes Whonix initialization script
 After=qubes-whonix-network.service
 Before=qubes-whonix-firewall.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/whonix/init/init.sh
 StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
--- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
@ -2,7 +2,7 @@
 Description=Qubes Whonix network proxy setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=qubes-firewall.service
+After=iptables.service
 [Service]
 Type=oneshot
@ -12,3 +12,4 @@ StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
 Alias=qubes-network.service
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
    # we can use to identify that its a tor proxy so updates are secure
    error_file="/usr/share/tinyproxy/default.html"
    grep -q "${PROXY_META}" "${error_file}" || {
-        sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+        sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
    }
 fi
 # Copy firewall script so Qubes will reload it when it reloads
 cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script
@ -2,16 +2,16 @@
 . /usr/lib/whonix/utility_functions
 if [ -x /usr/sbin/xenstore-read ]; then
    XENSTORE_READ="/usr/sbin/xenstore-read"
 else
    XENSTORE_READ="/usr/bin/xenstore-read"
 fi
 # Make sure IP forwarding is disabled
 echo "0" > /proc/sys/net/ipv4/ip_forward
 if [ "${WHONIX}" != "template" ]; then
    # Make sure IP forwarding is disabled
    echo "0" > /proc/sys/net/ipv4/ip_forward
    if [ -x /usr/sbin/xenstore-read ]; then
        XENSTORE_READ="/usr/sbin/xenstore-read"
    else
        XENSTORE_READ="/usr/bin/xenstore-read"
    fi
    ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
    # Start Whonix Firewall
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
 iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
 iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
    fi
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service
@ -0,0 +1,16 @@
 [Unit]
 Description = Anonymizing overlay network for TCP
 After = syslog.target network.target nss-lookup.target
 [Service]
 Type = simple
 ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet
 ExecReload = /bin/kill -HUP ${MAINPID}
 ExecStop = /bin/kill -INT ${MAINPID}
 TimeoutSec = 60
 Restart = on-failure
 LimitNOFILE = 32768
 [Install]
 WantedBy = multi-user.target
 Alias=tor.service
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml
@ -7,6 +7,3 @@ update:
      <p><B>Tor netvm required for updates!</B></p>
      <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
      <p>No updates are possible without an active (running) Whonix gateway VM.</p>
      <p/>
      <p><b>Template will now power off</b></p>
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
    fi
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
    # Set secure defaults.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Flush old rules.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
    #sudo /sbin/poweroff 
 fi
--- a/scripts_debian/wheezy+whonix-workstation/files/.facl
+++ b/scripts_debian/wheezy+whonix-workstation/files/.facl
@ -40,6 +40,13 @@ user::rw-
 group::r--
 other::r--
 # file: lib/systemd/system/qubes-whonix-init.service
 # owner: root
 # group: root
 user::rw-
 group::r--
 other::r--
 # file: etc
 # owner: root
 # group: root
@ -145,14 +152,14 @@ user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/whonix.sh
+# file: usr/lib/whonix/init
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/init
+# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
 # owner: root
 # group: root
 user::rwx
@ -180,13 +187,6 @@ user::rwx
 group::r-x
 other::r-x
 # file: usr/lib/whonix/init/qubes-firewall-user-script
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
 # file: usr/lib/whonix/messages.yaml
 # owner: root
 # group: root
--- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service
+++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service
@ -4,11 +4,9 @@ After=qubes-whonix-network.service
 Before=network.target
 [Service]
-Type=oneshot
+ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
 RemainAfterExit=yes
 ExecStartPre=/usr/lib/whonix/init/init.sh
 ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
 StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
 Alias=qubes-firewall.service
--- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service
+++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service
@ -0,0 +1,13 @@
 [Unit]
 Description=Qubes Whonix initialization script
 After=qubes-whonix-network.service
 Before=qubes-whonix-firewall.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/whonix/init/init.sh
 StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
--- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
+++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
@ -2,7 +2,7 @@
 Description=Qubes Whonix network proxy setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=qubes-firewall.service
+After=iptables.service
 [Service]
 Type=oneshot
@ -12,3 +12,4 @@ StandardOutput=syslog
 [Install]
 WantedBy=multi-user.target
 Alias=qubes-network.service
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
@ -2,12 +2,6 @@
 . /usr/lib/whonix/utility_functions
 # Or just enable them :)
 #ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
 #ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
 #ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
 INTERFACE="eth1"
 if [ "${WHONIX}" == "gateway" ]; then
@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
    # we can use to identify that its a tor proxy so updates are secure
    error_file="/usr/share/tinyproxy/default.html"
    grep -q "${PROXY_META}" "${error_file}" || {
-        sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+        sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
    }
 fi
 # Copy firewall script so Qubes will reload it when it reloads
 cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
@ -2,16 +2,16 @@
 . /usr/lib/whonix/utility_functions
 if [ -x /usr/sbin/xenstore-read ]; then
    XENSTORE_READ="/usr/sbin/xenstore-read"
 else
    XENSTORE_READ="/usr/bin/xenstore-read"
 fi
 # Make sure IP forwarding is disabled
 echo "0" > /proc/sys/net/ipv4/ip_forward
 if [ "${WHONIX}" != "template" ]; then
    # Make sure IP forwarding is disabled
    echo "0" > /proc/sys/net/ipv4/ip_forward
    if [ -x /usr/sbin/xenstore-read ]; then
        XENSTORE_READ="/usr/sbin/xenstore-read"
    else
        XENSTORE_READ="/usr/bin/xenstore-read"
    fi
    ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
    # Start Whonix Firewall
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
 iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
 iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
    fi
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml
@ -7,6 +7,3 @@ update:
      <p><B>Tor netvm required for updates!</B></p>
      <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
      <p>No updates are possible without an active (running) Whonix gateway VM.</p>
      <p/>
      <p><b>Template will now power off</b></p>
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
    fi
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
    # Set secure defaults.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Flush old rules.
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
    #sudo /sbin/poweroff 
 fi
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
+++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
@ -19,11 +19,21 @@ else
    set -e
 fi
 # ------------------------------------------------------------------------------
 # Make sure IP forwarding is disabled (Qubes enables it by default)
 # ------------------------------------------------------------------------------
 echo "0" > /proc/sys/net/ipv4/ip_forward
 # ------------------------------------------------------------------------------
 # Enable Qubes-Whonix services
 # ------------------------------------------------------------------------------
 chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
 chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
-chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
+
 chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
 chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
 chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
 # ------------------------------------------------------------------------------
 # Restore Whonix apt-get