Commit Graph

366 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
6501b26a36
initrd: mount / rw for the overlayfs setup time
overlayfs refuse to use R/O upperdir. Since dmroot is properly set
already, it's ok to mount it R/W.
But remount it later R/O, to not confuse startup scripts.

Fixes QubesOS/qubes-issues#5087

(cherry picked from commit 84188910cf)
2019-06-10 00:41:22 +02:00
Marek Marczykowski-Górecki
042b6717a8
version 4.0.24 2019-06-06 21:30:30 +02:00
Marek Marczykowski-Górecki
9c6c825691
initramfs: use overlayfs for /lib/modules, if available
If overlay fs is available, use it for /lib/modules. This way the whole
/lib/modules will be writable and changes (like extra modules) will
persist in TemplateVM/StandaloneVM.

In practice, this will allow to conveniently build in-vm kernel modules,
even for dom0-provided kernels.

QubesOS/qubes-issues#2908
2019-06-06 01:41:51 +02:00
Marek Marczykowski-Górecki
90641b0dce
Merge remote-tracking branch 'origin/pr/40'
* origin/pr/40:
  travis: remove older Fedora releases and add Fedora 30
  travis: switch to xenial
  python3: use macro pkgversion
2019-06-05 19:04:23 +02:00
Marek Marczykowski-Górecki
e7c90c705f
Declare u2mfn module version, skip build for qubes kernels
This will allow dkms to skip u2mfn module install if one is already
shipped with the kernel package - which is the case for kernels
delivered through dom0.
Make the version high enough to be considered newer than dkms package.

Sadly, it does not prevent module build. And the build fails becaue of
mismatching compiler version (kernel headers include gcc plugins).
Skip the build by setting BUILD_EXCLUSIVE_KERNEL in dkms.conf. Ideally,
we'd set some value indicating "don't build on kernel *qubes*", but
this variable does not support negation. So, set this variable to a
dummy value after manually checking $kernelver variable.

Fixes QubesOS/qubes-issues#4963
2019-06-05 18:21:49 +02:00
Frédéric Pierret (fepitre)
f365d7cce8
travis: remove older Fedora releases and add Fedora 30 2019-06-05 00:00:53 +02:00
Frédéric Pierret (fepitre)
2b8411346f
travis: switch to xenial
QubesOS/qubes-issues#4613
2019-06-04 23:59:51 +02:00
Frédéric Pierret (fepitre)
e00a64a915
python3: use macro pkgversion 2019-06-04 23:59:12 +02:00
Marek Marczykowski-Górecki
24a25cce5f
version 4.0.23 2019-02-25 21:46:52 +01:00
Marek Marczykowski-Górecki
de2150e3d3
Add xen_scrub_pages=0 kernel option only if initramfs was rebuilt
Rebuild initramfs on package upgrade (already done for Debian
previously) and store 1 into /var/lib/qubes/initramfs-updated. Then,
only add xen_scrub_pages=0 kernel option if
/var/lib/qubes/initramfs-updated is there (with "1" or greater number).
This way, if initramfs rebuild doesn't happen for any reason,
xen_scrub_pages=0 will not be added.

Fixes 456fe99 "Disable scrubbing memory pages during initial balloon down"
QubesOS/qubes-issues#1963
2019-02-25 06:38:53 +01:00
Marek Marczykowski-Górecki
ad790a53d4
Really install xen-scrub-pages dracut module
Fixes 456fe99 "Disable scrubbing memory pages during initial balloon down"
QubesOS/qubes-issues#1963
2019-02-25 06:38:53 +01:00
Marek Marczykowski-Górecki
2c696013cd
Do not use /proc/xen for detecting dom0 anymore
Phase out /proc/xen usage. Relevant device files are available in
/dev/xen. Dom0 check can be replaced with uuid check - dom0 have
well-known value of all-0.

QubesOS/qubes-issues#2540
2019-02-19 00:06:06 +01:00
Marek Marczykowski-Górecki
4fe08d31e4
Adjust permissions of /dev/xen/hypercall
Starting with Linux 4.18, there is new device node for issuing
hypercalls from user space - /dev/xen/hypercall (partially duplicating
functionality of /dev/xen/privcmd). New Xen tools (4.12) make use of it,
so make it available for them. Otherwise such tools will fail the
operation (there is no fallback to privcmd on EACCESS).
2019-02-16 14:56:14 +01:00
Marek Marczykowski-Górecki
da61cb7511
dracut: add a flag file indicating scrub-pages option support
Indicate when the dracut "qubes-vm-simple" module supports (re-)enabling
xen_scrub_pages option. This means the kernel can be safely booted with
xen_scrub_pages=0.

QubesOS/qubes-issues#1963
2019-02-15 20:33:03 +01:00
Marek Marczykowski-Górecki
5eb526da4b
dracut: fix checking for "Root filesystem" label, improve udev sync
Don't try to dereference "Root filesytem" partlabel symlink, unless it's
really present (not only directory for it).

Also, use udevadm settle for waiting for /dev/xvda, instead of naive
wait sleep loop.
2019-02-06 20:20:08 +01:00
Marek Marczykowski-Górecki
456fe99fa6
Disable scrubbing memory pages during initial balloon down
Balloon driver scrub memory page before giving it back to the
hypervisor. Normally this is a good thing, to avoid leaking VM's memory
data into Xen and other domains. But during initial startup when maxmem
is bigger than initial memory, on HVM and PVH, Populate-on-Demand (PoD) is in use.
This means every page on initial balloon down needs to be first mapped
by Xen into VM's memory (as it wasn't populated before - and in fact
didn't have any data), scrubbed by the kernel and then given back to
Xen. This is great waste of time. Such operation with default settings
(initial memory 400M, maxmem 4000M) can take few seconds, delaying every
VM startup (including DispVM). In extreme situation, when running inside
nested virtualization, the effect is much worse.

Avoid this problem by disabling memory scrubbing during initial boot,
and re-enable it as soon as user space kicks in - in initramfs, before
mounting root filesystem, to be sure it's enabled before memory contains
any kind of secrets.

This commit handle only one case - when kernel in managed by the VM
itself. It is critical to enable initramfs module whenever
xen_scrub_pages=0 kernel option is given, so make them depend on the
same condition and ship them in the same package.

Fixes QubesOS/qubes-issues#1963
2019-02-06 20:20:08 +01:00
Marek Marczykowski-Górecki
14be8aa5ae
version 4.0.22 2018-10-29 01:04:00 +01:00
Marek Marczykowski-Górecki
4543ab1ff0
tests: skip the other img converter test too
if qubes-img-converter is not installed
2018-10-26 01:44:24 +02:00
Marek Marczykowski-Górecki
4bfd10baaa
imgconverter: allow icons up to 2048x2048
Recently some applications ships with large icons like 1024x1024
(Signal-desktop for example). To not degrade any fancy HiDPI 8K
experience, allow for that, instead of downscaling.
The max icon size is only anti-DoS protection anyway.
2018-10-17 05:27:27 +02:00
Marek Marczykowski-Górecki
0255f4d843
tests: skip img converter test if qubes-img-converter is not installed 2018-10-16 22:13:46 +02:00
Marek Marczykowski-Górecki
e2d7f08d42
version 4.0.21 2018-10-09 00:25:11 +02:00
Marek Marczykowski-Górecki
76fa9c9d9f
travis: update Fedora and Debian versions 2018-10-08 23:29:10 +02:00
Marek Marczykowski-Górecki
3ca9f130b7
rpm: adjust for fc29
Don't rely on python -> python2 symlink and default %{python_*} macros.
Add explicit BR: gcc (default build env for fc29 doesn't have it
anymore).

QubesOS/qubes-issues#4223
2018-10-02 20:53:08 +02:00
Rusty Bird
6cd4a1b888
Order qubes-meminfo-writer-dom0 before systemd-user-sessions
qubes-vm@.service would already cause this ordering, but not every user
has any autostart=True VMs.

Also needed to maybe f*x QubesOS/qubes-issues#3149 at some point.
2018-09-06 16:23:12 +00:00
Marek Marczykowski-Górecki
ab7ca7be89
version 4.0.20 2018-07-03 21:11:00 +02:00
Marek Marczykowski-Górecki
f7b8a79ce6
udev: create /dev/mapper/dmroot -> xvda3 symlink when its mounted directly
When root device is available read-write (TemplateVM/StandaloneVM), its
mounted directly, instead of using device-mapper layer. But
/dev/mapper/dmroot still needs to exists (it is pointed from
/etc/fstab), otherwise various tools, including grub-mkconfig get
confused.
Create a symlink using udev rule. It is already done in initramfs, and
in case of Fedora that udev rule/symlink survive switching to
non-initramfs udev, but not on Debian. So, add appropriate udev rules
file.

Fixes QubesOS/qubes-issues#3178
2018-06-13 15:48:00 +02:00
Marek Marczykowski-Górecki
915c8f0cf7
version 4.0.19 2018-05-02 17:55:10 +02:00
Marek Marczykowski-Górecki
645d23b712
travis: add centos7 2018-05-01 16:07:51 +02:00
Marek Marczykowski-Górecki
89776c7f18
rpm: use proper macros for systemd handling 2018-05-01 16:07:16 +02:00
Marek Marczykowski-Górecki
4157f919b6
version 4.0.18 2018-04-21 14:36:39 +02:00
Marek Marczykowski-Górecki
cf6438807b
travis: update Fedora versions 2018-04-21 14:22:01 +02:00
Marek Marczykowski-Górecki
0df0d23ec6
Merge remote-tracking branch 'qubesos/pr/34'
* qubesos/pr/34:
  spec.in: add changelog placeholder
  Fix debug symbols
  Remove _builddir
  Makefile.builder: currently disable Mock
  rpm: preparation for src.rpm building
2018-04-21 01:22:35 +02:00
Marek Marczykowski-Górecki
9eafc65cb4
udev: don't call udev-block-add-change for devices excluded by other rules
The script call is quite expensive (it does multiple things, including
checking device-mapper, qubesdb etc). Don't call it for devices we (or
else) already excluded earlier.
This is the most relevant for dom0, where udev "change" event is
triggered quite often, for multiple LVM volumes - all excluded, because
being VM's disks.
2018-04-20 16:47:46 +02:00
Frédéric Pierret
f049d63571
spec.in: add changelog placeholder 2018-04-07 17:56:20 -04:00
Frédéric Pierret
2b3b684107
Fix debug symbols 2018-04-07 17:56:20 -04:00
Frédéric Pierret
a716102a08
Remove _builddir 2018-04-07 17:56:20 -04:00
Frédéric Pierret
0630c17588
Makefile.builder: currently disable Mock 2018-04-07 17:56:20 -04:00
Marek Marczykowski-Górecki
84c9ae4bf1
rpm: preparation for src.rpm building
QubesOS/qubes-issues#1508
2018-04-03 22:13:47 +02:00
Marek Marczykowski-Górecki
610e7d8f3e
version 4.0.17 2018-02-27 15:17:12 +01:00
Marek Marczykowski-Górecki
258b7926ef
Merge remote-tracking branch 'qubesos/pr/33'
* qubesos/pr/33:
  drop busybox dependance
  centos: fix python packages names
  Remove busybox as it is not provided in RHEL7 anymore
  Fix python3 package names with respect to CentOS for consistency with python34 names
2018-02-25 21:15:46 +01:00
Frédéric Pierret
d60964ee23
drop busybox dependance 2018-02-22 18:32:59 +01:00
Frédéric Pierret
2f511d4881
centos: fix python packages names 2018-02-22 18:32:54 +01:00
Frédéric Pierret
e3179e066c
Remove busybox as it is not provided in RHEL7 anymore 2018-02-22 18:02:24 +01:00
Frédéric Pierret
d1ce12f610
Fix python3 package names with respect to CentOS for consistency with python34 names 2018-02-21 20:20:41 +01:00
Marek Marczykowski-Górecki
ff36d11c19
version 4.0.16 2018-02-20 00:05:31 +01:00
Marek Marczykowski-Górecki
d623a3e7d3
debian: adjust required version after adding new function 2018-02-20 00:01:46 +01:00
Marek Marczykowski-Górecki
50412a8a8f
qrexec: provide common function for handling service call
Reduce code duplication by moving parsing of "QUBESRPC" magic command to
one place.
Call qubes-rpc-multiplexer directly with execve(), to avoid string
expansions in its parameters.
2018-02-16 04:20:31 +01:00
Marek Marczykowski-Górecki
ff2e2dbc22
version 4.0.15 2018-01-18 19:07:40 +01:00
Marek Marczykowski-Górecki
e37f9da355
udev: update detecting usbip-connected devices
Controller sysfs path have changed in recent kernels ('vhci_hcd' ->
'vhci_hcd.0'), look for vhci_hcd prefix, not exact this name.

QubesOS/qubes-issues#3455
2018-01-17 16:12:24 +01:00
Marek Marczykowski-Górecki
6eab71f678
version 4.0.14 2018-01-12 06:16:06 +01:00