diff --git a/Makefile b/Makefile
index 9f5e127dd..fd93d657a 100644
--- a/Makefile
+++ b/Makefile
@@ -146,13 +146,15 @@ endif
 
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service) vm-systemd/dev-xvdc1-swap.service
-SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service vm-systemd/qubes-sysctl-minimal-sys-net.service
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service
 SYSTEMD_SELINUX_SERVICES := vm-systemd/qubes-relabel-root.service vm-systemd/qubes-relabel-rw.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES) $(SYSTEMD_SELINUX_SERVICES), $(SYSTEMD_ALL_SERVICES))
+SYSTEMD_USER_SERVICES := $(wildcard vm-systemd/user/qubes-*.service)
 
 .PHONY: install-systemd
 install-systemd: install-init
 install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} \
+ $(DESTDIR)$(SYSLIBDIR)/systemd/user{,-preset} \
 $(DESTDIR)$(LIBDIR)/qubes/init \
 $(DESTDIR)$(SYSLIBDIR)/modules-load.d \
 $(DESTDIR)/etc/systemd/system \
@@ -160,6 +162,7 @@ install-systemd: install-init
 $(DESTDIR)$(SYSLIBDIR)/systemd/resolved.conf.d/ \
 $(DESTDIR)$(SYSLIBDIR)/systemd/user-environment-generators
 install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+ install -m 0644 $(SYSTEMD_USER_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/user/
 install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
@@ -169,6 +172,8 @@ install-systemd: install-init
 install -m 0644 vm-systemd/home.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 install -m 0755 vm-systemd/user-environment-generators/30-qubes.sh $(DESTDIR)$(SYSLIBDIR)/systemd/user-environment-generators/30-qubes.sh
 install -m 0644 vm-systemd/usr-local.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+ install -m 0755 vm-systemd/setup-minimal-vm $(DESTDIR)$(LIBDIR)/qubes/setup-minimal-vm
+ install -m 0644 vm-systemd/user/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/user-preset/
 
 .PHONY: install-sysvinit
 install-sysvinit: install-init
diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index af0d96af8..0e90c503b 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -18,7 +18,6 @@ lib/systemd/system/qubes-antispoof.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-network-uplink.service
 lib/systemd/system/qubes-network-uplink@.service
-lib/systemd/system/qubes-sysctl-minimal-sys-net.service
 lib/systemd/system/qubes-updates-proxy.service
 lib/systemd/network/80-qubes-vif.link
 usr/lib/qubes/init/network-proxy-setup.sh
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 5c1c92c86..6711f3098 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -100,6 +100,7 @@ lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
 lib/systemd/system/qubes-rootfs-resize.service
+lib/systemd/system/qubes-setup-minimal-vm.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
@@ -122,7 +123,9 @@ lib/systemd/system/user@.service.d/90-session-stop-timeout.conf
 lib/systemd/resolved.conf.d/30_resolved-no-mdns-or-llmnr.conf
 lib/systemd/system/home.mount
 lib/systemd/system/usr-local.mount
+lib/systemd/user/qubes-setup-minimal-vm.service
 lib/systemd/user-environment-generators/30-qubes.sh
+lib/systemd/user-preset/75-qubes-vm.preset
 usr/lib/sysctl.d/20-qubes-core.conf
 usr/lib/systemd/user/tracker-extract-3.service.d/30_qubes.conf
 usr/lib/systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf
@@ -189,6 +192,7 @@ usr/lib/qubes/qvm-move-to-vm.gnome
 usr/lib/qubes/qvm-move-to-vm.kde
 usr/lib/qubes/qvm-service-wrapper
 usr/lib/qubes/resize-rootfs
+usr/lib/qubes/setup-minimal-vm
 usr/lib/qubes/tar2qfile
 usr/lib/qubes/update-proxy-configs
 usr/lib/qubes/upgrades-installed-check
diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst
index 231e6c5fb..1546a0ed2 100755
--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@@ -129,11 +129,13 @@ case "${1}" in
 
 # Systemd preload-all
 preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
+ preset_units /lib/systemd/user-preset/75-qubes-vm.preset initial "--global"
 
 # Maybe install overridden serial.conf init script
 installSerialConf
 else
 preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
+ preset_units /lib/systemd/user-preset/75-qubes-vm.preset upgrade "--global"
 fi
 
 systemctl reenable haveged || :
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index e6d79b96c..6f13813c4 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -1145,7 +1145,6 @@ rm -f %{name}-%{version}
 %_unitdir/qubes-network.service
 %_unitdir/qubes-network-uplink.service
 %_unitdir/qubes-network-uplink@.service
-%_unitdir/qubes-sysctl-minimal-sys-net.service
 %_unitdir/qubes-updates-proxy.service
 /usr/lib/systemd/network/80-qubes-vif.link
 /usr/lib/qubes/init/network-proxy-setup.sh
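Review bot: Both added `preset_units ... "--global"` calls depend on the helper accepting a third argument and forwarding it to systemctl; preset_units is defined outside this hunk, and if it is still the two-argument helper the surrounding `initial`/`upgrade` calls were written for, the extra argument is silently ignored and the user units are never preset, with no error to show for it. Worth confirming the helper passes the third argument through on both the `initial` and the `upgrade` path; the spec's `%post systemd` adds the same two calls and has the same dependency. The quotes around `--global` are also unnecessary and differ from how the other arguments on these lines are written.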
@@ -1251,6 +1250,7 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/systemd-nsresourced.service.d/30_qubes.conf
 %dir %_unitdir/systemd-nsresourced.socket.d
 %_unitdir/systemd-nsresourced.socket.d/30_qubes.conf
+%_unitdir/qubes-setup-minimal-vm.service
 %dir %_userunitdir/*.service.d
 %_userunitdir/tracker-extract-3.service.d/30_qubes.conf
 %_userunitdir/tracker-miner-fs-3.service.d/30_qubes.conf
@@ -1267,6 +1267,9 @@ The Qubes core startup configuration for SystemD init.
 %_userunitdir/pipewire.service.d/40_minimal.conf
 %_userunitdir/wireplumber.service.d/30_qubes.conf
 /usr/lib/systemd/user-environment-generators/30-qubes.sh
+%_userunitdir/qubes-setup-minimal-vm.service
+%{_userunitdir}-preset/75-qubes-vm.preset
+/usr/lib/qubes/setup-minimal-vm
 
 %post systemd
 
@@ -1277,9 +1280,11 @@ changed=
 if [ $1 -eq 1 ]
 then
 preset_units %{_presetdir}/%qubes_preset_file initial
+ preset_units %{_userunitdir}-preset/75-qubes-vm.preset initial "--global"
 changed=true
 else
 preset_units %{_presetdir}/%qubes_preset_file upgrade
+ preset_units %{_userunitdir}-preset/75-qubes-vm.preset upgrade "--global"
 changed=true
 # Upgrade path - now qubes-iptables is used instead
 for svc in iptables ip6tables
diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset
index 48b333857..0e55f5a84 100644
--- a/vm-systemd/75-qubes-vm.preset
+++ b/vm-systemd/75-qubes-vm.preset
@@ -118,7 +118,7 @@ enable qubes-psu-client@.service default sys-usb
 enable dev-xvdc1-swap.service
 enable NetworkManager.service
 enable NetworkManager-dispatcher.service
-enable qubes-sysctl-minimal-sys-net.service
+enable qubes-setup-minimal-vm.service
 
 # Disable useless Xen services in Qubes VM
 disable xenstored.service
diff --git a/vm-systemd/qubes-setup-minimal-vm.service b/vm-systemd/qubes-setup-minimal-vm.service
new file mode 100644
index 000000000..ffc928ff5
--- /dev/null
+++ b/vm-systemd/qubes-setup-minimal-vm.service
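Review bot: The upgrade branch re-presets the new user preset but does nothing about the unit this commit removes: `qubes-sysctl-minimal-sys-net.service` was enabled through the system preset (see the vm-systemd/75-qubes-vm.preset hunk), so on upgrade its `sysinit.target.wants` symlink is left dangling once the unit file is gone, unless a %preun/%postun outside this hunk already handles it. The existing `# Upgrade path - now qubes-iptables is used instead` loop is the natural place for a `systemctl --no-reload disable qubes-sysctl-minimal-sys-net.service 2>/dev/null || :` (or an `rm -f` of the stale link); the debian postinst upgrade branch has the same gap. Minor: the system preset goes through `%qubes_preset_file` while the user preset hardcodes `75-qubes-vm.preset` in three places here; a parallel macro would keep them in step.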
@@ -0,0 +1,15 @@ +[Unit] +Description=Apply minimal vm runtime configuration +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-modules-load.service qubes-sysinit.service +Before=sysinit.target shutdown.target +ConditionPathExists=|/var/run/qubes-service/minimal-netvm +ConditionPathExists=|/var/run/qubes-service/minimal-usbvm + +[Service] +Type=oneshot +ExecStart=/usr/lib/qubes/setup-minimal-vm + +[Install] +WantedBy=sysinit.target diff --git a/vm-systemd/qubes-sysctl-minimal-sys-net.service b/vm-systemd/qubes-sysctl-minimal-sys-net.service deleted file mode 100644 index f13f014bb..000000000 --- a/vm-systemd/qubes-sysctl-minimal-sys-net.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=Apply minimal sys-net kernel variables -DefaultDependencies=no -Conflicts=shutdown.target -After=systemd-modules-load.service qubes-sysinit.service -Before=sysinit.target shutdown.target -ConditionPathIsReadWrite=/proc/sys/net/ -ConditionPathExists=/var/run/qubes-service/minimal-netvm - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/lib/systemd/systemd-sysctl /etc/sysctl.d/82-qubes-minimal-sys-net.conf.optional -TimeoutSec=90s -ImportCredential=sysctl.* - -[Install] -WantedBy=sysinit.target diff --git a/vm-systemd/setup-minimal-vm b/vm-systemd/setup-minimal-vm new file mode 100755 index 000000000..1821ac268 --- /dev/null +++ b/vm-systemd/setup-minimal-vm 
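Review bot: Compared with the `qubes-sysctl-minimal-sys-net.service` it replaces, the new unit drops `RemainAfterExit=yes`, `TimeoutSec=90s` and `ConditionPathIsReadWrite=/proc/sys/net/`, and none of the three removals looks intentional. Without RemainAfterExit a `Type=oneshot` unit returns to inactive after its ExecStart finishes and can be run again by anything that pulls sysinit.target in later, and without TimeoutSec a oneshot start has no time limit at all (oneshot units disable the start timeout by default). The read-write condition still matters because ExecStart ends up running `systemd-sysctl` as root (see vm-systemd/setup-minimal-vm), so keeping it avoids a failed unit where /proc/sys is read-only. Suggest re-adding `RemainAfterExit=yes` and `TimeoutSec=90s` under `[Service]` and `ConditionPathIsReadWrite=/proc/sys/net/` under `[Unit]`, noting the latter is only meaningful for the netvm path.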
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# License: GPL-2+
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+
+is_minimal_netvm() {
+ test -f /run/qubes-service/minimal-netvm
+}
+
+is_minimal_usbvm() {
+ test -f /run/qubes-service/minimal-usbvm
+}
+
+
+setup_minimal_netvm() {
+ if [ "$UID" == "0" ]; then
+ /usr/lib/systemd/systemd-sysctl /etc/sysctl.d/82-qubes-minimal-sys-net.conf.optional
+ else
+ /usr/bin/systemctl --user --runtime mask gvfs-daemon.service
+ fi
+}
+
+is_minimal_netvm && setup_minimal_netvm
diff --git a/vm-systemd/user/75-qubes-vm.preset b/vm-systemd/user/75-qubes-vm.preset
new file mode 100644
index 000000000..ec172489f
--- /dev/null
+++ b/vm-systemd/user/75-qubes-vm.preset
@@ -0,0 +1,3 @@
+# Units below this line will be re-preset on package upgrade
+
+enable qubes-setup-minimal-vm.service
diff --git a/vm-systemd/user/qubes-setup-minimal-vm.service b/vm-systemd/user/qubes-setup-minimal-vm.service
new file mode 100644
index 000000000..c537f6b28
--- /dev/null
+++ b/vm-systemd/user/qubes-setup-minimal-vm.service
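Review bot: The final line `is_minimal_netvm && setup_minimal_netvm` makes the script exit non-zero whenever the netvm flag file is absent, because the failing `test` is then the last command executed; both new units also start on `ConditionPathExists=|/var/run/qubes-service/minimal-usbvm`, so in a minimal USB qube the unit runs and is reported failed for no reason. Replace it with `if is_minimal_netvm; then setup_minimal_netvm; fi` so that only a real failure of systemd-sysctl or systemctl propagates to the unit. `is_minimal_usbvm` is defined but never called; either the usbvm handling is still to come (a `# TODO` above it would say so) or the usbvm condition in the units should be dropped. The `$UID` test selects between a root-only sysctl action and a per-session `systemctl --user` mask, which works because the system unit runs as root and the user unit as the session user; a one-line comment above `setup_minimal_netvm` stating that would help the next reader.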
@@ -0,0 +1,15 @@
+[Unit]
+Description=Apply minimal vm runtime configuration
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service qubes-sysinit.service
+Before=sysinit.target shutdown.target
+ConditionPathExists=|/var/run/qubes-service/minimal-netvm
+ConditionPathExists=|/var/run/qubes-service/minimal-usbvm
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/setup-minimal-vm
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
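Review bot: The user unit is a copy of the system unit, but `After=systemd-modules-load.service qubes-sysinit.service` and `Before=sysinit.target` name units the user manager does not have, so they have no effect in a `systemctl --user` instance, while `DefaultDependencies=no` also removes the implicit ordering after `basic.target` that a user service otherwise gets; with `WantedBy=default.target` the unit may therefore run before the session's basic.target is reached. Dropping those lines (keeping `Conflicts=shutdown.target` and `Before=shutdown.target` if wanted, which do exist in the user manager) gives the intended behaviour. The same unused `minimal-usbvm` condition as in the system unit applies here (see vm-systemd/setup-minimal-vm), and the file lacks a trailing newline.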