Merge pull request #116 from talex5/solo5
Upgrade to Mirage 6 for solo5 PVH support
commit
089f349a05
10
Dockerfile
10
Dockerfile
@ -1,15 +1,15 @@
|
||||
# Pin the base image to a specific hash for maximum reproducibility.
|
||||
# It will probably still work on newer images, though, unless Debian
|
||||
# It will probably still work on newer images, though, unless an update
|
||||
# changes some compiler optimisations (unlikely).
|
||||
#FROM ocurrent/opam:alpine-3.10-ocaml-4.10
|
||||
FROM ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
|
||||
#FROM ocurrent/opam:fedora-32-ocaml-4.10
|
||||
FROM ocurrent/opam@sha256:2e0e1689d2260c202bf944034f15ba8ebe945dba6b126cc6dd6b185c223014f3
|
||||
|
||||
# Pin last known-good version for reproducible builds.
|
||||
# Remove this line (and the base image pin above) if you want to test with the
|
||||
# latest versions.
|
||||
RUN cd ~/opam-repository && git fetch origin master && git reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
|
||||
RUN cd ~/opam-repository && git fetch origin master && git reset --hard 6ef290f5681b7ece5d9c085bcf0c55268c118292 && opam update
|
||||
|
||||
RUN opam depext -i -y mirage.3.8.0 lwt.5.3.0
|
||||
RUN opam depext -i -y mirage
|
||||
RUN mkdir /home/opam/qubes-mirage-firewall
|
||||
ADD config.ml /home/opam/qubes-mirage-firewall/config.ml
|
||||
WORKDIR /home/opam/qubes-mirage-firewall
|
||||
|
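Review bot: The new `RUN opam depext -i -y mirage` line drops the explicit `mirage.3.8.0 lwt.5.3.0` pins, so the versions that get installed now rest entirely on the opam-repository commit pinned two lines above and on whatever the solver picks among the candidates in that snapshot. The comment `# Pin last known-good version for reproducible builds.` above it no longer matches what the line does, and a reader checking the released-build hash against this image has no record of which mirage version is expected. If the repository pin alone is meant to fix the version, say so, e.g. `# The opam-repository commit above fixes the mirage/lwt versions; no explicit pin is needed.`; otherwise restore an explicit constraint such as `mirage.<VERSION>` (placeholder, fill in the version this image was verified with).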
26
README.md
26
README.md
@ -13,6 +13,10 @@ See the [Deploy](#deploy) section below for installation instructions.
|
||||
|
||||
## Build from source
|
||||
|
||||
Note: The most reliable way to build is using Docker.
|
||||
Fedora 30 works well for this, but installing Docker on Fedora 31 or 32 is more difficult.
|
||||
Debian 10 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
|
||||
(don't use Debian's version).
|
||||
|
||||
Create a new Fedora-30 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 4096 MiB. Open a terminal.
|
||||
|
||||
@ -33,8 +37,6 @@ It gives Docker more disk space and avoids losing the Docker image cache when yo
|
||||
Note: the object files are stored in the `_build` directory to speed up incremental builds.
|
||||
If you change the dependencies, you will need to delete this directory before rebuilding.
|
||||
|
||||
If you want to build on Debian, follow the instructions at [docker.com][debian-docker] to get Docker and then run `sudo ./build-with-docker.sh` as above.
|
||||
|
||||
It's OK to install the Docker package in a template VM if you want it to remain
|
||||
after a reboot, but the build of the firewall itself should be done in a regular AppVM.
|
||||
|
||||
@ -59,12 +61,11 @@ Copy `vmlinuz` to `/var/lib/qubes/vm-kernels/mirage-firewall` directory in dom0,
|
||||
[tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/
|
||||
[tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/vmlinuz' > vmlinuz
|
||||
|
||||
Finally create dummy files required by Qubes OS:
|
||||
Finally, create [a dummy file required by Qubes OS](https://github.com/QubesOS/qubes-issues/issues/5516):
|
||||
|
||||
[tal@dom0 mirage-firewall]$ touch modules.img
|
||||
[tal@dom0 mirage-firewall]$ gzip -n9 < /dev/null > initramfs
|
||||
|
||||
Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above:
|
||||
Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above
|
||||
|
||||
```
|
||||
qvm-create \
|
||||
@ -75,16 +76,29 @@ qvm-create \
|
||||
--property netvm=sys-net \
|
||||
--property provides_network=True \
|
||||
--property vcpus=1 \
|
||||
--property virt_mode=pv \
|
||||
--property virt_mode=pvh \
|
||||
--label=green \
|
||||
--class StandaloneVM \
|
||||
mirage-firewall
|
||||
|
||||
qvm-features mirage-firewall qubes-firewall 1
|
||||
qvm-features mirage-firewall no-default-kernelopts 1
|
||||
```
|
||||
|
||||
**Note**: for `virt_mode`, use `pv` instead of `pvh` for firewall versions before 0.8.
|
||||
|
||||
## Upgrading
|
||||
|
||||
To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM.
|
||||
|
||||
If upgrading from a version before 0.8, you will also need to update a few options:
|
||||
|
||||
```
|
||||
qvm-prefs mirage-firewall kernelopts ''
|
||||
qvm-prefs mirage-firewall virt_mode pvh
|
||||
qvm-features mirage-firewall no-default-kernelopts 1
|
||||
```
|
||||
|
||||
### Configure AppVMs to use it
|
||||
|
||||
You can run `mirage-firewall` alongside your existing `sys-firewall` and you can choose which AppVMs use which firewall using the GUI.
|
||||
|
@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
|
||||
echo Building Firewall...
|
||||
docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
|
||||
echo "SHA2 of build: $(sha256sum qubes_firewall.xen)"
|
||||
echo "SHA2 last known: 0f6b41fa3995afccff1809cb893c45c0863477d4dfacc441c11e3382bec31d39"
|
||||
echo "SHA2 last known: 583d22327500fa092f436af1d0d9b1b78ebe12abd814c128ec7452c2f4cf319a"
|
||||
echo "(hashes should match for released versions)"
|
||||
|
@ -33,7 +33,7 @@ let main =
|
||||
package "mirage-qubes" ~min:"0.8.2";
|
||||
package "mirage-nat" ~min:"2.2.1";
|
||||
package "mirage-logs";
|
||||
package "mirage-xen" ~min:"5.0.0";
|
||||
package "mirage-xen" ~min:"6.0.0";
|
||||
package ~min:"4.5.0" "dns-client";
|
||||
package "pf-qubes";
|
||||
]
|
||||
|
@ -6,44 +6,48 @@ open Lwt
|
||||
let src = Logs.Src.create "memory_pressure" ~doc:"Memory pressure monitor"
|
||||
module Log = (val Logs.src_log src : Logs.LOG)
|
||||
|
||||
let total_pages = OS.MM.Heap_pages.total ()
|
||||
let pagesize_kb = Io_page.page_size / 1024
|
||||
let wordsize_in_bytes = Sys.word_size / 8
|
||||
|
||||
let meminfo ~used =
|
||||
let mem_total = total_pages * pagesize_kb in
|
||||
let mem_free = (total_pages - used) * pagesize_kb in
|
||||
Log.info (fun f -> f "Writing meminfo: free %d / %d kB (%.2f %%)"
|
||||
mem_free mem_total (float_of_int mem_free /. float_of_int mem_total *. 100.0));
|
||||
let fraction_free stats =
|
||||
let { OS.Memory.free_words; heap_words; _ } = stats in
|
||||
float free_words /. float heap_words
|
||||
|
||||
let meminfo stats =
|
||||
let { OS.Memory.free_words; heap_words; _ } = stats in
|
||||
let mem_total = heap_words * wordsize_in_bytes in
|
||||
let mem_free = free_words * wordsize_in_bytes in
|
||||
Log.info (fun f -> f "Writing meminfo: free %a / %a (%.2f %%)"
|
||||
Fmt.bi_byte_size mem_free
|
||||
Fmt.bi_byte_size mem_total
|
||||
(fraction_free stats *. 100.0));
|
||||
Printf.sprintf "MemTotal: %d kB\n\
|
||||
MemFree: %d kB\n\
|
||||
Buffers: 0 kB\n\
|
||||
Cached: 0 kB\n\
|
||||
SwapTotal: 0 kB\n\
|
||||
SwapFree: 0 kB\n" mem_total mem_free
|
||||
SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
|
||||
|
||||
let report_mem_usage used =
|
||||
let report_mem_usage stats =
|
||||
Lwt.async (fun () ->
|
||||
let open OS in
|
||||
Xs.make () >>= fun xs ->
|
||||
Xs.immediate xs (fun h ->
|
||||
Xs.write h "memory/meminfo" (meminfo ~used)
|
||||
Xs.write h "memory/meminfo" (meminfo stats)
|
||||
)
|
||||
)
|
||||
|
||||
let init () =
|
||||
Gc.full_major ();
|
||||
let used = OS.MM.Heap_pages.used () in
|
||||
report_mem_usage used
|
||||
let stats = OS.Memory.quick_stat () in
|
||||
report_mem_usage stats
|
||||
|
||||
let status () =
|
||||
let used = OS.MM.Heap_pages.used () |> float_of_int in
|
||||
let frac = used /. float_of_int total_pages in
|
||||
if frac < 0.9 then `Ok
|
||||
let stats = OS.Memory.quick_stat () in
|
||||
if fraction_free stats > 0.1 then `Ok
|
||||
else (
|
||||
Gc.full_major ();
|
||||
let used = OS.MM.Heap_pages.used () in
|
||||
report_mem_usage used;
|
||||
let frac = float_of_int used /. float_of_int total_pages in
|
||||
if frac > 0.9 then `Memory_critical
|
||||
let stats = OS.Memory.quick_stat () in
|
||||
report_mem_usage stats;
|
||||
if fraction_free stats < 0.1 then `Memory_critical
|
||||
else `Ok
|
||||
)
|
||||
|
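Review bot: `fraction_free` divides by `heap_words` with no guard; OCaml float division does not raise, so a zero `heap_words` gives `nan` (or `inf`), and because both `nan > 0.1` and `nan < 0.1` are false, `status` would then answer `Ok` rather than `Memory_critical`. Whether `OS.Memory.quick_stat` can ever report a zero heap is not visible here, so treat this as a defensive change: `if heap_words = 0 then 0.0 else float free_words /. float heap_words`. The threshold `0.1` is repeated in both branches of `status`; a named constant such as `let critical_free_fraction = 0.1` would keep the two comparisons from drifting apart. Neither `fraction_free` nor `meminfo` has a doc comment; `meminfo` could carry `(** [meminfo stats] renders [stats] in the [MemTotal]/[MemFree] text format (kB units) that {!report_mem_usage} writes to the xenstore [memory/meminfo] key. *)` and `fraction_free` a one-liner stating it is the free/heap word ratio, presumably of the OCaml heap (confirm against OS.Memory).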