Merge pull request #116 from talex5/solo5

Upgrade to Mirage 6 for solo5 PVH support

Dockerfile

@@ -1,15 +1,15 @@
 # Pin the base image to a specific hash for maximum reproducibility.
-# It will probably still work on newer images, though, unless Debian
+# It will probably still work on newer images, though, unless an update
 # changes some compiler optimisations (unlikely).
-#FROM ocurrent/opam:alpine-3.10-ocaml-4.10
+#FROM ocurrent/opam:fedora-32-ocaml-4.10
-FROM ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
+FROM ocurrent/opam@sha256:2e0e1689d2260c202bf944034f15ba8ebe945dba6b126cc6dd6b185c223014f3
 
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
-RUN cd ~/opam-repository && git fetch origin master && git reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
+RUN cd ~/opam-repository && git fetch origin master && git reset --hard 6ef290f5681b7ece5d9c085bcf0c55268c118292 && opam update
 
-RUN opam depext -i -y mirage.3.8.0 lwt.5.3.0
+RUN opam depext -i -y mirage
 RUN mkdir /home/opam/qubes-mirage-firewall
 ADD config.ml /home/opam/qubes-mirage-firewall/config.ml
 WORKDIR /home/opam/qubes-mirage-firewall

README.md

@@ -13,6 +13,10 @@ See the [Deploy](#deploy) section below for installation instructions.
 
 ## Build from source
 
+Note: The most reliable way to build is using Docker.
+Fedora 30 works well for this, but installing Docker on Fedora 31 or 32 is more difficult.
+Debian 10 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
+(don't use Debian's version).
 
 Create a new Fedora-30 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 4096 MiB. Open a terminal.
 
@@ -33,8 +37,6 @@ It gives Docker more disk space and avoids losing the Docker image cache when yo
 Note: the object files are stored in the `_build` directory to speed up incremental builds.
 If you change the dependencies, you will need to delete this directory before rebuilding.
 
-If you want to build on Debian, follow the instructions at [docker.com][debian-docker] to get Docker and then run `sudo ./build-with-docker.sh` as above.
-
 It's OK to install the Docker package in a template VM if you want it to remain
 after a reboot, but the build of the firewall itself should be done in a regular AppVM.
 
@@ -59,12 +61,11 @@ Copy `vmlinuz` to `/var/lib/qubes/vm-kernels/mirage-firewall` directory in dom0,
     [tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/
     [tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/vmlinuz' > vmlinuz
 
-Finally create dummy files required by Qubes OS:
+Finally, create [a dummy file required by Qubes OS](https://github.com/QubesOS/qubes-issues/issues/5516):
 
-    [tal@dom0 mirage-firewall]$ touch modules.img
     [tal@dom0 mirage-firewall]$ gzip -n9 < /dev/null > initramfs
 
-Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above:
+Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above
 
 ```
 qvm-create \
@@ -75,16 +76,29 @@ qvm-create \
   --property netvm=sys-net \
   --property provides_network=True \
   --property vcpus=1 \
-  --property virt_mode=pv \
+  --property virt_mode=pvh \
   --label=green \
   --class StandaloneVM \
   mirage-firewall
 
 qvm-features mirage-firewall qubes-firewall 1
+qvm-features mirage-firewall no-default-kernelopts 1
 ```
 
+**Note**: for `virt_mode`, use `pv` instead of `pvh` for firewall versions before 0.8.
+
+## Upgrading
+
 To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM.
 
+If upgrading from a version before 0.8, you will also need to update a few options:
+
+```
+qvm-prefs mirage-firewall kernelopts ''
+qvm-prefs mirage-firewall virt_mode pvh
+qvm-features mirage-firewall no-default-kernelopts 1
+```
+
 ### Configure AppVMs to use it
 
 You can run `mirage-firewall` alongside your existing `sys-firewall` and you can choose which AppVMs use which firewall using the GUI.

build-with-docker.sh

@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
 echo "SHA2 of build:   $(sha256sum qubes_firewall.xen)"
-echo "SHA2 last known: 0f6b41fa3995afccff1809cb893c45c0863477d4dfacc441c11e3382bec31d39"
+echo "SHA2 last known: 583d22327500fa092f436af1d0d9b1b78ebe12abd814c128ec7452c2f4cf319a"
 echo "(hashes should match for released versions)"

config.ml

@@ -33,7 +33,7 @@ let main =
       package "mirage-qubes" ~min:"0.8.2";
       package "mirage-nat" ~min:"2.2.1";
       package "mirage-logs";
-      package "mirage-xen" ~min:"5.0.0";
+      package "mirage-xen" ~min:"6.0.0";
       package ~min:"4.5.0" "dns-client";
       package "pf-qubes";
     ]

memory_pressure.ml

@@ -6,44 +6,48 @@ open Lwt
 let src = Logs.Src.create "memory_pressure" ~doc:"Memory pressure monitor"
 module Log = (val Logs.src_log src : Logs.LOG)
 
-let total_pages = OS.MM.Heap_pages.total ()
+let wordsize_in_bytes = Sys.word_size / 8
-let pagesize_kb = Io_page.page_size / 1024
 
-let meminfo ~used =
+let fraction_free stats =
-  let mem_total = total_pages * pagesize_kb in
+  let { OS.Memory.free_words; heap_words; _ } = stats in
-  let mem_free = (total_pages - used) * pagesize_kb in
+  float free_words /. float heap_words
-  Log.info (fun f -> f "Writing meminfo: free %d / %d kB (%.2f %%)"
+
-    mem_free mem_total (float_of_int mem_free /. float_of_int mem_total *. 100.0));
+let meminfo stats =
+  let { OS.Memory.free_words; heap_words; _ } = stats in
+  let mem_total = heap_words * wordsize_in_bytes in
+  let mem_free = free_words * wordsize_in_bytes in
+  Log.info (fun f -> f "Writing meminfo: free %a / %a (%.2f %%)"
+    Fmt.bi_byte_size mem_free
+    Fmt.bi_byte_size mem_total
+    (fraction_free stats *. 100.0));
   Printf.sprintf "MemTotal: %d kB\n\
                   MemFree: %d kB\n\
                   Buffers: 0 kB\n\
                   Cached: 0 kB\n\
                   SwapTotal: 0 kB\n\
-                  SwapFree: 0 kB\n" mem_total mem_free
+                  SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
 
-let report_mem_usage used =
+let report_mem_usage stats =
   Lwt.async (fun () ->
     let open OS in
     Xs.make () >>= fun xs ->
     Xs.immediate xs (fun h ->
-      Xs.write h "memory/meminfo" (meminfo ~used)
+      Xs.write h "memory/meminfo" (meminfo stats)
     )
   )
 
 let init () =
   Gc.full_major ();
-  let used = OS.MM.Heap_pages.used () in
+  let stats = OS.Memory.quick_stat () in
-  report_mem_usage used
+  report_mem_usage stats
 
 let status () =
-  let used = OS.MM.Heap_pages.used () |> float_of_int in
+  let stats = OS.Memory.quick_stat () in
-  let frac = used /. float_of_int total_pages in
+  if fraction_free stats > 0.1 then `Ok
-  if frac < 0.9 then `Ok
   else (
     Gc.full_major ();
-    let used = OS.MM.Heap_pages.used () in
+    let stats = OS.Memory.quick_stat () in
-    report_mem_usage used;
+    report_mem_usage stats;
-    let frac = float_of_int used /. float_of_int total_pages in
+    if fraction_free stats < 0.1 then `Memory_critical
-    if frac > 0.9 then `Memory_critical
     else `Ok
   )