Merge pull request #116 from talex5/solo5

Upgrade to Mirage 6 for solo5 PVH support
Thomas Leonard 2020-10-28 12:11:00 +00:00 committed by GitHub
commit 089f349a05
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 50 additions and 32 deletions


@ -1,15 +1,15 @@
# Pin the base image to a specific hash for maximum reproducibility.
# It will probably still work on newer images, though, unless Debian
# It will probably still work on newer images, though, unless an update
# changes some compiler optimisations (unlikely).
#FROM ocurrent/opam:alpine-3.10-ocaml-4.10
FROM ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
#FROM ocurrent/opam:fedora-32-ocaml-4.10
FROM ocurrent/opam@sha256:2e0e1689d2260c202bf944034f15ba8ebe945dba6b126cc6dd6b185c223014f3
# Pin last known-good version for reproducible builds.
# Remove this line (and the base image pin above) if you want to test with the
# latest versions.
RUN cd ~/opam-repository && git fetch origin master && git reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
RUN cd ~/opam-repository && git fetch origin master && git reset --hard 6ef290f5681b7ece5d9c085bcf0c55268c118292 && opam update
RUN opam depext -i -y mirage.3.8.0 lwt.5.3.0
RUN opam depext -i -y mirage
RUN mkdir /home/opam/qubes-mirage-firewall
ADD config.ml /home/opam/qubes-mirage-firewall/config.ml
WORKDIR /home/opam/qubes-mirage-firewall
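Review bot: The new `RUN opam depext -i -y mirage` drops the explicit `mirage.3.8.0 lwt.5.3.0` constraints, so the exact mirage and lwt versions that end up in the image are now chosen by the opam solver rather than stated in the Dockerfile. With the opam-repository pinned to a single commit this is probably still deterministic, but the "last known" build hash in build-with-docker.sh depends on the exact package set, and an unconstrained solve makes it harder to tell from the Dockerfile alone which versions that hash corresponds to. Consider restoring an explicit version for at least the mirage tool, e.g. `RUN opam depext -i -y mirage.<version>`, using the version the new hash was produced with, or record that version in a comment next to the opam-repository pin.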


@ -13,6 +13,10 @@ See the [Deploy](#deploy) section below for installation instructions.
## Build from source
Note: The most reliable way to build is using Docker.
Fedora 30 works well for this, but installing Docker on Fedora 31 or 32 is more difficult.
Debian 10 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker
(don't use Debian's version).
Create a new Fedora-30 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 4096 MiB. Open a terminal.
@ -33,8 +37,6 @@ It gives Docker more disk space and avoids losing the Docker image cache when yo
Note: the object files are stored in the `_build` directory to speed up incremental builds.
If you change the dependencies, you will need to delete this directory before rebuilding.
If you want to build on Debian, follow the instructions at [docker.com][debian-docker] to get Docker and then run `sudo ./build-with-docker.sh` as above.
It's OK to install the Docker package in a template VM if you want it to remain
after a reboot, but the build of the firewall itself should be done in a regular AppVM.
@ -59,12 +61,11 @@ Copy `vmlinuz` to `/var/lib/qubes/vm-kernels/mirage-firewall` directory in dom0,
[tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/
[tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/vmlinuz' > vmlinuz
Finally create dummy files required by Qubes OS:
Finally, create [a dummy file required by Qubes OS](https://github.com/QubesOS/qubes-issues/issues/5516):
[tal@dom0 mirage-firewall]$ touch modules.img
[tal@dom0 mirage-firewall]$ gzip -n9 < /dev/null > initramfs
Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above:
Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above
```
qvm-create \
@ -75,16 +76,29 @@ qvm-create \
--property netvm=sys-net \
--property provides_network=True \
--property vcpus=1 \
--property virt_mode=pv \
--property virt_mode=pvh \
--label=green \
--class StandaloneVM \
mirage-firewall
qvm-features mirage-firewall qubes-firewall 1
qvm-features mirage-firewall no-default-kernelopts 1
```
**Note**: for `virt_mode`, use `pv` instead of `pvh` for firewall versions before 0.8.
## Upgrading
To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM.
If upgrading from a version before 0.8, you will also need to update a few options:
```
qvm-prefs mirage-firewall kernelopts ''
qvm-prefs mirage-firewall virt_mode pvh
qvm-features mirage-firewall no-default-kernelopts 1
```
### Configure AppVMs to use it
You can run `mirage-firewall` alongside your existing `sys-firewall` and you can choose which AppVMs use which firewall using the GUI.


@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
echo Building Firewall...
docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
echo "SHA2 of build: $(sha256sum qubes_firewall.xen)"
echo "SHA2 last known: 0f6b41fa3995afccff1809cb893c45c0863477d4dfacc441c11e3382bec31d39"
echo "SHA2 last known: 583d22327500fa092f436af1d0d9b1b78ebe12abd814c128ec7452c2f4cf319a"
echo "(hashes should match for released versions)"


@ -33,7 +33,7 @@ let main =
package "mirage-qubes" ~min:"0.8.2";
package "mirage-nat" ~min:"2.2.1";
package "mirage-logs";
package "mirage-xen" ~min:"5.0.0";
package "mirage-xen" ~min:"6.0.0";
package ~min:"4.5.0" "dns-client";
package "pf-qubes";
]


@ -6,44 +6,48 @@ open Lwt
let src = Logs.Src.create "memory_pressure" ~doc:"Memory pressure monitor"
module Log = (val Logs.src_log src : Logs.LOG)
let total_pages = OS.MM.Heap_pages.total ()
let pagesize_kb = Io_page.page_size / 1024
let wordsize_in_bytes = Sys.word_size / 8
let meminfo ~used =
let mem_total = total_pages * pagesize_kb in
let mem_free = (total_pages - used) * pagesize_kb in
Log.info (fun f -> f "Writing meminfo: free %d / %d kB (%.2f %%)"
mem_free mem_total (float_of_int mem_free /. float_of_int mem_total *. 100.0));
let fraction_free stats =
let { OS.Memory.free_words; heap_words; _ } = stats in
float free_words /. float heap_words
let meminfo stats =
let { OS.Memory.free_words; heap_words; _ } = stats in
let mem_total = heap_words * wordsize_in_bytes in
let mem_free = free_words * wordsize_in_bytes in
Log.info (fun f -> f "Writing meminfo: free %a / %a (%.2f %%)"
Fmt.bi_byte_size mem_free
Fmt.bi_byte_size mem_total
(fraction_free stats *. 100.0));
Printf.sprintf "MemTotal: %d kB\n\
MemFree: %d kB\n\
Buffers: 0 kB\n\
Cached: 0 kB\n\
SwapTotal: 0 kB\n\
SwapFree: 0 kB\n" mem_total mem_free
SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
let report_mem_usage used =
let report_mem_usage stats =
Lwt.async (fun () ->
let open OS in
Xs.make () >>= fun xs ->
Xs.immediate xs (fun h ->
Xs.write h "memory/meminfo" (meminfo ~used)
Xs.write h "memory/meminfo" (meminfo stats)
)
)
let init () =
Gc.full_major ();
let used = OS.MM.Heap_pages.used () in
report_mem_usage used
let stats = OS.Memory.quick_stat () in
report_mem_usage stats
let status () =
let used = OS.MM.Heap_pages.used () |> float_of_int in
let frac = used /. float_of_int total_pages in
if frac < 0.9 then `Ok
let stats = OS.Memory.quick_stat () in
if fraction_free stats > 0.1 then `Ok
else (
Gc.full_major ();
let used = OS.MM.Heap_pages.used () in
report_mem_usage used;
let frac = float_of_int used /. float_of_int total_pages in
if frac > 0.9 then `Memory_critical
let stats = OS.Memory.quick_stat () in
report_mem_usage stats;
if fraction_free stats < 0.1 then `Memory_critical
else `Ok
)
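Review bot: The 10 % low-memory threshold is now written twice in `status`, once as `fraction_free stats > 0.1` and once as `fraction_free stats < 0.1`, so the two checks can silently drift apart; hoist it next to `fraction_free` as `let low_free_fraction = 0.1` and use it in both comparisons. `fraction_free` also has no doc comment, and its meaning hinges on what `OS.Memory.quick_stat` reports in `heap_words`: if that is only the OCaml heap as currently grown rather than the whole memory given to the unikernel, the `MemTotal`/`MemFree` values `meminfo` writes to `memory/meminfo` change meaning compared with the old `Heap_pages.total ()` basis, which matters because Qubes reads that XenStore key for memory balancing; I would add `(** Fraction of [heap_words] that is free; NOTE(review): confirm heap_words is the total memory available to the unikernel, not just the current OCaml heap. *)` above it until that is confirmed. As a minor point, `fraction_free` divides by `heap_words` without guarding against zero; OCaml float division yields nan rather than raising, and both comparisons are then false, so `status` would report `Ok` — unlikely, but worth a comment. The hunk appears to close `status` at the final `)`, but the file may continue past it.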