commit
a62e81314e
@ -1,3 +1,10 @@
|
|||||||
|
### 0.8.5 (2023-07-05)
|
||||||
|
|
||||||
|
- Remove memreport to Xen to avoid Qubes trying to get back some memory
|
||||||
|
(#176 @palainp)
|
||||||
|
- Use bookworm and snapshot.notset.fr debian packages for reproducibility
|
||||||
|
(#175 @palainp)
|
||||||
|
|
||||||
### 0.8.4 (2022-12-07)
|
### 0.8.4 (2022-12-07)
|
||||||
|
|
||||||
- Fix remote denial of service due to excessive console output (#166 @burghardt,
|
- Fix remote denial of service due to excessive console output (#166 @burghardt,
|
||||||
|
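--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,21 @@
 # Pin the base image to a specific hash for maximum reproducibility.
 # It will probably still work on newer images, though, unless an update
 # changes some compiler optimisations (unlikely).
-# ubuntu-20.04
-FROM ubuntu@sha256:b25ef49a40b7797937d0d23eca3b0a41701af6757afca23d504d50826f0b37ce
+# bookworm-slim
+FROM debian@sha256:07c6cb2ae86479dcc1942a89b0a1f4049b6e9415f7de327ff641aed58b8e3100
+# and set the package source to a specific release too
+RUN printf "deb [check-valid-until=no] http://snapshot.notset.fr/archive/debian/20230418T024659Z bookworm main" > /etc/apt/sources.list
 
-RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip make gcc g++ libc-dev
-RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.3/opam-2.1.3-i686-linux && chmod 755 /usr/bin/opam
+RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
+RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && chmod 755 /usr/bin/opam
 
 ENV OPAMROOT=/tmp
 ENV OPAMCONFIRMLEVEL=unsafe-yes
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
-RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#c9b2f766b7c7009be8cd68ac423d0d5b36044aca
-RUN opam switch create myswitch 4.14.0
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#28b35f67988702df5018fbf30d1c725734425670
+RUN opam switch create myswitch 4.14.1
 RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
 RUN mkdir /tmp/orb-build
 ADD config.ml /tmp/orb-build/config.ml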
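Review bot: The opam binary fetched on the `RUN wget -O /usr/bin/opam ...` line is the one build input this Dockerfile still pins by version only — the base image is pinned by digest, apt by a snapshot timestamp and opam-repository by commit — so a swapped or tampered release asset would be installed and executed without any check. Verify the download before making it executable, e.g. `RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && echo "<sha256-of-opam-2.1.5-i686-linux>  /usr/bin/opam" | sha256sum -c - && chmod 755 /usr/bin/opam` (placeholder digest, to be filled from the upstream release). The `check-valid-until=no` option written to sources.list is required for a frozen snapshot archive, but it disables the Release-file expiry check, so package integrity then rests solely on apt's signature verification against the keyring shipped in the pinned base image; a comment stating that next to the printf line would help the next maintainer, e.g. `# check-valid-until=no is needed for a frozen snapshot; package authenticity still relies on apt signature checks`.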
@ -7,6 +7,7 @@ tar: build
|
|||||||
touch _build/mirage-firewall/modules.img
|
touch _build/mirage-firewall/modules.img
|
||||||
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
cat /dev/null | gzip -n > _build/mirage-firewall/initramfs
|
||||||
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall
|
tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall
|
||||||
|
sha256sum mirage-firewall.tar.bz2 > mirage-firewall.sha256
|
||||||
|
|
||||||
fetchmotron: qubes_firewall.xen
|
fetchmotron: qubes_firewall.xen
|
||||||
test-mirage qubes_firewall.xen mirage-fw-test &
|
test-mirage qubes_firewall.xen mirage-fw-test &
|
||||||
|
@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
|
|||||||
echo Building Firewall...
|
echo Building Firewall...
|
||||||
docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
|
docker run --rm -i -v `pwd`:/tmp/orb-build qubes-mirage-firewall
|
||||||
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen)"
|
||||||
echo "SHA2 last known: 1f621d3bde2cf2905b5ad333f7dbde9ef99479251118e1a1da9b4da15957a87d"
|
echo "SHA2 last known: 8ae5314edf5b863b788c4b873e27bc4b206a2ff7ef1051c4c62ae41584ed3e14"
|
||||||
echo "(hashes should match for released versions)"
|
echo "(hashes should match for released versions)"
|
||||||
|
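Review bot: The updated `echo "SHA2 last known: 8ae5314e..."` line only prints the expected digest next to the freshly computed one, so a reproducibility failure is caught only if a human compares two 64-character strings by eye. Compute the digest once and make the script fail on a mismatch, e.g. `actual=$(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)` / `expected=8ae5314edf5b863b788c4b873e27bc4b206a2ff7ef1051c4c62ae41584ed3e14` / `[ "$actual" = "$expected" ] || { echo "SHA2 mismatch: $actual != $expected" >&2; exit 1; }`. Since the trailing echo says hashes are only expected to match for released versions, the non-zero exit could be gated on an environment variable so development builds keep working.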
@ -27,19 +27,8 @@ let meminfo stats =
|
|||||||
SwapTotal: 0 kB\n\
|
SwapTotal: 0 kB\n\
|
||||||
SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
|
SwapFree: 0 kB\n" (mem_total / 1024) (mem_free / 1024)
|
||||||
|
|
||||||
let report_mem_usage stats =
|
|
||||||
Lwt.async (fun () ->
|
|
||||||
let open Xen_os in
|
|
||||||
Xs.make () >>= fun xs ->
|
|
||||||
Xs.immediate xs (fun h ->
|
|
||||||
Xs.write h "memory/meminfo" (meminfo stats)
|
|
||||||
)
|
|
||||||
)
|
|
||||||
|
|
||||||
let init () =
|
let init () =
|
||||||
Gc.full_major ();
|
Gc.full_major ()
|
||||||
let stats = Xen_os.Memory.quick_stat () in
|
|
||||||
report_mem_usage stats
|
|
||||||
|
|
||||||
let status () =
|
let status () =
|
||||||
let stats = Xen_os.Memory.quick_stat () in
|
let stats = Xen_os.Memory.quick_stat () in
|
||||||
@ -48,8 +37,6 @@ let status () =
|
|||||||
Gc.full_major ();
|
Gc.full_major ();
|
||||||
Xen_os.Memory.trim ();
|
Xen_os.Memory.trim ();
|
||||||
let stats = Xen_os.Memory.quick_stat () in
|
let stats = Xen_os.Memory.quick_stat () in
|
||||||
if fraction_free stats < 0.6 then begin
|
if fraction_free stats < 0.6 then `Memory_critical
|
||||||
report_mem_usage stats;
|
else `Ok
|
||||||
`Memory_critical
|
|
||||||
end else `Ok
|
|
||||||
)
|
)
|
||||||
|