Commit Graph

55 Commits

Author SHA1 Message Date
Hannes Mehnert
6b0c18fd4e update opam repository in Dockerfile
the reason behind this is that in the earlier commit, some urls point to
unavailable urls.
2024-08-09 13:37:06 +02:00
Hannes Mehnert
8d67e9d47a use OCaml 4.14.2 -- the latest LTS release 2024-05-10 15:00:09 +02:00
Hannes Mehnert
a37584a720 update opam-repository commit 2024-05-10 14:59:51 +02:00
Pierre Alain
a7a7ea4c38 update the compilation toolchain, including upgrade to mirage 4.5.0 2024-04-23 18:11:08 +02:00
Pierre Alain
b9c8674b52 check opam hashsum in Dockerfile 2023-11-09 14:55:26 +01:00
Pierre Alain
2e86ea2ad3 pin to specific overlays hashes 2023-11-08 10:20:59 +01:00
Pierre Alain
95f165a059 change snapshots for debian ones 2023-11-08 08:05:32 +01:00
Hannes Mehnert
a34aab52e9 Apply suggestions from code review 2023-07-05 17:06:00 +02:00
palainp
d3e8e691fd do not check valid-until in debian release file: this permits to keep a debian packages list more than one week 2023-05-16 11:18:34 +02:00
palainp
cbf6c8c941 update build script 2023-04-18 14:51:13 +02:00
Hannes Mehnert
0c3959af04 update opam repository commit to get solo5 0.7.5 2022-12-07 19:15:44 +01:00
Hannes Mehnert
ba6629f4ca Reproducible build systems: use in GitHub action the build-with-docker.sh
Also upload the artifact to GitHub action, and in addition use the same setup
(ubuntu 20.04 image) and build directories as done on builds.robur.coop.

Also use `strip` on the resulting binary to reduce its size (since the debug
sections aren't mapped into the running unikernel, there's nothing we get from
them -- also they are preserved (as .debug file) and uploaded to
https://builds.robur.coop if one needs them).

This entails binary reproducibility between the different systems:
- a developer using ./build-with-docker.sh
- GitHub action (run on every PR)
- builds.robur.coop with the ubuntu-20.04 worker
2022-11-13 15:20:59 +01:00
Hannes Mehnert
b414230735 Dockerfile: install ocaml-solo5 earlier to help caching more 2022-11-11 16:10:28 +01:00
Hannes Mehnert
2023cc4655 changes for 0.8.3, and checksum updates 2022-11-11 15:50:50 +01:00
Hannes Mehnert
2afa24536d update to dns 6.4.0 2022-10-27 11:48:52 +02:00
Hannes Mehnert
c66d6a8727 raise lower bound of mirage-nat to 3.0.0, bump opam-repo commit 2022-10-11 13:34:55 +02:00
Hannes Mehnert
29ddbea03d update opam repository to mirage-qubes 0.9.3 release 2022-09-14 09:42:35 +02:00
palainp
df4f7bf811 update to mirage 4.2.1 2022-08-29 11:31:44 +02:00
palainp
ba1b04432d must make depend before building solo5 with make tar 2022-08-11 13:17:44 +02:00
palainp
e73c160cd4 update docker build for mirage 4.2 2022-08-09 14:16:16 +02:00
Hannes Mehnert
ed0f7667e4 update to ethernet 3.0 API 2022-01-09 12:55:35 +01:00
Hannes Mehnert
748f803ca0 update to dns 6.1.0 2021-11-11 10:18:38 +01:00
Hannes Mehnert
ba8dbc3f57 Dockerfile: update opam-repository to current master
config.ml: require more recent dns and ipaddr packages
2021-11-05 19:41:52 +01:00
Thomas Leonard
a368b12648 Update to mirage-qubes 0.9.1 for qrexec3 compatibility
Also, switch to building with OCaml 4.11.
2020-12-03 16:20:53 +00:00
Thomas Leonard
be7461a20a Switch Docker base image from Alpine to Fedora
There seems to be a problem with Xen events getting lost on Alpine.
2020-10-26 15:38:41 +00:00
Thomas Leonard
3dbb9ecb27 BROKEN: Upgrade to Mirage 6 for solo5 PVH support
For me, this mostly hangs at:
```
2020-10-26 11:16:31 -00:00: INF [qubes.rexec] waiting for client...
2020-10-26 11:16:31 -00:00: INF [qubes.gui] waiting for client...
2020-10-26 11:16:31 -00:00: INF [qubes.db] connecting to server...
```

Sometimes it gets a bit further:
```
2020-10-26 11:14:19 -00:00: INF [qubes.rexec] waiting for client...
2020-10-26 11:14:19 -00:00: INF [qubes.gui] waiting for client...
2020-10-26 11:14:19 -00:00: INF [qubes.db] connecting to server...
2020-10-26 11:14:19 -00:00: INF [qubes.db] connected
2020-10-26 11:14:19 -00:00: INF [qubes.rexec] client connected, using protocol version 2
2020-10-26 11:14:19 -00:00: INF [qubes.gui] client connected (screen size: 3840x2160 depth: 24 mem: 32401x)
2020-10-26 11:14:19 -00:00: INF [unikernel] GUI agent connected
```
2020-10-26 15:38:41 +00:00
Hannes Mehnert
de0eb9d970 adapt to mirage 3.8.0 changes (ipaddr5, tcpip5); bump opam-repository hash (to get netchannel+mirage-net-xen 0.13.1) 2020-07-03 16:39:06 +02:00
Hannes Mehnert
620bbb5b35 update opam repository commit hash for release 2020-06-19 08:24:18 +00:00
linse
53bf4f960c update to ocaml 4.10 and mirage 3.7.7 2020-05-19 14:35:22 +02:00
linse
87df5bdcc0 Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
Thomas Leonard
65324b4197 Update Dockerfile to get new mirage-nat version 2020-02-19 14:16:49 +00:00
Thomas Leonard
48b38fa992 Fix Lwt.4.5.0 in the Dockerfile for faster builds
Otherwise, it installs Lwt 5 and then has to downgrade it in the next
step.
2020-01-13 09:49:37 +00:00
Hannes Mehnert
730957d19b upgrade opam repository to current head and mirage to 3.7.4 2020-01-11 15:46:22 +01:00
Thomas Leonard
930d209cdb Fix build
- A new ocaml-migrate-parsetree.1.4.0 was released, replacing the old
  1.4.0 with new code. This was rejected by the checksum test.
  Fixed by updating to the latest opam-repository.
  See: https://github.com/ocaml/opam-repository/pull/15294

- The latest opam-repository pulls in mirage 3.7, which doesn't work
  (`No available version of mirage-clock satisfies the constraints`), so
  pin the previous mirage 3.5.2 version instead.

- Mirage now generates `.merlin`, so remove it from Git.
2019-11-17 14:33:56 +00:00
Thomas Leonard
49195ed5e1 Update Docker build for new mirage-xen
Also, switched to the experimental new OCurrent images, as they are much
smaller:

- Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08)
- Now:  309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08)
2019-08-25 19:01:22 +01:00
Thomas Leonard
8b411db751 Removed some hard-coded installs from Dockerfile
There's no advantage to installing these manually, and with the current
version of mirage they had to be downgraded again in the next step.
2019-07-28 16:49:16 +01:00
xaki23
16231e2e52 Adjust to ipaddr-4.0.0 renaming _bytes to _octets 2019-07-28 16:49:04 +01:00
Thomas Leonard
d36ecf96af Remove cmdliner pin as 1.0.4 is now released
Reverts 06511e076f
2019-06-15 12:57:37 +01:00
Thomas Leonard
0a4dd7413c Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
Xen appears to configure the same MAC address for both the frontend
and backend in XenStore. e.g.

    [tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0
    frontend = "/local/domain/19/device/vif/0"
    mac = "00:16:3e:5e:6c:00"
    [...]

    [tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0
    mac = "00:16:3e:5e:6c:00"

This works if the client uses just a simple ethernet device, but fails
if it connects via a bridge. HVM domains have an associated stub domain
running qemu, which provides an emulated network device. The stub domain
uses a bridge to connect qemu's interface with eth0, and this didn't
work.

Force the use of the fixed version of mirage-net-xen, which no longer
uses XenStore to get the backend MAC, and provides a new function to get
the frontend one.
2019-05-06 09:52:46 +01:00
Thomas Leonard
45eef49c95 Upgrade to latest mirage-nat to fix ICMP
Now ping and traceroute should work.
2019-04-16 18:21:07 +01:00
Thomas Leonard
06511e076f Add patch to cmdliner for reproducible build
See https://github.com/dbuenzli/cmdliner/pull/106
2019-04-08 10:35:42 +01:00
Thomas Leonard
cb7078633e Update dependencies
Remove pin on mirage 3.4 - it should now be working with the latest
release.
2019-04-03 12:32:13 +01:00
Thomas Leonard
7f99973a02 Update Docker build for Mirage 3.5 2019-03-24 13:21:39 +00:00
Thomas Leonard
2edb088650 Update to latest Debian and opam
Reported by Honzoo.
2019-02-01 09:36:08 +00:00
Thomas Leonard
78e219da8c Update Debian base image in Docker build
Had stopped working:

    Err http://security.debian.org/ jessie/updates/main libxenstore3.0 amd64 4.4.1-9+deb8u10
      404  Not Found [IP: 128.61.240.73 80]

Updated from Debian 8 to Debian 9, and from opam to opam2.
2018-11-03 17:27:48 +00:00
Thomas Leonard
6e6ff755eb Update to newly released version of netchannel 2017-12-16 22:37:41 +00:00
Thomas Leonard
aca156f21b Update to released shared-memory-ring 2017-11-15 17:28:33 +00:00
Thomas Leonard
b114e569f2 Use Git master for shared-memory-ring and netchannel
This adds support for HVM and disposable domains.

Also, update the suggested RAM allocation slightly as 20 MB can be too
small with lots of VMs.
2017-11-09 17:08:59 +00:00
Thomas Leonard
997d538a93 Use released mirage-nat 1.0 2017-10-15 15:24:56 +01:00
Thomas Leonard
794ca35d23 Update Dockerfile to use newer Debian base image
Was failing with

```
E: Failed to fetch http://security.debian.org/pool/updates/main/x/xen/libxenstore3.0_4.4.1-9+deb8u8_amd64.deb  404  Not Found [IP: 212.211.132.32 80]
```
2017-09-12 16:57:01 +01:00