
13 commits

17 changed files with 229 additions and 53 deletions


@ -42,14 +42,27 @@ lint:
build-v3.18:
extends: .build
when: always
variables:
CI_ALPINE_TARGET_RELEASE: v3.18
tags:
- apk-v3.18-x86_64
- apk-$CI_ALPINE_TARGET_RELEASE-x86_64
build-v3.17:
build-v3.19:
extends: .build
when: manual
when: always
variables:
CI_ALPINE_TARGET_RELEASE: v3.19
tags:
- apk-v3.17-x86_64
- apk-$CI_ALPINE_TARGET_RELEASE-x86_64
build-edge:
extends: .build
when: always
variables:
CI_ALPINE_TARGET_RELEASE: edge
tags:
- apk-$CI_ALPINE_TARGET_RELEASE-x86_64
push:
interruptible: true


@ -169,7 +169,8 @@ copy_artifacts() {
if [ "$packages_size" -lt $MAX_ARTIFACT_SIZE ]; then
msg "Copying packages for artifact upload"
cp -ar "$REPODEST"/* packages/ 2>/dev/null
mkdir packages/$CI_ALPINE_TARGET_RELEASE
cp -ar "$REPODEST"/* packages/$CI_ALPINE_TARGET_RELEASE 2>/dev/null
cp ~/.abuild/*.rsa.pub keys/
else
msg "Artifact size $packages_size larger than max ($MAX_ARTIFACT_SIZE), skipping uploading them" yellow
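Review bot: The new `mkdir packages/$CI_ALPINE_TARGET_RELEASE` and the `cp` that follows use the variable unquoted and never check that it is set. If it is empty, the packages land directly in `packages/` while stderr is discarded by `2>/dev/null`. A later step that treats each directory under `packages/` as a release name would then pick up whatever subdirectories `$REPODEST` contains. I would write `mkdir -p "packages/${CI_ALPINE_TARGET_RELEASE:?}"` and quote the same path in the `cp` call. copy_artifacts and its if/else continue outside the hunk.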


@ -11,8 +11,6 @@ readonly APORTSDIR=$CI_PROJECT_DIR
readonly REPOS="backports user"
readonly BASEBRANCH=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
ALPINE_RELEASE=$(echo $CI_RUNNER_TAGS | awk -F '-' '{print $2}')
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
gitlab_key_to_rsa $ABUILD_KEY rsa-private $HOME/.abuild/$ABUILD_KEY_NAME.rsa
@ -25,14 +23,6 @@ echo "PACKAGER_PRIVKEY=$HOME/.abuild/$ABUILD_KEY_NAME.rsa" > $HOME/.abuild/abuil
echo "REPODEST=$HOME/repo-apk/qubes" >> $HOME/.abuild/abuild.conf
sudo cp $HOME/.abuild/$ABUILD_KEY_NAME.rsa.pub /etc/apk/keys/.
if [ -d $HOME/repo-apk ]; then
git -C $HOME/repo-apk fetch
git -C $HOME/repo-apk checkout $ALPINE_RELEASE
git -C $HOME/repo-apk pull --rebase
else
git clone git@lab.ilot.io:ayakael/repo-apk -b $ALPINE_RELEASE $HOME/repo-apk
fi
get_qubes_release() {
case $BASEBRANCH in
r*) echo $BASEBRANCH;;
@ -43,22 +33,33 @@ get_qubes_release() {
QUBES_REL=$(get_qubes_release)
for i in $(find packages -type f -name "*.apk"); do
install -vDm644 $i ${i/packages\/qubes-aports/$HOME\/repo-apk\/qubes\/$QUBES_REL}
done
for release in $(find packages -type d -maxdepth 1 -mindepth 1 -printf '%f\n'); do
fetch_flags="-qn"
git fetch $fetch_flags "$CI_MERGE_REQUEST_PROJECT_URL" \
if [ -d $HOME/repo-apk ]; then
git -C $HOME/repo-apk fetch
git -C $HOME/repo-apk checkout $release
git -C $HOME/repo-apk pull --rebase
else
git clone git@lab.ilot.io:ayakael/repo-apk -b $release $HOME/repo-apk
fi
for i in $(find packages/$release -type f -name "*.apk"); do
install -vDm644 $i ${i/packages\/$release\/qubes-aports/$HOME\/repo-apk\/qubes\/$QUBES_REL}
done
fetch_flags="-qn"
git fetch $fetch_flags "$CI_MERGE_REQUEST_PROJECT_URL" \
"+refs/heads/$BASEBRANCH:refs/heads/$BASEBRANCH"
rm $HOME/repo-apk/qubes/$QUBES_REL/*/APKINDEX.tar.gz || true
mkdir -p qubes/$QUBES_REL/DUMMY
echo "pkgname=DUMMY" > qubes/$QUBES_REL/DUMMY/APKBUILD
cd qubes/$QUBES_REL/DUMMY
abuild index
cd "$CI_PROJECT_DIR"
rm -R qubes/$QUBES_REL/DUMMY
rm $HOME/repo-apk/qubes/$QUBES_REL/*/APKINDEX.tar.gz || true
mkdir -p qubes/$QUBES_REL/DUMMY
echo "pkgname=DUMMY" > qubes/$QUBES_REL/DUMMY/APKBUILD
cd qubes/$QUBES_REL/DUMMY
abuild index
cd "$CI_PROJECT_DIR"
rm -R qubes/$QUBES_REL/DUMMY
git -C $HOME/repo-apk add .
git -C $HOME/repo-apk commit -m "Update from $CI_MERGE_REQUEST_IID - $CI_MERGE_REQUEST_TITLE"
git -C $HOME/repo-apk push
git -C $HOME/repo-apk add .
git -C $HOME/repo-apk commit -m "Update from $CI_MERGE_REQUEST_IID - $CI_MERGE_REQUEST_TITLE"
git -C $HOME/repo-apk push
done
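Review bot: The release names passed to `git checkout $release` and `git clone ... -b $release` come straight from directory names found under `packages/`, and the loop neither validates nor quotes them. A stray directory in the build artifacts would be treated as a branch of the package repository, and a name containing whitespace or starting with `-` would be misparsed by the shell or by git. A guard at the top of the loop, e.g. `case "$release" in v[0-9]*.[0-9]*|edge) ;; *) echo "unexpected release: $release" >&2; exit 1 ;; esac`, together with `"$release"` in the git and find calls, limits publishing to the releases the pipeline defines. Separately, the `GIT_SSH_COMMAND` line earlier in this file disables host key checking, and that now applies to the clone and push inside the loop; pinning the host key in a known_hosts file would be a worthwhile follow-up.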

53
README.md Normal file

@ -0,0 +1,53 @@
# qubes-aports
Upstream: https://lab.ilot.io/ayakael/qubes-aports
## Description
This repository contains aports that allow Alpine Linux to be used as an Alpine
Linux template. The upstream repo uses GitLab's CI to build and deploy packages
targetting multiple Alpine Linux versions. QubesOS releases are tracked using
branches.
#### Template builder
The template builder is housed in its [own repo](https://lab.ilot.io/ayakael/qubes-builder-alpine).
RPMs are built in-pipeline using the build artifacts produced by this repo. These RPMs facilitate
installation of your very own Alpine Linux template on QubesOS.
#### Provided packages
Use `abuild-r` to build the following packages.
For more information on how to build an Alpine Package, read [this](https://wiki.alpinelinux.org/wiki/Creating_an_Alpine_package)
Core VM packages
* qubes-vm-xen - Qubes's version of xen
* qubes-libvchan-xen - libvchan library dependency
* qubes-db-vm - qubes-db package
* qubes-vm-utils - qubes-meminfo-writer service package
* qubes-vm-core - Core init.d / qubes scripts
* qubes-vm-gui-dev - Library dependencies for `qubes-vm-gui`
* qubes-vm-gui - GUI agent
* qubes-vm-qrexec - qrexec agent
* qubes-gpg-split
* qubes-usb-proxy
* qubes-meta-packages - Meta package that pulls everything when added to world
Extra packages
* qubes-pass - Aport for Rudd-O's inter-VM password manager for Qubes OS
Omitted packages
* qubes-vmm-xen - The default Alpine xen package seems to provide the necessary modules
#### Known issues
Known issues are currently being tracked in [qubes-builder-alpine](https://lab.ilot.io/ayakael/qubes-builder-alpine) repo.
#### Issues, recommendations and proposals
**To report an issue or share a recommendation**
Go [here](https://gitlab.alpinelinux.org/ayakael/qubes-aports/-/issues)
**To make a merge request**
* Fork the repo from Alpine's GitLab [here](https://gitlab.alpinelinux.org/ayakael/qubes-aports)
* Clone your fork locally. (`git clone $repo`)
* Make a branch with a descriptive name (`git checkout -b $descriptivename`)
* Make the changes you want to see in the world, commit, and push to the GitLab's remote repo
* Request a merge [here](https://gitlab.alpinelinux.org/ayakael/qubes-aports/-/merge_requests)


@ -4,7 +4,7 @@
pkgname=qubes-db-vm
subpackages="$pkgname-openrc"
pkgver=4.1.17
pkgrel=0
pkgrel=2
_gittag="v$pkgver"
pkgdesc="QubesDB libs and daemon service."
arch="x86_64"


@ -5,7 +5,7 @@ pkgname=qubes-gpg-split
subpackages="$pkgname-doc"
pkgver=2.0.69
_gittag="v$pkgver"
pkgrel=0
pkgrel=2
pkgdesc="Used Qubes AppVM as a “smart card”"
arch="x86_64"
url="https://github.com/QubesOS/qubes-app-linux-split-gpg"


@ -0,0 +1,61 @@
From 8c4c3807119f27957e6c7f87d505d66d0ea4c3d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
<marmarek@invisiblethingslab.com>
Date: Sat, 18 Nov 2023 18:27:28 +0100
Subject: [PATCH] Support changed libxenctrl API in Xen 4.18.0
The xc_domain_getinfo() is gone, it's replaced with
xc_domain_getinfo_single. While the new API is a bit nicer, xenctrl.h
does not provide any #define to know which one is available. Check
library version in the makefile for that.
---
vchan/Makefile.linux | 4 ++++
vchan/io.c | 10 ++++++++++
2 files changed, 14 insertions(+)
diff --git a/vchan/Makefile.linux b/vchan/Makefile.linux
index 281f2b5..587cb34 100644
--- a/vchan/Makefile.linux
+++ b/vchan/Makefile.linux
@@ -27,6 +27,11 @@ CFLAGS += -g -Wall -Wextra -Werror -fPIC -O2 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -
all: libvchan-xen.so vchan-xen.pc
-include *.dep
+# xenctrl.h does not provide any #define to distinguish API versions
+XENCTRL_VERSION := $(shell pkg-config --modversion xencontrol)
+CFLAGS += $(shell if printf '%s\n' '4.18.0' '$(XENCTRL_VERSION)' | \
+ sort -CV; then echo -DHAVE_XC_DOMAIN_GETINFO_SINGLE; fi)
+
libvchan-xen.so : init.o io.o
$(CC) $(LDFLAGS) -shared -o libvchan-xen.so $^ -lxenvchan -lxenctrl
clean:
diff --git a/vchan/io.c b/vchan/io.c
index 3d0ed35..0c23223 100644
--- a/vchan/io.c
+++ b/vchan/io.c
@@ -33,14 +33,24 @@
/* check if domain is still alive */
int libvchan__check_domain_alive(xc_interface *xc_handle, int dom) {
struct evtchn_status evst;
+#ifdef HAVE_XC_DOMAIN_GETINFO_SINGLE
+ xc_domaininfo_t dominfo;
+#else
xc_dominfo_t dominfo;
+#endif
int ret;
/* first try using domctl, more reliable but available in a privileged
* domain only */
+#ifdef HAVE_XC_DOMAIN_GETINFO_SINGLE
+ ret = xc_domain_getinfo_single(xc_handle, dom, &dominfo);
+ if (ret == 0)
+ return !(dominfo.flags & XEN_DOMINF_dying);
+#else
ret = xc_domain_getinfo(xc_handle, dom, 1, &dominfo);
if (ret == 1)
return dominfo.domid == (uint32_t)dom && !dominfo.dying;
+#endif
else if (ret == -1 && errno == ESRCH)
return 0;
/* otherwise fallback to xc_evtchn_status method */
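Review bot: If `pkg-config --modversion xencontrol` fails or prints nothing, `XENCTRL_VERSION` is empty and the `sort -CV` comparison quietly selects the pre-4.18 `xc_domain_getinfo()` branch. A build against Xen 4.18 headers would then most likely stop in io.c with a compile error that does not point at the real cause. A check right after the assignment, for example `ifeq ($(strip $(XENCTRL_VERSION)),)` / `$(error xencontrol not found via pkg-config)` / `endif`, would make the failure explicit. Since this looks like an imported upstream patch, the change may be better proposed upstream than carried locally.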


@ -3,18 +3,21 @@
pkgname=qubes-libvchan-xen
pkgver=4.1.13
pkgrel=1
pkgrel=4
_gittag=v$pkgver
pkgdesc="The Qubes core libraries for installation inside a Qubes Dom0 and VM."
arch="x86_64"
url="https://github.com/QubesOS/qubes-core-vchan-xen"
license='GPL'
depends="xen"
makedepends="xen-dev"
makedepends="xen-dev coreutils"
builddir="$srcdir"/qubes-core-vchan-xen-$pkgver
subpackages="$pkgname-dev"
source="$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-vchan-xen/archive/refs/tags/$_gittag.tar.gz"
source="
$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-vchan-xen/archive/refs/tags/$_gittag.tar.gz
39_support-changed-libxenctrl-api-xen418.patch
"
build() {
cd "$builddir"/vchan
@ -27,4 +30,5 @@ package() {
sha512sums="
cefb6b89f75936d791910d2169170536221d3123a1b33a14bea1fc5c08950ce934666719bf08eb3cc86ac055f85e6834f71e21c31189fa7299af09296c3cd99f qubes-libvchan-xen-v4.1.13.tar.gz
fedcba617d3843e41f257ff16b0a3108af844184252d4e702df8eccba21a4ef17d62c96acdb87bb4964e783b7f2f026305777be3379e7e7b51f4535a4704b52a 39_support-changed-libxenctrl-api-xen418.patch
"


@ -8,7 +8,7 @@ subpackages="
"
pkgver=4.1.24
_gittag="v$pkgver"
pkgrel=0
pkgrel=2
pkgdesc="Meta packages for Qubes-specific components"
arch="noarch"
url="https://github.com/QubesOS/qubes-meta-packages"


@ -4,7 +4,7 @@
pkgname=qubes-pass
pkgver=0.1.0
_gittag="v$pkgver"
pkgrel=0
pkgrel=2
pkgdesc="An inter-VM password manager for Qubes OS"
arch="noarch"
url="https://github.com/Rudd-O/qubes-pass"


@ -4,7 +4,7 @@
pkgname=qubes-usb-proxy
pkgver=1.1.5
_gittag="v$pkgver"
pkgrel=0
pkgrel=2
pkgdesc="The Qubes service for proxying USB devices"
arch="noarch"
url="https://github.com/QubesOS/qubes-app-linux-usb-proxy"


@ -9,7 +9,7 @@ subpackages="
$pkgname-doc
"
pkgver=4.1.44
pkgrel=0
pkgrel=6
_gittag="v$pkgver"
pkgdesc="The Qubes core files for installation inside a Qubes VM."
arch="x86_64"
@ -18,9 +18,13 @@ license="GPL"
options="!check" # No testsuite
depends="
coreutils
blkid
dconf
desktop-file-utils
device-mapper
diffutils
e2fsprogs
e2fsprogs-extra
ethtool
fakeroot
gawk
@ -48,6 +52,7 @@ makedepends="
gcc
libx11-dev
linux-pam-dev
lsb-release-minimal
make
pandoc
pkgconf


@ -4,7 +4,7 @@
pkgname=qubes-vm-gui-dev
pkgver=4.1.1
_gittag="v$pkgver"
pkgrel=1
pkgrel=3
pkgdesc="Common files for Qubes GUI - protocol headers."
arch="noarch"
url="https://github.com/QubesOS/qubes-gui-common"


@ -4,7 +4,7 @@
pkgname=qubes-vm-gui
subpackages="qubes-vm-pulseaudio $pkgname-openrc"
pkgver=4.1.31
pkgrel=0
pkgrel=3
_gittag="v$pkgver"
pkgdesc="The Qubes GUI Agent for AppVMs"
arch="x86_64"
@ -62,10 +62,6 @@ build() {
sed 's:ExecStartPre=/bin/touch:#ExecStartPre=/bin/touch:' -i appvm-scripts/qubes-gui-agent.service
# Ensure that qubes-gui-agent starts after user autologin
sed 's/After=\(.*\)qubes-misc-post.service/After=\1qubes-misc-post.service getty.target/' -i appvm-scripts/qubes-gui-agent.service
# Starts qubes-session after X11 start
install -Dm 755 "$srcdir"/qubes-sessions.sh "$pkgdir"/etc/X11/xinit/xinitrc.d/90-qubes-sessions.sh
# Remove broken pam and replace with adequate
install -Dm 644 "$srcdir"/qubes-gui-agent.pam "$pkgdir"/etc/pam.d/qubes-gui-agent
make BACKEND_VMM="$_qubes_backend_vmm" appvm
make appvm
@ -80,6 +76,12 @@ build() {
package() {
make install-rh-agent DESTDIR="$pkgdir" LIBDIR=/usr/lib USRLIBDIR=/usr/lib SYSLIBDIR=/lib
install -Dm 755 "$srcdir"/qubes-gui-agent.openrc "$pkgdir"/etc/init.d/qubes-gui-agent
# Starts qubes-session after X11 start
install -Dm 755 "$srcdir"/qubes-sessions.sh "$pkgdir"/etc/X11/xinit/xinitrc.d/90-qubes-sessions.sh
# Remove broken pam and replace with adequate
install -Dm 644 "$srcdir"/qubes-gui-agent.pam "$pkgdir"/etc/pam.d/qubes-gui-agent
}
pulseaudio() {
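Review bot: The comment `# Remove broken pam and replace with adequate` in package() does not say what is wrong with the PAM file that `make install-rh-agent` installs, or what the replacement changes. `/etc/pam.d/qubes-gui-agent` sits on the authentication path for the GUI agent session, so the reason should be recorded next to the install line, e.g. `# Replace upstream pam.d/qubes-gui-agent: <what fails on Alpine and why>`. build() starts above the visible hunks, so I cannot see whether the two `make ... appvm` lines are both meant to stay.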


@ -5,7 +5,7 @@ pkgname=qubes-vm-qrexec
subpackages="$pkgname-openrc $pkgname-doc"
pkgver=4.1.22
_gittag="v$pkgver"
pkgrel=0
pkgrel=3
pkgdesc="The Qubes qrexec files (qube side)"
arch="x86_64"
url="https://github.com/QubesOS/qubes-core-qrexec"
@ -13,17 +13,18 @@ license='GPL'
depends="qubes-libvchan-xen"
options="!check" # No testsuite
makedepends="
gcc
grep
make
lsb-release-minimal
pandoc
pkgconf
py3-setuptools
lld
qubes-libvchan-xen-dev
"
source="
$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-qrexec/archive/refs/tags/$_gittag.tar.gz
qubes-qrexec-agent.openrc
makefile-remove-cc-cflags.patch
agent-qrexec-fork-server-undef-fortify-source.patch
"
builddir="$srcdir/qubes-core-qrexec-${_gittag/v}"
@ -47,7 +48,6 @@ build() {
}
package() {
export LDFLAGS="$LDFLAGS -fuse-ld=lld"
make install-base DESTDIR="$pkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib
make install-vm DESTDIR="$pkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib
install -Dm 755 "$srcdir"/qubes-qrexec-agent.openrc "$pkgdir"/etc/init.d/qubes-qrexec-agent
@ -55,5 +55,6 @@ package() {
sha512sums="
c4d993dae87446fe73f390bdf0aa3bcfacce1a630b1f0e5f20c6ea7710c14cd9a7a0a66a66e5731dee47c6958c659e61b3c0ebea5a99a31317a52fb326650a2f qubes-vm-qrexec-v4.1.22.tar.gz
e2dd5cace82e881c40d5d37c69f7327fbabde81c9d23283de23de9f1197b7b018ef07a8d90e95c61bd249426d9d8297e7cb372333245941ffa0682c90ea3461f qubes-qrexec-agent.openrc
e48a06778a880915827fb2ef3e38379eb2bc6cf63f7fed79472be4732f7110b0c642c7a62a43236f53404ce69afddd40a5bc92a984403aae74caae1580c31200 makefile-remove-cc-cflags.patch
69b88c8d344f0d575eac398937040ba39a0d8fb8ea0a2b160c48d84775e1da4e226a76f3c5d3be7b045f577b634bb35cd5c5536248e18117c4121a38f9f3bf13 agent-qrexec-fork-server-undef-fortify-source.patch
"


@ -0,0 +1,35 @@
diff --git a/Makefile.orig b/Makefile
index ade10bf..7de05a4 100644
--- a/Makefile.orig
+++ b/Makefile
@@ -26,7 +24,7 @@ all-base:
$(PYTHON) setup.py build
.PHONY: all-base
-install-base: all-base
+install-base:
+$(MAKE) install -C libqrexec
$(PYTHON) setup.py install -O1 $(PYTHON_PREFIX_ARG) --skip-build --root $(DESTDIR)
ln -sf qrexec-policy-exec $(DESTDIR)/usr/bin/qrexec-policy
@@ -75,7 +73,7 @@ all-vm-selinux:
+$(MAKE) -f /usr/share/selinux/devel/Makefile -C selinux qubes-core-qrexec.pp
.PHONY: all-vm
-install-vm: all-vm
+install-vm:
+$(MAKE) install -C agent
install -d $(DESTDIR)/$(SYSLIBDIR)/systemd/system -m 755
install -t $(DESTDIR)/$(SYSLIBDIR)/systemd/system -m 644 systemd/qubes-qrexec-agent.service
diff --git a/agent/Makefile.orig b/agent/Makefile
index e1500f1..d75f60e 100644
--- a/agent/Makefile.orig
+++ b/agent/Makefile
@@ -32,7 +32,7 @@ else
endif
-install: all
+install:
install -d $(DESTDIR)/etc/qubes-rpc $(DESTDIR)/usr/lib/qubes \
$(DESTDIR)/usr/bin $(DESTDIR)/usr/share/man/man1
install qrexec-agent $(DESTDIR)/usr/lib/qubes
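Review bot: This patch file has no description, and with the `all-base`, `all-vm` and `all` prerequisites dropped, the install targets copy whatever is already in the tree without ensuring it was built. That is only safe while package() always runs after a complete build(), so the patch should open with a short header stating that assumption and the motivation, e.g. `Install targets must not trigger a rebuild during package(); build() has already produced the binaries.` (adjust to the actual reason). The top-level Makefile hunk headers also show a two-line offset between old and new positions (`-26,7 +24,7`, `-75,7 +73,7`) with no removal visible before them. That may mean the patch was edited by hand, so it is worth confirming that it applies without fuzz.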


@ -7,7 +7,7 @@ subpackages="
$pkgname-openrc
"
pkgver=4.1.19
pkgrel=0
pkgrel=2
_gittag="v$pkgver"
pkgdesc="Common Linux files for Qubes VM."
arch="x86_64"