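#!/bin/bash
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
#
# Idempotent replacement for /usr/lib/whonix-libvirt/install: prepares the
# libvirt side of a Whonix host — the libvirt network hook, the firewall
# config, the kvm/libvirt groups, the shared directories, the Whonix networks
# and the Gateway (and optionally Workstation) domains.
#
# Run as root. Exits 0 early when proxy_ping_mode is not "whonix".
#
# Globals set here and read by the steps below (and presumably by the sourced
# libraries): PREFIX, ROLE, GATEW, WORKS.
# Helpers supplied by the sourced libraries: proxy_ping_mode, proxy_virsh,
# str_replace.
#
# Exit codes: 1/2 library load failures; 12..16 hook, log-dir and firewall
# setup; 7 modprobe kvm failed; "N$?" codes (11, 30, 85, ...) are a step
# number followed by the failing virsh/virt-xml status.
set -o pipefail || exit 1

# was in /usr/lib/whonix-libvirt/install
# unlike that one, this should be idempotent
# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0

prog=$(basename "$0" .bash)
PREFIX=/usr/local
ROLE=base
. /usr/local/bin/usr_local_tput.bash

GATEW=1
# for testforge use we only need the Gateway
WORKS=

[ -f "$PREFIX/etc/testforge/testforge.bash" ] && . /usr/local/etc/testforge/testforge.bash
. /usr/local/bin/proxy_ping_lib.bash || \
    { echo "ERROR: loading /usr/local/bin/proxy_ping_lib.bash" >&2 ; exit 1; }
. /usr/local/bin/usr_local_base.bash || exit 2

MODE=$(proxy_ping_mode)
# nothing to do unless the proxy mode is whonix
[ "$MODE" = whonix ] || exit 0

#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10

[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12
/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13

[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14
# NOTE(review): 1777 makes the directory world-writable (sticky bit only
# protects deletion). The hook written below logs into
# libvirt_network.log in this directory, so any local user can pre-create
# that name; fs.protected_symlinks limits the symlink variant. A root-owned
# 0755 directory would be safer if nothing unprivileged needs to write here.
chmod 1777 /usr/local/var/log

[ -f /etc/firewall.conf.whonix ] || \
    cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15
[ -f /etc/firewall.conf ] || \
    cp -p /etc/firewall.conf.whonix /etc/firewall.conf || exit 16

# ERROR: proxy_ping_firewall_check /etc/firewall.conf empty

# libvirt's network hook, invoked by libvirtd (typically as root) on network
# events. It is only written when missing so local edits survive re-runs;
# the quoted delimiter keeps the body literal ($* and "$@" belong to the hook).
[ -x /etc/libvirt/hooks/network ] || cat > /etc/libvirt/hooks/network << \EOF
#!/bin/sh
[ -d /usr/local/var/log ] || mkdir /usr/local/var/log
echo INFO: hooks/network $* > /usr/local/var/log/libvirt_network.log
bash /usr/local/bin/proxy_libvirt_hook_network.bash "$@" \
  >> /usr/local/var/log/libvirt_network.log 2>&1
EOF
[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network
# smoke-test the hook once; exit code 16 is shared with the firewall.conf copy above
/etc/libvirt/hooks/network || exit 16

## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
# from here on any unguarded failure aborts the script
set -e

## {{ Taken from qemu-system-common.postinst.
# Add the kvm group unless it's already there
if ! getent group kvm >/dev/null; then
  addgroup --quiet --system kvm || true
fi
## }} Taken from qemu-system-common.postinst.

## {{ Taken from libvirt-bin.postinst.
if ! getent group libvirt >/dev/null; then
  addgroup --system libvirt
fi
## }} Taken from libvirt-bin.postinst.

## Existence of user "user" is not guaranteed at this point.
## Membership is tested with id(1): checking "^kvm" in /etc/group only proved
## the group existed (it always does after the block above), so the user was
## never actually added.
if getent passwd user >/dev/null; then
  id -nG user | grep -qw kvm || addgroup user kvm
  id -nG user | grep -qw libvirt || addgroup user libvirt
fi

## Create shared directory and adjust permissions
[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
# the workstation directory is only wanted when WORKS is set
# ("A && B || mkdir" created it unconditionally when WORKS was empty)
[ -z "$WORKS" ] || [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
chmod 1777 /mnt/gateway-shared
[ -z "$WORKS" ] || chmod 1777 /mnt/workstation-shared


## networks
# "exit N$?" appends the failing command's status to the step number,
# e.g. step 1 with virsh status 1 exits 11.
proxy_virsh net-list --all | grep -q default || \
    virsh -c qemu:///system net-autostart "default" || exit 1$?
#? virsh -c qemu:///system net-start "default" || exit 2$?
proxy_virsh net-list --all | grep -q Whonix-External || \
    virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-External.xml" \
    || exit 3$?
proxy_virsh net-list --all | grep -q Whonix-Internal || \
    virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-Internal.xml" \
    || exit 4$?

#no virsh -c qemu:///system net-autostart "Whonix-External"
proxy_virsh net-list | grep -q Whonix-External || \
    virsh -c qemu:///system net-start "Whonix-External" || exit 5$?
# no virsh -c qemu:///system net-autostart "Whonix-Internal"
proxy_virsh net-list | grep -q Whonix-Internal || \
    virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$?

lsmod | grep -q kvm || modprobe kvm || exit 7
# directory holding the shipped domain XML files
temp_dir=/usr/local/etc/libvirt/qemu

if virsh capabilities | grep -q "<domain type='kvm'" ; then
  true "OK: found KVM"
else
  ## no KVM available: rewrite the shipped domain XML so it runs under plain qemu
  ## replace the 'kvm' domain type with 'qemu'
  search="<domain type='kvm'>"
  replace="<domain type='qemu'>"
  str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
  [ -z "$WORKS" ] || \
    str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"

  search="<cpu mode='host-passthrough'/>"
  replace=""
  str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
  # guarded like every other Workstation edit in this block; unguarded, a
  # missing Whonix-Workstation.xml presumably fails str_replace and, under
  # set -e, aborts the whole install
  [ -z "$WORKS" ] || \
    str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"

  ## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
  search="<pvspinlock state='on'/>"
  replace=""
  str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"
  [ -z "$WORKS" ] || \
    str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"

  ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
  search="<vcpu placement='static' cpuset='0'>1</vcpu>"
  replace=""
  str_replace "$search" "$replace" "$temp_dir/Whonix-Gateway.xml"

  ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
  search="<vcpu placement='static' cpuset='1'>1</vcpu>"
  replace=""
  [ -z "$WORKS" ] || \
    str_replace "$search" "$replace" "$temp_dir/Whonix-Workstation.xml"
fi

## domains: define each one only when virsh does not list it yet
[ -z "$GATEW" ] || \
    proxy_virsh list --all | grep -q Whonix-Gateway || \
    virsh -c qemu:///system define "$temp_dir/Whonix-Gateway.xml" || exit 8$?
[ -z "$WORKS" ] || \
    proxy_virsh list --all | grep -q Whonix-Workstation || \
    virsh -c qemu:///system define "$temp_dir/Whonix-Workstation.xml" || exit 9$?

## shared filesystems: the idempotency check greps the shipped XML, not the
## live definition virt-xml edits
grep -q /mnt/gateway-shared "$temp_dir/Whonix-Gateway.xml" || \
    virt-xml "Whonix-Gateway" --add-device \
    --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || exit 10$?

# the Workstation check looks for the Workstation path (it used to grep for
# /mnt/gateway-shared, so the device was re-added on every run)
[ -z "$WORKS" ] || \
    grep -q /mnt/workstation-shared "$temp_dir/Whonix-Workstation.xml" || \
    virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true

[ -d /var/lib/whonix-libvirt ] || \
    mkdir --parents /var/lib/whonix-libvirt
touch /var/lib/whonix-libvirt/install.done

proxy_virsh list | grep -q Whonix-Gateway || \
    virsh -c qemu:///system start "Whonix-Gateway" || exit 19$?

if [ -d ~user ] ; then
  # kicksecure installs ~user/.xchat2/ not owned by user and it seems to screw up X
  # with "unable load load a failsafe session" unable to determine failsafe session name
  # even with no-allow-failsafe in /etc/X11/Xsession.options
  # Linkname:Xfce - Unable to load a failsafe session / Newbie... / Arch Linux Forums
  # https://bbs.archlinux.org/viewtopic.php?id=77646
  # NOTE(review): recursive chown, as root, of a tree the user can write to;
  # a hard link planted under ~user would change owner as well unless
  # fs.protected_hardlinks is enabled. Narrowing this to ~user/.xchat2 would
  # match the stated purpose.
  chown -R user ~user

  if [ -x /var/local/bin/testforge_user_profile.bash ]; then
    su -c /var/local/bin/testforge_user_profile.bash -s /bin/bash user
  fi
fi

exit 0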