Interim Bind-Directory Support

entr0py · June 7, 2016, 8:27pm

Until bind-directory functionality is completed upstream and implemented as /usr/lib/qubes/bind-dirs.sh, files & directories can be added to the BINDS array in /usr/lib/qubes-whonix/bind-directories to have them persist across reboots.

Example: Persistent OpenVPN Configuration

Open File as root: /usr/lib/qubes-whonix/bind-directories
Add entries to BINDS array:

'/rw/srv/etc/sudoers.d/tunnel_unpriv:/etc/sudoers.d/tunnel_unpriv'
'/rw/srv/etc/openvpn:/etc/openvpn'
'/rw/srv/lib/systemd/system/openvpn@openvpn.service:/lib/systemd/system/openvpn@openvpn.service'
'/rw/srv/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service:/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service'

(Correct?)

Patrick · June 7, 2016, 8:50pm

From VPN documentation.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

bind-dirs config snippet in theory.

binds+=( '/lib/systemd/system/openvpn@openvpn.service' )

Does not work in practice yet. The issue with bind-directories which will still be an issue with bind-dirs is, the files / folders that do not exist in the TemplateVM at all.

“Does not work if the file / folder in question does not already exist in the root image. I.e. a file that does not exist in the root image cannot be bind mounted in the TemplateBasedVM.”

Problematic code:

github.com

marmarek/qubes-core-agent-linux/blob/23bdcb90a78866a703435a7ea95cacd0da66aa02/vm-systemd/bind-dirs.sh#L101-L110


# Initially copy over data directories to /rw if rw directory does not exist.
if [ -d "$fso_ro" ] || [ -f "$fso_ro" ]; then
   cp --verbose --no-clobber --archive --recursive --parents "$fso_ro" "$rw_dest_dir"
else
   true "$fso_ro is neither a directory nor a file or does not exist, skipping."
   continue
fi


# Bind the fso.
mount --bind "$fso_rw" "$fso_ro"

Issues described on qubes-devel mailing list but no one had an idea how to solve it:
https://groups.google.com/d/msg/qubes-devel/tcYQ4eV-XX4/J89DRLzOBQAJ

entr0py · June 8, 2016, 6:15am

Ok. Needed a little systemd primer first to understand.

IIUC: At present, openvpn can not be enabled or disabled per proxyVM (although binding /etc/openvpn will allow for per-proxyVM openvpn conf’s).

This is because

/lib/systemd/system/openvpn@openvpn.service
/etc/systemd/system/multi-user.target.wants/openvpn@openvpn.service

need to exist in the templateVM and the way to create them is to sudo systemctl enable openvpn... So no point in binding what is already in the Template. There could be a point in binding these files if they could then be deleted in proxyVMs that didn’t need openvpn but that’s not possible either:

[1] Files that exist in the TempalteVM root image cannot be made deleted in the TemlateBasedVMs root image using bind-dirs.sh.

So: use dedicated openvpn TemplateVM or standalone VM. Template still has advantages: 1. non-persistent root fs, 2. per-proxyVM openvpn .conf

Actually, it is possible to enable openvpn per-proxyVM if you bind the directories instead of the files:

/lib/systemd/system/
/etc/systemd/system/multi-user.target.wants/

Is that just going overboard? (Maybe less system breakage by binding /etc/systemd/system/ instead of multi-user.target.wants/)

Patrick · June 8, 2016, 3:40pm

We might be able to create openvpn@openvpn.service in the TemplateVM with no harm. Just needs to check an additional condition. ConditionPathExists=... And then that file could be located in /rw.

Not sure if wise to bind that one. Updates in TemplateVM might be missed in TemplateBasedVM then.

Patrick · September 9, 2016, 4:35pm

For reference:
TemplateBasedVMs: make selected files and folders located in the root image persistent- review bind-dirs.sh

Patrick · September 14, 2016, 12:09pm

For reference: