qubes-mirage-firewall 0.7
ssch...@gmail.com
https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7
This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall. It requires around 64MB of RAM when running and requires "0.0s" of CPU time to boot, according to "xl list". It does not need or use a hard-disk, and does not persist any state between reboots.
For installation instructions, see:
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md
To upgrade from an earlier release, just overwrite /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz in dom0 with the new version and restart the firewall VM.
This version adapts qubes-mirage-firewall with
- dynamic rulesets via QubesDB (as defined in Qubes 4.0), and
- adds support for DNS hostnames in rules, using the pf-qubes library for parsing.
The DNS client is provided by DNS (>= 4.2.0) which uses a cache for name lookups. Not every packet will lead to a DNS
lookup if DNS rules are in place.
A test unikernel is available in the test subdirectory.
This project was done by @linse and @yomimono in summer 2019, see PR #96.
Additional changes and bugfixes:
Support Mirage 3.7 and mirage-nat 2.0.0 (@hannesm, #89).
The main improvement is fragmentation and reassembly support.Use the smaller OCurrent images as the base for building the Docker images (@talex5, #80).
- Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08)
- Now: 309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08)
Documentation:
Add note that AppVM used to build from source may need a private image larger than the default 2048MB (@marmot1791,
#83).README: create the symlink-redirected docker dir (@xaki23, #75). Otherwise, installing the docker package removes t
he dangling symlink.Note that mirage-firewall cannot be used as UpdateVM (@talex5, #68).
Fix ln(1) call in build instructions (@jaseg, #69). The arguments were backwards.
Keeping up with upstream changes:
Adjust to ipaddr-4.0.0 renaming
_bytesto_octets(@xaki23, #75).Use OCaml 4.08.0 for qubes-builder builds (was 4.07.1) (@xaki23, #75).
Remove netchannel pin as 1.11.0 is now released (@talex5, #72).
Remove cmdliner pin as 1.0.4 is now released (@talex5, #71).
qubeslover
I'm pleased to announce the release of qubes-mirage-firewall 0.7:https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7
This is a unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It may be useful if you want something smaller or faster-to-start than the Linux-based sys-firewall. It requires around 64MB of RAM when running and requires "0.0s" of CPU time to boot, according to "xl list". It does not need or use a hard-disk, and does not persist any state between reboots.
ssch...@gmail.com
On Saturday, 23 May 2020 17:24:42 UTC+2, qubeslover wrote:
Is there any plan to create a package for Qubes Dom0 repo for the future?
dhorf-hfre...@hashmail.org
> On Saturday, 23 May 2020 17:24:42 UTC+2, qubeslover wrote:
> Is there any plan to create a package for Qubes Dom0 repo for the future?
https://github.com/QubesOS/qubes-builder/blob/master/example-configs/mirage.conf
which builds mirage firewall (and ssh-agent) as a template-vm,
which reduces the problem to the more generic "how to ship/install
a template" (which can be handled entirely outside dom0 already)
as opposed to the very mirage-specific "how to install a vm-kernel in
dom0" (which is very dom0 oriented).
it actualy works well enough, i have been building+deploying all my
mirage vms for more than a year this way.
there are some points left to improve:
1) how to include vm-specific prefs/feats with a template pkg.
this mainly needs a way for a vm-specific builder to include
a file in the final rpm, and that isnt really straightforward
since the rpm-builder and vm-builder are like three layers of
abstraction apart.
2) "@tag:buildvm @tag:created-by-@srcvm allow" in qubesrpc-policy.
the "reference srcvm in dstvm spec" part doesnt exist.
3) automated way to create the pvgrub vm-kernel entry. (probably salt)
4) polishing. (which doesnt make too much sense as long as 1-3 are open)
these are not actualy required, but would make the whole thing a lot
more userfriendly.
bernhard haak
> I'm pleased to announce the release of qubes-mirage-firewall 0.7:
>
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.7
I try to build on buster, but already new-docker fails.
DKMS: install completed.
Building initial module for 4.19.120-1.pvops.qubes.x86_64
Error! Bad return status for module build on kernel:
4.19.120-1.pvops.qubes.x86_64 (x86_64)
Consult /var/lib/dkms/aufs/4.19+20190211/build/make.log for more
information.
dpkg: error processing package aufs-dkms (--configure):
installed aufs-dkms package post-installation script subprocess
returned error exit status 10
Errors were encountered while processing:
aufs-dkms
If I ignore it, (docker is installed, but incomplete), the build fails,
without surprise. Someone has a hint on that? Cheers, Bernhard