what's the correct way to auto-start a script in dom0, without login.


aco31

Feb 19, 2020, 9:54:37 AM
to qubes-devel
hello,

In my application (2 sys-net plugged on one firewall with 2 application VMs), I must launch an IPsec tunnel, configure routes and iptables.
This VPN must be mounted as soon as possible after each boot (just after network.target for example).
For security reasons I can't have any scripts on other VMs than the specific dom0. So this VPN must be launched from dom0. All routes, port forwarding, and iptables rules are defined from scripts on dom0.
And as the computer has no display, no login on dom0 or other VMs is possible.

I have tried many configurations of systemd services without success on dom0. The service is triggered only if a user login is done.

Could you help me?
Thanks a lot
alain

Marek Marczykowski-Górecki

Feb 19, 2020, 12:26:36 PM
to aco31, qubes-devel
On Wed, Feb 19, 2020 at 06:54:36AM -0800, aco31 wrote:
> hello,
>
> In my application (2 sys-net plugged on one firewall with 2 application
> VMs), I must launch an IPsec tunnel, configure routes and iptables.
> This VPN must be mounted as soon as possible after each boot (just after
> network.target for example).
> For security reasons I can't have any scripts on other VMs than the
> specific dom0. So this VPN must be launched from dom0.

Those two requirements ("as soon as possible" and "no scripts in the
VM") contradict each other. Outside of the VM you don't really
see what boot stage it is in, so you can't really execute things at an
arbitrary boot stage. Also, dom0's ability to execute anything in the VM
is launched pretty late in the boot process, so it may not be possible
at all to do things early from dom0.

If what you really want is to avoid the ability for a compromised sys-net to
persist using some startup scripts in /rw, then the solution is
different: use DispVM for sys-net[1]. This way no configuration change
will persist, regardless of whether that's a script in /rw or a change in your IPsec
configuration rendering it useless (which BTW wouldn't be prevented by
the "no scripts in a VM" approach) or any other thing.

[1] https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

This way, you have one VM that can be started to modify the
configuration (including startup scripts to start the VPN) and another
that is actual sys-net to run this configuration, but can't really
modify it persistently.

And with this approach, you can use standard scripts, like described
here:
https://www.qubes-os.org/doc/vpn/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
aco31

Feb 20, 2020, 2:40:07 AM
to qubes-devel
Without doubt the requirement 'as soon as possible' is not clear; it means after all VMs are launched and network services are launched too. My need is that dom0 executes several actions dedicated to each VM and use case. And that, without login on the machine.
For example, in the spirit of a systemd service it is:
    Requires=network.target
    After=network.target
    ...
    WantedBy=multi-user.target
On other computers (Debian) of the installation the systemd services start automatically without login, but not on dom0 (Fedora template).

thanks
alain
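A dom0 system unit of the shape sketched in this post, written out as an added example; it is not code from the thread or from the Qubes project. The unit name, the script path and the dependence on qubes-vm@sys-net.service (assumed to be the unit Qubes enables when a VM has autostart set) are assumptions.

```ini
# /etc/systemd/system/dom0-vpn-setup.service  (hypothetical unit name, lives in dom0)
[Unit]
Description=Configure IPsec tunnel, routes and iptables from dom0 at boot (example)
# Order after the unit that autostarts sys-net (assumption: sys-net has
# autostart=True, which Qubes implements with qubes-vm@sys-net.service),
# so the VM exists before the script starts issuing qvm-run commands.
After=qubes-vm@sys-net.service
Wants=qubes-vm@sys-net.service

[Service]
Type=oneshot
RemainAfterExit=yes
# PLACEHOLDER path: the dom0 script that drives the VMs with qvm-run.
# It must do its own readiness check (for example a loop on
# `qvm-check --running sys-net`), because unit ordering only says the
# start unit has run, not that the guest's network services are ready.
ExecStart=/usr/local/bin/vpn-setup.sh
# Keep dom0's boot from waiting forever on a VM that never comes up.
TimeoutStartSec=300

[Install]
# A *system* unit pulled in by multi-user.target runs at boot with no
# login at all. A unit under ~/.config/systemd/user/ (or one enabled via
# `systemctl --user`) only starts with that user's session, which matches
# the "triggered only after login" symptom described in this thread.
WantedBy=multi-user.target
```

In dom0, load and enable it with `sudo systemctl daemon-reload && sudo systemctl enable dom0-vpn-setup.service`, and confirm the ordering with `systemctl list-dependencies --after dom0-vpn-setup.service`.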