> On 05.06.2016 18:26, 981'0932481'029438'0194328'0913284'0913284'09182'3 wrote:
>> Hello,
>
>> Can I build a Template VM hierarchy?
> No, it isn't possible. Template VMs are done at block device level, not
> filesystem level (to limit attack surface), so it isn't possible to
> merge different levels. [...]
> I think this would be difficult to implement. One reason for this is that when
> you update TVM1 for example, the filesystem of it diverges. You would have to
> do something like a three-Way Merge as known from version control systems like
> git. I am not aware how this could be done.

That's a deliberate architectural choice; what if there were as many virtual disks (/dev/xvdN) as the level, and the mounting was done via something like overlayfs? This would allow for mounting from many disks into the same directory, specifying which source would be the "lower one" (read only) and the "upper one" (read-write), and merging directory contents too.

Any AppVM would have all the lower layers as read-only, one above the other, and still keep /rw as the only read-write filesystem mounted with unionfs.

This would semi-solve the update problem: you would update the cascade of templates starting from the root, and you would have your binaries updated. The only problem is with the installed application database from the package manager, which would be out-of-sync in the child templates with the actual version installed of the apps in the root templates.

This is imho the biggest problem, not the actual technical implementation of the overlay/union of filesystems; as long as there is no package manager that can "discover" the actual packages installed and needed without a separate database, or without a carefully designed single-file-per-package-info database, this will only be an update nightmare.

--
Alex
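Added example, not part of the original message and not Qubes code: a small Python model of the layered lookup discussed in the reply above, showing why a single-file package database goes stale in a child template after the root template is updated, while a one-file-per-package database does not. The paths, package names and versions are constructed for illustration, and the "topmost layer wins" rule is a simplification of overlayfs.

```python
# Simplified overlay model: each layer maps path -> content, and the topmost
# layer containing a path wins. All paths, names and versions are constructed.

def merged_view(layers):
    """Merge layers ordered from lowest (root template) to highest (child)."""
    view = {}
    for layer in layers:
        view.update(layer)
    return view

def installed_binaries(view):
    return {p.rsplit("/", 1)[-1]: v for p, v in view.items()
            if p.startswith("/usr/bin/")}

def db_single_file(view):
    # One database file holding "name=version" lines for every package.
    return dict(line.split("=") for line in view["/var/lib/pkg/db"].splitlines())

def db_per_package(view):
    # One info file per package: file name is the package, content the version.
    return {p.rsplit("/", 1)[-1]: v for p, v in view.items()
            if p.startswith("/var/lib/pkg/info/")}

def stale_entries(single_file):
    """Return {package: (binary_version, db_version)} mismatches in the child."""
    root = {"/usr/bin/foo": "1.0"}
    child = {"/usr/bin/bar": "1.0"}
    if single_file:
        root["/var/lib/pkg/db"] = "foo=1.0"
        # Installing bar in the child rewrites the whole file into its layer.
        child["/var/lib/pkg/db"] = "foo=1.0\nbar=1.0"
    else:
        root["/var/lib/pkg/info/foo"] = "1.0"
        child["/var/lib/pkg/info/bar"] = "1.0"

    # The root template is updated: binary and its own database entry change.
    root["/usr/bin/foo"] = "2.0"
    if single_file:
        root["/var/lib/pkg/db"] = "foo=2.0"
    else:
        root["/var/lib/pkg/info/foo"] = "2.0"

    view = merged_view([root, child])
    db = db_single_file(view) if single_file else db_per_package(view)
    binaries = installed_binaries(view)
    return {n: (binaries[n], db[n]) for n in binaries if binaries[n] != db[n]}

if __name__ == "__main__":
    print("single-file db:", stale_entries(True))
    print("per-package db:", stale_entries(False))
```

In the single-file case the child's copy of the database shadows the root's updated one, so the child reports foo 1.0 while running the 2.0 binary, which matters for anything that relies on the database to decide whether a security update is installed.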