On 08/20/2016 06:00 PM, J.M. Porup wrote:
> On Sat, Aug 20, 2016 at 05:56:39PM -0400, J.M. Porup wrote:
>> On Sat, Aug 20, 2016 at 05:29:19PM -0400, J.M. Porup wrote:
>>> files in three different vms have disappeared in the last week.
>>> In one case I lost work.
>>>
>>> previously I've seen a vm start without local data, somehow it doesn't
>>> "catch", usually a shutdown and restart solves the problem. In this case
>>> multiple restarts over multiple days is not working.
>>>
>>> what can I investigate to discover the cause of the missing data?
>>> assuming, for the sake of argument, accident and not adversary.
>>
>> I can reproduce this with appvms based on debian 8, but not fedora 23.
>>
>> * create new appvm
>> * open a terminal, 'touch foo'
>> * shutdown vm
>> * restart vm, file is gone
>>
>> fedora 23 based appvms persist, but the debian 8 based appvms did not,
>> at least in this test. I have not checked all my vms yet.
>
> Additional data point.
>
> * Download the Equation Group files from Mega to report on them
> * qvm-copy-to-vm --> new fedora 23 based appvm
> * open terminal in new vm, files are there
> * shutdown, reboot--files are gone
>
> jmp

One avenue to investigate is to reproduce the problem and then see if
another vm can manually mount that filesystem and access the files:

1. Start the appvm in question ("VM1") - private data files do not appear
2. Pause VM1
3. Start a testing appvm ("VM2").
4. Use qvm-block in dom0:
   $ qvm-block -A --ro VM2 dom0:/var/lib/qubes/appvms/VM1/private.img
5. In VM2, run:
   $ mkdir data
   $ sudo mount /dev/xvdi data
   $ ls data/home/user
6. Look for your data files

If you can see your data in VM2, then the problem may be due to some bug
in the boot sequence for the template used by VM1. But that doesn't
necessarily rule out foul play... You may want to use VM2 to inspect
vulnerable files in 'data' such as home/user/.bashrc and
home/user/.profile to see if they've been tampered with.

To undo the above attach+mount, run 'sudo umount data' in VM2, then
shut down VM2. Finally, un-pause VM1.

Chris
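
One way to do the startup-file inspection suggested in the reply above, as an added example that is not part of the original thread: compare the files under the mounted volume with the pristine copies in a skeleton directory. It assumes VM2 uses the same template as VM1 and that VM1's home was originally populated from that template's /etc/skel; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# check_startup_files <mounted-home> [skel-dir]
# Prints one status line per shell startup file:
#   SAME     identical to the skeleton copy
#   CHANGED  differs from the skeleton copy (review it with diff -u)
#   EXTRA    present in the home, no skeleton copy to compare against
#   MISSING  skeleton has it, the home does not
#   SYMLINK  a link; reported, never followed, since the volume is untrusted
check_startup_files() {
    home=$1
    skel=${2:-/etc/skel}   # assumption: skeleton dir of the shared template
    for f in .bashrc .profile .bash_profile .bash_login .bash_logout; do
        if [ -L "$home/$f" ]; then
            echo "SYMLINK $f -> $(readlink "$home/$f")"
        elif [ -f "$home/$f" ]; then
            if [ ! -f "$skel/$f" ]; then
                echo "EXTRA $f"
            elif cmp -s "$home/$f" "$skel/$f"; then
                echo "SAME $f"
            else
                echo "CHANGED $f"
            fi
        elif [ -f "$skel/$f" ]; then
            echo "MISSING $f"
        fi
    done
}

# Constructed sample tree: a skeleton dir plus a "mounted" home in which
# .bashrc has an extra line and .bash_logout was replaced by a symlink.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/skel" "$d/home"
    printf 'alias ll="ls -l"\n' > "$d/skel/.bashrc"
    printf 'umask 022\n' > "$d/skel/.profile"
    cp "$d/skel/.profile" "$d/home/.profile"
    printf 'alias ll="ls -l"\n# constructed extra line\n' > "$d/home/.bashrc"
    ln -s /dev/null "$d/home/.bash_logout"
    echo "$d"
}

# In VM2, after the mount step above: sh this-script data/home/user
if [ $# -ge 1 ]; then
    check_startup_files "$@"
fi
```

A CHANGED line is not evidence of tampering by itself, since users edit these files; it only tells you which files to read with `diff -u` against the skeleton copy.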