On Tuesday, February 13, 2018 at 9:29:40 AM UTC+1, Ivan Mitev wrote:
> On 02/12/2018 07:12 PM, Ivan Mitev wrote:
> > 
> > 
> > On 02/12/2018 06:47 PM, Unman wrote:
> >> On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> >>>
> >>>
> >>> On 02/12/2018 06:26 PM, Unman wrote:
> >>>> On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> >>>>>
> >>>>>
> >>>>> On 02/12/2018 11:42 AM, Yuraeitha wrote:
> >>>>>> On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> In an effort to decrease R4's memory consumption I'm replacing the
> >>>>>>> default fedora-26 template with a customized one based on the 
> >>>>>>> official
> >>>>>>> minimal fedora-26 template.
> >>>>>>>
> >>>>>>> I installed additional RPMs according to the documentation [1] and
> >>>>>>> everything seems to be working well, with a noticeable decrease of
> >>>>>>> memory usage. However I get the following error when opening a VM's
> >>>>>>> firewall settings gui:
> >>>>>>>
> >>>>>>> "The 'work' qube is network connected to 'sys-firewall', which 
> >>>>>>> does not
> >>>>>>> support firewall!
> >>>>>>> You may edit the 'work' qube firewall rules, but these will not 
> >>>>>>> take any
> >>>>>>> effect until you connect it to a working Firewall qube."
> >>>>>>>
> >>>>>>> But again, everything seems to work fine: the firewall rules are
> >>>>>>> properly enforced, there's no problem with net connectivity, the 
> >>>>>>> update
> >>>>>>> proxy is working, ...
> >>>>>>>
> >>>>>>> There's no error message when sys-firewall is based on the default
> >>>>>>> fedora-26 template so I'm likely missing something but I don't 
> >>>>>>> see what.
> >>>>>>> I compared the qubes rpms installed in both templates but didn't 
> >>>>>>> notice
> >>>>>>> anything striking. Maybe there's a flag/preference or something that
> >>>>>>> needs to be set but I don't see where.
> >>>>>>>
> >>>>>>> Any ideas ?
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> Ivan
> >>>>>>>
> >>>>>>> [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> >>>>>>
> >>>>>>
> >>>>>> It sounds odd; it usually should work when changing the template. My 
> >>>>>> initial thought-line on this issue goes like this, maybe it can be 
> >>>>>> of use.
> >>>>>>
> >>>>>> Is the iptable firewall package installed in the minimal template?
> >>>>>>
> >>>>>> I'm thinking it may be iptables that is missing, since minimal 
> >>>>>> templates can be used for offline purposes too, so iptables is 
> >>>>>> probably not included, like most other things that have been removed.
> >>>>>
> >>>>> iptables is installed (that's one of the first things I checked 
> >>>>> after I saw
> >>>>> the error msg).
> >>>>>
> >>>>>
> >>>>> [...]
> >>>>>
> >>>>>> - If Qubes tools are installed, networking works etc, and you got 
> >>>>>> iptables installed already, then my thoughts are that it's likely 
> >>>>>> missing system-config-*'s and the unavoidable full array of 
> >>>>>> dependencies going with it.
> >>>>>
> >>>>> Hmm, what are those system-config-*s you're talking about ?
> >>>>>
> >>>>>
> >>>>>> - Try cloning the template and essentially go berserk without 
> >>>>>> holding back: install the entire system-config- array of packages and 
> >>>>>> see if networking works. If not, then either something is still 
> >>>>>> missing, or firewalling has nothing to do with the system-config 
> >>>>>> packages.
> >>>>>>
> >>>>>> - If it works, then try to narrow down which packages are used 
> >>>>>> for firewalling; perhaps you can reduce the number of dependency 
> >>>>>> packages being pulled in if you install just the package that the 
> >>>>>> firewall is using.
> >>>>>
> >>>>> If there aren't hardcoded changes or manual configurations made in the
> >>>>> default fedora-26 template then yes, installing the exact same set of 
> >>>>> rpms would
> >>>>> in theory fix the problem. But before spending significant time on
> >>>>> installing a bunch of rpms and then dissecting I thought I'd ask 
> >>>>> fellow
> >>>>> users first... Maybe the cause is obvious and I'm overlooking 
> >>>>> something.
> >>>>>
> >>>>
> >>>> I just want to check - you say that the firewall rules are properly
> >>>> enforced, and that everything works properly EXCEPT that you get a
> >>>> warning.
> >>>
> >>> Exactly.
> >>>
> >>> BTW qvm-firewall works and doesn't output any error message...
> >>>
> >>
> >> Yes, thought so - it's probably a bug in the gui code that checks
> >> connected netvm status. Does it happen with every connected qube?
> > 
> > Yes, it happens to all the vms connected to sys-firewall.
> > 
> > I just reverted sys-firewall's template to the default f26 and there was 
> > no more error message, so it doesn't look like a bug in the gui, 
> > something is likely missing in my customized template. Just have to find 
> > what :)
> 
> figured it out quickly this morning: in qubes-manager/settings.py the 
> error message is displayed when the template doesn't have the 
> 'qubes-firewall' feature.
> 
> fix:
> 
> qvm-features fedora-26-minimal qubes-firewall 1
> 
> out of curiosity I tried to find where/when this feature is set for the 
> default fedora-26 template: there's a comment in 
> qubes/ext/core_features.py that says '[this feature] can be freely 
> enabled or disabled by template' but I don't understand what it's 
> supposed to mean - whether the template automatically sets it somehow 
> (but then how ?) or if it can be set for each template. It's probably 
> the latter; in that case maybe the feature is set by the template's rpm 
> postscripts (but then I couldn't find any mention of "qvm-features" in 
> the qubes-builder-fedora repo).

Interesting, I haven't seen qvm-features before, isn't this quite new? But it 
seems like this is the kind of thing that could be used to flag Windows HVMs 
properly too, if the first impression of it is right.

About the system-config-*s, it's a lot of the fedora system tools that are 
ripped out in the minimal templates, but are in larger representation in 
the regular fedora templates. For example, in order to get printing to work, 
it's currently the default approach to install cups and system-config-printer: 
cups for the server service, and system-config-printer for the backbone 
infrastructure. I believe the system-config-'s together with XFCE4 are what make 
up the overall user interface? Thinking about it, it shouldn't be able to impact 
firewalls, which should work without any interface too, on servers without an 
interface. Well, I'm not so sure about the details. But either way this isn't 
important now that you found the issue and fixed it, it's just to reply back.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/972b6e98-e20e-4f58-8168-134a04309542%40googlegroups.com.
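Ivan's fix sets the 'qubes-firewall' feature by hand on the template. As an added example (not from this thread and not Qubes' own tooling), the dom0 script below walks the same chain the manager's warning is about: it takes a qube, finds its netvm, looks the feature up on the netvm and then on the netvm's template, and prints the exact qvm-features command to run when it is missing. It assumes Qubes 4.x `qvm-prefs` and `qvm-features` in dom0, that `qvm-features VM FEATURE` exits non-zero when the feature is unset, and that the lookup order (VM first, then its template) is what the GUI check uses; that order is my reading of the manager code, not something the thread states. The qube names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Qubes' own tooling.
# Run in dom0 on Qubes 4.x:   sh check-firewall.sh <qube>
# Assumptions: qvm-prefs and qvm-features are on PATH, and
# "qvm-features VM FEATURE" prints the value and exits non-zero when unset.

# Resolve FEATURE for VM: the VM's own setting wins, otherwise its template's
# (assumed to mirror the manager's check). Prints the value; returns 1 if
# neither the VM nor its template sets it.
resolve_feature() {
    rf_vm=$1
    rf_feature=$2
    if rf_val=$(qvm-features "$rf_vm" "$rf_feature" 2>/dev/null); then
        printf '%s\n' "$rf_val"
        return 0
    fi
    rf_tpl=$(qvm-prefs "$rf_vm" template 2>/dev/null) || return 1
    [ -n "$rf_tpl" ] || return 1
    qvm-features "$rf_tpl" "$rf_feature" 2>/dev/null
}

# Report whether QUBE's netvm advertises qubes-firewall. If it does not,
# print the one-line fix, aimed at the netvm's template when it has one
# (so every qube using that template benefits), else at the netvm itself.
# Returns 1 exactly when the manager would show the warning from the thread.
check_firewall_chain() {
    cf_qube=$1
    cf_netvm=$(qvm-prefs "$cf_qube" netvm 2>/dev/null)
    if [ -z "$cf_netvm" ]; then
        printf '%s: no netvm, firewall rules have nothing to apply to\n' "$cf_qube"
        return 0
    fi
    if [ -n "$(resolve_feature "$cf_netvm" qubes-firewall)" ]; then
        printf '%s: netvm %s advertises qubes-firewall, no warning expected\n' \
            "$cf_qube" "$cf_netvm"
        return 0
    fi
    cf_tpl=$(qvm-prefs "$cf_netvm" template 2>/dev/null) || cf_tpl=
    printf '%s: netvm %s lacks the qubes-firewall feature; fix with:\n' \
        "$cf_qube" "$cf_netvm"
    printf '  qvm-features %s qubes-firewall 1\n' "${cf_tpl:-$cf_netvm}"
    return 1
}

# e.g. "sh check-firewall.sh work" in dom0 (qube name is a placeholder)
if [ $# -ge 1 ]; then
    check_firewall_chain "$1"
fi
```

Because the feature is looked up on the netvm before its template, setting it on sys-firewall itself would also silence the warning; setting it on the template, as in Ivan's fix, covers every netvm built from that template at once.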