On Tue, Feb 13, 2018 at 10:29:33AM +0200, Ivan Mitev wrote:
> 
> 
> On 02/12/2018 07:12 PM, Ivan Mitev wrote:
> > 
> > 
> > On 02/12/2018 06:47 PM, Unman wrote:
> > > On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> > > > 
> > > > 
> > > > On 02/12/2018 06:26 PM, Unman wrote:
> > > > > On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> > > > > > 
> > > > > > 
> > > > > > On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > > > > > > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > In an effort to decrease R4's memory consumption I'm replacing the
> > > > > > > > default fedora-26 template with a customized one based on the official
> > > > > > > > minimal fedora-26 template.
> > > > > > > > 
> > > > > > > > I installed additional RPMs according to the documentation [1] and
> > > > > > > > everything seems to be working well, with a noticeable decrease of
> > > > > > > > memory usage. However I get the following error when opening a VM's
> > > > > > > > firewall settings gui:
> > > > > > > > 
> > > > > > > > "The 'work' qube is network connected to 'sys-firewall', which does not
> > > > > > > > support firewall!
> > > > > > > > You may edit the 'work' qube firewall rules, but these will not take any
> > > > > > > > effect until you connect it to a working Firewall qube."
> > > > > > > > 
> > > > > > > > But again, everything seems to work fine: the firewall rules are
> > > > > > > > properly enforced, there's no problem with net connectivity, the update
> > > > > > > > proxy is working, ...
> > > > > > > > 
> > > > > > > > There's no error message when sys-firewall is based on the default
> > > > > > > > fedora-26 template so I'm likely missing something but I don't see what.
> > > > > > > > I compared the qubes rpms installed in both templates but didn't notice
> > > > > > > > anything striking. Maybe there's a flag/preference or something that
> > > > > > > > needs to be set but I don't see where.
> > > > > > > > 
> > > > > > > > Any ideas ?
> > > > > > > > 
> > > > > > > > Thanks
> > > > > > > > Ivan
> > > > > > > > 
> > > > > > > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > > > > > > 
> > > > > > > 
> > > > > > > It sounds odd, it usually should work changing the template. My
> > > > > > > initial thought-line on this issue goes like this, maybe it can be
> > > > > > > of use.
> > > > > > > 
> > > > > > > Is the iptable firewall package installed in the minimal template?
> > > > > > > 
> > > > > > > I'm thinking it may be iptables that is missing, since minimal
> > > > > > > templates can be used for offline purposes too, then iptables is
> > > > > > > probably not included like most other things that have been removed.
> > > > > > 
> > > > > > iptables is installed (that's one of the first things I checked after
> > > > > > I saw the error msg).
> > > > > > 
> > > > > > 
> > > > > > [...]
> > > > > > 
> > > > > > > - If Qubes tools are installed, networking works etc, and you got
> > > > > > > iptables installed already, then my thoughts are that it's likely
> > > > > > > missing system-config-*'s and the unavoidable full array of
> > > > > > > dependencies going with it.
> > > > > > 
> > > > > > Hmm, what are those system-config-*s you're talking about ?
> > > > > > 
> > > > > > 
> > > > > > > - Try clone the template and essentially go berserk and not holding
> > > > > > > back, install the entire system-config- array of packages, see if
> > > > > > > networking works. If not, then either something is still missing, or
> > > > > > > firewalling has nothing to do with the system-config packages.
> > > > > > > 
> > > > > > > - If it works, then try narrow down which packages that are used for
> > > > > > > firewalling, perhaps you can reduce the amount of dependency packages
> > > > > > > being pulled if you install just the package that firewall is using.
> > > > > > 
> > > > > > If there aren't hardcoded changes or manual configurations made in the
> > > > > > default fedora-26 template then yes, installing the exact same of rpms
> > > > > > would in theory fix the problem. But before spending significant time on
> > > > > > installing a bunch of rpms and then dissecting I thought I'd ask fellow
> > > > > > users first... Maybe the cause is obvious and I'm overlooking something.
> > > > > > 
> > > > > 
> > > > > I just want to check - you say that the firewall rules are properly
> > > > > enforced, and that everything works properly EXCEPT that you get a
> > > > > warning.
> > > > 
> > > > Exactly.
> > > > 
> > > > BTW qvm-firewall works and doesn't output any error message...
> > > > 
> > > 
> > > Yes, thought so - it's probably a bug in the gui code that checks
> > > connected netvm status. Does it happen with every connected qube?
> > 
> > Yes, it happens to all the vms connected to sys-firewall.
> > 
> > I just reverted sys-firewall's template to the default f26 and there was
> > no more error message, so it doesn't look like a bug in the gui,
> > something is likely missing in my customized template. Just have to find
> > what :)
> 
> figured it out quickly this morning: in qubes-manager/settings.py the error
> message is displayed when the template doesn't have the 'qubes-firewall'
> feature.
> 
> fix:
> 
> qvm-features fedora-26-minimal qubes-firewall 1
> 
> out of curiosity I tried to find where/when this feature is set for the
> default fedora-26 template: there's a comment in qubes/ext/core_features.py
> that says '[this feature] can be freely enabled or disabled by template' but
> I don't understand what it's supposed to mean - whether the template
> automatically sets it somehow (but then how ?) or if it can be set for each
> template. It's probably the latter; in that case maybe the feature is set by
> the template's rpm postscripts (but then I couldn't find any mention of
> "qvm-features" in the qubes-builder-fedora repo).

See here: https://github.com/QubesOS/qubes-issues/issues/2829

In short: there is a qubes.PostInstall service called just after template
installation, to let the template advertise supported features. I think it
should also be called automatically after installing new packages (or
even updating existing ones), because that can influence supported features -
like in this case.

You can try triggering it manually. From the template call

    /etc/qubes-rpc/qubes.PostInstall

Issue for tracking this problem: 
https://github.com/QubesOS/qubes-issues/issues/3579

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
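
Added example, not part of the original message and not Qubes project code: a dom0 shell sketch that lists network-providing qubes for which the 'qubes-firewall' feature discussed above is set neither on the qube nor on its template, which is the condition that leaves the firewall settings GUI showing the warning. The function names and the `QVM_*` override variables are hypothetical; the lookup order (qube first, then template) is an assumption about how the GUI check resolves the feature.

```shell
# Run in dom0. The command names are overridable (hypothetical QVM_*
# variables) so the logic can be exercised on a machine without Qubes.
QVM_LS=${QVM_LS:-qvm-ls}
QVM_PREFS=${QVM_PREFS:-qvm-prefs}
QVM_FEATURES=${QVM_FEATURES:-qvm-features}

# Print the value of a feature for a qube, falling back to its template.
# Returns non-zero when neither has the feature set.
# Assumption: this order mirrors the check behind the GUI warning.
feature_with_template() {
    vm=$1 feature=$2
    # qvm-features exits non-zero when the feature is not set on the qube.
    if value=$("$QVM_FEATURES" "$vm" "$feature" 2>/dev/null); then
        printf '%s\n' "$value"
        return 0
    fi
    # Templates and standalone qubes have no 'template' property.
    tpl=$("$QVM_PREFS" "$vm" template 2>/dev/null) || return 1
    [ -n "$tpl" ] || return 1
    "$QVM_FEATURES" "$tpl" "$feature" 2>/dev/null
}

# Print "<qube> <template>" for every network-providing qube whose
# 'qubes-firewall' feature is unset or empty (empty means false).
audit_firewall_feature() {
    "$QVM_LS" --raw-list | while read -r vm; do
        [ "$("$QVM_PREFS" "$vm" provides_network 2>/dev/null)" = "True" ] || continue
        value=$(feature_with_template "$vm" qubes-firewall) || value=""
        if [ -z "$value" ]; then
            tpl=$("$QVM_PREFS" "$vm" template 2>/dev/null) || tpl="-"
            printf '%s %s\n' "$vm" "$tpl"
        fi
    done
}
```

Source the file in dom0 and run `audit_firewall_feature`; for each template it reports, either run /etc/qubes-rpc/qubes.PostInstall inside the template or set the feature from dom0 with qvm-features, as described in the thread.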
