On Tue, Feb 13, 2018 at 10:29:33AM +0200, Ivan Mitev wrote:
> On 02/12/2018 07:12 PM, Ivan Mitev wrote:
> > On 02/12/2018 06:47 PM, Unman wrote:
> > > On Mon, Feb 12, 2018 at 06:41:49PM +0200, Ivan Mitev wrote:
> > > > On 02/12/2018 06:26 PM, Unman wrote:
> > > > > On Mon, Feb 12, 2018 at 12:03:46PM +0200, Ivan Mitev wrote:
> > > > > > On 02/12/2018 11:42 AM, Yuraeitha wrote:
> > > > > > > On Monday, February 12, 2018 at 8:21:12 AM UTC+1, Ivan Mitev wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > In an effort to decrease R4's memory consumption I'm
> > > > > > > > replacing the default fedora-26 template with a customized
> > > > > > > > one based on the official minimal fedora-26 template.
> > > > > > > >
> > > > > > > > I installed additional RPMs according to the documentation
> > > > > > > > [1] and everything seems to be working well, with a
> > > > > > > > noticeable decrease of memory usage. However I get the
> > > > > > > > following error when opening a VM's firewall settings gui:
> > > > > > > >
> > > > > > > > "The 'work' qube is network connected to 'sys-firewall',
> > > > > > > > which does not support firewall!
> > > > > > > > You may edit the 'work' qube firewall rules, but these will
> > > > > > > > not take any effect until you connect it to a working
> > > > > > > > Firewall qube."
> > > > > > > >
> > > > > > > > But again, everything seems to work fine: the firewall rules
> > > > > > > > are properly enforced, there's no problem with net
> > > > > > > > connectivity, the update proxy is working, ...
> > > > > > > >
> > > > > > > > There's no error message when sys-firewall is based on the
> > > > > > > > default fedora-26 template so I'm likely missing something
> > > > > > > > but I don't see what. I compared the qubes rpms installed in
> > > > > > > > both templates but didn't notice anything striking. Maybe
> > > > > > > > there's a flag/preference or something that needs to be set
> > > > > > > > but I don't see where.
> > > > > > > >
> > > > > > > > Any ideas ?
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > > Ivan
> > > > > > > >
> > > > > > > > [1] https://www.qubes-os.org/doc/templates/fedora-minimal/
> > > > > > >
> > > > > > > It sounds odd, it usually should work changing the template.
> > > > > > > My initial thought-line on this issue goes like this, maybe it
> > > > > > > can be of use.
> > > > > > >
> > > > > > > Is the iptable firewall package installed in the minimal
> > > > > > > template?
> > > > > > >
> > > > > > > I'm thinking it may be iptables that is missing, since minimal
> > > > > > > templates can be used for offline purposes too, then iptables
> > > > > > > is probably not included like most other things that has been
> > > > > > > removed.
> > > > > >
> > > > > > iptables is installed (that's one of the first thing I checked
> > > > > > after I saw the error msg).
> > > > > >
> > > > > > [...]
> > > > > >
> > > > > > > - If Qubes tools are installed, networking works etc, and you
> > > > > > > got iptables installed already, then my thoughts are that it's
> > > > > > > likely missing system-config-*'s and the unavoidable full
> > > > > > > array of dependencies going with it.
> > > > > >
> > > > > > Hmm, what are those system-config-*s you're talking about ?
> > > > > >
> > > > > > > - Try clone the template and essentially go berserk and not
> > > > > > > holding back, install the entire system-config- array of
> > > > > > > packages, see if networking works. If not, then either
> > > > > > > something is still missing, or firewalling has nothing to do
> > > > > > > with the system-config packages.
> > > > > > >
> > > > > > > - If it works, then try narrow down which packages that are
> > > > > > > used for firewalling, perhaps you can reduce the amount of
> > > > > > > dependency packages being pulled if you install just the
> > > > > > > package that firewall is using.
> > > > > >
> > > > > > If there aren't hardcoded changes or manual configurations made
> > > > > > in the default fedora-26 template then yes, installing the exact
> > > > > > same of rpms would in theory fix the problem. But before
> > > > > > spending significant time on installing a bunch of rpms and then
> > > > > > dissecting I thought I'd ask fellow users first... Maybe the
> > > > > > cause is obvious and I'm overlooking something.
> > > > >
> > > > > I just want to check - you say that the firewall rules are
> > > > > properly enforced, and that everything works properly EXCEPT that
> > > > > you get a warning.
> > > >
> > > > Exactly.
> > > >
> > > > BTW qvm-firewall works and doesn't output any error message...
> > >
> > > Yes, thought so - it's probably a bug in the gui code that checks
> > > connected netvm status. Does it happen with every connected qube?
> >
> > Yes, it happens to all the vms connected to sys-firewall.
> >
> > I just reverted sys-firewall's template to the default f26 and there
> > was no more error message, so it doesn't look like a bug in the gui,
> > something is likely missing in my customized template. Just have to
> > find what :)
>
> figured it out quickly this morning: in qubes-manager/settings.py the
> error message is displayed when the template doesn't have the
> 'qubes-firewall' feature.
>
> fix:
>
> qvm-features fedora-26-minimal qubes-firewall 1
>
> out of curiosity I tried to find where/when this feature is set for the
> default fedora-26 template: there's a comment in
> qubes/ext/core_features.py that says '[this feature] can be freely
> enabled or disabled by template' but I don't understand what it's
> supposed to mean - whether the template automatically sets it somehow
> (but then how ?) or if it can be set for each template. It's probably
> the latter; in that case maybe the feature is set by the template's rpm
> postscripts (but then I couldn't find any mention of "qvm-features" in
> the qubes-builder-fedora repo).

See here: https://github.com/QubesOS/qubes-issues/issues/2829

In short: there is a qubes.PostInstall service called just after template
installation, to let the template advertise supported features. I think it
should also be called automatically after installing new packages (or even
updating existing), because that can influence supported features - like
in this case.

You can try triggering it manually. From the template call

    /etc/qubes-rpc/qubes.PostInstall

Issue for tracking this problem:
https://github.com/QubesOS/qubes-issues/issues/3579

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?