Patrick Schleizer:
> https://getmonero.org/resources/user-guides/cli_wallet_daemon_isolation_qubes_whonix.html
> is missing how to actually use it.
>
> I guess it is simply: run `monero-wallet-cli` or monero gui in
> monero-wallet-ws.

Yes, I aimed for brevity and flexibility, targeting the advanced user in my first rendition. Looking back on this now I see at least a few improvements that I intend to make. Thank you for taking an interest in this!

>
> 0xB44EFD8751077F97:
>> Patrick Schleizer:
>>> I didn't notice this thread until now.
>>>
>>> Interesting!
>>>
>>> Now reference here:
>>> https://www.whonix.org/wiki/Monero
>>>
>>>
>>> I am wondering how to save users from as many manual steps as possible.
>>>
>>>
>>> To save users from having to edit /rw/config/rc.local...
>>>
>>>> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>>
>>> Could maybe be replaced by file:
>>>
>>> /etc/anon-ws-disable-stacked-tor.d/40_monero.conf
>>>
>>> content:
>>>
>>> $pre_command socat TCP-LISTEN:18081,fork,bind=127.0.0.1
>>> EXEC:"qrexec-client-vm monerod-ws user.monerod"
>>>
>>> Should work after reboot (or after "sudo systemctl restart
>>> anon-ws-disable-stacked-tor").
>>>
>>> Untested.
>>>
>>> Reference:
>>> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf
>>>
>>
>> Tested, works on Whonix 14/Qubes 4.0.
>>
>> Would you consider shipping this as a default Whonix file, or maybe part
>> of a package?
>
> In package https://github.com/Whonix/qubes-whonix when using socket
> activation, yes.
>
> Similar to:
>
> -
> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.socket
>
> -
> https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor_autogen_port_9050.service
>
> File name should not contain "anon-ws-disable-stacked-tor" / "autogen".
>
> File names...?
>
> /lib/systemd/system/qubes-whonix-monerod.socket
> /lib/systemd/system/qubes-whonix-monerod.service
>
> Replace "ExecStart=/lib/systemd/systemd-socket-proxyd 10.152.152.10:9050"
>
> with:
>
> socat TCP-LISTEN:18081,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm
> monerod-ws user.monerod"
>
> Untested. Does that work?
>

I wasn't able to get this one working. Are these both to be enabled on monero-wallet-ws? What port is the socket supposed to be on? Can't be the same as where socat listens in the service unit. I'm not familiar with this method, so I most likely made some mistakes. I won't have much time to play with it until this weekend.

> Would this break monerod for users not using this Monero wallet/daemon
> isolation? I mean, does monerod use local port 18081 by default? In that
> case we'd need to change that port.

By default monerod will use the following ports (depending on what network you're on):

{1,2,3}8080 = mainnet,testnet,stagenet p2p-bind-port
{1,2,3}8081 = mainnet,testnet,stagenet rpc-bind-port
{1,2,3}8082 = mainnet,testnet,stagenet zmq-rpc-bind-port

We should avoid these ports, as you say.

>
>> If not, the user will have to put this on the TemplateVM
>> or config bind-dirs; which are both additional steps.
>>>
>>>
>>> /etc/qubes-rpc/policy/user.monerod could maybe become:
>>> /etc/qubes-rpc/policy/whonix.monerod
>>>
>>> To save users from manually creating it, could be dropped here:
>>>
>>> https://github.com/QubesOS/qubes-core-admin-addon-whonix/tree/master/qubes-rpc-policy
>>>
>>> If you like, create a pull request and see what Marek thinks.
>>>
>>
>> This would be useful. It's on my radar.
>>
>>>
>>>
>>> /home/user/monerod.service would be better in /rw so only root can write
>>> to it. Even better perhaps systemd user services?
>>>
>>> https://www.brendanlong.com/systemd-user-services-are-amazing.html
>>>
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
>>>
>>>
>>
>> Interesting, I didn't know about this. I don't see how moving the file
>> from /home/user/ to /home/user/.config/systemd/user is more secure,
>> though.
>
>> I think moving it to /rw may be slightly better, but
>> passwordless sudo kind of negates that.
>
> Indeed only useful for users of these:
>
> - https://www.qubes-os.org/doc/vm-sudo/
> - https://github.com/tasket/Qubes-VM-hardening
>
> Qubes-VM-hardening will be easily available one day probably.
>
> https://github.com/QubesOS/qubes-issues/issues/2748
>
> I guess password protected sudo will get more and more easy in Qubes so
> very much worth going for proper access rights.
>

Ok, I plan on that.

>> The best would be to put it on the TemplateVM in /lib/systemd/system/,
>> but, again, this is more steps for the user.
>>
>> In regards to monero being in stretch-backports now, I think it might be
>> an equal number of steps or more than there is now, and more confusing
>> for the user, to add stretch-backports to the TemplateVM's sources and
>> install via apt. If it were in stretch this would be no question.
>>
>
> And only monerod is in Debian. monero gui is not.
>

--
- 0xB44EFD8751077F97

You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/59ee69e7-401e-6b90-4a93-e62a9d39fac0%40firemail.cc.
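As an added example (not code from the thread, from Whonix or from the Monero project), a POSIX shell script that writes the anon-ws-disable-stacked-tor 40_monero.conf drop-in discussed above and applies the port check from the reply: it refuses any listen port that collides with monerod's default p2p, RPC or ZMQ port on mainnet, testnet or stagenet. The drop-in directory, target VM and qrexec service name are parameters (an assumption made here), so it can be dry-run against a temporary directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the drop-in that makes socat in the
# wallet VM listen on 127.0.0.1:<port> and hand each connection to
# "qrexec-client-vm <target_vm> <rpc_service>", after checking the port against
# monerod's defaults listed in the thread. Directory and names are parameters.

# Print monerod's default p2p, rpc and zmq-rpc ports for one network.
# Thread's table: {1,2,3}8080/8081/8082 = mainnet,testnet,stagenet.
monerod_default_ports() {
    case "$1" in
        mainnet)  prefix=1 ;;
        testnet)  prefix=2 ;;
        stagenet) prefix=3 ;;
        *) echo "unknown network: $1" >&2; return 1 ;;
    esac
    echo "${prefix}8080 ${prefix}8081 ${prefix}8082"
}

# Return 0 when the candidate port is not a monerod default on any network,
# so a shipped default unit cannot clash with a locally running monerod.
port_is_safe() {
    for net in mainnet testnet stagenet; do
        for p in $(monerod_default_ports "$net"); do
            [ "$1" = "$p" ] && return 1
        done
    done
    return 0
}

# write_monero_dropin <dir> <port> <target_vm> <rpc_service>
# Writes <dir>/40_monero.conf with the exact line shape the thread proposes;
# "$pre_command" is left literal because the drop-in is evaluated by the
# anon-ws-disable-stacked-tor script, not by this generator.
write_monero_dropin() {
    dir=$1; port=$2; target_vm=$3; rpc_service=$4
    port_is_safe "$port" || {
        echo "refusing port $port: it is a monerod default port" >&2
        return 1
    }
    mkdir -p "$dir"
    printf '$pre_command socat TCP-LISTEN:%s,fork,bind=127.0.0.1 EXEC:"qrexec-client-vm %s %s"\n' \
        "$port" "$target_vm" "$rpc_service" > "$dir/40_monero.conf"
}
```

If a port other than 18081 is chosen, the wallet in monero-wallet-ws has to be pointed at 127.0.0.1:&lt;port&gt; explicitly instead of relying on its default daemon address.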
