On Tuesday, 9 April 2019 00:08:58 UTC+2, qmirfw wrote:
> I don't understand why you want to do all that in a TemplateVM,
> and not an AppVM.
> Also why fight with Fedora, if my simple Debian based build gives the
> same binary as the official (equal checksum) [...]

You are right that using a full fedora-29 would not do any harm, therefore I have used this template and luckily everything was very easy to set up.

Thanks for the support!

I have compiled all info which I need to set up Mirage-FW in a short howto, which might also be helpful to others in a way that all steps can be run from dom0 which is much easier and which can be scripted (for example to rebuild your Qubes Setup from a default installation):

@Mirage Firewall-Team: I think creating a document/script which does the build process for the user will improve end user experience setting up mirage.

----- 8< ----- ----- ----- -----
# Shell variable names cannot contain "-", so the build VM variable
# is written without one.
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-29
MirageFWAppVM=sys-mirage-fw

# Create a new VM to build mirage via docker
qvm-create "$MirageFWBuildVM" --class=AppVM --label=red --template="$TemplateVM"

# Resize private disk to 10 GB
qvm-volume resize "$MirageFWBuildVM:private" 10GB

# Create a symbolic link to save docker data into the home directory:
# /var/lib/docker becomes a link to a directory on the private volume
# (ln -s takes the target first, then the link name)
qvm-run --auto --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo mkdir /home/user/var_lib_docker && \
   sudo ln -s /home/user/var_lib_docker /var/lib/docker'

# Install docker and git
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo systemctl start docker'

# Download and build mirage for qubes
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   git pull origin pull/52/head && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io "$MirageFWBuildVM" 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# Create the new mirage firewall
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  "$MirageFWAppVM"

# The build VM could be deleted if you don't want to keep it
# but if you want to upgrade Mirage Firewall for Qubes OS,
# you need to rebuild this VM.
qvm-shutdown --wait "$MirageFWBuildVM"
qvm-remove --force "$MirageFWBuildVM"
----- 8< ----- ----- ----- -----

Link: https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

Now the next steps are to learn how to tweak the firewall to allow specific communication between AppVMs, for example ssh/http.

Thanks to all for the help/suggestions.

- O
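
The "Copy the new kernel to dom0" step unpacks an archive produced in a build qube directly inside dom0. The following is an added example, not part of the original post or of the qubes-mirage-firewall project: it saves the tarball to a file first, compares its SHA-256 with a digest you supply (the "equal checksum" mentioned in the quoted reply), and refuses to extract unless every member sits under `mirage-firewall/`. The function names, the `/tmp` path and `EXPECTED` are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Checks a kernel tarball that came
# from a build qube before it is unpacked in dom0's vm-kernels directory.

# verify_sha256 FILE EXPECTED_HEX: succeed only if the digests match.
verify_sha256() (
    actual=$(sha256sum < "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
)

# tar_members_confined FILE TOPDIR: succeed only if every member is TOPDIR or
# below it, with no absolute paths and no ".." components.
tar_members_confined() (
    listing=$(tar -tf "$1") || exit 1
    [ -n "$listing" ] || exit 1
    printf '%s\n' "$listing" | while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) exit 1 ;;
            "$2"|"$2"/*) ;;
            *) exit 1 ;;
        esac
    done
)

# install_kernel TARBALL EXPECTED_HEX DESTDIR: verify, then extract.
# "mirage-firewall" matches the kernel name used by qvm-create in the post.
install_kernel() (
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; exit 1; }
    tar_members_confined "$1" mirage-firewall ||
        { echo "member outside mirage-firewall/: $1" >&2; exit 1; }
    # Reading from a file lets GNU tar detect the bzip2 compression itself.
    tar -xf "$1" -C "$3" --no-same-owner
)

# Usage in dom0 (EXPECTED is a placeholder for a digest obtained from a
# source you trust, for example an independent rebuild):
#   qvm-run --pass-io my-mirage-buildvm \
#       'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' > /tmp/mfw.tar.bz2
#   install_kernel /tmp/mfw.tar.bz2 "$EXPECTED" /var/lib/qubes/vm-kernels
```

The member check matters because `/var/lib/qubes/vm-kernels` also holds the kernels of other qubes, so an archive that is not confined to its own directory could replace them.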
