On 1/20/20 3:09 PM, tortuga verde wrote:
> 20.01.2020, 20:02, "tortuga verde" <[email protected]>:
>> I have considered changing from fedora templates to debian
>> templates, but this is what holds me back:
>> https://www.qubes-os.org/doc/templates/debian/#starting-services
>> I'm not a linux expert, so I don't know what/if services are
>> starting, and if after an update new services are introduced or
>> begin starting. It just seems like it would be an ongoing concern
>> that doesn't exist on fedora. Is it easily remedied?
>> I'm a basic user, I'm not running any servers. However, I certainly
>> would like to have templates that are more secure by default. I
>> would use the debian minimal template for all sys and vpn VMs. I
>> would clone it and expand it to include libreoffice, rhythmbox and
>> all the other things for a more full-featured template, that is
>> still smaller than the default template. Any insight/feedback would
>> be appreciated.
>
> As an example:
> I just downloaded debian-10-minimal. According to the qubes minimal
> template page, I installed several packages, one of them being
> network-manager-openvpn, so I can use this template for VPN VMs too.
> During the install progress I saw that once the dependency 'openvpn' was
> installed it started the service. Suspecting this is the sort of thing
> the qubes' debian page warns about, I built a temp VM based off it.
> I opened xterm on the VM and ran systemctl status. I didn't see anything
> specific to openVPN, so I then ran systemctl status openvpn. It is
> there, active (exited).

Yes, I thought of that specific example when you mentioned services. And
it's an interesting point.

But the details...

* openvpn is not actually started because there is no configuration
  (unless the user adds one).
* On Qubes, auto-started services that do run+listen in appVMs won't be
  reachable unless the user makes exceptions in the Qubes firewall.
* Debian is conservative about what they add to their basic installation
  over time. IIRC the Debian template is the basic install + Qubes
  packages + keepassx + some wifi drivers that Debian doesn't install by
  default.

> To compare, I created a temp VM based off my fedora minimal, which also
> has networkmanager-openvpn installed, and where my VPN VMs work as
> intended. I ran systemctl status openvpn, and it returns Unit
> openvpn.service could not be found. Good.
> Is this correctly illustrating the difference between fedora and debian?

So far, there's not much effective difference.

> Is there a simple one-time mitigation so that it behaves more
> like fedora?

Yes, run it on Qubes. :)
This is what has to be done to make services in a qube accessible to the
Internet:
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

> Also, since it was not listed in systemctl status, how would I be able
> to easily enumerate all such services, so that if I want to see if any
> service is running because I failed to disable it at install time, I can
> find and disable it now? Is the debian way a bad idea?
> I do like that the template with the necessary packages installed is
> significantly smaller than the fedora (1.6gb vs 2.1gb).

--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
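
One way to enumerate active and enabled services in a template and to spot units that a later package install or update introduced, given here as an added example that is not part of the thread. The baseline path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. BASELINE is a hypothetical path.
BASELINE="${BASELINE:-/var/lib/service-baseline.txt}"

# "unit sub-state" for every active service. Sub-state "exited" (what
# systemctl status showed for openvpn.service above) means the unit ran
# and left no process behind; "running" means a process is still alive.
active_services() {
    systemctl list-units --type=service --state=active --no-legend --plain |
        awk '{print $1, $4}'
}

# "unit enabled" for every service unit file set to start at boot.
enabled_services() {
    systemctl list-unit-files --type=service --state=enabled --no-legend |
        awk '{print $1, "enabled"}'
}

# new_units BASELINE_FILE: read "unit state" lines on stdin and print the
# ones whose unit name does not appear in the baseline file. Keying on
# FILENAME keeps an empty baseline from swallowing the stdin records.
new_units() {
    awk 'FILENAME == ARGV[1] { known[$1] = 1; next }
         !($1 in known)' "$1" -
}

# snapshot: record the current state; check: list units not in the record.
case "${1:-}" in
    snapshot)
        { active_services; enabled_services; } | sort -u > "$BASELINE" ;;
    check)
        { active_services; enabled_services; } | sort -u | new_units "$BASELINE" ;;
esac
```

Run it with `snapshot` in the template once it is set up, then with `check` after installing or updating packages; a unit it reports can be reviewed and turned off with `systemctl disable --now <unit>`.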