Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 04:12:27PM -0400, Demi M. Obenour wrote:
> On 2020-05-24 15:58, Marek Marczykowski-Górecki wrote:
> >> That makes sense. Writing to a qube’s root volume from dom0 is a
> >> safe operation, since it doesn’t do anything that the qube could
> >> not already do itself. It would be nice if that could be done by
> >> `qvm-block import`, though.
> >
> > You can do that with `qvm-volume import`. And with some adjustments to
> > the qrexec policy, you can do that even from your buildvm.
>
> Something like
>
>     buildvm arch ask,target=dom0
>
> in `/etc/qubes-rpc/policy/admin.vm.volume.Import+root`?

Yes. In practice, qvm-volume may want also:
 - admin.vm.volume.Resize+root
 - admin.vm.volume.Info+root
 - admin.vm.List (unfortunately...)

and possibly few more.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20200524210131.GX98582%40mail-itl.
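Added example, not part of the original thread or of Qubes itself: a small Python check that reads policy-file contents and reports, for each service named in the reply above, whether the `buildvm` to `arch` pair has a literal rule. The sample contents, the `$anyvm` line and the function names are constructed for illustration; include directives and keyword matching are deliberately not modelled.

```python
# Added example: a simplified model of per-service qrexec policy files.
# Services the thread names for running `qvm-volume import` from a qube.
NEEDED = [
    "admin.vm.volume.Import+root",
    "admin.vm.volume.Resize+root",
    "admin.vm.volume.Info+root",
    "admin.vm.List",
]

# Constructed sample contents, keyed by file name under
# /etc/qubes-rpc/policy/. The wildcard line is made up for illustration.
SAMPLE_POLICY = {
    "admin.vm.volume.Import+root": "# root import\nbuildvm arch ask,target=dom0\n",
    "admin.vm.volume.Info+root": "buildvm arch ask,target=dom0\n",
    "admin.vm.List": "buildvm $anyvm allow,target=dom0\n",
}


def parse_rules(text):
    """Yield (source, target, action, params) for 'src dst action[,params]' lines."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 3 or raw.lstrip().startswith("#"):
            continue  # blank line, comment, or a directive this model skips
        action, _, params = fields[2].partition(",")
        yield fields[0], fields[1], action, params


def decide(policy, service, source, target):
    """First-match lookup using literal qube names only."""
    for src, dst, action, params in parse_rules(policy.get(service, "")):
        if src[0] in "$@" or dst[0] in "$@":
            # Keyword tokens are not interpreted here; flag for a human.
            return "review", f"{src} {dst} {action}"
        if src == source and dst == target:
            return action, params
    return "missing", "no literal rule for this pair"


def audit(policy, source="buildvm", target="arch"):
    """Map each needed service to the outcome for source -> target."""
    return {svc: decide(policy, svc, source, target) for svc in NEEDED}


if __name__ == "__main__":
    for service, (outcome, detail) in audit(SAMPLE_POLICY).items():
        print(f"{service:32} {outcome:8} {detail}")
```

A `missing` result only means this model found no literal rule for the pair; a `review` result marks a keyword rule that a person should read before relying on it.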
Re: [qubes-devel] Safe Arch install
On 2020-05-24 15:58, Marek Marczykowski-Górecki wrote:
>> That makes sense. Writing to a qube’s root volume from dom0 is a
>> safe operation, since it doesn’t do anything that the qube could
>> not already do itself. It would be nice if that could be done by
>> `qvm-block import`, though.
>
> You can do that with `qvm-volume import`. And with some adjustments to
> the qrexec policy, you can do that even from your buildvm.

Something like

    buildvm arch ask,target=dom0

in `/etc/qubes-rpc/policy/admin.vm.volume.Import+root`?

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 03:53:24PM -0400, Demi M. Obenour wrote:
> On 2020-05-24 15:13, dhorf-qriry.020b9...@hashmail.org wrote:
> > On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:
> >
> >>> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
> >>>
> >>> can be run in either dom0 or (with a lot of policy adjustments
> >>> or a bazillion manual approvals and minor changes) an adminapi-vm.
> >>>
> >>> it is also mostly trivial to install the template-root right
> >>> from the buildvm. (skipping the "rpm" part entirely)
> >>
> >> How does one do that? That sounds promising.
> >
> >
> > see above shellscript for the general basic outline of "how to turn
> > a template rpm into a template vm".
> >
> > most of the qvm-something steps are also avail in appvms through
> > the adminapi these days. (== can be called from a buildvm)
> >
> > for "skipping the rpm part" prototype see
> > https://github.com/QubesOS/qubes-builder/pull/87
> > and related PRs/diffs.
> >
> > both the shellscript and builder integration are fully functional,
> > but need cleanup before they can be merged.
> > the main open issue is how to integrate a template-specific
> > settings-file (the "tplspec" parts) with the build process.
> > this is mostly needed for the mirage templates.
>
> That makes sense. Writing to a qube’s root volume from dom0 is a
> safe operation, since it doesn’t do anything that the qube could
> not already do itself. It would be nice if that could be done by
> `qvm-block import`, though.

You can do that with `qvm-volume import`. And with some adjustments to
the qrexec policy, you can do that even from your buildvm.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
[qubes-devel] RFC Offline Documentation
Hello community,

The problem you're addressing (if any)

As stated earlier in my GSoD introduction, I have been getting hands-on Qubes docs for weeks and have now finally decided to focus on the specific idea "Offline Documentation". I chose it as I experienced while using Qubes OS that there is a crucial need for guides for beginners to get-go on Qubes after first boot (or in case unable to access the internet).

Describe the solution you'd like

My solution involves a pre-constructed guidebook that can be included in the ISO build and present it through a web browser app after the first boot. For building docs, I'm using a "mdbook" tool that creates an HTML book from markdown files. Basically, it compiles all markdown files and renders to a single directory with index file `index.html` and all other js and CSS files. The guidebook is portable and can open on all platforms in offline mode without any need for a 'http' server.

Besides, here [1] I've built sample docs and hosted online to show the basic structure of the guidebook. Currently, I've not included any content, it's just a minimal skeleton to show my approach that I'll follow to build the final offline docs.

Where is the value to a user, and who might that user be?

This doc will serve all types of users who want to know and sometimes troubleshoot the Qubes without the internet and online Qubes website.

Additional context

I've also tried 'Jekyll' and 'Sphinx' tool but I chose 'mdbook' over them because I find it more simple, easy, and fully markdown focussed. Jekyll is more for creating a static website and Sphinx uses reStructuredText as its markup language. Hence, being Qubes docs already in markdown, 'mdbook' suits the best and easiest for any contributors as well who don't want to learn new tools but knows markdown (that almost all contributors know). Also, it would be a benefit to write content that can be used interchangeably for both offline and online platforms.

I've tested the offline book by moving it to another OS where the navigation links also work fine.

The last thing, I want to mention that instead of browser I want to build a minimal application just to open the docs in AppVM so that users can open it whenever they want. Here I'm looking for suggestions so feel free to share your opinion.

[1] https://qubes-os-offline.netlify.app/

Thanks
Sarvottam Kumar
Re: [qubes-devel] Safe Arch install
On 2020-05-24 15:13, dhorf-qriry.020b9...@hashmail.org wrote:
> On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:
>
>>> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
>>>
>>> can be run in either dom0 or (with a lot of policy adjustments
>>> or a bazillion manual approvals and minor changes) an adminapi-vm.
>>>
>>> it is also mostly trivial to install the template-root right
>>> from the buildvm. (skipping the "rpm" part entirely)
>>
>> How does one do that? That sounds promising.
>
>
> see above shellscript for the general basic outline of "how to turn
> a template rpm into a template vm".
>
> most of the qvm-something steps are also avail in appvms through
> the adminapi these days. (== can be called from a buildvm)
>
> for "skipping the rpm part" prototype see
> https://github.com/QubesOS/qubes-builder/pull/87
> and related PRs/diffs.
>
> both the shellscript and builder integration are fully functional,
> but need cleanup before they can be merged.
> the main open issue is how to integrate a template-specific
> settings-file (the "tplspec" parts) with the build process.
> this is mostly needed for the mirage templates.

That makes sense. Writing to a qube’s root volume from dom0 is a
safe operation, since it doesn’t do anything that the qube could
not already do itself. It would be nice if that could be done by
`qvm-block import`, though.

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:

> > https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
> >
> > can be run in either dom0 or (with a lot of policy adjustments
> > or a bazillion manual approvals and minor changes) an adminapi-vm.
> >
> > it is also mostly trivial to install the template-root right
> > from the buildvm. (skipping the "rpm" part entirely)
>
> How does one do that? That sounds promising.

see above shellscript for the general basic outline of "how to turn
a template rpm into a template vm".

most of the qvm-something steps are also avail in appvms through
the adminapi these days. (== can be called from a buildvm)

for "skipping the rpm part" prototype see
https://github.com/QubesOS/qubes-builder/pull/87
and related PRs/diffs.

both the shellscript and builder integration are fully functional,
but need cleanup before they can be merged.
the main open issue is how to integrate a template-specific
settings-file (the "tplspec" parts) with the build process.
this is mostly needed for the mirage templates.
Re: [qubes-devel] Safe Arch install
On 2020-05-24 14:49, dhorf-qriry.020b9...@hashmail.org wrote:
> On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
>> Is it possible to build an Arch install ISO in addition to the
>> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
>> my dom0, whereas installing from an ISO has no such problems.
>
> that is actually worse than copying a rpm to dom0.

I meant installing a qube from an ISO image in another qube.

>> Alternatively, is it possible to extract a root filesystem image
>> from an RPM and safely (without compromising dom0) import it into a
>> fresh TemplateVM?
>
> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
>
> can be run in either dom0 or (with a lot of policy adjustments
> or a bazillion manual approvals and minor changes) an adminapi-vm.
>
> it is also mostly trivial to install the template-root right
> from the buildvm. (skipping the "rpm" part entirely)

How does one do that? That sounds promising.

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
> Is it possible to build an Arch install ISO in addition to the
> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
> my dom0, whereas installing from an ISO has no such problems.

that is actually worse than copying a rpm to dom0.

> Alternatively, is it possible to extract a root filesystem image
> from an RPM and safely (without compromising dom0) import it into a
> fresh TemplateVM?

https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh

can be run in either dom0 or (with a lot of policy adjustments
or a bazillion manual approvals and minor changes) an adminapi-vm.

it is also mostly trivial to install the template-root right
from the buildvm. (skipping the "rpm" part entirely)
[qubes-devel] Safe Arch install
Is it possible to build an Arch install ISO in addition to the
TemplateVM RPMs? I would prefer to avoid copying the RPMs into
my dom0, whereas installing from an ISO has no such problems.

Alternatively, is it possible to extract a root filesystem image
from an RPM and safely (without compromising dom0) import it into a
fresh TemplateVM?

Alternatively, does ITL distribute Arch template packages? I could
not find them in the repositories.

Sincerely,

Demi