[qubes-users] Re: qubes-usb-proxy on Archlinux?

2017-07-06 Thread 'Olivier Médoc' via qubes-users 
On 07/04/2017 08:40 AM, Johannes Graumann wrote:
> Hello,
>
> Can anyone give any pointers what needs to be done to have "qubes-usb-
> proxy" available in the ArchLinux template kindly provided by Olivier
> Medoc? Is there a howto on building this package anywhere?
>
> I have the template running nicely following Olivier's recent hints in
> the group (https://groups.google.com/d/msg/qubes-users/5EJxdzgeRLY/rI5d
> otHTAQAJ), but would like to be able to pass usb device through to it -
> the Medoc-repo does not seem to contain the qubes-usb-proxy package ...
>
> Thank you for any hints.
>
> Sincerely, Joh 


Hello,

Are you talking about qubes-app-linux-usb-proxy repository [1] ?

I don't think somebody worked on this package for archlinux yet.

In order to implement it, you need to create a PKGBUILD and integrate it
into qubes builder.

The simplest way is to copy on qubes-gui-common builder [2]. You need to:
- Create inside qubes-app-linux-usb-proxy a archlinux directory
- Create a PKGBUILD file into this directory and adapt it to build
qubes-app-linux-usb-proxy
- Edit Makefile.builder inside qubes-app-linux-usb-proxy and add the
following line:

ARCH_BUILD_DIRS := archlinux

This should be sufficient to start building an archlinux package using
'make app-linux-usb-proxy-vm' inside qubes-builder.

The difficult part is then to test that everything work properly as it
is often required to adapt code in order to get it working properly in
archlinux.


[1] https://github.com/QubesOS/qubes-app-linux-usb-proxy
[2] https://github.com/QubesOS/qubes-gui-common

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c20fd2b2-0ffa-7394-855f-7aea1d95b34b%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Status of Archlinux template

2017-06-06 Thread 'Olivier Médoc' via qubes-users 
On 06/01/2017 05:10 PM, Damon Gant wrote:
> I've been trying to get the Arch template running following the guide
> at https://www.qubes-os.org/doc/templates/archlinux/ on a brand new
> install.
>
> I can get it to a point where the VM boots and I can spawn xterm, but
> pretty much everything else is broken.
>
> - /etc/pacman.d/*.conf is not included from pacman.conf. This breaks
> the custom repo and updating over the proxy.
> - fixing that, the GPG key is not imported to the pacman keychain by
> default
> - updating over proxy is still broken, but custom repo works at this
> point
> - the qubes guest tools that come with the image are a higher version
> than those available from repos
> - upgrades are impossible due to pulseaudio and xorg version
> conflicts; yes that's a known issue, but suspect to me because pacman
> tries to downgrade
>
> Can anyone confirm this is broken or working for them, or even maybe
> got an idea what's wrong?
>

Hello,

The archlinux template does not point to the right custom repository.

Here is my current /etc/pacman.d/99-qubes-repository-3.2.conf :
[qubes-r3.2]
Server = http://olivier.medoc.free.fr/archlinux/current/

As you suggested, you first need to include /etc/pacman.d/*.conf in
pacman.conf (this is also broken is the currently binary template).

Adding the custom GPG key must be done to make the custom repository
working properly (as described in
https://www.qubes-os.org/doc/templates/archlinux/)

After that, a template update through pacman -Suy should work properly
for Qubes 3.2 (the built packages versions are qubes-vm-core 3.2.15-11
and qubes-vm-gui 3.2.13-7).

I think we should either update
https://www.qubes-os.org/doc/templates/archlinux/ to document how to
update the broken template or build and distribute a new template.

To summarize:
- /etc/pacman.d/*.conf must be included manually from the initial template
- /etc/pacman.d/99-qubes-repository-3.2.conf should be modified to point
the the right custom repo (it will be probably better if I link the old
repository to the new one)
- the custom GPG key must be enabled in order to install packages from
the qubes-r3.2 repository
- updating over the proxy should work as soon as the qubes packages are
updated (the firewall need to be disabled for the initial update)
- there are currently no xorg or pulseaudio conflicts (at least with the
custom repository packages)
- copying between appvms work with the last packages (at least for me)
- I never tested archlinux as an usbvm, but it worked in the past for
mass storage (I'm not sure if the input proxy is working properly). I
will test this as soon as I have some time.

Thanks for your feedback anyway,

Olivier Médoc

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/095120e8-cafa-a946-ea43-5caa4da7261f%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] [Arch Linux + i3] High CPU usage after closing windows

2017-03-19 Thread 'Olivier Médoc' via qubes-users 
On 03/19/2017 02:18 PM, andres...@gmail.com wrote:
> Hello!
>
> When I close all terminals from a VM, CPU usage for that VM goes to around 
> 50% (shown by Qubes Manager) and stays there until I open another terminal to 
> the same VM. The problem only happens if I close the terminal using Ctrl+d, 
> not if I kill the window using i3.
>
> This happens both with Arch Linux template or appvms based on it. Doesn't 
> happens with Fedora.
>
> Example of commands that I used to open the terminals:
>
> qvm-run -a archlinux "xterm /bin/bash"
> qvm-run -a archappvm "xfce4-terminal -x /bin/zsh"
>
> (both bash or zsh, xterm or xfce4-terminal)
>
> I thought it could be some zsh config, but the problem persists even 
> commenting .zshrc content, or using bash (default configs).
>
> It also happens if I open Vim with something like:
> qvm-run -a archappvm "xfce4-terminal -x vim"
> and close it using ":q". If I close Vim killing the window (i3 hotkey), it 
> doesn't happens).
>
> I tried to log CPU usage from inside the VM using "ps", but it doesn't seem 
> to increase (no reported process started to consume more CPU). I thought it 
> could be a problem with Qubes Manager (displaying false high CPU usage), but 
> the fan do start to make more noise, so it must be using more CPU.
>
> Any ideas?
>
> Thanks for the attention!
>
Is it related to https://github.com/QubesOS/qubes-issues/issues/2702 ?

Try running as root:
# echo core > /proc/sys/kernel/core_pattern

When shutting down a VM, some service is apparently crashing, causing a
high CPU usage.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b3874f6e-af67-7920-aa38-7ff00a70aa3e%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Archlinux Community Template Qubes OS 3.2

2017-03-06 Thread 'Olivier Médoc' via qubes-users 
On 03/05/2017 10:13 PM, andres...@gmail.com wrote:
> Hi!
>
> I saw in the repository some files about an Arch Linux Minimal template:
> https://github.com/QubesOS/qubes-builder-archlinux/blob/master/scripts/packages_minimal.list
>
> How should we install it? Must we build it?

Yes it must be built, but you can also use the prebuilt template, check
the additional packages installed in packages.list vs
packages_minimal.list and remove packages and dependencies that you
don't want using pacman -Rsc packagename.

>From what I understood, ITL try to not use minimal templates because
there are too much libraries that are needed by very useful features.
However, I often take the standard templates, check the packages that
are installed after the qubes agents in /var/log/yum.log or
/var/log/pacman.log and remove packages I dislike.

>
> I tried to install "qubes-template-archlinux-minimal", but it can't be found. 
> And "qubes-template-archlinux" came only with the default template.
>
> Also, the Arch Linux template is not shutting down normally (need to kill the 
> VM). With a quick look at logs it seems qetty is not terminating. I can try 
> to paste the logs here if it's an unknown bug.
>
> Regards
>
About the template not shutting down, I had this issue but I do not have
this problem anymore. Try updating the Qubes agents by enabling the
archlinux QubesOS repository inside your TemplateVM.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ef45209c-64cd-58ac-3f05-6925d07a7ee1%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Archlinux Community Template Qubes OS 3.2

2017-03-06 Thread 'Olivier Médoc' via qubes-users 

> Oiivier,
>
> Its great pacman is now supported for updating.  When I was working with 
> others to update the  build and doc to work with newer archlinux versions I 
> tried most everything asking many on the archlinux forum for help.  No one 
> could offer a good solution that did not break update security or require 
> manual opening and closing of the firewall access.
>
> https://groups.google.com/forum/#!searchin/qubes-users/tim$20w$20pacman/qubes-users/vT_ETcU5BvQ/sDhu879WDQAJ
>  I also had a thread on dev.  
>
> How was the functionality added?  To pacman to allow for proxy addition 
> without going thru wget or thru a change in qubes update proxy service?  
Hello,

In fact I use curl which is included by default (as pacman apparently
use curl libraries anyway). I update the configuration in /etc/pacman.d/
to use curl with a proxy by calling curl with http_proxy environment
variable.

No changes is actually required to the qubes update proxy.

> I found the powerpill pacman wrapper which used aria2 to allow for proxy 
> without breaking update proxy security to be at the time the best avenue not 
> to mention its added power and speed.  The only issue to have made everything 
> completely smooth was the reflector app to keep update mirror list current 
> had no option to allow for a proxy entry.  I planned to send a email to xyne 
> to see if he could add it as he has been quite responsive in the past to 
> similar request.
>
> Really glad its now working.  The reason I ask about how it was addressed is 
> I wondered if it would allow reflector program to go thru or does it have 
> still have the proxy option to plug in the ip?
>
> Thanks again for keeping the distro updated and working.
>
I did not tested reflector yet.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2d80d86c-2f40-9d20-292c-4b9694f1c12b%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Installing using pacman command

2017-02-03 Thread 'Olivier Médoc' via qubes-users 
On 02/03/2017 03:45 AM, Tim W wrote:
> On Thursday, February 2, 2017 at 9:14:45 AM UTC-5, trule...@gmail.com wrote:
>> Hi, Tim. Olivier said :
>>
>> "Archlinux currently upgraded xorg and pulseaudio, however the integrated 
>> archlinux gui agent must be build for strict versions of xorg-server and 
>> pulseaudio. For this reason, you have to rebuild the agent using the 
>> most recent qubes repository, or wait for binary agents to be available. "
>>
>> Powerpill or Pacman, it doesn't matter, update system and break dependency 
>> and can't install anything.
> Ok I miss understood the issue.   Yes that is the same issue we ran into if 
> you do a search on the template a while back.  For that is was pulseaudio.   
> When xorg or pulseaduio versions are updated by ARchlinux we end up having to 
> rebuild the template from source.  If not you just get the failed errors when 
> trying to update.
>
> The issue I was originally speaking of was not being able to assign pacman a 
> proxy ip to use the qubes update proxy.  AT least not without breaking the 
> security model for it hence the while powerpill etc comments.  
>
> THere is another thread running concurrently that is dealing with the same 
> issue so maybe best to just use that thread to address the issue.
>
Hello,

Using the proxy instead of opening the firewall is actually fixed in the
qubes-core-agent-linux code (qubes-vm-core in archlinux).

If you take a look, qubes specific pacman configuration has been added
in /etc/pacman.d. I made the change some time ago, but I discovered
recently that I made an error in the package install file that enable
configuration files in /etc/pacman.d.

Another point is that I provide signed binary packages (as documented
https://www.qubes-os.org/doc/templates/archlinux/) that you have to
enable explicitly, so that you don't have necessarilly to rebuild packages.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2c51bb09-a1ae-8d3e-3132-20cbc90cb554%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Some questions about Qubes (kali,blackarch,fedora security lab, coldkernel, ubuntu, torvm, bitmask)

2017-01-29 Thread 'Olivier Médoc' via qubes-users 
On 01/29/2017 01:01 PM, trul...@gmail.com wrote:
> Hello guys,
> Could you please help with following questions:
> HVM uses a lot of resources, is there any reason to use it on a notebook?
> I'm only using integrated templates based on Debian and Arch Linux, and I 
> create app vm's on categories from which traffic goes trough tor vm or vpm 
> bitmask.
>
> I'm not able to install black arch templates due dependency on pulse audio 
> xorg, a few screenshots in the attachment - is this correct logic, or am I 
> doing something wrong? 
Archlinux currently upgraded xorg and pulseaudio, however the integrated
archlinux gui agent must be build for strict versions of xorg-server and
pulseaudio. For this reason, you have to rebuild the agent using the
most recent qubes repository, or wait for binary agents to be available.
>
> Bitmask net vm with whois works fine, but dns leak test shows my real IP, 
> also in torify app vms there is no ping and application doesn't work 
> properly. Can debian cold kernel be used as sys-net and sys-firewall 
> templates?
> What about pen test, can fedora security lab be used as template? (yum group 
> install security lab)
>
> Could you please explain how to make ubuntu template with more detail? (tried 
> to use wiki qubes builder but unfortunately to no avail)
>
> And is there any point malware detection on xen?
> Thank you in advance for your assistance.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e731bbc-28ac-19e6-39d3-c94fa4d5a678%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Archlinux Community Template Qubes OS 3.2

2016-12-30 Thread 'Olivier Médoc' via qubes-users 
On 12/30/2016 03:59 AM, Franz wrote:
>
>
> On Thu, Dec 29, 2016 at 2:41 AM, Franz <169...@gmail.com
> > wrote:
>
>
>
> On Mon, Dec 19, 2016 at 3:06 PM, J. Eppler
> > wrote:
>
> Hello,
>
> I just wanted to thank the person who created and uploaded the
> qubes-template-archlinux 3.0.6 to the Qubes OS 3.2 rpm repo.
>
> Saved a lot of work.
>
> You can installed it with:
> sudo qubes-dom0-update --enablerepo=qubes-templates-community
> qubes-template-archlinux
>
>
>
> A really nice Christmas present! Thanks
>
> When I digit
>  sudo pacman-key -populate archlinux
> I get
> pacman-key: invalid option -- 'p'
>
>
> I found the issue, there is a small clerical error in the
> documentation with a single"-". It should be
> sudo pacman-key --populate archlinux
> not
> sudo pacman-key -populate archlinux

By the way, the Qubes Update Proxy Service is now supported and most of
the pacman configuration occurs in /etc/pacman.d/ files with requiring
specific changes.



I will check that based on a new template and fix the documentation
accordingly.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f1c0042c-84d9-8897-fe76-3901c0f415f0%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560

2016-12-27 Thread 'Olivier Médoc' via qubes-users 
On 12/27/2016 12:12 AM, Marek Marczykowski-Górecki wrote:
> On Mon, Dec 26, 2016 at 08:29:55PM +0100, 'Olivier Médoc' via
> qubes-users wrote:
> > Maybe, Qubes installer bootloader could support both stable and unstable
> > kernels, in order to support new hardware ?
>
> I'd wait for the next longterm support kernel, then maybe release
> updated installation disk with it.
>
Hello,

That would be perfect. For now I can at least install it on older hardware.

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e0c1586f-000d-abd9-0fa1-6067e5aca2cf%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560

2016-12-26 Thread 'Olivier Médoc' via qubes-users 
On 04/30/2016 09:13 AM, Andrew David Wong wrote:
> Has anyone had a chance to test (or is in a position to test) Qubes
> compatibility with any of the new higher-end Lenovo laptops, such as
> the X1 Carbon (4th Gen), the T460/p, or the T560?
>
> The only information I'm aware of so far is Linus' (very helpful)
> thread about the T460s:
> https://groups.google.com/d/topic/qubes-users/-xXKdAkIjxU/discussion
>

Qubes R3.2 works on Lenovo Thinkpad T560, however the installer is not
working properly as it does not use at least kernel 4.5.

In order to install it, I had :

1/ to extract the T560 laptop SSD, install Qubes using a different
supported laptop, and pluging the extracted SSD as an external hard drive.

2/ Then, the kernel must be upgraded to unstable (kernel 4.8), still on
the supported laptop by enabling qubes-dom0-unstable.

3/ Finally, shutdown the laptop, reinstall the SSD inside the Lenovo
T560, and it should work straightaway.

It seems to work properly, I have not tested thoroughly all features.

Maybe, Qubes installer bootloader could support both stable and unstable
kernels, in order to support new hardware ?

Regards,
Olivier Médoc

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3fda7a4c-e8e9-0fa8-b77c-980c026d54de%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560

2016-12-16 Thread 'Olivier Médoc' via qubes-users 
On 04/30/2016 09:49 AM, Holger Levsen wrote:
> On Sat, Apr 30, 2016 at 12:13:13AM -0700, Andrew David Wong wrote:
>> Has anyone had a chance to test (or is in a position to test) Qubes
>> compatibility with any of the new higher-end Lenovo laptops, such as
>> the X1 Carbon (4th Gen), the T460/p, or the T560?
> they need kernels with proper skylake support, so 4.5 at least, probably
> better 4.6 or 4.7. Not sure whether this also needs newer X. With kernel
> 4.1.13 from qubes, the graphics are completly broken after suspend and
> the power consumption is at least double of what it should be (=less
> than half of the battery time than under 4.5).
>
> According to http://mjg59.dreamwidth.org/41713.html running this
> hardware with such an old kernel might actually harm the CPU physically.

I can confirm that a Qubes 3.2 can boot on a Lenovo T560, however it
requires the kernel4.8 present in the qubes-dom0-unstable repository.

Without this kernel, the installer, or an already installed system will
reboot.

It is however possible to install the system on an external disk and
update the kernel from the unstable repository. The hard drive with the
updated system will then properly boot if used on the Lenovo T560.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c0d18816-ee18-3161-9bf5-9c488970fc39%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Archlinux-template not sending application list to dom0

2016-09-18 Thread 'Olivier Médoc' via qubes-users 
On 09/17/2016 11:20 PM, Andrew David Wong wrote:
> On 2016-09-17 12:51, necrokulto wrote:
> > Is there anything I can do for i.e. scripts, command etc... if the
> Archlinux-template not sending the application list on every updates
> of its application to dom0? Should I recompile it back or not?
>
>
> You can try to trigger it manually using this command (in dom0):
>
> $ qvm-sync-appmenus 

However this should be done automatically now through a pacman hook with
the latest code of qubes 3.2 (pacman will output "updating qubes icon
cache").

Does /usr/lib/qubes/qubes-trigger-sync-appmenus.sh run from the vm works
properly?

If you want a backport of this feature in qubes 3.1 you can check my
repository (branch release3.1-stock [1]).


[1]
https://github.com/ptitdoc/qubes-core-agent-linux/commits/release3.1-stock


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f74b23d-18c2-3947-f26c-c82ea0fce342%40yahoo.fr.
For more options, visit https://groups.google.com/d/optout.