[qubes-users] Failure - Building mirage unikernel with debian-10 and Docker CE

2021-10-16 Thread 799
Hello,

This may be off-topic because it may be more of a debian10 / docker / mirage
topic, but maybe someone has been able to build the mirage firewall with a
more recent template than fedora-30.

Has someone successfully built the mirage kernel on an AppVM which is newer
than fedora-30?
I tried to do so with an AppVM based on a debian-10 template and Docker CE
(version 20.10.9)
Docker installed correctly and has been verified by the "docker run
hello-world" command.

Trying to build mirage gives the following error:

 ./build-with-docker.sh'
[...]
Step 8/8 : CMD opam config exec -- mirage configure -t xen && opam config exec -- make tar
 ---> Using cache
 ---> af7a122a9bdb
Successfully built af7a122a9bdb
Successfully tagged qubes-mirage-firewall:latest
Building Firewall...
mirage: unknown option `-t'.
Usage: mirage configure [OPTION]...
Try `mirage configure --help' or `mirage --help' for more information.
create temporary file /home/opam/qubes-mirage-firewall/bos-1cf2b3.tmp: Permission denied

To reproduce my notes during installation (all from dom0):

TemplateVM=debian-10
MirageFWBuildVM=debian-10-miragbuildvm
MirageFWAppVM=sys-mirage-fw

# create a temporary BuildVM to build the mirage kernel
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM
qvm-volume resize $MirageFWBuildVM:private 10GB
qvm-prefs --set $MirageFWBuildVM netvm sys-firewall

# prerequisites to add the docker repository
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'curl -fsSL https://download.docker.com/linux/debian/gpg | \
   gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | \
   tee /etc/apt/sources.list.d/docker.list'

# update system & install & test docker
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'apt-get update --allow-releaseinfo-change'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'apt-get update && apt-get -y upgrade'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'apt-get -y install apt-transport-https ca-certificates curl gnupg lsb-release git'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'apt-get -y install docker-ce docker-ce-cli containerd.io'
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'docker run hello-world'

# Launch docker & build mirage
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   mkdir -p /home/opam/qubes-mirage-firewall && \
   ./build-with-docker.sh'

799

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uV_i4aXnJaw%3DnAumKqtXeKAWCBgnJD--NqXo4mit5pCw%40mail.gmail.com.


Re: [qubes-users] Unable to install templates in Qubes OS 4.1beta

2021-10-11 Thread 799
Hello Steve,

thanks for the reply, can you provide more details what you mean by that:

On Mon, 11 Oct 2021 at 18:12, Steve Coleman 
wrote:

> [...] In any case you might try cleaning the cache with the --clean option
> and
> then rerunning the download/install.
>

do you mean 'sudo dnf clean all' in dom0 ?

one7two99



[qubes-users] Unable to install templates in Qubes OS 4.1beta

2021-10-11 Thread 799
Hello,

I have set up Qubes 4.1 on my Surface and now I am running into issues
trying to install more templates.
sys-net is set as Dom0 Update VM and I am also able to search for packages
and they get listed correctly.

[user@dom0 ~]$ sudo qubes-dom0-update --action=search qubes-template-
Using sys-net as UpdateVM to download updates for Dom0; this may take some time...

Strangely the output (listed packages) is not shown in dom0 but in
sys-net in a window with sh as shell.
The first line says: Converting database from bdb_ro to sqlite backend
Then I get a list of the templates.

... but if I try install via:
[user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-33

... I can see that it will download the package but I get:

Using sys-net as UpdateVM to download updates for Dom0; this may take some time...
Last metadata expiration check: -1 day, 21:47:12 ago on Mon 11 Oct 2021 05:49:33 PM CEST.
No match for argument: qubes-template-fedora-33
Error: Unable to find a match: qubes-template-fedora-33

Any idea where I can look for the root cause, as I am a bit desperate?

One7two99



[qubes-users] Re: Using NextDNS in Qubes OS

2021-07-13 Thread 799
Short Update after further testing how to setup NextDNS in Qubes.
I was able to change the DNS servers in my AppVM by editing
/etc/systemd/resolv.conf and adding the following lines:

DNS=dns1.nextdns.io
DNS=.dns1.nextdns.io
DNS=.dns2.nextdns.io
DNS=.dns2.nextdns.io
DNSOverTLS=yes

The exact settings can be found in your NextDNS account under Setup for
systemd.

I had to restart the service after changing the config file:
systemctl restart systemd-resolved

DNS queries will now go via NextDNS as seen in the Live Log, but if I stop the
systemd-resolved service DNS is still working.
Most likely because /etc/resolv.conf in the AppVM is still pointing to the
default Qubes DNS IPs:

bash-5.0# cat /etc/resolv.conf
nameserver 10.139.1.1
nameserver 10.139.1.2

How can I make the DNS leakproof, so that DNS queries will only work via
the NextDNS nameservers and not via Qubes DNS?
Additionally what would be the best setup to place those DNS servers?
sys-net <- sys-vpn (expressvpn) <- sys-firewall <-- 
In each AppVM? Firewall-VM? VPN-VM?

regards

one7two99
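
A way to check for the fallback path described in the message above, as an added example that is not part of the original post: it reports every nameserver in resolv.conf that can be reached without systemd-resolved and whether DNSOverTLS is strictly enforced. Assumptions: the systemd-resolved stub listens on 127.0.0.53, the function names are hypothetical, and the resolver address in the sample resolved.conf is constructed (the Qubes DNS IPs are the ones quoted in the post).

```shell
#!/bin/sh
# Added example: audit the DNS paths of a qube that uses systemd-resolved.

STUB_ADDR="127.0.0.53"   # assumption: default systemd-resolved stub listener

# Print every nameserver in a resolv.conf-style file ($1) that is not the stub.
# These servers stay usable when systemd-resolved is stopped or bypassed.
direct_nameservers() {
    awk -v stub="$STUB_ADDR" '$1 == "nameserver" && $2 != stub { print $2 }' "$1"
}

# Print the last value of key $2 inside the [Resolve] section of file $1.
resolved_setting() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }                               # skip comments
        /^\[/         { in_resolve = ($0 ~ /^\[Resolve\]/); next }
        in_resolve && $1 == key { val = substr($0, length(key) + 2) }
        END           { print val }' "$1"
}

# Report findings for resolv.conf ($1) and resolved.conf ($2).
# Returns 0 only if no bypass path and no plaintext fallback was found.
audit_dns() {
    rc=0
    for ns in $(direct_nameservers "$1"); do
        echo "LEAK PATH: $1 lists $ns, reachable without systemd-resolved"
        rc=1
    done
    dot=$(resolved_setting "$2" DNSOverTLS)
    case "$dot" in
        yes|true|1|on) ;;                                    # strict mode
        *) echo "WEAK: DNSOverTLS=${dot:-unset} allows plaintext DNS"; rc=1 ;;
    esac
    if [ -z "$(resolved_setting "$2" DNS)" ]; then
        echo "WEAK: no DNS= server configured in $2"
        rc=1
    fi
    return $rc
}

# Constructed sample files reproducing the situation from the post.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
nameserver 10.139.1.1
nameserver 10.139.1.2
EOF
cat > "$SAMPLE_DIR/resolved.conf" <<'EOF'
[Resolve]
# constructed resolver address, not a real NextDNS endpoint
DNS=192.0.2.1#resolver.example
DNSOverTLS=yes
EOF

# In a real qube: audit_dns /etc/resolv.conf /etc/systemd/resolved.conf
audit_dns "$SAMPLE_DIR/resolv.conf" "$SAMPLE_DIR/resolved.conf" || true
```
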



[qubes-users] Using NextDNS in Qubes OS

2021-07-12 Thread 799
Hello,

I use NextDNS to encrypt and filter my DNS requests on windows / android.
I would also like to use it for some of my qubes VMs and tried it out but
ran into issues.
I tried to change the DNS settings in /etc/systemd/resolved.conf but this
broke name resolution.

My setup:
sys-net <- sys-vpn (expressvpn) <- sys-firewall <-- 

all VMs are configured as disposable VMs, but I know how to edit
/rw/config/qubes-bind-dirs.d/ if I need to apply any persistent changes.
I also tried to enable the qubes-disable-dns-server option and set my DNS
servers manually in sys-vpn, but it didn't work.

Question:
Where do I need to put in my custom DNS servers so that they will be used
by my AppVMs?

One7two99



Re: [qubes-users] Disposable sys-net >> wifi login

2021-07-12 Thread 799
Hello,

I Am 51lieal wrote on Mon, 12 July 2021, 04:35:

> It's possible currently i'm using fedora-34 DispVMs on sys-net, what you
> have to do :
>
> ```
>
> nmcli device wifi list # scanning wifi
>
> nmcli device wifi connect  password  # example nmcli device wifi connect 51lieal password one7two99
>
> ```
>
super helpful, exactly what I was looking for.

One7two99



Re: [qubes-users] Networking with debian10-minimal instead of fedora-33

2021-07-11 Thread 799
Hello,

Steve Coleman wrote on Thu, 1 July 2021:

> I don't have any suggestion for the Debian issue, but what I do to limit
> the updates is clone the fedora-33-minimal to a template called
> fedora-33-net, strip out any apps not needed, and then use that for my
> networking AppVM's. With fewer apps there are far fewer updates to deal
> with.
>

Not sure if there is a big benefit using Debian over Fedora 33 but I would
like to hear if there is a benefit.
I am using my own "minimalized" Templates which are built from a
fedora-33-minimal template.
You can find more about my templates here:
https://github.com/one7two99/my-qubes/blob/master/my-qubes-templates/20%20template-sys-vms.md

The template will work for sys-net / sys-firewall / sys-usb and also for a
vpn-qube.
I don't see that updating my fedora-based template takes much longer than
my debian templates.

One7two99



[qubes-users] Disposable sys-net >> wifi login

2021-07-11 Thread 799
Hello,

I switched my setup and I am using static disposable VMs for sys-usb and
sys-firewall (based on my own template which has been cloned from a
fedora-33-minimal template + the bare minimal packages).

I also would like to make my sys-net a disposable VM but without the hassle
of entering my wifi credentials each time I am connecting to the wifi
network.

Is there a way to initiate a wifi connection via dom0 and passing the
credentials for the wifi network?
qvm-run --pass-io --auto sys-net 'command1 && commands && [...] command n'
with passing credentials via piping from Dom0 ?
Basically I am looking how I can initiate a new wifi connection from the
CLI.
If I know this, I can combine a script myself which will pass the relevant
information from Dom0 to the sys-net.

And one more question:
Wouldn't it be much better if we always use disposable sys-VMs when this is
possible?

Kind regards

one7two99



[qubes-users] Updating templates via salt (update.qubes-vm) doesn't work

2021-07-03 Thread 799
Hello,

I am trying to learn more about SALT in Qubes OS. In the past I have
written my setup scripts to setup "my qubes" from a fresh installation, now
I'd like to use SALT for it.

I have installed a default Qubes on which the sys-vms are based on the
fedora-32 template.

If I enter in dom0:

sudo qubesctl --targets fedora-32 update.qubes-vm

... which should update the template I get the following error:

'update.qubes-vm' is not available.
DOM0 configuration failed, not working

Any idea what went wrong?

799



[qubes-users] Audio / Video in Q4 Windows 10 HVM via USB possible?

2021-01-31 Thread 799
Hello,

I have installed Windows 10 Pro in a Qubes 4 HVM and was very satisfied
that the installation was very easy (compared to the hassle I had ~ 2 years
ago).
I just followed the "official" Qubes documentation and was also able to get
Qubes Windows Tools running.

Working for an IT solution provider and because of the Covid-19 situation I
need Audio within Windows.
Because it is not possible to pass USB devices via sys-usb to the Windows
HVM, what are best practises to do so?

My ideas so far:

1) buy a PCMCIA Express USB card and pass it over to the Windows Qube

2) pass the internal USB Controller (PCI device) to the Windows Qube (which
would also remove some other internal devices from sys-usb)

I could then connect my USB Headset to USB ports which are terminated in
the Windows Qubes.

Has anyone been able to get Audio working and are there any other approaches
to doing this?
Unified Communication/Audio is the only reason why I am not using Qubes as
my main OS for business use.

Regards

-799



Re: [qubes-users] Install Google Chrome in Fedora 32 Template

2020-09-09 Thread 799
Hello Frederic,

I found a much easier approach by enabling network connectivity during
template customization and using Google's package repository.
This is fine for me, because my multimedia-AppVM will be declared as
untrusted and is only used for specific "rich-media-tasks".

This is how I've set up my multimedia-AppVM from dom0:

Template=fedora-32-minimal
TemplateName=t-fedora-32-media
AppVMName=my-media
qvm-clone $Template $TemplateName

#Enable networking for template VM
qvm-prefs --set $TemplateName netvm sys-net

#Update Template
qvm-run --auto --pass-io --no-gui --user root $TemplateName \
  'dnf -y update'
qvm-run --auto --pass-io --no-gui --user root $TemplateName \
  'dnf -y install qubes-usb-proxy pulseaudio-qubes qubes-core-agent-networking'

# Install Chrome
qvm-run --pass-io --no-gui --user root $TemplateName \
  'dnf install -y fedora-workstation-repositories && \
   dnf config-manager --set-enabled google-chrome && \
   dnf install -y google-chrome-stable'

#Disable networking for template VM (an empty value removes the netvm)
qvm-prefs --set $TemplateName netvm ''
qvm-shutdown --wait $TemplateName

# Create AppVM
qvm-create --template $TemplateName --label orange $AppVMName

Google Chrome can now be started via google-chrome from a terminal in the
AppVM.
Of course you can also create a shortcut for the Qubes menu manually (it's
in the Qubes Docs) pointing to /usr/bin/google-chrome

regards

799


On Fri, 4 Sep 2020 at 16:37, Frédéric Pierret 
wrote:

>
>
> On 2020-09-04 16:33, 799 wrote:
> > Hello,
> >
> > I am trying to setup a multimedia AppVM based on a fedora-32-minimal
> template and want to install Chrome in the template VM.
> > Unfortunately I am unable to resolve dependencies to install the
> chrome.rpm-package.
> > I need to install libappindicator3.so.1()(64bit) and I am unable to find
> a way to install it from the default repo's.
> >
> https://rpmfind.net/linux/rpm2html/search.php?query=libappindicator3=Search+...==
> >
> > Any ideas how to do so?
>
>
> $ dnf search libappindicator
> Copr repo for fedy owned by kwizart            6.0 kB/s | 4.3 kB 00:00
> Copr repo for PyCharm owned by phracek          82 kB/s |  71 kB 00:00
> Fedora 32 openh264 (From Cisco) - x86_64       3.1 kB/s | 5.1 kB 00:01
> Fedora Modular 32 - x86_64                     1.2 MB/s | 4.9 MB 00:04
> Fedora Modular 32 - x86_64 - Updates           2.0 MB/s | 3.7 MB 00:01
> Fedora 32 - x86_64 - Updates                   4.7 MB/s |  22 MB 00:04
> Fedora 32 - x86_64                              12 MB/s |  70 MB 00:05
> Qubes OS Repository for VM (updates)           135 kB/s | 108 kB 00:00
> ==
> Name Exactly Matched: libappindicator
> ==
> libappindicator.i686 : Application indicators library
> libappindicator.x86_64 : Application indicators library
> =
> Name & Summary Matched: libappindicator
> =
> libappindicator-devel.i686 : Development files for libappindicator
> libappindicator-devel.x86_64 : Development files for libappindicator
> libappindicator-docs.noarch : Documentation for libappindicator and libappindicator-gtk3
> libappindicator-gtk3-devel.i686 : Development files for libappindicator-gtk3
> libappindicator-gtk3-devel.x86_64 : Development files for libappindicator-gtk3
> libappindicator-sharp-devel.i686 : Development files for libappindicator-sharp
> libappindicator-sharp-devel.x86_64 : Development files for libappindicator-sharp
> ==
> Name Matched: libappindicator
> ==
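
The template procedure in the message above gives a TemplateVM a netvm for the duration of the install. The following added example (not part of the original post or of the Qubes tools) is a dom0 check that lists templates which still have a netvm afterwards. Assumptions: the input is the output of `qvm-ls --raw-data --fields NAME,CLASS,NETVM` (one `name|class|netvm` record per line, with `-` when no netvm is set), the function names are hypothetical, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: find TemplateVMs that were left with network access.

# Read "name|class|netvm" records on stdin and print "name netvm" for every
# TemplateVM whose netvm field is set.
templates_with_netvm() {
    awk -F'|' '
        $2 == "TemplateVM" && $3 != "" && $3 != "-" && $3 != "None" {
            print $1 " " $3
        }'
}

# Read the same records on stdin, print one warning per networked template
# together with the command that removes the netvm again.
# Returns 1 if at least one template is networked, 0 otherwise.
audit_templates() {
    offenders=$(templates_with_netvm)
    if [ -z "$offenders" ]; then
        echo "OK: no TemplateVM has a netvm"
        return 0
    fi
    printf '%s\n' "$offenders" | while read -r name netvm; do
        echo "WARN: template $name has netvm $netvm"
        echo "      fix: qvm-prefs --set $name netvm ''"
    done
    return 1
}

# Constructed sample in the assumed qvm-ls raw format.
SAMPLE='dom0|AdminVM|-
fedora-32-minimal|TemplateVM|-
t-fedora-32-media|TemplateVM|sys-net
my-media|AppVM|sys-firewall'

# In dom0: qvm-ls --raw-data --fields NAME,CLASS,NETVM | audit_templates
printf '%s\n' "$SAMPLE" | audit_templates || true
```
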

[qubes-users] Install Google Chrome in Fedora 32 Template

2020-09-04 Thread 799
Hello,

I am trying to set up a multimedia AppVM based on a fedora-32-minimal
template and want to install Chrome in the template VM.
Unfortunately I am unable to resolve dependencies to install the
chrome.rpm-package.
I need to install libappindicator3.so.1()(64bit) and I am unable to find a
way to install it from the default repos.
https://rpmfind.net/linux/rpm2html/search.php?query=libappindicator3=Search+...==

Any ideas how to do so?

[799]



Re: [qubes-users] Re: Unable to install mirage-firewall: this version of runc doesn't work on cgroups v2

2020-08-23 Thread 799
Hello,

On Sun, 23 Aug 2020 at 04:32, 54th Parallel 
wrote:

>
> On Sunday, 23 August 2020 at 07:51:11 UTC+8 one7...@gmail.com wrote:
>
>> [...]
>> I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into
>> the following error:
>> OCI runtime create failed: this version of runc doesn't work on cgroups
>> v2: unknown
>>
>> [...]
>>
>> Any ideas how to work around this problem or if I need to use another
>> AppVM fedora-30 to build mirage
>>
> Long story short: Docker doesn't install properly on Fedora versions >30
> because they have cgroups v2.
>
> While it's possible to downgrade cgroups in Fedora >30, I think it's
> simpler to just use fedora-30 or its minimal version.
>

I ran into a problem installing packages in fedora-30-minimal but was
successful using the fedora 30 template.
As others requested, I would love seeing it in the qubes repositories,
anyhow happy to have it working again.
In order to simplify the build process, these are the steps to set up everything
from dom0.
See also https://github.com/mirage/qubes-mirage-firewall

# Setup names & templates to be used.
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-30
MirageFWAppVM=sys-mirage-fw

# create a new VM to build the Mirage kernel in that VM
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM

# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'mkdir /home/user/docker && \
   ln -s /home/user/docker /var/lib/docker'

# Install docker and git ~2min
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'qvm-sync-clock && \
   dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'

# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git'

# build mirage for qubes
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
   'cd /home/user/qubes-mirage-firewall && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io $MirageFWBuildVM \
  'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# create a new mirage fw appvm
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  $MirageFWAppVM

# Change default NetVM to Mirage FW
qvm-start $MirageFWAppVM
qubes-prefs --set default_netvm $MirageFWAppVM

regards.

799



[qubes-users] Unable to install mirage-firewall: this version of runc doesn't work on cgroups v2

2020-08-22 Thread 799
Hello,

I'm trying to install mirage-fw with a Fedora-32 Build-AppVM and run into
the following error:

OCI runtime create failed: this version of runc doesn't work on cgroups v2:
unknown


Steps to reproduce:
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-32
MirageFWAppVM=sys-mirage-fw

See also https://github.com/mirage/qubes-mirage-firewall

# create a new VM
qvm-create $MirageFWBuildVM --class=AppVM --label=red --template=$TemplateVM


# Resize private disk to 10 GB
qvm-volume resize $MirageFWBuildVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --pass-io --no-gui --user=root $MirageFWBuildVM \
  'mkdir /home/user/docker && \
   ln -s /home/user/docker /var/lib/docker'

# Install docker and git ~2min
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'qvm-sync-clock && \
   dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
  'systemctl start docker'

# Download and build mirage for qubes ~11min
qvm-run --pass-io --no-gui $MirageFWBuildVM \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git'


# build mirage for qubes
qvm-run --pass-io --no-gui --user=root $MirageFWBuildVM \
   'cd /home/user/qubes-mirage-firewall && \
   sudo ./build-with-docker.sh'

Then I am seeing the following error:

>sudo ./build-with-docker.sh'
Building Docker image with dependencies..
Sending build context to Docker daemon  169.5kB
Step 1/8 : FROM ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde: Pulling from ocurrent/opam
21c83c524219: Pulling fs layer
400d4928ba6e: Pulling fs layer
0e00d6ca042c: Pulling fs layer
21c83c524219: Download complete
21c83c524219: Pull complete
400d4928ba6e: Verifying Checksum
400d4928ba6e: Download complete
0e00d6ca042c: Verifying Checksum
0e00d6ca042c: Download complete
400d4928ba6e: Pull complete
0e00d6ca042c: Pull complete
Digest: sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
Status: Downloaded newer image for ocurrent/opam@sha256:d30098ff92b5ee10cf7c11c17f2351705e5226a6b05aa8b9b7280b3d87af9cde
 ---> 6ff4f6014607
Step 2/8 : RUN cd ~/opam-repository && git fetch origin master && git reset --hard e81ab2996896b21cba74c43a903b305a5a6341ef && opam update
 ---> Running in 32587cf55364
OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown

Any ideas how to work around this problem or if I need to use another AppVM
fedora-30 to build mirage

799



[qubes-users] Problem installing qubes-template-fedora-32

2020-07-20 Thread 799
Hello,

I try to install fedora-32 on my other Laptop and run into problems:

[me@dom0 ~]$ sudo qubes-dom0-update --action=reinstall qubes-template-fedora-32
[...]
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Reinstalling: qubes-template-fedora-32-4.0.1-202006110439.noarch 1/2
fedora-32: Importing data
Traceback (most recent call last):
  File "/bin/qvm-template-postprocess", line 5, in
    sys.exit(main())
  File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 310, in main
    loop.run_until_complete(post_install(args))
  File "/usr/lib64/python3.5/asyncio/base_events.py", line 467, in run_until_complete
    return future.result()
  File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result
    raise self._exception
  File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step
    result = coro.send(None)
  File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 235, in post_install
    import_root_img(vm, args.dir)
  File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_template_postprocess.py", line 96, in import_root_img
    vm.volumes['root'].import_data(stream=tar.stdout)
  File "/usr/lib/python3.5/site-packages/qubesadmin/storage.py", line 224, in import_data
    self._qubesd_call('Import', payload_stream=stream)
  File "/usr/lib/python3.5/site-packages/qubesadmin/storage.py", line 76, in _qubesd_call
    payload_stream=payload_stream)
  File "/usr/lib/python3.5/site-packages/qubesadmin/app.py", line 576, in qubesd_call
    return self._parse_qubesd_response(return_data)
  File "/usr/lib/python3.5/site-packages/qubesadmin/base.py", line 102, in _parse_qubesd_response
    raise exc_class(format_string, *args)
qubesadmin.exc.StoragePoolException: Import operation in progress on qubes_dom0/vm-fedora-32-root
warning: %post(qubes-template-fedora-32-4.0.1-202006110439.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package qubes-template-fedora-32
Non-fatal POSTIN scriptlet failure in rpm package qubes-template-fedora-32
  Erasing : qubes-template-fedora-32-4.0.1-202006110439.noarch 2/2
  Verifying   : qubes-template-fedora-32-4.0.1-202006110439.noarch 1/2
  Verifying   : qubes-template-fedora-32-4.0.1-202006110439.noarch 2/2

Reinstalled:
  qubes-template-fedora-32.noarch 4.0.1-202006110439


If I try to start the template I get the following error:
Qubes Status: fedora-32
Domain fedora-32 has failed to start: import operation in progress on
qubes_dom0/vm-fedora-32-root

Strangely it worked on my other laptop without a problem.

Any ideas what went wrong?

799



Re: [qubes-users] File syncing between Qubes

2020-07-17 Thread 799
Michael Haynes wrote on Thu, 16 July 2020, 22:18:

> This got me wondering:
>
> *Question: Is there a simple way to setup a dedicated "server" VM*
> *using WebDAV to allow qubes to [automatically / periodically] exchange
> encrypted data even without Internet access?  If so, what are the security
> implications of doing this?  If not, what are some alternative ways of
> automating data transfers between qubes?*
>

You could look into sshfs which is able to mount a remote filesystem over
ssh.

799



Re: [qubes-users] Re: Security benefits of rootless template VMs

2020-07-13 Thread 799
Hello,

 wrote on Sun, 12 July 2020, 18:36:

> On Friday, July 10, 2020 at 4:18:30 AM UTC-4, Alex Lu wrote:
>>
>> Is having like 5 templateVMs 4 of which have no root is better than
>> having 1 templateVM
>> which have root and in charge of every appVM?
>>
>
> There is one potential disadvantage to this setup: Will you actually
> bother to keep all those templates updated? Especially if some of them have
> no root, some have sudo prompts, and some have sudo access without prompts,
> it starts to become a real pain. You have to keep in mind the human cost to
> managing this kind of complexity, even with nice new tools like Qubes
> Update.
>

The problem of having to update several templates can easily be solved by
invoking a script in dom0.
It will update the template even if sudo is not installed because of the
option --user=root within the command line.

Try it out:
https://github.com/one7two99/my-qubes/blob/master/dom0-scripts/update-all.sh

 8< - snip -- --
#!/bin/bash
# update-all.sh - Update all Template-VMs
# Update dom0
sudo qubes-dom0-update

# Update all Fedora templates
echo "[ Updating Fedora Templates ]"
for i in `qvm-ls | grep Template | grep t-fedora | gawk '{ print $1 }'`;
do
echo
echo "Updating $i ..."
qvm-run --auto --user root --pass-io $i 'dnf -y update';
qvm-shutdown $i;
echo "... done."
done

# Update all Debian Templates
echo "[ Updating Debian Templates ]"
for i in `qvm-ls | grep Template | grep t-debian | gawk '{ print $1 }'`;
do
echo
echo "Updating $i ..."
qvm-run --auto --user root --pass-io $i 'apt-get update && apt-get -y upgrade';
qvm-shutdown $i;
echo "... done."
done

# Update Whonix Templates
echo "[ Updating Whonix Templates ]"
for i in `qvm-ls | grep Template | grep whonix | gawk '{ print $1 }'`;
do
echo
echo "Updating $i ..."
qvm-run --auto --user root --pass-io $i 'apt-get update && apt-get -y upgrade';
qvm-shutdown $i;
echo "... done."
done
 8< - snip -- --

Regards

799



[qubes-users] Unable to install Google Chrom in my "media VM template" (fedora-32-minimal)

2020-07-06 Thread 799
Hello,

because I want to be able to rebuild my system from scratch and to keep
track of my installation notes, all my templates can be rebuilt from dom0
using scripts.
All templates are based on fedora-xx-minimal templates.

I have one template which I use as template for a media-VM, which has
google chrome installed.
Strangely my script which was working before is unable to install chrome
using a fedora-32-minimal template.

I get the following error:
[...]
  Verifying: google-chrome-stable-83.0.4103.116-1.x86_64
 23/23Errors during downloading metadata for repository 'google-chrome':
  - Curl error (6): Couldn't resolve host name for
http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml
[Could not resolve host: dl.google.com]
Error: Failed to download metadata for repo 'google-chrome': Cannot
download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were
tried

the script which I use from dom0:
https://github.com/one7two99/my-qubes/blob/master/my-qubes-templates/50%20template-media-vms.md

-
Template=fedora-32-minimal
TemplateName=t-fedora-32-media
AppVMName=my-media
qvm-kill $TemplateName
qvm-remove --force $TemplateName
qvm-clone $Template $TemplateName
qvm-run --auto --pass-io --no-gui --user root $TemplateName \
'dnf -y update'


qvm-run --auto --pass-io --no-gui --user root $TemplateName \
 'dnf install -y pulseaudio-qubes qubes-core-agent-networking'

# Install Google Chrome
qvm-run --pass-io --no-gui --user root $TemplateName \
  'dnf install -y fedora-workstation-repositories && \
   dnf config-manager --set-enabled google-chrome && \
   dnf install -y google-chrome-stable'

qvm-shutdown --wait $TemplateName

qvm-create --template=$TemplateName --label=orange $AppVMName
-


Any idea what is wrong here or what needs to be changed in fedora-32 to be
able to install Google Chrome?

O799



[qubes-users] Fedora 32 ready to be used as customized sys-template ?

2020-06-28 Thread 799
Hello,

is the fedora 32-minimal template ready to be used as minimal sys-template
if I follow the qubes documentation (
https://www.qubes-os.org/doc/templates/minimal/#distro-specific-notes ) ?
All my templates are based on custom-built templates, which are based on
the fedora-xx-minimal template.

Unfortunately I had to use the old fedora-29 templates as I had trouble
with fedora-30; now I have seen that new versions of fedora are in the
qubes-repo and I would like to upgrade.

799



Re: [qubes-users] MAC Address Anonymization and NetworkManager Compatibility

2020-02-27 Thread 799
Hello sf0IqXUyNLTP22nB3Lpt,


sf0IqXUyNLTP22nB3Lpt via qubes-users wrote on Wed, 26 Feb 2020, 07:12:

> I have recently set up a vpn gateway qube according to the instructions as
> listed here . I have now gone to set up
> the MAC Anonymization and have a question and a problem both.
> Firstly the linked page wrote specifically not to include the network
> manager. But at the same time the page on anonymizing the MAC address says
> that you must begin by installing the network manager. Is this safe to do?


You can build a VPN Gateway without using network manager afaik.
You might want to look into my setup notes on GitHub how I've set it up:

>>How to use a ProxyVM to run all traffic through PIA<<
https://github.com/one7two99/my-qubes/blob/master/my-qubes-templates/27%20template-vpn-vms.md

https://github.com/one7two99/my-qubes/blob/master/my-qubes-templates/20%20template-sys-vms.md

Amazing name by the way ;-)

One7two99



Re: [qubes-users] Mounting directories across VMs (losetup/block device solution for directories)?

2020-02-27 Thread 799
Hello Johannes,


Johannes Graumann wrote on Wed, 26 Feb 2020, 22:23:

> (...) I'm experimenting with creating a sys-dropbox vm that syncs with my
> dropbox account. I would love to be able to then mount defined
> subdirectories of the synced path to other vms (losetop/qvm-block-
> style, which only works for files).
> Is this possible? Where to find pointers?
>

I started building something similar to be able to sync data with Microsoft
OneDrive.

The solution consists of three AppVMs:
1) VM stores data (encfs or cryfs encrypted)
2) VM syncs (encrypted data) with the cloud
3) VM decrypts data

Data is shared between AppVMs via sshFS and sys-firewall'd to minimize
access options.

one7two99



[qubes-users] Improving Qubes firewall (GUI or pfSense)

2020-02-20 Thread 799
Hello,

While I'm running Qubes for a few years now, I also have to work with
Windows 10 according to company standards.
So far I had problems setting up Windows 10 on Qubes (which I tried ~1,5y
ago) and then decided to work in a dual boot setup, which is ok for me, as
I am running Coreboot and my /boot is fingerprinted and I can compare all
files after booting into Qubes.

On Windows I have a setup where my NICs are "Auto-Bridged" to a virtual
pfSense Firewall VM (running in VMware Workstation) and the laptop has no
IP addresses from these NICs but from a virtual ("Host-only") adapter which
has a connection to the virtual LAN interface of the pfSense Router.
This allows to filter very detailed what should leave the laptop and I can
work with Aliases etc.
The pfSense is also configured as OpenVPN Client and connects to a VPN
Provider.
Using the detailed firewall rules in pfSense (tagging/Policy Based Routing)
I am able to decide which traffic should go into the VPN and what should
pass the Firewall via the WAN Interface.

Using the Firewall Logs in the GUI I have been able to make sure that no
packages leave my laptops into the wrong direction.
If the VPN connection breaks no traffic which is tagged to go through the
VPN will pass the WAN gateway.

Long story cut short, I really (!) would love to have that much control and
also easy configuration on Qubes.

Currently my setup involves using mirage-firewall and different VPN-VMs
and sys-firewall for Qubes dom0 and template updates, but it is a bit
painful to administrate everything via CLI and I also like the GUI for
looking/searching through firewall logs.

Is there any way to use pfSense as HVM firewall which will then work as
central routing/firewall instance?

Or does someone have good recommendations for adding management and/or Log
Analyzer GUIs for sys-firewall?

[one7two99]



Re: [qubes-users] Problem updating dom0

2020-01-25 Thread 799
Hello Haaber,

On Sat, 25 Jan 2020 at 12:51, haaber  wrote:

> On 1/25/20 12:28 PM, 799 wrote:
> > I'm trying to upgrade dom0 but run into a SKIPPED message:
>
> This happens to me if I do not reboot after an upgrade and run the
> upgrade command once more. Is this your case?
>

 I have run the following commands several times in dom0:

sudo qubes-dom0-update
sudo dnf -y upgrade
sudo dnf -y upgrade

I still see the same message when running qubes-dom0-update (sudo'd):


[...]
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] .rpm: Already downloaded
[SKIPPED] .rpm: Already downloaded
[...]
Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0

One7two99



[qubes-users] Problem updating dom0

2020-01-25 Thread 799
Hello,

I'm trying to upgrade dom0 but run into a SKIPPED message:

[...]
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] .rpm: Already downloaded
[SKIPPED] .rpm: Already downloaded
[...]
Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0

Any ideas how to work around this problem?

This is the complete command & output:

[user@dom0 dom0-scripts]$ sudo qubes-dom0-update
Using sys-firewall as UpdateVM to download updates for Dom0; this may take
some time...
Last metadata expiration check: 14:01:13 ago on Fri Jan 24 22:22:42 2020.
Dependencies resolved.

 Package               Arch    Version                    Repository          Size

Reinstalling:
 libvirt-python3       x86_64  3.3.0-2.fc25               qubes-dom0-current  269 k
 python3-kickstart     noarch  1000:2.32-4.fc25           qubes-dom0-current  370 k
 qubes-anaconda-addon  noarch  4.0.10-1.fc25              qubes-dom0-current   34 k
 qubes-release         noarch  4.0-8                      qubes-dom0-current   50 k
 qubes-release-notes   noarch  4.0-8                      qubes-dom0-current  8.1 k
 xorg-x11-drv-ati      x86_64  18.0.1-1.fc25              qubes-dom0-current  168 k
 xorg-x11-drv-intel    x86_64  2.99.917-32.20171025.fc25  qubes-dom0-current  696 k
 xorg-x11-drv-nouveau  x86_64  1:1.0.15-4.fc25            qubes-dom0-current   99 k

Transaction Summary

Total size: 1.7 M
Installed size: 6.7 M
DNF will only download packages for the transaction.
Downloading Packages:
[SKIPPED] libvirt-python3-3.3.0-2.fc25.x86_64.rpm: Already downloaded
[SKIPPED] python3-kickstart-2.32-4.fc25.noarch.rpm: Already downloaded
[SKIPPED] qubes-anaconda-addon-4.0.10-1.fc25.noarch.rpm: Already downloaded
[SKIPPED] qubes-release-4.0-8.noarch.rpm: Already downloaded
[SKIPPED] qubes-release-notes-4.0-8.noarch.rpm: Already downloaded
[SKIPPED] xorg-x11-drv-ati-18.0.1-1.fc25.x86_64.rpm: Already downloaded
[SKIPPED] xorg-x11-drv-intel-2.99.917-32.20171025.fc25.x86_64.rpm: Already downloaded
[SKIPPED] xorg-x11-drv-nouveau-1.0.15-4.fc25.x86_64.rpm: Already downloaded

Complete!
The downloaded packages were saved in cache until the next successful
transaction.
You can remove cached packages by executing 'dnf clean packages'.
Qubes OS Repository for Dom0

- One7Two99



Re: [qubes-users] Copying text to/from Dom0

2019-09-22 Thread 799
Hello

wrote on Sun, 22 Sep 2019, 13:40:

>
> In the official documentation "Copying from (and to) dom0", there is no
> mention at all of how to copy text via the clipboard from a domain to
> dom0. What is the method to use?


Copying from dom0 to an AppVM is ok, as dom0 has to be trusted. The
opposite way you are moving data from a more untrusted source to dom0. This
includes a risk (from a "being reasonably secure perspective").

The way I do it is to use "xclip", which is installed in the AppVM
(template).
Xclip can be used to copy the content of the clipboard to a file or the
other way around.
Therefore you could write a script in dom0 which will take the AppVM
clipboard content inside the AppVM, store it in a file and then use pass-io
or qvm-copy to move the data from the AppVM to dom0 and - if you install
xclip in dom0 - even to the clipboard of dom0.

I'm using xclip to move screenshots from dom0 to the AppVM, if you look
into the script you will be able to get an idea how xclip works.

https://github.com/one7two99/my-qubes/blob/master/dom0-scripts/qvm-screenshot-to-clipboard.sh

[799]
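
Added example, not part of the original message and not the linked script: one way to write the dom0 helper described above so that AppVM clipboard text is filtered before it reaches dom0. The function names, the 4096-byte default limit and the qube-name check are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pull clipboard text from an AppVM into dom0 with filtering.
# Function names, the size limit and the name check are assumptions.

# Keep only tab, newline and printable ASCII, which drops escape sequences
# and other control bytes; cap the size (default 4096 bytes).
sanitize_clip() {
    LC_ALL=C tr -cd '\11\12\40-\176' | head -c "${1:-4096}"
}

# Conservative qube-name check so the name can never be taken for an
# option or carry shell metacharacters.
valid_vm_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Run in dom0: read the clipboard of AppVM $1 via xclip and print the
# filtered text on stdout. Nothing from the AppVM is executed in dom0.
fetch_clip() {
    valid_vm_name "$1" || { echo "invalid qube name" >&2; return 2; }
    qvm-run --pass-io "$1" 'xclip -selection clipboard -o' | sanitize_clip
}

# Usage in dom0 (xclip must be installed in the AppVM template and,
# for the last step, in dom0 as well):
#   fetch_clip work | xclip -selection clipboard -i
```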



Re: [qubes-users] Qubes on Dell Vostro 5581?

2019-09-14 Thread 799
Hello Tomas,

Tomáš Vondra wrote on Sat, 14 Sep 2019, 12:07:

> has anyone tried running Qubes on Dell Vostro 5581 laptop? I've been using
> a different Dell laptop until now, but I may need a replacement and this
> seems reasonable.


The Dell Vostro 5581 is not on the Qubes Hardware Compatible List (HCL)
https://www.qubes-os.org/hcl/

But it seems to work with Linux:
https://certification.ubuntu.com/hardware/201808-26383

Therefore I think it _should_ work fine with Qubes.
If you test Qubes on it, please submit a HCL Report, so that users might
get an answer to your question.

[799]



Re: [qubes-users] SSH to QUBES VM

2019-09-14 Thread 799
Hello Aly

Aly Abdellatif wrote on Sat, 14 Sep 2019, 11:21:

> (...)
> Could some please tell how can I configure a Vm in Qubes with SSH.
> I would like to be able to connect to this VM from another computer using
> ssh.
> (...)


Have you read the Firewall howto for Qubes OS?
https://www.qubes-os.org/doc/firewall/#port-forwarding-to-a-qube-from-the-outside-world

If not please do so and then come back if you need further help.

[799]



Re: [qubes-users] Done with Qubes

2019-08-31 Thread 799
O K wrote on Sat, 31 Aug 2019, 15:17:

> Do you think using Qubes off a live usb would help bypass some of my
> hardware issues?
>

I think that it might help just to try it out, instead of asking if it would.
We don't know which hardware issues you are referring to and this list is
mainly about Qubes OS and not that much about helping to find an alternative
if the topic is already named "Done with Qubes".

I would just download some other possible options and give them a try.
Before I found out about qubes I was running a Debian minimal with a
customized x-windows which had Virtual Box installed, which was running my
virtual machines.
For disposable VMs I used VMs which had a snapshot and then reverted to the
snapshot.

Basically what you get is:
- a bit more security instead of a normal OS because you're using different
VMs for different tasks
- more overhead -> full OS + VirtualBox which is more complex and has a
larger attack surface and is therefore less secure
- much more manual overhead.

Therefore I would always go back to Qubes.

[799]



Re: [qubes-users] qvm-create-windows-qube Automatically creates

2019-08-30 Thread 799
Hello Brendan,

Thanks for the improvement list. Some questions:

wrote on Thu, 29 Aug 2019, 15:27:

> - Increasing the device-stub VM priority from 256 to 1000 during install
> utilizing xl sched-credit. This dramatically increases the IO throughput
> for the installation.
>

How can this be done? what is the device-stub VM priority? Can this be set
via qvm-prefs?

> - Increasing the run-time of the final boot cycle, and possibly overlapping
> that shutdown with the next creation. Utilize qvm-run shutdown.exe or
> qvm-run a script instead of qvm-shutdown.
>

How can this be done?

> - Automate installation of xenvbd 8.2.2 or 8.2.1 after appropriate Windows
> 7 updates are installed.
>

xenvbd = Qubes Tools ?

[799]



Re: [qubes-users] Qubes/class, Was: slightly off-topic: self-resetting OS idea

2019-08-27 Thread 799
Hello,

panina wrote on Tue, 27 Aug 2019, 10:17:

>
>
>
> This is a view that I see quite a lot. It is a whole different discussion.
> Hence the re-subjecting.
> Firstly, this view completely lacks class analysis. Not everyone can
> afford to buy the newest shiny. A lot of us have to use whatever we can
> get our hands on.
>

Honestly I don't know what other people on this list use for hardware.
But if I look around at what my coworkers, customers, friends, family ...
everyone around me is using, I am the one who is owning very old and very
cheap hardware (x230).
As such my assumption is that most people are using newer and shinier hardware
than me ;-)

> Whenever a secure OS is mentioned, Qubes is the go-to. Everyone comes here.
> The approach that you have to buy new, specific hardware to have a
> functioning OS means anyone poor, or in a country with a poor dollar
> exchange rate, is left behind.
>

This is a constructed scenario. You will always find someone who will be
left behind.
If people who can afford to buy "shiny" new hardware would buy used cheap
hardware which will likely do the same job, they can even buy 3 devices
instead of one and give it away for free. Win.
Also there is no need at all to buy new hardware if you want to run Qubes,
even more it makes sense to buy older hardware.
But even if you need to spend a few bucks it would not stop me and should
not stop you from investing into your security and privacy.

> If Qubes was one of many options, this would cause less damage. But
> right now, there aren't many alternatives. So privacy and secure tech
> becomes an economic issue, a luxury
>

Why? As mentioned you can run Qubes on a very cheap laptop. I don't really
think that those "hardware" costs are really the reason why people are NOT
running Qubes.

>> I firmly claim that basic privacy should be a human right.

Yes, I agree.



> Furthermore, Qubes currently concentrates on Intel hardware.


Because it is easy to get and that's what most users are using. I think it
is rather unlikely that this will change in the near future.
But afaik it is also running on AMD CPUs.

> I do not in any way feel that this is a sane choice right now. I feel it
> would be rather stupid to buy new hardware right now that has Intel
> processors.
>

You don't have to, but all alternatives (if there are any) would cost more
money or lead to the fact that I am unable to run qubes.

> Too many security issues, and new ones popping up all the time.
>

What are you referring to and how are those security issues related to
Qubes or Qubes specific? If there is a problem with the Intel hardware,
with the xen hypervisor, or Linux bugs, this has nothing to do with Qubes.

> So my second problem is: this approach would assume that I agree with
> every choice that the Qubes team does, which I don't.
>

You don't have to, but the good thing is that you can take the part you
like and tweak the part you don't like or improve on top of what you get.

[799]



Re: [qubes-users] slightly off-topic: self-resetting OS idea

2019-08-26 Thread 799
Hello

David Hobach wrote on Mon, 26 Aug 2019, 11:22:

> On 8/26/19 10:24 AM, panina wrote:
> > Hi!
> >
> > This is not strictly Qubes-OS related, rather inspired by Qubes.
> >
> > I've been struggling with some parts of Qubes usage. Most of the time,
> > it is overkill for me, and putting some strain on my computer. The
> > bugginess is also quite annoying, whenever I just need to do some
> > everyday work.
> > I've been thinking I'd like some form of dual-boot solution, or possibly
> > a Live USB that could be used.
> > Most of the time I work with ssh and webapps, so the only persistent
> > data I need to work will fit on a smartcard.
> >
> > My thought is to have an installation that mounts most of the root
> > partition as readonly, and uses ramdisks wherever the system wants to
> > write (e.g /var/log). I'm also thinking it should be possible to get a
> > fingerprint or somesuch of the root partition, and use my TPM2 to check
> > this.
> >
> > The system should also have a possibility to update itself, that I can
> > choose to do in environments that I feel is safe.
> >
> > I am wondering if anyone knows of an OS that works like this? Or if
> > anyone knows of tools that might accomplish parts of this?
>
> Ehm... You're describing Qubes OS with disposable VMs there? The
> fingerprinting is essentially AEM?
>
> If you need to keep your data on an external disk (SDCard), you can use
> either a manual approach with qvm-copy, permanently attach the disk to a
> single disposable VM with a fixed name or use an automated solution such
> as [1]. You might also want to look into qvm-pool.
>
> [1] https://github.com/3hhh/qcrypt


I don't know why people are complaining about the "bugginess" and that it
needs more performance.

If you buy the right hardware you'll not run into lots of bugs and get
enough performance to run qubes. You can buy a Lenovo T530/430, W530, X230
for not much money, add an SSD and some RAM and you'll not run into
performance problems (normal use).

As David mentioned Qubes will do exactly what you need if you're using
disposable VMs.
Regarding the fingerprinting, you can use AEM (Anti Evil Maid) or write
your own script.
I tried something which will fingerprint all files in /boot and gpg sign
the signature which is then stored in the LUKS encrypted root partition.

You can then, after booting into Qubes, check the current boot partition
against the fingerprints.
https://github.com/one7two99/my-qubes/tree/master/docs/boot-protect

Not sure if this is really secure, would be nice to have this checked by
someone who knows more about security.

[799]
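
Added example, not part of the original message and not the linked boot-protect script: a minimal version of the idea described above, which fingerprints every file in a directory such as /boot, signs the manifest with GPG and later compares the directory against it. The function names are assumptions, and the manifest is assumed to be kept on the encrypted root partition together with a GPG key that already exists.

```shell
#!/bin/sh
# Added example: fingerprint a directory tree (e.g. /boot) and verify it later.
# Function names and the manifest location are assumptions for illustration.

# Print a sorted "sha256  ./path" manifest of every regular file under $1.
fingerprint_dir() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# Compare the current state of $1 with the stored manifest $2.
# Returns 0 if identical; 1 if any file changed, vanished or was added
# (a unified diff of both manifests goes to stderr); 2 on a read error.
verify_dir() {
    _cur=$(mktemp) || return 2
    if ! fingerprint_dir "$1" > "$_cur"; then
        rm -f "$_cur"
        return 2
    fi
    _rc=0
    diff -u "$2" "$_cur" >&2 || _rc=1
    rm -f "$_cur"
    return "$_rc"
}

# Detached signature, so that a modified manifest is noticed as well.
sign_manifest()   { gpg --armor --detach-sign --output "$1.asc" "$1"; }
check_signature() { gpg --verify "$1.asc" "$1"; }

# Typical use (as root; MANIFEST lives on the encrypted root partition):
#   fingerprint_dir /boot > "$MANIFEST" && sign_manifest "$MANIFEST"
#   check_signature "$MANIFEST" && verify_dir /boot "$MANIFEST"
```

Comparing the whole manifests matters here: `sha256sum -c` on its own reports changed or missing files but says nothing about a file that was added to /boot after the manifest was written.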



Re: [qubes-users] unencrypted internet-browsing possible as well with QubesOS

2019-08-24 Thread 799
Hello Josefh,

josefh.maier via qubes-users wrote on Sat, 24 Aug 2019, 14:53:

> [...]
> Does Qubes by default redirect all Internet-traffic over TOR/Whonix, or is
> "normal-Webbrowsing possible as well? How?
> [...]
>

You might want to start your Qubes OS journey here:
https://www.qubes-os.org/intro/

You can browse the internet like on every other operating system, but at
the same time you can have other browser sessions which work via a VPN
provider like ExpressVPN, NordVPN, PIA and others, to hide your web traffic
from your ISP. You can also use TOR and of course connect to your corporate
VPN. All from the same operating system but with separate virtual machines.

[799]



Re: [qubes-users] Done with Qubes

2019-08-22 Thread 799
Hello Oak,

O K wrote on Fri, 23 Aug 2019, 02:39:

> Thanks for all the help but I've been trying to figure out how to get
> Qubes running for months and I've decided it's just a giant waste of my
> time because every time I get one bug fixed, two more show up to take it's
> place.  I think it's a brilliant idea but it needs a lot of work and
> streamlining before it's ready for public use.
>

Maybe it's helpful if you throw in a list of what hardware you were using
and which bugs were wasting your time.
This would allow two things:

1) warn other users not to use Qubes (sarcasm)
2) allow others to fix bugs

Or do you mean you just want to run one (1) Standalone Ubuntu in Qubes?
Which shouldn't make a big difference vs a baremetal Ubuntu installation.

[799]



Re: [qubes-users] Re: Which qube is most secure for internet use?

2019-08-21 Thread 799
Hello Mark,

Mark Newman wrote on Wed, 21 Aug 2019, 04:11:

> (...)
> Actually it is VERY easy to "acquire info about someone's computer from
> the internet".  Also unfortunately, while Whonix does a good job of
> masking your IP address (your location), it does NOT protect you against
> the website you visit from taking and keeping your browser
> "fingerprint".  For more information on your browser fingerprint see:
> https://panopticlick.eff.org/



Wouldn't a disposable whonix AppVM help against this fingerprinting?

[799]



Re: [qubes-users] qvm-create-windows-qube Automatically creates

2019-08-20 Thread 799
Hello,

On Tue, 20 Aug 2019 at 21:34, 'awokd' via qubes-users <
qubes-users@googlegroups.com> wrote:

> 'crazyqube' via qubes-users:
> > I just made my solution for fully automatically creating and installing
> new Windows qubes from scratch public! It pre-installs Qubes Windows Tools
> and Firefox so now you don't even have to open Internet Explorer to
> download a good browser! (lol)
> >
> > It's currently ready for use at:
> > https://github.com/crazyqube/qvm-create-windows-qube
> >
> > If you have any issues or suggestions then by all means create an issue
> and I'll look into it.
> >
> > -crazyqube
> >
> > P.S. If you use it and find it good then please give it a well-deserved
> star!
>

If this works, it would be great.
I am trying to run through the process but want to do it by CLI from dom0
only.
This would even allow more automation as we can write a script which will
do the last manual steps like creating the windows-mgmt qube etc.

You should be able to run all steps to setup, via dom0:

# create a new AppVM
qvm-create --class AppVM --template fedora-30 --label black windows-mgmt

# Increase storage capacity
qvm-volume extend windows-mgmt:private 20480M

# Install Git in the AppVM (will be gone on next reboot)
qvm-run --auto --pass-io --no-gui --user root windows-mgmt \
  'dnf install -y git'

# Clone repository of qvm-create-windows-qube
qvm-run --auto --pass-io --no-gui windows-mgmt \
  'cd Documents && git clone https://github.com/crazyqube/qvm-create-windows-qube'

# Run the script to download all files
qvm-run --auto --pass-io --no-gui windows-mgmt \
  'cd Documents/qvm-create-windows-qube && ./download-windows.sh'

# install windows tools
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing \
  qubes-windows-tools

# copy script to dom0
qvm-run --pass-io windows-mgmt \
  'cat $HOME/Documents/qvm-create-windows-qube/qvm-create-windows-qube.sh' \
  > qvm-create-windows-qube.sh


Feel free to add this to your script/repo.

[799]



Re: [qubes-users] How do I launch NetworkManager??!!

2019-08-19 Thread 799
Hello

O K wrote on Tue, 20 Aug 2019, 01:39:

> I wanted to create a desktop shortcut or some sort of easy way to access
> NM but I forgot how to open it.  I thought it was some command in the
> sys-net terminal but I don't recall.  (...)
>

You can run nmcli in the VM which has network manager installed to control
the status and actions from network manager.
https://developer.gnome.org/NetworkManager/stable/nmcli.html

To make this easier you can write a script in dom0 and put this on your
desktop:

In dom0:
qvm-run --auto sys-net 'nmcli ...'

Not sure if nmcli needs root permissions, if so:

in dom0:
qvm-run --auto --user root sys-net 'nmcli ...'

I am not sitting in front of my Qubes, therefore can't write the exact
commands.
If you need further help, I can look up the details later on.

[799]



Re: [qubes-users] My Qubes 4.02-rc1 install notes: (with fixes, customizations)

2019-08-19 Thread 799
Hello drokmed,

 wrote on Thu, 11 July 2019, 19:02:

> My Qubes 4.02-rc1 install notes: (with fixes, customizations)
> (...)
>

Thanks for the write-up, I am always interested to see how others have
set up their Qubes OS to get some ideas how to improve my own setup.

I would love to see something like a knowledge exchange where users share
their setup and also scripts how to setup templates etc.

My idea is to use GitHub to share this info, because ...
1) it's easy to maintain
2) you can get comments and answer
3) it's easy to read on/offline
4) you can easily grab code and include into your own setup
5) versioning

It would be great if we set up something like a default directory structure
so that it is easy to navigate for other/interested users.
Example:
/my-setup/ - directory to describe the general setup, which templates and
AppVM are used
/my-templates/ - directory to store info/scripts to set up the
template VMs
/scripts/ - directory to store scripts which are used to work better with
Qubes
...

Let me know what you think.

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2urbrEAJkhjNeFM3intz6Msk21q%2BYE2Ke-YcH42J8xY3g%40mail.gmail.com.


Re: [qubes-users] Getting bluetooth to run in appVM

2019-08-19 Thread 799
Hello Max,

Maximilian Ehlers wrote on Mon, 19 Aug 2019, 14:35:

> (...)
> Unfortunately my bluetooth device seems to be integrated in the wifi
> card (Intel Wireless 8260 rev 3a) and does not appear in `qvm-usb
> list`, so I can not use it outside of `sys-usb`.
>
> Is there a way to send the audio to `sys-usb` and use it as a proxy to
> the bluetooth speaker? Or another way to pass the bluetooth device to
> the appVM?
>

Not a solution for your question, but have you tried to use one of those
very small Bluetooth USB dongles? This should work via sys-usb.

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2s%3Di8aQquB5vE5ax0z3-iytNjhPPtPocmsHF4z_23dROg%40mail.gmail.com.


Re: [qubes-users] Can't find Debian 10/minimal template

2019-08-18 Thread 799
Hello,

'username908' via qubes-users wrote on Sun, 18 Aug 2019, 19:50:

> sudo qubes-dom0-update qubes-template-debian-10
> Using sys-whonix-15 as UpdateVM to download updates for Dom0; this may
> take some time...
> qubes-templates-community   | 3.0 kB     00:00
> qubes-templates-itl         | 3.0 kB     00:00
> No Match for argument qubes-template-debian-10
> Nothing to download
>
> Likewise, searching for it only gives Debian 9 and minimal.
>

I think you need to enable testing repositories.
As always the answer is somewhere in the excellent Qubes Docs ;-)

https://www.qubes-os.org/doc/software-update-vm/#testing-repositories

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uUJU5eirdH6AAGhVG21vFHyCW8ftKBYRnvnY319e%3D92Q%40mail.gmail.com.


Re: [qubes-users] The VPN avalibel in Qubes

2019-08-17 Thread 799
Hello Chris,

On Sat, 17 Aug 2019 at 04:35, 799  wrote:

> Chris Laprise wrote on Tue, 13 Aug 2019, 23:10:
>
>> (...)
>> The easiest & most comprehensive/secure VPN config for Qubes is here:
>>
>> https://github.com/tasket/Qubes-vpn-support
>> [...]
>>
>
I thought about a way to simplify the installation of your VPN-Script & the
deployment of a VPN-Proxy VPN even further.
My Qubes-Installation & configuration is all done by scripts which I start
from dom0, this allows me to rebuild my complete Qubes system without much
work.

I have written a scripted install, which is building a VPN-ProxyVM based on
my own sys-template for sys-net / sys-usb / sys-firewall (which is itself
based on a  fedora-29-minimal template).

All steps to build the vpn-proxy VPN including configuration for
privateinternetaccess.com are done through the script. Only one step has to be
done manually:

Adding vpn-handler-openvpn to the Qubes Setting / Services Tab.

QUESTION:
I know that this can also be done via dom0 CLI, but I am missing the right
command.
Can someone help?

[799]

PS: This is the script, which will build the VPN-ProxyVM.
(Hint: I like to keep my templates small and therefore packages which I only
need during setup will be installed in the AppVM (and be lost on reboot).
In this case git/unzip/wget are only used to setup everything - they're not
needed for running the ProxyVPN):

 start 
Template=t-fedora-29-sys
AppVM=sys-vpn2

qvm-create --template=$Template --label=blue $AppVM

qvm-prefs --set $AppVM provides_network True

qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'dnf install -y git wget unzip && \
  mkdir -p /rw/config/vpn && \
  cd /root && \
  git clone https://github.com/tasket/Qubes-vpn-support.git && \
  cd Qubes-vpn-support && \
  bash ./install'

# Link to your favorite VPN-Entry Point, here I am using Switzerland
qvm-run --auto --pass-io --no-gui --user root $AppVM \
  'cd /rw/config/vpn && \
  wget https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip && \
  unzip openvpn-ip.zip && \
  ln -s Switzerland.ovpn vpn-client.conf'

qvm-shutdown --wait $AppVM

# MANUAL step (at the moment):
# Add "vpn-handler-openvpn" to the Settings > Services Tab

qvm-start $AppVM
 end 

As mentioned above the AppVM is based on my own sys-template named
t-fedora-29-minimal.
If you want to rebuild, this is how you build this template from dom0
(it can be used for sys-net / sys-firewall / sys-usb):

 start 
template=fedora-29-minimal
systemplate=t-fedora-29-sys

#remove old template
qvm-kill $systemplate
qvm-remove -f $systemplate

#clone template
qvm-clone $template $systemplate
# update template
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf update -y'

# install a missing package for fedora-29-minimal
# without it, gui-apps will not start
# not needed in the latest fedora-29-minimal template (after april 2019)
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf install -y e2fsprogs'

# Install required packages for Sys-VMs
# Hint: you might need to add your own wifi-firmware-drivers here instead
# of iwl6000g2a...
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install qubes-core-agent-qrexec qubes-core-agent-systemd \
  qubes-core-agent-networking polkit qubes-core-agent-network-manager \
  notification-daemon qubes-core-agent-dom0-updates qubes-usb-proxy \
  iwl6000g2a-firmware qubes-input-proxy-sender iproute iputils \
  NetworkManager-openvpn NetworkManager-openvpn-gnome \
  NetworkManager-wwan NetworkManager-wifi network-manager-applet'

# Optional packages you might want to install in the sys-template:
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install nano less pciutils xclip'

# Set new template as template for sys-vms
qvm-shutdown --all --wait --timeout 120
qvm-prefs --set sys-usb template $systemplate
qvm-prefs --set sys-net template $systemplate
qvm-prefs --set sys-firewall template $systemplate
 end 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sbWbACK0jddxgBGibRRPLzXO57ZLursddDs-bFYA7W8w%40mail.gmail.com.


Re: [qubes-users] The VPN avalibel in Qubes

2019-08-16 Thread 799
Hello Chris,

Chris Laprise wrote on Tue, 13 Aug 2019, 23:10:

> (...)
> The easiest & most comprehensive/secure VPN config for Qubes is here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> You can also try your luck with the VPN instructions on the Qubes
> website, but its more manual work (even if you use Network Manager) for
> less results.
>

I just tried your script and installation was straightforward.
Very nice work, thanks for sharing.

Should be included in Qubes by default or at least be highlighted in bold
in the Qubes docs:
https://www.qubes-os.org/doc/vpn/

I'll also take a look into your other scripts ;-)

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vcgi5OXtr_WY9t1N%2BbMgoDfB0njkX-sfv4ARhHbn6zdw%40mail.gmail.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-16 Thread 799
Hello,

On Fri, 16 Aug 2019 at 11:22, Stefan Leibfarth  wrote:

> [...]
> I'd guess it's not directly Qubes related, maybe this problem:
>
> https://help.nextcloud.com/t/nextcloud-client-asks-for-password-every-time-it-starts/28591/3
>

I tried nearly everything from this forum post, I also tried to use other
templates fedora-29, fedora-30, still the same problem.
I also tried to install gnome-keyring but it doesn't make a difference.

Does anyone else have a Nextcloud CLIENT (not server) running in Qubes and can
give me a hint why I need to re-enter my credentials after boot, and why even
afterwards the Nextcloud client is not picking up the sync again?

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tTGtifnYKCRbq0sFa2EhmWEk%2BQb2h6mPxJ-fdAhWJwHQ%40mail.gmail.com.


Re: [qubes-users] Which qube is most secure for internet use?

2019-08-16 Thread 799
O K wrote on Fri, 16 Aug 2019, 18:17:

> Well I'm not as concerned about people monitoring/intercepting the content
> of my communications, just about identifying information about the hardware
> of my computer being accessible.
>

Why? If someone can't identify you, why should he make the effort to find a
way into your Qubes machine to get the hardware info? If it is an attack
which you're not the specific target, there are easier options, like
hacking your router or maybe one of your "smart" home devices.

> I know it's not easy to acquire info about someone's computer from the
> internet, and if the computer's running Qubes I would imagine it's harder,
> but I think it can be done (definitely Mac address but possibly more info).
>

Yes. Using Qubes will increase your security to a reasonably secure level
(if you use it correctly).

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tjrAjUO3YZ6Caj1Fid2LRZykD%2BOs%2BB64D4Z418vhuXHA%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-16 Thread 799
On Fri, 16 Aug 2019 at 15:42,  wrote:

> Can coreboot be installed on T580, have you ever heard of such?
>

The following coreboot page will answer your question:
https://coreboot.org/status/board-status.html

additionally you might want to look into the FAQ:
https://www.coreboot.org/FAQ#Will_coreboot_work_on_my_machine.3F

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sQQhwq-%2BqOtgEUbyM_9-FHeNe0h9KxBoKq6v%2B0mrdfOg%40mail.gmail.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-15 Thread 799
Hello,

*Null* ** wrote on Thu, 15 Aug 2019, 19:12:

> OCC commands:
>
>
> https://docs.nextcloud.com/server/16/admin_manual/configuration_server/occ_command.html#user-commands-label
>  (...)


Now I understand what you've meant, regarding the movement of directories.
This was related to running a Nextcloud Server within Qubes OS.
In my case I am connected from an AppVM (Qubes OS) to an external
Nextcloud-Server (not running Qubes OS).

As all Client-settings _should_ be safe in an AppVM I don't understand why
I need to log in after the first boot of the AppVM and why even after logging
in, the synchronization is not working again.

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2s1Gjyb2D7qEpxFnNhse1pyYRgiat94%3Dwr67ZuDvD%2BSzw%40mail.gmail.com.


Re: [qubes-users] How to change date and time format in Thunderbird

2019-08-15 Thread 799
 wrote on Thu, 15 Aug 2019, 18:25:

> I've installed thunderbird today and all is fine except that dates are
> shown in US format: MM/DD/YY. How can I change this to UK format: DD/MM/YY?
>
> I googled and found that thunderbird gets its setting from the OS.
>

Maybe this plugin helps:
https://addons.thunderbird.net/nl/thunderbird/addon/quick-locale-switcher/

?

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tDNOmkkSftg_gqJEJ0uueZ0SQcX3KvcUM8P%3DKpC%2B_t-A%40mail.gmail.com.


Re: [qubes-users] Problem with NextCloud-Client App-VM (unable to login on 2nd boot)

2019-08-15 Thread 799
Hello,

*Null* ** wrote on Thu, 15 Aug 2019, 14:46:

> Sorry my initial reply was the wrong answer.
>
> To set up a login that is persistant you need to do it in the template
> with the occ commands. Any user made in the appvm will not survive a reboot.
>

What exactly is meant by "occ commands"?

> The nextcloud storage area needs to be made persistant using the
> qubes-bind-dirs directory in the appvm, the qubes docs cover that.
>
> I am able to stay logged in with the nextcloud app and sync via webdav
> between reboots in this manner.
>

Thank you for the feedback, I don't understand why I need to make changes
regarding the storage area.
As far as I know the Nextcloud data is stored in /home/user which should
survive a reboot as long as it is a normal AppVM.

> Are you also trying to sync other appvms?


No, I have just built a template (as described) and built an AppVM from this
template.

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tg-YoCHkmkwi9gW0y1UJ819%2BwHFbXNLAh2_cODLBCOZg%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-14 Thread 799
Hello Brendan,

 wrote on Thu, 15 Aug 2019, 01:26:

> (...)
>
> 1. That first USB device, which does not state where it can be used is
> either:
> a) The USB 2.0 interface "available" via the expresscard interface (some
> "expresscard" devices are really just USB 2.0 devices).
> b) The USB 2.0 interface available via the docking connector.
>
> ...some experimentation should lead to clarification.
>

You are very likely right, I have always asked myself why there is a USB
Controller which has no internal devices attached and doesn't connect to
any of the external USB slots.
I have a docking station, so I will test this.


> 2. On my W520, I typically only attach the USB 2.0 controller to sys-usb
> (via PCI). That way, if I have to directly attach a storage device to a VM
> for IO-intensive uses, I can utilize a disposable HVM and attach the USB
> 3.0 controller directly to it.
>

The problem is that the USB 3 Controller on the X230 also has the internal
WWAN Card connected, so if I attach it to an AppVM and not the sys-usb Qube
I am not able to pass the WWAN Card to my sys-net VM and use LTE, which I
need to rely on.

USB 3.0 Controller - Extended Host Controller Interface (xHCI)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 002: ID 0bdb:1926 Ericsson Business Mobile Networks BV 1 = LTE/WAN-Card
connects to: Left USB-Port (next to VGA-Display-Out)
connects to: Left USB-Port (next Mini-DisplayPort-Out)


> 3. Lastly, for those worried about having a flexible USB controller PCI
> layout (the ability to assign different controllers to different HVMs),
> there's a secret I'll share: the expresscard port on both the X230 and the
> W520 is a PCI port! And there are expresscards that provide USB 3.0 ports!
> Granted expresscard's maximum signaling rate of 2500Mbps is not quite
> 6000Mbps maximum of USB 3.0...but definitely faster than 480Mbps! The W520
> puts PCI devices mounted via the expresscard slot in their own grouping
> (e.g. a USB 3.0 expresscard)...again, experimentation will show whether the
> X230 does as well.
>

Ok, I'll give the Expresscard Slot a try, need to buy an adapter first...

Any idea how I can test the speed of the interfaces afterwards?
I would get an Expresscard-to-USB3-Adapter.

[799]

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sksFnL4Jr8mBgRFHYcwVXSSMtGEiGkxngdG7ykZt7DNg%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-13 Thread 799
Hello Steve,

Steve Coleman wrote on Tue, 13 Aug 2019, 20:07:

>
> I do have a few questions for anyone experienced with the x230
>
> Q1: Does the ThinkPad x230 have a separate USB controller available for
> use as a sys-usb?
>

I have documented the Layout of the USB controllers here:

https://github.com/one7two99/my-qubes/blob/master/docs/qubes-x230.md

It shows which USB Controller connects to which external USB Port and
which internal USB Devices like Camera / Bluetooth / LTE-Card belong to
which USB Controller.

Depending on which USB Controller you attach to a VM, you pass along all
attached internal USB Devices.
Therefore I am using a sys-usb Qube ;-)

Regarding the other questions, I'll try to answer this later.

799

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uHZsdFaytm7X%3DHu1zo-E5Ap8a_k9KewcOexRWkERK_Tg%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-13 Thread 799
Hello

<27casanov...@gmail.com> wrote on Tue, 13 Aug 2019, 10:53:

>
> https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md


Wrong link, I cleaned up the docs a few days ago, the correct link is now:

https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/README.md

Let me know if you need any help.

799

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2sbkJ16QyhXAsoC8Eg-Mg9S6jhAfXwULiPtu%2B3gT3qhjQ%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-12 Thread 799
<27casanov...@gmail.com> wrote on Mon, 12 Aug 2019, 23:55:

> Thats prity good advice :). Turns out thers a X240 modell (8GB) avalibel.
> will that one work as well?
> Altough its most likly not an option will all X1 Carbon work?
>
> And this is the latest recomended vertion of qubes? Seams as if many
> models are out dated now.
>

The X240 will NOT work with Coreboot.
If you need more performance you can look at a Lenovo W530 but those are
much bulkier devices and have a reduced battery runtime.
I also own a W540 (not Coreboot'able) and it has Qubes installed, but I am
not using it, just because the x230 feels much more portable and has twice
the battery runtime.

799

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t-K%2BFBmSK8Jm%3D%2BM0GveEZQ%3DvFPk5s_w_cNRD1wbC2zgQ%40mail.gmail.com.


Re: [qubes-users] best and less expensive Lenovo think pad

2019-08-12 Thread 799
Hello,

<27casanov...@gmail.com> wrote on Mon, 12 Aug 2019, 09:26:

> What is the best and less expensive Lenovo think pad for new Qube?
>

As always ... It depends. The G505s is not a bad choice but it is not from
the Thinkpad line but a consumer laptop.
I would say the Lenovo X230 or T430 as you can install Coreboot on them,
you get USB3 and LTE. And you can add some cool things like illuminated
keyboards, an additional battery pack (Slice battery) which gives you lots
of battery runtime.
Additionally you can get a docking station (not sure if this is available
for a G505s) which gives you additional Display options.

I would go with the x230, 16GB RAM and a new SSD, then add Coreboot (I have
a specific howto covering this).

But as they are all so cheap: buy them all and test them, then sell the
ones you don't like to keep ;-)

799

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2uxnmPnQQ1stctZq0WgENntyzkt8hE5DXKeVv_-mG9zmw%40mail.gmail.com.


Re: [qubes-users] using static dispVM for sys-net

2019-08-10 Thread 799
Hello,

Jon deps wrote on Wed, 3 July 2019, 22:30:

> am curious if anyone actually does this , and how or would it make any
> sense instead to use a static sys-firewall ,  if I
> just have the default  sys-firewall  (which might be easier because
> there would not be a need for the PCI  setup  ?each time)


What would be the better choice regarding attack surface:
 disposable netvm+firewallvm vs. mirage-firewall?
If I understand it right the mirage firewall has no/less option to be
compromised.
I am using the mirage fw and am only using a fedora-30-minimal based
sys-firewall to get dom0-updates, which can't be done via the mirage
firewall.

But I'll also change this firewall to a static disposable FW.

Question:
Afaik the problem when using a static disposable sys-net VM is, that I need
to enter my Wifi Credentials each time, as the VM will be unable to
remember them.
Is there any way tweaking this behaviour?

799

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vs1V9%2BwrF0frShC1_aaODcORDzFc9LQscx6Yzn-G79tg%40mail.gmail.com.


Re: [qubes-users] Coreboot?

2019-08-09 Thread 799
Hello,

 wrote on Tue, 6 Aug 2019, 00:42:

> So like installing coreboot should eliminate any malware installed at
> firmware levels, right?
>

I would not use the very strong claim "any", because I can't back up this
claim through knowledge (I am not a security specialist).
But using coreboot will offer the best approach protecting against firmware
malware/attacks. There are not many reasons why you should not consider
running coreboot and if you buy most new hardware you are to install
coreboot.
Therefore I would say that coreboot will improve the "reasonable" security
;-)

-  O

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2ukAPNkkR3Fa2_QQtFiW08eJEUnu%3D61e8f-%2BtBE3hyL2A%40mail.gmail.com.


[qubes-users] Autoconnect to VPN not working in fedora based AppVM

2019-08-06 Thread 799
Hello,

For my corporate work I am running a custom-built AppVM which is based on a
fedora-30-minimal package with some additional packages.
I am using the gnome network manager applet with the openconnect plugin to
connect to our corporate VPN (Cisco Anyconnect).
This is working fine, but I would like to have the VPN started as soon as
the VM boots up.
Normally this can be done, by right clicking network manager icon, choose
"Edit Connection" then edit the settings for the Ethernet connection (VM
uplink eth0), open the "General Tab" and enable "[x] Automatically connect
to vpn" and choose the VPN connection which I have configured.

Unfortunately this setting will not survive the boot of the AppVM,
therefore I think the setting is saved somewhere where the AppVM has no
write possibility and therefore the setting will be forgotten when I
shutdown the AppVM.

QUESTION:
How can I make this change permanent or do you have another idea how to launch
the VPN connection upon start of the AppVM?

- O.

PS: those are the steps to build my office AppVM (initiated from dom0):

basetemplate=fedora-30-minimal
worktemplatevm=t-fedora-30-work
WorkAppVM=my-office

qvm-clone $basetemplate $worktemplatevm

qvm-run --auto --user root --pass-io --no-gui $worktemplatevm \
  'dnf install -y emacs keepass libreoffice gedit gimp gnome-terminal firefox \
  nano git mc terminus-fonts less unzip dejavu-sans-fonts pinentry-gtk \
  qubes-gpg-split qubes-core-agent-networking qubes-usb-proxy pulseaudio-qubes \
  gstreamer gstreamer-plugins-base libffi libpng12 libXScrnSaver libsigc++20 \
  pangox-compat xclip iputils iproute \
  # qubes-core-agent-qrexec qubes-core-agent-systemd polkit notification-daemon qubes-input-proxy-sender'

### AnyConnect VPN - OpenConnect
qvm-run --auto --pass-io --no-gui --user root $worktemplatevm \
 'dnf -y install NetworkManager-openconnect network-manager-applet qubes-core-agent-network-manager \
  NetworkManager-openconnect-gnome NetworkManager-vpnc-gnome NetworkManager-openvpn-gnome NetworkManager-openvpn'

# Add network-manager to Qubes Settings > Services
qvm-service --enable $WorkAppVM network-manager

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vhk1WGQ9R8qr%2BycqTFhGy%2BVKGguyC0vLQ7NzDeqWJqHg%40mail.gmail.com.


Re: [qubes-users] Coreboot?

2019-08-05 Thread 799
Hello,

On Mon, 5 Aug 2019 at 22:58,  wrote:

> I was told that buying an used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.
> After a little bit of research, I was told that installing coreboot would
> eliminate/delete any malware that, in a hypothetical case, took control of
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure
> if this is true, do you guys thinks it’s true?
>

I would always replace the storage media in a used laptop to get a fresh
SSD, as this is where your data is stored and you don't want to mess
around with a used SSD or HDDs. And with today's low prices for SSDs it's
even more fun to do so.

If dom0 was "infected" you would not be affected if you use another ssd,
you could of course also reinstall Qubes on the used device, but as
mentioned above .. no reason to do so.
If the previous user has an infected or manipulated BIOS you can indeed
reflash with coreboot, in fact I would always suggest to run coreboot if
your laptop is able to do so - I would even recommend to buy only devices
which support coreboot (for example Lenovo X230 / T430 / W530 ...).

Keep in mind that an attacker could always place a tiny spy device inside a
used laptop which can then be used to sniff your keyboard entries etc. But
as this is an attack which is more likely used if you are a high priority
target, I think that this scenario is quite unlikely.

Therefore:
Buy a used Lenovo X/T/W x30, install coreboot and become a happy Qubes user.
If you need more information how to install coreboot, take a look here,
where I tried to document a whole run through for a X230:
https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

- O

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t%2B2uiU4N6EOk47g48%3D0o1Fawb5qkQoX8K0tVrfo-81Qg%40mail.gmail.com.


[qubes-users] (very) portable Qubes OS on a Lenovo S730 - will it work?

2019-07-16 Thread 799
Hello,

I'm interested running Qubes OS on a new day-to-day laptop which might be a
Lenovo S730 because of portability and USB-C charging (knowing that I am
unable to run Coreboot on it).

Question:
has someone successfully installed Qubes on this device?

Specs:
- Intel Core i5-8265U
- Intel UHD 620 on-Board Graphic
- 8 GB LPDDR3
- 256 GB PCIe-SSD

The Qubes Hardware Compatibility List (HCL) has not listed this device:
https://www.qubes-os.org/hcl/

regards

- O.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2t%3D2FojAWxhqf%3DdmaVR%2BLErGjDENe6xt2nS8ZPFB1uQpQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Make files in AppVM persistent

2019-04-21 Thread 799
Hello,

unman wrote on Sun, 21 Apr 2019, 02:29:

> (...)
> Don't make the changes in the template.
> bind-dirs is intended to work in the AppVM, (as I think you originally
> tried).
> You need to configure bind-dirs and restart the qube, *then* make any
> changes that you want to make in /etc/openvpn.
> You can check that the changes are there in /rw/bind-dirs/etc/openvpn.
>

Sorry, my mistake ... With your hint, the documentation says it already:

(...) Inside your TemplateBasedVM (...)

Maybe it would be good to change this into:

(...) Inside your AppVM which is based on a Template (...)

Additionally it seems that you need to run 6 steps, the numeration seems to
be fixed, now it has two times 3 steps - I'll try to fix this in the GitHub
repo.

O/799.



Re: [qubes-users] Make files in AppVM persistent

2019-04-20 Thread 799
Hello,

rogertobler via qubes-users wrote on Sat, 20 Apr 2019, 22:07:

> I am trying to make my vpn config and password file in /etc/openvpn
> persistent (...)
>
> I tried as described here (Qubes 4):
> https://www.qubes-os.org/doc/bind-dirs/
>
> ..unfortunately the files disappear after the reboot.
>

You have applied the change in the template VM?
then shutdown the template?
And then restarted the AppVM?

The last step is important as only then changes to the template VM are
picked up from the AppVM.

O/799



Re: [qubes-users] minimal Fedora template as base for sys-net and sys-firewall

2019-04-20 Thread 799
Hello Tim,

Tim Wolf wrote on Sat, 20 Apr 2019, 04:44:

> (...)
> I need to save some space on my harddisk, why I would like to use a
> Fedora-29-minimal template as base for system and security related VMs.
>

An AppVM will not take much space, even if the template is very big as it
only stores the delta? As such you won't save a single byte if the old
template VM of the sys-VMs, which is likely fedora-28/fedora-29 is still in
use.

> Is there a list, what packages have to be added for this task?


See through the links others have provided, this was a good starting point
for me to create my own template.

You can also look into my notes here:
https://github.com/one7two99/my-qubes/blob/master/docs/history.txt

This covers how I have setup my templates, you can just run all commands
from dom0:

Hint: you need to make sure that you have the right wifi drivers in your
sys-net VM.
I am using the iwl6000g2a-firmware package, which is for my Lenovo x230,
you might need another package depending on your wifi card.
If you have trouble finding the right driver, ask here.


# Install Fedora minimal template
sudo qubes-dom0-update qubes-template-fedora-29-minimal


# 
#  t-fedora29-sys
# 
template=fedora-29-minimal
systemplate=t-fedora-29-sys

#clone template
qvm-clone $template $systemplate
# update template
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf update -y'

# install a missing package for fedora-29-minimal
# without it, gui-apps will not start
# not needed in the latest fedora-29-minimal template (april 2019)
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf install -y e2fsprogs'

# Install required packages for Sys-VMs
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install qubes-core-agent-qrexec qubes-core-agent-systemd \
  qubes-core-agent-networking polkit qubes-core-agent-network-manager \
  notification-daemon qubes-core-agent-dom0-updates qubes-usb-proxy \
  iwl6000g2a-firmware qubes-input-proxy-sender iproute iputils \
  NetworkManager-openvpn NetworkManager-openvpn-gnome \
  NetworkManager-wwan NetworkManager-wifi network-manager-applet'

# Optional packages you might want to install in the sys-template:
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install nano less pciutils xclip'

qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install qubes-core-agent-passwordless-root'

# Nice(r) Gnome-Terminal compared to xterm
qvm-run --auto --user root --pass-io --no-gui $systemplate \
  'dnf -y install gnome-terminal terminus-fonts dejavu-sans-fonts \
   dejavu-sans-mono-fonts'

# Set new template as template for sys-vms
qvm-shutdown --all --wait --timeout 120
qvm-prefs --set sys-usb template $systemplate
qvm-prefs --set sys-net template $systemplate
qvm-prefs --set sys-firewall template $systemplate
#qvm-prefs --set sys-vpn template $systemplate

--- 8< ---

Regards

O/799



Re: [qubes-users] qubes using cpu with 8 cores

2019-04-19 Thread 799
Hello,

katmai karbonellenc wrote on Fri, 19 Apr 2019, 02:29:

> > You almost certainly don't have 8 cores - you probably have a 4 core CPU
> > with hyperthreading.
> > By default Qubes disables hyperthreading for security reasons.
>

I have looked at the output of the commands:

model name : Intel(R) Core(TM) i7-7700K CPU
(...)
cpu cores : 4

and you are referring to the right CPU spec sheet

> The specifications of this CPU:
>
> https://www.intel.co.uk/content/www/uk/en/products/processors/core/i7-processors/i7-7700k.html


There you can find the information:

# of Cores = 4
# of Threads = 8
(...)
Intel Hyper-Threading Technology = Yes

As such you only have 4 real cores and Qubes is correct telling you this
information.

Why deactivate Hyperthreading?

QSB #43: L1 Terminal Fault speculative side channel (XSA-273)
https://www.qubes-os.org/news/2018/09/02/qsb-43/

(...) Part of the mitigation is to disable hyper-threading. This halves the
number of CPU cores that the system sees compared to having
hyper-threading enabled, thus reducing system performance.  Since Qubes OS
4.0 uses both PVH and HVM qubes, it is _not_ safe to re-enable
hyper-threading.  If you have previously modified the number of virtual
CPUs assigned to any qube (the "vcpus" property), it may be necessary to
adjust this value in order to account for reduced system performance. (...)

If you are interested in Hyperthreading performance tests, you might be
interested in looking into this article:

Intel Hyper Threading Performance With A Core i7 On Ubuntu 18.04 LTS
https://www.phoronix.com/scan.php?page=article=intel-ht-2018=1

Regards

- O/799



Re: [qubes-users] qubes using cpu with 8 cores

2019-04-18 Thread 799
Hello,

katmai karbonellenc wrote on Fri, 19 Apr 2019, 01:55:

> I installed QubesOS on new PC, that his CPU have 8 cores but I only can be
> see 4 cores available.
> How I can solve it?
>

To solve it, it would be helpful to get some more information:
- what model is the CPU?
- which Qubes version are you using?
- are you looking into the AppVM or into the Hypervisor?

Please post the output of:
cat /proc/cpuinfo
xl vcpu-list

Could it be that you mix up the total cores your system has, against what
you can see in an AppVM?
AFAIK dom0 is also just an AppVM on top of Xen and therefore you might see
only the cores which are assigned to dom0?
The xl commands should help you.

- O/799



Re: [qubes-users] Installing Mirage Firewall

2019-04-17 Thread 799
Hello Claudio

Claudio Chinicz wrote on Wed, 17 Apr 2019, 15:39:

> Hi All,
>
> I'm trying to install/test/play with Mirage, following instructions from
> https://github.com/mirage/qubes-mirage-firewall.
>
> Honestly, I've got entirely lost, since I'm not a pro and not proficient
> with Linux.
>
> Can anyone provide a step-by-step recipe how to install the unikernel?
>

I was also struggling with the installation, therefore (and to save time
for the Mirage Pros to develop the firewall not helping newbies like
myself) I have created a howto:

https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

You can run all steps from dom0 ;-)
If you need further help, do not hesitate to ask.
I'd like to hear your feedback, if we can improve the howto.

- O/799



Re: [qubes-users] Re: Looking to edit rules.ml of my mirage-firewall VM but since I cannot run shell, IDK what to do

2019-04-12 Thread 799
Hello Thomas.

On Thu, 11 Apr 2019 at 14:02, Thomas Leonard  wrote:

> [...]
> I've added some examples at
> https://github.com/mirage/qubes-mirage-firewall/pull/54 (see the changes
> to rules.ml).
>

Thanks a lot for your excellent work and adding more information to
mirage-firewall, greatly appreciated.
Regarding the example rules:

| { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept
| { dst = `External `GoogleDNS } -> `Drop "block Google DNS"

these two rules are easy to understand and will help me setting up rules
between the AppVms


| { src = `Client _; dst = `Client _; proto = `TCP _; packet }
when not (is_tcp_start packet) -> `Accept

Can you add more details about this rule? It's an any-to-any rule, but what
is "when not (is_tcp_start packet)"?

- O/799



Re: [qubes-users] Alt+Tab not redirected in AppVM

2019-04-11 Thread 799
Hello,

On Wed, 10 Apr 2019 at 22:43, awokd  wrote:

> 799 wrote on 4/10/19 8:37 PM:
> > 'awokd' via qubes-users wrote on Wed, 10 Apr 2019, 22:30:
> >
> >> 799 wrote on 4/10/19 8:12 PM:
> >>
> >>> I tried editing the shortcut file in
> >>> ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml
> >> (...)
> >>
> (...)
> I'm guessing XFCE only reads that config file once on startup. There's
> probably a more subtle way to trigger it. Does it work now?
>

I tried to change it from Alt+Tab to Primary-Tab, rebooted, but no changes
have been made.
I'll try to do the opposite and will use autohotkey (
https://www.autohotkey.com) in windows to set a new key-sequence for
application switching.

- O/799



Re: [qubes-users] Alt+Tab not redirected in AppVM

2019-04-10 Thread 799
'awokd' via qubes-users wrote on Wed, 10 Apr 2019, 22:30:

> 799 wrote on 4/10/19 8:12 PM:
>
> >   I tried editing the shortcut file in
> > ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml
> (...)
> > ... but those settings didn't work, nothing changed.
> >
> > I also tried to a new shortcuts via the Qubes Menu > Keyboard but also
> > there not changes are working.
> >
> > Any other suggestions?
>
> Did you reboot after? Also, did you see Vit's suggestion?
>

I didn't know that a reboot needs to be done


- O/799



Re: [qubes-users] Alt+Tab not redirected in AppVM

2019-04-10 Thread 799
Hello,

On Tue, 9 Apr 2019 at 19:39, awokd  wrote:

> 799 wrote on 4/9/19 7:28 AM:
>
> > I think the easiest way is 1) switching Alt+Tab against Windows+Tab.
> > Can this be done?
>
> Maybe
>
> https://superuser.com/questions/458846/how-to-map-alttab-behavior-to-another-keyboard-combination
> ?
>

I tried editing the shortcut file in
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml
from:  
to:  
and I tried also:


... but those settings didn't work, nothing changed.

I also tried to a new shortcuts via the Qubes Menu > Keyboard but also
there not changes are working.

Any other suggestions?

- O/799



Re: [qubes-users] Re: Looking to edit rules.ml of my mirage-firewall VM but since I cannot run shell, IDK what to do

2019-04-10 Thread 799
Hello,

Thomas Leonard wrote on Wed, 10 Apr 2019, 20:42:

> (...)
> To change the rules, you edit rules.ml, rebuild and redeploy (this should
> only take a couple of seconds after the first build).

(...)
>

Can you or someone from the mirage fw for Qubes team give some examples how
to write rules for mirage?

Examples:

1)  can access  via ssh
2)  can reach  using  via TCP
3) Block access from  to 

I think some example rules will make it easier to understand how to write
rules.

Regarding rebuilding and redeployment:
Maybe we can write a small script that will do the following:

- launch mirage build VM
- apply changes to rules.ml
- rebuild
- copy new kernel files back to dom0
- shutdown mirage build VM
- restart mirage firewall proxyVM

The easiest procedure would be to keep the rules.ml in dom0, edit it there
and then qvm-copy or qvm-run --pass-io cat ... it to the mirage build VM.

-O/799
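
The rebuild-and-redeploy steps listed in the message above, sketched as a dom0 script. This is an added example, not code from the thread or from the qubes-mirage-firewall project; the qube names, the dom0 location of rules.ml, the tarball's top-level directory and the --deploy switch are assumptions. Because the tarball built in the qube is unpacked in dom0, the script checks its member names first.

```bash
#!/bin/bash
# Added example, not part of the original thread. Runs in dom0.
# Assumed names: BUILD_VM, FW_VM, RULES, TOPDIR and the --deploy switch.
# Assumed state: the checkout in the build qube is owned by the default user.
# Taken from the thread: the qubes-mirage-firewall checkout in /home/user,
# _build/mirage-firewall.tar.bz2 and /var/lib/qubes/vm-kernels.
set -eu

BUILD_VM="${BUILD_VM:-mirage-build}"      # qube with docker and the git checkout
FW_VM="${FW_VM:-sys-mirage-fw}"           # qube that boots the unikernel
RULES="${RULES:-$HOME/mirage/rules.ml}"   # master copy of the rules, kept in dom0
SRC=/home/user/qubes-mirage-firewall
KERNELS=/var/lib/qubes/vm-kernels
TOPDIR=mirage-firewall                    # assumed top-level directory in the tarball

# Read a tar member listing on stdin. Succeed only if there is at least one
# entry and every entry stays below $1: no absolute paths, no ".." components.
listing_is_safe() {
  lis_prefix=$1
  lis_seen=0
  while IFS= read -r lis_entry; do
    lis_seen=1
    case "$lis_entry" in
      /*|..|../*|*/../*|*/..) return 1 ;;
    esac
    case "$lis_entry" in
      "$lis_prefix"|"$lis_prefix"/*) ;;
      *) return 1 ;;
    esac
  done
  [ "$lis_seen" = 1 ]
}

deploy() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT

  # 1. Launch the build qube (--auto) and stream rules.ml from dom0 into it.
  qvm-run --auto --pass-io --no-gui "$BUILD_VM" "cat > $SRC/rules.ml" < "$RULES"

  # 2. Rebuild inside the build qube.
  qvm-run --pass-io --no-gui --user root "$BUILD_VM" \
    "systemctl start docker && cd $SRC && ./build-with-docker.sh"

  # 3. Pull the tarball into a dom0 temp file. Everything that comes back
  #    from the build qube is untrusted input to dom0.
  qvm-run --pass-io --no-gui "$BUILD_VM" \
    "cat $SRC/_build/mirage-firewall.tar.bz2" > "$tmp"

  # 4. Inspect member names before extracting. A failed or empty listing
  #    also ends up here, because listing_is_safe rejects empty input.
  if ! tar -tjf "$tmp" | listing_is_safe "$TOPDIR"; then
    echo "refusing to unpack: unexpected paths in archive" >&2
    return 1
  fi
  tar -xjf "$tmp" -C "$KERNELS"

  # 5. Stop the build qube, then restart the firewall qube on the new kernel.
  #    Assumes no running qube is still attached to $FW_VM.
  qvm-shutdown --wait "$BUILD_VM"
  qvm-shutdown --wait "$FW_VM"
  qvm-start "$FW_VM"
}

# Only touch any qube when asked to; running without --deploy just defines
# the functions.
if [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```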



Re: [qubes-users] Re: How risky is GPU pass-through?

2019-04-09 Thread 799
Hello throwaway42,

wrote on Tue, 9 Apr 2019, 21:17:

> (...)
> Just for information:
> I have a gaming VM inside Qubes OS
> It is a windows 7 HVM, with a dedicated GPU.
> Performance are very good.
> I referenced some useful links here https://neowutran.ovh/qubeos.pdf


Nice write-up ... Thanks.
Why don't you add this information to the Qubes Community Docs, so that it
can be rea(che)d by a broader audience?

Hypertext is such a great invention compared to PDFs ;-)

- O



[qubes-users] Alt+Tab not redirected in AppVM

2019-04-09 Thread 799
Hello,

I am using a fedora-29 based AppVM ("my-office") to connect to my corporate
virtual desktop using VMware Horizon View.
Unfortunately the Alt+Tab key sequence is not forwarded into the virtual
desktop.
I totally understand that this has been done to improve security, so that no
AppVM can "catch" the mouse, but in this use case it is very annoying as I
need to switch application within the virtual desktop very often.

I have three ideas how to work around this problem:

1) Switch the Alt+Tab sequence in qubes to something like Windows+Tab, so
that Alt+Tab can be used in an AppVM

2) Disable Alt+Tab in a specific AppVM (not sure if this can be done)

3) Disable Alt+Tab if an AppVM goes into fullscreen mode (as it is always
possible to use Alt+Space to get out of fullscreen mode) when I work in my
corporate virtual windows desktop there is no danger, that I mess up and
getting lost between different AppVM window sessions.
(also not sure if this can be done, disabling Alt+Tab depending on the
fullscreen state).

I think the easiest way is 1) switching Alt+Tab against Windows+Tab.
Can this be done?

I looked into the Qubes Menu > Keyboard > Application Shortcut,  but
Alt+Tab is not present there.

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello qmirfw,

'qmirfw' via qubes-users wrote on Tue, 9 Apr 2019, 00:51:

> On Monday, April 8, 2019 11:40 PM, 799  wrote:
> > Any ideas what I am missing?
>
> I don't know. I just did a build using fedora (based on unmodified Qubes
> fedora-29 template) and got no error, final checksum checks out. This is
> what I did:
> (...)
>

Thanks for the summary, this is what I was looking for. I am using
fedora-29-minimal for all my AppVM's, therefore I didn't think that the
problem might be template related.
I'll run the same steps you did tomorrow.

As far as I have understood the VM is just for the building process and
that I can find the result a file called mirage-firewall.tar.bz2 in the
_build folder afterwards and that I need to transfer this folder to dom0
and unpack it to /var/lib/qubes/vm-kernels
Then I can use the new kernel.

Maybe a stupid question, but ...
As the AppVM including docker is just needed to build the kernel, wouldn't
it be much easier if the mirage-firewall can be added via a sudo
qubes-dom0-update like any other package?

Maybe only in the testing or a community repository?

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

I've created a howto page in the Qubes Community docs to collect all
information which is needed to build/install the mirage firewall for qubes
OS.
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

I tried to build mirage in a new template VM which is based on
fedora-29-minimal, but ran into an error.
Can you take a look and give me a hint what I am missing?

--- --- 8< --- --- --- ---

MirageTemplateVM=t-fedora-29-mirage
# create a new template VM
qvm-clone fedora-29-minimal $MirageTemplateVM

# Resize private disk to 10 GB
qvm-volume extend $MirageTemplateVM:private 10GB

# Create a symbolic link to save docker into the home directory
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'ln -s /var/lib/docker /home/user/docker'

# Install docker and git
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf -y install docker git'

# To get networking in the template VM
qvm-run --auto --user root --pass-io --no-gui $MirageTemplateVM \
  'dnf install qubes-core-agent-networking'
qvm-shutdown --wait $MirageTemplateVM
qvm-prefs $MirageTemplateVM netvm sys-firewall
qvm-start $MirageTemplateVM

# Launch docker
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'systemctl start docker'

# Download and build mirage for qubes
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'cd /home/user && \
   git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   ./build-with-docker.sh'

--- --- 8< --- --- --- ---

Unfortunately I ran into an error during the build process:

[...]
Building Firewall...
error while executing ocamlbuild -use-ocamlfind -classic-display -tags
bin_annot -quiet -Xs _build-solo5-hvt,_build-ukvm
-pkgs mirage config.cmxs
+ mkdir /home/opam/qubes-mirage-firewall/_build
mkdir: cannot create directory
'/home/opam/qubes-mirage-firewall/_build': Permission denied
Command exited with code 1.
Failure:
  Error during command "mkdir
/home/opam/qubes-mirage-firewall/_build":
Ocamlbuild_pack.My_std.Exit_with_code(10)


Maybe because there is no folder /home/opam/... ??

I have also integrated pull request 52 via:
qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'git pull origin pull/52/head && \
   rm -rf _build && \
   sudo ./build-with-docker.sh'

And I have manually created the missing folder above via

qvm-run --user root --pass-io --no-gui $MirageTemplateVM \
  'mkdir /home/opam/qubes-mirage-firewall/'

Even then I still run into the same error.

Any ideas what I am missing?

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-08 Thread 799
Hello,

'qmirfw' via qubes-users wrote on Mon, 8 Apr 2019, 16:08:

> (...)
> This is what I do:

(...)
>

Unfortunately I don't understand all steps, for example what ...
# Fix the reproducible build
git pull origin pull/52/head
... means.

As the firewall is very (!) important to keep Qubes OS/more specific the
AppVM separation safe, I will only use it, if there is a clear procedure
what needs to be done.

Will it only work with Debian 10 (which doesn't seem to be considered stable,
AFAIK it's not in the Qubes 4 productive repositories yet)?

I would like to see a document which takes the user from a default Qubes 4
installation and ends in a working mirage firewall.

Can we build it from a fedora-29 based template?

Also it would be great if we put up the howto on the Qubes Community Docs
so that we can improve it there for future use(rs).
As mentioned I would be happy contributing to the documentation but a
better starting point would be great.

I think a good howto would also include that all steps can be done from
dom0 (via qvm-run) to make it scriptable for future and simpler usage.

- O



Re: [qubes-users] Re: qubes-mirage-firewall 0.5

2019-04-07 Thread 799
Hello haaber,

As you have at least some more progress and are currently busy resolving
issues with the build process, maybe you can help me coming to this point.

haaber wrote on Mon, 8 April:

> (...) So: I did it, actually
> three times, more and more frustrated.


Are you using a standalone Debian VM to build the docker image?
Additionally, does it have to be a Debian 10?
As far as I know debian-10 is in testing (?).

I would like to use fedora-29 as my base image, as all my other templates
are also fedora based - will this work?

- O



Re: [qubes-users] qubes-mirage-firewall 0.5

2019-04-07 Thread 799
Hello Thomas,

Thomas Leonard wrote on Thu, 4 Apr 2019, 12:27:

> I'd like to announce the release of qubes-mirage-firewall 0.5:
> https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.5
> (...)
> For installation instructions, see:
> https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md,


thanks for the work you put into your mirage-firewall, as I have read your
announcement several times in the past, I'd like to give it a try, but I
would like to see some more information which is targeted towards newbies.
To me it is not clear how I can setup the mirage-firewall.
It seems that your suggestion is to build a docker image and while this is
covered in the installation howto (
https://github.com/mirage/qubes-mirage-firewall/blob/master/README.md) the
docker building must be started within an AppVM ... should this be a
template VM? a dedicated HVM? And should it be debian or fedora?
I'd like to have a step for step instruction which takes a standard Qubes
Installation as baseline and then ends in a working mirage firewall.
As mentioned I would be more than happy to contribute to the documentation,
but can you clarify the starting point?

So in which VM (and VM type) should I run those first steps:

[...]
Build from source
Clone this Git repository and run the build-with-docker.sh script:

sudo ln -s /var/lib/docker /home/user/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
sudo ./build-with-docker.sh
[...]

- O



Re: [qubes-users] sys-usb based on fedora-29-minimal >> what am I missing?

2019-03-31 Thread 799
Hello Unman,

On Wed, 27 Mar 2019 at 01:49, unman  wrote:

> The obvious question is, IS it attached to the qube? and HOW?
> Check what the widget says (I assume that's what you mean by GUI), then
> open a konsole in dom0 and run qvm-usb. Try to attach the device at the
> command line. Run qvm-usb again.
> Then in qube, run lsusb - what do you see?
>
> Incidentally, what happens if you use qvm-block to attach partition
> from the harddrive ? Does the drive appear in nautilus in the qube then?
>

I ran some additional tests with my custom sys-usb VM.
To summarize so far:
- sys-usb is working fine, but I am unable to mount usb storage devices
when I use my custom build image
- if I use the default fedora-28 (fat) template for sys-usb connecting usb
storage devices will work, therefore the root cause must be in the template
I am using for sys-usb.

Additionally I am able to mount the USB-drive manually from my sys-usb via
mount in the cli as root (in sys-usb).
Mounting it via GUI or attaching it to other AppVMs will not work.

-- O



Re: [qubes-users] Problem buildung a fedora-29-minimal-based sys-usb AppVM

2019-03-31 Thread 799
Hello Awokd,

On Sat, 30 Mar 2019 at 16:32, awokd  wrote:

> > [...]
> > QUESTION:
> > Any idea what I am missing, to get a sys-usb AppVM which is based on a
> > custom build fedora-29-minimal based template?
>
> This worked first try for me using your package list. I was able to use
> both qvm-block to attach and browse a USB drive's partition, as well as
> qvm-usb to pass the entire device. Could you be missing firmware for
> your USB controller?
>

I did some more tests and it is possible to mount my USB harddrive in the
sys-usb VM which is based on my custom-built fedora-29-minimal template.
Therefore I don't think that I am missing any drivers; additionally I can use
my mouse when it is attached to the USB port, which would likely also not
work if I were missing drivers.
The problem is that I am unable to connect a partition or the whole USB
device to another AppVM.
From dom0 it looks like it is connected, but the device will not be visible
in the other AppVM.
Another thing I have discovered is, that with the fedora-28 (fat template)
nautilus will show the partitions of an attached USB drive and clicking on
it will mount those partitions. If I use sys-usb with my custom built
template nautilus doesn't show the partitions (neither in sys-usb / nor in
the AppVM).

As mentioned I am able to mount the harddrive manually in my sys-usb, but
not via the GUI.
Can you tell me if this is working for you?

- O



[qubes-users] Boot Qubes into CLI

2019-03-25 Thread 799
Hello,

Is it possible to boot into Qubes without launching a desktop environment
while still being able to work in the CLI of an AppVM?
As some part of my work can be done in emacs/mu4e and org-mode I'd like
to give Qubes a try without using a desktop environment and see how big the
gain is regarding battery runtime.

- O



Re: [qubes-users] coreboot on modern hardware?

2019-03-25 Thread 799
Hello,

 wrote on Mon, 25 March 2019, 02:15:

> That was one of the first places I looked. Maybe I’m just a hardhead, but
> I found it difficult to believe that there really was no support for
> coreboot in any form for modern hardware.
>

The problem seems to be that on modern hardware it is not possible to run
unsigned firmware because of a feature on newer hardware called "boot guard".

https://www.phoronix.com/scan.php?page=news_item=Intel-Boot-Guard-Kills-Coreboot

What Intel is saying about this "feature":
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf

- O



Re: [qubes-users] coreboot on modern hardware?

2019-03-24 Thread 799
Hello,

 wrote on Sun, 24 March 2019, 10:11:

> On 2019-03-23 19:03, jrsmi...@gmail.com wrote:
> > Spent several hours yesterday trying to track down what I would need
> > to do to install coreboot on all of my computers, starting with my
> > Qubes box: a Lenovo Thinkpad T480.

[...]
> I'd suggest visiting https://coreboot.org/status/board-status.html to
> see if your box is compatible with coreboot. From what I can see, the
> T480 is not coreboot friendly.
>

The provided link is the right place to see, I have also invested some time
for the research before flashing my X230 with Coreboot and again when I
tried to flash my W540.
It seems that everything after the X230/T430/W530 is not corebootable.
On the other hand the ?30-Series offers enough performance for most
workloads.

Newer hardware will (very likely) not work with Coreboot (if you look into
Lenovo), and NOT buying Lenovo and talking about why you are not buying it
might be the only way to convince companies to change (even when this is
very (!) unlikely).

- O



Re: [qubes-users] Shrinking a private volume

2019-03-24 Thread 799
Hello Unman,

unman  wrote on Sun, 24 March 2019, 03:17:

> [...]
> We're all working on the assumption that you  have Qubes 4.0 - can you
> confirm that?
>

Yes, of course - sorry for not mentioning this, but I don't see why someone
would run Q3.2, I have switched to 4.0 shortly after the release and never
looked back.

> You can see what size is actually used on disk by using s flag to ls:
> so 'ls -lsS' will show you the apparent size and the actual size.
>

Thanks, I wasn't aware of this command option and will review the man page
for ls, to see if there are more interesting options.

> In 3.2, to attach a private.img try:
> qvm-block -A  dom0:/var/.
>

Will this also work under Qubes 4, as you are mentioning 3.2 specifically?
What are the commands to do so in 4.0?

- O



Re: Re[2]: [qubes-users] Responding to the Whonix trolls...

2019-03-02 Thread 799
cooloutac  wrote on Sat, 2 March 2019, 22:16:

> [...]
> Stop being a nazi.
>

Please don't write such quotes in a public forum, as someone who might
argue that he wants to silence the discussion (which doesn't have to be ok)
is something completely different from someone who was involved in
something like the holocaust.
Making such a comparison is totally unacceptable.

"As an online discussion grows longer, the probability of a comparison
involving Nazis or Hitler approaches 1"
(...) that is, if an online discussion (regardless of topic or scope) goes
on long enough, sooner or later someone will compare someone or something
to Adolf Hitler or his deeds, the point at which effectively the discussion
or thread often ends.

https://en.m.wikipedia.org/wiki/Godwin%27s_law

And no, I will not refresh the discussion at this point as it is not Qubes
related (anymore).

- O



Re: [qubes-users] Shrinking a private volume

2019-02-27 Thread 799
Hello Stuart,


On Wed, 27 Feb 2019 at 01:57, Stuart Perkins 
wrote:

>
> On Tue, 26 Feb 2019 22:30:35 +0100
> 799  wrote:
> >Honestly I don't understand why it is not possible to shrink a volume as
> >this is something which can be done in linux.
> >Does someone have an idea how to "reclaim" the free capacity from an AppVM?
>


> [...]
> Can you mount an additional "drive" in the storage qube?  Copy all the
> files with cp -r or rsync then rearrange things so the new disk image is
> the main one and delete the overgrown one?  Or, conversely, mount the
> storage qube's main drive in a regular appVM and do the same thing there?
>

Of course I could copy data from the old AppVM to an external HDD, create a
smaller Qube and then copy the data back.
But this doesn't feel like how it should be done in 2019 ;-)
I thought that there might be something like using resize2fs to make the image
smaller from within the AppVM and then use some magic to tell Qubes that it
can free up space.
But maybe another good idea, which you have brought up, is to mount the old
private.img and copy data to the new private.img of the new qube:

mkdir /tmp/old-private.img
sudo mount /var/lib/qubes/appvms//private.img /tmp/old-private.img
mkdir /tmp/new-private.img
sudo mount /var/lib/qubes/appvms//private.img /tmp/new-private.img

Then I could copy data from /tmp/old-private.img to /tmp/new-private.img

While this could be done from dom0, I don't want to do it from there, but
I'd prefer to mount the old private.img into the new AppVM.
I think this is something which can be done from the new AppVM qube, to
which I additionally mount the old private.img.
I just have to figure out how to do so; I haven't found something yet, but
afaik I've read it some time ago.
If someone has guidance, this would be helpful and could work as a "poor
man's" reduce disk alternative  ;-)

- O



Re: [qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

2019-02-26 Thread 799
Hello awokd,

>> [...]
>> You might want just the 800x600 setting, and maybe not Cirrus...
>> [...]

I was able to change the resolution, so that the android AppVM can run on
my lowres x230:
On launch I added the following line to grub: video=800x600-32

Unfortunately I have to do this on each run, as I don't know how and if I
can push those settings into the Android Qube.
I tried to find something like /boot from within the Android AppVM using
the Terminal Emulator, but I didn't succeed.
So how can I update grub of the Android AppVM?

- O



[qubes-users] Running Qubes on X230 with the FullHD Mod - someone tried this before?

2019-02-26 Thread 799
Hello,

for me the lenovo x230 is the perfect laptop to run qubes as it has a core
i7, SSD, 16GB RAM, working LTE-WWAN and can be "coreboot'ed" and using the
external slice battery pack it has a great battery runtime (even when
running Qubes).
The only problem I have is the low screen resolution from the stock display.

Some people have mod'ed their x230 adding a Full HD Display, as described
here:
https://forum.thinkpads.com/viewtopic.php?t=122640

As this process involves some working I'd like to know if someone within
the Qubes Community has tried this and how the success was when using the
machine with Qubes.

- O



[qubes-users] Problem buildung a fedora-29-minimal-based sys-usb AppVM

2019-02-26 Thread 799
Hello,

Since the first days using Qubes I made notes how I setup my templates and
AppVMs to be able to rebuild my system from scratch if parts of it get
compromised or if I migrate the system to other hardware.

I have been able to rebuild all my Sys-VMs (sys-net / sys-firewall /
sys-usb) from a fedora-26-minimal and fedora-28-minimal template but I am
struggling to do the same from a fedora-29-minimal template:
I am unable to get a working sys-usb AppVM.

Steps to reproduce:

# base template
template=fedora-29-minimal
# name of the new custom-built template
systemplate=t-fedora-29-sys
# clone template
qvm-clone "$template" "$systemplate"
# update template
qvm-run --auto --user root --pass-io --no-gui "$systemplate" 'dnf update -y'
# install a package missing from fedora-29-minimal; without it, GUI apps will not start
qvm-run --auto --user root --pass-io --no-gui "$systemplate" 'dnf install -y e2fsprogs'
# install required packages for Sys-VMs
qvm-run --auto --user root --pass-io --no-gui "$systemplate" \
'dnf -y install qubes-core-agent-qrexec qubes-core-agent-systemd \
 qubes-core-agent-networking polkit qubes-core-agent-network-manager \
 notification-daemon qubes-core-agent-dom0-updates qubes-usb-proxy \
 iwl6000g2a-firmware qubes-input-proxy-sender iproute iputils \
 NetworkManager-openvpn NetworkManager-openvpn-gnome \
 NetworkManager-wwan NetworkManager-wifi network-manager-applet'

I use this new template as base for my sys-net and sys-firewall AppVMs and
everything works, but sys-usb will not work as USB devices can't be
mounted, even within the sys-usb VM.

QUESTION:
Any idea what I am missing, to get a sys-usb AppVM which is based on a
custom build fedora-29-minimal based template?

If I use the default (fat) fedora-29 AppVM from the Qubes Repository as
Template for sys-usb, it is working fine.
So it is possible to use fedora-29 for sys-usb, but it seems that I am
missing some part to get it to work when building a template from the ground
up (using fedora-29-minimal as base template).

- O



[qubes-users] Shrinking a private volume

2019-02-26 Thread 799
Hello,

I've migrated ~150gb of data into a Qubes Storage Qube.
After cleaning up older files I have reduced the data to 100gb.
Now I'd like to free the additional 50gb so that dom0 can use this capacity
for other qubes.

Unfortunately I found out that shrinking volumes is not possible according
to the Qubes Docs:
--- --- ---
From: Qubes Docs > Resize Disk Image
https://www.qubes-os.org/doc/resize-disk-image/

[...] ext4 and most other filesystems do not support online shrinking [...]

   1. Create a new qube with smaller disk using Qube Manager or qvm-create
   2. Move data to the new qube using qvm-copy, backup & restore, or OS
   utilities
   3. Delete old qube using Qube Manager or qvm-remove

--- --- ---

As I have several files and subdirectories in the Storage Qube, I can't
run qvm-copy, but as I don't have enough free space I am also unable to zip
everything into one big file, qvm-copy this file to a new (smaller) storage
qube and then delete the old qube.
Is there a better way to shrink the volume or migrate the data to another Qube?

Honestly I don't understand why it is not possible to shrink a volume as
this is something which can be done in linux.

Does someone have an idea how to "reclaim" the free capacity from an AppVM?

- O



Re: [qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

2019-02-24 Thread 799
Hello,

 wrote on Mon, 25 Feb 2019, 03:17:

> (...)
> Hi, please note that Alex's guide was created just before Android-x86 Oreo
> was released. If you change
> 'repo init -u git://git.osdn.net/gitroot/android-x86/manifest -b android-x86-7.1-r2'
> to 'repo init -u git://git.osdn.net/gitroot/android-x86/manifest -b
> oreo-x86', you'll have no mouse issues. Just remember not to do Alex's
> steps on fixing the mouse if you do, as you'll just recreate the mouse
> problem.
>

Would you mind sharing your ISO, so that I can use it for testing? I want
to know what is working before going through the hassle of building my
own ISO.

> When you rebooted the appvm, and shut down the builder VM, the iso should
> have detached from the android appvm. Reboot Qubes if it hasn't.
>

Ok, thanks - I will try this.

> I've been changing resolution by affixing 'vga=(desired resolution code)'
> to the end of the kernel. You can type vga=ask to get a list of resolution
> codes.


Very good idea, haven't thought about this myself - is it also possible to
change the Grub Options from within Android to make the change persistent,
if I found a working Resolution?

One question that has not been answered so far is, if there is already a
setup howto in Qubes Docs or the Community Docs.

- O



Re: [qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

2019-02-24 Thread 799
Hello Alex,

I have successfully used your .ISO to build a test-android AppVM, following
your howto.

> Create android VM in dom0:
> qvm-create --class StandaloneVM --label green --property virt_mode=hvm android
> qvm-prefs android kernel ''
> qvm-prefs android 'sys-android'
I think this is a typo and should be:
qvm-prefs android netvm 'sys-android'
(while I have used sys-firewall as netvm)
> qvm-prefs android memory '2048'
> qvm-prefs android maxmem '2048'
> qvm-volume extend android:root 20g
> Start the android VM with iso:
> qvm-start android --cdrom=android-builder:/home/user/android-x86/out/target/product/x86_64/android_x86_64.iso
> Install android-x86 on xvda and reboot.
> Start android VM without iso:
> qvm-start android
> When it'll start, kill the VM and wait for it to halt.
> Configure android VM to use the mouse in dom0:
> sudo mkdir -p /etc/qubes/templates/libvirt/xen/by-name/
> sudo cp /etc/libvirt/libxl/android.xml /etc/qubes/templates/libvirt/xen/by-name/android.xml
> sudo sed -i -e 's/tablet/mouse/g' /etc/qubes/templates/libvirt/xen/by-name/android.xml
> Start android VM without iso and it should work fine:
> qvm-start android

Two Questions:
1) Is there any way to change the display resolution of the Android AppVM,
as I am running it on a LowRes x230 and the window is slightly too high?
2) Even after launching the android AppVM without the ISO, the ISO-Boot-Up
window comes up and I need to choose Other Options and then Boot from local
harddisk to continue booting the AppVM - any idea how to change this?
3) The mouse seems strange, as I see two mouse pointers, the one in dom0
and the one in android, and they are not synchronized.
While it is possible to use the mouse, it would be nice if there were only
one mouse pointer. Can this be done?

- O



Re: [qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

2019-02-24 Thread 799
On Sat, 1 Dec 2018 at 17:33,  wrote:

> On Saturday, December 1, 2018 at 5:47:52 AM UTC, alex.b...@gmail.com
> wrote:
> > [...]
> > Do you mind sharing the resulting images for testing? I'll have hard
> > time compiling this myself on old Core m3/8Gb machine...
>
> You can try this image, but I advise to build your own image for security
> reasons:
> https://drive.google.com/open?id=1KGDRe9iJgjb3nSBjFlK74Sa_nn08qYiq


I agree that building an own ISO would be good, but to make a test (if
Android really works) I think it's ok to use a prebuilt ISO.
Even better, if it would be possible to download and install it as a
template, like "qubes-testing-android-7.1-unofficial" from the testing
repositories.
Is this something that is possible (technically and also from the qubes
perspective, how the testing repos can be used) or do we need something
like a qubes-community-repository to separate packages better (something I
would prefer)?

- O



Re: [qubes-users] disposible vms for sys-net, firewall, usb?

2019-02-24 Thread 799
Hello Chris,

On Sun, 24 Feb 2019 at 00:22, Chris Laprise  wrote:

> [...]
> As you may already know, I created a Qubes service that provides most of
> the benefits of a dispVM by removing, hash checking, repopulating or
> whitelisting the contents of a VM's private volume:
>
> https://github.com/tasket/Qubes-VM-hardening
>  [...]


I'd like to test your script, but I need some more information how to start.
As far as I understand, I need to deploy your scripts in a template VM and
your script will do some magic, so that the AppVM (made from this template)
starts in a fresh way (like a disposable VM) but it is possible to add
changes which survive between reboots?

Can you give some more details for a complete walkthrough?
For example, how do I enable a service? Via the Qubes Settings > Services
Tab?

Also I haven't fully understood what happens when I enable the
*vm-boot-protect service*

- O



Re: [qubes-users] Android-x86 7.1-r2 with GAPPS installation guide

2019-02-24 Thread 799
Hello,

 wrote on Fri, 30 Nov 2018, 16:22:

> I've successfully build android-x86 7.1-r2 with gapps in whonix-14-ws
> AppVM.
> (...)


As far as I understand following the guide from Alex will result in a self
compiled Android ISO, which can be used to create an Android AppVM.

Has someone ported this information over to the Qubes Docs or at least
Qubes Community Docs, so that this valuable information doesn't get lost
and we have one place to collect all feedback and improve it?

One more thing:
Is it also possible to use a regular Fedora or Debian based AppVM as
Build-VM? I don't understand why Whonix has been used.

- O



Re: [qubes-users] disposible vms for sys-net, firewall, usb?

2019-02-23 Thread 799
Hello,

Stumpy  wrote on Sat, 23 Feb 2019, 17:58:

> (...) dvms could be used for things like sys-net usb and firewall which
> had never occurred to me.
> I may not be thinking about it right but that seemed like a really good
> security idea, so my question is, why is that not the default? (...)


I am also heavily interested in running "named" disposable VMs as sys-VMs
with one enhancement, that I am able to store the Wifi-Credentials in a
Vault-VM and that I can "push" the credentials into the sys-net VM when
launching it (maybe by some custom scripts which use qvm-run --pass-io from
dom0 to copy data from Vault-VM to the Sys-Net-VM).

- O



Re: [qubes-users] Re: Best ideal laptop for Qubes?

2019-02-23 Thread 799
 wrote on Sat, 23 Feb 2019, 14:35:

>
> Not quite sure why people try use Qubes with laptops. I found far better
> performance on desktops. Laptops are the opposite of flexible. PC's you can
> upgrade to your hearts content.
>

Maybe because for 90% a laptop offers enough performance, has much lower
space & power requirements and can be used flexibly?
And because maybe more people "have to use" computers than "like to
build" them themselves.
Just a guess ;-)

I was asking the other question:
Who is buying those desktop PCs today?

- O



Re: [qubes-users] dom0 command to update multiple templates?

2019-02-10 Thread 799
Hello,


On Fri, 8 Feb 2019, 03:52, Stumpy  wrote:

> I tried a variation or two of:
> sudo qvm-run -u root fedora-29 dnf update && sudo qvm-run -u root
> debian-8 apt-get update
> but none of them worked.
> The little sun icon/updater doesnt seem to be working completely yet
> though it be nice to just have everything check for then update with one
> neat little script, possible?
>

I have a very simple solution which is based on how I name my templates.

All AppVMs are based on my own templates, which I build from a minimal
image.
This is a script which will update all templates:

My templates are all named t---
Example: t-fedora-29-mail
This is a fedora 29 based template VM which has all packages installed I
need for my mail-AppVMs.

It's very simple but does the job, but it depends on how you name your
templates.
The other solution which has been sent to this list may be better if you
have another template naming.
Look here:
https://github.com/tasket/Qubes-scripts/blob/master/README.md

My (poor man) solution
https://github.com/one7two99/my-qubes/blob/master/dom0/update-all.sh

#!/bin/bash
# update-all.sh - Update all Template-VMs

# Update dom0
sudo qubes-dom0-update


# Update all Fedora templates
echo "[ Updating Fedora Templates ]"
for i in $(qvm-ls | grep Template | grep t-fedora | gawk '{ print $1 }'); do
  echo
  echo "Updating $i ..."
  qvm-run --auto --user root --pass-io "$i" 'dnf -y update'
  qvm-shutdown "$i"
  echo "... done."
done


# Update all Debian Templates
echo "[ Updating Debian Templates ]"
for i in $(qvm-ls | grep Template | grep t-debian | gawk '{ print $1 }'); do
  echo
  echo "Updating $i ..."
  qvm-run --auto --user root --pass-io "$i" 'apt-get update && apt-get -y upgrade'
  qvm-shutdown "$i"
  echo "... done."
done

# Update Whonix
#qvm-run --auto --user root --pass-io --no-gui whonix-gw-14 'apt-get -y update' && qvm-shutdown whonix-gw-14
#qvm-run --auto --user root --pass-io --no-gui whonix-ws-14 'apt-get -y update' && qvm-shutdown whonix-ws-14

# Update Whonix Templates
echo "[ Updating Whonix Templates ]"
for i in $(qvm-ls | grep Template | grep whonix | gawk '{ print $1 }'); do
  echo
  echo "Updating $i ..."
  qvm-run --auto --user root --pass-io "$i" 'apt-get update && apt-get -y upgrade'
  qvm-shutdown "$i"
  echo "... done."
done

- O
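
Added example (not part of the original post or the linked script): the same update loop driven by the CLASS column instead of grepping the whole table, so only real TemplateVMs are selected and a failed update is reported rather than followed by a silent shutdown. It assumes `qvm-ls --raw-data --fields NAME,CLASS` prints `name|class` lines as on Qubes 4.0; the function names and the sample VM list are made up for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names are hypothetical.

# Pick the in-template update command from the template name, following the
# t-fedora-* / t-debian-* / whonix-* naming used in the post.
update_cmd_for() {
  case "$1" in
    *fedora*)          echo 'dnf -y update' ;;
    *debian*|*whonix*) echo 'apt-get update && apt-get -y upgrade' ;;
    *)                 return 1 ;;
  esac
}

# stdin: "name|class" lines; stdout: "name<TAB>command" for each TemplateVM.
# Filtering on the class field ignores an AppVM whose name merely contains
# "Template", which a grep over the full table would pick up.
plan_updates() {
  while IFS='|' read -r name class; do
    [ "$class" = "TemplateVM" ] || continue
    if cmd=$(update_cmd_for "$name"); then
      printf '%s\t%s\n' "$name" "$cmd"
    else
      echo "skipped: $name (no update command known for this name)" >&2
    fi
  done
}

# stdin: the plan. A template is shut down only after its update succeeded;
# the function returns non-zero if any update failed.
# DRY_RUN=1 prints the commands instead of running them.
run_updates() {
  tab=$(printf '\t')
  failed=0
  while IFS="$tab" read -r name cmd; do
    # </dev/null keeps qvm-run --pass-io from consuming the rest of the plan
    if ${DRY_RUN:+echo} qvm-run --auto --user root --pass-io --no-gui "$name" "$cmd" </dev/null; then
      ${DRY_RUN:+echo} qvm-shutdown "$name"
    else
      echo "FAILED: $name (left running for inspection)" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Constructed sample of `qvm-ls --raw-data --fields NAME,CLASS` output.
SAMPLE='dom0|AdminVM
t-fedora-29-mail|TemplateVM
t-debian-9-sys|TemplateVM
whonix-ws-14|TemplateVM
Template-scratch|AppVM
t-arch|TemplateVM'

# Dry run over the sample. In dom0 the real call would be:
#   qvm-ls --raw-data --fields NAME,CLASS | plan_updates | run_updates
printf '%s\n' "$SAMPLE" | plan_updates | DRY_RUN=1 run_updates
```

Checking the exit status of `run_updates` in a cron job or wrapper makes an unpatched template visible instead of leaving it to be noticed by hand.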



Re: [qubes-users] Hijacking Threads

2019-02-02 Thread 799
Hello

On Sat, 2 Feb 2019, 12:31,  wrote:

> (...)
> Many times hijacking is used by a minority, as tactic to deflect
> attention away from or avoid answering the original question/comment/query.


Do you have any example where users do so and why should someone do this on
purpose?

So far I have seen the Qubes Community as very helpful.
I have learned a lot just because a discussion has evolved from a question
someone asked and while providing a solution new ideas come to mind.

(...)
> Me thinks the qubes user community works better if they control tighter
>

I think it's working very well and as we are not robots I like to keep
control as low as possible.
I think that strict control will not only put off users but also generate
more traffic and lead to stupid discussions about what is off topic and what is not.
Also who should make the decision?

- O.



[qubes-users] Help installing package in template VM via snap

2019-01-26 Thread 799
Hello,

I am trying to update my multimedia howto for Qubes and would like to use
a fedora-29-minimal template instead of debian.

I try to install a package via snap but the template VM is not allowed to
access the repository:

snap install , results in:
api.snapcraft.io ... read: connection refused.

Question:
What are the correct steps to allow internet access for the template VM?
If possible only to api.snapcraft.io?

I looked at the Qubes docs https://www.qubes-os.org/doc/software-update-vm/
but couldn't find a solution, can someone point me in the right direction?

- O



Re: [qubes-users] Re: looking for quickest way to copy text from dom0-Terminal to another VM

2019-01-26 Thread 799
On Sat, 26 Jan 2019, 04:33, Andrew David Wong wrote:

>
> Please take a look at this issue:
>
> https://github.com/QubesOS/qubes-issues/issues/3571



Happy to see that this topic (no clipboard from dom0) is at least known.
I don't agree that copying from dom0 is dangerous because "The user could
have secrets in dom0, e.g., keyfiles".


My passwords are in a vault VM and if someone messes up handling from dom0
it is very likely that he/she didn't understand the security concept behind
Qubes and therefore the user is likely the biggest attack surface NOT the
clipboard.

Please offer a solution where the user can choose (free software!!) to
enable/disable the clipboard (choosing means freedom).

It seems there is a workaround, can this be bound to a key (maybe also
using xclip in dom0)?
echo -n dom0 > qubes-clipboard.bin.source .

- O



Re: [qubes-users] looking for quickest way to copy text from dom0-Terminal to another VM

2019-01-25 Thread 799
Hello,

On Fri, 25 Jan 2019, 21:04, gone wrote:

> 1st of all, I have read this:
> https://www.qubes-os.org/doc/copy-from-dom0/
>
> Maybe I just draw a mental blank but I can't find a really
> quick way to copy text (not files) from dom0-Terminal to
> another VM (into a post like this for instance). I'm thinking
> of some easy and logical keyboard shortcuts like the ones
> that exist for copying text between domUs.
>

Feel free to use this script, which needs xclip to be installed in dom0 and
also the AppVM.
https://github.com/one7two99/my-qubes/blob/master/home/bin/qvm-xclip-from-vm

There is also a newer version which can copy from/to dom0 in one command.
Haven't uploaded it to GitHub yet.
Not as nice as the qubes clipboard but it does its job and I always have
a dom0 terminal open.

- O

>



Re: [qubes-users] Re: Can't open xterm from default fedora-29-minimal template

2019-01-14 Thread 799
Hello TonyT,

On Mon, 14 Jan 2019, 01:36, Tonyt wrote:

> [...]
> This sounds like this:
> https://github.com/QubesOS/qubes-issues/issues/4671
>
> Which I solved with this:
> The problem: missing e2fsprogs, so /rw cannot be prepared.
> quick workaround: qvm-run -u root --no-gui -p fedora-29-minimal 'dnf
> install -y e2fsprogs'
>

Amazing, this did the trick, I was able to get the fedora-29-minimal based
sys-vms running.
Thanks.

- O


