Re: [qubes-users] Re: Qubes 4.2 installation problems due to Salt alone - what to do?

Thank you! The hardware clock had the wrong date. Therefore the error with salt.

Hmm, you might find it more useful to join the Qubes Forum, https://forum.qubes-os.org/

I wanted to reply, so you felt someone will help. Perhaps clarify some things.

Seems from your discussion of SALT, you know something of Linux.

If the standard install did not finish correctly. I am not thinking whatever is going on with SALT is the problem. But SALT commands might reveal to some what is happening?

So, for me in your situation, I would go through the detail of what I assumed was true, but might not be.

Can you clarify.

Why are you sure the computer in question is compatible with Qubes? Have you used Qubes on it before?

Did you install UEFI or Legacy? I use Legacy, UEFI is a different set of problems.

Does your computer have one or two drives? (I have one computer, with two drives, that will only let me install Qubes to one drive, and the other drive must not have anything on it. Other computers don't care. and I did not say it made sense)

Are you trying to accomplish a dual boot? (Qubes wants to be alone on the drive. Some folks have gotten dual boot to work. I have not tried)

Did you try to install Qubes on a drive that already had -something? (I have discovered that sometimes Qubes does not like to be installed over something else. Sometimes does not care.)

Can you devote this computer to using Qubes right now? Or is it a computer you use daily with another OS? (helps to limit suggestions to something that is more reasonable for you to try)

I think someone more knowledgeable than myself will come by and recognize your symptoms, and you don't have to worry about answering this. But it can't hurt.

In a coupla days, if you have not gotten it going, I will come back and add more suggestions. More confusion. but someone might recognize symptoms and make an easier fix.

Cheers.

On Sunday, April 14, 2024 at 12:58:26 PM UTC-4 Michael Singer wrote:

Dear Qubes Community,

I am trying to install Qubes 4.2. in vain, not because the hardware is incompatible, but because of Salt problems.

I verified the downloaded ISO according to the instructions, burned the ISO with various programs on a USB stick, among others with the DD command:

    dd if="./Qubes-R4.2.1-x86_64.iso" of="/dev/sda" status="progress" conv="fsync"

I have checked the result and it shows that the hash sum of the USB stick under /dev/sda is the same as the downloaded file:

    sudo dd if=/dev/sda bs=1M count=$(stat -c %s /home/user/QubesIncoming/XXX/Qubes-R4.2.1-x86_64.iso) iflag=count_bytes | sha256sum
    a942911a3a4975831324a064f70b34c6965c4e9f6c95afbc531f04d55f947376

When I start the computer with the USB stick and test the medium, the following appears first:

    Fragment sums: 2695f8d1(...)
    supported iso: no

Then, when the test has run 100 percent, the following appears:

    [FAILED]

If I install anyway, I have to cancel the automatic creation of sys-net, sys-usb and personal AppVMs, because otherwise I get an installation error because the installer does not set the PCI devices to disable strict reset.

At the end of the setup it still says: "initial config failed", see /var/log/salt/minion

The log there says:

    Specified ext_pillar interface qvm_prefs unavailable

And when I try to update dom0, it fails. The reason is noted in the same log file:

    Unable to detect release version
    Cannot prepare internal mirror list: SSL peer certificate or SSH remote key was not OK for https://mirrors.fedora(...)

Everything otherwise works according to the HCL report, including Suspend, Ethernet, USB, Speaker.

Strange thing was that no default-mgmt-dvm seemed to be present and was not started during update attempts.

I have already tried the installation with 4.2.0 and 4.2.1, with standard kernel and with the latest kernel.

How could I solve the problem?

Thank you,
Michael Singer

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/04644821-831b-4657-990d-84ab2c56309f%40posteo.de.
[qubes-users] Qubes 4.2 installation problems due to Salt alone - what to do?

Dear Qubes Community,

I am trying to install Qubes 4.2. in vain, not because the hardware is incompatible, but because of Salt problems.

I verified the downloaded ISO according to the instructions, burned the ISO with various programs on a USB stick, among others with the DD command:

    dd if="./Qubes-R4.2.1-x86_64.iso" of="/dev/sda" status="progress" conv="fsync"

I have checked the result and it shows that the hash sum of the USB stick under /dev/sda is the same as the downloaded file:

    sudo dd if=/dev/sda bs=1M count=$(stat -c %s /home/user/QubesIncoming/XXX/Qubes-R4.2.1-x86_64.iso) iflag=count_bytes | sha256sum
    a942911a3a4975831324a064f70b34c6965c4e9f6c95afbc531f04d55f947376

When I start the computer with the USB stick and test the medium, the following appears first:

    Fragment sums: 2695f8d1(...)
    supported iso: no

Then, when the test has run 100 percent, the following appears:

    [FAILED]

If I install anyway, I have to cancel the automatic creation of sys-net, sys-usb and personal AppVMs, because otherwise I get an installation error because the installer does not set the PCI devices to disable strict reset.

At the end of the setup it still says: "initial config failed", see /var/log/salt/minion

The log there says:

    Specified ext_pillar interface qvm_prefs unavailable

And when I try to update dom0, it fails. The reason is noted in the same log file:

    Unable to detect release version
    Cannot prepare internal mirror list: SSL peer certificate or SSH remote key was not OK for https://mirrors.fedora(...)

Everything otherwise works according to the HCL report, including Suspend, Ethernet, USB, Speaker.

Strange thing was that no default-mgmt-dvm seemed to be present and was not started during update attempts.

I have already tried the installation with 4.2.0 and 4.2.1, with standard kernel and with the latest kernel.

How could I solve the problem?

Thank you,
Michael Singer
[qubes-users] Kernel 5.15.XXX

Hi,

since a dom0-update at the beginning of July 2023 I get a black screen after the bootloader. I can only boot Qubes if I select Xen 4.14.5 with Linux kernel 5.15.103 in the bootloader instead of the default (Xen 4.14.5 with Linux kernel 6.1.35). See here: https://github.com/QubesOS/qubes-issues/issues/8354

Questions:

1) Will the kernel 5.15.103 be automatically deleted during the next dom0-update or do I not need to worry?
2) Is it possible to set the kernel 5.15.103 as default?

Kind regards,
Michael Singer
[qubes-users] Before I switch to Qubes 4.1: get clarity on some questions

Dear List,

Qubes 4.1 has been released. Before I dare to reinstall Qubes, I would like to get clarity on the following questions:

A) If I restore the backup of a debian standalone qube from Qubes 4.0 to Qubes 4.1, will it work? Will this qube then automatically use the Qubes 4.1 repository instead of Qubes 4.0 repository after an in-place upgrade of the standalone qube from debian 10 to debian 11 in Qubes 4.1?

B) If I restore the backup of an AppVM from Qubes 4.0 to Qubes 4.1, will that work if Debian 10 is no longer available as a template in Qubes 4.1?

C) Will the firewall configuration of a restored AppVM still work in Qubes 4.1? In Qubes 4.0 I had created rules on command line according to the following pattern:

    qvm-firewall untrusted add --before 0 accept 123.45.67.890/32 proto=tcp 465

Have a great day!
Michael Singer
Re: [qubes-users] Preventing opening windows of an AppVM from becoming the active window on the desktop

On 2/3/22 19:54, Sven Semmler wrote:

On 2/3/22 11:02, Michael Singer wrote:

Standard in the operating system Qubes is that an opening window automatically becomes the active window on the desktop.

Maybe this is an XFCE thing? Have you tried:

a) unchecking the "Honor standard ICCCM focus hint"
b) selecting "Do nothing" for "When a window raises itself:"

See "Focus" in "Window Manager Tweaks" using the XFCE settings app.

/Sven

Dear Sven,

thank you so much. This works for me. In addition, you still have to right click on the top of the frame of the window you are working in and select "Always on Top" there. Then everything works perfectly.

See you!
Michael Singer
[qubes-users] Preventing opening windows of an AppVM from becoming the active window on the desktop

Dear list,

I have a script running in an AppVM where the command "xdotool key" occurs frequently. The problem is that I cannot use the computer for other purposes while the script is running. Windows keep popping up while the script is running, and "xdotool key" does something to them.

Standard in the operating system Qubes is that an opening window automatically becomes the active window on the desktop. I am looking for a way to prevent exactly that for a specific app VM.

Would anyone know how to implement this? Either in a way that windows of this App-VM only become active when I actively click on them, or in a way that it is not possible to work with the windows of this AppVM at all until I revoke this setting?

Have a great day
Michael Singer
[qubes-users] Keep hard disk mounted when PC goes into suspend mode

Dear Qubes community,

I am trying to permanently mount a hard drive in such a way that it will not be removed when I put the computer into suspend mode. Unfortunately, it does not work when I do the following:

1) dom0: qvm-usb attach --persistent example-VM sys-usb:3-3
2) Open Nautilus in the example-VM and mount the harddisk.
3) Put the PC into suspend mode.

When the PC wakes up again, the hard disk is no longer accessible as sys-usb:3-3, but suddenly as sys-usb:5-3. Accordingly, the Nautilus window no longer shows the folders on the hard disk and the hard disk has disappeared from the Qube.

If you then mount the hard disk again in the example VM and put the PC into suspend mode and wake it up again, then it remains with sys-usb:5-3. The hard disk is then still assigned to the example VM, but is no longer mounted there. Accordingly, it is again the case that Nautilus displays an empty window.

I have experienced this with Qubes 4.0 and Gnome Debian.

Does anyone have an idea how to set it up so that the hard disk is still mounted after suspend mode?

Michael Singer
Re: [qubes-users] Qubes does not boot any more. Very abruptly. Who can help?

On 25.10.2021 12:12, Michael Singer wrote:

Dear Qubes community,

my qubes r4.0 legacy installation does not boot any more. Very abruptly, because I hadn't done any updates or changed anything in dom0 lately. There was also no power loss or anything. And I didn't move any larger files the last time I successfully used Qubes.

Whenever I try to boot, this happens: the boot loader appears normally and then I can enter the hard drive password as usual. After entering, the progress bar moves very slowly and the status LED on the PC suggests that the processor has nothing to work with. After a while the following appears:

    [ 215.211434] dracut-initqueue[396]: dracut-initqueue timeout - starting timeout scripts
    [ 215.314434] dracut-initqueue[396]: Warning: could not boot.
    [ 215.451434] dracut-initqueue[396]: Warning: /dev/qubes_dom0/swap does not exist
    Starting Dracut Emergency Shell...
    Warning: /dev/qubes_dom0/swap does not exist
    Generating "/run/initramfs/rdsosreport.txt"
    Entering emergency mode.

After those lines it asks if I want to save the error report to a USB stick or to /boot.

I also tried what happens if I enter a wrong password at startup: Then it prompts to enter it again - so the system still knows which is the correct password.

I checked the bios settings, but nothing changed there.

I have not tried what happens if I

- remove the hardware battery,
- select any option in the Advanced Options for Qubes in the boot loader, e.g. booting from another kernel,
- clone the SATA SSD to another SATA SSD and try to boot from that one,
- remove the PCIe card with the NVMe SSD from the computer, on which I recently tried unsuccessfully to install qubes (maybe the SATA installation of qubes is bothered by this?).

I have never had the problem that qubes does not start. Also the initial installation had worked immediately. All hardware dependencies that qubes has are fulfilled.

The above dracut-initqueue error text I knew so far only from the occasion where I had entered the password 2 times wrong. Then it had been reported that /dev/mapper/qubes_dom0-root as well as /dev/qubes_dom0/root and /dev/qubes_dom0/swap would not exist. But now the system just complains that /dev/qubes_dom0/swap would not exist. So maybe not a big error?

Could someone give me a tip on how to get the system working again or backup the important AppVMs to be able to move them to a new installation?

All the best and thank you in advance
Michael Singer

I have just solved the problem; the system starts up normally again. The solution was to overwrite the second and faulty installation on the pcie nvme disk.

I do not understand why my working sata installation scans the pci mass storage device at startup. Wait, I just remembered that I read a long time ago that something like this can happen with Qubes and Xen.

Is there maybe a way to prevent pci mass storage devices from being automatically scanned and mounted in dom0 afterwards?

All the best, thank you
Michael Singer
[qubes-users] Qubes does not boot any more. Very abruptly. Who can help?

Dear Qubes community,

my qubes r4.0 legacy installation does not boot any more. Very abruptly, because I hadn't done any updates or changed anything in dom0 lately. There was also no power loss or anything. And I didn't move any larger files the last time I successfully used Qubes.

Whenever I try to boot, this happens: the boot loader appears normally and then I can enter the hard drive password as usual. After entering, the progress bar moves very slowly and the status LED on the PC suggests that the processor has nothing to work with. After a while the following appears:

    [ 215.211434] dracut-initqueue[396]: dracut-initqueue timeout - starting timeout scripts
    [ 215.314434] dracut-initqueue[396]: Warning: could not boot.
    [ 215.451434] dracut-initqueue[396]: Warning: /dev/qubes_dom0/swap does not exist
    Starting Dracut Emergency Shell...
    Warning: /dev/qubes_dom0/swap does not exist
    Generating "/run/initramfs/rdsosreport.txt"
    Entering emergency mode.

After those lines it asks if I want to save the error report to a USB stick or to /boot.

I also tried what happens if I enter a wrong password at startup: Then it prompts to enter it again - so the system still knows which is the correct password.

I checked the bios settings, but nothing changed there.

I have not tried what happens if I

- remove the hardware battery,
- select any option in the Advanced Options for Qubes in the boot loader, e.g. booting from another kernel,
- clone the SATA SSD to another SATA SSD and try to boot from that one,
- remove the PCIe card with the NVMe SSD from the computer, on which I recently tried unsuccessfully to install qubes (maybe the SATA installation of qubes is bothered by this?).

I have never had the problem that qubes does not start. Also the initial installation had worked immediately. All hardware dependencies that qubes has are fulfilled.

The above dracut-initqueue error text I knew so far only from the occasion where I had entered the password 2 times wrong. Then it had been reported that /dev/mapper/qubes_dom0-root as well as /dev/qubes_dom0/root and /dev/qubes_dom0/swap would not exist. But now the system just complains that /dev/qubes_dom0/swap would not exist. So maybe not a big error?

Could someone give me a tip on how to get the system working again or backup the important AppVMs to be able to move them to a new installation?

All the best and thank you in advance
Michael Singer
[qubes-users] How to edit the NetworkManager settings of a named sys-net DispVM?

Dear Qubes community,

I have created a named sys-net debian DispVM. Then I wanted to change the network settings (disable ipv6, require ipv4, set dns server, spoof mac address etc). For this I put a ready configuration, the "Wired connection 1.nmconnection", under /rw/config/NM-system-connections in the template on which the named dispVM is based.

After I started the sys-net DispVM, I noticed that the configuration was present in /rw/config/NM-system-connections and in /etc/NetworkManager/system-connections, but it was apparently not used, because when I tried to edit the connection via the NetworkManager tray icon, my settings were not visible there.

Maybe this is because when starting the Qube first the network is booted before /rw is considered. Do you have any ideas how this can be solved?

All the best
Michael Singer
Re: [qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet

On Thu, Jul 17, 2021 at 12:29PM +0700, unman wrote:
> On Thu, Jul 15, 2021 at 06:07:59PM +0000, Michael Singer wrote:
>> On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
>>> On Wed, Jul 14, 2021 at 04:35:42PM +, Michael Singer wrote:
>>>> Would you let my Qube, which is supposed to connect to only one IP address on
>>>> the internet, be based on an extra firewall-vm? Would that be more secure?
>>>
>>> You could do this: it would have one particular advantage, in that you
>>> could set custom rules in sys-net to restrict access from that
>>> sys-firewall to the specified IP address.
>>
>> Do you have an example of the command line commands you use to set such
>> custom rules in an ordinary debian or fedora sys-net?
>
> Qubes uses NAT, so sys-net sees all traffic coming from the IP address
> of sys-firewall.
> If your new fw has IP - 10.137.0.200
> And target is 195.10.223.181
>
> `nft insert rule filter FORWARD index 1 ip saddr 10.137.0.200 ip daddr 195.10.223.181 tcp dport https accept`
> `nft insert rule filter FORWARD index 2 ip saddr 10.137.0.200 drop`
>
> Would do it.
> Adjust for your case, of course

Many thanks, unman! This is well explained.

Allow one more question: How would you do the same if sys-net is based on a OpenBSD template?

Best regards
Michael Singer
[qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet

On Thu, Jul 15, 2021 at 04:50:29PM +0700, unman wrote:
> On Wed, Jul 14, 2021 at 04:35:42PM +0000, Michael Singer wrote:
>> Would you let my Qube, which is supposed to connect to only one IP address on
>> the internet, be based on an extra firewall-vm? Would that be more secure?
>
> You could do this: it would have one particular advantage, in that you
> could set custom rules in sys-net to restrict access from that
> sys-firewall to the specified IP address.

Do you have an example of the command line commands you use to set such custom rules in an ordinary debian or fedora sys-net?

>> In the Qube settings for the services there is the service
>> "disable-default-route". I have not found anything about what it does. In my
>> case, would it be better to leave it on or turn it off?
>
> man qvm-service - this service will remove the default gateway entry. So
> a qube would be able to access immediate neighbours but not step beyond.
> It's not what you want here.

What are the immediate neighbors of a qube? Can both a qube using the default route and a qube with the disable-default-route service turned on access its immediate neighbors, or only a qube with the disable-default-route service turned on? In what situation is it useful for a qube to be able to access its immediate neighbors?

All the best
Michael
[qubes-users] Re: Safely set up a Qube to connect to only one IP address on the Internet

> On Wed, Jul 14, 2021 at 04:40:29, unman wrote:
> Disable all unnecessary services in the qube - that means almost all of
> them.

Where would you look for such services?

Would you let my Qube, which is supposed to connect to only one IP address on the internet, be based on an extra firewall-vm? Would that be more secure?

In the Qube settings for the services there is the service "disable-default-route". I have not found anything about what it does. In my case, would it be better to leave it on or turn it off?

Thank you for your reply and all the best
Michael Singer
[qubes-users] Safely set up a Qube to connect to only one IP address on the Internet

Dear Qubes community,

I am interested in your ideas on how you would set up a Qube as secure as possible to connect to a single ordinary internet site (not a VPN network) accessed directly via its IP address.

My ideas are:

1) Edit the Qube's firewall via dom0 as follows:

    $dom0: qvm-firewall NAME-OF-QUBE del --rule-no 0
    $dom0: qvm-firewall NAME-OF-QUBE add --before 0 drop
    $dom0: qvm-firewall NAME-OF-QUBE add --before 0 accept 127.127.127.127/32 proto=tcp 443

2) Go into the dom0-Qube settings and turn on the disable-dns-server service.

With these two settings, there should really be no DNS traffic anymore, right?

What else would you do?

Best wishes
Michael Singer
Re: [qubes-users] The safest way to search in files on an external hard drive

On 7/9/21 12:01 PM, Michael Singer wrote:

After decryption, my file system presents itself to me as an ordinary directory that I find somewhere under /media/xy. The encryption program used works in a way that the device in /dev/xvdi is always encrypted. Only what is currently accessed in the /media/xy folder is decrypted.

Consequently, it does not work if I use the following command to create a loop that I then mount in another qube, because it will not be decrypted there:

    $disp1: sudo losetup -r /dev/loop0 /dev/xvdi

On 7/9/21 18:04 PM, haaber wrote:

Why not sudo losetup -r /dev/loop0 /media/xy ?? That is what I do always, it works fine. After that, the widget (for example) allows to attach /dev/loop0 to other qubes. Best

Dear Bernhard,

this way it works only, if /media/xy would be a device. But it is an ordinary directory and losetup says: invalid argument.

Best regards
Michael Singer
Re: [qubes-users] The safest way to search in files on an external hard drive

On 19.06.21 at 15:00, Rusty Bird wrote:
>
>> [disp1]# (somehow decrypt /dev/xvdi, yielding a device /dev/mapper/something)
>> [disp1]# readlink /dev/mapper/something
>> ../dm-0
>
>> [dom0]# qvm-block attach --ro disp2 disp1:dm-0
>
>> [disp2]# (mount /dev/mapper/xvdi)
>
> Rusty
>

Dear Rusty Bird,

thank you for your help. I tried to get it done, but there is a problem:

After decryption, my file system presents itself to me as an ordinary directory that I find somewhere under /media/xy. The encryption program used works in a way that the device in /dev/xvdi is always encrypted. Only what is currently accessed in the /media/xy folder is decrypted.

Consequently, it does not work if I use the following command to create a loop that I then mount in another qube, because it will not be decrypted there:

    $disp1: sudo losetup -r /dev/loop0 /dev/xvdi

Unfortunately, I have not been able to mount or loop a directory to another qube via dom0 and the qvm-block command. I can mount a directory somewhere in the same qube using the mount tool, but I cannot make it available to dom0:

    sudo mount -r -o bind /media/xy /home/user/xy

How could I solve this? What commands are necessary in disp1?

Best regards
Michael Singer
[qubes-users] Re: How to assign keyboard shortcuts to a VM?

Dear unman,

thank you very much for your help (and thank you Sven for being so cooperative). It works fantastic.

So, for example, if we wanted to give a user instructions on how to start the screenshot tool via keyboard shortcut in any active Qube (assuming the tool is installed there), it would be like this:

1) Open xterm in dom0

2) Type "cd /home/USERNAME/Documents" and hit enter if you want your script to be saved there.

3) Type "nano Screenshot.sh" and press enter.

4) Type the following script:

    #!/bin/bash
    ID=`xdotool getwindowfocus`
    QUBE=`xprop _QUBES_VMNAME -id $ID|cut -f2 -d\" `
    if [[ "$QUBE" == "_QUBES_VMNAME: not found." ]]; then
      exit
    else
      qvm-run $QUBE "gnome-screenshot -a"
    fi

5) Press Ctrl+x, then y, then Enter.

6) Make the script executable by typing "chmod +x /home/USERNAME/Documents/Screenshot.sh" and pressing Enter.

7) Open System Tools > Keyboard > Application Shortcuts (this works in this way as long as you don't have the KDE desktop installed in dom0). Click "add". Type the path to your script: /home/USERNAME/Documents/Screenshot.sh Click "OK" and press a keyboard shortcut.

8) Now you are able to invoke the screenshot tool with your keyboard shortcut in the Qube you are working with and drag a frame with the mouse over what you want to take a picture of.* The pictures will be automatically saved in the folder "Pictures" in the home directory of the Qube.

*If you want the whole screen to be photographed automatically instead, change the line

    qvm-run $QUBE "gnome-screenshot -a"

to

    qvm-run $QUBE "gnome-screenshot"

You can find out more possibilities in the terminal of the Qube with the command "gnome-screenshot --help".

If it does not work, the program "gnome-screenshot" is not installed. Open a terminal of the template and install the program with "sudo dnf install gnome-screenshot" if it is a normal fedora template. If it is a Debian template, type "sudo apt-get install gnome-screenshot". After installation, shut down the template and restart the Qubes based on the template.

All the best
Michael Singer
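The dom0 script in the post above passes whatever `cut` extracts from the `xprop` output to `qvm-run` unquoted. The variant below is an added example, not part of the original post: it accepts only a well-formed `_QUBES_VMNAME(STRING) = "name"` line and checks the name before it reaches `qvm-run`. The function names and the naming rule (a leading letter, then letters, digits, `_` or `-`, at most 31 characters) are assumptions.

```sh
#!/bin/sh
# Added example: hardened form of the dom0 screenshot shortcut script.
LC_ALL=C; export LC_ALL   # keep the A-Z / a-z ranges below ASCII-only

# parse_qube_name LINE
# LINE is the output of `xprop _QUBES_VMNAME -id <window>`.
# Prints the qube name and returns 0 only if LINE has the form
#   _QUBES_VMNAME(STRING) = "name"
# and the name passes the naming rule assumed here. dom0 windows, which
# lack the property, and any other unexpected output return 1.
parse_qube_name() {
    line=$1
    case $line in
        '_QUBES_VMNAME(STRING) = "'*'"') ;;
        *) return 1 ;;
    esac
    name=${line#*'= "'}      # drop everything up to the opening quote
    name=${name%'"'}         # drop the closing quote
    case $name in
        '' | [!A-Za-z]* | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#name}" -le 31 ] || return 1
    printf '%s\n' "$name"
}

# Take an area screenshot in the qube that owns the focused window.
screenshot_focused_qube() {
    id=$(xdotool getwindowfocus) || return 1
    prop=$(xprop _QUBES_VMNAME -id "$id" 2>/dev/null) || return 1
    qube=$(parse_qube_name "$prop") || return 0   # dom0 window: nothing to do
    qvm-run "$qube" 'gnome-screenshot -a'
}

# Act only where the Qubes and X tools exist (dom0); elsewhere this file
# just defines the functions.
if command -v qvm-run >/dev/null 2>&1 && command -v xdotool >/dev/null 2>&1; then
    screenshot_focused_qube
fi
```

Saved under the path used in step 7, it can be bound to the keyboard shortcut in the same way as the original script.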
[qubes-users] How to assign keyboard shortcuts to a VM?

Dear Qubes community,

I am looking for a way to execute a command with a keyboard shortcut. For example, the command "screenshot" should start the screenshot program within the respective VM or the command "nautilus" should pop up a file browser window of the VM that is currently being worked with.

If I set up a keyboard combination for this in dom0 in the xfce keyboard settings, then I would have to set a different keyboard combination for each Qube:

    Ctrl+Alt+1 for Qube1: qvm-run Qube1 nautilus
    Ctrl+Alt+2 for Qube2: qvm-run Qube2 nautilus

So, how can I do the same thing at the qube level instead of in dom0?

You can install the autokey program, but it requires me to write a python script, and I don't know how to express a simple shell command in python.

All the best
Michael Singer
Re: [qubes-users] The safest way to search in files on an external hard drive
> Michael Singer:
>
>> I am looking for a really secure way to use Qubes for searching not
>> only a hard drive for file names, but for text that is in files.
>
>> The goal is to avoid an exploit in the searched files leading to a
>> takeover of the hard drive by malware.
>
>> The total size of all my files is too large for me to put them all
>> in one qube before searching for text in them.
>
>> Would it perhaps be possible to mount only a single partition of the
>> hard drive into a qube, but not with write permissions, only read
>> permissions?
>
> Yes, e.g. like this:
>
>     $ qvm-block attach --ro destinationvm sys-usb:sda1
>
> Then you can decrypt and mount the read-only /dev/xvdi in the
> destination VM.
>
>> I would do the search on command line, using "grep" for plain text
>> files, "pdfgrep" for PDFs, and something for table files, databases,
>> etc.
>
>> Is my idea feasible? And how secure would it be?
>
> Sounds fine to me. But malicious content could still exploit the
> destination VM, so consider attaching to a DisposableVM (after
> switching off its networking).
>
> If your partition is LUKS1[1] encrypted, Split dm-crypt[2] might be
> convenient. Its default behavior is to attach the decrypted partition
> to an offline DisposableVM:
>
>     $ qvm-block-split attach --ro sys-usb:sda1
>
> [1] TODO: LUKS2 support
> [2] https://github.com/rustybird/qubes-split-dm-crypt
>
> Rusty

Dear Rusty Bird,

thank you very much for your advice.

I had to find a way to mount the read-only volume in the destination qube. I discovered the page https://www.qubes-os.org/doc/block-devices/ But it doesn't say how to mount it either. The normal way with "$ sudo mount /dev/xvdi /mnt" does not seem to work for read-only. You have to tell the mount tool that it is a read-only device: "$ sudo mount -o ro,noload /dev/xvdi /mnt" This way it works. Perhaps this should be added to the documentation.

I read the notes about your split-dmcrypt-tool. Good work!
Let's assume I would not work with LUKS. Suppose I mount sda1 with read-only option set in a DispVM (after switching off its network), decrypt it there and search in the files. An exploit bug occurs and the VM is taken. Now it could happen that someone leaks the partition password to the internet via a covert channel.

So would it be safer to mount the decrypted volume again in another DispVM before we search it? And how would that be done? With the loopdevice method? What commands would you use in the terminal?

Many thanks
Michael Singer
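Added example, not part of any post in this thread: one way to script the read-only mount and text search described above inside the destination qube, refusing to mount unless the kernel confirms that the "--ro" attach took effect. The function names, the SYSFS_ROOT variable and the default mount point are assumptions made for this sketch, and it assumes an unencrypted ext3/ext4 filesystem directly on the attached device (e.g. /dev/xvdi).

```shell
#!/bin/bash
# Added example; run inside the destination qube (ideally an offline DisposableVM).
# Usage: ./search-ro.sh /dev/xvdi 'search text' [mountpoint]

# Where the kernel exposes block-device attributes; overridable for testing.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Succeeds only if the kernel itself reports the device as read-only,
# i.e. the "--ro" given to qvm-block in dom0 really took effect.
dev_is_readonly() {
    local name ro_file
    name="$(basename "$1")"
    ro_file="$SYSFS_ROOT/class/block/$name/ro"
    [ -r "$ro_file" ] && [ "$(cat "$ro_file")" = "1" ]
}

# Mounts the device read-only, lists files containing the text, unmounts.
search_volume() {
    local dev="$1" pattern="$2" mnt="${3:-/mnt}" rc
    if ! dev_is_readonly "$dev"; then
        echo "refusing to mount: $dev is not read-only" >&2
        return 2
    fi
    # ro,noload: read-only without replaying the ext3/ext4 journal;
    # nosuid,nodev,noexec: nothing on the volume can be run or gain privileges.
    sudo mount -o ro,noload,nosuid,nodev,noexec "$dev" "$mnt" || return 3
    # -r recurse, -I skip binary files, -l print file names only,
    # -F treat the pattern as fixed text, -- end of options.
    grep -rIlF -- "$pattern" "$mnt"
    rc=$?
    sudo umount "$mnt"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    search_volume "$@"
fi
```

The exit status is grep's own (0 for a match, 1 for none) unless the device check (2) or the mount (3) fails.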
[qubes-users] The safest way to search in files on an external hard drive
Dear Qubes community,

I am looking for a really secure way to use Qubes for searching not only a hard drive for file names, but for text that is in files.

The goal is to avoid an exploit in the searched files leading to a takeover of the hard drive by malware.

The total size of all my files is too large for me to put them all in one qube before searching for text in them.

Would it perhaps be possible to mount only a single partition of the hard drive into a qube, but not with write permissions, only read permissions?

I would do the search on command line, using "grep" for plain text files, "pdfgrep" for PDFs, and something for table files, databases, etc.

Is my idea feasible? And how secure would it be?

Best regards
Michael Singer