Re: [qubes-users] Disposable service VMs in 4.0rc1
On 10/13/2017 03:27 PM, Marek Marczykowski-Górecki wrote: On Fri, Oct 13, 2017 at 02:48:59PM +0200, David Hobach wrote: On 10/13/2017 02:24 PM, David Hobach wrote: The second instance will not start. The point is in Qubes 4.0 you can create DisposableVM, which have no persistent data (like private.img or root.img), but is persistent in terms of metadata (name, devices etc). I'm also curious whether starting a VM with a dependency to a stopped dvm-template will start a dvm or the template itself? What about VM autostart during boot? This all should work like with any other VM. The only difference is that VM restart revert VM data to the original state. I haven't tried exactly this configuration, but it should be something like this: # allow to create DispVMs based on sys-net; you can also use other VM # here, like fedora-25-dvm qvm-prefs sys-net template_for_dispvms true # create disposable netvm; all properties will be inherited from # sys-net (including 'autostart', 'provides_network' etc) qvm-create --class DispVM --template sys-net -l red disp-sys-net # detach network devices from sys-net and attach to disp-sys-net qvm-pci del sys-net dom0:02_00.0 qvm-pci add disp-sys-net dom0:02_00.0 # and set disp-sys-net as netvm, wherever you want qvm-prefs sys-firewall netvm disp-sys-net Thanks for the explanations! So basically with 4.0rc1 uniquely named & single instance dispVMs were introduced. That's awesome & quite some news by itself, thanks! At first sight I hadn't noticed it as the term dispVM may refer to generic dispVM instances disp[XYZ] or their templates as well. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d6c6ba0a-3258-cf69-415e-f1ce14d93590%40hackingthe.net. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature
Re: [qubes-users] Disposable service VMs in 4.0rc1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Oct 13, 2017 at 02:48:59PM +0200, David Hobach wrote: > On 10/13/2017 02:24 PM, David Hobach wrote: > > Hi all, > > > > did anyone test disposable VMs for sys-net, sys-firewall and sys-usb in > > 4.0rc1 yet? > > > > Especially since the installed defaults appear to be non-disposable if I > > recall correctly. > > > > According to [1] this is meant to be working though for at least sys-net > > & sys-usb. It doesn't say anything about sys-firewall, i.e. I'm not so > > sure whether that will break some Qubes core mechanics... This should work, but of course all changes in made directly there will be lost after restart. So, for example setting wifi password using network manager. This is one of the reasons why default setup still use non-disposable VMs there. > Plus what happens with your network card when you start the second instance > of a sys-net dvm? The second instance will not start. The point is in Qubes 4.0 you can create DisposableVM, which have no persistent data (like private.img or root.img), but is persistent in terms of metadata (name, devices etc). > > I'm also curious whether starting a VM with a dependency to a stopped > > dvm-template will start a dvm or the template itself? What about VM > > autostart during boot? This all should work like with any other VM. The only difference is that VM restart revert VM data to the original state. I haven't tried exactly this configuration, but it should be something like this: # allow to create DispVMs based on sys-net; you can also use other VM # here, like fedora-25-dvm qvm-prefs sys-net template_for_dispvms true # create disposable netvm; all properties will be inherited from # sys-net (including 'autostart', 'provides_network' etc) qvm-create --class DispVM --template sys-net -l red disp-sys-net # detach network devices from sys-net and attach to disp-sys-net qvm-pci del sys-net dom0:02_00.0 qvm-pci add disp-sys-net dom0:02_00.0 # and set disp-sys-net as netvm, wherever you want qvm-prefs sys-firewall netvm disp-sys-net - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJZ3y3iAAoJENuP0xzK19csjlYIAIAZ42rTS8pQucjPCGRKdqx0 zq0TeDpFnbprfVhWKhjqpunwcycTYh+iNe/RaDUBF6gp07J2E6PKu1OYWGBLPuXx pdh8LDXu9rldNkRAlc+oeFacnH6cK5lo46qwr90uD59SfXaJ36eTMJavwnHqDbE+ gvxJ3YzbtEM3NMl+IT4zm7jLMD78KG9LyttlWusibElEGPj0EL/+AKg74QzzI+qw DPa5+uaBpEfjPKg6C9XVXgGri7CuqKrSQsZ0XmHL6F36ardMjLKztP1fJhyL426w 8Nfs3wvfyac+zOXezMEV4bP6TwdF9EeTUnjTJ1VI5kyPZLaRJsQDQEnN65l4Jb0= =Am1Y -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20171013132717.GC10749%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Disposable service VMs in 4.0rc1
On 10/13/2017 02:24 PM, David Hobach wrote: Hi all, did anyone test disposable VMs for sys-net, sys-firewall and sys-usb in 4.0rc1 yet? Especially since the installed defaults appear to be non-disposable if I recall correctly. According to [1] this is meant to be working though for at least sys-net & sys-usb. It doesn't say anything about sys-firewall, i.e. I'm not so sure whether that will break some Qubes core mechanics... Plus what happens with your network card when you start the second instance of a sys-net dvm? I'm also curious whether starting a VM with a dependency to a stopped dvm-template will start a dvm or the template itself? What about VM autostart during boot? KR David [1] https://blog.invisiblethings.org/2017/10/03/core3.html "This provides lots of flexibility, e.g. it’s easy to create a customized DispVM for signing PDF documents, or various disposable service VMs, such as Net- and VPN- VMs. One just creates a normal AppVM, sets everything up there, e.g. loads keys, configures VPNs, connects to known WiFi networks, and then shuts down the AppVM and in place of it starts a DispVM based on that AppVM." -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e47f5b1b-4897-de22-7a3d-757705c8b302%40hackingthe.net. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature
[qubes-users] Disposable service VMs in 4.0rc1
Hi all, did anyone test disposable VMs for sys-net, sys-firewall and sys-usb in 4.0rc1 yet? Especially since the installed defaults appear to be non-disposable if I recall correctly. According to [1] this is meant to be working though for at least sys-net & sys-usb. It doesn't say anything about sys-firewall, i.e. I'm not so sure whether that will break some Qubes core mechanics... I'm also curious whether starting a VM with a dependency to a stopped dvm-template will start a dvm or the template itself? What about VM autostart during boot? KR David [1] https://blog.invisiblethings.org/2017/10/03/core3.html "This provides lots of flexibility, e.g. it’s easy to create a customized DispVM for signing PDF documents, or various disposable service VMs, such as Net- and VPN- VMs. One just creates a normal AppVM, sets everything up there, e.g. loads keys, configures VPNs, connects to known WiFi networks, and then shuts down the AppVM and in place of it starts a DispVM based on that AppVM." -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bc278a29-4d57-e116-c19f-8c35ce392785%40hackingthe.net. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature