Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 04:12:27PM -0400, Demi M. Obenour wrote:
> On 2020-05-24 15:58, Marek Marczykowski-Górecki wrote:
> >> That makes sense. Writing to a qube’s root volume from dom0 is a
> >> safe operation, since it doesn’t do anything that the qube could
> >> not already do itself. It would be nice if that could be done by
> >> `qvm-block import`, though.
> >
> > You can do that with `qvm-volume import`. And with some adjustments to
> > the qrexec policy, you can do that even from your buildvm.
>
> Something like
>
> buildvm arch ask,target=dom0
>
> in `/etc/qubes-rpc/policy/admin.vm.volume.Import+root`?

Yes. In practice, qvm-volume may want also:
- admin.vm.volume.Resize+root
- admin.vm.volume.Info+root
- admin.vm.List (unfortunately...)

and possibly a few more.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
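The policy adjustments from the message above, collected into a dom0 helper; this is an added example, not code from the thread or from the Qubes project. The `dom0` destination on the `admin.vm.List` rule, the `POLICY_DIR` override and the function names are assumptions, and the service list is only the one given above, which the message says may be incomplete.

```shell
#!/bin/sh
# Added example, not code from the thread. Intended for dom0, Qubes 4.0 policy format.
POLICY_DIR="${POLICY_DIR:-/etc/qubes-rpc/policy}"

# Admin API calls named in the thread, each limited to the "root" volume argument.
VOLUME_CALLS="admin.vm.volume.Import+root admin.vm.volume.Resize+root admin.vm.volume.Info+root"

# prepend_rule FILE RULE: put RULE on the first line of FILE unless the same
# line is already there. Rules are evaluated top to bottom and the first match
# wins, so a rule appended below a catch-all deny would never be reached.
prepend_rule() {
    file=$1
    rule=$2
    [ -e "$file" ] || : > "$file"
    if grep -qxF -- "$rule" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$rule"; cat "$file"; } > "$tmp" || return 1
    # Overwrite in place so the policy file keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# grant_volume_import SRC DST: SRC may touch only DST's root volume, and each
# call still raises a confirmation prompt ("ask") instead of passing silently.
grant_volume_import() {
    src=$1
    dst=$2
    for call in $VOLUME_CALLS; do
        prepend_rule "$POLICY_DIR/$call" "$src $dst ask,target=dom0" || return 1
    done
    # Assumption: the list call is addressed to dom0. It shows SRC the names of
    # the other qubes, which is the "unfortunately" in the message above.
    prepend_rule "$POLICY_DIR/admin.vm.List" "$src dom0 ask,target=dom0"
}

# list_grants SRC: print every service file that has a rule with SRC as its
# source, to review what the build qube can reach after the change.
list_grants() {
    grep -l -- "^$1[[:space:]]" "$POLICY_DIR"/* 2>/dev/null | sed 's|.*/||' | sort
}

# Usage (dom0): grant_volume_import buildvm arch && list_grants buildvm
```

Running `list_grants buildvm` after any later policy edit shows whether the build qube has picked up calls beyond these four.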
Re: [qubes-devel] Safe Arch install
On 2020-05-24 15:58, Marek Marczykowski-Górecki wrote:
>> That makes sense. Writing to a qube’s root volume from dom0 is a
>> safe operation, since it doesn’t do anything that the qube could
>> not already do itself. It would be nice if that could be done by
>> `qvm-block import`, though.
>
> You can do that with `qvm-volume import`. And with some adjustments to
> the qrexec policy, you can do that even from your buildvm.

Something like

buildvm arch ask,target=dom0

in `/etc/qubes-rpc/policy/admin.vm.volume.Import+root`?

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 03:53:24PM -0400, Demi M. Obenour wrote:
> On 2020-05-24 15:13, dhorf-qriry.020b9...@hashmail.org wrote:
> > On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:
> >
> >>> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
> >>>
> >>> can be run in either dom0 or (with a lot of policy adjustments
> >>> or a bazillion manual approvals and minor changes) an adminapi-vm.
> >>>
> >>> it is also mostly trivial to install the template-root right
> >>> from the buildvm. (skipping the "rpm" part entirely)
> >>
> >> How does one do that? That sounds promising.
> >
> >
> > see above shellscript for the general basic outline of "how to turn
> > a template rpm into a template vm".
> >
> > most of the qvm-something steps are also avail in appvms through
> > the adminapi these days. (== can be called from a buildvm)
> >
> > for "skipping the rpm part" prototype see
> > https://github.com/QubesOS/qubes-builder/pull/87
> > and related PRs/diffs.
> >
> > both the shellscript and builder integration are fully functional,
> > but need cleanup before they can be merged.
> > the main open issue is how to integrate a template-specific
> > settings-file (the "tplspec" parts) with the build process.
> > this is mostly needed for the mirage templates.
>
> That makes sense. Writing to a qube’s root volume from dom0 is a
> safe operation, since it doesn’t do anything that the qube could
> not already do itself. It would be nice if that could be done by
> `qvm-block import`, though.

You can do that with `qvm-volume import`. And with some adjustments to
the qrexec policy, you can do that even from your buildvm.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-devel] Safe Arch install
On 2020-05-24 15:13, dhorf-qriry.020b9...@hashmail.org wrote:
> On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:
>
>>> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
>>>
>>> can be run in either dom0 or (with a lot of policy adjustments
>>> or a bazillion manual approvals and minor changes) an adminapi-vm.
>>>
>>> it is also mostly trivial to install the template-root right
>>> from the buildvm. (skipping the "rpm" part entirely)
>>
>> How does one do that? That sounds promising.
>
>
> see above shellscript for the general basic outline of "how to turn
> a template rpm into a template vm".
>
> most of the qvm-something steps are also avail in appvms through
> the adminapi these days. (== can be called from a buildvm)
>
> for "skipping the rpm part" prototype see
> https://github.com/QubesOS/qubes-builder/pull/87
> and related PRs/diffs.
>
> both the shellscript and builder integration are fully functional,
> but need cleanup before they can be merged.
> the main open issue is how to integrate a template-specific
> settings-file (the "tplspec" parts) with the build process.
> this is mostly needed for the mirage templates.

That makes sense. Writing to a qube’s root volume from dom0 is a
safe operation, since it doesn’t do anything that the qube could
not already do itself. It would be nice if that could be done by
`qvm-block import`, though.

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 03:01:50PM -0400, Demi M. Obenour wrote:
> > https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
> >
> > can be run in either dom0 or (with a lot of policy adjustments
> > or a bazillion manual approvals and minor changes) an adminapi-vm.
> >
> > it is also mostly trivial to install the template-root right
> > from the buildvm. (skipping the "rpm" part entirely)
>
> How does one do that? That sounds promising.

see above shellscript for the general basic outline of "how to turn
a template rpm into a template vm".

most of the qvm-something steps are also avail in appvms through
the adminapi these days. (== can be called from a buildvm)

for "skipping the rpm part" prototype see
https://github.com/QubesOS/qubes-builder/pull/87
and related PRs/diffs.

both the shellscript and builder integration are fully functional,
but need cleanup before they can be merged.
the main open issue is how to integrate a template-specific
settings-file (the "tplspec" parts) with the build process.
this is mostly needed for the mirage templates.
Re: [qubes-devel] Safe Arch install
On 2020-05-24 14:49, dhorf-qriry.020b9...@hashmail.org wrote:
> On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
>> Is it possible to build an Arch install ISO in addition to the
>> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
>> my dom0, whereas installing from an ISO has no such problems.
>
> that is actually worse than copying a rpm to dom0.

I meant installing a qube from an ISO image in another qube.

>> Alternatively, is it possible to extract a root filesystem image
>> from an RPM and safely (without compromising dom0) import it into a
>> fresh TemplateVM?
>
> https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh
>
> can be run in either dom0 or (with a lot of policy adjustments
> or a bazillion manual approvals and minor changes) an adminapi-vm.
>
> it is also mostly trivial to install the template-root right
> from the buildvm. (skipping the "rpm" part entirely)

How does one do that? That sounds promising.

Sincerely,

Demi
Re: [qubes-devel] Safe Arch install
On Sun, May 24, 2020 at 02:36:00PM -0400, Demi M. Obenour wrote:
> Is it possible to build an Arch install ISO in addition to the
> TemplateVM RPMs? I would prefer to avoid copying the RPMs into
> my dom0, whereas installing from an ISO has no such problems.

that is actually worse than copying a rpm to dom0.

> Alternatively, is it possible to extract a root filesystem image
> from an RPM and safely (without compromising dom0) import it into a
> fresh TemplateVM?

https://github.com/xaki23/rzqubes/blob/master/misc/installtemplate.sh

can be run in either dom0 or (with a lot of policy adjustments
or a bazillion manual approvals and minor changes) an adminapi-vm.

it is also mostly trivial to install the template-root right
from the buildvm. (skipping the "rpm" part entirely)