[qubes-users] Connect to the AppVM with VNC using Xen capabilities

2017-10-14 Thread msgheap
Hello.

I want to connect to one of my AppVMs with VNC from a remote host using Xen 
capabilities.
I wanted to do it with the custom Xen config, but I can't figure out how to 
change the default Xen config or use a custom Xen config to start my AppVM. I 
think it was possible in Qubes OS 3.2 with "qvm-start 
--custom-config=CUSTOM_CONFIG", but I've installed Qubes OS 4.0 
(current-testing) and there is no such option now.
I've found the location of the Xen configs used for VMs in 
/etc/libvirt/libxl/vmname.xml and tried to change the graphics type parameter 
from 'qubes' to 'vnc' in my AppVM config with virsh and then start the AppVM, 
but the Xen config keeps reverting back to its original state after I start 
the AppVM. Is it hardcoded for Qubes OS to overwrite this file every time I 
start a VM?
How can I enable vnc in Xen config for Qubes OS VM?
RDP/x11vnc and other services that can be installed in the guest OS are not an 
option, because I need to access the VM even if the network is broken in the 
VM.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/97fb90a5-e16a-4998-9b32-0ab29ead74bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to export (H)VMs from Qubes/Xen to VMware vSphere

2017-10-14 Thread Unman
On Sat, Oct 14, 2017 at 11:28:31PM +0100, Unman wrote:
> On Sat, Oct 14, 2017 at 03:22:36PM -0400, '[799]' via qubes-users wrote:
> > Hello,
> > 
> > as mentioned in the other thread, I was able to successfully create a cent 
> > os minimal HVM.
> > There are still some smaller problems, as for example the time from grub 
> > selection menu to the login prompt is ~10min, but at least I get a login 
> > prompt and can login.
> > 
> > *** Converting QEmu/Qubes disk to a VMware .vmdk image ***
> > >> Me: How can I get a (H)VM out of Qubes into a VMware VM.
> > > I assume you use Qubes 3.2. You can get VM's disk image from
> > > /var/lib/qubes/appvms//root.img. This is raw disk image in
> > > sparse file. You can convert it to vmdk using qemu-img tool, like this:
> > > qemu-img convert -f raw -O vmdk /path/to/root.img /path/to/root.vmdk
> > 
> > [USER@dom0 ~]$ ls -lah /var/lib/qubes/appvms/my-test/ | grep .img
> > -rw-rw-r-- 1 USER qubes 2.0G Oct 14 16:07 private.img
> > -rw-rw-r-- 1 USER qubes  20G Oct 14 17:26 root.img
> > -rw-rw-r-- 1 USER qubes  22G Oct 14 16:07 volatile.img
> > 
> > During the installation of Cent OS, I chose to only use the 20GB root 
> > image, not the private 2GB image, as such I didn't understand the size ls 
> > is reporting.
> > 
> > [USER@dom0 home]$ du -sh /var/lib/qubes/appvms/my-test/* | grep .img
> > 0 /var/lib/qubes/appvms/my-test/private.img
> > 1.3G /var/lib/qubes/appvms/my-test/root.img
> > 0 /var/lib/qubes/appvms/my-test/volatile.img
> > 
> > these file sizes make more sense to me.
> > As Marek suggested I tried to convert the image using qemu-img, but as this 
> > is not available in dom0 I used qemu-img-xen:
> > (my-test is my newly created Cent OS HVM, created from a CentOS minimal ISO)
> > 
> > cd /var/lib/qubes/appvms/my-test
> > qemu-img convert -f raw -O vmdk root.img root.vmdk
> > 
> > this throws an error directly after starting:
> > qemu-img: error while writing
> > 
> > I have also looked at
> > https://www.howtoforge.com/how-to-convert-a-xen-virtual-machine-to-vmware
> > but this uses another syntax (which I also tried but didn't work).
> > 
> > Strangely trying to get information from my root.img via...
> > qemu-img-xen info root.img
> > .. results in an error:
> > qemu-img: Could not open 'root.img'
> > While I am in the folder and I can see the file with ls.
> > 
> > Any idea where to go from here?
> > Can someone try to run qemu-img-xen on their system to see if they can get 
> > any information out of their image files?
> > 
> > [799]
> 
> For info to work specify '-f raw'
> 
> I've never got qemu-img-xen in dom0 to work properly for conversion.
> A reasonable workaround is to install qemu-img in a qube, and then
> attach the root.img using qvm-block -A .
> 
> Then you can run qemu-img convert in the qube, and export it from there
> as you wish. Works reasonably well.
> 
> unman

Also, for completeness I should say that while nested virtualisation
is not supported, it IS possible.
I've run both virtualbox and vmware from within qubes in the past - the
performance isn't great and the security considerations might put you
off, but it is possible.
You will have to do some hacking about to get the kernel modules
working, and I wouldn't generally recommend it. Vmware I couldn't get
working on Debian at all.



[qubes-users] Idea for (resonable secure) cloud-storage usage with Qubes

2017-10-14 Thread '[799]' via qubes-users
Hello,
I thought about how to work with cloud storage under Qubes OS and I'd like to 
share my idea with you, to provide feedback.
I have already built a prototype that works "reasonably" well, but I am far 
away from being a security professional, as such I'd like to hear your opinion 
about it.
Assumptions:
You are using cloud storage like Microsoft OneDrive and you would like to do so 
under Qubes in a more secure way.
Goals:
- all files within onedrive should be encrypted
- files should still be accessible/decryptable from other Operating systems
- decrypted data storage and cloud storage access should be separated into two 
AppVMs
- different AppVMs should have access to data in the cloud storage, but it's 
impossible for an AppVM to read the data which should be read by other AppVMs 
(meaning you have the option to create individually encrypted directories)
- solution should be easy to use and relying on scripts to provide good 
automation and a good tradeoff between security and user experience.

Idea:
In order to reach the goals, the idea is to work with two AppVMs:
1. "Access+Transfer AppVM" this VM will access the cloud storage provider, 
provide synchronisation and will always see encrypted data
2. "Storage-AppVM" this VM will receive the encrypted files from the 
Access+Transfer AppVM and store the files. It will also work as a data-hub to 
provide access to data to your other AppVMs which you use to manipulate the 
data within this VM.

As such we have separated:
- Access & Transfer of data from cloud storage provider
- Local data storage
- Data manipulation

Solution Design:
[Access+Transfer AppVM]
Template: fedora-25-minimal
Additional packages:
- OneDrive Freeclient (https://github.com/skilion/onedrive)
- sudo dnf -y install nfs-utils
Will be configured to mount a NFS-share from the Storage AppVM and to access 
OneDrive to synchronize the files
Data will be downloaded and stored in the mounted NFS-Share of the Storage AppVM

[Storage App-VM]
Template: fedora-25-minimal
Additional packages:
- sudo dnf -y install nfs-utils encfs
This machine has been setup as a NFS Server.
The /etc/exports file and also the iptables Firewall of this AppVM has been 
setup, so that the [Access+Transfer AppVM] can access a certain location.
Within this location all files are ENCFS-encrypted.
As such the Access+Transfer AppVM but also the Cloud Storage provider will only 
see encrypted files.
Additional AppVMs can also mount the main NFS Share/directory.
Those AppVMs can access certain subfolders and mount them via ENCFS to get the 
unencrypted data.
So the ENCFS decryption is done in those AppVMs.
You could setup various subfolders within your Onedrive directory and each 
folder could be encrypted within the different AppVMs.
Example:
onedrive\photos --> NFS Share to --> my-photo-appvm
onedrive\work --> NFS Share to --> my-work-appvm
onedrive\media --> NFS Share to --> my multimedia-appvm

Let's look at one AppVM (example my-work-appvm = 10.137.2.25 // storage-appvm = 
10.137.2.20)
On sys-firewall there is a rule, so that the work-appvm can access the 
storage-appvm:
[user@sys-firewall ~]$ sudo iptables -I FORWARD 2 -s 10.137.2.25 -d 10.137.2.20 -j ACCEPT

On the storage appvm:
[user@my-storage ~]$ sudo iptables -I INPUT 5 -i eth0 -s 10.137.2.25 -d 10.137.2.20 -j ACCEPT
The NFS Exports file:
[...]
# 10.137.2.15 = Access+Transfer AppVM
/var/nfs 10.137.2.15(rw,sync,no_subtree_check)
# 10.137.2.25 = Work AppVM
/var/nfs/work 10.137.2.25(rw,sync,no_subtree_check)
[...]

In the Work AppVM you are mounting the NFS Share from the Storage AppVM:
sudo mount 10.137.2.20:/var/nfs/work /mnt/onedrive-work.encfs

In Order to access the files, the NFS share is encfs-mounted:
encfs /mnt/onedrive-work.encfs ~/work

the unencrypted files can be accessed in ~/work.
If saved they will be encfs-encrypted and stored to NFS share of the Storage 
AppVM.
The Storage AppVM is connected to the Access-Transfer-AppVM which will 
recognize that an (encrypted) file has changed and will upload it to Onedrive.

As you can guess, you can use different AppVMs, which access different 
subfolders with different ENCFS-Keys.
For additional security you can also choose to shutdown the Access+Transfer 
AppVM and disable the NFS Server in the Storage AppVM if you don't need access 
to the files.

Script to start the NFS Server from dom0
#!/bin/bash
qvm-run my-storage 'xterm -e "sudo systemctl start nfs"'
sleep 2

Scripts to unencrypt the data in an AppVM from dom0:
#!/bin/bash
qvm-run my-work 'xterm -e "encfs /mnt/onedrive-work.encfs ~/work"'

Script to unmount the unencrypted share in an AppVM:
#!/bin/bash
qvm-run my-untrusted 'xterm -e "fusermount -u ~/work"'

I have already a working prototype, regarding the NFS server and ENCFS-part and 
will now add the onedrive part.

What's your opinion about this approach (I hope I could make clear what the 
idea is) - am I opening too many attack possibilities because I need to have NFS 
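
Added example, not part of the original post: a small audit of the /etc/exports layout quoted above, listing which client addresses can reach a given directory. It assumes everything under /var/nfs sits on one filesystem, so a client allowed to mount a parent export also reaches its subdirectories; the function names and /var/nfs/photos are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post). The two export lines are copied from the
# message above; the sample text as a whole is constructed for illustration.
SAMPLE_EXPORTS='# 10.137.2.15 = Access+Transfer AppVM
/var/nfs 10.137.2.15(rw,sync,no_subtree_check)
# 10.137.2.25 = Work AppVM
/var/nfs/work 10.137.2.25(rw,sync,no_subtree_check)'

# clients_for DIR
# Reads exports text on stdin and prints, sorted and space-separated, every
# client whose export is DIR itself or a parent directory of DIR.
clients_for() {
    awk -v dir="$1" '
        $1 ~ /^#/ || NF < 2 { next }        # skip comments and blank lines
        {
            edir = $1
            sub(/\/+$/, "", edir)           # normalise a trailing slash
            if (edir == "") edir = "/"
            # exact match, or prefix match ending on a path component boundary
            covered = (dir == edir) || (edir == "/") || (index(dir, edir "/") == 1)
            if (!covered) next
            for (i = 2; i <= NF; i++) {
                host = $i
                sub(/\(.*/, "", host)       # strip the "(options)" part
                if (host != "") print host
            }
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# shared_dirs
# Reads exports text on stdin and prints "DIR: clients" for every exported
# directory that more than one client can reach. On those directories the
# separation between VMs rests on the EncFS encryption, not on NFS.
shared_dirs() {
    exports_text=$(cat)
    printf '%s\n' "$exports_text" |
        awk '$1 !~ /^#/ && NF >= 2 { print $1 }' | sort -u |
        while IFS= read -r d; do
            c=$(printf '%s\n' "$exports_text" | clients_for "$d")
            case "$c" in
                *' '*) printf '%s: %s\n' "$d" "$c" ;;
            esac
        done
}

# Report for the sample layout.
printf '%s\n' "$SAMPLE_EXPORTS" | shared_dirs
```

For the layout in the post this reports /var/nfs/work as reachable by both the Access+Transfer AppVM and the Work AppVM, which matches the design: the transfer VM sees every subfolder, but only as EncFS ciphertext.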

Re: [qubes-users] Ubuntu Template

2017-10-14 Thread Unman
On Sat, Oct 14, 2017 at 10:06:01PM +0200, rysiek wrote:
> Hey all,
> 
> got the build environment up and running, tried building Ubuntu Xenial and 
> Zesty images, both failed with:
> 
>debian/rules override_dh_install
> make[1]: Entering directory '/home/user/qubes-src/core-agent-linux'
> dh_install --fail-missing
> dh_install: qubes-core-agent missing files: lib/systemd/system/avahi-
> daemon.service.d/30_qubes.conf
> dh_install: qubes-core-agent missing files: lib/systemd/system/
> exim4.service.d/30_qubes.conf
> dh_install: qubes-core-agent missing files: lib/systemd/system/netfilter-
> persistent.service.d/30_qubes.conf
> dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyc exists in debian/tmp 
> but is not installed to anywhere
> dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyo exists in debian/tmp 
> but is not installed to anywhere
> dh_install: missing files, aborting
> debian/rules:28: recipe for target 'override_dh_install' failed
> make[1]: *** [override_dh_install] Error 2
> make[1]: Leaving directory '/home/user/qubes-src/core-agent-linux'
> debian/rules:12: recipe for target 'binary' failed
> make: *** [binary] Error 2
> dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 
> 2
> /home/qubes/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:200: 
> recipe for target 'dist-package' failed
> make[2]: *** [dist-package] Error 2
> 
> Using git://github.com/marmarek/qubes-builder.git master branch. What am I 
> missing?
> 
> -- 
> Regards,
> Michał "rysiek" Woźniak
> 
> Changing my GPG key :: http://rys.io/pl/147
> GPG Key Transition :: http://rys.io/en/147
> 

It's the same error reported by OP.
Ubuntu template build hasn't yet been updated to 4.0



Re: [qubes-users] How to export (H)VMs from Qubes/Xen to VMware vSphere

2017-10-14 Thread Unman
On Sat, Oct 14, 2017 at 03:22:36PM -0400, '[799]' via qubes-users wrote:
> Hello,
> 
> as mentioned in the other thread, I was able to successfully create a cent os 
> minimal HVM.
> There are still some smaller problems, as for example the time from grub 
> selection menu to the login prompt is ~10min, but at least I get a login 
> prompt and can login.
> 
> *** Converting QEmu/Qubes disk to a VMware .vmdk image ***
> >> Me: How can I get a (H)VM out of Qubes into a VMware VM.
> > I assume you use Qubes 3.2. You can get VM's disk image from
> > /var/lib/qubes/appvms//root.img. This is raw disk image in
> > sparse file. You can convert it to vmdk using qemu-img tool, like this:
> > qemu-img convert -f raw -O vmdk /path/to/root.img /path/to/root.vmdk
> 
> [USER@dom0 ~]$ ls -lah /var/lib/qubes/appvms/my-test/ | grep .img
> -rw-rw-r-- 1 USER qubes 2.0G Oct 14 16:07 private.img
> -rw-rw-r-- 1 USER qubes  20G Oct 14 17:26 root.img
> -rw-rw-r-- 1 USER qubes  22G Oct 14 16:07 volatile.img
> 
> During the installation of Cent OS, I chose to only use the 20GB root 
> image, not the private 2GB image, as such I didn't understand the size ls is 
> reporting.
> 
> [USER@dom0 home]$ du -sh /var/lib/qubes/appvms/my-test/* | grep .img
> 0 /var/lib/qubes/appvms/my-test/private.img
> 1.3G /var/lib/qubes/appvms/my-test/root.img
> 0 /var/lib/qubes/appvms/my-test/volatile.img
> 
> these file sizes make more sense to me.
> As Marek suggested I tried to convert the image using qemu-img, but as this 
> is not available in dom0 I used qemu-img-xen:
> (my-test is my newly created Cent OS HVM, created from a CentOS minimal ISO)
> 
> cd /var/lib/qubes/appvms/my-test
> qemu-img convert -f raw -O vmdk root.img root.vmdk
> 
> this throws an error directly after starting:
> qemu-img: error while writing
> 
> I have also looked at
> https://www.howtoforge.com/how-to-convert-a-xen-virtual-machine-to-vmware
> but this uses another syntax (which I also tried but didn't work).
> 
> Strangely trying to get information from my root.img via...
> qemu-img-xen info root.img
> .. results in an error:
> qemu-img: Could not open 'root.img'
> While I am in the folder and I can see the file with ls.
> 
> Any idea where to go from here?
> Can someone try to run qemu-img-xen on their system to see if they can get 
> any information out of their image files?
> 
> [799]

For info to work specify '-f raw'

I've never got qemu-img-xen in dom0 to work properly for conversion.
A reasonable workaround is to install qemu-img in a qube, and then
attach the root.img using qvm-block -A .

Then you can run qemu-img convert in the qube, and export it from there
as you wish. Works reasonably well.

unman



Re: [qubes-users] Ubuntu Template

2017-10-14 Thread rysiek
Hey all,

got the build environment up and running, tried building Ubuntu Xenial and 
Zesty images, both failed with:

   debian/rules override_dh_install
make[1]: Entering directory '/home/user/qubes-src/core-agent-linux'
dh_install --fail-missing
dh_install: qubes-core-agent missing files: lib/systemd/system/avahi-
daemon.service.d/30_qubes.conf
dh_install: qubes-core-agent missing files: lib/systemd/system/
exim4.service.d/30_qubes.conf
dh_install: qubes-core-agent missing files: lib/systemd/system/netfilter-
persistent.service.d/30_qubes.conf
dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyc exists in debian/tmp 
but is not installed to anywhere
dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyo exists in debian/tmp 
but is not installed to anywhere
dh_install: missing files, aborting
debian/rules:28: recipe for target 'override_dh_install' failed
make[1]: *** [override_dh_install] Error 2
make[1]: Leaving directory '/home/user/qubes-src/core-agent-linux'
debian/rules:12: recipe for target 'binary' failed
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 
2
/home/qubes/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:200: 
recipe for target 'dist-package' failed
make[2]: *** [dist-package] Error 2

Using git://github.com/marmarek/qubes-builder.git master branch. What am I 
missing?

-- 
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147



Re: [qubes-users] How to export (H)VMs from Qubes/Xen to VMware vSphere

2017-10-14 Thread '[799]' via qubes-users
Hello,

as mentioned in the other thread, I was able to successfully create a cent os 
minimal HVM.
There are still some smaller problems, as for example the time from grub 
selection menu to the login prompt is ~10min, but at least I get a login 
prompt and can login.

*** Converting QEmu/Qubes disk to a VMware .vmdk image ***
>> Me: How can I get a (H)VM out of Qubes into a VMware VM.
> I assume you use Qubes 3.2. You can get VM's disk image from
> /var/lib/qubes/appvms//root.img. This is raw disk image in
> sparse file. You can convert it to vmdk using qemu-img tool, like this:
> qemu-img convert -f raw -O vmdk /path/to/root.img /path/to/root.vmdk

[USER@dom0 ~]$ ls -lah /var/lib/qubes/appvms/my-test/ | grep .img
-rw-rw-r-- 1 USER qubes 2.0G Oct 14 16:07 private.img
-rw-rw-r-- 1 USER qubes  20G Oct 14 17:26 root.img
-rw-rw-r-- 1 USER qubes  22G Oct 14 16:07 volatile.img

During the installation of Cent OS, I chose to only use the 20GB root image, 
not the private 2GB image, as such I didn't understand the size ls is reporting.

[USER@dom0 home]$ du -sh /var/lib/qubes/appvms/my-test/* | grep .img
0 /var/lib/qubes/appvms/my-test/private.img
1.3G /var/lib/qubes/appvms/my-test/root.img
0 /var/lib/qubes/appvms/my-test/volatile.img

these file sizes make more sense to me.
As Marek suggested I tried to convert the image using qemu-img, but as this is 
not available in dom0 I used qemu-img-xen:
(my-test is my newly created Cent OS HVM, created from a CentOS minimal ISO)

cd /var/lib/qubes/appvms/my-test
qemu-img convert -f raw -O vmdk root.img root.vmdk

this throws an error directly after starting:
qemu-img: error while writing

I have also looked at
https://www.howtoforge.com/how-to-convert-a-xen-virtual-machine-to-vmware
but this uses another syntax (which I also tried but didn't work).

Strangely trying to get information from my root.img via...
qemu-img-xen info root.img
.. results in an error:
qemu-img: Could not open 'root.img'
While I am in the folder and I can see the file with ls.

Any idea where to go from here?
Can someone try to run qemu-img-xen on their system to see if they can get any 
information out of their image files?

[799]



Re: [qubes-users] Mac-Spoofing Doesn’t Work

2017-10-14 Thread Person
I somehow still am not allowed to install Fedora 25. Every time I restart it, 
Fedora makes me download the update again, but the install button still lags.



Re: [qubes-users] After updating Debian Kernel in VM, initramfs can't init

2017-10-14 Thread Marek Marczykowski-Górecki

On Wed, Feb 08, 2017 at 03:58:57PM -0800, nicholas roveda wrote:
> I've just updated the Kernel inside of the Debian Template to the 4.9.2 
> version and now, the machine can't start.
> 
> 
> - I installed grub2-xen in dom0
> 
> - I installed 'qubes-kernel-vm-support', 'kernel-package' and 'grub2-common' 
> inside the Template VM
> - I downloaded the Debian Kernel Sources (4.9.2)
> - I ran 'make menuconfig' and activated all virtualization and xen support, 
> maintaining the related configs present in the dom0 Kernel
> - I created Kernel .deb packages with 'make-kpkg --initrd -- linux-headers 
> linux-image' and I installed them
> - I updated the GRUB2 with 'update-grub'
> 
> - I set 'pvgrub2' as Kernel in Qubes VM Manager
> 
> 
> 
> The machine manages to boot the VM GRUB2 and the GRUB2 can load the Kernel 
> and the initramfs,
> the initramfs can mount root, but can't complete init and the console remains 
> in the initramfs shell.
> 
> 
> 
> Console Logs:
> 
> Loading, please wait...
> error getting socket: Function not implemented
> error initializing udev control socketerror initializing udev control socket
> Begin: Loading essential drivers ... done.
> Begin: Running /scripts/init-premount ... done.
> Begin: Mounting root file system ... Begin: Running /scripts/local-top ... 
> Begin: Waiting for /dev/xvda* devices... ... done.
> Begin: Qubes: Doing R/W setup for TemplateVM... ... [1.402524]  xvdc: 
> xvdc1
> Partition #1 contains a swap signature.
> [1.404605]  xvdc: xvdc1
> Setting up swapspace version 1, size = 1073737728 bytes
> UUID=ae1bbd47-1b98-4502-818a-ac18b6ccbc73
> [1.415272] dmsetup (687) used greatest stack depth: 13688 bytes left
> done.
> done.
> Begin: Running /scripts/local-premount ... done.
> error getting socket: Function not implemented
> Begin: Will now check root file system ... fsck from util-linux 2.29.1
> [/sbin/fsck.ext4 (1) -- /dev/mapper/dmroot] fsck.ext4 -a -C0 
> /dev/mapper/dmroot 
> /dev/mapper/dmroot: clean, 453037/655360 files, 2474697/2621440 blocks
> done.
> [1.468729] EXT4-fs (dm-0): mounted filesystem with ordered data mode. 
> Opts: (null)
> done.
> Begin: Running /scripts/local-bottom ... done.
> Begin: Running /scripts/init-bottom ... error getting socket: Function not 
> implemented
> done.
> [1.496400] mount (718) used greatest stack depth: 13528 bytes left
> run-init: opening console: No such file or directory
> Target filesystem doesn't have requested /sbin/init.
> run-init: opening console: No such file or directory
> run-init: opening console: No such file or directory
> run-init: opening console: No such file or directory
> run-init: opening console: No such file or directory
> run-init: opening console: No such file or directory
> No init found. Try passing init= bootarg.
> 
> 
> BusyBox v1.22.1 (Debian 1:1.22.0-19+b1) built-in shell (ash)
> Enter 'help' for a list of built-in commands.
> 
> (initramfs) 

I wonder what those "error getting socket: Function not implemented"
are? Maybe you didn't enable something needed by udev/mdev in kernel
config?


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] After updating Debian Kernel in VM, initramfs can't init

2017-10-14 Thread Holger Levsen
On Sat, Oct 14, 2017 at 03:03:39PM +, Holger Levsen wrote:
> I've done the same… just with a slightly different result, though the same 
> outcome, the VM
> in question doesn't boot :(

running "sudo update-initramfs -c -k all" fixed this for me…


-- 
cheers,
Holger



Re: [qubes-users] Install a CentOS HVM with a debug-window = mo seamless mode

2017-10-14 Thread '[799]' via qubes-users
Hello Marek,

as the original question (what needs to be done to get seamless mode) has been 
answered, I think we should cover the other topic in a separate thread.
I'll answer to your feedback there.

[799]



Re: [qubes-users] After updating Debian Kernel in VM, initramfs can't init

2017-10-14 Thread Holger Levsen
On Wed, Feb 08, 2017 at 03:58:57PM -0800, nicholas roveda wrote:
> I've just updated the Kernel inside of the Debian Template to the 4.9.2 
> version and now, the machine can't start.
> 
> - I installed grub2-xen in dom0
> 
> - I installed 'qubes-kernel-vm-support', 'kernel-package' and 'grub2-common' 
> inside the Template VM
> - I downloaded the Debian Kernel Sources (4.9.2)
> - I ran 'make menuconfig' and activated all virtualization and xen support, 
> maintaining the related configs present in the dom0 Kernel
> - I created Kernel .deb packages with 'make-kpkg --initrd -- linux-headers 
> linux-image' and I installed them
> - I updated the GRUB2 with 'update-grub'
> 
> - I set 'pvgrub2' as Kernel in Qubes VM Manager

I've done the same… just with a slightly different result, though the same 
outcome, the VM
in question doesn't boot :(

this is what I got:

  Booting `Debian GNU/Linux'

Loading Linux 4.9.0-4-amd64 ...
Loading initial ramdisk ...   [ vmlinuz-4.9.0-4-amd6  3.64MiB  90%  2.27MiB/s ]
[0.104118] dmi: Firmware registration failed.a  18.40MiB  100%  1.49MiB/s ]
[1.399131] dmi-sysfs: dmi entry is absent.
[1.399653] mce: Unable to init device /dev/mcelog (rc: -5)
Gave up waiting for suspend/resume device
Gave up waiting for root file system device.  Common problems:
 - Boot args (cat /proc/cmdline)
   - Check rootdelay= (did the system wait long enough?)
 - Missing modules (cat /proc/modules; ls /dev)
ALERT!  /dev/mapper/dmroot does not exist.  Dropping to a shell!


BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.

(initramfs) 

any hints welcome.


-- 
cheers,
Holger



Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix

2017-10-14 Thread Person
I believe I’m going to ask the Whonix forums, then. 

Thank you all for your input.



Re: [qubes-users] Install a CentOS HVM with a debug-window = mo seamless mode

2017-10-14 Thread '[799]' via qubes-users
Sorry for reposting shortly, but I need to add something more:

>>> is it possible to create a standalone HVM based on an existing Qubes 
>>> template?
>> Yes, qvm-create --standalone --template TEMPLATE_NAME ...
> Wow, I didn't know that, I think this is the best approach, as I have the 
> benefits from both worlds

I tried to follow your suggestion and created new VM based on an existing 
template:

qvm-create --standalone --template=t-fedora-25-minimal --label=blue --mem=2048 --vcpus=2 my-test

But this will create an AppVM not a HVM which is based on the chosen template.
I've installed some packages, rebooted and the changes were persistent, but we 
were talking about HVMs not AppVMs - as far as I understand (reading from the 
Qubes docu):

HVM (Hardware Virtual Machine) =  fully virtualized, or hardware-assisted, 
[VM](https://www.qubes-os.org/doc/glossary/#vm) utilizing the virtualization 
extensions of the host CPU
Whereas the AppVM is a paravirtualized VM.

Strangely I don't see the Enable Seamless Mode button in Qubes Manager with the 
VM I have created with the above command.
When enabling Debug-Mode there is also now Boot-Up/Full VM-window, the 
(standalone App)VM is a seamless VM. If I use qvm-run to open applications they 
appear without any problems.
So what is the benefit of using Debug Mode?

There are no options "qrexec_installed" and "guiagent_installed", these seem to 
exist only with HVMs.

*** Question ***
Is it also possible to migrate a standalone AppVM to vsphere with the hint you 
gave me?

[799]



Re: [qubes-users] Install a CentOS HVM with a debug-window = mo seamless mode

2017-10-14 Thread Marek Marczykowski-Górecki
On Sat, Oct 14, 2017 at 09:39:20AM -0400, [799] wrote:
> Hello Marek,
> 
> first of all thanks for all your qualified answers (not only in my but also 
> other threads).
> 
> > Did you switch "guiagent_installed" and/or "qrexec_installed"
> > properties? Both should be set to "false", unless you really installed
> > those components inside.
> 
> Ok, now I understand, I've read something about qrexec_installed somewhere in 
> the documentation, but I didn't understand in which context this was meant.
> Yes, I've verified guiagent_installed and qrexec_installed and both are set 
> to False.
> 
> >> b) can I install the missing Qubes parts later on to get seamless mode
> >> working and to launch applications from dom0 (qrexec...)
> 
> > Not easily. Theoretically both qrexec and gui agent should just work
> > but in practice packages shipping them depend on specific system
> > configuration [...]
> > This is improved for Qubes OS 4.0 - packages are split into
> > smaller parts and it is possible to install just parts you want, without
> > the whole system reconfiguring stuff.
> 
> I tried to run Qubes 4.0rc1 on my X230 but ran into problems, as I am now 
> additionally running Coreboot I don't know if this adds even more complexity 
> and thought about waiting until Qubes 4.0rc2 comes out.
> 
> >> c) is it possible to create a standalone HVM based on an existing Qubes 
> >> template?
> 
> > Yes, qvm-create --standalone --template TEMPLATE_NAME ...

Oh, sorry, I've mixed Qubes 4.0 and 3.2 feature set.
In Qubes 3.2 it is slightly more complex:
qvm-create --hvm --root-copy-from /var/lib/qubes/vm-templates/TEMPLATE_NAME/root.img ...

But for that to work, you need to install grub and kernel in the
template first. Because of lack of partition table on such root.img, you
need `grub2-install --force /dev/xvda` there. See here for additional
steps:
https://www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm

Then set qrexec_installed and guiagent_installed to true.

> Wow, I didn't know that, I think this is the best approach, as I have the 
> benefits from both worlds:
> 1) all qubes part to be able to run seamless mode (if needed)
> 2) all flexibility of a HVM to add additional packages etc.
> 
> As I want to migrate the HVM later on to vsphere (see my other thread which 
> you have also answered :-) it might be a good idea to remove all specific 
> qubes packages after the HVM has been migrated.

This will not be that easy. When you base your VM on a Qubes template,
it will have a lot of Qubes-related packages installed. It will probably
not work outside of Qubes...

> *** Question ***
> Which packages should/can I uninstall to remove the specific Qubes parts 
> (which are not needed after the VM has been migrated)?

Short answer is: everything named qubes-*. But then you'll need to
recreate at least /etc/fstab. And probably some networking settings.
Maybe something more...

> My HVM which I've built with a standard centos-minimal ISO is now booting up 
> in a window, which is great. Unfortunately it seems to be stuck at boot.
> I have removed rhgb quiet from GRUB when starting up to see what is going on 
> and the VM is booting up very slowly and is then stuck with the last 
> message:
> 
> [1.443023] [TTM] Initializing DMA pool allocator
> 
> I've waited for ~5 min but nothing happens after this.

See what you have on emulated serial console:
sudo xl console NAME_OF_VM
(if that doesn't work, try adding `-t pv` option)

If nothing, add `console=hvc0` to kernel command line and try
again.
What kernel version do you have there?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Install a CentOS HVM with a debug-window = mo seamless mode

2017-10-14 Thread '[799]' via qubes-users
Hello Marek,

first of all thanks for all your qualified answers (not only in my but also 
other threads).

> Did you switch "guiagent_installed" and/or "qrexec_installed"
> properties? Both should be set to "false", unless you really installed
> those components inside.

Ok, now I understand, I've read something about qrexec_installed somewhere in 
the documentation, but I didn't understand in which context this was meant.
Yes, I've verified guiagent_installed and qrexec_installed and both are set to 
False.

>> b) can I install the missing Qubes parts later on to get seamless mode
>> working and to launch applications from dom0 (qrexec...)

> Not easily. Theoretically both qrexec and gui agent should just work
> but in practice packages shipping them depend on specific system
> configuration [...]
> This is improved for Qubes OS 4.0 - packages are split into
> smaller parts and it is possible to install just parts you want, without
> the whole system reconfiguring stuff.

I tried to run Qubes 4.0rc1 on my X230 but ran into problems, as I am now 
additionally running Coreboot I don't know if this adds even more complexity and 
thought about waiting until Qubes 4.0rc2 comes out.

>> c) is it possible to create a standalone HVM based on an existing Qubes 
>> template?

> Yes, qvm-create --standalone --template TEMPLATE_NAME ...

Wow, I didn't know that, I think this is the best approach, as I have the 
benefits from both worlds:
1) all qubes part to be able to run seamless mode (if needed)
2) all flexibility of a HVM to add additional packages etc.

As I want to migrate the HVM later on to vsphere (see my other thread which you 
have also answered :-) it might be a good idea to remove all specific qubes 
packages after the HVM has been migrated.

*** Question ***
Which packages should/can I uninstall to remove the specific Qubes parts (which 
are not needed after the VM has been migrated)?

My HVM which I've built with a standard centos-minimal ISO is now booting up in 
a window, which is great. Unfortunately it seems to be stuck at boot.
I have removed rhgb quiet from GRUB when starting up to see what is going on 
and the VM is booting up very slowly and is then stuck with the last message:

[1.443023] [TTM] Initializing DMA pool allocator

I've waited for ~5 min but nothing happens after this.

*** Question ***
Do you have any idea why the boot is stuck after/at: "[1.443023] [TTM] 
Initializing DMA pool allocator"

[799]



Re: [qubes-users] Making Your Own Sys-VMs

2017-10-14 Thread '[799]' via qubes-users
Hello Sam,

> Thanks for those scripts! After reading through the create-my-sysvms.sh
> script, I am a little more confused as to why my templates aren't
> working.
> [...]
> When I start up mine it shows the ethernet interface, but it can't find
> the wireless interface.

I guess you are missing some necessary drivers in your (new minimal) sys-net VM.
I suggest the following:
Just switch the template of your new sys-net VM, which is currently using the 
fedora-25-minimal template with the ("full size") fedora image:

# Kill all VMs
qvm-kill sys-usb
qvm-kill sys-firewall
qvm-kill sys-net

# Show current template
qvm-prefs -l sys-net | grep template

# Switch template
qvm-prefs -s sys-net template fedora-25

Then start all VMs and check if you can see the wifi card.
If so this means that there is just some driver or module missing in your 
minimal sys-net VM.

An easy approach might be to just keep the fedora-25 instead of the 
fedora-25-minimal template.
But solving things is better than living with workarounds :-)
Can you enter the lspci command in dom0 and look which Wifi adapter you are 
using?
Using lspci | grep Network might be easier to find your wifi card.
Please send the full line of what is shown there, in my case for example:

[USER@dom0 ~]$ lspci | grep Network
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)
02:00.0 Network controller: Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)

We'll look from there what needs to be done to get wifi working in your sys-net 
VM when you choose the minimal template.

[799]
