Re: [qubes-users] Recovering TemplateVM from boot failure caused by incorrect /etc/fstab

2018-11-26 Thread Ivan Mitev

Hi Fabio,

On 11/27/18 2:33 AM, 'Fabio' via qubes-users wrote:

> Thanks for the reply Ivan.
>
> I was able to mount `dom0:/dev/qubes_dom0/vm-...-private vmname` successfully,
> however when trying to mount `dom0:/dev/qubes_dom0/vm-...-root vmname`, I still
> get the `wrong fs type, bad option, bad superblock...` error.


You're probably mounting the wrong partition or you are trying to mount 
the whole disk.


The following steps work for me:

in dom0:

sudo losetup /dev/loop3 /dev/qubes_dom0/vm-fedora-26-medium-bkp-root

then, attach the device to some VM like you did. In that VM run
`sudo dmesg` and you should see a line like


[timestamp_here]  xvdi: xvdi1 xvdi2 xvdi3

Note: it could also be xvdj, xvdk, ... if you have other devices 
attached to the VM.


There are thus 3 partitions in the device/volume you attached. You can 
see what they are with `sudo sfdisk -l /dev/xvdi`:


Device       Start      End  Sectors  Size Type
/dev/xvdi1    2048   411647   409600  200M EFI System
/dev/xvdi2  411648   415743     4096    2M BIOS boot
/dev/xvdi3  415744 20971486 20555743  9.8G Linux filesystem

Trying to mount the first two partitions will return a "bad superblock" 
error because there isn't any recognised fs on those. Trying to mount 
the whole device (/dev/xvdi) will fail for the same reason.


Mount the third partition:

sudo mount /dev/xvdi3 /mnt

And you should be able to fix fstab there:

ll /mnt/etc/fstab

-rw-r--r-- 1 root root 851 May 11  2018 /mnt/etc/fstab

Then, reverse the instructions: sudo umount /mnt, detach the device in 
the tray and remove the loopback device in dom0 (losetup -d /dev/loop3).


Hope this helps...




> I can confirm that I get this same error message when trying to mount any
> `--root` suffixed volume nested under `/dev/qubes_dom0`.
>
> To confirm, I am running Qubes v4.0.
>
> Any reason why the `--root` volumes in particular aren't mounting? Those are
> where `/etc/fstab` would be located, right?
>
> Thanks again for your help!
>
> Fabio
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, November 26, 2018 12:11 PM, Ivan Mitev wrote:
>
> > On 11/26/18 1:46 PM, 'Fabio' via qubes-users wrote:
> >
> > > I made an accidental edit to /etc/fstab which is causing my TemplateVM to
> > > timeout on boot with error Cannot connect to qrexec agent for 60 seconds
> > > Is there a way to edit a particular VM's etc/fstab without booting it up?
> > > Can I perhaps mount its root filesystem?
> >
> > for R4:
> >
> > https://groups.google.com/forum/#!searchin/qubes-users/losetup|sort:date/qubes-users/rWRNIt0NOc4/VaFHp42rBgAJ
> >
> > Alternatively the following command will configure a loopback device
> > automatically:
> >
> > qvm-start --hddisk dom0:/dev/qubes_dom0/vm-...-root vmname
> >
> > R3.2 uses files by default instead of LVM volumes, I can't remember
> > where they were located (/var/lib/qubes/ or something like that) but the
> > procedure should be more or less the same.
> >
> > > Attempted solutions
> > >
> > > 1.  I've tried adding init=/bin/bash to the kernel opts, starting the
> > > templateVM and then running sudo xl console TEMPLATE_NAME from Dom0 but I
> > > did not reach a command-prompt before fstab was read and executed.
> > >
> > > 2.  I tried mounting the root filesystem for the TemplateVM from Dom0 with:
> > > sudo mount /dev/qubes_dom0/vm-fedora-26-root mnt but got error wrong fs
> > > type, bad option, bad superblock...
> >
> > It's not recommended to access VMs' files in dom0. Once you set up a
> > loopback device and the volume pops up in the device tray, attach it to
> > a trusted VM and fix fstab there.

-

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a303a7f7-6b8f-5ff3-7e46-13154b8edda4%40maa.bz.
For more options, visit https://groups.google.com/d/optout.
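
The in-VM half of the procedure in the reply above, as an added example that is not part of the original thread: it picks the "Linux filesystem" partition from `sfdisk -l`, mounts it with restrictive options, checks the structure of fstab before and after the edit, and unmounts. The function names, the default mount point and the sample fstab are assumptions made for illustration; the sfdisk sample is the listing from the message.

```shell
#!/bin/sh
# Added example: run inside the trusted VM once the template's root volume
# has been attached to it. Function names, the default mount point and the
# sample fstab are assumptions; the sfdisk sample is the listing quoted above.

# Constructed sample inputs, used only to exercise the two parsers offline.
SAMPLE_SFDISK='Device       Start      End  Sectors  Size Type
/dev/xvdi1    2048   411647   409600  200M EFI System
/dev/xvdi2  411648   415743     4096    2M BIOS boot
/dev/xvdi3  415744 20971486 20555743  9.8G Linux filesystem'

SAMPLE_FSTAB='# constructed fstab: a stray space on line 3 splits the options field
/dev/mapper/dmroot /        ext4  defaults,discard,noatime 1 1
/dev/xvdb          /rw      auto  noauto,defaults, discard 1 2
/dev/xvdc1         swap     swap  defaults                 0 0'

# Read `sfdisk -l` output on stdin and print the first partition whose type
# is "Linux filesystem". The EFI and BIOS boot partitions and the whole disk
# are the ones that give "bad superblock" when mounted.
pick_root_partition() {
    awk '!found && $1 ~ /^\/dev\// && /Linux filesystem[ \t]*$/ {
             print $1; found = 1
         }'
}

# Structural check only: fstab(5) describes six fields per entry, the last
# two optional and numeric. Prints "LINE: reason" and returns 1 on a problem.
# A clean result does not prove that the named devices exist in the template.
fstab_lint() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF < 4 || NF > 6 {
            printf "%d: expected 4-6 fields, got %d\n", NR, NF; bad = 1; next
        }
        NF >= 5 && $5 !~ /^[0-9]+$/ {
            printf "%d: dump field \"%s\" is not a number\n", NR, $5; bad = 1
        }
        NF == 6 && $6 !~ /^[0-9]+$/ {
            printf "%d: fsck pass field \"%s\" is not a number\n", NR, $6; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# recover_fstab DEVICE [MOUNTPOINT], e.g. recover_fstab /dev/xvdi
recover_fstab() {
    dev=$1
    mnt=${2:-/mnt}
    part=$(sudo sfdisk -l "$dev" | pick_root_partition)
    if [ -z "$part" ]; then
        echo "no 'Linux filesystem' partition found on $dev" >&2
        return 1
    fi
    # The volume belongs to another VM: mount it so that no setuid bit,
    # device node or binary stored on it is honoured in this VM.
    sudo mount -o nosuid,nodev,noexec "$part" "$mnt" || return 1
    fstab_lint "$mnt/etc/fstab" || echo "the entries listed above need fixing" >&2
    sudo "${EDITOR:-vi}" "$mnt/etc/fstab"
    fstab_lint "$mnt/etc/fstab" && echo "fstab structure looks sane"
    sudo umount "$mnt"
}

# Only act when a device is given on the command line.
if [ "$#" -ge 1 ]; then
    recover_fstab "$@"
fi
```

After the script returns, detach the device from the VM and remove the loop device in dom0 as the reply describes.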







[qubes-users] One PCI slot does not work in Qubes

2018-11-26 Thread s . w . i . m . on . qubes
I have two network cards, both are on PCIx1 slots in a gigabyte H110m-a 
motherboard. On the top PCIx1 slot this network card works fine using Realtek 
8111 nics. 

The lower slot does not work in that Qubes sees the nics with lspci, will pass 
them through to a VM and the VM sees the nics, but no network activity occurs. 
At first I thought it was a hardware issue because card 2 was using an Intel 
82576 nic so I tried with another realtek card and had the same result. 

I swapped cards and again, the top PCIx1 slot works with either nic, while 
nothing works in the second slot.

With other operating systems all pci slots work fine. 

Is there some way of diagnosing what is going on here? I kind of think this is 
a Qubes thing since everything seems to work in other operating systems.



Re: [qubes-users] Recovering TemplateVM from boot failure caused by incorrect /etc/fstab

2018-11-26 Thread 'Fabio' via qubes-users
Thanks for the reply Ivan.

I was able to mount `dom0:/dev/qubes_dom0/vm-...-private vmname` successfully, 
however when trying to mount `dom0:/dev/qubes_dom0/vm-...-root vmname`, I still 
get the `wrong fs type, bad option, bad superblock...` error.

I can confirm that I get this same error message when trying to mount any 
`--root` suffixed volume nested under `/dev/qubes_dom0`.

To confirm, I am running Qubes v4.0.

Any reason why the `--root` volumes in particular aren't mounting? Those are 
where `/etc/fstab` would be located, right?

Thanks again for your help!


Fabio


‐‐‐ Original Message ‐‐‐
On Monday, November 26, 2018 12:11 PM, Ivan Mitev wrote:

> On 11/26/18 1:46 PM, 'Fabio' via qubes-users wrote:
>
> > I made an accidental edit to /etc/fstab which is causing my TemplateVM to 
> > timeout on boot with error Cannot connect to qrexec agent for 60 seconds
> > Is there a way to edit a particular VM's etc/fstab without booting it up? 
> > Can I perhaps mount its root filesystem?
>
> for R4:
>
> https://groups.google.com/forum/#!searchin/qubes-users/losetup|sort:date/qubes-users/rWRNIt0NOc4/VaFHp42rBgAJ
>
> Alternatively the following command will configure a loopback device
> automatically:
>
> qvm-start --hddisk dom0:/dev/qubes_dom0/vm-...-root vmname
>
> R3.2 uses files by default instead of LVM volumes, I can't remember
> where they were located (/var/lib/qubes/ or something like that) but the
> procedure should be more or less the same.
>
> > Attempted solutions
> >
> > 1.  I've tried adding init=/bin/bash to the kernel opts, starting the 
> > templateVM and then running sudo xl console TEMPLATE_NAME from Dom0 but I 
> > did not reach a command-prompt before fstab was read and executed.
> >
> > 2.  I tried mounting the root filesystem for the TemplateVM from Dom0 with: 
> > sudo mount /dev/qubes_dom0/vm-fedora-26-root mnt but got error wrong fs 
> > type, bad option, bad superblock...
> >
>
> It's not recommended to access VMs' files in dom0. Once you set up a
> loopback device and the volume pops up in the device tray, attach it to
> a trusted VM and fix fstab there.




Re: [qubes-users] Setup NextCloud in Qubes

2018-11-26 Thread pr0xy
On 2018-11-26 11:46, Achim Patzner wrote:
> On Sunday, 25.11.2018, 14:44 -0800, pr0xy wrote:
> 
>> Looking through past messages here it seems that others have got
>> OwnCloud and NextCloud working. I wonder if they were able to do this
>> with bind-dirs, or whether they had to use a StandaloneVM.
> 
> Again: What do you want to gain? Having access to the same files on
> multiple VMs? Having copies on all of them (plus the copy on the
> storage VM) seems like a bit of overkill to me.
> 
>> There are some other aspects of NextCloud aside from the file sharing
>> like Calendar, Contacts, Notes and others that might also be nice to
>> have internally.
> 
> And to be honest: I do not trust all those plugins that far. They are
> complicating things and complicated things cannot be easily verified.
> Why not do everything on the same VM (which would be a risk you could
> at least try to assess)? And where would be the limit? The Password
> application? Giving external users access because you need to share
> files?
> 
> I'm not against a centralized "file service and storage VM" but it
> would take considerable work to really find a secure way to do it;
> access would likely have to use an RPC mechanism like current file
> copying. It might be better to find out if it was possible to
> implement something like WebDAV on top of a Qubes RPC services with a
> fuse front end.
> 
> Achim Patzner


Honestly the first idea was to do some testing to see if I could get
NextCloud to work in Qubes. The idea of easier sharing of files among
VMs was interesting. For example, I have a huge directory of images on a
USB drive that I use in a number of different VMs. The gallery of
NextCloud lets me easily see and select them. Now I have to manually
connect the drive to whatever VM needs them. I thought NextCloud could
help my workflow in that regard.



Re: [qubes-users] Manjaro Spitfire laptop with Qubes 4.x?

2018-11-26 Thread Achim Patzner
On Monday, 26.11.2018, 17:00 -0500, taii...@gmx.com wrote:
> What they state they will do is impossible and they are setting the
> freedom computing movement back by years by brainwashing people in to
> thinking that modern x86 hardware can be free.

And I'm feeling the same about the Librem and similar hardware. It's
misleading to the point of cheating the customer.

> They could have made an OpenPOWER laptop that is actually owner
> controlled and libre from the factory but they simply refuse to do
> anything like that.

I just ordered the cyborg monday offer from Raptor CS. I'm just
wondering if I can get a real hypervisor running on this hardware. I
would of course like to get Qubes on top of LPARs but don't really see
this coming in the near future...


Achim



[qubes-users] Failed to synchronize cache for repo 'updates' in fedora-28 template

2018-11-26 Thread pixel fairy
$ sudo dnf -y update
Error: Failed to synchronize cache for repo 'fedora-cisco-openh264'

tried disabling fedora-cisco-openh264 and got

Error: Failed to synchronize cache for repo 'updates'

same error on the distro template, which only has updates applied, and my clone 
of it, which i use.



Re: [qubes-users] Razor Blade 15

2018-11-26 Thread taii...@gmx.com
On 11/02/2018 05:58 AM, claudas...@gmail.com wrote:
> Has anyone sampled the new super machine razor blade 15 with qubes 4.0?
> What were your barriers? can you get close to getting full use out of the 
> laptop with qubes?
> 
> I have already checked the hardware-compatibility list and there's no input 
> yet. So chancing it here =)
> 
> Thanks
> 

I wouldn't buy a machine stuck with ME and proprietary firmware, get a
g505s instead (no me/psp, open cpu/ram init via coreboot) or a W520
(open cpu/ram init, can nerf the ME via mecleaner - note ME/PSP can
never be disabled on a modern PC no matter what)



Re: [qubes-users] Manjaro Spitfire laptop with Qubes 4.x?

2018-11-26 Thread taii...@gmx.com
On 11/11/2018 09:19 PM, Stumpy wrote:
> On 11/11/18 9:15 PM, 22...@tutamail.com wrote:
>> Interesting and very cool Euro laptop! Seems intriguing but I could
>> not find some of the questions I was wondering:
>>
>> 1) Are the BIOS proprietary? Same as Librem..

>> 2) Has the manufacturer said it is compatible with Qubes? Seems they
>> would want to test this themselves.
>>
>> Have you reached out to them? Was tempted to do it myself...
>>
> good questions, but:
> 1) Don't know, but good question.
> 2) Didn't reach out, but they had a bunch of different distros as an
> option to install, including fedora and debian if I remember correctly
> (though I am sure not Qubes nor xen).
> 
> While I am not holding my breath on the BIOS, I am happy enough that at
> least some computers (purism and sy76) are inching their way towards
> non-prop firmware.

What they state they will do is impossible and they are setting the
freedom computing movement back by years by brainwashing people in to
thinking that modern x86 hardware can be free.

They could have made an OpenPOWER laptop that is actually owner
controlled and libre from the factory but they simply refuse to do
anything like that.

Doesn't anyone find it odd how the tech media loves those two to the
point where they issue glorified press releases but never covers their
honest competitors? Seriously those so called journalists do zero
research on their claims of things like "disabled me" "open source
firmware" and "made in usa" both of which are not at all true.



Re: [qubes-users] Gaming on Qubes 4.0

2018-11-26 Thread taii...@gmx.com
On 11/19/2018 04:16 AM, Black Beard wrote:
> 
> Hey guys,
> 
> i updated all of my Domains and bought Crossover Linux. This Software i 
> installed on my Fedora 29 Domain. 
> 
> An example
> 
> I wanted buy a game yesterday via bank transfer and I automatically forwarded 
> to the appropriate page. 
> 
> Unfortunately, I can not see the opened page properly and therefore can't do 
> anything. Only if I click chaotically on it, i see that there is content.
> 
> Is it even possible to game on the domain, or would I have to install a 
> separate HVM or similar?

Look up vfio/xen gaming.

It is possible but maybe difficult or impossible depending on your
hardware...which is?

> 
> About messages i happy.
> 
> regards and thx in advance
> 



Re: [qubes-users] Thinkpad T400s RYF

2018-11-26 Thread taii...@gmx.com
On 11/13/2018 05:43 AM, qubes-...@tutanota.com wrote:
> Outch, bad news :-( Basically I have only two options than: run reasonably 
> secure QubesOS on a flawed-by-design-HW, or use RYF HW with not so secure OS. 
> I am not maximalist, but you know, one doesn't go on boat that has holes in 
> it, even he has nicely and safely packed cookies on board.
> 
> Or is there any other RYF laptop which could run QubesOS? Sad days, these 
> days.
> 

pre-sandy/ivybridge intel stuff IOMMU doesn't work on coreboot and would
be almost pointless anyways as it is a very poor implementation security
wise.

I would get a G505s (AMD FT3 platform w/o ME/PSP), it isn't RYF but it
is owner controlled and the video and power management blobs can
theoretically be removed and as the cpu/ram hw init code is foss via
coreboot agesa the IOMMU would theoretically protect you from issues. It
is currently the best choice with the second best being the various
sandy/ivybridge laptops that run coreboot with open cpu/ram init and a
nerfed ME via mecleaner (disabling ME is impossible).

I have gotten like 10+ people to buy them so there is a nice little
community of people to help you with the process including myself if you
run in to any issues.

The main issue that people have is forgetting to properly enable
microcode updates which is required on almost every x86 device.

Installing coreboot isn't that difficult and someone with the aptitude
to use linux can surely pull it off you just need a screwdriver, a USB
CH341A flasher and a SOIC-8 tester clip so like $20 of stuff to do it.

In terms of workstation hardware for qubes there are many more choices
than laptops though and one can really have 100% such as
KGPE-D16/KCMA-D8 etc libreboot/openbmc compatible boards and of course
for non-qubes virt with kvm-qemu there is OpenPOWER.

awokd: Let us not use intel's marketing terms - Qubes requires IOMMU >:D



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:23 AM, 799 wrote:
> Hello,
> 
> On Sat., 17 Nov. 2018, 02:50, taii...@gmx.com wrote:
> 
>> [...]
>> ME/PSP is impossible to disable on modern x86 anyone who tries is
>> wasting money and setting back the freedom computing movement but the
>> pur.idiots seem to not really care about that anyways.
>>
> 
> So do you think it is better for the freedom computing movement if my
> neighbour who is not an "IT guy" buys a Windows 10 surface book or a
> MacBook instead of a Purism Laptop?

I think it is better to not support dishonest companies period.

> Maybe he wants to choose exactly between this laptops because he don't want
> to buy old hardware (which is exactly the freedom he should have).
> 
> 
> If not, I'm sure you know a few me modules more or less is completely
>> irrelevant from a security point of view.

It is relevant.

Don't take offense but if you lack understanding of how firmware does
hardware initiation you should not be talking about this.

C2Q era: can really disable the ME, no code/blobs, doesn't load at all.
ivy/sandybridge core era: ME can be nerfed to

> 
> 
> Why is this irrelevant? Is it also irrelevant to run Coreboot?
> 
> Also, I wasn't able to find a statement of Purism about the fact that, in
>> the beginning, they claimed the ME was "completely disabled and removed". I
>> mean, that was > obviously not true right?

They say "disabled ME" everywhere and it is in many news articles just
like system76's "made in usa" computer where only the case is made here
as if it is an accomplishment to make a metal box in america - note that
other companies do in fact sell motherboards/cpus that are made here
like raptorcs (openpower cpus are made in fishkill ny and the board is
made in texas) although I bet even they probably still would not make
the legal standard and they should note that some components are
imported (although at least the cpu is from here it is the most
important part)

>>
> 
> Which quote on the website are you arguing against 

"open source coreboot firmware" "librem" "disabled me" so on and so on
not to mention "our pureos libre distro" but it is just a debian clone
and it still has binary blobs.

> and have you asked them
> in a nice way to change it so that users are more informed that Intel ME
> can't be fully disabled?

I have.

They still refuse to be honest and up front.

> What was the answer from Purism?

That they think their marketing is fine and won't be changing anything.

> 
>>
> They do claim that it is "disabled" which it is not and they also claim
>> they have "open source coreboot firmware" which they don't since the hw
>> init process is entirely blobbed making coreboot nothing more than a
>> simple wrapper layer.
>>
> 
> I don't know enough about the coreboot details, basically the coreboot
> Purism is using is less (reasonable) secure than the coreboot installation
> we are running on X2xx, T4xx etc.?

It is much less secure since it is not open source.

> What is the difference? I am really interested.

10 years ago coreboot meant open source firmware but now new hardware
has its hardware initiated via binary blobs as intel/amd don't release
code or documentation required to make code

coreboot/intel fsp is an 10%/90% work situation.

Pretty much purisms "coreboot" is just a wrapper layer (it does no
actual hw init) for the intel fsp binary blob that does all the work of
initiating the hardware.

Let me know if you have any more questions.
> 
> but advertising hardware which runs almost entirely on closed source
>> software (certainly, all the important parts do), that just sound highly
>> dishonest in my ears
>>
> 
> Do you really think that the biggest attack vector is the not fully
> disabled Intel Me stuff/Blobs?

There is plenty of time for dirty tricks in Intel FSP plus the not
actually disabled ME (Mask ROM, plus the Bup/kernel layer)

The kernel, mask roms and the hw init blob still runs hence me is not
disabled.

> In this case it wouldn't make a difference if users run Windows on top of
> Purism hardware.

No it would, obviously running windows is an *up front* security issue
rather than simply theoretical backdoors intentional or otherwise in
intel firmware which is what we are talking about.

> Hardly to believe.
> 
> Puridiots pretend as though making a modern, fast and affordable owner
>> controlled libre computer simply can't be done which isn't true and
>> various companies do it (raptor computing systems, various riscv
>> sellers, bunnylabs etc)
>>
> 
> Will those computers have the same specs as Purism and do they run Qubes?

I am referencing computers in general not laptops...my point is that
they pretend that there isn't any new real open hardware out there as
though OpenPOWER and Risc-V don't exist.

(Let me know if you want help picking an owner controlled system like
kcma-d8 or g505s laptop and building/flashing coreboot)

> 
> Nothing is stopping them from making an OpenPOWER laptop since the
>> 

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:06 AM, 799 wrote:
> Hello Taiidan,
>
> On Sat., 17 Nov. 2018, 03:21, taii...@gmx.com wrote:
>
>> [...]
>> I am the counterpart to you guys somehow getting the tech media to
>> publish glorified press releases for you and everything I say is true.
>>
>
> Which articles do you mean?
Here are two examples of how the tech media glorifies them

https://www.zdnet.com/article/purism-adds-open-source-security-firmware-to-its-linux-laptop-line/

https://www.pcworld.com/article/2860446/this-freedom-loving-laptop-discovered-how-to-make-intel-cpus-boot-without-closed-firmware.html
>
> People need to know the truth about what they would be purchasing, this
>> issue isn't and never was the fact that you are selling non-free laptops
>> - it is that you are claiming they are somehow open source
>> firmware/libre/me disabled when they are not and could never be.
>>
>
> So a free laptop is a laptop that has everything Purism does but including
> disabled ME?
No, a free laptop has no hardware enforced code signing, no me/psp and
100% open source hardware init - purism has none of those.

> At the same time you're saying it is impossible to do so?
Impossible with new x86 hardware.

> So Purism would be the most free laptop you can buy today from shelf, is
> this correct?
No you can buy a g505s (owner controlled) or one of the various
ivy/sandybridge laptops that run coreboot all of which are more free.

> Doesn't sound to bad to me ;-)
>
> Remember any code exploit for ME is illegal in the US and buying new
>> intel/amd x86 hardware supports further anti-feature development...why
>> not make an OpenPOWER laptop? nothing is stopping you besides the false
>> belief that it is somehow impossible to make and sell owner controlled
>> hardware that is fast and modern - other companies are doing instead of
>> trying.
>>
>
> Where can I buy a OpenPOWER Laptop and how will this help me and will Qubes
> OS run on it (today)?
There aren't any thats what I am trying to say - but it is possible and
since other companies are creating real owner controlled hardware with
Risc-V, OpenPOWER, etc (not laptops tho) since those two archs CPU's
have TDP's in the laptop range there is nothing stopping them.

>
> The business model of somehow keeping up open source firmware releases
>> with new x86 hardware without any vendor cooperation is impossible - it
>> would take years and millions to reverse engineer FSP thus x86 will
>> never be free.
>>
>
> This maybe correct, but then there is no need to use this argument in every
> discussion.
> We must try to do what is currently possible.
> This is also how I understand the "reasonable" in the quote "reasonable
> secure".
> Best effort and delivering is most time a better approach than trying to be
> perfect.
>
> Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
>> and install coreboot - myself and various others are willing to help
>> owner controlled system users for free if you run in to trouble.
>>
>
> The G505s is a very ugly have and old machine which seems to be a consumer
> notebook.
> In my opinion (!) I totally respect that others have a different opinion.
> But please do also accept that some people just don't want to buy this
> laptop for their own personal reasons.
>
> Todd weaver started and owns the company so he isn't mis-informed he is
>> simply used to making claims he can't deliver because he has no ethics,
>> no real technical skills and he still fails to listen to those who do.
>>
>
> Do you know Todd? What is the problem for blaming people. I think it's
> great that people have choices!!
> You have even the choice to setup your own company ;-)
I don't have millions in VC so no I can't set up my own company I can
barely feed myself since no one hires native people where I live these days.

>
>
> I really don't understand why there is so much engagement blaming purism.
> I think it is really great if people have the chance to buy "other" laptops.
> And a Purism Laptop is "very likely higher on the reasonable secure" scale
> than a normal Windows Laptop and even from a laptop running Qubes without
> Coreboot and Co.
I simply want them to stop lying! - have them stop being dishonest
marketing!

>
> Honestly I wouldn't feel much more secure even if Intel ME is completely
> gone, I think that  the attack surface is reduced when running Qubes,
> Coreboot or if I buy purism.
>
> Purism is good in marketing and this is not a crime.
It is a crime since it is very dishonest - in america that is considered an
anti-competitive practice.

> There are so much
> people who will never ever buy hardware which is 5years old, and spent lots
> of time installing Linux/Coreboot etc.
> But still they might be interested running "better" hardware or software
> and are interested in getting support.
> Therefore I am lucky that companies are selling Linux to those people.
>
> Purism, thinkpenguin, all others -> THANKS!
Thinkpenguin is honest - the others 

Re: [qubes-users] Keeping your QubesOS clean

2018-11-26 Thread 799
Hello Pieter,

On Mon., 26 Nov. 2018, 14:15, pieter lems wrote:

> I was wondering what the best way is to keep your Qubes system clean.
> Currently I'm running bleachbit on each different qube weekly. This seems
> kind of inconvenient tho.
>
> Is there someone that has a better way of doing this?


I have looked what bleachbit is and it seems to be something like CCleaner
for Windows.
I have never used those tools and I think it is even less needed when
running Qubes as it is very easy to use disposable VMs which will clean up
everything just because the machine disappears after usage.

If I need to remove specific data I like to find out where the data is
stored and then just write a script to remove data.
It's easy to find out where data is stored by creating checksums of your
system, then run the application and look which files have been tampered.

- O

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vEyNisqBtk290LHHs5O6JEma%2BCdZUaJCZBYVFmKhzUaw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
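
The checksum-before-and-after approach described in the message above, as an added example that is not part of the original post. The function names `snapshot`, `changed_files` and `demo`, and the sample files, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find out which files an
# application touches by comparing SHA-256 manifests taken before and
# after it runs.

# snapshot DIR MANIFEST
# Write one "hash  ./relative/path" line per regular file under DIR.
snapshot() {
    # -xdev keeps find on one filesystem; sorting by path makes two
    # manifests of the same tree directly comparable.
    ( cd "$1" && find . -xdev -type f -exec sha256sum {} + ) 2>/dev/null \
        | LC_ALL=C sort -k 2 > "$2"
}

# changed_files BEFORE AFTER
# Print "A path" (added), "M path" (modified) or "D path" (deleted).
# Assumes file names without newlines or backslashes, which sha256sum
# would otherwise escape in its output.
changed_files() {
    awk '
        # sha256sum prints 64 hex digits, two separator chars, the path
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1]  { before[path] = hash; next }
        !(path in before)    { print "A " path; next }
        before[path] != hash { print "M " path }
        { seen[path] = 1 }
        END { for (p in before) if (!(p in seen)) print "D " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed sample data standing in for a qube home directory.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/home/.cache"
    printf 'old\n'  > "$work/home/.config"
    printf 'tmp\n'  > "$work/home/.cache/stale"
    printf 'same\n' > "$work/home/notes.txt"
    snapshot "$work/home" "$work/before.sha256"

    # Stand-in for "run the application": it rewrites its config,
    # creates a history file and drops a cache entry.
    printf 'new\n'  > "$work/home/.config"
    printf 'hist\n' > "$work/home/.app_history"
    rm "$work/home/.cache/stale"
    snapshot "$work/home" "$work/after.sha256"

    changed_files "$work/before.sha256" "$work/after.sha256"
    rm -rf "$work"
}

demo
```

In a qube, take the first snapshot of the home directory, run the application, then take the second one. The paths marked A or M are the candidates for a cleanup script.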


Re: [qubes-users] VPN qubes preventing some websites from loading properly

2018-11-26 Thread 'Christophe Pfeifer' via qubes-users
‐‐‐ Original Message ‐‐‐
On Sunday, November 25, 2018 11:59 PM, Chris Laprise  wrote:

> On 11/25/2018 04:47 PM, Christophe Pfeifer wrote:
>
> > On Sunday, November 25, 2018 7:43 PM, Chris Laprise tas...@posteo.net wrote:
> >
> > > On 11/25/2018 10:32 AM, 'Christophe Pfeifer' via qubes-users wrote:
> > >
> > > > Hi,
> > > > I followed the tutorial "Set up a ProxyVM as a VPN gateway using
> > > > iptables and CLI scripts" [1], then I subscribed to NordVPN and
> > > > configured OpenVPN over UDP (since my ISP blocks OpenVPN over TCP).
> > > >
> > > > My final architecture is the following:
> > > > AppVM > VPN (ProxyVM) > Firewall VM > Network VM
> > > >
> > > > Firewall VM rules: Deny all but:
> > > > Address   |   Service   |   Protocol
> > > > *       | OpenVPN | UDP
> > > > *       | OpenVPN | TCP
> > > > *       | HTTPS     | TCP
> > > >
> > > > Problem: this is working for mostly all websites I use, except some
> > > > ones, like Protonmail, Facebook, etc. These latter sites are either
> > > > showing first some contents just after logging in, or the logging in is
> > > > impossible, and then loading endlessly.
> > > > It seems like a "Keep-alive connection issue".
> > > >
> > > > Investigation:
> > > >
> > > > 1.  I allowed full access on the firewall for 5 minutes
> > > > 2.  I launched Wireshark on the VPN VM
> > > > 3.  I tried to log in to Protonmail
> > > > Results: (excerpt)
> > > >
> > > >
> > > > -   10.137.0.14 -> 82.221.139.122 OpenVPN 110 MessageType: P_DATA_V2
> > > >
> > > > -   192.168.43.1 -> 10.137.0.14 ICMP 592 Destination unreachable
> > > > (Fragmentation needed)
> > > >
> > > > -   185.70.40.151 -> 10.8.8.20 TCP 68 [TCP Dup ACK 711#1] 443 → 42938
> > > > [ACK] Seq=69096 Ack=1868 Win=66 Len=0 SLE=3193 SRE=3194
> > > >
> > > > -   10.137.0.9 -> 185.70.40.151 TCP 1381 [TCP Retransmission] 42938 → 443
> > > > [ACK] Seq=1868 Ack=69096 Win=3261 Len=1325
> > > > [...]
> > > >
> > > > -   10.137.0.9 -> 185.70.40.151 TCP 56 [TCP Keep-Alive] 42954 → 443
> > > > [ACK] Seq=977 Ack=1262 Win=32640 Len=0
> > > >
> > > >
> > > > Do you know any solution to prevent this from happening? Maybe a
> > > > configuration trick of OpenVPN or of the VPN VM ?
> > >
> > > Did you download the openvpn config from NordVPN or write it yourself?
> > > It's preferable to download it. I see that NordVPN's config includes
> > > 'ping' and 'ping-restart' which is similar to using the 'keepalive'
> > > option.
> > > The issue with only certain sites not working could indicate that a
> > > third-party service like a CDN has blocked the IP addresses that your
> > > VPN provider is using. I've also seen some services block VPN IPs on
> > > certain servers but not others. I see this occasionally when connecting
> > > through Private Internet Access. The solution rests with the VPN
> > > operators to block abusive network patterns and switch to IPs that
> > > haven't been blacklisted... it's basically a VPN reputation thing.
> > > BTW, you might find Qubes-vpn-support project better to use overall for
> > > VPNs. You can control it as a system service and it uses connection
> > > parameters that keep openvpn operating more smoothly (although for this
> > > particular problem I don't think it would have an effect)...
> > > https://github.com/tasket/Qubes-vpn-support
> > >
> > > Chris Laprise,tas...@posteo.net
> > > https://github.com/tasket
> > > https://twitter.com/ttaskett
> > > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> >
> > I am using NordVPN's config files and now (thanks to your advice)
> > Qubes-vpn-support.
> > I have compared this with NordVPN's autoconfig script [1] and with another
> > ISP.
> > Here are some results (for the very same remote VPN server):
> > - With another ISP
> >   - OpenVPN over UDP
> >     - Qubes-vpn-support: OK
> >     - NordVPN script: OK
> >   - OpenVPN over TCP
> >     - Qubes-vpn-support: OK
> >     - NordVPN script: OK
> > - With my ISP over 4G network
> >   - OpenVPN over UDP
> >     - Qubes-vpn-support: some websites are stalled
> >     - NordVPN script: OK
> >   - OpenVPN over TCP
> >     - Qubes-vpn-support: ALL websites are stalled
> >     - NordVPN script: OK
> > Therefore, it is surprising that NordVPN's script works but not
> > Qubes-vpn-support with NordVPN's config files!
> > I compared the Wireshark captures in both cases, when I try to log in to
> > Protonmail, and here is something interesting.
> >
> > -   For NordVPN's script (at a certain moment in time):
> >
> > -   192.168.43.1 -> 10.137.0.16 ICMP 592 Destination unreachable (Fragmentation needed)
> > -   10.137.0.16 -> 82.221.114.154 IPv4 1412 Fragmented IP protocol (proto=UDP 17, off=0, ID=f7e7) [Reassembled in #3066]
> >
> > -   For Qubes-vpn-support (at a certain moment in time):
> >
> > -   192.168.43.1 -> 10.137.0.20 ICMP 592 Destination unreachable (Fragmentation needed)
> > -   

Re: [qubes-users] Possible to use WindowsVM as a NetVM?

2018-11-26 Thread qubesusermarco
> You havent looked at my other posts, I think.
> Have you checked the raw table? By default a netvm restricts traffic on
> a vif to the allocated IP: you need to remove that restriction.
> 
> I made some notes on using an openBSD HVM as a netvm -
> https://github.com/unman/notes/blob/master/openBSD_as_netvm
> You should be able to adapt them to your own case.
> 
> unman

Oh my! Looked into every other table except for the raw one... What a shame!
Anyways, upon removal of that sneaky one helluva rule, everything works like a 
charm now.
Thanks a million, sir!



[qubes-users] Keeping your QubesOS clean

2018-11-26 Thread pieter lems
Hello everyone,
I was wondering what the best way is to keep your Qubes system clean.
Currently I'm running bleachbit on each different qube weekly. This seems
kind of inconvenient tho. Is there someone that has a better way of doing
this?
Thanks in advance!



[qubes-users] Re: Recovering TemplateVM from boot failure caused by incorrect /etc/fstab

2018-11-26 Thread aaq via qubes-users
On Monday, 26 November 2018 at 12:46:29 UTC+1, fabio_p7cc62u wrote:
> I made an accidental edit to /etc/fstab which is causing my TemplateVM to 
> timeout on boot with error Cannot connect to qrexec agent for 60 seconds
> 
> Is there a way to edit a particular VM's etc/fstab without booting it up? Can 
> I perhaps mount its root filesystem?
> Attempted solutions
> 
> 1. I've tried adding init=/bin/bash to the kernel opts, starting the 
> templateVM and then running sudo xl console TEMPLATE_NAME from Dom0 but I did 
> not reach a command-prompt before fstab was read and executed.
> 
> 
> 
> 2. I tried mounting the root filesystem for the TemplateVM from Dom0 with: 
> sudo mount /dev/qubes_dom0/vm-fedora-26-root mnt but got error wrong fs type, 
> bad option, bad superblock...
> 
> Any suggestions on how I could edit /etc/fstab for my TemplateVM before it 
> gets executed?
> Steps to reproduce the behavior:
> Edit your /etc/fstab to be incorrectly formatted
> Run qvm-start YOUR_FAULTY_TEMPLATE
> 
> 
> 
> Related issue: 
> https://unix.stackexchange.com/questions/44027/how-to-fix-boot-failure-due-to-incorrect-fstab

Hello!

Please see this issue: 
https://groups.google.com/forum/#!topic/qubes-users/rWRNIt0NOc4

Hope this helps :)



Re: [qubes-users] Recovering TemplateVM from boot failure caused by incorrect /etc/fstab

2018-11-26 Thread Ivan Mitev




On 11/26/18 1:46 PM, 'Fabio' via qubes-users wrote:

I made an accidental edit to /etc/fstab which is causing my TemplateVM to 
timeout on boot with error Cannot connect to qrexec agent for 60 seconds

Is there a way to edit a particular VM's etc/fstab without booting it up? Can I 
perhaps mount its root filesystem?


for R4:

https://groups.google.com/forum/#!searchin/qubes-users/losetup|sort:date/qubes-users/rWRNIt0NOc4/VaFHp42rBgAJ

Alternatively the following command will configure a loopback device 
automatically:


qvm-start --hdisk dom0:/dev/qubes_dom0/vm-...-root vmname


R3.2 uses files by default instead of LVM volumes, I can't remember 
where they were located (/var/lib/qubes/ or something like that) but the 
procedure should be more or less the same.





Attempted solutions

1. I've tried adding init=/bin/bash to the kernel opts, starting the templateVM 
and then running sudo xl console TEMPLATE_NAME from Dom0 but I did not reach a 
command-prompt before fstab was read and executed.

2. I tried mounting the root filesystem for the TemplateVM from Dom0 with: sudo 
mount /dev/qubes_dom0/vm-fedora-26-root mnt but got error wrong fs type, bad 
option, bad superblock...


It's not recommended to access VMs' files in dom0. Once you set up a 
loopback device and the volume pops up in the device tray, attach it to 
a trusted VM and fix fstab there.




[qubes-users] Optional: Enable AppArmor

2018-11-26 Thread qubes123456
If I enter this command in the anon-Whonix terminal: sudo aa-status --enabled; 
echo $? the answer I get is 0, which is right. But if I enter this 
command in the sys-Whonix terminal: sudo aa-status --enabled; echo $? the 
answer I get is 3. Is that correct, or should the answer be 0?



Re: [qubes-users] alternative to bloated templates for faster work and minimal boot time/resources used

2018-11-26 Thread pieter lems
Hello Chris,
I was wondering, if I run a qube based on a fedora template it uses about
3.5GB of memory when just browsing. I decreased it to 2500 and it works
exactly the same. Will there be any negative effects by decreasing the
memory manually?
Thanks for the info btw!

On Fri, 16 Nov 2018 at 03:27, Chris Laprise wrote:

> On 11/15/2018 12:29 PM, 799 wrote:
> > Hello,
> >
> > On Thu, 15 Nov 2018, 09:44, <...> wrote:
> >
> > Is it possible to transfer sys-net/sys-usb/sys-vpn/sys-whonix to
> > 100mb templates based on musl/busybox/sysvinit linux ?
> > (...)
> >
> >
> > my sys-vms are based on fedora-28-minimal templates.
> > Honestly I like the idea and think smaller is better, but as I am
> > running lots of AppVMs (~8-12) when working productively most resources are
> > used by those VMs.
> >
> > I don't think that you gain that many resources by switching sys-vms.
> > And honestly storage capacity is not a big deal today ;-)
>
> Disk capacity shouldn't be a big issue unless you like to make lots of
> template variations.
>
> For RAM efficiency the available templates are already pretty efficient,
> but the Qubes RAM allocation algorithms could be better. Manually
> setting the maximum RAM has worked great on my 8GB system: about 350MB
> for each service VM, 700-900MB for media playback, 1500-2500MB for
> browsing and other heavy apps. Finally, I set the dom0 max to 1500MB in
> /etc/default/grub. Using debian-9 templates, these ranges result in a
> system that is *much* more usable than it would be with the default RAM
> allocation; I highly recommend it.
>
>
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>


[qubes-users] Recovering TemplateVM from boot failure caused by incorrect /etc/fstab

2018-11-26 Thread 'Fabio' via qubes-users
I made an accidental edit to /etc/fstab which is causing my TemplateVM to 
timeout on boot with error Cannot connect to qrexec agent for 60 seconds

Is there a way to edit a particular VM's etc/fstab without booting it up? Can I 
perhaps mount its root filesystem?

Attempted solutions

1. I've tried adding init=/bin/bash to the kernel opts, starting the templateVM 
and then running sudo xl console TEMPLATE_NAME from Dom0 but I did not reach a 
command-prompt before fstab was read and executed.

2. I tried mounting the root filesystem for the TemplateVM from Dom0 with: sudo 
mount /dev/qubes_dom0/vm-fedora-26-root mnt but got error wrong fs type, bad 
option, bad superblock...

Any suggestions on how I could edit /etc/fstab for my TemplateVM before it gets 
executed?

Steps to reproduce the behavior:

- Edit your /etc/fstab to be incorrectly formatted
- Run qvm-start YOUR_FAULTY_TEMPLATE

Related issue: 
https://unix.stackexchange.com/questions/44027/how-to-fix-boot-failure-due-to-incorrect-fstab



Re: [qubes-users] Setup NextCloud in Qubes

2018-11-26 Thread Achim Patzner
On Sunday, 25.11.2018, 14:44 -0800, pr0xy wrote:
> Looking through past messages here it seems that others have got
> OwnCloud and NextCloud working. I wonder if they were able to do this
> with bind-dirs, or whether they had to use a StandaloneVM.

Again: What do you want to gain? Having access to the same files on
multiple VMs? Having copies on all of them (plus the copy on the
storage VM) seems like a bit of overkill to me.

> There are some other aspects of NextCloud aside from the file sharing
> like Calendar, Contacts, Notes and others that might also be nice to
> have internally.

And to be honest: I do not trust all those plugins that far. They are
complicating things and complicated things cannot be easily verified.
Why not do everything on the same VM (which would be a risk you could
at least try to assess)? And where would be the limit? The Password
application? Giving external users access because you need to share
files?

I'm not against a centralized "file service and storage VM" but it
would take considerable work to really find a secure way to do it;
access would likely have to use an RPC mechanism like current file
copying. It might be better to find out if it was possible to implement
something like WebDAV on top of a Qubes RPC service with a fuse front
end.


Achim Patzner



[qubes-users] Re: Setting up automated appvm backups using cron?

2018-11-26 Thread gdrub51
On Sunday, 25 November 2018 22:33:18 UTC+1, Stumpy wrote:
> I was wanting to back up some of my more important appvms, like vault, 
> on a regular basis. I am lazy so was thinking that cron might be an 
> option? It's been a while since I used cron but I assume I could make a 
> job with a line like:
> 
> qvm-backup -d vault -p /tmp/vault-key ?
> 
> I am not sure about the last part as I would like to put it on an 
> external drive so in 3.2 I could have pointed it to the ext drive on 
> dom0 but now I am not quite sure where to point it? Ideas?

Hi,

So here is how I do it manually only once a week :

---%<---
#!/bin/sh
# Weekly Qubes backup, run manually in dom0.

# Service VMs to restart once the backup is done
VM_LIST="sys-net sys-firewall sys-net2 sys-net3"
MOUNT_PATH="/mnt/removable"
BACKUP_DIR="backupVM_desktop"

# all vm-shutdown: stop everything except sys-net and sys-usb, then take
# the network interface down before stopping sys-net itself
qvm-shutdown --wait --all --exclude=sys-net --exclude=sys-usb
qvm-run sys-net "sudo ifconfig ens5 down; sudo modprobe -r r8169"
qvm-shutdown --wait sys-net

# qvm-backup: write the archive to the removable drive mounted in sys-usb
qvm-backup --compress --verbose --passphrase-file /home/gdrub/read_in \
    --dest-vm sys-usb "$MOUNT_PATH/$BACKUP_DIR" \
    fedora-28-minimal-LAMP kali hyneview fedora-26 \
    sys-net sys-net2 sys-net3 sys-firewall sys-firewall3 debian-8 debian-9 win10 \
    docker dockerhost personal work dom0

# rotate: keep the two previous backups next to the new one

# /usr/bin/mv backup.1 backup.2 > /dev/null 2>&1
qvm-run sys-usb "sudo mv $MOUNT_PATH/$BACKUP_DIR/backup.1 $MOUNT_PATH/$BACKUP_DIR/backup.2"
# /usr/bin/mv backup backup.1 > /dev/null 2>&1
qvm-run sys-usb "sudo mv $MOUNT_PATH/$BACKUP_DIR/backup $MOUNT_PATH/$BACKUP_DIR/backup.1"
# /usr/bin/mv $lastfile backup > /dev/null 2>&1
qvm-run sys-usb "sudo mv $MOUNT_PATH/$BACKUP_DIR/qubes-backup* $MOUNT_PATH/$BACKUP_DIR/backup"
sleep 3

# vm-start: bring the service VMs back up first
for VM in $VM_LIST
do
    qvm-start "$VM"
done

sleep 30

qvm-start personal
qvm-start work
---%<---

Best regards
