Re: [qubes-users] Experimenting with Wireguard VPN @Mullvad.net

2017-11-11 Thread Chris Laprise

On 11/11/2017 10:44 AM, Grogins wrote:


> Have tried to get Wireguard up on multiple occasions with both Debian
> and Fedora I get similar results every time. i.e. at step 3:
>
> [root@wireguardtey)mp ~]# qvm-copy-to-vm vpn /lib/modules/$(uname
> -r)/extra/wireguard.ko
> qfile-agent: Fatal error: stat wireguard.ko (error type: No such file or
> directory
>
> I've searched for file "wireguard.ko" but no results.
> Any ideas?


It must have failed to build the .ko during install. Probably the best 
way around this in Qubes 3.2 is to switch to the in-template kernel, per 
the link I sent. If you're using Qubes 4.0 the kernel switch process is 
simpler: qvm-prefs vmname kernel ''


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/81e28b48-839c-b00e-a5d6-2bafc407a320%40posteo.net.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] /var/log excessive filesystem usage

2017-11-11 Thread Chris Laprise

On 11/11/2017 03:38 PM, taii...@gmx.com wrote:

> Wait fedora doesn't sign their stuff? Damn that's terrible! So when
> you dnf something there isn't any gpg verification of the files?




Fedora signs packages individually. But nearly all (except Fedora) sign 
the overall repository manifest as well. Lack of repo signatures allows 
an attacker to selectively prevent individual updates from being 
installed. On a typical non-Fedora distro, the attacker can only hold 
back the entire repository (and they can't change the timestamp to make 
it appear current).


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Experimenting with Wireguard VPN @Mullvad.net

2017-11-11 Thread Chris Laprise

On 11/11/2017 10:44 AM, Grogins wrote:






 Original Message 
Subject: [qubes-users] Experimenting with Wireguard VPN @Mullvad.net
Local Time: November 6, 2017 4:51 PM
UTC Time: November 6, 2017 4:51 PM
From: tas...@posteo.net
To: qubes-users <qubes-users@googlegroups.com>


Mullvad recently added trial Wireguard VPN support, so I wrote a howto
for setting it up on Qubes:


https://github.com/tasket/Qubes-vpn-support/wiki/Wireguard-VPN-connections-in-Qubes-OS

This is Debian-oriented but easy to adapt for Fedora.



Chris Laprise,tas...@posteo.net <mailto:tas...@posteo.net>
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886



> Have tried to get Wireguard up on multiple occasions with both Debian
> and Fedora I get similar results every time. i.e. at step 3:
>
> [root@wireguardtey)mp ~]# qvm-copy-to-vm vpn /lib/modules/$(uname
> -r)/extra/wireguard.ko
> qfile-agent: Fatal error: stat wireguard.ko (error type: No such file or
> directory
>
> I've searched for file "wireguard.ko" but no results.
> Any ideas?



You could search the different kernel versions under the /lib/modules 
dir, as the wg installer sometimes makes an erroneous decision that the 
kernel version you're running is not really the kernel that will be used.


Alternately, on Qubes 3.2: 
https://www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: 4.RC2 CANT create / install VM from local iso

2017-11-11 Thread lowson . chris
On Saturday, October 28, 2017 at 1:25:33 PM UTC-4, Filip Magic wrote:
> On 10/28/17 11:29, Foppe de Haan wrote:
> > On Saturday, October 28, 2017 at 11:27:36 AM UTC+2, Foppe de Haan wrote:
> >> On Saturday, October 28, 2017 at 9:49:19 AM UTC+2, Roy Bernat wrote:
> >>> On Friday, 27 October 2017 11:26:01 UTC-4, Outback Dingo  wrote:
>  So we need updated docs or somethings broken...
> 
>  i copied the iso to /home/user from the AppVM tried to create an hvm
>  appvm got a unrecognized argument... ok
>  then tried without --hvm... seems ok however. qvm-start
>  results in a traceback
> 
>  [dingo@dom0 ~]$ qvm-create BSD --hvm --label blue
>  usage: qvm-create [-h] [--verbose] [--quiet] [--class CLS]
>    [--property NAME=VALUE] [--pool VOLUME_NAME=POOL_NAME]
>    [-P POOL_NAME] [--template VALUE] [--label VALUE]
>    [--help-classes]
>    [--root-copy-from FILENAME | --root-move-from FILENAME]
>    [VMNAME]
>  qvm-create: error: unrecognized arguments: --hvm
>  [dingo@dom0 ~]$ qvm-create BSD  --label blue
>  sudo qvm-start BSD 
>  --cdrom=/home/dingo/FreeBSD-11.1-RELEASE-amd64-disc1.iso
>  Traceback (most recent call last):
>    File "/bin/qvm-start", line 9, in 
>  load_entry_point('qubesadmin==4.0.9', 'console_scripts', 
>  'qvm-start')()
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 160, in main
>  drive_assignment = get_drive_assignment(args.app, args.drive)
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 98, in get_drive_assignment
>  backend_domain_name, ident = drive_str.split(':', 1)
>  ValueError: not enough values to unpack (expected 2, got 1)
>  [dingo@dom0 ~]$ qvm-start BSD
>  --cdrom=/home/dingo/FreeBSD-11.1-RELEASE-amd64-disc1.iso
>  Traceback (most recent call last):
>    File "/usr/bin/qvm-start", line 9, in 
>  load_entry_point('qubesadmin==4.0.9', 'console_scripts', 
>  'qvm-start')()
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 160, in main
>  drive_assignment = get_drive_assignment(args.app, args.drive)
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 98, in get_drive_assignment
>  backend_domain_name, ident = drive_str.split(':', 1)
>  ValueError: not enough values to unpack (expected 2, got 1)
>  [dingo@dom0 ~]$ qvm-start BSD
>  --cdrom=/home/dingo/FreeBSD-11.1-RELEASE-amd64-disc1.iso
>  Traceback (most recent call last):
>    File "/usr/bin/qvm-start", line 9, in 
>  load_entry_point('qubesadmin==4.0.9', 'console_scripts', 
>  'qvm-start')()
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 160, in main
>  drive_assignment = get_drive_assignment(args.app, args.drive)
>    File "/usr/lib/python3.5/site-packages/qubesadmin/tools/qvm_start.py",
>  line 98, in get_drive_assignment
>  backend_domain_name, ident = drive_str.split(':', 1)
>  ValueError: not enough values to unpack (expected 2, got 1)
> 
>  [user@personal dom0]$
> >>> You dont need to use --hvm . it is the default in version 4. 
> >>> Regarding the cdrom i have also the same issue it seems that this switch 
> >>> has beed deprecated .
> >>>
> >>>
> >>> Roy
> >> try qubes-vm-boot-from-device or qvm-start VMNAME --cdrom=VMNAME:/path ; 
> >> or use the interface from the second page of the VM settings GUI.
> > (Btw, if you type qvm-, or qubes-, bash spits out a 
> > list of commands starting with those characters; you can usually find the 
> > command you are looking for that way; beyond that, --help or 'man 
> > qvm-command' will also provide hints as to available switches, except in 
> > the case of qvm-pci currently.)
> >
> Is qubes-vm-boot-from-device working for you guys ? I'm not able to
> install any OS from ISO in StandaloneVM.

nope having the same issue here, it starts the VM then exits. Going to try a 
block device to see if that works.



Re: [qubes-users] Re: Installing Debian template 4.0rc2

2017-11-11 Thread Chris Laprise

On 11/11/2017 07:54 AM, Yuraeitha wrote:

> On Saturday, November 11, 2017 at 12:23:28 PM UTC, JPL wrote:
>
> > For some reason the debian template didn't install when I installed Qubes, even
> > though I selected it. No matter I thought, I'll do it manually.
> >
> > However following the instructions here:
> >
> > https://www.qubes-os.org/doc/templates/debian/
> >
> > namely:
> >
> > [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8
> >
> > I get "Nothing to do. Complete"
> >
> > qvm-ls reveals that debian-8 is absent.
> >
> > Is this instruction out of date or do I need to enable something first? Any
> > tips appreciated.
>
> The template re-install is currently broken, and requires fixing in a future
> patch. I've had/seen mixed results with the plain template install too (rather
> than re-install), so I suspect it's at least partly broken too? Either way it's
> not you, this is something that likely needs patch fixing. Possibly you can
> re-install Qubes and hope debian installs (sometimes work?, see below), or you
> could try move debian from one of your 3.2. backup archives, and then update it
> in Qubes 4 (hope for the best that the 3.2. template Qubes tools won't get in
> the way).


Occasionally the template install goes wrong.

The first thing to try is 'sudo dnf remove qubes-template-debian-8' to 
get the package out of there.


Another option is trying the current Debian release, version 9. There is
one issue (2913) where it takes 90sec to boot, but this should be
corrected soon and it's easy to fix: After 90sec run a terminal and enter
'sudo rm /etc/systemd/system/multi-user.target.wants/wpa_supplicant@.service'.
(Make sure you include the at-sign.)



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Chris Laprise

On 11/10/2017 05:51 PM, taii...@gmx.com wrote:

> In this case you should ask the luks/dmcrypt mailinglist as that is
> what qubes uses for disk crypto.




Would be simpler off the bat to limit discussion to asymmetric crypto, 
as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and 
most other disk encryption uses symmetric crypto.


I believe qvm-backup crypto is also symmetric (although IIRC it may have 
specific security issues that need to be addressed).


Finally, there is anti-evil-maid; I think it uses symmetric but not certain.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] /var/log excessive filesystem usage

2017-11-11 Thread Chris Laprise

On 11/10/2017 05:57 PM, taii...@gmx.com wrote:

> On 09/26/2017 03:56 AM, Alex wrote:
>
> > On 09/26/2017 09:44 AM, taii...@gmx.com wrote:
> >
> > > Update: deleting the contents of /var/log, /tmp and /var/tmp caused my
> > > system to be unbootable which is silly as these are not meant to be
> > > permanent locations
> > >
> > > I received errors about qmemman not being able to write a file, to
> > > which I had to revert the changes and re-create its directory to render
> > > the system bootable again.
> >
> > That's very strange - not the fact that qmemman does not work if you
> > remove its log directory, but the size on disk.
> >
> > I've had this R3.2 installation since october 2016, and my /tmp has 4KB
> > worth of data, /var/tmp 20KB and the biggest is /var/log with 1.8GB.
> >
> > But inside /var/log the biggest directory is journald/, that takes 99%
> > of the space, while qubes/ takes only 3.2 MB - the second biggest
> > directory being xen/ at 8.3MB.
> >
> > To check directory size I used "du", with a line like this:
> > /var/log# du --max=1 -h
> >
> > Please check settings in /etc/systemd/journald.conf to make sure
> > journald only logs what you need (and, in my case, does not discard what
> > it thinks I don't need).
>
> Thanks, I don't normally use systemd on my other computers

You can also run 'journalctl' to prune the logs. That's what I've done
since Fedora doesn't come with a sensible default setting.

> Another reason to hate systemd.
> Systemd linux takes 1min+ to boot vs 15 seconds on devuan's plain jane
> SysVinit (redhat only created systemd to run a hostile takeover of the
> linux community

... you must be new to Linux. :) Redhat has long exercised undue
influence over Linux development. When "desktop Linux" was a trend over 
a decade ago, they threw their weight around in that arena too. 
Unfortunately the community is stupid enough to let an unabashed 
server-only company determine the direction of desktop development.


OTOH, going back to init instead of fostering one of the alternatives 
has exposed a regressive streak in the community. Sysvinit sucked eggs 
for use cases involving power management (sleep/wake/etc), peripheral 
hotplug, anything where the system had to enter different global states. 
It probably still does suck and somehow I can't believe that devuan is 
thoroughly testing for PC use cases (doubt they even recognize 'use 
case' as a development concept); On my last survey, no one except 
Canonical does this.


The tragedy here is that Ubuntu tried to address the issue reasonably in 
their usual fashion (follow Apple's lead) and Redhat and their neckbeard 
camp said "No". Over the years: No apt, No Mir, No upstart, No 
addressing desktop security bug reports, No repo signing on Fedora 
(can't compete with RHEL on update security!), No certification of 
PCs... They'll wait 7-10 years until their boys get around to doing it 
over. Redhat are the Knights Who Say NIH (Not Invented Here). Now 
Canonical is taking their business and they are flailing about.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] installing a clean template

2017-11-09 Thread Chris Laprise

On 11/09/2017 06:36 PM, Unman wrote:

> On Tue, Oct 24, 2017 at 09:31:21PM -0500, Ted Brenner wrote:
>
> > Hi all,
> >
> > I'd like to install a clean version of my debian-8 template. I tried
> > following the instructions on this page
> > <https://www.qubes-os.org/doc/templates/debian/> but the command didn't
> > work. I see a message that "No Match for argument qubes-template-debian-8".
> > Perhaps out of date or only works if you don't already have a debian-8
> > template? Is there a way to create a new fresh version of the standard
> > templates?
> >
> > The reason I ask is that I installed some non supported binaries in my
> > debian 8 template to support playing DVDs. I'd like to use my debian 8
> > template to also do email but am nervous about using the same template for
> > something I'd like to be secure along side something I don't expect to be
> > secure. Namely multimedia. Obviously I should have cloned my debian 8
> > template before installing the multimedia packages. Oh well.
> >
> > Thanks!
>
> Hi Ted
>
> Which Qubes version are you using?
>
> There's no reason why you can't reinstall a standard template.
> If you want to keep your existing template, I suggest you clone it, and
> then delete the template before reinstalling from the ITL repository.
> You can also download the template from yum.qubes-os.org, copy it to
> dom0 and install it there.



If you're on Qubes 3.2, you can reinstall a template in one step:

https://www.qubes-os.org/doc/reinstall-template/

This function doesn't work yet in R4.0.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Chris Laprise

On 11/09/2017 06:57 PM, brutellealexan...@gmail.com wrote:

> On Friday, 10 November 2017 00:39:32 UTC+1, Chris Laprise  wrote:
>
> > On 11/09/2017 05:51 PM,wrote:
> >
> > > I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23
> > > template) in my set up.
> > >
> > > However I don't seem to be able to reproduce the same template and make another
> > > one using the Debian8 template. Is the process any different ? When trying I
> > > get a TLS Error.
> > >
> > > Hope someone can help !
> >
> > Setup is the same on the different templates (only variation is in Qubes
> > R4.0 which isn't in the doc yet).
> >
> > How does the connection go when you start it manually from the terminal?
>
> I just get this message : SSL3_CLIENT_HELLO:no ciphers available + these two
> error messages : TLS Error, incoming plain text read error, TLS handshake
> failed.
>
> This is something I got several times before being actually able to set up my
> first VPN, but I don't remember how I solved this...


Check that the configuration files in /rw/config/vpn are the same. Also, 
compare the version of openvpn in fedora-23 with the one in debian-8... 
IIRC they had an upgrade that introduced an incompatibility with older 
services. That could mean you need to get an updated config file from 
your VPN provider.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Recommendations for VPN on the debian8 template ?

2017-11-09 Thread Chris Laprise

On 11/09/2017 05:51 PM, brutellealexan...@gmail.com wrote:

> I've successfully installed a VPN Tunnel as a proxy-VM (on a Fedora 23
> template) in my set up.
>
> However I don't seem to be able to reproduce the same template and make another
> one using the Debian8 template. Is the process any different ? When trying I
> get a TLS Error.
>
> Hope someone can help !
Hope someone can help !


Setup is the same on the different templates (only variation is in Qubes 
R4.0 which isn't in the doc yet).


How does the connection go when you start it manually from the terminal?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] work: volume qubes dom0/vm-work-private missing

2017-11-09 Thread Chris Laprise

On 11/09/2017 04:44 PM, Jon Solworth wrote:

> I'm unable to start up work qubes, with the above error message.
> The problem might be related to attempts to remove the debian 8
> templates after problems with it.
>
> Jon



Do you see that volume (or one with a similar name) when you list them 
with 'sudo lvs'?


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] reboot and shutdown qubes 4 rc2

2017-11-08 Thread Chris Laprise

On 11/08/2017 12:54 PM, Roy Bernat wrote:

> Hi all
>
> until now i am not able to have shutdown or reboot without press the physical.
>
> some one has some idea ?   seems that it is stuck on
>
> failed to read reboot  parameter : no such file or directory .
>
> on shutdown it stuck on watchdog .
>
> any idea ?
>
> Roy


I think it's a common problem. What I use is this:

qvm-shutdown --all --wait --timeout=20
sudo poweroff -f

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] How to make /lib/modules/* writable on R4.0 standalone?

2017-11-05 Thread Chris Laprise
I'm trying to manually add a kernel module to a standalone (from debian 
template) VM, but I can't re-mount the modules dir as read-write. I also 
tried to bind-mount a copy of modules to /lib/modules but modprobe 
doesn't see the new module. (insmod does see it, but it doesn't take 
care of dependencies like modprobe does).


Is there a way to do this permanently?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] How to change updates proxy VM on Qubes R4

2017-11-03 Thread Chris Laprise
I tried setting the global updatevm to the VM I created to handle 
updates, and I enabled 'qubes-updates-proxy' on it. However all the 
update traffic appears to go through sys-net anyway. How to configure 
this properly?


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: I can't remove VM

2017-11-02 Thread Chris Laprise

On 11/02/17 12:41, Marek Marczykowski-Górecki wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Thu, Nov 02, 2017 at 12:31:11PM -0400, Chris Laprise wrote:
>
> > On 11/02/17 12:15, Marek Marczykowski-Górecki wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > On Thu, Nov 02, 2017 at 11:34:01AM -0400, Chris Laprise wrote:
> > >
> > > > On 11/02/17 11:28, yuraei...@gmail.com wrote:
> > > >
> > > > > On Thursday, November 2, 2017 at 3:11:03 PM UTC,
> > > > > bm-2ctrx1tl5lg8cfa...@bitmessage.ch wrote:
> > > > >
> > > > > > Hi, I restore my backup from Qubes OS R3.2 to Qubes OS 4.0 and after
> > > > > > successful restored I tried to delete one VM that was useless but I can't
> > > > > > and I don't know why.
> > > > >
> > > > > In the picture,"9870361_11.jpg" at the very last line, "domain is in use:
> > > > > 'disp-sys-net'". As long as there are other templates or AppVM's tied to this disp-sys-net
> > > > > AppVM, then you cannot delete it.
> > > > >
> > > > > I don't know any easier method, but you can run this command
> > > > > user@dom0: qvm-prefs fedora-25 default_dispvm
> > > > > to print out in the terminal, which disvm is in use, or if any at all. Just
> > > > > replace fedora-25 for all your other templates/AppVM, and you'll eventually
> > > > > find all the VM's tied to your disp-sys-net VM. It should take a few minutes,
> > > > > depending on how many VM's you have to run through.
> > > > >
> > > > > If you want to remove it altogether, then use
> > > > > user@dom0: qvm-prefs fedora-25 default_dispvm False
> > > > >
> > > > > or if you want to change it to another dispvm, then use
> > > > > user@dom0: qvm-prefs fedora-25 default_dispvm disp-VM-of-choice
> > > >
> > > > I'm having the same problem with 'disp-no-netvm' and 'disp-no-netvm1' after
> > > > restoring R3.2 backups. I've made sure no VMs use those... it's easy to do
> > > > with 'qvm-ls' command.
> > >
> > > Details (including what VM use it where) are logged in dom0 logs (see
> > > journalctl). It is not included in the error message for privacy reasons
> > > (the same message could be also obtained through Admin API from different
> > > VM).
> >
> > Journal says it's used by 'personal.default_dispvm'. My personal vm dispvm
> > setting is 'default(none)'.
>
> Is the same reported by qvm-prefs?



qvm-prefs is not the same... it shows the 'disp-no-netvm' vm name. I 
reset it with `qvm-prefs -D` on a few vms and was finally able to remove 
the extras.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
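
The per-VM `qvm-prefs ... default_dispvm` check and the `qvm-prefs -D` reset discussed in this thread, scripted over every qube at once (an added example, not part of the original messages or of Qubes itself). It assumes dom0 on R4.0, where `qvm-ls --raw-list` prints one qube name per line; `QVM_LS` and `QVM_PREFS` are hypothetical override variables introduced here, not Qubes settings.

```shell
#!/bin/sh
# Added example: find (and optionally reset) every qube whose default_dispvm
# property still names a DispVM that refuses to be removed.
# QVM_LS / QVM_PREFS are hypothetical hooks so the functions can be pointed
# at stand-in commands when run outside dom0.
QVM_LS=${QVM_LS:-qvm-ls}
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print the name of each qube whose default_dispvm equals $1.
# The body runs in a subshell so its variables do not leak.
find_dispvm_users() (
    target=$1
    for vm in $("$QVM_LS" --raw-list); do
        # A domain that does not expose the property is skipped.
        current=$("$QVM_PREFS" "$vm" default_dispvm 2>/dev/null) || continue
        if [ "$current" = "$target" ]; then
            printf '%s\n' "$vm"
        fi
    done
)

# Reset default_dispvm to its default value on each qube found,
# the same operation as the `qvm-prefs -D` mentioned in the thread.
reset_dispvm_users() {
    for _vm in $(find_dispvm_users "$1"); do
        "$QVM_PREFS" -D "$_vm" default_dispvm && printf 'reset %s\n' "$_vm"
    done
    return 0
}

# Usage: sh dispvm-users.sh DISPVM_NAME [--reset]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--reset" ]; then
        reset_dispvm_users "$1"
    else
        find_dispvm_users "$1"
    fi
fi
```

Run it first without `--reset` and compare the list with what journalctl in dom0 reports as the referencing property.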



Re: [qubes-users] Re: I can't remove VM

2017-11-02 Thread Chris Laprise

On 11/02/17 12:15, Marek Marczykowski-Górecki wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Thu, Nov 02, 2017 at 11:34:01AM -0400, Chris Laprise wrote:
>
> > On 11/02/17 11:28, yuraei...@gmail.com wrote:
> >
> > > On Thursday, November 2, 2017 at 3:11:03 PM UTC,
> > > bm-2ctrx1tl5lg8cfa...@bitmessage.ch wrote:
> > >
> > > > Hi, I restore my backup from Qubes OS R3.2 to Qubes OS 4.0 and after
> > > > successful restored I tried to delete one VM that was useless but I can't
> > > > and I don't know why.
> > >
> > > In the picture,"9870361_11.jpg" at the very last line, "domain is in use:
> > > 'disp-sys-net'". As long as there are other templates or AppVM's tied to this disp-sys-net
> > > AppVM, then you cannot delete it.
> > >
> > > I don't know any easier method, but you can run this command
> > > user@dom0: qvm-prefs fedora-25 default_dispvm
> > > to print out in the terminal, which disvm is in use, or if any at all. Just
> > > replace fedora-25 for all your other templates/AppVM, and you'll eventually
> > > find all the VM's tied to your disp-sys-net VM. It should take a few minutes,
> > > depending on how many VM's you have to run through.
> > >
> > > If you want to remove it altogether, then use
> > > user@dom0: qvm-prefs fedora-25 default_dispvm False
> > >
> > > or if you want to change it to another dispvm, then use
> > > user@dom0: qvm-prefs fedora-25 default_dispvm disp-VM-of-choice
> >
> > I'm having the same problem with 'disp-no-netvm' and 'disp-no-netvm1' after
> > restoring R3.2 backups. I've made sure no VMs use those... it's easy to do
> > with 'qvm-ls' command.
>
> Details (including what VM use it where) are logged in dom0 logs (see
> journalctl). It is not included in the error message for privacy reasons
> (the same message could be also obtained through Admin API from different
> VM).


Journal says its used by 'personal.default_dispvm'. My personal vm 
dispvm setting is 'default(none)'.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: I can't remove VM

2017-11-02 Thread Chris Laprise

On 11/02/17 11:56, yuraei...@gmail.com wrote:

On Thursday, November 2, 2017 at 3:34:21 PM UTC, Chris Laprise wrote:

On 11/02/17 11:28, yuraei...@gmail.com wrote:

On Thursday, November 2, 2017 at 3:11:03 PM UTC, 
bm-2ctrx1tl5lg8cfa...@bitmessage.ch wrote:

Hi, I restored my backup from Qubes OS R3.2 to Qubes OS 4.0 and after it was
successfully restored I tried to delete one VM that was useless, but I can't
and I don't know why.

In the picture "9870361_11.jpg", at the very last line: "domain is in use: 
'disp-sys-net'". As long as there are other templates or AppVMs tied to this disp-sys-net 
AppVM, you cannot delete it.

I don't know any easier method, but you can run this command
user@dom0: qvm-prefs fedora-25 default_dispvm
to print out in the terminal which dispvm is in use, if any at all. Just 
replace fedora-25 with each of your other templates/AppVMs, and you'll eventually 
find all the VMs tied to your disp-sys-net VM. It should take a few minutes, 
depending on how many VMs you have to run through.

If you want to remove it altogether, then use
user@dom0: qvm-prefs fedora-25 default_dispvm False

or if you want to change it to another dispvm, then use
user@dom0: qvm-prefs fedora-25 default_dispvm disp-VM-of-choice

I'm having the same problem with 'disp-no-netvm' and 'disp-no-netvm1'
after restoring R3.2 backups. I've made sure no VMs use those... it's
easy to do with the 'qvm-ls' command.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Are you sure your qvm-ls command shows the disposable VMs on each VM? Mine only shows "State", "Class", 
"Label", "Template", and "NetVM". It doesn't show any Disp_VM.
Maybe you can't remove it because it doesn't show the disp_vms?

Or is there an option in qvm-ls that I missed that prints disp_vms 
too? I can't detect any useful ones with 'qvm-ls -h' or 'qvm-ls --help-formats', 
though I may have missed it.

I've tried them all, can't find any disp_vm information.
qvm-ls --format disk
qvm-ls --format full
qvm-ls --format network
qvm-ls --format simple


qvm-ls shows the network, but I went into each VM settings to see what 
the dispVM setting was and they're all 'none'.


Chris

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f3e937a-a9e7-2a01-d51e-3eb0bd37%40posteo.net.


Re: [qubes-users] Re: I can't remove VM

2017-11-02 Thread Chris Laprise

On 11/02/17 11:28, yuraei...@gmail.com wrote:

On Thursday, November 2, 2017 at 3:11:03 PM UTC, 
bm-2ctrx1tl5lg8cfa...@bitmessage.ch wrote:

Hi, I restored my backup from Qubes OS R3.2 to Qubes OS 4.0 and after it was
successfully restored I tried to delete one VM that was useless, but I can't
and I don't know why.

In the picture "9870361_11.jpg", at the very last line: "domain is in use: 
'disp-sys-net'". As long as there are other templates or AppVMs tied to this disp-sys-net 
AppVM, you cannot delete it.

I don't know any easier method, but you can run this command
user@dom0: qvm-prefs fedora-25 default_dispvm
to print out in the terminal which dispvm is in use, if any at all. Just 
replace fedora-25 with each of your other templates/AppVMs, and you'll eventually 
find all the VMs tied to your disp-sys-net VM. It should take a few minutes, 
depending on how many VMs you have to run through.

If you want to remove it altogether, then use
user@dom0: qvm-prefs fedora-25 default_dispvm False

or if you want to change it to another dispvm, then use
user@dom0: qvm-prefs fedora-25 default_dispvm disp-VM-of-choice


I'm having the same problem with 'disp-no-netvm' and 'disp-no-netvm1' 
after restoring R3.2 backups. I've made sure no VMs use those... it's 
easy to do with the 'qvm-ls' command.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/250f5146-70ff-6eea-fe6a-782eeef47fa4%40posteo.net.
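
The per-VM `qvm-prefs` check suggested in this thread can be looped over every VM. This is an added example, not part of any poster's message; it assumes Qubes 4.0's `qvm-ls --raw-list`, and the choice to check `netvm` and `template` as well as `default_dispvm` is an assumption, since the thread only discusses `default_dispvm`.

```shell
#!/bin/sh
# Added example (not from the thread): list every VM property that still
# points at a given VM, instead of running qvm-prefs by hand for each VM.
# Run in dom0 on Qubes 4.0:   find_referrers disp-sys-net

# The two commands are overridable so the logic can be exercised outside dom0.
QVM_LS="${QVM_LS:-qvm-ls}"
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# Properties that can hold a reference to another VM (assumed list; the
# thread itself only discusses default_dispvm).
REF_PROPS="default_dispvm netvm template"

# find_referrers TARGET
#   stdout: one "vm.property" line per property whose value is TARGET
#   exit  : 0 if at least one reference was found, 1 if none
find_referrers() {
    target=$1
    status=1
    for vm in $("$QVM_LS" --raw-list); do
        for prop in $REF_PROPS; do
            # Not every VM class has every property; skip those errors.
            value=$("$QVM_PREFS" "$vm" "$prop" 2>/dev/null) || continue
            if [ "$value" = "$target" ]; then
                printf '%s.%s\n' "$vm" "$prop"
                status=0
            fi
        done
    done
    return "$status"
}
```

The output uses the same `vm.property` form as the dom0 journal entry quoted in this thread, so the two can be compared directly.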


Re: [qubes-users] Re: How to qvm-attach VM volume to another VM?

2017-11-02 Thread Chris Laprise

On 11/02/17 00:13, aphidfar...@gmail.com wrote:

On Wednesday, November 1, 2017 at 7:40:01 PM UTC-7, Chris Laprise wrote:

I'm trying to repair a debian-9 root volume by first attaching it to an
appVM, but the new syntax doesn't seem to allow it. I tried the
following so far:

qvm-block attach tempvm lvm:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:/dev/mapper/qubes_dom0-vm--debian--9--root


I'm also interested in a replacement for the old qvm-block -A functionality.

In the meantime I use losetup to get a block device for use with the new 
qvm-block, works for me but it's messier.



That's good to know because even with private volumes you occasionally 
need to attach one to an appVM for fixes/inspection without mounting it 
as /home.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/effde288-6143-7de5-19f2-f90c584cd04a%40posteo.net.


[qubes-users] Debian 9 running on R4rc2 (was: How to qvm-attach...)

2017-11-02 Thread Chris Laprise

On 11/02/17 03:33, Marek Marczykowski-Górecki wrote:


On Wed, Nov 01, 2017 at 10:39:36PM -0400, Chris Laprise wrote:

I'm trying to repair a debian-9 root volume by first attaching it to an
appVM, but the new syntax doesn't seem to allow it. I tried the following so
far:

qvm-block attach tempvm lvm:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:/dev/mapper/qubes_dom0-vm--debian--9--root

qvm-block generally allows attaching only devices listed by it (qvm-block
ls). VM volumes are specifically excluded there.

I'd propose an alternative approach for fixing debian-9: enable debug mode,
boot it, log in (you'll have a VGA console), then remove the
xserver-xorg-legacy package. It should fix the GUI there.


Already had it in debug mode; just discovered you have to wait several 
minutes for the console. But I removed xserver-xorg-legacy and it's still 
not right. After waiting a minute I can get xterm to run but Gnome stuff 
(gnome-terminal) is broken:


> Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: Failed to execute child process "dbus-launch" (No such file or directory)


FWIW, I did an upgrade of a debian-8 template and that seems good so far.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8e9f6d62-328c-4900-bd72-12819d2a9fe7%40posteo.net.


[qubes-users] How to qvm-attach VM volume to another VM?

2017-11-01 Thread Chris Laprise
I'm trying to repair a debian-9 root volume by first attaching it to an 
appVM, but the new syntax doesn't seem to allow it. I tried the 
following so far:


qvm-block attach tempvm lvm:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:qubes_dom0/vm-debian-9-root
qvm-block attach tempvm dom0:/dev/mapper/qubes_dom0-vm--debian--9--root


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f6973d6a-57ca-201a-f147-376acdc55b20%40posteo.net.


Re: [qubes-users] Re: Qubes 4.0-rc2 :: VMs fail to start

2017-10-31 Thread Chris Laprise

On 10/31/17 05:21, RSS wrote:

I see I am not alone here.


Having the information on which laptops Qubes 4 "should" run or even
more where it is running (Dev Users?) would help. The HCL
https://www.qubes-os.org/hcl/ does not help me, as it has no
information if 4.x is ok for the X230.

It looks to me like a bigger problem, not necessarily device specific:
https://github.com/QubesOS/qubes-issues/issues/3221

Remember this is not a public release, this is RC2. Release CANDIDATE 2.
That means it is a version meant for TESTING, not necessarily ready for
anything more.

TEST_FAILED


As mentioned before I am running Coreboot, should I go back to stock
ROM?

In fact I have an x230 without Coreboot, and I too cannot reliably even
get sys-net to run, let alone sys-firewall, which I do not think I have
seen running once.


FYI the internal ethernet controller seems to give RC2 sys-net big 
problems. I had to remove it from my sys-net Devices list, so there is 
only wifi. So my sys-net will usually start, but not the other VMs 
following it.




Personally I am going to close the lid and wait for the next release.
(Unless anyone would like to collect some debug information from me.)




--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5655a465-7622-9a2b-11a1-e19704e144be%40posteo.net.


Re: [qubes-users] Re: Qubes 4.0-rc2 :: VMs fail to start

2017-10-30 Thread Chris Laprise

On 10/30/17 16:29, Roy Bernat wrote:

On Wednesday, 25 October 2017 13:26:51 UTC-4, [799]  wrote:

Hello,

As at least one other Qubes user has the same problem, that VMs won't start, 
I'll add this as special topic.

I've made a clean install of Qubes 4-rc2 but ~70% of the time I can't boot the 
VMs.
This includes sys-net, sys-firewall, but also others.

I tried to check the logs but I don't get any valuable information.
See screenshot.

I started the following command in dom0:

watch -n 1 xl list

When I try to launch a VM I can see that the VMs appears in the xl list output, 
but the State is -- and the Time(s) is 0.0.
After ~30sec the start is aborted with error message: Cannot execute 
qrexec-daemon.

Questions:
1) Is anyone running Qubes 4.0-rc2 on a Lenovo X230?
2) Is someone additionally running Coreboot?
3) I am running the Qubes installation with the default settings; any options 
to tweak on the Grub command line?
[799]





Sent from ProtonMail mobile

No one has any idea? I tried to look for some logs, with no solution.

What I have found is that it happens more if I update dom0 before I update 
the templates.

maybe 

Roy



Over the past couple days, this has usually worked:

1. Close any appVMs that appear to be using lots of RAM and are not 
giving it back.


2. Start an isolated (network setting is "none") appVM... it should 
start up. Leave it running...


3. Start the VMs you intend to use; they should also start now.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c17cfc69-9019-9cff-30ae-5b1584af2ba1%40posteo.net.


Re: [qubes-users] Qubes 4.0-rc2 :: VMs fail to start

2017-10-27 Thread Chris Laprise

On 10/25/17 13:26, '[799]' via qubes-users wrote:

Hello,

As at least one other Qubes user has the same problem, that VMs won't 
start, I'll add this as special topic.


I've made a clean install of Qubes 4-rc2 but ~70% of the time I can't 
boot the VMs.

This includes sys-net, sys-firewall, but also others.

I tried to check the logs but I don't get any valuable information.
See screenshot.

I started the following command in dom0:

watch -n 1 xl list

When I try to launch a VM I can see that the VMs appears in the xl 
list output, but the State is -- and the Time(s) is 0.0.
After ~30sec the start is aborted with error message: Cannot execute 
qrexec-daemon.


Questions:
1) Is anyone running Qubes 4.0-rc2 on a Lenovo X230?
2) Is someone additionally running Coreboot?
3) I am running the Qubes installation with the default settings; any 
options to tweak on the Grub command line?




I created an issue for my VM start problems:

https://github.com/QubesOS/qubes-issues/issues/3221

There is no libxenlight error, and I think the problem may be related to 
the initial run of sys-net. Shutting down sys-net (and all VMs) and 
starting it again seems to make a difference. Also, there is a RAM 
allocation problem that (so far) hasn't shown up after I re-start sys-net.


Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1ce1b0a4-5e39-a446-65c1-8ffa0b295f82%40posteo.net.


Re: [qubes-users] Qubes 4.0 Display free disk space

2017-10-26 Thread Chris Laprise

On 10/26/17 15:32, Chris Laprise wrote:
I'm looking for an easy way to show free drive space in Qubes R4, 
since Xfce's widget doesn't handle lvm.


There is lots of advice for checking lvm space that doesn't seem to 
apply to thin-provisioned volumes, which is what R4 uses. (As a 
side-note, lvm thin-provisioning doesn't appear to be in wide use.) 
Some suggestions are to use 'pvs' and 'vgs' commands, for example.


The closest I've got to a real assessment of allocated/free space is 
'lvs' which shows a _percentage_ of used space for each of the many 
logical volumes... but not a total. Reading this doesn't even provide 
a vague picture of free space because the logical volume sizes are 
arbitrary (over-provisioned).




Got a somewhat workable estimate from this:

$ sudo lvs | grep '^  pool00'

The two percentage numbers on the right (data+metadata) can be added 
together for the total space used.


Expect lvm to consume one unit of disk space for metadata for every two 
units of data -- I may be mistaken but this seems quite high.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/532996d0-3cd3-3289-27c4-11afe80ebd9c%40posteo.net.
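
Turning the `lvs` percentages discussed above into absolute figures, as an added example that is not part of the original message: the function reads `lvs` output on stdin and reports the pool's data usage in GiB, keeping metadata usage separate because `lvs` states each percentage relative to its own volume. The sample input is constructed; `qubes_dom0` and `pool00` are the names that appear in these threads, and the 90% warning threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): convert the thin-pool percentages that
# `lvs` prints into absolute used/free figures.
#
# Real use in dom0:
#   sudo lvs --noheadings --units b --nosuffix \
#        -o lv_name,lv_size,data_percent,metadata_percent qubes_dom0 \
#     | pool_usage pool00 90

# pool_usage POOL [WARN_PCT]
#   stdin : lines of "lv_name size_in_bytes data% metadata%"
#   stdout: one summary line for POOL
#   exit  : 0 ok, 1 data or metadata usage >= WARN_PCT, 2 POOL not in input
pool_usage() {
    LC_ALL=C awk -v pool="$1" -v warn="${2:-90}" '
        $1 == pool {
            gib  = 1024 * 1024 * 1024
            size = $2; data = $3; meta = $4
            used = size * data / 100          # bytes of pool data in use
            printf "%s size=%.1fGiB data_used=%.1fGiB data_free=%.1fGiB meta_used=%.2f%%\n",
                   pool, size / gib, used / gib, (size - used) / gib, meta
            found = 1
            # Either figure reaching the threshold is worth acting on:
            # a thin pool that fills up stops accepting writes from every VM.
            if (data + 0 >= warn + 0 || meta + 0 >= warn + 0) over = 1
        }
        END { if (!found) exit 2; if (over) exit 1 }
    '
}

# Constructed sample in the column order requested above (not real output).
SAMPLE_LVS='  pool00            107374182400 25.00 10.00
  vm-debian-9-root  10737418240  40.00'

# Report for the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_LVS" | pool_usage pool00 90
}
```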


Re: [qubes-users] Qubes 4.0RC2 KDE - NO SDDM

2017-10-26 Thread Chris Laprise

On 10/26/17 13:00, Chris Laprise wrote:

On 10/26/17 12:35, Outback Dingo wrote:


Seems KDE Plasma isn't even installable right now; I tried based on the
doc, yet it's missing dependencies in 4.0RC2

https://www.qubes-os.org/doc/kde/



Would be best to open an issue for this.



See here:
https://github.com/QubesOS/qubes-issues/issues/3212
https://github.com/QubesOS/qubes-issues/issues/2968

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7a4597bd-7ec5-f95d-d3d2-f324bcb7ebb6%40posteo.net.


Re: [qubes-users] Qubes 4.0RC2 KDE - NO SDDM

2017-10-26 Thread Chris Laprise

On 10/26/17 12:35, Outback Dingo wrote:


Seems KDE Plasma isn't even installable right now; I tried based on the
doc, yet it's missing dependencies in 4.0RC2

https://www.qubes-os.org/doc/kde/



Would be best to open an issue for this.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/35946477-ce73-6144-eaa9-04d92af81bbf%40posteo.net.


Re: [qubes-users] Qubes 4.0RC2 KDE - NO SDDM

2017-10-26 Thread Chris Laprise

On 10/25/17 05:09, Outback Dingo wrote:

I tried to follow this page for KDE; however, it seems sddm is not installed

https://www.qubes-os.org/doc/kde/



I'd also prefer to have KDE running on R4. Except for one issue, it has 
been great to use on R3.x. So I'm curious if you can get it running 
before I try :)


Have you tried manually installing sddm?

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2d6002c6-ddbc-3575-0cef-1c3aef8768f6%40posteo.net.


[qubes-users] R4rc2 debian-9 template not working at all

2017-10-25 Thread Chris Laprise
The debian-9 template appears to install OK, but neither it nor VMs 
based on it will start properly. The menu list contains only the "VM 
Settings" entry. Starting in debug mode the last thing I see in the 
console window is "Probing EDD...ok" then a much larger blank window 
opens. Then it will just sit like that forever.


The vm-debian-9.log says:
Starting debian-9
Setting Qubes DB info for the VM
Starting Qubes DB
Activating the debian-9 VM

In addition, all VMs (any template) are not starting consistently. There 
is < 50% success rate and I often have to try starting a second or third 
time.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f44a670d-85d3-58a3-794c-4c613a0b271b%40posteo.net.


Re: [qubes-users] XEN)QUBES END POINT SECYRITY

2017-10-19 Thread Chris Laprise

On 10/19/2017 01:44 PM, Νικος Παπακαρασταθης wrote:

Hello

Is there any kind of end point security for Qubes Xen HV except isolation? 
Something like the usual ... internet security software used in Windows (antivirus, 
antispam, etc., unified). If not, how, for example, are payments safe?


Hi,

The typical Qubes thinking doesn't hold threat-scanning software (which 
is what I believe you're referring to) in high regard; it is seen as 
offering a false sense of security or creating additional attack 
surface. However, this doesn't mean you can't install AV scanners in 
your VMs... it's up to you.


In addition to isolation, Qubes' templates offer some inherent 
protection as well because VMs based on them can resist rootkits. This 
idea is extended somewhat here: 
https://github.com/tasket/Qubes-VM-hardening (the 'systemd' branch is 
experimental but has an ability to scan files).


OTOH, one of the best things you can do to increase security of your 
appVMs is to practice some regular caution. You can, for instance, 
install HTTPS Everywhere in your banking VM's browser and can even tell 
it to reject non-encrypted traffic. Also, avoid clicking on links in 
emails; if you copy-paste first you can review the actual domain name of 
the link. And email clients like Thunderbird try to detect phishing scams.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11d068df-fd93-6c22-bd51-1c013296ce5b%40posteo.net.


Re: [qubes-users] Read-only file system in applVM

2017-10-12 Thread Chris Laprise

On 10/12/2017 06:42 AM, Foppe de Haan wrote:

On Wednesday, October 11, 2017 at 10:08:18 PM UTC+2, Chris Laprise wrote:

On 10/11/2017 04:05 PM, Chris Laprise wrote:


I can explain the steps. You may wish to backup your appVM before
continuing.

1. Start a dispVM (I'll call it disp1). Your appVM should not be running.

2. In dom0 run 'qvm-block -A /var/lib/qubes/appvms/yourappvm/private.img'
Substitute 'yourappvm' in above command with the name of your appVM.

Correction: This command should be 'qvm-block -A disp1
dom0:/var/lib/qubes/appvms/yourappvm/private.img'


--
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

just for my information: why not just run that from dom0 directly (e.g. sudo 
fsck /var/lib/qubes/appvms/bla/bla.img)? is there a security risk involved with 
the invocation of fsck?



Actually, yes there is a risk.

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/48446dad-4edf-9c2d-7bc4-ff06c88e2130%40posteo.net.


Re: [qubes-users] Read-only file system in applVM

2017-10-11 Thread Chris Laprise

On 10/11/2017 04:05 PM, Chris Laprise wrote:

On 10/11/2017 11:00 AM, Franz wrote:



On Tue, Oct 10, 2017 at 2:18 PM, Chris Laprise <tas...@posteo.net> wrote:


    On 10/10/2017 02:31 AM, Franz wrote:



    On Mon, Oct 9, 2017 at 9:36 PM, Chris Laprise
    <tas...@posteo.net> wrote:

        On 10/09/2017 08:48 AM, Franz wrote:

            Hello,

            Trying to save a long document I got an error.

            So tried to open a new document to copy there the content of
            the older. But it gives an error: read only file system.

            Any idea why this applVM now decided to be a read only file
            system? and if is there a fix other than rebooting?
            Best
            Fran


        It probably means there is a logical inconsistency (corruption) in
        that filesystem, or it filled-up. You can avoid the latter by
        expanding the Private storage max size in the VM's settings.


    It should be corruption, because there is plenty of space.

    Anyway I had to reboot and after that it worked again even if
    an alert of Python not working appears.

    Is there some way to fix corruption cases?
    Best
    fran


    Using 'fsck' on it might fix it. Before doing that, you may have
    to re-mount the volume as read-only; or you could use qvm-block to
    attach the private.img to a dispVM and then run fsck /dev/xvdi .


The second seems easier, but the same I am confused. Is there a 
tutorial somewhere?

Best
Fran



I can explain the steps. You may wish to backup your appVM before 
continuing.


1. Start a dispVM (I'll call it disp1). Your appVM should not be running.

2. In dom0 run 'qvm-block -A /var/lib/qubes/appvms/yourappvm/private.img'
Substitute 'yourappvm' in above command with the name of your appVM.


Correction: This command should be 'qvm-block -A disp1 
dom0:/var/lib/qubes/appvms/yourappvm/private.img'



--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fb249663-15fd-bfa3-569c-5dd13eba0454%40posteo.net.


Re: [qubes-users] Read-only file system in applVM

2017-10-11 Thread Chris Laprise

On 10/11/2017 11:00 AM, Franz wrote:



On Tue, Oct 10, 2017 at 2:18 PM, Chris Laprise <tas...@posteo.net> wrote:


On 10/10/2017 02:31 AM, Franz wrote:



On Mon, Oct 9, 2017 at 9:36 PM, Chris Laprise
<tas...@posteo.net> wrote:

    On 10/09/2017 08:48 AM, Franz wrote:

        Hello,

        Trying to save a long document I got an error.

        So tried to open a new document to copy there the content of
        the older. But it gives an error: read only file system.

        Any idea why this applVM now decided to be a read only file
        system? and if is there a fix other than rebooting?
        Best
        Fran


    It probably means there is a logical inconsistency (corruption) in
    that filesystem, or it filled-up. You can avoid the latter by
    expanding the Private storage max size in the VM's settings.


It should be corruption, because there is plenty of space.

Anyway I had to reboot and after that it worked again even if
an alert of Python not working appears.

Is there some way to fix corruption cases?
Best
fran


Using 'fsck' on it might fix it. Before doing that, you may have
to re-mount the volume as read-only; or you could use qvm-block to
attach the private.img to a dispVM and then run fsck /dev/xvdi .


The second seems easier, but the same I am confused. Is there a 
tutorial somewhere?

Best
Fran



I can explain the steps. You may wish to backup your appVM before 
continuing.


1. Start a dispVM (I'll call it disp1). Your appVM should not be running.

2. In dom0 run 'qvm-block -A /var/lib/qubes/appvms/yourappvm/private.img'
Substitute 'yourappvm' in above command with the name of your appVM.

3. In disp1 run 'sudo fsck /dev/xvdi'

After fsck finishes you can shutdown disp1 and try to use your appVM. Or 
you can also use disp1 to explore the disk volume and copy data out of 
it (e.g. 'sudo mount /dev/xvdi /somedir; qvm-copy destvm 
/somedir/somefile').


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d3268822-0184-5440-65b6-18af7ac5a0c5%40posteo.net.


Re: [qubes-users] Read-only file system in applVM

2017-10-10 Thread Chris Laprise

On 10/10/2017 02:31 AM, Franz wrote:



On Mon, Oct 9, 2017 at 9:36 PM, Chris Laprise <tas...@posteo.net> wrote:


On 10/09/2017 08:48 AM, Franz wrote:

Hello,

Trying to save a long document I got an error.

So tried to open a new document to copy there the content of
the older. But it gives an error: read only file system.

Any idea why this applVM now decided to be a read only file
system? and if  is there a fix other than rebooting?
Best
Fran


It probably means there is a logical inconsistency (corruption) in
that filesystem, or it filled-up. You can avoid the latter by
expanding the Private storage max size in the VM's settings.


It should be corruption, because there is plenty of space.

Anyway I had to reboot and after that it worked again even if an alert 
of Python not working appears.


Is there some way to fix corruption cases?
Best
fran



Using 'fsck' on it might fix it. Before doing that, you may have to 
re-mount the volume as read-only; or you could use qvm-block to attach 
the private.img to a dispVM and then run fsck /dev/xvdi .


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] (Urgent) How do I uninstall qubes or install anything else over it

2017-10-09 Thread Chris Laprise

On 10/09/2017 07:29 PM, Mikhail Nairne wrote:

  I installed qubes os on my ssd hard-drive with windows 7 and now I'm trying 
to get back windows but for some reason I can't. can some one please help me 
out with this  because I know my material is still on my drive but how do I get 
back the windows because I had a lot of Important files on my original windows 
desktop... I hope I'm making sense. I even tried to install Windows again and 
it wouldn't let me for some reason. so right now I'm stuck with qubes OS and I 
can't get to any of the files I had before I installed qubes os. I bought a sata 
and took out my hard-drive and tried to remove the files that I needed of but 
the hard-drive didn't show up on the other computer I was using which has never 
happened before. It wouldn't come up for some reason I think it's because of 
the qubes. please some what help



Are you sure you didn't inadvertently erase your Windows partitions when 
installing Qubes? When you moved the drive to a different computer, this 
was a Windows computer? If so you should be able to find any existing 
Windows partitions using Disk Manager:


https://technet.microsoft.com/en-us/library/cc770943(v=ws.11).aspx

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Read-only file system in applVM

2017-10-09 Thread Chris Laprise

On 10/09/2017 08:48 AM, Franz wrote:

Hello,

Trying to save a long document I got an error.

So tried to open a new document to copy there the content of the 
older. But it gives an error: read only file system.


Any idea why this applVM now decided to be a read only file system? 
and if  is there a fix other than rebooting?

Best
Fran



It probably means there is a logical inconsistency (corruption) in that 
filesystem, or it filled-up. You can avoid the latter by expanding the 
Private storage max size in the VM's settings.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Mac-Spoofing Doesn’t Work

2017-10-08 Thread Chris Laprise

On 10/08/2017 05:34 AM, Sean Hunter wrote:

On Fri, Oct 06, 2017 at 11:55:04PM -0400, Chris Laprise wrote:

On 10/06/2017 11:26 PM, Person wrote:

Cloning VMs is quite troublesome right now, so it is hard to update Fedora and 
Debian in order to use NetworkManager.

You can easily install the Fedora 25 template that should already have the
correct version of NM:

$ sudo qubes-dom0-update qubes-template-fedora-25


Yup confirmed here - I've just tried turning on mac spoofing using the NetworkManager instructions and the fedora-25 
template in 4.0rc1 and spoofs the mac address on sys-net fine for me.  One thing is it seems it is now preferred to use 
"wifi.assigned-mac-address" etc rather than "wifi.cloned-mac-address".  
"cloned-mac-address" is deprecated.  I found this on the "nm-settings" manpage.


It seems that way on the man page, but the way it was explained to me on 
NM mailing list is that page is for the dbus NM interface and 
cloned-mac-address is deprecated there but it is still what they expect 
you to use in the config file. There was no page that fully explained 
the possible values for the config file itself.




My internal qubes still seem to have pretty standard Xen mac addrs (not that it 
matters).  I'm guessing I'm not actually running Networkmanager on them.


The internal MAC addresses shouldn't matter.



Sean



--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Chris Laprise

On 10/08/2017 08:18 AM, Marek Marczykowski-Górecki wrote:


On Sat, Oct 07, 2017 at 10:29:11AM +, Holger Levsen wrote:

Hi,

so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
and noisy… and that Qube is hardly using any swap at all:

$ free
              total        used        free      shared  buff/cache   available
Mem:        1888212      776484      640712       70296      471016     1031616
Swap:       1048572         716     1047856

So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…

Any hints / ideas?

I've seen this some time ago and `echo 3 > /proc/sys/vm/drop_caches`
helped. No idea why it is spinning...



What VM kernel are you using? I saw a great reduction in this problem 
when I upgraded to the latest 4.9 kernels; currently using 4.9.45-21 and 
the problem isn't reappearing.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Mac-Spoofing Doesn’t Work

2017-10-06 Thread Chris Laprise

On 10/06/2017 11:26 PM, Person wrote:

Cloning VMs is quite troublesome right now, so it is hard to update Fedora and 
Debian in order to use NetworkManager.


You can easily install the Fedora 25 template that should already have 
the correct version of NM:


$ sudo qubes-dom0-update qubes-template-fedora-25

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Mac-Spoofing Doesn’t Work

2017-10-02 Thread Chris Laprise

On 10/02/2017 11:08 PM, Person wrote:

I followed the directions for enabling mac-spoofing on Qubes, and it didn’t 
work. https://www.qubes-os.org/doc/anonymizing-your-mac-address/

I think I may have done something wrong. I could have not saved the gedit file 
correctly, or I spelled wlpos1 wrong. Or perhaps I didn’t restart sys-net 
enough times.



The doc has two different methods: Network Manager and macchanger. If 
using the first (recommended) you wouldn't need to configure 'wlpos1' 
directly, and it should work as long as your Wifi card has proper 
support for address changes.



--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] HCL — ASUS Q325UA

2017-10-02 Thread Chris Laprise

On 08/01/2017 09:49 PM, Tao Effect wrote:

Ran into all of the same issues that Mike Freemon experienced:

- 
https://groups.google.com/forum/#!searchin/qubes-users/display$20resolution|sort:relevance/qubes-users/BUe4tFfERtA/buazJHIzCQAJ
- 
https://groups.google.com/forum/#!msg/qubes-users/Eq2zZU5yXEs/qs94AX1uAAAJ


But, while attempting to follow Mike's recommendations, I ran into 
additional obstacles as described here:


https://github.com/QubesOS/qubes-issues/issues/2945

Ultimately I was able to get the laptop working.

HVM: Yes
IOMMU: Yes
SLAT: Yes
TPM: `qubes-hcl-report` says 'unknown', but I think I remember reading 
somewhere that it does?

Qubes: R3.2
Kernel: Supports the one in unstable (4.8.12-12), and in fact requires 
it for proper screen resolution support

Remark: What I wrote above, including all relevant links




Hi Tao,

Could you post the report's yml file? Thanks...

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] HCL Dell Latitude 7480 + dock usb-c problems (dell wd15)

2017-10-02 Thread Chris Laprise

On 08/20/2017 11:31 AM, cyrinux wrote:

It is a dock in thunderbolt*



Hi cyrinux,

If you'd like this computer to be listed on the HCL page, could you 
attach a yml file from the qubes-hcl-report script?


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How to recover VMs copied before reinstall?

2017-09-26 Thread Chris Laprise

On 09/25/2017 07:12 PM, Ron Hunter-Duvar wrote:

Hi,

My first Qubes install ended up unbootable, and I didn't have a recent enough 
backup of my VMs. So I booted from a Ubuntu live cd, mounted the partitions, 
and copied everything off to a backup drive and did a clean reinstall.

Now I've copied my appvms back to /var/lib/qubes/appvms/, but they don't show 
up in the VM Manager.

Can anyone tell me how to get these appvms useable again?

Thanks,
Ron



Try using `qvm-add-appvm vmname templatename`.

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Connect to LAN while VPN is running?

2017-09-17 Thread Chris Laprise

On 09/17/2017 11:56 AM, Stumpy wrote:
I have noticed that I can't connect to my home server on my LAN when 
the VPN vm is running, or at least can't connect to the LAN using 
AppVMs that are using the VPN netvm.


Is there a way I can make an exception or something similar to make it 
so that at least a few of my AppVMs can access the lan?




There have been a couple discussions about this in the past. In general, 
the best way to handle this securely is to connect your LAN-using AppVMs 
to a non-VPN proxyVM (sys-firewall for example) instead of the VPN VM.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Reboot a VM that is connected as net/proxy VM

2017-09-14 Thread Chris Laprise

On 08/14/2017 04:40 AM, mittend...@digitrace.de wrote:

Hi there,

from time to time a net or proxy vm crashes - connected App/Proxy-VMs
are obviously no longer able to connect to an (external) network.
In Qubes 3.2, the user has to disconnect connected VMs manually before
the user is allowed to reboot the crashed VM.

Suggestion: Qubes could and I think even should do this (disconnect,
reboot, reconnect) automatically. However, there should be a warning
telling the user which VMs (s)he is about to disconnect.

What do you think?



I think it's a good idea to support this use case, because having to 
manually re-connect many connected appVMs can be daunting. I wonder if 
this is already a feature request?


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Additional VPN destinations via CLI config?

2017-09-14 Thread Chris Laprise

On 09/11/2017 01:37 PM, anguilla1...@gmail.com wrote:

I followed the tutorial here, specifically "Set up a ProxyVM as a VPN gateway using 
iptables and CLI scripts"

https://www.qubes-os.org/doc/vpn/

I like having the iptables anti-leak rules. However, it's connecting 
automatically to my VPN provider's destination that I downloaded their .ovpn for.

Is it possible to compile multiple locations and be able to select which one?

OR perhaps I'm going about this the wrong way? Should I instead use the GUI way 
via NetworkManager? Can I configure that for multiple destination choices then 
perhaps still add the iptables anti-leak rules?

What's the best way?

Thanks!


If all the VPN links are the same provider or have the same trust 
profile, then switching with a menu should be OK. But there is no "best" 
way;  It depends greatly on how you use the VPNs.


With the VPN doc scripts, you could move the contents of rc.local to a 
custom script in /rw/config so it isn't directly executed on startup. 
Then at the start of the script read all the ovpn files from 
/rw/config/vpn into an array and print that as a menu, then read input 
from the user. Next, link the chosen file to openvpn-client.ovpn.


You could start this script automatically from rc.local using 
'systemd-run xterm ' etc.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
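
The menu approach described in the message above, as an added example that is not part of the original post or of the Qubes VPN doc scripts: it lists the .ovpn files in a directory, reads a numeric choice, and links the chosen file to openvpn-client.ovpn. The function name and the demo file names are assumptions; /rw/config/vpn and openvpn-client.ovpn are the names used in the message.

```shell
#!/bin/sh
# Added example: choose one OpenVPN config and point openvpn-client.ovpn at it.
# Assumption: configs live in one directory (/rw/config/vpn in the message).

# choose_vpn_config DIR
# Prints a numbered menu of DIR/*.ovpn on stderr, reads a number from stdin,
# makes DIR/openvpn-client.ovpn a symlink to the chosen file and prints the
# chosen file name on stdout. Returns non-zero on empty DIR or bad input.
choose_vpn_config() {
    dir=$1
    link_name=openvpn-client.ovpn

    # Positional parameters act as the array of candidates (POSIX sh).
    set --
    for f in "$dir"/*.ovpn; do
        [ -f "$f" ] || continue                 # unmatched glob, dangling link
        if [ "${f##*/}" = "$link_name" ]; then  # never offer the link itself
            continue
        fi
        set -- "$@" "${f##*/}"
    done
    if [ "$#" -eq 0 ]; then
        echo "no .ovpn files found in $dir" >&2
        return 1
    fi

    i=0
    for name in "$@"; do
        i=$((i + 1))
        printf '%2d) %s\n' "$i" "$name" >&2
    done
    printf 'Select VPN config [1-%d]: ' "$#" >&2

    IFS= read -r choice || return 1
    # Accept only a short decimal number without a leading zero, so the input
    # is never interpreted as a path, an option or an octal literal.
    case $choice in
        ''|0*|*[!0-9]*|?????*)
            echo "invalid selection" >&2
            return 1 ;;
    esac
    if [ "$choice" -gt "$#" ]; then
        echo "selection out of range" >&2
        return 1
    fi

    shift $((choice - 1))
    chosen=$1
    # Relative link inside DIR; -n replaces an existing link in place.
    ln -sfn -- "$chosen" "$dir/$link_name" || return 1
    printf '%s\n' "$chosen"
}

# Demo on constructed, empty files in a temp directory standing in for
# /rw/config/vpn; the choice "2" is fed on stdin instead of typed.
demo_dir=$(mktemp -d)
: > "$demo_dir/de-frankfurt.ovpn"
: > "$demo_dir/se-malmo.ovpn"
: > "$demo_dir/us-newyork.ovpn"
echo 2 | choose_vpn_config "$demo_dir"
ls -l "$demo_dir/openvpn-client.ovpn"
rm -rf "$demo_dir"
```

In the proxyVM the function would be called with the real directory before openvpn is started, so the anti-leak rules from the doc stay in place whichever config is picked.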



Re: [qubes-users] trying to setup VPN on NetVM, can't connect and no error

2017-09-12 Thread Chris Laprise

On 09/11/2017 12:45 PM, André Borud wrote:

I'm trying to setup a vpn in the NetVM by importing .ovpn settings. The import 
of settings is successful and adds the newly imported VPN to the list of 
possible VPNs to connect to. But when clicking on one to connect I get a little 
message saying it's not possible to connect almost the same instance, like it 
actually didn't try to connect.

These are the settings I'm trying to use:

client
dev tun
proto udp
remote ***-a05.*.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
ca ca.**.com.crt
verify-x509-name ***-a05.*.com name
auth-user-pass
comp-lzo
verb 3
auth SHA256
cipher AES-256-CBC
keysize 256
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA


and then I use a username and password.

Is there a way to see an error message or something at least to fix whatever the 
problem is?

Using QubesOS 3.2 on an Intel NUC i7.



If you're trying to import an ovpn file into Network Manager, it's 
error-prone and I've never gotten it to work. The other problem I see is 
putting the VPN connection in netvm, when it should be in a proxyvm for 
security.


The Qubes VPN doc provides two ways to setup a proxyvm for VPN: An easy 
way using Network Manager, and a script-based method that uses 
pre-existing ovpn files -- the latter has anti-leak protection:


https://www.qubes-os.org/doc/vpn/

I also have a project that uses the anti-leak features and is simpler to 
install:


https://github.com/tasket/Qubes-vpn-support


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: to firejail or not to firejail

2017-08-30 Thread Chris Laprise

On 08/29/2017 03:54 AM, pixel fairy wrote:

On Monday, August 28, 2017 at 10:46:22 PM UTC-7, Eric wrote:

The question as always is, what are you protecting? If it's your user data, 
compartmentalize differently. If it's some kind of root privilege escalation, 
that's a lost cause, as the vm sudo page explains. If it's some kind of malware 
that could get written with root privileges, well, that gets erased by 
rebooting the VM, unless it's persistent in your user data, but if it is, it's 
incredibly unlikely to be runable (at least not without explicit user action).

I raise these questions because the answer to many of the "OMGWTFBBQ passwordless sudo" threads 
that appear every so often, come back down to either "whatever you're proposing wouldn't make a 
difference read the doc again" and "are you sure you read the doc and understood why the decision 
was made the way it was?"


I believe the direction of the recurring discussion has been following a 
somewhat different arc. Joanna and Marek have lately been receptive 
(even supportive) to internal domU security... at least ways to enable 
it. I think the impetus for the shift boils down to these points:


1. VMs shouldn't passively amass malware, even if it's not a threat to 
Xen isolation; it's a nuisance at best that can affect other 
computers/devices. DispVMs help in prevention, but not for many normal 
PC usage scenarios.


2. DomU OS's have unobtrusive security features ready for use with 
little or no burden to us:


With 'vmsudo' auth prompts configured, using basic domU security is very 
easy: Say yes/no to the prompt shown in dom0. This is not about 
passwords in AppVMs.


3. Such domU defenses, while judged to be inferior in general, do 
receive patches and could allow Qubes systems to thwart attacks 
ultimately aimed at the hypervisor. This matters even if Linux, etc. 
remains "swiss cheese" and saves our bacon in only a small percentage of 
scenarios.


4. Qubes' read-only templates provide a basis for anti-threat 
persistence measures like 'Qubes-VM-hardening'[1], but only if domU auth 
is enabled.


5. Xen security was not quite as good as was hoped.


Guest OS's supposedly compete on the basis of security, so its probably 
best to let them do their job in this regard. Especially if all that 
requires from us is to not switch off security or a little bit of PAM 
configuration.



this wasn't specifically because of the passwordless sudo. it's a general access 
control and hardening thing. i see firejail as complementary to qubes-os. ssh 
shouldn't access the x server. firefox shouldn't write outside of its own folder 
and Downloads. neither should shell out and call sudo. when they do, or try to, 
i'd really like to know about it. firejail can log such access, and you can have 
another process follow that log to alert you.

but having firejail do that, and watching that log, are more processes, more 
attack surface.

to add to extremely unlikely, i've only known of one ssh client exploit in the 
wild, and i think it was over 10 years ago.


FWIW, AppArmor does work with Qubes VMs and doesn't revolve around a 
special launcher.



[1] https://github.com/tasket/Qubes-VM-hardening/tree/systemd

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Problem connecting via VPN ProxyVM (VPN works, but AppVM can't connect)

2017-08-22 Thread Chris Laprise
o function with proxyVM + appVMs, you can then add these 
commands in proxyVM to prevent appVMs from having non-VPN access:


iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP

These need to show up at the _top_ of the FORWARD chain, which is why 
'-I' insert is used; You can ensure they'll be at the top by executing 
them last after a connection is made (probably from 
/rw/config/qubes-firewall-user-script).


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
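
A way to verify the ordering requirement from the message above, as an added example that is not part of the original post: the function reads `iptables -S FORWARD` output and fails unless the two unconditional eth0 DROP rules come before every rule that could pass a packet. The function names and both sample chains are constructed for illustration; treating every target other than DROP and REJECT as "could pass" is a deliberately conservative assumption.

```shell
#!/bin/sh
# Added example: check that the anti-leak DROP rules sit at the top of FORWARD.

# check_forward_antileak [IFACE]   (IFACE defaults to eth0)
# stdin: output of `iptables -S FORWARD`.
# Returns 0 only if "-i IFACE -j DROP" and "-o IFACE -j DROP" both appear
# before any FORWARD rule whose target is something other than DROP/REJECT.
check_forward_antileak() {
    iface=${1:-eth0}
    seen_in=0
    seen_out=0
    while IFS= read -r rule; do
        case $rule in
            "-A FORWARD -i $iface -j DROP") seen_in=1 ;;
            "-A FORWARD -o $iface -j DROP") seen_out=1 ;;
            "-A FORWARD "*"-j DROP"|"-A FORWARD "*"-j REJECT"*)
                ;;  # other blocking rules ahead of the drops cannot leak
            "-A FORWARD "*)
                # ACCEPT, or a jump to a chain that might accept.
                if [ "$seen_in" -eq 0 ] || [ "$seen_out" -eq 0 ]; then
                    echo "leak risk, evaluated before the $iface drops: $rule" >&2
                    return 1
                fi ;;
            *)
                ;;  # "-P FORWARD ..." policy line, blank lines
        esac
    done
    if [ "$seen_in" -eq 0 ] || [ "$seen_out" -eq 0 ]; then
        echo "missing unconditional DROP for -i/-o $iface" >&2
        return 1
    fi
    return 0
}

# Constructed sample: drops were inserted with -I after the other rules
# existed, so they are evaluated first.
sample_good() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT
EOF
}

# Constructed sample: the same drops, but ACCEPT rules are evaluated before
# them, so appVM traffic can still leave through eth0.
sample_bad() {
    cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
EOF
}

sample_good | check_forward_antileak && echo "good sample: drops are on top"
sample_bad | check_forward_antileak || echo "bad sample: flagged"
```

On a live proxyVM the input would come from `sudo iptables -S FORWARD`, run after the VPN connection is up and the firewall scripts have finished.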



Re: [qubes-users] Problem connecting via VPN ProxyVM (VPN works, but AppVM can't connect)

2017-08-21 Thread Chris Laprise

On 08/21/2017 05:19 PM, PhR wrote:


Any more ideas?

- PhR



Some more questions:

Is this Qubes 3.2?

What changes does the Cisco client make to the routing table ('route' 
command)?


What changes (if any) to 'FORWARD' chain ('iptables -L')?

Does running '/usr/lib/qubes/qubes-setup-dnat-to-ns' update the PR-QBS 
chain ('iptables -L -t nat')? Does that allow appVM to communicate?


What firewall rules are in the appVM's settings (Qubes Manager)? For 
testing (and probably for use) it should be set to "Allow network access 
except" and also allow DNS and ICMP with a blank list below.


Is the appVM based on a regular Linux template such as fedora-25 or 
debian-8?


Further:

The 'vpnc' package may be a viable alternative to Anyconnect (the open 
source counterpart is 'openconnect'). Also, Network Manager has an 
openconnect plugin; you would need to install the plugin in the template 
then enable NM for the proxyVM.


If you request help from the Cisco community, you can describe the 
proxyVM as being like an external router, but my limited searching 
suggests Cisco doesn't support this type of configuration.


Another option: Simply run the Anyconnect client in the appVM (no 
proxyVM for the VPN client). This may be the simplest route.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Problem connecting via VPN ProxyVM (VPN works, but AppVM can't connect)

2017-08-21 Thread Chris Laprise

On 08/20/2017 05:38 PM, 'PhR' via qubes-users wrote:

Hello,

I have successfully setup a fedora 25 based ProxyVM, which has Cisco's 
Anyconnect Secure Mobility Client installed.


I can successfully connect via VPN and can also ping/reach servers via 
VPN.


Unfortunately the App-VM which uses the VPN Proxy VM can't connect.

The Setup:

sys-net <-- sys-firewall <-- my-vpn (Proxy VM) <-- my-work (App VM)

As I can connect from the Proxy my-vpn VM, it seems the problem is 
between the connection of my App-VM to the new Proxy VPN VM.


How can I troubleshoot and investigate the issues?

- PhR



You could ping a known IP address from the appVM. If it works the 
problem is likely limited to DNS.


In the proxyVM, check the contents of /etc/resolv.conf after your Cisco 
client connects. If it's updated (not a 10.137.x.x number) you can run 
/usr/lib/qubes/qubes-setup-dnat-to-ns to enable DNS forwarding over the VPN.


Another setting to check is /proc/sys/net/ipv4/ip_forward which should 
contain a value of '1'. Also, the iptables 'POSTROUTING' chain should 
have a masquerade target:


$ cat /proc/sys/net/ipv4/ip_forward
$ sudo iptables -L -t nat

--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Use of qubes question

2017-08-02 Thread Chris Laprise

On 08/02/2017 01:51 PM, Patrick Bouldin wrote:

Hi, I'm trying to use app vms to test an app called splunk..

Anyway, am I thinking about this correctly? This is what I did:

* I created a special template vm called - splunk-template

* I then downloaded the rpm package to that template's tmp folder

* I verified it was there.

* I then restarted the template.

* Then I created an appVM pointed to the splunk-template

I then looked in the /tmp folder and it wasn't there by name, here was the 
contents of that folder:

firefox_user  qubes-session-env  qubes-session-waiter  ssh-fnBwiL4QxbUY  
systemd-private-1789b20d2d894850aa8d42bf8e0075f7-rtkit-daemon.service-d4xIHy


I thought I would be able to install it from the appVM at that point, is this 
some kind of security thing?

Am I even thinking about the process correctly? Because I want to be able to 
install it in different appVMs as part of my learning process.

Thanks.
Patrick



The /tmp folder would not hold onto files after a shutdown. You could 
put the rpm in a folder like /opt, or you could install it into the 
template with 'rpm -i'.


Or it may be simpler not to use a special template at all and put the 
rpm in the /rw folder of the appVM.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Not able to connect with 2 firewall-proxy/vpns at same time

2017-07-31 Thread Chris Laprise

On 07/31/2017 07:54 PM, 'Essax' via qubes-users wrote:

AUTH: Received control message: 
AUTH_FAILED



This sounds like an issue with the provider. If they ask for more detail 
you can set '--verb 5' for more verbosity from openvpn.


--

Chris Laprise, tas...@openmailbox.org
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Qubes OS Systemfiles are read only to root, need help

2017-07-25 Thread Chris Laprise

On 07/25/2017 03:15 PM, darkstrange...@gmail.com wrote:

how i can change it to change and edit system files?



If your shell is running in dom0 and root can't alter system files, then 
has your / filesystem been mounted as read-only? This can happen if a 
problem was encountered during boot.


Running 'mount' command by itself will tell you if / was mounted as 
read-only. If so, you can try re-mounting it with the '-o remount,rw' 
options.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
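
The read-only check suggested in the reply above can be scripted; this is an added example, not part of the original message. `mount_state`, `sample_rw` and `sample_ro` are hypothetical names, and the sample lines are constructed in /proc/mounts format. It compares whole option fields, because a plain search for "ro" also matches the ext4 option `errors=remount-ro` on a filesystem that is still read-write.

```shell
#!/bin/sh
# Added example: decide whether a mount point is read-only from
# /proc/mounts-style input (fields: device mountpoint fstype options dump pass).

# mount_state MOUNTPOINT  (reads the mount table on stdin)
# Prints "ro", "rw", or "unknown" if the mount point is not listed.
mount_state() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; seen = 1 }   # last matching entry is the visible mount
        END {
            if (!seen) { print "unknown"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "ro") { print "ro"; exit }   # exact field, not substring
            print "rw"
        }'
}

# Constructed sample: healthy root filesystem. Note "errors=remount-ro",
# which contains the letters "ro" but does not mean read-only.
sample_rw() {
cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/example-root / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Constructed sample: the same root filesystem after it was mounted read-only.
sample_ro() {
cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/example-root / ext4 ro,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

printf 'sample_rw: / is %s\n' "$(sample_rw | mount_state /)"
printf 'sample_ro: / is %s\n' "$(sample_ro | mount_state /)"

# On a live system: mount_state / < /proc/mounts
# If that prints "ro", the remount from the reply is: mount -o remount,rw /
```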



Re: [qubes-users] qvm-run problem with strings containing & ?

2017-07-25 Thread Chris Laprise

On 07/25/2017 12:49 PM, mittend...@digitrace.de wrote:

Hello Qubes users.

I use qvm-run to start a firefox in a disp-vm.

The command is
/usr/bin/qvm-run --dispvm firefox "$url"
or
/usr/bin/qvm-run --dispvm "firefox "$url""

This works fine, as long as there is no & in the url. If there is an &,
this letter and all following symbols are removed.

If I use

firefox "$url"

the correct url is opened up in the current VM as expected

Is this a bug in qvm-run or is there an error in the command?

Thanks.



Then again, maybe not quite a bug. The quotes you supply are used up by 
the dom0 shell. This is expected.


Running the command with --pass-io, you can see that everything to the 
right of & is run as a separate command on the target VM, except when 
it's escaped as \&.


  qvm-run --pass-io untrusted "notify-send HI&WHAT"
...results in "WHAT not found" in red lettering (from untrusted VM). But 
using \& works as a single command.


You can also supply an additional set of quotes like this:

  qvm-run --pass-io untrusted "notify-send \"HI&WHAT\""

This quoting method seems most usable because you don't have to be 
vigilant about escaping different characters... just escaping the extra 
quotes should do it.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
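
The double parsing described in the reply above can be reproduced without Qubes; this is an added example, not part of the original thread. `sh -c` stands in for the shell that runs the string in the target VM (an assumption for illustration), the URL is constructed, and `shquote`, `remote_naive` and `remote_quoted` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: a command string is parsed twice, once by the local shell
# and once by a second shell (here sh -c, standing in for the target VM).

# Constructed sample URL containing '&'.
URL="https://example.com/search?q=qubes&lang=en"

# shquote VALUE: wrap VALUE in single quotes so a second shell reads it as
# one word; embedded single quotes become '\'' . Trailing newlines in VALUE
# are dropped by the command substitution.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_naive CMD VALUE: the local shell has already consumed the quotes
# around VALUE, so the second shell sees a bare '&' and treats everything
# after it as a separate command.
remote_naive() {
    sh -c "$1 $2"
}

# remote_quoted CMD VALUE: VALUE is re-quoted for the second shell, so no
# character in it is interpreted there.
remote_quoted() {
    sh -c "$1 $(shquote "$2")"
}

printf 'naive : %s\n' "$(remote_naive 'printf %s' "$URL")"
printf 'quoted: %s\n' "$(remote_quoted 'printf %s' "$URL")"
```

Under the assumption that qvm-run hands the string to a shell in the target VM, as the reply describes, the same re-quoting applies to the `firefox "$url"` command from the question, and it covers every shell metacharacter rather than only `&`.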



Re: [qubes-users] qvm-run problem with strings containing & ?

2017-07-25 Thread Chris Laprise

On 07/25/2017 12:49 PM, mittend...@digitrace.de wrote:

Hello Qubes users.

I use qvm-run to start a firefox in a disp-vm.

The command is
/usr/bin/qvm-run --dispvm firefox "$url"
or
/usr/bin/qvm-run --dispvm "firefox "$url""

This works fine, as long as there is no & in the url. If there is an &,
this letter and all following symbols are removed.

If I use

firefox "$url"

the correct url is opened up in the current VM as expected

Is this a bug in qvm-run or is there an error in the command?

Thanks.



Might be a bug. As a workaround, have you tried escaping the character 
with a backslash like this: \&


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Setup sys-vpn?

2017-07-21 Thread Chris Laprise

On 07/21/2017 07:00 AM, pixel fairy wrote:

On Friday, July 21, 2017 at 3:35:23 AM UTC-7, jaki...@gmail.com wrote:

any instructions on setting up a netvm on openvpn?

Rather than installing the vpn on the OS itself.

I have a work VM. I have one site I use for work and it blocks the packets from 
tor/whonix. What I would prefer to do is set that before and access the site 
via vpn there for the browser access thru that VM only.


https://www.qubes-os.org/doc/vpn/



You're also welcome to try a project that greatly simplifies the setup 
process and makes the VPN more manageable:


https://github.com/tasket/Qubes-vpn-support/

I just released it as 'beta' but operation is smooth so far.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

2017-07-18 Thread Chris Laprise
On 07/18/2017 06:02 PM, Gaiko wrote:
> On Tuesday, July 18, 2017 at 11:27:00 AM UTC-4, Chris Laprise wrote:
>> On 07/17/2017 07:37 PM, Gaiko wrote:
>>> On Sunday, July 16, 2017 at 9:41:53 PM UTC-4, Chris Laprise wrote:
>>>> On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:
>>>>
>>>>> Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
>>>>> vpnprovidermod'dname.com <http://dname.com/>: No address associated with
>>>>> hostname
>>
>> Did you put any restrictions on your sys-firewall? Attaching the VPN 
>> directly to sys-net is usually sufficient.
>>
>> Also, you could try removing internal firewall output restriction with:
>> sudo iptables -P OUTPUT ACCEPT
>>
>> then run openvpn again.
>>
>> -- 
>>
>> Chris Laprise, tas...@openmailbox.org
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> So it is safe to connect my vpn directly to sys-net? (I didn't realize that).

It's generally as safe as the VPN service provider you're using -- they
should use certificate validation config like 'remote-cert-tls' as most do.


> 
> Well, that (hopefully) narrows things down a bit more... kinda. The VpnVM 
> works if I just connect it directly to the sys-netvm, though before, places 
> other than my new home setup I was usually able to connect to the net with 
> the appvm->vpn->firewallvm->sys-netvm setup no problem, it's a mystery why it 
> would work most other places but not with this ISP (or modem perhaps).
> 


-- 

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] Enigmail not working with Split GPG

2017-07-18 Thread Chris Laprise
I already have Split GPG working with git, but after following the Split
GPG doc for Thunderbird I'm getting errors (from the Enigmail
Preferences dialog):

> GnuPG cannot be executed with the path provided. Enigmail is therefore
> deactivated...

and

> Cannot connect to gpg-agent. Maybe your system uses a specialized tool
> for passphrase handling (e.g. gnome-keyring, seahorse-agent, KDE wallet
> manager, ...). Unfortunately Enigmail cannot control the passphrase
> timeout for the tool you are using. Therefore the respective timeout
> settings in Enigmail are disregarded.


I'm using Debian 9 appVMs. Issue #2170 doesn't appear to be the same as
this problem.

-- 

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

2017-07-18 Thread Chris Laprise

On 07/17/2017 07:37 PM, Gaiko wrote:

On Sunday, July 16, 2017 at 9:41:53 PM UTC-4, Chris Laprise wrote:

On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:


Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
vpnprovidermod'dname.com <http://dname.com/>: No address associated with
hostname


Did you put any restrictions on your sys-firewall? Attaching the VPN 
directly to sys-net is usually sufficient.


Also, you could try removing internal firewall output restriction with:
sudo iptables -P OUTPUT ACCEPT

then run openvpn again.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

2017-07-16 Thread Chris Laprise

On 07/16/2017 09:23 PM, Gaiko Kyofusho wrote:


Sun Jul 16 21:16:22 2017 us=614593 RESOLVE: Cannot resolve host address:
vpnprovidermod'dname.com <http://dname.com/>: No address associated with
hostname


Hmmm, looks like a malformed address to me.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

2017-07-16 Thread Chris Laprise

On 07/16/2017 07:56 PM, Gaiko Kyofusho wrote:

Thanks for the response.

I didn't look at the openvpn log, sorry but where would that be (in my
VpnVM I know but where there I am less sure).

I def do not get the usual VPN connected popup

I am not able to ping any ip addresses from a appvm using the vpnvm


If your setup is from the VPN doc (iptables/CLI), the best way to look 
at log output is to run openvpn manually:


sudo pkill openvpn
sudo openvpn --cd /rw/config/vpn/ --config openvpn-client.ovpn --verb 4

If you used a different method for setup, your best bet is 'journalctl'.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Can't access the net via my VpnVM now? (could before)

2017-07-16 Thread Chris Laprise

On 07/16/2017 02:53 PM, Gaiko Kyofusho wrote:

I can't figure this one out. two things are indeed different, I am on a
new ISP using a new modem and when I try to use my VpnVM I can't access
the Internet (or local LAN for that matter) _however_ I am able to
access the Internet on the same computer if I connect only using the
firewallVM. Strangely enough, I am able to connect to the net using the
same VPN provider installed on an iphone with the VPN provider software,
and on an android using OpenVPN... I am stumped because on other
networks I am able to connect to the Internet through my VpnVM no problem?!

I had originally contacted my ISP but of course they said it was the VPN
provider's fault, I was then going to try to contact the modem/router
manufacturer but while waiting (forever) I figured out vpn access was
working on my phones.

Any help/thoughts would _*really*_ be appreciated.



Have you looked at the openvpn log messages?

Do you see a popup saying the link is up?

Can you ping IP addresses from an appVM?

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki

2017-07-12 Thread Chris Laprise

On 07/12/2017 06:46 AM, Connor Page wrote:


after testing the 3 existing solutions I think the official command line
solution is the most strict and protected.
I just don't get it why "sleep 2" is outside if statement in
qubes-user-firewall-script. why block all vpn traffic for 2 seconds
every time vms connect to or disconnect from the VPN vm?



The iptables command using --gid-owner won't recognize a system group 
immediately after the group is created, so a delay is necessary 
(otherwise the rule will be refused). Delay is outside the 'if' because 
rc.local and qubes-firewall run asynchronously to each other so it 
seemed appropriate to have it wait for either case. Of course, if this 
workaround fails in any way then traffic becomes blocked - so it's safe.


You could get rid of the delay by adding the qvpn group to your template.

The gid-owner rule is there to satisfy an added requirement to block 
unintended non-VPN traffic coming from the proxyVM itself; it is not the 
main anti-leak feature (for downstream VMs).


BTW, I'm working on an update of the Qubes-VPN-support project (similar 
scripting to the doc) that runs as a systemd service. New version will 
have a simplified installer, which I will be posting in the next day or so:


https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Attaching non-PCI block devices to VM

2017-07-11 Thread Chris Laprise

On 07/11/2017 04:25 AM, Noor Christensen wrote:

Hi,

I am curious if it is possible to attach "arbitrary" block devices to a
VM, similar to how additional disks drives can be specified for HVMs.

For example, let's say I have a backup disk image on dom0 that I would
like to read from another VM without having to copy the entire file. Is
this possible?

-- noor

|_|O|_|
|_|_|O|  Noor Christensen
|O|O|O|  n...@fripost.org ~ 0x401DA1E0



Yes, have a look at 'qvm-block -a' and 'qvm-block -A' in dom0.

Also remember you don't have to use dom0 or sys-usb as a source; you can 
specify any VM that contains the volume.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Why does VPN needs its own firewall VM?

2017-07-10 Thread Chris Laprise

On 07/10/2017 03:15 PM, yreb-qusw wrote:

On 07/09/2017 11:56 PM, Chris Laprise wrote:

On 07/09/2017 11:48 PM, yreb-qusw wrote:

at the end of the VPN CLI setup it says :

==
If you want to be able to use the Qubes firewall, create a new
FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
Then, configure AppVMs to use your new FirewallVM as their NetVM.
==

is there some reason why I should or should not just use the existing
firewall, or should each of the VPN VMs each have its own firewall VM
for some reason?



Qubes firewall creates DNS accept rules that target only the upstream
netVM. This has no side-effect until you start whitelisting in the
presence of a tunnel; then DNS queries become blocked by the "Deny
except" rule even if "Allow DNS" is selected.

One workaround is to use a firewall VM between the VPN VM and downstream
VMs, as suggested in doc. You need one for each VPN VM where you intend
to whitelist.

The existing sys-firewall normally interfaces to sys-net; In that
configuration it can't filter any traffic that gets routed through the
tunnel. But you can re-assign it to use a VPN VM instead of sys-net; The
only downside is if you have any VMs that need direct non-VPN access to
the net, in which case it's still good to keep sys-firewall connected to
sys-net and use other proxyVMs as VPN firewalls.

-

A different workaround is to use 'sed' to update iptables with the
correct DNS entries, as in this script which can replace
"qubes-vpn-handler.sh":

https://github.com/tasket/Qubes-vpn-support/blob/new-1/rw/config/vpn/qubes-vpn-ns



...then add this to the end of "qubes-firewall-user-script":

/rw/config/vpn/qubes-vpn-ns fwupdate


Thanks, and if I DONT intend to white list anything, then is there any
reason to use the separate fw-VPNs  for each  VPN VM?


No reason to use separate fw-VPNs in that case.



As, I think this white listing fw  stuff has always been 'over my head'
.

And I use suspend function daily, and it's a bit hassle to get the VPNs
up and running again, even with the launcher workaround,  very often I
must use the launcher rc.local  multiple times , and ping to see if it
works, and quite often  they don't restart  properly


This has become a problem with newer openvpn versions: It appears to 
give up due to an internal error instead of reconnecting.


My VPN support project solves this by setting up a systemd service for 
the VPN; this forces openvpn to restart after it exits. It also makes it 
more manageable via systemctl start/stop/restart/status etc...


https://github.com/tasket/Qubes-vpn-support

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Qubes silently ditches Librem

2017-07-10 Thread Chris Laprise

On 07/10/2017 10:56 AM, Unman wrote:

This simply isn't true - it's clear from the Purism statement that Librem
13v2 has not been entered for certification.

Since Qubes 4 is still at an early stage of development (not even RC1),
there is little prospect of ANY machine being certified for it at this
stage.
The fact that there are issues with Coreboot now is irrelevant - there
are issues with all sorts of things in 4 as it stands. But it was stated
that Qubes certified hardware should run on open source boot firmware,
and I don't think that has changed.

I don't think that Librem users have been "left in the lurch". It was
made clear that the Librem13 was not likely to be certified for Qubes 4.
This doesn't mean that the machine won't work with 4 - if you look at the
requirements page for 4, minimal are VT-x,VT-d SLAT.
A quick look at the HCL and the purism site confirms that the 13 has
CoreI5 6200U, and that CPU does have VT-x, VT-d and SLAT.
So in what sense does OP have grounds for feeling  "left in the lurch"?

unman



And I think it's worth re-stating that Qubes wants a formal certification 
process (which Purism chose not to continue).


Qubes should be lauded for creating this process and standing by it; It 
guards against the erroneous perceptions people have about "PC hardware" 
being a uniform blank canvas for creating an OS.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] VPN gateway using iptables and CLI scripts fails

2017-07-10 Thread Chris Laprise

On 07/10/2017 09:28 AM, Gaijin wrote:

On 2017-07-10 02:40, Chris Laprise wrote:

On 07/09/2017 05:35 PM, Gaijin wrote:

I've been trying to setup my VPN using the instructions here: Set up a
ProxyVM as a VPN gateway using iptables and CLI scripts
https://www.qubes-os.org/doc/vpn/

I can get the VPN to work in the terminal using an openvpn config. After
adding the DNS-handling script and firewall script the VPN fails to
connect. I get several errors:

write UDPv4: Operation not permitted (code=1)

Then the socket is closed and the script tries to connect again. It will
keep trying until I kill it.

I've tried to recreate several ProxyVMs, copying and pasting the
settings from the Qubes Docs. The result has been the same. I'm
wondering if anyone else has run into this or how I might work around
it.


In the firewall script you can try changing the output policy from:
iptables -P OUTPUT DROP

to:
iptables -P OUTPUT ACCEPT

This will relax the rules a bit without negatively affecting the leak
protection for connected appVMs.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


That got things moving. Thanks. It worked on the first try but I tried
rebooting a few times to try to get the LINK IS UP part of the routine
to work. I couldn't get that working and then the connection stopped
working altogether. I reverted to the original DROP, and the VPN still
worked.

I just can't get the LINK IS UP/DOWN part to show. Running OpenVPN from
the CLI I can see that the 'up' seems to be being passed. The script is
executable, but it doesn't seem to be showing when it's run.



The notifications use 'notify-send' so that needs to be working 
correctly in your chosen template.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Why does VPN needs its own firewall VM?

2017-07-10 Thread Chris Laprise

On 07/09/2017 11:48 PM, yreb-qusw wrote:

at the end of the VPN CLI setup it says :

==
If you want to be able to use the Qubes firewall, create a new
FirewallVM (as a ProxyVM) and set it to use the VPN VM as its NetVM.
Then, configure AppVMs to use your new FirewallVM as their NetVM.
==

is there some reason why I should or should not just use the existing
firewall, or should each of the VPN VMs each have its own firewall VM
for some reason?



Qubes firewall creates DNS accept rules that target only the upstream 
netVM. This has no side-effect until you start whitelisting in the 
presence of a tunnel; then DNS queries become blocked by the "Deny 
except" rule even if "Allow DNS" is selected.


One workaround is to use a firewall VM between the VPN VM and downstream 
VMs, as suggested in doc. You need one for each VPN VM where you intend 
to whitelist.


The existing sys-firewall normally interfaces to sys-net; In that 
configuration it can't filter any traffic that gets routed through the 
tunnel. But you can re-assign it to use a VPN VM instead of sys-net; The 
only downside is if you have any VMs that need direct non-VPN access to 
the net, in which case it's still good to keep sys-firewall connected to 
sys-net and use other proxyVMs as VPN firewalls.


-

A different workaround is to use 'sed' to update iptables with the 
correct DNS entries, as in this script which can replace 
"qubes-vpn-handler.sh":


https://github.com/tasket/Qubes-vpn-support/blob/new-1/rw/config/vpn/qubes-vpn-ns

...then add this to the end of "qubes-firewall-user-script":

/rw/config/vpn/qubes-vpn-ns fwupdate

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Lenovo Thinkpad 335-72G - freeze during installation at networking setup

2017-07-09 Thread Chris Laprise

On 07/09/2017 02:09 PM, amdamdes amdamdes wrote:

I just noticed, Fedora24 was there already and not missing.

I created a netVM (is that already the sys-net or something on top?) and tried 
to setup an Mobile Broadband Networking Connection using the connection manager 
UI. At the very end the save button is greyed out and I can only click cancel.



I suggest checking the Devices tab of your netVM to make sure your 
network interfaces are available to that VM.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] VPN gateway using iptables and CLI scripts fails

2017-07-09 Thread Chris Laprise

On 07/09/2017 05:35 PM, Gaijin wrote:

I've been trying to setup my VPN using the instructions here: Set up a
ProxyVM as a VPN gateway using iptables and CLI scripts
https://www.qubes-os.org/doc/vpn/

I can get the VPN to work in the terminal using an openvpn config. After
adding the DNS-handling script and firewall script the VPN fails to
connect. I get several errors:

write UDPv4: Operation not permitted (code=1)

Then the socket is closed and the script tries to connect again. It will
keep trying until I kill it.

I've tried to recreate several ProxyVMs, copying and pasting the
settings from the Qubes Docs. The result has been the same. I'm
wondering if anyone else has run into this or how I might work around
it.


In the firewall script you can try changing the output policy from:
iptables -P OUTPUT DROP

to:
iptables -P OUTPUT ACCEPT

This will relax the rules a bit without negatively affecting the leak 
protection for connected appVMs.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0252ddfe-509e-5cb6-c1cb-40abb289621a%40openmailbox.org.


Re: [qubes-users] Lenovo Thinkpad 335-72G - freeze during installation at networking setup

2017-07-09 Thread Chris Laprise

On 07/09/2017 05:43 AM, amdamdes wrote:

Dear all,

my laptop freezes during install as soon as it tries to setup
networking. I can avoid this by selecting "Do not configure anything (for
advanced users)"

It leaves me with the following VMs then:

 I have
 -dom0
 -debian-8 Template
 -whonix-gw Template
 -whonix-ws Template

 Do NOT have
 -NetVM
 -FirewallVM
 -Fedora 23 Template
 -Work
 -Personal
 -Untrusted
 -Vault

Since I will use an external network card anyway, I would not need to
get the built-in one running.

Anyway, is there a way to install without the freeze or -more
important for me-, is there an easy way to add the missing VMs?

Thanks a lot!


The first priority should be to setup a working netVM. Then you can 
install Fedora 24 and anything else you feel is missing.


If you create a 'sys-net' using Debian 8 as the template, are you able 
to add the networking interfaces that you need? For example, if you have 
an external USB Wifi dongle, can you add the USB controller(s) to 
sys-net and then use the dongle?


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/feba4069-5a5a-a3b0-650d-a4ca3716e56d%40openmailbox.org.


Re: [qubes-users] almost HCL?

2017-07-09 Thread Chris Laprise

On 07/09/2017 08:41 AM, pixel fairy wrote:

finally got lemur7 working in qubes, but had to install it from a desktop, then 
put the drive in. also, suspend crashes it. should this go on the HCL? maybe as 
a warning to anyone thinking of buying this for qubes?

it's nice hardware for ubuntu, but not so much for qubes.

i suspect a newer dom0, fedora 25 maybe, would be able to suspend as that works 
on bare metal. so, my plan was to wait for qubes-4 first.



It's up to you if you want to run the script and submit a yml file. 
Negative reports can be valuable, too.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1e39a0de-23da-7adb-03df-d631f169c275%40openmailbox.org.


Re: [qubes-users] here is how to randomize mac address

2017-07-08 Thread Chris Laprise

On 07/08/2017 05:07 PM, Ausaf Rashid wrote:

I made a new net VM (named my new net VM) based on Debian 9, followed the
website and changed the configuration settings by putting that mac.conf
file in the location (did this by opening Gedit from my net VM: "new net
VM" as root, writing the given codes and saving it at the given
location; this was the right method, right? That is, to save that config
file from the "new net VM" VM)?

Then I changed the net VM of sys-firewall (that was the only one using
sys-net VM, the default NetVM) to "my new net VM". Again, is it the right
thing to do?

But now the problem is that I can't see any interface to connect to WiFi
(wireless network) although I am able to connect to Ethernet.

Note that I am able to use the old NetVM and the WiFi interface and WiFi
works properly. Also that when I checked it I found out that my "new net
VM" doesn't have Linux firmware installed.
If this helps.
Thank you a lot.


(Posting back to qubes-users.)

It sounds like you almost got it: The conf file is saved in the 
template, not the netVM. After you do that, shutdown both the template 
and the netVM, then re-start the netVM.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f8b967d0-981b-2f6f-c16f-8a3fda001601%40openmailbox.org.


Re: [qubes-users] BIOS check before Qubes installation

2017-07-08 Thread Chris Laprise

On 07/08/2017 12:16 PM, Max wrote:

Hello,
How to check if BIOS require digital signatures on BIOS firmware updates?



IIRC, a firmware setup menu that has an 'anti-rollback' protection 
setting (to prevent earlier firmware versions from being accepted) 
should have signature verification.


As of 2012 the UEFI spec did not require this feature. I believe this 
has changed since then -- you can look for such a requirement at 
http://www.uefi.org/specifications .


You will probably get a more definitive answer for this type of question 
if you ask the Coreboot and Libreboot communities, as they regularly 
deal with such protection measures.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/031665fa-4269-5dba-e7b1-ac23265d758b%40openmailbox.org.


Re: [qubes-users] ntp in debain-VMs

2017-07-06 Thread Chris Laprise

On 07/04/2017 07:45 AM, haaber wrote:

Dear qubes-community,  my debian-based VM's all have almost random
date/time settings. I tried to tackle this by setting up ntp correctly
in the template VM, but this does simply have no effect to the derived
appVMs. Could someone help me with that?  Thank you, Bernhard



I'm getting consistent time in my Debian 9 VMs. Do you have your 
'ClockVM' setting populated in your Qubes Manager Global Settings? It's 
normally set to sys-net.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b6c89f1f-8f01-ef8d-0eb9-ffe9b76b85c5%40openmailbox.org.


Re: [qubes-users] HCL -- Lenovo Yoga 3 Pro?

2017-07-06 Thread Chris Laprise

On 06/25/2017 03:27 AM, mitch.g...@gmail.com wrote:

Hi,

I'm a little stuck doing an HCL report and submitting a how-to wiki. Could you 
please help me collect some mailing-list experiences and debug info?

I'm stuck in a loop on 3 issues -- any tips to make things simpler?

1. I get the "nmi watchdog soft lockup" error every three boots or so -- I 
think this issue screws up other things like attaching a USB device, as well.

I've tried the Xen configs in the UEFI Troubleshooting wiki, but I can't tell 
any change in behavior.

Sometimes Plymouth hangs the boot, sometimes unlocking the drive hangs it ...

Could you please help me collect debug info at this level? With a little 
refresher, I could capture boot logs onto a USB.

2. Wifi is not working for me. What info would be useful here? I'm not sure 
what commands to run.

3. I've had trouble finding a USB ethernet dongle that works out of the box. My 
StarTech dongle needs the asix.ko driver ... Fedora ships this, but loading 
modules into Qubes seems like a pain.

My 3 leads seem really hard, like I'm doing something wrong. Am I even close?

Would appreciate your help a lot,
Mitch



Hi Mitch,

If you are not yet to the point of submitting an HCL report (from the 
qubes-hcl-report script), it would be best to repost your issues to 
qubes-users separately without the 'HCL' subject. This will get more 
attention from the other users.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e42a4d70-6027-4a13-c170-920a5fc9c4ff%40openmailbox.org.


Re: [qubes-users] HCL - HP Pavilion

2017-07-06 Thread Chris Laprise

On 05/22/2017 01:54 PM, Michael wrote:

I bought a new laptop and just took the SSD drive out of the old laptop
and put it into the new laptop.  I turned the laptop on and booted up
like nothing had changed...  Worked seamlessly



Hi Michael,

Thanks for the report. Could you provide a model number for this laptop?

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/279095d0-a60f-f5e4-3288-cbde4a8f2ef5%40openmailbox.org.


Re: [qubes-users] here is how to randomize mac address

2017-07-04 Thread Chris Laprise

On 07/04/2017 11:20 AM, Ausaf Rashid wrote:

So this is what I need to do:
Upgrade to Debian 9 (I had Debian 8 installed, it was just that it wasn't
being used by any of the VMs)

And then upgrade Fedora 23 to fedora-24.

I need maximum security/Anonymity so I'll be using Debian 9 as you
suggested.

Then I need to change the templates of all the VMs using Fedora to
Debian 9, right (I am not sure whether I need to do this step)?

Here's the pic of my VM manager which shows which of my VMs use
Fedora (upgrade to Fedora 24 is not done yet and Debian 9 upgrade is
going on)

https://drive.google.com/file/d/0B6WGzRCGUJYCeFU0SFliSTVzbzQ/view?usp=drivesdk

Also, just check that the NetVMs of all my VMs are correct (assuming that
I need to use tor under the protection of Whonix in Anon-whonix app-vm).
I messed with the NetVMs so it'll be great if you just checked and
confirmed that it's right.

Also do I need to do steps under "Compacting the Upgraded Template" in
upgrading Debian 9 website?

So after Debian 9 upgrade and changing the Template VM of the VMs, I can
follow the rest of the steps on the website, right?



Yeah, it's pretty straightforward in that you upgrade to Debian 9 (best 
to do this in a clone of Debian 8 but not absolutely required). Then 
create a netVM (you can call it sys-net2 or similar) and add your 
network devices to the Devices tab in the VM settings. If you switch the 
old sys-net over to Debian 9 and use that, the settings from the older 
Network Manager could cause problems.


You don't have to move the other VMs over to Debian, and you will find 
that the Debian template comes with fewer apps pre-installed. This can 
cause frustration if you expect all the usual apps to be there; menu 
items will disappear. One way to address this is to use 'sudo tasksel' 
after the upgrade completes; selecting a Gnome desktop will bring in 
most of the usual apps.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa629b67-40ab-4a86-475a-2a8cf0bfc899%40openmailbox.org.


Re: [qubes-users] here is how to randomize mac address

2017-07-03 Thread Chris Laprise

On 07/04/2017 01:34 AM, Ausaf Rashid wrote:

I have a doubt. My template VM of my NetVM is fedora-23 (by default).
So.. should I need to upgrade to Debian 9 or do I need to upgrade to
Fedora 24?
That may seem a noob question, but in the Qubes Website they have shown
to upgrade to Debian 9, not fedora 24, so will upgrade of Debian 9 work
in my case? Or should I upgrade my fedora?

Thanks a lot. 


(Posting back to public list...)

It's best to install a Fedora 24 or Debian 8 template, then upgrade it. 
Fedora 23 template is obsolete and shouldn't be used.


You can install new template in dom0:
sudo qubes-dom0-update qubes-template-debian-8

Then upgrade:
https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/

I personally prefer Debian because it has more software and its update 
process is more secure than Fedora.


Hope that helps!

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9a25270d-d343-25dc-548b-5c66c3214db5%40openmailbox.org.


Re: [qubes-users] here is how to randomize mac address

2017-07-03 Thread Chris Laprise

On 07/03/2017 01:51 PM, Chris Laprise wrote:

On 07/03/2017 11:11 AM, ausafrashid...@gmail.com wrote:

I did this exactly and it worked. The Mac address was changed. But can
you confirm it is the right way/most Anonymous way of anonymizing mac
address, because there are some different and very complicated
instructions (which I can't understand) on Qubes Official website:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/

How different is this method from the one given in the official
website? Is it less Anonymous/secure than the official method?
Thanks a lot!



There are problems with older versions of Network Manager improperly
reacting to randomization settings (whether its own or coming from
systemd), causing the original address to be exposed under some
conditions. There is more than one issue with these pre-1.4.2 versions.

So it's best to use a recent version of Network Manager that supports
randomization properly, then it can be configured directly in a more
fine-grained way than systemd parameters allow... a user can decide if
they want scan-only randomization or guide the randomization with a MAC
bitmask, for example.

The Qubes doc basically amounts to:

1) upgrade template (Debian 9 or Fedora 25 will do)
2) check Network Manager version
3) create a settings file in /etc/NetworkManager/conf.d folder.

The "Configuring Qubes with macchanger" section is a separate method
that often fails; it should be disregarded.


It should be noted that Wifi NICs can be identified by more than just 
MAC address. Software developers are just beginning to grapple with this 
issue so don't rely on this for thorough anonymization.



--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d35e1b3-d062-6196-8bda-951924088601%40openmailbox.org.
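The three steps summarised in the message above (upgrade the template, check the Network Manager version, create a settings file in /etc/NetworkManager/conf.d) can be scripted. This is an added example, not code from the thread or from the Qubes documentation: the helper names, the `mode` values and the sample version strings are assumptions made here, while the `wifi.scan-rand-mac-address`, `cloned-mac-address` and `generate-mac-address-mask` keys are Network Manager settings.

```python
import re

MIN_NM = (1, 4, 2)  # the thread reports original-address exposure with pre-1.4.2 versions
MASK_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_nm_version(text):
    """Pull (major, minor, patch) out of output such as 'nmcli tool, version 1.6.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def render_mac_conf(nm_version_text, mode="full", mask=None):
    """Return the text of a conf.d file; it is saved in the template, not the netVM.

    mode="scan-only" randomises the address only while scanning for networks;
    mode="full" also randomises the address used for Wifi and Ethernet connections.
    mask (hypothetical parameter) is a MAC bitmask such as FE:FF:FF:00:00:00
    that keeps the masked bits fixed and randomises the rest.
    """
    version = parse_nm_version(nm_version_text)
    if version < MIN_NM:
        raise RuntimeError(
            "Network Manager %d.%d.%d is older than 1.4.2; upgrade the template first"
            % version
        )
    if mode not in ("scan-only", "full"):
        raise ValueError("mode must be 'scan-only' or 'full'")
    if mask is not None and (mode != "full" or not MASK_RE.match(mask)):
        raise ValueError("mask needs mode='full' and the form FE:FF:FF:00:00:00")

    lines = ["[device]", "wifi.scan-rand-mac-address=yes"]
    if mode == "full":
        lines += [
            "",
            "[connection]",
            "wifi.cloned-mac-address=random",
            "ethernet.cloned-mac-address=random",
        ]
        if mask is not None:
            lines += [
                "wifi.generate-mac-address-mask=" + mask,
                "ethernet.generate-mac-address-mask=" + mask,
            ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed version string; on a real template use the output of `nmcli --version`.
    print(render_mac_conf("nmcli tool, version 1.6.2", mode="full"), end="")
```

After writing the output to the template, shut down the template and the netVM and restart the netVM, as described earlier in the thread.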


Re: [qubes-users] Best Desktop for Qubes

2017-07-03 Thread Chris Laprise

On 07/03/2017 02:09 AM, taii...@gmx.com wrote:

On 07/02/2017 09:18 PM, Chris Laprise wrote:

It may have an IOMMU, but does Xen 4.6 work properly with it? Someone
had reported that a different AMD desktop configuration appeared on
the surface to be IOMMU compatible in Qubes, but in actuality it wasn't
being enabled at startup.


Of course why wouldn't it?
The issue with desktops is that the OEM's fail to properly implement it
in their proprietary firmware as to differentiate their server
motherboard lines.

Who said that anyway?



A couple references I can recall:

https://groups.google.com/d/msgid/qubes-devel/fa59ad53-8543-480a-878f-9043036a3cd6%40googlegroups.com?utm_medium=email_source=footer

https://forum.level1techs.com/t/ryzen-iommu-pcie-passthrough-works-but-level-one-techs/113862/80

https://groups.google.com/d/msgid/qubes-users/f72aa22b-bebe-4c9d-9d32-4562f8991dc4%40googlegroups.com?utm_medium=email_source=footer

Don't know how much of this is firmware or other factors...

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5b670e59-d6c4-aa68-4ef6-a08f95ed7969%40openmailbox.org.


Re: [qubes-users] Best Desktop for Qubes

2017-07-02 Thread Chris Laprise

On 07/02/2017 02:51 PM, taii...@gmx.com wrote:

On 07/02/2017 01:28 PM, Zbigniew Łukasiak wrote:


A companion to the Best Laptop for Qubes thread :)

Most of the HCL is filled with laptops - very few desktops are there,
especially on the high end.

Currently I have a Dell Inspiron - works but 16GB RAM is max there
(and it is a non-ECC so most probably more than that does not make
much sense), and 16GB is not enough for me (browsers seem to eat
unbelievable amounts of RAM).

Is there a recommended desktop system for Qubes with over 16GB RAM?


The KCMA-D8 (less expensive, $330) or KGPE-D16 ($415) as I mentioned in
the laptop thread.

Both support 128GB RAM with a libre version of coreboot. (coreboot is
not necessarily free firmware)
See my buyers guide on the coreboot wiki's kgpe-d16 page if you want to
know what CPU's to get, plus install info and of course you can email me
any questions.

Those are the only systems that tick all the qubes 4.0 boxes, including
SLAT (RVI), owner CRTM TPM (optional addon module), iommu, etc.
If you really wanted to you could also make a DIY laptop with a KCMA-D8
and a 35W CPU.


It may have an IOMMU, but does Xen 4.6 work properly with it? Someone 
had reported that a different AMD desktop configuration appeared on the 
surface to be IOMMU compatible in Qubes, but in actuality it wasn't being 
enabled at startup.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0fcccb11-daad-bf5b-3acc-af1d6dbd7470%40openmailbox.org.


Re: [qubes-users] Terrible audio quality in one VM

2017-07-01 Thread Chris Laprise

On 07/01/2017 12:35 PM, Andrew Morgan wrote:

I've had this problem for a while now, but so far haven't been able to
pinpoint the cause.

I have many VMs based on fedora-25 (this has been an issue since f23),
but one of them always has very low-quality/scratchy bass in it.
Unfortunately that happens to be the VM I do all my web-browsing in,
making listening to any music online a sub-par experience.

I also have a VM specifically for watching media based on the same
template, that has absolutely no problems with audio quality.

There's no difference between the different VMs in pavucontrol.

Anyone have any idea on what may be causing this?

Andrew Morgan


I would guess it's a pulse audio setting in your home folder. Easy way 
out may be to simply copy your data files over to a new appVM.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/51e755f1-ee53-3083-5102-8621c87c3d59%40openmailbox.org.


Re: [qubes-users] Rules for when "Update VM" is an active menu item

2017-07-01 Thread Chris Laprise

On 07/01/2017 01:33 PM, motech man wrote:

On Saturday, July 1, 2017 at 5:37:53 AM UTC-5, Chris Laprise wrote:

On 06/29/2017 01:13 PM, motech man wrote:

I updated the fedora 23 template with changes to the hosts /etc/file,
and I noticed that all other VMs that used that template had the
update flag set. That makes perfect sense.

So when I was done I shutdown the template VM and now the Update VM
item is grayed out in the dom0 menu. Restarting the fedora 23
template or any of the VMs that use it in any order or combination
does not allow me to update the VMs that use that template.

I made sure all VMs that use that template were shutdown. In fact the
only VM running is dom0.

What is the correct procedure for updating the hosts file for all VMs
dependent on fedora 23 (what is the rule for when the 'Update VM'
menu is active)?



You perform updates on templates themselves, not on the VMs which use them.

The indicator you're referring to as "update flag" simply shows that the
VM's template has been changed in some way. Shutting down the template
and re-starting the derivative VM is how you make the update take effect
in the VM.

--

Chris Laprise, tasket@openmailbox dot org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


I am aware of the template / AppVM relationship. However simply restarting the 
AppVM to obtain the updated hosts file does not work. I also mentioned an odd 
symptom associated with changing the hosts file in a subsequent post. Neither 
are explained by your reply, but thx for it anyway.



"...now the Update VM item is grayed out in the dom0 menu."

This reference to 'menu' gave me the impression you were trying to 
perform normal OS updates, but for the appVMs directly.


Re: hosts file, here was some discussion:
https://groups.google.com/forum/#!topic/qubes-users/xy2eYiZHvW4

FWIW, Fedora 23 is outdated and something may not be working quite 
right. I tried modifying hosts in a Debian 9 template and the change did 
propagate to the derivative VMs.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/da8377b7-6bc8-2b8e-53ff-0bef5463df2d%40openmailbox.org.


Re: [qubes-users] Rules for when "Update VM" is an active menu item

2017-07-01 Thread Chris Laprise

On 06/29/2017 01:13 PM, motech man wrote:

I updated the fedora 23 template with changes to the hosts /etc/file,
and I noticed that all other VMs that used that template had the
update flag set. That makes perfect sense.

So when I was done I shutdown the template VM and now the Update VM
item is grayed out in the dom0 menu. Restarting the fedora 23
template or any of the VMs that use it in any order or combination
does not allow me to update the VMs that use that template.

I made sure all VMs that use that template were shutdown. In fact the
only VM running is dom0.

What is the correct procedure for updating the hosts file for all VMs
dependent on fedora 23 (what is the rule for when the 'Update VM'
menu is active)?



You perform updates on templates themselves, not on the VMs which use them.

The indicator you're referring to as "update flag" simply shows that the
VM's template has been changed in some way. Shutting down the template 
and re-starting the derivative VM is how you make the update take effect 
in the VM.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d2653010-e44b-92a4-c09c-14e2f1abe2e6%40openmailbox.org.


Re: [qubes-users] System-wide equalizer in dom0 (alsaeq or pulseaudio-equalizer)

2017-06-30 Thread Chris Laprise

On 06/30/2017 10:44 AM, daltong defourne wrote:

Hello!
I'd like to get system-wide EQ in Qubes, is it possible to install any of the 
"classical" linux equalizers?

Alsaeq seems to not be in qubes repositories, and I can not figure out if  
pulseaudio-equalizer is (but seems not)

So if anyone managed to get an equalizer thing going for Qubes, some 
hand-holding and advice would be very appreciated



You can try 'dnf search' in a Fedora VM; This will show you what the 
exact package names are. If the packages are available there, go to dom0 
and use qubes-dom0-update to see if the particular packages are 
available to dom0.


It should also be possible to dnf download the packages in a Fedora 23 
template, then transfer them to dom0 (which is also Fedora 23) for 
installation.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ff0885b8-17d1-07b3-b25c-0acb599f572c%40openmailbox.org.


Re: [qubes-users] Copying between VMs from dom0

2017-06-29 Thread Chris Laprise

On 06/29/2017 02:11 PM, Vít Šesták wrote:

I feel this to be controversial. It is right as long as you implement it 
carefully (How would you handle the separator being present in the content of 
the file? How would you sanitize the filenames? And so on…) AND you don't 
exceed the complexity of tar format.

Regards,
Vít Šesták 'v6ak'



A lot is implied once you're parsing on the receiving end. Can't be 
avoided. Have to decide whether that "a lot" is better than tar's level 
of complexity.


But I think it's manageable; qvm-copy isn't too complex after all. I 
think it passes the file size along with filename. That will nail-down 
the separator issue, for example. Being aware of file syntax (special 
purpose application) can help.


At the end of the day, maybe it's better to trust tar, or not consider 
dest VM security important, or re-use qvm-copy code for a utility that 
works in a dom0-initiated mode.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ba72fb7c-8a10-7fb8-21b4-fc5d3815ae74%40openmailbox.org.
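The separator and filename questions raised in the exchange above can be made concrete with a receiving-side parser. This is an added example, not qvm-copy's actual wire format and not code from the thread: the header layout, the size limits and all function names are assumptions chosen here to show how sending the size along with the filename removes the separator problem.

```python
import io
import struct

HEADER = struct.Struct(">HQ")   # filename length (2 bytes), content length (8 bytes)
MAX_NAME = 255
MAX_FILE = 64 * 1024 * 1024     # per-file cap, assumed for this example
MAX_TOTAL = 256 * 1024 * 1024   # cap for the whole transfer, assumed


class FramingError(Exception):
    """The stream violates the framing or naming rules."""


def pack_file(name, data):
    """Sender side: length-prefixed record, no in-band separator."""
    raw = name.encode("utf-8")
    return HEADER.pack(len(raw), len(data)) + raw + data


def read_exact(stream, n):
    """Read exactly n bytes or fail; pipes may return short reads."""
    chunks, left = [], n
    while left:
        chunk = stream.read(min(left, 65536))
        if not chunk:
            raise FramingError("stream ended %d bytes early" % left)
        chunks.append(chunk)
        left -= len(chunk)
    return b"".join(chunks)


def safe_name(raw):
    """Accept only a plain file name: no paths, no option look-alikes, no control bytes."""
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise FramingError("filename is not valid UTF-8")
    if name in (".", "..") or name.startswith("-"):
        raise FramingError("reserved or option-like filename")
    if any(c in "/\\" or ord(c) < 32 or ord(c) == 127 for c in name):
        raise FramingError("path separator or control character in filename")
    return name


def unpack_files(stream):
    """Receiver side: return [(name, bytes)] or raise FramingError."""
    files, total = [], 0
    while True:
        head = stream.read(HEADER.size)
        if not head:
            return files                      # clean end of stream
        if len(head) < HEADER.size:
            head += read_exact(stream, HEADER.size - len(head))
        name_len, size = HEADER.unpack(head)
        if not 0 < name_len <= MAX_NAME:
            raise FramingError("bad filename length %d" % name_len)
        total += size
        if size > MAX_FILE or total > MAX_TOTAL:
            raise FramingError("declared size exceeds limit")   # checked before reading
        name = safe_name(read_exact(stream, name_len))
        files.append((name, read_exact(stream, size)))


if __name__ == "__main__":
    # Constructed input: the content contains what a separator-based format would trip on.
    wire = pack_file("notes.txt", b"a\n--SEPARATOR--\nb")
    print(unpack_files(io.BytesIO(wire)))
```

Because the content is consumed by count, nothing inside a file is ever interpreted as framing, and the receiver rejects a declared size or name before acting on it.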


Re: [qubes-users] Re: Is it possible to change sys-net's network class in case of collisions with VPN networks?

2017-06-29 Thread Chris Laprise

On 06/28/2017 02:05 PM, Dominique St-Pierre Boucher wrote:

On Wednesday, June 28, 2017 at 12:10:44 PM UTC-4, peterw...@gmail.com wrote:

Hi I have a VPN which uses 10.0.0.0/8 this makes collisions with all the 
subnets that sys-net uses, I was wondering if I could switch out the networks 
and use a class B network instead.

Let me know if this info is not sufficient, I am going home from work so I'm in 
a hurry :P

Thanks for your time.

Best regards,
Petur.


I am also interested by this request. I have no idea how to change this!

Dominique



Seems the definition of a /8 block could be the cause; this looks sloppy 
on the part of the VPN service provider.


You could monitor the logs of your VPN client to see what ip/route 
commands are being pushed down (assuming a protocol similar to openvpn) 
and then add an override to the local config that uses a more specific 
block like /16. But you have to consider if there are many (addressable 
to you) hosts on that VPN net and if their effective host addresses 
range beyond 16 bits; there probably aren't but if so then this solution 
may not work.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How can I test that my AEM configuration is correct?

2017-06-29 Thread Chris Laprise

On 06/29/2017 06:47 AM, loke...@gmail.com wrote:

I enabled AEM some time ago, and so far it's worked the way I'd expect it to.

Based on what I have read here, I came to the understanding that after 
upgrading the dom0 kernel I'd get an AEM error when I reboot the machine, since 
the kernel is different from the last boot.

Yesterday, I installed a new dom0 update which included an updated kernel 
package. I was expecting to see an AEM error when I rebooted, but that never 
happened.

This suggests to me that my AEM configuration is incorrect. Is there a way I 
can test whether it works or not? Perhaps by manipulating something in the boot 
process that would trigger an AEM failure?



It's a little unsettling, but AEM doesn't display an error message when 
this happens. There is simply a lack of your verification phrase and (be 
careful) an opportunity to unlock your HD which leads to re-sealing with 
the new config.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Copying between VMs from dom0

2017-06-29 Thread Chris Laprise

On 06/29/2017 09:09 AM, wordswithn...@gmail.com wrote:

On Wednesday, June 28, 2017 at 4:21:36 PM UTC-4, Chris Laprise wrote:

On 06/28/2017 12:19 PM, wordswithn...@gmail.com wrote:

Thanks, and point taken on not focusing on security implications.

I found a thread from last year where some third-party devs are concerned about 
the implications of letting qvm-run -p run wild:

https://github.com/SietsevanderMolen/i3-qubes/issues/15

It's a good idea, but I think I'm looking for a more secure solution - if it's 
out there.



IIUC, having dom0 parse the file list is what's worrying you? Otherwise,
passing data through dom0 (no parsing) should be considered secure.

You can have dom0 pipe between machines like so:
qvm-run -p sys-net "tar -cf - /etc/NetworkManager/system-connections" |
qvm-run -p sys-net-profiles "tar -xf -"

This entails a small amount of risk to the profiles VM (because tar file
is parsed there), but not to dom0.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


So in this case, sys-net could return whatever malicious file it desired, it 
would be passed through dom0 one character at a time with absolutely no 
interpretation, ending up at the destination VM?

Or would dom0 collect the entire text of the file, and then pipe it in one 
piece to the destination VM?



Transfer through pipe is done by character or block, so no expansion or 
parsing in dom0 in this case.


Another idea is to cat all the files together in a single file with a 
special separator like ' filename' between them. Then you can pipe 
them without tar and use a text sanitizer on the receiving VM before 
separating them.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
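
A receiving-VM sketch of the "sanitize, then separate" idea from the reply above, as an added example that is not part of the original thread. The separator format `=====FILE name=====`, the allowed byte set, the file-name rule and the size limit are all assumptions chosen for illustration; the sample stream is constructed.

```python
import re

# Hypothetical separator line for this example; the thread does not fix a format.
SEP_RE = re.compile(r"^=====FILE (.*)=====$")
# File names: no slashes, no leading dot, bounded length (blocks path traversal).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,63}$")
MAX_BYTES = 1 << 20  # refuse streams over 1 MiB


def sanitize(raw: bytes) -> str:
    """Allow printable ASCII, tab and newline only; reject anything else."""
    if len(raw) > MAX_BYTES:
        raise ValueError("stream too large")
    for offset, byte in enumerate(raw):
        if not (byte in (0x09, 0x0A) or 0x20 <= byte <= 0x7E):
            raise ValueError(f"disallowed byte 0x{byte:02x} at offset {offset}")
    return raw.decode("ascii")


def split_files(text: str) -> dict:
    """Split sanitized text into {name: content} on separator lines."""
    files, name, buf = {}, None, []
    for line in text.splitlines(keepends=True):
        match = SEP_RE.match(line.rstrip("\n"))
        if match:
            if name is not None:
                files[name] = "".join(buf)
            name, buf = match.group(1), []
            if not SAFE_NAME.match(name):
                raise ValueError(f"unsafe file name: {name!r}")
            if name in files:
                raise ValueError(f"duplicate file name: {name!r}")
        elif name is None:
            raise ValueError("data before first separator")
        else:
            buf.append(line)
    if name is not None:
        files[name] = "".join(buf)
    return files


def receive(raw: bytes) -> dict:
    """Sanitize the whole stream first, then separate it into files."""
    return split_files(sanitize(raw))


# Constructed sample stream, as the sending VM might produce it.
SAMPLE = (b"=====FILE home-wifi=====\n[connection]\nid=home-wifi\n"
          b"=====FILE office.nmconnection=====\n[connection]\nid=office\n")

if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    for fname, content in receive(data).items():
        print(f"{fname}: {len(content)} bytes")
```

Because the file names arrive from the sending VM, the receiver validates them before anything is written to disk; a file whose content contains a separator-shaped line is split at that line, so the name check is what bounds the damage.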



Re: [qubes-devel] Re: [qubes-users] Re: Request for feedback: 4.9 Kernel

2017-06-28 Thread Chris Laprise

On 06/15/2017 04:51 PM, Zrubi wrote:


On 06/15/2017 10:02 PM, Reg Tiangha wrote:

On 06/15/2017 01:53 PM, Zrubi wrote:



Maybe it is a known issue, but: online netvm change on a
disposable VM is also broken on the latest 4.9 VM kernel. (Qubes
Manager shows it is changed, but not working in practice)


I've *never* ever had this work for me (although it might have
worked once in R3.0 or something old like that); I've always had to
shut down the Disp VM first, alter the dvm template, and then start
up a new one in order to change NetVMs.


well this is such a basic feature I would go crazy if that would not
work...

I'm using this feature from the beginning. And it was always working
in general. I remember for some broken kernel releases. But this
feature should work in general. As it is working with my setup, in
case of kernel VM 4.4 - but not in case of VM kernel 4.9


I noticed this, too. So reverting a dispVM's template back to 4.4 should 
fix it?


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Copying between VMs from dom0

2017-06-28 Thread Chris Laprise

On 06/28/2017 12:19 PM, wordswithn...@gmail.com wrote:

Thanks, and point taken on not focusing on security implications.

I found a thread from last year where some third-party devs are concerned about 
the implications of letting qvm-run -p run wild:

https://github.com/SietsevanderMolen/i3-qubes/issues/15

It's a good idea, but I think I'm looking for a more secure solution - if it's 
out there.



IIUC, having dom0 parse the file list is what's worrying you? Otherwise, 
passing data through dom0 (no parsing) should be considered secure.


You can have dom0 pipe between machines like so:
qvm-run -p sys-net "tar -cf - /etc/NetworkManager/system-connections" | 
qvm-run -p sys-net-profiles "tar -xf -"


This entails a small amount of risk to the profiles VM (because tar file 
is parsed there), but not to dom0.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] How much inital and max memory for sys and template VMs?

2017-06-28 Thread Chris Laprise

On 06/28/2017 08:18 AM, jakis2...@gmail.com wrote:

Looking at my memory on sys-firewall, it has initial 500mb but max 3gb and it's 
using 3gb, which is eating up a lot of space for other things. What's the best 
setting for this?



I find a fixed size (no memory-balancing) of 250MB works well for 
sys-net, sys-firewall and VPN.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Qubes Community Event in Cologne, Germany on July 15th

2017-06-27 Thread Chris Laprise

On 06/26/2017 09:10 AM, Robert Mittendorf wrote:

Hello fellow Qubes users,

the "Kölner Kreis", a group of regulars that are interested in
IT-Security and IT-Forensics, will organize a "Qubes Community Event" in
Cologne on July 15th 10.00 - 16.00.

Major objective of this event is to "spread the word", say we want to
introduce Qubes OS to new people and after this introduction there will
be an install party. As this is not intended as an international community
meet-up and for the sake of simplicity this event will be in German. The
invitation with further details (in German) is attached to this email.
If a community member that does not speak German but English happens to
be in Cologne on that day (s)he is warmly welcome to join us and share
user experiences, of course.


Wish I could be there!

Some advice from a long-time Linux enthusiast: Set your prospective 
users' expectations carefully as you are working with the compatibility 
quirks of Linux multiplied-by Xen (both projects which focus on server 
hardware).


Urging attendees to bring machines from more compatible product lines 
can help keep the experience a positive one.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Best Laptop For Qubes

2017-06-27 Thread Chris Laprise

On 06/27/2017 01:16 AM, Jean-Philippe Ouellet wrote:

I have friends happily running qubes on other thinkpads (X230, T430,
and various editions of the X1 carbon), and even one happily running
qubes on a macbook. One friend ran it on a dell and gave up due to bad
hw support (graphics & suspend/resume issues) and no patience for
messing with kernel versions, etc. YMMV.


Dell were the most notorious cost-cutters for a long time. But in all 
fairness, I think one must discern between the consumer and business 
product lines when discussing compatibility issues and quality.


So even though I have a warm spot for Thinkpads, I also recognize that 
other 'primary' PC brands -- namely Dell and HP -- have business laptops 
that fare well. And I can't imagine why anyone would want to spend hours 
and days of their time trying to get understandably-finicky software 
like Qubes running on whatever consumer models happen to be laying 
around. (Well, I can imagine, but I know it has to do with an unexamined 
delusion that "PC hardware" represents some kind of blank slate that 
Windows just happens to run on instead of the reality that they are 
Windows-focused and full of undocumented shortcuts and bugs that greatly 
impact non-Windows systems.)


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Best Laptop For Qubes

2017-06-27 Thread Chris Laprise

On 06/27/2017 01:34 AM, Jean-Philippe Ouellet wrote:

As for the Raptor Talos and POWER in general, yes, I totally agree
it's leaps and bounds better than other commodity options, but I
couldn't afford one, it wouldn't fit in my backpack, and even if it
would I'm also not interested in carrying around a car battery just to
power my CPU for 5 minutes. I'd love to be proven wrong, but I don't
see it as a realistic option.


Lol... That was my impression of Talos as well: A bit monstrous in the 
physical aspects.


How did POWER diverge from PowerPC so radically in this respect? Is the 
latter technically moribund or patent-encumbered?




This is somewhat offtopic from Qubes, but oh well. That's where this
topic has drifted to, and the essay-rant is already written, so too
bad :P


I'm always glad to see the question of hardware platforms raised with 
Qubes, esp when discussing compatibility. There is no strictly 
compatible system for Qubes and this makes me think the project should 
eventually get into the business of detailed hardware specification... 
what ideal Qubes hardware looks like.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] switch to integrated Intel graphic

2017-06-25 Thread Chris Laprise

On 06/25/2017 03:14 PM, Eva Star wrote:

After I removed the Radeon card, the system loaded. But resolution is only
1280x800 and there is no network access (network manager does not see the wired network).
Is it because Qubes was installed on the Radeon card? Or do I have too
old integrated Intel graphics (HD 2000)?



I'd guess that the PCI order/ID of your devices changed when you removed 
the Radeon card, causing the NIC to no longer be recognized by its old 
ID. If you go into Devices tab for your sys-net and remove/re-add the 
NIC (then restart) it may work.



--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Debian 9 templates

2017-06-22 Thread Chris Laprise

On 06/22/2017 09:21 AM, Unman wrote:

On Thu, Jun 22, 2017 at 02:37:14PM +0200, cubit wrote:

Is there existing any pre-made templates for Debian 9?



Not yet.



What is the prospect of having it shipped with new Qubes releases? I'm 
asking this because Stretch seems better-behaved than Debian 8.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: Screen recorder for Qubes..?

2017-06-22 Thread Chris Laprise

On 06/22/2017 09:08 AM, mathdegiov...@gmail.com wrote:

Hello,




The threat model is pretty similar to Qubes' Trusted PDF feature.

Not quite. The PDF processing happens in a throwaway VM, whereas here
the video processing as done today happens in dom0.


I was suggesting the compression could be done in an appVM... it should
be trivial to do so.

The result is supposed to be a sanitized, trusted document. I think this
is about as realistic for video as it is for PDFs.



I was able to do the following, which I believe is more in line with Qubes' 
philosophy and allows recording of screencasts using *any* software running in 
an AppVM *and* realtime streaming (desktop sharing - but view only) on 
teleconferencing software.

Here's the outline of the solution:

- Install and load v4l2loopback on the AppVM you want to record/simulate cam
- Capture the screen on DOM0 using ffmpeg -f x11grab -f rawvideo
- Open a qubes-rpc channel to an AppVM
- Send the stream to /dev/video0 on the AppVM, encoding to the appropriate 
format.

Basically, the following script on DOM0:

**
#!/usr/bin/sh

qvm-run -p \
  --localcmd="/home/matheus/ffmpeg-static/ffmpeg \
-f x11grab -r 15 -s 800x600 -i :0.0+0,0 \
-pix_fmt yuv420p -threads 0 -f rawvideo -" \
  untrusted \
  "sleep 3 ; /home/user/Downloads/ffmpeg-static/ffmpeg \
-f rawvideo -s:v 800x600 -pix_fmt yuv420p -re -i pipe:  \
-f v4l2 /dev/video0"

**


The trickiest points (for me) were to compile and install v4l2loopback as a 
kernel module on the template-vm (I had unmatching kernel version and headers 
installed - had to manually download and install the headers to compile it) and 
discover the combination of ffmpeg that would deliver the correct image.

Ideally, we could "extract" the x11grab code from ffmpeg and write a simpler 
utility that only grabs the screen and redirects all the output to the RPC channel, 
removing the need to bring ffmpeg into DOM0.

If that utility were built into a qubes repo I believe that would pretty much 
eliminate any attack vectors (as DOM0 is only being used as an input source to 
another AppVM which does the heavy work encoding and streaming the data).



This looks interesting... Thanks!

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


