Re: [qubes-users] Re: sys-firewall freezing on resume from suspend
On Fri, Jun 03, 2022 at 04:00:20PM +0200, 'qtpie' via qubes-users wrote: So, apparently, this is not a sys-firewall, but a clocksync issue. To root out any causes, I moved the clocksync service to a separate, brand new qube (named sys-clock). And voila: sys-firewall no longer 'crashes' on resume from suspend, now it's sys-clock. This should probably be filed as an issue: github.com/QubesOS/qubes-issues -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YpssUiKTrfhVS/og%40danwin1210.de.
Re: [qubes-users] Re: How to check that an 'in-place upgrade' from Qubes R4.0 to R4.1 was successful?
On Tue, May 31, 2022 at 11:54:24PM -0700, Viktor Ransmayr wrote: I've performed the same task today - and - the same 14 packages were removed again ... So it's clear now that something went wrong with my 'in-place upgrade' ! Anything that I could try, beside a completely fresh installation of Qubes OS R4.1 ? I've had similar issues: https://github.com/QubesOS/qubes-issues/issues/7503 Maybe try some of the ideas suggested there? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YpfiIoiraPydfevk%40danwin1210.de.
[qubes-users] Re: qubes.TemplateSearch is missing
On Thu, Apr 28, 2022 at 07:51:14AM +, tetrahe...@danwin1210.de wrote: Where can I get the TemplateSearch service? The solution is to ensure the UpdateVM is using a 4.1-compatible template: https://github.com/QubesOS/qubes-issues/issues/7120 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YmpfbuBeLQneMzT1%40danwin1210.de.
[qubes-users] qubes.TemplateSearch is missing
The process of upgrading my debian-11 and fedora-34 templates to 4.1 did not work out, and I need to reinstall those templates. When I go to do sudo qubes-dom0-update --action=reinstall qubes-template-debian-11 I get the error: $ sudo qubes-dom0-update --action=reinstall qubes-template-debian-11 Redirecting to 'qvm-template reinstall debian-11' [Qrexec] /bin/sh: /etc/qubes-rpc/qubes.TemplateSearch: No such file or directory ERROR: qrexec call 'qubes.TemplateSearch' failed. Where can I get the TemplateSearch service? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YmpHNFL4o1fYfB%2BG%40danwin1210.de.
[qubes-users] Whonix upgrade fails after interruption
I started uprading Whonix using the salt command, but the process was interrupted. On retrying, it fails, unable to create the whonix WS VM due to "permission denied". From journalctl: Oct 08 11:24:35 dom0 qubesd[2098]: permission denied for call b'admin.vm.Create.AppVM'+b'whonix-ws-16' (b'dom0' → b'dom0') with payload of 31 bytes (see below for the salt output) When I run the qvm-create command from the salt output manually, it also fails, because the whonix-ws-16 template doesn't exist: $ qvm-create --verbose whonix-ws-16-dvm --class=AppVM --template=whonix-ws-16 --label=red 2021-10-08 11:33:54,499 [MainProcess qvm_create.main:177] app: Error creating VM: Got empty response from qubesd. See journalctl in dom0 for details. I assume all this is related to the failed previous attempt. How do I reset the state so that I can successfully do the upgrade? [user@dom0 ~]$ sudo qubesctl state.sls qvm.anon-whonix [WARNING ] /var/cache/salt/minion/extmods/states/ext_state_qvm.py:146: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6 status = Status(retcode=1, result=False, stderr=err.message + '\n') [ERROR ] == ['features'] == Virtual Machine does not exist! == ['tags'] == [SKIP] Skipping due to previous failure! [ERROR ] == ['present'] == == stderr == /usr/bin/qvm-create whonix-ws-16-dvm --class=AppVM --template=whonix-ws-16 --label=red app: Error creating VM: Got empty response from qubesd. See journalctl in dom0 for details. == ['prefs'] == Virtual Machine does not exist! == ['features'] == [SKIP] Skipping due to previous failure! == ['tags'] == [SKIP] Skipping due to previous failure! local: -- ID: template-whonix-ws-16 Function: pkg.installed Name: qubes-template-whonix-ws-16 Result: True Comment: Package qubes-template-whonix-ws-16 is already installed Started: 11:24:14.138294 Duration: 5796.629 ms Changes: -- ID: whonix-ws-tag Function: qvm.vm Name: whonix-ws-16 Result: False Comment: == ['features'] == Virtual Machine does not exist! == ['tags'] == [SKIP] Skipping due to previous failure! Started: 11:24:19.979281 Duration: 271.503 ms Changes: -- ID: whonix-ws-update-policy Function: file.prepend Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy Result: True Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct state Started: 11:24:20.261980 Duration: 14.769 ms Changes: -- ID: whonix-get-date-policy Function: file.prepend Name: /etc/qubes-rpc/policy/qubes.GetDate Result: True Comment: File /etc/qubes-rpc/policy/qubes.GetDate is in correct state Started: 11:24:20.277092 Duration: 12.533 ms Changes: -- ID: template-whonix-gw-16 Function: pkg.installed Name: qubes-template-whonix-gw-16 Result: True Comment: Package qubes-template-whonix-gw-16 is already installed Started: 11:24:20.289981 Duration: 1.316 ms Changes: -- ID: whonix-gw-tag Function: qvm.vm Name: whonix-gw-16 Result: True Comment: == ['features'] == [SKIP] Feature already in desired state: ENABLE 'whonix-gw' = Enabled == ['tags'] == [SKIP] All requested tags already set: created-by-dom0,whonix-updatevm Started: 11:24:20.291708 Duration: 4714.395 ms Changes: -- ID: whonix-gw-update-policy Function: file.prepend Name: /etc/qubes-rpc/policy/qubes.UpdatesProxy Result: True Comment: File /etc/qubes-rpc/policy/qubes.UpdatesProxy is in correct state Started: 11:24:25.006518 Duration: 7.468 ms Changes: -- ID: sys-net Function: qvm.exists Result: True Comment: /usr/bin/qvm-check sys-net None Started: 11:24:25.014322 Duration: 2048.565 ms Changes: -- ID: sys-firewall Function: qvm.exists Result: True Comment: /usr/bin/qvm-check sys-firewall None Started: 11:24:27.065077 Duration: 1868.662 ms Changes: -- ID: sys-whonix Function: qvm.exists Result: True Comment: /usr/bin/qvm-check sys-whonix None Started: 11:24:28.935733 Duration: 1744.59 ms Changes: -- ID: whonix-ws-16-dvm Function: qvm.vm Result: False Comment: == ['present'] == == stderr == /usr/bin/qvm-create whonix-ws-16-dvm --class=AppVM --template=whonix-ws-16 --label=red app: Error creating VM: Got empty response from qubesd. See journalctl in dom0 for details. == ['prefs'] == Virtual Machine does not exist!
[qubes-users] Re: Trezor error with qubes
Ah, I think I forgot to verify. You need to install the public key so you can verify the trezor-bridge RPM file. Unfortunately I don't remember how to do this. On Fri, Sep 24, 2021 at 01:58:34PM +, taran1s wrote: Dear tetrahedra, I am just resending the email in case it didn't catch your attention last time. Could you please have a look at the issue and guide me a little? I tried everything but wasn't able to make it run. Thank you a ton! taran1s taran1s: have you seen this? https://github.com/Qubes-Community/Contents/blob/e7443c960228c1abec9b97f2c2027dbc01f45f63/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md Actually I did do the process based on this guide. Everything is set up except bridge verification. The issue is that once I download the bridge from https://wallet.trezor.io/#/bridge I cannot verify it with gpg2 --verify It returns: [user@fedora-33-min-trezor ~]$ gpg2 --verify trezor-bridge-2.0.27-1.x86_64.rpm gpg: no valid OpenPGP data found. gpg: the signature could not be verified. Please remember that the signature file (.sig or .asc) should be the first file given on the command line. If I try to use rpm directly, it returns this: [user@fedora-33-min-trezor ~]$ sudo rpm -i trezor-bridge-2.0.27-1.x86_64.rpm warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY package trezor-bridge-2.0.27-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY Fedora min template has following packages installed: gnome-keyring qubes-core-agent-nautilus qubes-mgmt-salt-vm-connector qubes-usb-proxy and of course trezor-common On Tue, Aug 31, 2021 at 02:53:47PM +, 'taran1s' via qubes-users wrote: Hello, In my last message I mentioned my attempts to start using the Trezor with qubes. I try to follow this guide, from the official trezor website: https://wiki.trezor.io/Qubes_OS I use the sys-usb based on debian-10 and tried the same with sys-usb based on debian-10-minimal with similar error. My online AppVM in anon-whonix. After I finished the procedures described in the guide, I installed the trezor Bridge and Udev rules in the sys-usb, and the Trezor Suite in the anon-whonix, with sudo dpkg -i required-package. Once I start both sys-usb and anon-whonix and attach the trezor-T I get following error (suite is seen by the sys-usb): 2021-08-31T14:38:06.967Z - ERROR(process-trezord): Status error: request to http://127.0.0.1:21325/ failed, reason: connect ECONNREFUSED 127.0.0.1:21325 Do you see any workarounds to make it work? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/753fdebf-f149-5ba4-8f24-f19802a0b525%40mailbox.org. -- Kind regards taran1s gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YU8wtsy8Y8/P7lwX%40danwin1210.me.
Re: [qubes-users] Qubes-backup verify only verifies dom0, not appVMs
On Thu, Aug 26, 2021 at 07:11:49AM -0700, Andrew David Wong wrote: It's possible to create "backup profiles," but I haven't personally used them, so I'm not familiar with the details of how they work. This option is mentioned in the `--help` text for qvm-backup but not qvm-backup-restore. It looks like the profiles are stored in /etc/qubes/backup/. I checked that directory and there are no profiles, so that can't be the problem. Unfortunately at this point I'm all out of ideas for troubleshooting this -- even though it's a very important issue! Unverified backups are very dangerous, and I've caught problems before because backups failed to verify. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YT%2BOWhaS0TGZke4v%40danwin1210.me.
Re: [qubes-users] Trezor in Qubes
On Fri, Sep 03, 2021 at 07:54:56AM +, taran1s wrote: Thank you for the guide. I tried to follow the official guide on trezor wiki, abstaining from fedora a bit more, but still erroring. To your guide. The last 4 lines: copy to fedora-3x in fedora-3x sudo rpm -i /path/to/trezor.rpm ...are to be done in the fedora-3x template, right? Will it work on fedora-33-minimal too, or it needs to be full template? I don't know. All done, but I wasnt able to find any signed hash of the bridge or something and so I get this error: [user@fedora-33-min-trezor ~]$ sudo rpm -i trezor-bridge-2.0.27-1.x86_64.rpm warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY package trezor-bridge-2.0.27-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY Weird. You have to install the Trezor verification key. I had to do this the first time I installed, but after re-imaging my system, it wasn't necessary on the most recent install, so I took the section out of my notes. Unfortunately I don't remember what the steps were to install the key! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YTPfjQCizVDm8sen%40danwin1210.me.
Re: [qubes-users] Trezor error with qubes
have you seen this? https://github.com/Qubes-Community/Contents/blob/e7443c960228c1abec9b97f2c2027dbc01f45f63/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md On Tue, Aug 31, 2021 at 02:53:47PM +, 'taran1s' via qubes-users wrote: Hello, In my last message I mentioned my attempts to start using the Trezor with qubes. I try to follow this guide, from the official trezor website: https://wiki.trezor.io/Qubes_OS I use the sys-usb based on debian-10 and tried the same with sys-usb based on debian-10-minimal with similar error. My online AppVM in anon-whonix. After I finished the procedures described in the guide, I installed the trezor Bridge and Udev rules in the sys-usb, and the Trezor Suite in the anon-whonix, with sudo dpkg -i required-package. Once I start both sys-usb and anon-whonix and attach the trezor-T I get following error (suite is seen by the sys-usb): 2021-08-31T14:38:06.967Z - ERROR(process-trezord): Status error: request to http://127.0.0.1:21325/ failed, reason: connect ECONNREFUSED 127.0.0.1:21325 Do you see any workarounds to make it work? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/753fdebf-f149-5ba4-8f24-f19802a0b525%40mailbox.org. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YTPcR2PRFOL/AjKf%40danwin1210.me.
Re: [qubes-users] Trezor in Qubes
On Thu, Aug 26, 2021 at 02:27:35PM +, 'taran1s' via qubes-users wrote: Hello all, I would like to start to use Trezor with my qubes. I would like to follow this guide here https://wiki.trezor.io/Qubes_OS. My intention is to use the Trezor HW wallet in a anon-whonix AppVm with Trezor Suite qube through Tor. I run qubes on X230 Nitropad. I would like to check if the guide to install the Trezor Bridge and Udev rules in the sys-usb (see the official Trezor guide) is advised by qubes community or is it good practice not to install anything in the sys-usb and instead install the packages (bridge, udev rules and suite) in the target anon-whonix AppVM. It should be fine. See my pull request for step by step instructions: https://github.com/Qubes-Community/Contents/pull/145 https://github.com/Qubes-Community/Contents/blob/3e1785a11e90b52e086fb8b3b246e5c2de7faca5/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YSjVraLa/O2lQYOX%40danwin1210.me.
Re: [qubes-users] Qubes-backup verify only verifies dom0, not appVMs
On Wed, Aug 25, 2021 at 07:31:33AM -0700, Andrew David Wong wrote: And in fact only dom0 gets verified, the others seem to be ignored. I cannot seem to reproduce this. My verify-only attempts also verify domUs. I'm using the same qvm-backup-restore command, just without `--verbose`. That's very strange. Are restore settings stored anywhere on the local machine, like how VMs can have an "exclude from backups" option? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YSeUe5O1IEUt12if%40danwin1210.me.
[qubes-users] Qubes-backup verify only verifies dom0, not appVMs
When I verify my backups, it happens ~instantaneously. It used to take hours, because it would extract every VM backup and verify it. Judging by the logs, it's only verifying dom0. Unless something has changed with how Qubes verifies its backups, there may be a bug that causes verification to only check dom0, rather than verifying the AppVMs as well. This is really bad, because what I care about is the data in the AppVMs... being able to restore the AppVMs is more important than being able to restore dom0! Here's how I back up: ``` nice qvm-backup \ --verbose \ --passphrase-file $PASSFILE \ --exclude $IGNORE_VM \ --dest-vm $DEST_VM \ --compress \ --yes \ $BACKUP_DIR ``` And here's how I restore: ``` qvm-backup-restore \ --dest-vm $DEST_VM \ --passphrase-file $PASSFILE \ --verify-only \ --verbose \ $BACKUP_FILE ``` When it starts restoring, it shows that none of my VMs will be restored, except for dom0: ``` The following VMs are included in the backup: +--+---+-++ name | type | template | netvm | label | +--+---+-++ dom0 | AdminVM | n/a | (default) | black | myvm | StandaloneVM | n/a | my-net-vm-x | orange | <-- Excluded from restore my-other-vm-xxx |AppVM | debian-10 | (default) | blue | <-- Excluded from restore another-vm-xx |AppVM | fedora-33 | (default) | green | <-- Excluded from restore [... continuing for the list of all VMs ...] ``` And in fact only dom0 gets verified, the others seem to be ignored. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YSYjit8%2BhYGbkJrI%40danwin1210.me.
Re: [qubes-users] Survey from HackerNCoder: Colors in QubesOS
On Mon, Mar 15, 2021 at 10:16:04PM +, hackerncoder wrote: I have created a survey about colors in Qubes, to help understand users: Are there too many colors? Too few? What do users associate with the colors? what are they used for? There wasn't any space in the survey for general comments, so let me say here: more colors, please! I find it makes the most sense to be able to isolate *both* by threat level and theme, and there simply aren't enough colors to do that. Colors are not just about preventing one VM from pretending to be another VM. Colors also really help prevent *user error*, where you accidentally confuse e.g your chat window with Mom with the chat window you use for communicating with journalistic sources -- and end up asking Mom to get undercover footage from North Korea. Woops! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YFD9hgjWUbvDtUvA%40danwin1210.me.
[qubes-users] Qubes AEM: write protecting BIOS is not possible
The [Qubes AEM docs](https://github.com/QubesOS/qubes-antievilmaid) recommend: Some hints: connect the write protect pin on BIOS flash chip to ground (prevents attacker from booting their own software which would bypass BIOS protections and overwrite it) and make sure physically accessing the chip will be tamper-evident by eg. covering the screws holding laptop body together in glitter and taking high-res photos, then examining before each use. However, the given suggestion will do nothing on most laptops, providing a false sense of security. The reason is that many/most BIOS flash chips require the SRWD and block protect bits to be set **in software** before the **hardware** write protect pins will do anything. Unfortunately, Flashrom does not currently support setting these bits, though there is an open proposal to add support: https://github.com/flashrom/flashrom/issues/142 https://github.com/flashrom/flashrom/issues/185 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YEagdOwtmnEOZ6PR%40danwin1210.me.
Re: [qubes-users] Opening applications using qvm-run
On Sun, Feb 28, 2021 at 08:03:47PM +0100, airelemental via qubes-users wrote: Try: $ qvm-run --service anon qubes.StartApp+janondisttorbrowser $ qvm-run --service untrusted qubes.StartApp+firefox $ qvm-run --service personal qubes.StartApp+thunderbird Thanks, that did the trick! Two questions: 1. Is there any way to pass arguments? 2. for some applications the name I have to pass to qubes.StartApp is not the same as the command used on the command line (e.g `janondisttorbrowser` instead of `torbrowser`). How do I find out the correct name for an arbitrary application? is it always the same as the name of the .desktop file in /usr/share/applications? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YDwdXuakojz8gdV8%40danwin1210.me.
Re: [qubes-users] Opening applications using qvm-run
On Sun, Feb 28, 2021 at 11:49:04PM +, unman wrote: It's not Torbrowser specific for me, that was just an example using a Whonix Workstation VM. (it does work as stated -- I did test it) In actuality I want to launch specific applications (that launch fine using applications menu) from a dom0 script, but the only way I can find to launch them without blocking the script execution is using gnome-terminal. And that opens an extra (unneeded) terminal window. Do you have the same problem with non Whonix qubes? I dont use Whonix, and dont have this problem with any of my other template based qubes. Yes. But the other solution (qubes.StartApp) did the trick. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YDz2ddi0Rrp6RuLw%40danwin1210.me.
Re: [qubes-users] Opening applications using qvm-run
On Sat, Feb 27, 2021 at 11:57:32PM +, unman wrote: Is this Torbrowser specific? Because it doesn't block with other programs (or at least doesn't seem to do so for me). On what is the "anon" qube based? How is it configured to run torbrowser with no path? It's not Torbrowser specific for me, that was just an example using a Whonix Workstation VM. (it does work as stated -- I did test it) In actuality I want to launch specific applications (that launch fine using applications menu) from a dom0 script, but the only way I can find to launch them without blocking the script execution is using gnome-terminal. And that opens an extra (unneeded) terminal window. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YDuQ6zSFT31ESepY%40danwin1210.me.
[qubes-users] Opening applications using qvm-run
I'm trying to figure out how to open applications in VMs from dom0 using qvm-run, and how to do so without blocking the terminal in dom0. For example: ``` $ qvm-run anon "torbrowser qubes-os.org" Running 'torbrowser qubes-os.org' on anon ``` The above command sucessfully launches Tor Browser in the `anon` VM, but I can't run another command in the same dom0 terminal window until Tor Browser (in the VM) finishes (exits). Alternately I can do something like ``` $ qvm-run anon "gnome-terminal -- torbrowser qubes-os.org" ``` but that leaves a terminal window running in the `anon` VM. I've also tried all the usual variations on `nohup`, `disown`, `&`, and the like, but none of them seem to do the trick. Any ideas? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YDpUQIsYO4hJyRt4%40danwin1210.me.
[qubes-users] Opening applications using qvm-run
I'm trying to figure out how to open applications in VMs from dom0 using qvm-run, and how to do so without blocking the terminal in dom0. For example: ``` $ qvm-run anon "torbrowser qubes-os.org" Running 'torbrowser qubes-os.org' on anon ``` The above command sucessfully launches Tor Browser in the `anon` VM, but I can't run another command in the same dom0 terminal window until Tor Browser (in the VM) finishes (exits). Alternately I can do something like ``` $ qvm-run anon "gnome-terminal -- torbrowser qubes-os.org" ``` but that leaves a terminal window running in the `anon` VM. I've also tried all the usual variations on `nohup`, `disown`, `&`, and the like, but none of them seem to do the trick. Any ideas? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YDjjDMmmzJzTkk0J%40danwin1210.me.
Re: [qubes-users] [unofficial] Qubes security advisory
On Mon, Oct 26, 2020 at 04:04:30PM -0400, Chris Laprise wrote: On 10/25/20 10:24 PM, 'J.M. Porup' via qubes-users wrote: One morning last week, I launched a disposable Debian 10 template with my preset defaults of no netvm and a blank page preset--but instead a default page of "https://www.youtube.com/"; appeared. It only happened once, but it was enough. So to clarify, you launched a dispVM with no networking, and a youtube page was loaded and rendered on screen? That seems highly unlikely to be an accidental input or glitch. No, he's saying the Firefox homepage in his Debian-10 template was changed from about:blank to youtube.com, leading the debian-10 template-based DispVM to launch Firefox with youtube.com as the default page. Ergo someone compromised his Debian-10 template and changed the Firefox homepage... or, there was an error in the template configuration leading to him accidentally changing the hompeage in what sounds like a stressful situation. J.M., assuming you are indeed correct about a major attack, most of the major Xen vulnerabilities that threaten a Qubes full compromise involve sys-net. Since Five Eyes may get advance notice of Xen holes, if your machine was indeed fully rooted it could be you were hit by the PCI vulnerability from a while back. Due to precisely these kinds of issues, there is discussion for using the much-harder-to-exploit OpenBSD as an operating system for the sys-net VM: https://github.com/QubesOS/qubes-issues/issues/5294 You may want to give it a go (after buying a new laptop, of course). Additionally, if a sys-net based attack is indeed a concern for your threat model, consider disabling wi-fi entirely and using an ethernet cable, wi-fi drivers are generally terrible. Nevertheless if you are really up against serious Five Eyes type adversaries then it's unlikely you'll be able to keep *any* computer secure for long and should probably buy that cabin in the Rockies you always wanted... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201105222013.GA1107%40danwin1210.me.
Re: [qubes-users] Calling all humans! (from Nina)
On Sun, Oct 11, 2020 at 11:42:27PM +0500, Stumpy wrote: Thanks for this, I have filled it out and volunteered but really really really wanted to iterate one big (for me) point, and that is include at least some of the things listed in the documentation as an option in the setup. Side idea: include the documentation in the base install! And then it's easier to point to the relevant bits of the documentation post-install... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201012180112.GC1220%40danwin1210.me.
[qubes-users] Google requiring login to access qubes-users
WHen I try to access the Google Groups qubes-users site, sometimes (circa 50%) I'm presented with a Google login prompt and can't access the qubes-users group unless I have a Google account. Since Qubes is privacy-focused it seems like maybe the Qubes mailing lists should migrate to a less Orwellian mailing list provider. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200815193919.GA1104%40danwin1210.me.
Re: [qubes-users] Some questions about Electrum split wallet
On Sun, Jun 21, 2020 at 03:33:57PM +, 'Totally Zoid' via qubes-users wrote: The instructions for using Electrum split wallet on the Qubes website recommend installing electrum with dnf. However this gives electrum 3.3.4, which is not the most recent version, that is 3.3.8, available from electrum's website. Would it be safer to install the most recent version from the website? For the "hot" side of the wallet you probably want the most recent version. For the "cold" / offline side it should not matter. Also does anyone know if it's possible to have a split wallet with a bitcoin-core own node instead of relying on electrum? Yes, see the howto using `electrs` or Electrum Personal Server: https://github.com/qubenix/qubes-whonix-bitcoin Note that for real privacy you will need to use JoinMarket. I don't know if Qubenix takes donations but if so it's definitely worth supporting him for putting together such an epic HOWTO! Another thing is that a lot of menu options in electrum lead to web addresses and these very frustratingly open in Firefox inside the electrum VM. Is there a way to force these links to open in a dispVM? That should work the same as changing the default URL for any other application. I think that is already covered in the Qubes docs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200621170258.GC1138%40danwin1210.me.
Re: [qubes-users] Re: A lot of dom0 updates recently
On Fri, Jun 19, 2020 at 07:28:52AM -0700, Lorenzo Lamas wrote: Security issues are always published in Qubes Security Bulletins, which are also in the News section of Qubes website. The only recent Security Bulletin is about the new Intel CPU vulnerabilities, but that isn't in the stable updates repository yet, so unless you updated dom0 with testing repository, all your recent updates are not security updates. Thanks! Yes, I haven't seen any announcements, so that's why I was wondering. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200621165753.GB1138%40danwin1210.me.
Re: [qubes-users] A lot of dom0 updates recently
On Fri, Jun 19, 2020 at 04:41:03AM +, Logan wrote: I've been noticing this, too. Something interesting has been occurring in about half of my Dom0 updates lately: In the "details" section of the Qubes Updater it shows no detail, only: Fairly ambiguous. Did it even update? Same thing happening to me. Must be those NSA "ghost updates" when they install the backdoor :) note to tinfoil hat crowd: JUST KIDDING (hopefully) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200621165723.GA1138%40danwin1210.me.
[qubes-users] A lot of dom0 updates recently
dom0 seems to be getting a lot of updates at the moment (3x in the last 1-2 weeks?) ... are there any security holes we should know about? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200617045326.GA5613%40danwin1210.me.
Re: [qubes-users] Hallo, es kann langsam losgehen mit Qubes Deutschland Forum, sowie mit der Software Übersetzung in deutsche Sprache
On Fri, May 15, 2020 at 10:27:06AM -0700, wirsindei...@gmail.com wrote: Hallo liebe Mädels und Jungs, das ist jetzt mein Qubes Forum in deutsche Sprache. https://qubes-deutschland-forum.gegenseitige-hilfe.org/index.php Bitte schaut mal rein und sagt mir, was man noch verbessern bzw. umsetzen kann. Ihr könnt euere Verbesserungsvorschläge hier reinschreiben. https://qubes-deutschland-forum.gegenseitige-hilfe.org/viewforum.php?f=138 Verbesserungsvorschlag: email-liste statt Webforum! Oder mindestens Discourse (was beides macht) (ich, vermutlich auch andere, finde es viel leichter Updates per Mail zu bekommen) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200515182324.GB1086%40danwin1210.me.
Re: [qubes-users] Salt worm
On Fri, May 08, 2020 at 02:29:02PM +0100, unman wrote: If there is a basic writeup out there with examples how to automate tempalte setup for Qubes ... that would be really great. I ran some training a few years back, and the notes are here: https://github.com/unman/notes/tree/master/salt Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200515181443.GA1086%40danwin1210.me.
Re: [qubes-users] Salt worm
On Wed, May 06, 2020 at 02:17:15PM +0100, unman wrote: Salt is used to provision the qubes at initial install - I'd also argue that you *should* use salt to set up and control your templates and qubes, since it allows you to rebuild your system automatically. No more trying to remember what packages you installed in a template, or how you set up a particular qube. That sounds excellent. I've never used Salt. Is there a writeup anywhere explaining how to use it for setting up & controlling templates? In Qubes, by default, there is one minion, in dom0, which isn't networked. So there is no scope for this vulnerability to impact the salt configuration that Qubes uses, and to undermine the security of dom0. Great, thanks for clearing this up! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200506164258.GA2789%40danwin1210.me.
[qubes-users] Salt worm
Qubes uses Salt, and there's something nasty going around: https://saltexploit.com/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200506055615.GA1083%40danwin1210.me.
[qubes-users] Making boot-from-CD permanent for an appVM
Is it possible to make the `--drive` option for `qvm-start` permanent? For example, to configure a Tails AppVM with no persistency but also without creating a separate TemplateVM, DispVM template, and then DispVM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200419102746.GA1095%40danwin1210.me.
Re: [qubes-users] Cloning a DVM: some apps don't start disposably
On Fri, Mar 27, 2020 at 09:09:12AM +, tetrahedra via qubes-users wrote: I have a dispVM `my-dvm` where everything works as it should: if I open Firefox, that Firefox instance starts in a new disp VM. I want to clone that dispVM and create a new dispVM connected to a different network-providing VM, so I do exactly that: clone `my-dvm` and set the netVM for `my-new-dvm` to `my-other-netvm`. When I start XTerm in `my-new-dvm` the new XTerm window starts in a disp disposable VM, as it should. When I start Firefox in `my-new-dvm`, however, Firefox starts up in the underlying `my-new-dvm` template, not in a disp disposable VM. This means that the Firefox browsing history and prefs are saved, any malware gets to persist, etc. Comparing the output of `qvm-prefs my-new-dvm` and `qvm-prefs my-dvm`, all settings are identical except for things that should obviously be different (the netvm, the GUID, the IP address, etc). After further testing, the problem does not appear when cloning a Whonix workstation dispVM -- the problem only appears when cloning a Fedora-based dispVM. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200331213554.GA1071%40danwin1210.me.
[qubes-users] Cloning a DVM: some apps don't start disposably
I have a dispVM `my-dvm` where everything works as it should: if I open Firefox, that Firefox instance starts in a new disp VM. I want to clone that dispVM and create a new dispVM connected to a different network-providing VM, so I do exactly that: clone `my-dvm` and set the netVM for `my-new-dvm` to `my-other-netvm`. When I start XTerm in `my-new-dvm` the new XTerm window starts in a disp disposable VM, as it should. When I start Firefox in `my-new-dvm`, however, Firefox starts up in the underlying `my-new-dvm` template, not in a disp disposable VM. This means that the Firefox browsing history and prefs are saved, any malware gets to persist, etc. Comparing the output of `qvm-prefs my-new-dvm` and `qvm-prefs my-dvm`, all settings are identical except for things that should obviously be different (the netvm, the GUID, the IP address, etc). Any idea what the problem could be? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200327090912.GA1402%40danwin1210.me.
Re: [qubes-users] Why not make it possible to use a custom key combination for changing the keyboard layout when installing Qubes OS ?
On Tue, Mar 10, 2020 at 11:58:21AM -0700, 'M' via qubes-users wrote: torsdag den 5. marts 2020 kl. 14.19.59 UTC+1 skrev tetra...@danwin1210.me: On Thu, Mar 05, 2020 at 03:33:54AM -0800, A wrote: >When installing Qubes OS, it’s possible to choose between some predetermined key combinations for changing the keyboard layout. > >Why not also make it possible for the user to make his or her own key >combination for changing the keyboard layout when installing Qubes OS ? I still haven't figured out how to change the key combination once the install is complete... You can't. It's made as so as a security measure. This makes no sense to me. The Qubes security model is that dom0 is assumed clean, and if dom0 is compromised the whole machine is compromised. How would making it impossible to change the key combination from dom0 improve security? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200313184016.GA2050%40danwin1210.me.
Re: [qubes-users] Obtaining genuine Qubos installer
On Thu, Mar 05, 2020 at 06:33:38PM +, Mark Fernandes wrote: By the way, I consider that I am being completely reasonable with my threat model, whilst also employing critical thinking. How hard is it to go to a large PC store, and pick at random one Linux distribution, to take home, to better ensure you have system integrity? Sounds like the solution is pretty easy: go to a large PC store, buy a PC and pick a random Linux distribution off the shelf, then use all that to do your verifying. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200307145241.GA1104%40danwin1210.me.
Re: [qubes-users] Why not make it possible to use a custom key combination for changing the keyboard layout when installing Qubes OS ?
On Thu, Mar 05, 2020 at 03:33:54AM -0800, A wrote: When installing Qubes OS, it’s possible to choose between some predetermined key combinations for changing the keyboard layout. Why not also make it possible for the user to make his or her own key combination for changing the keyboard layout when installing Qubes OS ? I still haven't figured out how to change the key combination once the install is complete... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200305131950.GD1307%40danwin1210.me.
Re: [qubes-users] Building an X-230 into a Qubes machine.
On Wed, Mar 04, 2020 at 04:51:38AM -0800, ggg...@gmail.com wrote: As I could not afford a Privacy Beast, I bought a refurbished X-230 Core I5, 4 GB RAM to convert on my own. Soon I will get the 16 GB of RAM to put into it. I am looking to buy a ch-431a to program it from Amazon. I know the guys at Insurgo list on they use from China, but right now, I am not much interested in ordering one delivered from China. Not sure when it would be delivered, and whether I want it into my house. Most of these products come from China. If you use a Raspberry Pi then it comes from the UK, I think. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200305131754.GC1307%40danwin1210.me.
Re: [qubes-users] Manual VPN installation issues
On Tue, Mar 03, 2020 at 09:18:54AM -0500, Chris Laprise wrote: Assuming nothing's terribly wrong, it may be worth posting your public key fingerprint used for code signing somewhere! The B281C952 key is a subkey of F07F1886; Import both and the former will be listed under the latter. Ok, thanks for clarifying! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200305131627.GB1307%40danwin1210.me.
Re: [qubes-users] Anyone gotten bitcoind to install via snapcraft on an AppVM?
On Tue, Mar 03, 2020 at 11:17:53AM +, qubenix wrote: That's true, but using a pruned bitcoind will limit its usefulness as a backend for other software (eg. electrum servers, block explorers). You may be able to use it for a specific purpose (eg. joinmarket), but the point of my guides is that you can keep adding new software that comes out (eg. btcpayserver, lnd, c-lightning, esplora) and connect it to your bitcoind VM without having to reindex the chain. Makes sense. - it would be really nice to use bind-dirs to avoid creating a second Whonix WS templateVM (which takes up lots of disk space) -- unfortunately I haven't figured out how to create a new user and keep that user persistent (see prior email) This is a good point. Unfortunately I don't have a lot of extra time/motivation currently to make sweeping changes like that. That's why my btcpayserver branch hasn't been worked on since November. Yes, I tried to do it (see earlier email in this thread) but it's not quite trivial. Bind-dir'ing /etc/passwd and related files seemed to break `adduser`. It's nice to know that someone somewhere is paying attention to work I've done with these. Thank you for that. Thank you for doing them! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200305131523.GA1307%40danwin1210.me.
Re: [qubes-users] Manual VPN installation issues
On Sun, Feb 16, 2020 at 10:50:55AM -0500, Chris Laprise wrote: If the process seems too complicated, you can try my VPN support tool, which automates most of the steps (you would download the config files from the second link to use with this): https://github.com/tasket/Qubes-vpn-support -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 Unfortunately the PGP key in your signature doesn't match the GPG key used to sign your Git commits for Qubes-vpn-support: gpg: Signature made Fri 05 Jul 2019 05:15:24 AM UTC gpg:using RSA key 0573D1F63412AF043C47B8C8448568C8B281C952 Assuming nothing's terribly wrong, it may be worth posting your public key fingerprint used for code signing somewhere! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200303123643.GA1101%40danwin1210.me.
Re: [qubes-users] Anyone gotten bitcoind to install via snapcraft on an AppVM?
On Thu, Feb 27, 2020 at 03:18:30PM +, tetrahedra via qubes-users wrote: Current best solution for running bitcoind on an AppVM: Download the binaries, run bitcoind as `user` For future reference, the current Bitcoin-on-Qubes howtos appear to be here: https://github.com/qubenix/qubes-whonix-bitcoin Comments for qubenix: - Some systems have limited disk space (e.g SSDs) so it may make sense to run a pruned node - it would be really nice to use bind-dirs to avoid creating a second Whonix WS templateVM (which takes up lots of disk space) -- unfortunately I haven't figured out how to create a new user and keep that user persistent (see prior email) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200303085202.GA1147%40danwin1210.me.
[qubes-users] Anyone gotten bitcoind to install via snapcraft on an AppVM?
Current best solution for running bitcoind on an AppVM: Download the binaries, run bitcoind as `user` Disadvantages: - bitcoind runs as the main VM user, no isolation - no automatic updates of bitcoind - no systemd service file, have to hack something together with `rc.local` to get bitcoind to start on VM boot Nicer approach: install bitcoind via the Snapcraft Store, so we have systemd integration, automatic updates, bitcoind running as a separate user Attempted implementation steps: - on debian-10 template, `sudo apt install -y snapd qubes-snapd-helper` - reboot template and appVM - on VM run `sudo snapd install bitcoin-core` - reboot VM Result: - bitcoind does not appear as a service, `bitcoind` at the command line produces file-not-foud Additionally, trying to manually create a `bitcoind` user doesn't work. After linking /etc/passwd, group, gshadow, passwd-, shadow, subgid, subuid into bind-dirs using /rw/config/qubes-bind-dirs.d/50_user.conf, `sudo adduser` produces the error: $ sudo adduser bitcoind Adding user `bitcoind' ... Adding new group `bitcoind' (1001) ... groupadd: failure while writing changes to /etc/group adduser: `/sbin/groupadd -g 1001 bitcoind' returned error code 10. Exiting -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200227151830.GB1180%40danwin1210.me.
Re: [qubes-users] Running sshd on an AppVM
On Mon, Feb 17, 2020 at 09:28:37AM +0100, dhorf-hfref.4a288...@hashmail.org wrote: How do I set up an SSH server on my AppVM? i deviate from the regular "how to do portforwards with qubes" for this and have a qubes-rpc service that basicly just does "exec sudo sshd -i" in the target vms, then do a socat/systemdsocket bounce to the rpc service straight from sys-net. that way the "messing with firewalls" is limited to exactly one INPUT rule in sys-net, plus one qubes-rpc policy, and there are no perma-running services in the target vm at all! Very nice! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200224150148.GB1499%40danwin1210.me.
Re: [qubes-users] Running sshd on an AppVM
On Mon, Feb 17, 2020 at 10:03:26AM +0100, dhorf-hfref.4a288...@hashmail.org wrote: On Mon, Feb 17, 2020 at 08:59:18AM +, tetrahedra via qubes-users wrote: like only debian's `apt-search` will search the binary names, fedora's `dnf search` appears not to. dnf whatprovides sshd Did not know about that! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200224145953.GA1499%40danwin1210.me.
Re: [qubes-users] Running sshd on an AppVM
On Mon, Feb 17, 2020 at 08:16:32AM +, tetrahedra via qubes-users wrote: I need to set up a reverse SSH tunnel -- where a remote machine, behind a firewall, connects to my local machine, running sshd. The documentation for exposing a VM port to the outside world is clear enough. But sshd doesn't appear to be installed on any template, nor does it appear to be installable (`dnf search sshd` only returns apache-sshd). No documentation mentions sshd. There are references to sshd in the qubes-users archive that indicate sshd used to be available. But it seems to be no longer available. How do I set up an SSH server on my AppVM? Answering my own question: the package is `openssh-server` (on both Fedora and Debian). It looks like only debian's `apt-search` will search the binary names, fedora's `dnf search` appears not to. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200217085918.GA1673%40danwin1210.me.
[qubes-users] Running sshd on an AppVM
I need to set up a reverse SSH tunnel -- where a remote machine, behind a firewall, connects to my local machine, running sshd. The documentation for exposing a VM port to the outside world is clear enough. But sshd doesn't appear to be installed on any template, nor does it appear to be installable (`dnf search sshd` only returns apache-sshd). No documentation mentions sshd. There are references to sshd in the qubes-users archive that indicate sshd used to be available. But it seems to be no longer available. How do I set up an SSH server on my AppVM? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200217081200.GA1044%40danwin1210.me.
Re: split-mail setups (was: Re: [qubes-users] Will Thunderbird 78 kill Qubes Split gpg?)
On Tue, Feb 11, 2020 at 06:53:58PM -0600, Sven Semmler wrote: mutt in a no-netvm mua-vault? with fetchmail-vms feeding it through qubesrpc-procmail? and separate vms for qubesrpc-msmtp for sending? or msmtp-vms mixed with the fetchmail-vms based on credentials-overlap? but, yes. not really a solution for the masses. :) lol... just mutt/fetchmail/postfix/qubes-split-gpg in a firewalled qube. however, I am afraid that you have already successfully placed a virus in my head. That setup sounds like a challenge. Any documentation you could link? I'd be more interested in a defense against the DoS vulnerability in Qubes users (aka xkcd nerd sniping)that dhorf appears to have discovered :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200212035705.GA1233%40danwin1210.me.
Re: [qubes-users] Re: Upgrade to 16 GB RAM for an X230
On Sun, Feb 09, 2020 at 03:37:45PM +, unman wrote: Any other suggestions of fixes, upgrades, or tests to make? Replace Intel wifi with Atheros. What's the benefit of the Atheros chip over Intel? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200210031057.GA1045%40danwin1210.me.
Re: [qubes-users] dom0 refusing to update
On Sat, Feb 01, 2020 at 11:07:20AM +0100, David Hobach wrote: find: '/var/lib/qubes/dom0-updates/var/cache': No such file or directory Qubes OS Repository for Dom0 18 MB/s | 32 kB 00:00 This has been happening for a while, it seems like something about the dom0 update process is broken. It just worked fine for me. Are you on stable? Yes. I rebooted and after rebooting it worked. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200201113515.GA1034%40danwin1210.me.
[qubes-users] dom0 refusing to update
I could just create the cache directory, but there's probably something more fundamentally wrong: $ sudo qubes-dom0-update --> Running transaction check ---> Package anaconda-core.x86_64 1000:25.20.9-17.fc25 will be installed ---> Package anaconda-gui.x86_64 1000:25.20.9-17.fc25 will be installed ---> Package anaconda-tui.x86_64 1000:25.20.9-17.fc25 will be installed ---> Package anaconda-widgets.x86_64 1000:25.20.9-17.fc25 will be installed ---> Package qubes-anaconda-addon.noarch 0:4.0.11-1.fc25 will be installed ---> Package qubes-usb-proxy-dom0.noarch 0:1.0.27-1.fc25 will be installed --> Finished Dependency Resolution /var/lib/qubes/dom0-updates/packages/anaconda-core-25.20.9-17.fc25.x86_64.rpm already exists and appears to be complete /var/lib/qubes/dom0-updates/packages/anaconda-gui-25.20.9-17.fc25.x86_64.rpm already exists and appears to be complete /var/lib/qubes/dom0-updates/packages/anaconda-tui-25.20.9-17.fc25.x86_64.rpm already exists and appears to be complete /var/lib/qubes/dom0-updates/packages/anaconda-widgets-25.20.9-17.fc25.x86_64.rpm already exists and appears to be complete /var/lib/qubes/dom0-updates/packages/qubes-anaconda-addon-4.0.11-1.fc25.noarch.rpm already exists and appears to be complete /var/lib/qubes/dom0-updates/packages/qubes-usb-proxy-dom0-1.0.27-1.fc25.noarch.rpm already exists and appears to be complete find: '/var/lib/qubes/dom0-updates/var/cache': No such file or directory Qubes OS Repository for Dom0 18 MB/s | 32 kB 00:00 This has been happening for a while, it seems like something about the dom0 update process is broken. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200201013600.GA1045%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Tue, Jan 28, 2020 at 11:52:56PM +, 'Andrey Arapov' via qubes-users wrote: Hum, I have just realized that you have also noticed one more error: libxl_pci.c: libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :00:14.0 It looks like this error is related to this code https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=tools/libxl/libxl_pci.c;h=6f8f49c7c0a80478b244c52ae65e75f8a78c6481;hb=b03cee73197f4a37bf2941b9367105187355e638#l1150 [https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=tools/libxl/libxl_pci.c;h=6f8f49c7c0a80478b244c52ae65e75f8a78c6481;hb=b03cee73197f4a37bf2941b9367105187355e638#l1150] where, it appears to me at the first sight, we are not patching it. I raised that question here https://github.com/QubesOS/qubes-issues/issues/3518#issuecomment-579526805 Thank you! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200129062741.GC1043%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Tue, Jan 28, 2020 at 10:59:00PM +, 'Andrey Arapov' via qubes-users wrote: Hi tetrahedra, The original error ("unable to reset PCI device...") still occurs when trying to start disp-sys-usb. Despite have the "no-strict-reset" set to True, you will continue to see the "Unable to reset PCI device: ... no FLR, PM reset or bus reset available" "error" message each time you are trying to attach a PCI device that does not support the FLR (Function Level Reset) [2]. The "no-strict-reset" enablement patch [1] allows you (libvirt) to assign a PCI device to domU, even when the device does not support any reset method . The error message is kept there for the informational purposes so this way a person may become aware of that his PCI device may not be working as desired because it does not support any reset method, despite of which it still gets assigned to domU when "no-strict-reset" is set to True, thanks to the patch [1]. Hi Andrey, All that may be true but it does not explain why the error message was accompanying an *error condition* -- specifically that the VM refused to start. If the error had simply been printed in the logs and the VM started normally (with USB controllers) then it would not have been an issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200129062707.GB1043%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Tue, Jan 28, 2020 at 12:22:00PM +, unman wrote: Now *that* confusion is cleared up, I assume your problem has gone away? Yes (so far). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200129062428.GA1043%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Mon, Jan 27, 2020 at 11:37:01AM +, unman wrote: I run named disposable sys-usbs, from a usb template. In my experience it is *not* necessary to pass the reset option on each boot. The option is set once and applies on every boot. (On one x230 I have a separate print usb, and just switch between the standard named usb and print qube without any issues. Again the reset option is set once.) I cant account for what's happening in your set-up. I'm assuming that your original sys-usb worked fine. Take a step back: delete all the disposable sys-usb, and confirm that your sys-usb works fine. Then create a disposable template - confirm tat *that* works fine. Then create disposable sys-usb. If you hit a problem, tell us what hardware you have. You quoted a different message than the one you were replying to... The confusion appears to have been that I thought no-strict-reset was a setting applied to a PCI device. Instead it appears to be an option applied to a specific connection between a PCI device and a VM. Therefore, when *attaching* a PCI device to a VM, you must pass `--option no-strict-rest=True` *each time you attach the device manually.* If you use `--persistent` with qvm-pci then naturally the option is passed every time you start the VM. This means that it is not sufficient to do: ``` qvm-pci attach --persistent --option no-strict-reset=True VMNAME DEVICE qvm-pci attach --persistent OTHER_VMNAME DEVICE ``` Instead you must do: ``` qvm-pci attach --persistent --option no-strict-reset=True VMNAME DEVICE qvm-pci attach --persistent --option no-strict-reset=True OTHER_VMNAME DEVICE ``` And under no circumstances may you do: ``` qvm-pci attach --persistent --option no-strict-reset=True VMNAME DEVICE qvm-pci detach VMNAME DEVICE qvm-pci attach --persistent VMNAME DEVICE ``` -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200128033013.GA2550%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Mon, Jan 27, 2020 at 02:18:42AM +0100, tetrahedra via qubes-users wrote: it looks like the underlying disp-sys-usb template started, rather than an actual DispVM (the running VM is named `disp-sys-usb` instead of `disp`) ... Testing this hypthothesis (by creating a file in the home directory on disp-sys-usb, and rebooting it) indicates that I'm wrong and disp-sys-usb actually is running as a disposable VM (the created file vanishes after reboot). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200127014335.GB1100%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Mon, Jan 27, 2020 at 02:18:42AM +0100, tetrahedra via qubes-users wrote: On Sun, Jan 26, 2020 at 08:11:45AM +0100, tetrahedra via qubes-users wrote: The original error ("unable to reset PCI device...") still occurs when trying to start disp-sys-usb. The error is now also happening when I try to start sys-usb! It looks like no-strict-reset=True has to be passed *every time* you attach a PCI device to a VM... that it was passed before when attaching to a different VM is not enough! Detaching all USB controllers from sys-usb and then manually reattaching with $ qvm-pci attach --option no-strict-reset=True --persistent sys-usb dom0:00_14.0 resulted in a slightly different error when trying to start sys-usb: $ qvm-start sys-usb Start failed: internal error: Unable to reset PCI device :00:14.0: internal error: libxenlight failed to create new domain 'sys-usb', see /var/log/libvirt/libxl/libxl-driver.log for details $ sudo tail /var/log/libvirt/libxl/libxl-driver.log libxl: libxl_pci.c:1199:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :00:14.0 However attaching all controllers to disp-sys-usb (using the above command) worked, and my USB devices are recognized by disp-sys-usb. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200127014220.GA1100%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Sun, Jan 26, 2020 at 08:11:45AM +0100, tetrahedra via qubes-users wrote: The original error ("unable to reset PCI device...") still occurs when trying to start disp-sys-usb. The error is now also happening when I try to start sys-usb! I was able to get disp-sys-usb start (without any attached USB controllers!) and found another problem: it looks like the underlying disp-sys-usb template started, rather than an actual DispVM (the running VM is named `disp-sys-usb` instead of `disp`) ... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200127011842.GA2269%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Sat, Jan 25, 2020 at 05:35:20AM +0100, tetrahedra via qubes-users wrote: On Thu, Jan 23, 2020 at 02:22:20PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: Following the directions here: https://www.qubes-os.org/doc/disposablevm-customization/#create-the-sys-usb-disposablevm In step 5, did you include the option? I used the Qube Manager GUI to attach but -- since the USB controllers were still marked as attached to disp-sys-usb when I ran `qvm-pci` with disp-sys-usb powered off, I assume the answer is "yes." Just in case I removed all the USB controllers from disp-sys-usb, then ran the step 5 command with all USB controllers (including the `--persistent` option) and tried starting disp-sys-usb. The original error ("unable to reset PCI device...") still occurs when trying to start disp-sys-usb. The error is now also happening when I try to start sys-usb! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200126071145.GA1509%40danwin1210.me.
Re: [qubes-users] Qubes, Fedora, and package signing
On Thu, Jan 23, 2020 at 02:30:52PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: A few times people have observed that Fedora's package signing leaves a few things to be desired. While Qubes' security model doesn't depend on Fedora entirely, a compromised template compromises the machine -- and package repos are a good way to compromise a template. Why does Qubes still seem to use Fedora as the "primary" choice and Debian as the "secondary" one? Start here https://github.com/QubesOS/qubes-issues/issues/1919 and work your way backwards. :) My question was intentionally phrased not to be about dom0 :p There has been some discussion on this list about alternative sys-* VMs but it still seems to me that Qubes views Fedora as the "primary" choice -- perhaps because dom0 is Fedora. Of course a compromise in the package signing would also potentially compromise dom0, so it's still an issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200125044204.GB1051%40danwin1210.me.
Re: [qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
On Thu, Jan 23, 2020 at 02:22:20PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: Following the directions here: https://www.qubes-os.org/doc/disposablevm-customization/#create-the-sys-usb-disposablevm In step 5, did you include the option? I used the Qube Manager GUI to attach but -- since the USB controllers were still marked as attached to disp-sys-usb when I ran `qvm-pci` with disp-sys-usb powered off, I assume the answer is "yes." Just in case I removed all the USB controllers from disp-sys-usb, then ran the step 5 command with all USB controllers (including the `--persistent` option) and tried starting disp-sys-usb. The original error ("unable to reset PCI device...") still occurs when trying to start disp-sys-usb. Did you detach the USB controller from your existing sys-usb (or at least shut it down)? I shut down sys-usb but did not detach the devices from it. I tried removing the devices from sys-usb (so they were exclusively attached to disp-sys-usb) but the error still appears after doing so. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200125043520.GA1051%40danwin1210.me.
[qubes-users] Qubes, Fedora, and package signing
A few times people have observed that Fedora's package signing leaves a few things to be desired. While Qubes' security model doesn't depend on Fedora entirely, a compromised template compromises the machine -- and package repos are a good way to compromise a template. Why does Qubes still seem to use Fedora as the "primary" choice and Debian as the "secondary" one? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200121102630.GA1045%40danwin1210.me.
[qubes-users] Disposable sys-usb creation fails with "unable to recet PCI device"
Following the directions here: https://www.qubes-os.org/doc/disposablevm-customization/#create-the-sys-usb-disposablevm I already had a sys-usb VM so did not need to hide USB controllers from dom0. After finishing with the given steps, I run `qvm-start disp-sys-usb` and get the error: ``` $ qvm-start disp-sys-usb Start failed: internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available, see /var/log/libvirt/libxl/libxl-driver.log for details ``` The corresponding log entry: ``` 2020-01-21 01:57:18.598+: libxl: libxl_pci.c:1199:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :00:14.0 ``` `qvm-pci | grep USB` indicates that no-strict-reset is already configured for all my USB devices. Any suggestions? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200121020700.GA1756%40danwin1210.me.
Re: [qubes-users] Open several files in THE SAME dispVM
On Fri, Jan 17, 2020 at 05:40:50PM +0100, r.wiesb...@web.de wrote: Hey, Is there a way to open a bunch of files in the same dispVM ? Yes, I can copy/move those files and open them in the dispVM, that is what I do right now - but it would be nice if there was a simpler way to do so. I agree, the `qvm-open-in-dvm` script should follow the same syntax as `qvm-move` and `qvm-copy` -- it should be able to take multiple files as an argument. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200118021444.GA1049%40danwin1210.me.
Re: [qubes-users] Xen doesn't recognize that a VM has finished starting
On Wed, Jan 15, 2020 at 11:22:12PM +, Claudia wrote: When I try to start another VM which has been set to use the new-sys-net VM as its NetVM, the startup times out and I get the error "libxenlight has failed to create new domain NEWVM"... /var/log/xen/console/guest-NEWSYSNET-dm.log doesn't show anything obviously wrong, apart from some call traces of unclear origin. Not sure, but it sounds like maybe the guest's qrexec isn't connecting to the host. Make sure it's installed and running properly in the guest. Check `systemctl status qubes-qrexec-agent.service` in the guest, and /var/log/qubes/qrexec..log on dom0. That's very possible. The guest is OpenBSD so no systemctl :) Here is the other discussion about this, I have not yet gotten a chance to try the suggested fix, but I anticipate that it will work: https://github.com/QubesOS/qubes-issues/issues/5294#issuecomment-574225742 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200116022739.GA1043%40danwin1210.me.
Re: [qubes-users] How do vif-route-qubes and DNS forwarding work?
On Tue, Jan 14, 2020 at 04:46:16PM +0100, David Hobach wrote: You'll find the explanations in the respective iptables and/or nftables rules of the next hop networking VM. What do you mean by "next hop networking VM"? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200115024415.GA1862%40danwin1210.me.
[qubes-users] How do vif-route-qubes and DNS forwarding work?
(originally sent to qubes-devel, but I guess failed moderation) I can't quite tell from the source code -- when / where / how does it run? Is it used to change routing on sys-net, or is it used to set routing in other VMs so they work with sys-net? How does DNS forwarding work? (the Qubes networking docs page mentions DNS forwarding, but does not explain it) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200114130130.GA1181%40danwin1210.me.
[qubes-users] Xen doesn't recognize that a VM has finished starting
I have a HVM VM that I'm trying to set up as a new sys-net. However, when I boot it, Xen / Qubes doesn't seem to recognize that the domain has finished starting. The Qubes menu at the top right shows the red circling progress logo, even though the domain has booted already. When I try to start another VM which has been set to use the new-sys-net VM as its NetVM, the startup times out and I get the error "libxenlight has failed to create new domain NEWVM"... /var/log/xen/console/guest-NEWSYSNET-dm.log doesn't show anything obviously wrong, apart from some call traces of unclear origin. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200114122900.GA1040%40danwin1210.me.
Re: [qubes-users] Re: Making a HVM VM start in headless mode
On Sun, Jan 12, 2020 at 12:31:15AM -0800, alex.bari...@gmail.com wrote: The following settings work for me: 1. Set "debug" to "False" in qvm-prefs 2. Set "gui" to "False" and "gui-emulated" to "False" The only problem is qubes (or xen) keeps cashed info on whether to show emulated console. Sometimes the settings work immediately, sometimes after a reboot, sometimes I need to delete old vm files laying abound. Ah thanks. How do I call up the console window if I need it -- is `xl console` (or qvm-console-dispvm) the only option? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200112124533.GA4046%40danwin1210.me.
[qubes-users] Making a HVM VM start in headless mode
When I create a HVM VM, by default I have the console window of the VM open all the time when it is running. Sys-net is HVM by default but there is no console window. How do I set this up for other HVM VMs? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200112032814.GA3399%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Sun, Dec 29, 2019 at 01:44:28PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: On Fri, Dec 27, 2019 at 09:57:16AM +0100, tetrahedra via qubes-users wrote: Unfortunately I need to get work done so have to reboot to "just make it go away" but I am still interested in troubleshooting ideas (for when it happens next). Investigate xl top more thoroughly. You can identify offending VMs with it, and see if all your RAM is in use which triggers swapping to (slow) disk. Looks like my RAM is about 43% free, according to xentop (xl top). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200104082914.GB3032%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Mon, Dec 30, 2019 at 05:31:58PM -0500, Steve Coleman wrote: I have had graphics slowdown issues in the past on two occasions that acted like this, so here are some things to try: 1) Add the 'nopat' argument to the 'kernel opts:' boot command line. > qvm-prefs -s kernelopts nopat I just checked, and the VMs in question (all VMs on my system?) already have `nopat` in the kernelopts 2) The second, I can not seem to locate that email exchange at the moment, but it was a option on the graphics subsystem that needed to be turned off. Something like backing store, but I'm sure that is not the correct name for it. I'll keep looking for that one until I hear back if #1 above fixed your problem or not. Ok, I still could not find that email exchange, but the second thing to try is in the XFCE "Window Manager Tweaks" Compositor tab, and try to disable the "Enable display compositing" entry. Disabling display compositing does seem to have improved performance, but no so much that it fixed the problem. It seems to be something separate from whatever's going on. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200104082643.GA3032%40danwin1210.me.
Re: [qubes-users] Mounting a VM's storage on a different machine
On Fri, Jan 03, 2020 at 02:48:15AM +0100, tetrahedra via qubes-users wrote: (subject line is incorrect, should be "mounting on a different VM") On Fri, Jan 03, 2020 at 02:47:00AM +0100, tetrahedra via qubes-users wrote: I have a VM that's having serious problems. Is there any way to mount the VM's private storage (/rw/*) on a different VM, in order to recover the data? Solved: https://www.reddit.com/r/Qubes/comments/chgb3h/is_it_possible_to_access_files_inside_a_vm/f8ur03m/ Also put in a PR for qubes-comunity-docs with this info, since I saw a few posts around the Internet for people asking how to do it and not finding an answer. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103023859.GA1491%40danwin1210.me.
[qubes-users] What happened to "paranoid mode"?
From back in the 3.2 era: https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/ $ qvm-backup-restore --paranoid-mode On my 4.0 install this option does not appear. Is it no longer considered necessary? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103015531.GB1330%40danwin1210.me.
Re: [qubes-users] Mounting a VM's storage on a different machine
(subject line is incorrect, should be "mounting on a different VM") On Fri, Jan 03, 2020 at 02:47:00AM +0100, tetrahedra via qubes-users wrote: I have a VM that's having serious problems. Is there any way to mount the VM's private storage (/rw/*) on a different VM, in order to recover the data? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103014700.GB1285%40danwin1210.me. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103014815.GA1330%40danwin1210.me.
[qubes-users] Mounting a VM's storage on a different machine
I have a VM that's having serious problems. Is there any way to mount the VM's private storage (/rw/*) on a different VM, in order to recover the data? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103014700.GB1285%40danwin1210.me.
Re: [qubes-users] Booting VM to single user mode
On Fri, Jan 03, 2020 at 01:25:36AM +, 'awokd' via qubes-users wrote: Unfortunately there is still the problem that the VM is killed after 60 seconds because Qubes can't connect to the qrexec agent... anyone know how to disable this? Try qvm-prefs with qrexec_timeout. 0 might disable, or some high number. using 0 gives the error "no such property: 'qrexec_timeout'" High number works. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103014549.GA1285%40danwin1210.me.
Re: [qubes-users] Booting VM to single user mode
On Fri, Jan 03, 2020 at 01:58:06AM +0100, tetrahedra via qubes-users wrote: is it possible? I tried using `sudo virsh edit MYVM` to add `single` / `init=/bin/bash` (for fedora & debian, respectively) to the kernel but the settings would not validate, and after I selected "ignore" to force it, the machine still did not boot into single-user mode. Solution: qvm-prefs MYVM kernelopts "nopat single" where `nopat` is whatever kernel options were previously listed in the output of `qvm-prefs MYVM kernelopts` Unfortunately there is still the problem that the VM is killed after 60 seconds because Qubes can't connect to the qrexec agent... anyone know how to disable this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103011849.GA1204%40danwin1210.me.
[qubes-users] Booting VM to single user mode
is it possible? I tried using `sudo virsh edit MYVM` to add `single` / `init=/bin/bash` (for fedora & debian, respectively) to the kernel but the settings would not validate, and after I selected "ignore" to force it, the machine still did not boot into single-user mode. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200103005806.GA1058%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Sun, Dec 29, 2019 at 01:44:28PM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: On Fri, Dec 27, 2019 at 09:57:16AM +0100, tetrahedra via qubes-users wrote: Unfortunately I need to get work done so have to reboot to "just make it go away" but I am still interested in troubleshooting ideas (for when it happens next). Investigate xl top more thoroughly. You can identify offending VMs with it, and see if all your RAM is in use which triggers swapping to (slow) disk. My disk is a pretty fast SSD, and I did use xentop (`xl top` is just an alias for xentop) and it didn't show anything unusual as far as I can recall. Perusing the xentop man page doesn't show any potentially relevant options except for `--full-name` and that option doesn't seem to do anything. Pressing "B" (for "vBds") seems to list a number of devices for each VM but none of them have any 2-digit unique identifying number (as `iotop` seems to display). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191230043233.GE1185%40danwin1210.me.
Re: [qubes-users] Qubes Structure
On Sun, Dec 29, 2019 at 10:56:31AM +0100, xao wrote: Hi! Sorry for the bad question structure, don't know how to write it properly. I've seen some examples of how people setup their system and the most paranoid ones create separate standalone vm for each application and firewall that allows only this application to connect to the internet. Currently, I have 4 template vms - debian 10 with all programs I use installed in it, fedora 30 minimal for netvms, and whonix templates. All my vms that I use on day to day basis are made with debian template. After seeing all those setups I feel that my system is an open garden for hackers and they can do whatever they want, and I will find it out only after I get completely hacked. So, my question is how to setup your system for maximum security? Is there any guidelines on how to do so? I understand that it may be a silly question because it mostly depends on from whom I protect myself, but let's imagine I need to protect from everyone. If you need to protect from everyone then you should turn your computer off, lock it in a vault, embed the vault in a block of solid concrete, bury the whole mess at the bottom of a mine, and post an armed guard at the door. Then you *may* be safe. Ultimately your security is not the product of some "setup" but of the degree to which you understand how your setup works and what the implications are of the choices that you make. If you understand very little, then the most paranoid of setups will get you very little in terms of security, because you will end up making choices that compromise that security -- or you will just end up wasting a great deal of time on things that don't matter. If you need security but don't understand computers, avoid using computers! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191230042414.GC1185%40danwin1210.me.
Re: [qubes-users] sys-net interfaces
On Fri, Dec 27, 2019 at 08:46:35AM +, 'awokd' via qubes-users wrote: What responsibilties does sys-net have in terms of forwarding DNS? The documentation specifies how things work for AppVMs, and it says there is no DNS server in the "network driver domain" (sys-net), but it does not say what sys-net actually has to do. It looks like the documentation is assuming sys-net has many more virtual NICs than it actually does? Did you check the Qubes source code responsible for setting these up? The qubes-devel mailing list might also be appropriate here... The documentation mentions the vif-route-qubes utility, but I can't tell if dom0 runs this on sys-net (to set up routing to serve AppVMs) or runs it on AppVMs / etc ... the documentation does not mention any other source code (which would be used to e.g set up DNS forwarding). I will ask on qubes-devel. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191228025332.GA1654%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Fri, Dec 27, 2019 at 09:57:16AM +0100, tetrahedra via qubes-users wrote: Unfortunately I need to get work done so have to reboot to "just make it go away" but I am still interested in troubleshooting ideas (for when it happens next). One thing I noticed on reboot -- the initial round of stop jobs (when shutting down the system, things like unmounting LUKS volumes) all timed out. Not sure if related. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227091041.GA1085%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Fri, Dec 27, 2019 at 08:49:02AM +, 'awokd' via qubes-users wrote: Further inspection shows there's a LOT of disk I/O going on. after installing iotop in dom0, this appears to be coming from command [NN.xvda-0], presumably one of the VMs. How do I map the NN (number) to a given running VM? Check xl top. I think you can find the offending VM with that. You might be running out of system RAM too, which would be shown at the top. xl top / xentop doesn't show any two-digit number identifying a VM. However by trial and error it looks like the extreme levels of disk I/O are a symptom rather than a cause. After shutting down all slowed-down VMs the disk I/O ended. Then when I re-started a DispVM with Firefox, the high levels of disk I/O (constant read > 50MB/sec) came back and Firefox was slow (as before). Unfortunately I need to get work done so have to reboot to "just make it go away" but I am still interested in troubleshooting ideas (for when it happens next). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227085716.GA2170%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Fri, Dec 27, 2019 at 09:05:52AM +0100, tetrahedra via qubes-users wrote: On Fri, Dec 27, 2019 at 08:33:10AM +0100, tetrahedra via qubes-users wrote: Periodically all graphics-heavy apps (Firefox, ...) in all VMs seem to slow down simultaneously. Rebooting fixes the situation. Running `sudo journalctl -f` in dom0 doesn't show anything unusual. What would you suggest as a next step towards locating the problem? vim also appears to be affected by the slowdown. Further inspection shows there's a LOT of disk I/O going on. after installing iotop in dom0, this appears to be coming from command [NN.xvda-0], presumably one of the VMs. How do I map the NN (number) to a given running VM? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227083340.GA1952%40danwin1210.me.
Re: [qubes-users] Troubleshooting Qubes graphical slowness
On Fri, Dec 27, 2019 at 08:33:10AM +0100, tetrahedra via qubes-users wrote: Periodically all graphics-heavy apps (Firefox, ...) in all VMs seem to slow down simultaneously. Rebooting fixes the situation. Running `sudo journalctl -f` in dom0 doesn't show anything unusual. What would you suggest as a next step towards locating the problem? vim also appears to be affected by the slowdown. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227080552.GA1906%40danwin1210.me.
[qubes-users] Troubleshooting Qubes graphical slowness
Periodically all graphics-heavy apps (Firefox, ...) in all VMs seem to slow down simultaneously. Rebooting fixes the situation. Running `sudo journalctl -f` in dom0 doesn't show anything unusual. What would you suggest as a next step towards locating the problem? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227073310.GA1647%40danwin1210.me.
Re: [qubes-users] sys-net interfaces
On Thu, Dec 26, 2019 at 11:47:37AM +, 'awokd' via qubes-users wrote: There's a brief discussion at https://www.qubes-os.org/doc/networking/, but there may be more detailed notes in the source code for Qubes' VM networking components. Qubes uses Xen's networking, so that might be the best place to begin research. What responsibilties does sys-net have in terms of forwarding DNS? The documentation specifies how things work for AppVMs, and it says there is no DNS server in the "network driver domain" (sys-net), but it does not say what sys-net actually has to do. Also, the docs don't appear to be entirely accurate. The documentation specifies a fairly complex set of routing tabels for the "network driver domain" (sys-net, I assume), but the actual routing table on my sys-net is fairly simple The table from the documentation: Destination Gateway Genmask Flags Metric Ref Use Iface 10.137.0.16 0.0.0.0 255.255.255.255 UH 0 0 0 vif4.0 10.137.0.7 0.0.0.0 255.255.255.255 UH 0 0 0 vif10.0 10.137.0.9 0.0.0.0 255.255.255.255 UH 0 [... many lines removed ...] 192.168.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0 The table from my sys-net: [user@sys-net ~]$ sudo ip route [user@sys-net ~]$ sudo route Kernel IP routing table Destination Gateway Genmask Flags Metric RefUse Iface default _gateway0.0.0.0 UG60000 wls7 10.137.0.5 0.0.0.0 255.255.255.255 UH32747 00 vif5.0 192.168.0.0 0.0.0.0 255.255.255.0 U 60000 wls7 It looks like the documentation is assuming sys-net has many more virtual NICs than it actually does? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227070535.GA1464%40danwin1210.me.
Re: [qubes-users] sys-net interfaces
On Thu, Dec 26, 2019 at 11:47:37AM +, 'awokd' via qubes-users wrote: tetrahedra via qubes-users: I haven't been able to find any documentation for what network interfaces sys-net is expected to expose internally. If I want to create my own sys-net from scratch, how does Xen/Qubes send network traffic to sys-net, to be sent onwards to my NIC? There's a brief discussion at https://www.qubes-os.org/doc/networking/, but there may be more detailed notes in the source code for Qubes' VM networking components. Qubes uses Xen's networking, so that might be the best place to begin research. Thanks, that's very helpful. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191227061022.GA1186%40danwin1210.me.
[qubes-users] sys-net interfaces
I haven't been able to find any documentation for what network interfaces sys-net is expected to expose internally. If I want to create my own sys-net from scratch, how does Xen/Qubes send network traffic to sys-net, to be sent onwards to my NIC? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191221153318.GA1931%40danwin1210.me.
Re: [qubes-users] Mike's emails
On Fri, Dec 13, 2019 at 08:59:16AM +0100, David Hobach wrote: I am getting very many duplicate copies of Mike's emails, but only of emails from Mike. Is this happening to anyone else? Probably because he clicked "reply all" on one of your questions like I just did. No, when that happens (as it does with everyone who replies-all to my emails) I only get 2 messages. However I currently have 15 copies of Mike's "Qubes won't help in that situation" email...! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191213230930.GA1701%40danwin1210.me.
[qubes-users] Mike's emails
On Thu, Dec 12, 2019 at 05:23:47PM +, Mike Keehan wrote: Qubes won't help in this situation - see https://www.qubes-os.org/doc/disposablevm/#disposablevms-and-local-forensics They recommend using Tails for this type of situation. Mike. I am getting very many duplicate copies of Mike's emails, but only of emails from Mike. Is this happening to anyone else? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191213023409.GA6832%40danwin1210.me.
Re: [qubes-users] sys-net keeps dying
On Wed, Dec 11, 2019 at 11:46:04AM +, 'awokd' via qubes-users wrote: This should work, but make sure sys-firewall is shutdown before attempting to change. If it still isn't, try changing with qvm-prefs sys-firewall. Ok, I didn't realize sys-firewall had to be shutdown. Most of the time you can change a VM's networking without shutting it down first... in any case, once sys-firewall was off, changing networking worked fine. Unfortunately, creating a new sys-net does not appear to have fixed the issue, crashes still occur. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191212041425.GA5975%40danwin1210.me.
Re: [qubes-users] sys-net keeps dying
On Thu, Dec 05, 2019 at 03:05:42PM +, Claudia wrote: I am wondering if it would make sense to re-create sys-net from scratch. Could it be that this is something from fedora-29 that is not working well with fedora-30? Did you keep the fedora 29 template installed? If so, I think you could just change the template back to 29 for sys-net and see if that fixes it. If not, perhaps you could downgrade it, or try explicitly installing the fedora 29 template. No, I just deleted the fedora-29 template recently, not realising it might be the root of the issue :/ There doesn't seem to be much documentation on how to do this. One post suggests you just create a new VM and call it sys-net: https://www.reddit.com/r/Qubes/comments/amvkz3/how_to_create_net_and_firewall_again_with_default/efpl5i2/ However that doesn't seem right, isn't something extra needed to get the NetworkManager wifi menu widget set up? Not that I know of. As far as I know, system tray icons are just like a regular window, in that any VM can create them without any special configuration, and they're colored according to the VM. So when you start NetworkManager it should just appear in the tray. I don't know anything about that guide, but it may be worth trying. You can create a new VM called sys-net2 or whatever so you don't have to overwrite your existing sys-net. Then just create a temporary AppVM with sys-net2 as its NetVM to test it. I did create sys-net2 and NetworkManager started automatically (no configuration needed!) and connected to wifi. However, when I try to configure sys-firewall to use sys-net2 instead of sys-net for networking, I get the error: ERROR Basic tab: Failed to access 'netvm' property I have sys-net2 set up in HVM mode, with "provides network" checked in the Advanced tab, the NICs configured in Devices, etc. Other than that the only option I can think of is to debug your current sys-net and fix whatever is causing it to crash. Check /var/log/qubes, /var/log/xen, and `xl dmesg`. I did find some relevant log entries, but I'm not sure how to interpret them. I will post to the relevant Github issue about this: https://github.com/QubesOS/qubes-issues/issues/4658 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191210081042.GA4088%40danwin1210.me.
Re: [qubes-users] Days since last backup
On Tue, Nov 26, 2019 at 05:26:54AM +0100, tetrahedra via qubes-users wrote: I've created a script and user-mode anacrontab to automatically remind the user if it's been more than N days since the last backup. Are the qubes-community-docs the best place to document this, or is there a better place for things that involve scripts? Put in a PR for qubes-community-docs, in case anyone wants to review and merge it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191209111246.GB2944%40danwin1210.me.
Re: [qubes-users] Dom0 screencapture with cron
On Thu, Nov 28, 2019 at 09:13:22AM -0800, hoff8h...@gmail.com wrote: I'm just running through some ideas. Something every hour is a little much, but I would like to take a screenshot of the whole window after a script is run. Still the same question. It's not quite capturing screenshots, but here's a quick script I use to keep track of what I'm doing at regular intervals, logging the current time and active window name to a log file: #!/bin/bash TZ='UTC-0'; export TZ LOGFILE="time.log" INTERVAL=300 # 5 minutes { while : do date xdotool getwindowname $(xdotool getactivewindow) sleep $INTERVAL done } | tee $LOGFILE -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191209110902.GA2944%40danwin1210.me.
[qubes-users] sys-net keeps dying
see the corresponding issue: https://github.com/QubesOS/qubes-issues/issues/5508 The tldr is that ever since I upgraded to fedora-30, sys-net has started dying intermittently (or less intermittently, nearly every time) I put my laptop to sleep. This is really problematic. I am wondering if it would make sense to re-create sys-net from scratch. Could it be that this is something from fedora-29 that is not working well with fedora-30? There doesn't seem to be much documentation on how to do this. One post suggests you just create a new VM and call it sys-net: https://www.reddit.com/r/Qubes/comments/amvkz3/how_to_create_net_and_firewall_again_with_default/efpl5i2/ However that doesn't seem right, isn't something extra needed to get the NetworkManager wifi menu widget set up? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191208195653.GA1977%40danwin1210.me.
Re: [qubes-users] Activating FDE on lid close
On Fri, Nov 01, 2019 at 07:38:53AM +0100, tetrahedra via qubes-users wrote: The original scenario is that the user shuts the laptop lid knowing that an adversary is about to take control of the machine. In this case, an evil maid attack is not really an issue... by the time the user gets the laptop back, the old infosec adage "nuke it from orbit, it's the only way to be sure" is liable to apply. It looks like someone has figured out how to encrypt the laptop on lid suspend, which is fairly close to the original goal: https://github.com/QubesOS/qubes-issues/issues/2890 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191208032843.GA1049%40danwin1210.me.
Re: [qubes-users] AppVM stuck as disposable in menu
On Mon, Nov 25, 2019 at 03:20:16AM +0100, tetrahedra via qubes-users wrote: After creating an AppVM, I experimented with making it (the basis of) a disposable VM, but then un-did the settings and went back to using it as a regular AppVM. Unfortunately it's still showing up in the applications launcher menu as a Disposable VM, and the menu items no longer work for running the VM. If I do `qvm-run VMNAME gnome-terminal` then the VM starts and everything is fine. I've been through all the documentation related to making an AppVM into a disposable VM and the settings all *seem* to have been correctly reverted. I just can't figure out why the menu entries are still wrong. Does anyone have any ideas what could be wrong? The solution turned out to be: qvm-features --unset VMNAME appmenus-dispvm -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191203051616.GA1429%40danwin1210.me.
Re: [qubes-users] Fedora 29 has reached EOL
On Fri, Nov 29, 2019 at 11:58:03PM -0600, Andrew David Wong wrote: No, those were not related to EOL. P.S. -- Please do not write to both lists. Ok thanks. Sorry for sending to both, I hit "reply all" and didn't look at the result. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191130065248.GB3966%40danwin1210.me.
[qubes-users] What's the logic behind many similar templates?
By default Qubes comes with two templates for AppVMs: a Debian template and a Fedora one. But many people seem to clone templates, so they also have an e.g "fedora-minimal" template or a "-multimedia" one or any number of other variations. Why not just have "one template to rule them all" for each distribution (Fedora and Debian)? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191130061640.GA3966%40danwin1210.me.