Re: [qubes-users] Salt management questions
Please consult https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/ https://www.qubes-os.org/news/2017/10/03/core3/ for more information about admin possibilities and how they’re supposed to work. There are simple demo examples as well. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c72a555c-8f94-48a8-9c4c-71c06a1407f2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] template debian-9 no network (Q4r4) ?
you probably ticked update over Tor option when installing. templates do not connect to network directly, they use an updates proxy. I' not sure it can be changed in GUI, but you can find the appropriate rpc policy in /etc/qubes-rpc alternatively you can temporarily set template vm's network provider, but that is considered less secure. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d3845366-0dc3-4751-a377-83e1e97f4a80%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] after update no VM 'starts' apps anymore.
sudo xl console -t serial Work -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/45dfccdf-1f00-4b08-92bf-fc5950bd6298%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0-rc3
The official templates use nftables so shouldn’t be mixed with iptables. I didn’t have time to learn about nftables, so just removed nftables package from debian 9 template. YMMV. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3c4f1c36-44f1-4363-931f-07462dadf83c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Enable PCI_HOTPLUG
Hmmm, this kind of makes qvm-pci useless... I think this should be enabled in vm kernels and then users who want hotplug enabled could just add that kernel flavour to their grub. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2a08f453-cd23-4ac7-84a1-53f006187d3a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
I’ll disagree with comparison of btrfs to lvm. there is a very significant difference between btrfs and lvm. btrfs is like a namespace and lvm volumes are block devices. one can put a namespace on a block device. but yes, layers and layers of metadata processing required. BTW, has anyone started a btrfs driver for storage pools? I think it could very tricky if at all possible. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b559ee0-bf28-436f-8391-ba53d451b425%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
sudo lvcreate -L --type thin-pool --thinpool qvm-pool --add lvm_thin -o volume_group=,thin_pool= qvm-create -P ... or qvm-clone -P set desired private image size using standard tools. this will put the private volume in the new thin pool. private volumes are mounted in /rw btrfs may be tricky but you can try in-place conversion in a test vm. don’t forget to check fstab. I don’t remember if the fs type is hardcoded there. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8fca5540-a2cb-430a-b2bc-c37b9c960ba7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
I agree with Chris. Data specific to a qube should be stored on one of that qube’s volume. Backups work then. so in short, first create a qubes storage pool qvm-pool --add qvm-create -P if you go for a thin pool, create it first and use volume group and thin pool names as options for qvm-pool. P.S. I’m not sure lvm backend operates properly. File-based backend can also be used instead. Just mount the secondary drive in dom0 and use the old trusty file driver if worried. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fdeceedb-549a-4cb5-97b1-087199b34d8f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Q4: vm-templates and updates
Please refer to Qubes issue #3118 which spells it out. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/27de156b-aed8-4167-b8fc-316793097622%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [HOWTO] use 2nd drive partition as 'home' drive.
I hope you do understand that there is no encryption in what you propose. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2de3ab58-6409-4db7-91c3-fcd0739a5e3a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Q4: vm-templates and updates
did you update it in R4 before cloning and upgrading? templates establish a connection to a proxy running in some netvm defined in dom0 over a vchan. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0c7b5ea-c3eb-4b40-8356-3cc1a7572842%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Q4: vm-templates and updates
did you update it in R4 before cloning and upgrading? templates establish a connection to a proxy running in some netvm defined in dom0 over a vchan. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/22d38540-b053-4a5f-9cf5-c23ab5260465%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Where is ability to backup and restore backups on 4?
There are more critical problems than lack of gui frontend at the moment. Still, backup ui is on the devs' list. See issue #3354 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/615aef9e-5a9d-4f8e-ae38-d6a6b242d935%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] How to change / swap behavior of Ctrl, Alt, Win, and fn keys?
AFAIK fn does not emit a code and bios will process it only in combinations with predefined keys. other keys can probably be remapped. but from my exprience I failed to swap fn and ctrl. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/873db90b-1612-4b8f-8475-668684e2323e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki
On Thursday, February 2, 2017, Chris Laprise <tas...@openmailbox.org> wrote: > On 02/01/2017 07:36 PM, Connor Page wrote: > >> actually I think that reliance on mangle can be avoided since routing >> table selection can be done by source address rather than firewall marks. >> marks are good to differentiate different types of traffic but in our case >> all traffic should be trated the same. >> there is difference in how traffic from the vpn vm is routed. this leads >> to two different attack vectors by a potentially compromised server. for >> the official solution routing tables can be manipulated, for Rudd-O's tool >> problems may arise from martian packets. some thought need to be given to >> proper firewalling. >> > > That's why I have iptables block according to the *interface*, which > bypasses issues caused by odd routing. Anti-leak measures are best > performed by watching below the IP layer. > > Chris > after testing the 3 existing solutions I think the official command line solution is t he most strict and protected. I just don't get it why "sleep 2" is outside if statement in qubes-user-firewall-script. why block all vpn traffic for 2 seconds every time vms connect to or disconnect from the VPN vm? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ39Boo7r7yu%3DPo51SzmBJCokGH1A75Pa1gx-%2BksC%3DPBP9_J1g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Bug in qubes-backup or tar?
qvm-backup has a different syntax and vms are excluded from rather than included in a backup. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/90133a68-60e2-404a-b3f2-3f6d14415779%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: PFSense
I don't do hotplugging to pfSense. I've created separate Fedora based netvms with bridges named LAN and DMZ and connected pfSense to those at start. Then other VMs can use those netvms and connect either to a bridge or do the usual Qubes routing. Physycal NIC's can be added to tjose vms and bridges. In case of routing one needs to masquerade selectively on the bridge interface (qubes does masquerading on all interfaces except lo and vif+ by default). In case of bridging, vm's config file has to invoke vif-bridge script, provide source bridge name and vm's ip address. Then the script will do the rest. qvm-start --custom-config=... This may be not optimal as bridges consume cpu cycles and irq processing. On the other hand Qubes currently doesn't support HVM netvms so until v4.0 that's the only solution I see. I'll keep playing with it but I suspect virtualised pfSense is not a good idea for real life use. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4e3f85fe-53ef-405d-8497-19caa5b144d1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: PFSense
I've encountered some problems myself. Out of two identical standard Realtek cards only one is recognised. :( -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/34ba6327-1bf2-465d-9750-43f7abcc637d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: PFSense
Drew, as I've said my wifi card is not supported . Perhaps, yours isn't either. I need to test something that pfsense can talk to. all I changed in VM config was to do with virtual interfaces. those are correctly recognised as xn0 and xn1. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f353b9dc-b188-4c31-86a0-05d56e8b3bb9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] PFSense
I've managed to install pfSense as a HVM. not sure if it makes sense to run it as a trusted firewall but that is possible. I created 2 netvms called LAN and DMZ and created bridges in those. i made a copy of pfSense HVM config and changed interface type to bridge, added a second virtual interface and linked them to bridges in LAN and DMZ backends. a pci network interface was also delegated to that domain (thought it would become the WAN) but pfSense didn't recognize it. I created an alternative config for a Manjaro HVM to connect to the bridge in LAN and after manually setting addresses on all network interfaces and bridges and a bit of tinkering with iptables I could login to pfSense admin portal from Manjaro I think putting it together with standard appvms and proxyvms in one network topology is possible but I haven't tried yet. for reference re multiple network interfaces connecting to bridges http://libvirt.org/formatdomain.html#elementsNICSVirtual -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0283ea0-6d6b-43ee-97de-f4d528357218%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] sys-net internet stops after a few minutes
you can create a debian-based sys-net and assign network cards to that. hope you can get Qubes working for you. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7f939573-976d-48c8-9c48-927c1c4fd764%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] traveling - best practice
if you're afraid of cameras, just cover it all when entering sensitive information like citizen four did. don't ever enter LUKS passphrase if someone else had an opportunity to boot your laptop without your direct supervision.in that case yes, a live USB drive is your friend until it is safe to confirm that boot sequence wasn't altered and you can trust the bootloader, kernel etc. I am not that paranoid, so just use a yubikey as a second factor for crowded places and under cameras. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2fa85933-7a19-4a24-8aa0-8c1a9a534d57%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] traveling - best practice
if you're afraid of cameras, just cover it all when entering sensitive information like citizen four did. don't ever enter LUKS passphrase if someone else had an opportunity to boot your laptop without your direct supervision.in that case yes, a live USB drive is your friend until it is safe to confirm that boot sequence wasn't altered and you can trust the bootloader, kernel etc. I am not that paranoid, so just use a yubikey as a second factor for crowded places and under cameras. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/df582865-94b2-43d3-af6c-77e0d6be401b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Two ways of "true" security.
I have successfully castrated ME firmware on 2 Haswell laptops so I'd go for something more recent but well supported by Linux, reflash and put a non-Intel network card for peace of mind. ideally a free BIOS would be desirable but that restricts the selection to quite old generations of chips where another problem exists - they all have errors that Intel either can't or won't fix... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/77afe505-4ff9-4e1b-a19c-5413329ee550%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki
actually I think that reliance on mangle can be avoided since routing table selection can be done by source address rather than firewall marks. marks are good to differentiate different types of traffic but in our case all traffic should be trated the same. there is difference in how traffic from the vpn vm is routed. this leads to two different attack vectors by a potentially compromised server. for the official solution routing tables can be manipulated, for Rudd-O's tool problems may arise from martian packets. some thought need to be given to proper firewalling. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6603fa95-46f6-488b-8b90-13ee95543c18%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] VPN-ProxyVM: "Leakproof VPN" by Rudd-O vs. "more involved" method in Qubes Wiki
Rudd-O's solution uses a separate routing table thus ensuring that all traffic from VMs go either to VPN or a "blackhole". This is more robust than relying on the main routing table that can be messed up. However, that requires relaxing the reverse path filter and I don't remember any mitigation for potential attacks by VPN servers exploiting this. The main advantage is that an rpm package is produced so there's an easy way for creating and maintaining multiple VPN VMs based on the same template = easier updates. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1b7aff2c-c714-4520-a45c-b14314192c10%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Fedora 25
I guess qubes tools need to be recompiled against new libraries but userspace pulseaudio version is not a problem. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/51b13e2c-f5f0-4650-9516-b1806d2d0e79%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Fedora 25
I've been using only f25 for about a month now. the upgrade was smooth. just needed to tweak qt5 styles and scaling. looks like now there is a version conflict. qubes-gui-vm requires pulseaudio 9 but I guess f25 has moved on to version 10. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c51a2258-2153-453c-a14b-800c4a3d5c13%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Linux HVM through Whonix Gateway or VPN
Linux HVMs don't get network settings from stub domains so all the IPs have to be set manually. When network topology is changed, new addresses have to be entered. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/737bba86-ff84-42e0-a762-02e36d7639ef%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Cannot persistently mount extra partitions
you can specify your modified config copy in qvm-start --custom-config=/path/to/config vm-name -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/642d1eae-a1d2-4961-b739-b7bc1b5071f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Disable Intel ME
thank you for the link. I have successfuly tried it on a Haswell notebook. it doesn't disable ME but (supposedly) limits it's functionality by removing all modules but 2. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/443c2293-5cb6-4a44-bcc5-56ccc56a90e7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Query - Why unable to clone net-sys VM ?
you would have to create a new VM, configure it properly and then copy the private image from the source VM. same limitation apply to proxyvms :( -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9272b630-7042-4de0-9906-71912fe07cd6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
Sorry Drew, you asked what needs to be installed to make another dom0, not the
bare minimum that is required. Every Qubes specific package provides a list of
prerequisites and version conflicts. For instance,
Name: qubes-core-dom0
Version:%{version}
Release:1%{dist}
Summary:The Qubes core files (Dom0-side)
Group: Qubes
Vendor: Invisible Things Lab
License:GPL
URL:http://www.qubes-os.org
BuildRequires: ImageMagick
BuildRequires: systemd-units
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: python, pciutils, python-inotify, python-daemon
Requires: qubes-core-dom0-linux >= 3.1.8
Requires: qubes-core-dom0-doc
Requires: qubes-db-dom0
Requires: python-lxml
Requires: python-psutil
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts: qubes-gui-dom0 < 1.1.13
Requires: libvirt-python
%if x%{?backend_vmm} == xxen
Requires: xen-runtime
Requires: xen-hvm
Requires: libvirt-daemon-xen >= 1.2.20-6
%endif
Requires: createrepo
Requires: gnome-packagekit
Requires: cronie
Requires: bsdtar
# for qubes-hcl-report
Requires: dmidecode
Requires: PyQt4
Dom0 is created by installing qubes tools that pull in their dependencies and
so on. Yum Extender in dom0 can give you all the prerequisites. Of course here
we rely on developers being precise when defining them.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7df0a801-2325-4a52-b144-27f266ed1506%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Is Fedora Really A Good Choice For QubeOS?
why wouldn't you consult the list of actually installed packages? https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/conf/comps-qubes.xml -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ddaf1b18-3b91-475d-b998-9c1a9597f534%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] mounting a disk image or volume in app-vm, fast backups
On Monday, 14 November 2016 19:24:06 UTC, Unman wrote: > qvm-block -A allows you to attach an image file to a qube. BTW, what's the correct way to detach one image file? it's not mentioned in the man page :( -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0c1f7742-b9f6-4db2-bd55-e025802c4960%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Display Calibration
the filename of the colour profile .icc-file is stored in the X atom _ICC_PROFILE. perhaps, if that is available then the correct profile can be selected by gnome settings manager which currently says there are no colour managed devices in vms. I think colord service would need to be enabled as well. darktable should work then out of box. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ac07ec85-322b-452b-8bc6-ae347dfa4346%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Display Calibration
darktable and firefox can use a defined profile without colord. the profile has to be in a specific place and selected as the display profile (with colord option switched off). for firefox the full path to the profile should be entered in some property that I don't remember exactly right now but it starts with "gfx". the rendering intent and colour management mode is set there as well. those are documented by Mozilla, you need to google what those codes actually mean. I never found the time to write my own guide but I could possibly review or contribute to yours. sorry I can't be more specific as I'm travelling without my qubes laptop now. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3b0601c1-7142-4e42-a903-804b6785ab22%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Display Calibration and Audio Equalizer for Dom0 ?
On Friday, 28 October 2016 12:19:56 UTC+1, Laszlo Zrubecz wrote: > Can you please describe in more details what and how you achieved? > Found this in bash history backup: dispcal -H -y l -R (this is to adjust the brightness to the recommended level) dispcal -v -m -y l -q l -t 6500 -g 2.2 lenovo_6500_22 (this creates the calibration file with selected quality, white point and gamma. inspect the file, transfer it to dom0 and apply with dispwin .cal ) targen -v -d 3 -G -f 128 lenovo_6500_22 (creates a set of patches,you can change the number of patches) dispread -v -N -H -y l -k lenovo_6500_22.cal lenovo_6500_22 (shows patches and measures them) colprof -v -D "Lenovo Yoga 2 40% 6500K 2.2" -C "2016 CP" -q m -a G -n c lenovo_6500_22 (generates an ICC profile, try that, see if you need to tweak settings to improve it) The Gnome calibration tool uses the same utilities as above but it doesn't know that the calibration curves don't get applied in a vm. It should work in dom0 with direct access to USB and X server though. In any case don't forget to apply the calibration file in dom0! Hope this helps. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f74cf4fc-a77c-4511-adcc-232b42339100%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Display Calibration and Audio Equalizer for Dom0 ?
On Friday, 28 October 2016 12:19:56 UTC+1, Laszlo Zrubecz wrote:
> On 09/03/2016 12:49 AM, Connor Page wrote:
> > I have calibrated my yellow screen using argyllcms.
> > I don't attach usb devices to dom0 so installed it in sys-usb as well.
> > used
> > https://encrypted.pcode.nl/blog/2013/11/24/display-color-profiling-on-linux/
> > as a rough guide.
> > to get the calibration done you just need to run dispcal and then transfer
> > the calibration file to dom0.
> > then test it with "dispwin xxx.cal" in dom0. if happy, create an autostart
> > item with that command (probably,
> > using the full path to the calibration file) and you're done.
>
> I just started to experiment with display color correction things.
>
> I wonder how it is workig in Qubes because as far as i know:
>
> - the display profile is used only the programs are aware of icc profiles.
Some window managers do this too.
>
> - the X server runs in dom0, the apps are in AppVMs - but no
> communication about display prifiles (colord) because of the qubes gui
> protocol.
True. There's even no display object to have profile attributes, so colord is
useless.
>
> > I went further and created an icc profile for use in firefox and photo
> > software.
> If no colord is runnin in an appvm, how they apply your prifile then?
> You just manually configure all of the icc profile aware apps??
>
Yes and no. ICC profiles consist of two parts, vcgt and colour correction. vcgt
is used by X server to set gamma and white point. it can be produced separately
("calibration file"), and loaded by dispwin in dom0. this corrects tint and
sets midtones as you need them (gamma).
when calibration is working then you can create a colour correction matrix for
the specific rendering intent you're going to use in icc aware applications.
that matrix can be saved as an icc profile for vms and manually selected in
apps. that profile should be used only with the calibration file that was
loaded when creating the icc profile. as I use only one display and at a
specific brightness setting then there's no need to change settings anymore.
when re-calibration is due then files can just be overwritten with new ones.
>
> Can you please describe in more details what and how you achieved?
follow the guide I referenced above and remember to transfer the calibration
file to dom0 and apply it there before proceeding. the settings in the guide
are rather crude but for a first pass they're ok. if it works for you then you
can try higher quality settings.
>
> Thanks.
>
>
> --
> Zrubi
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/f0182eb7-7313-41c7-b8f2-6ba898d63efd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] проблемы с установкой usb wi-fi адаптера rtl8188eus
контроллер usb должен быть в той же виртуальной машине. please use English on this mailing list. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0848d9f3-95bf-446b-b95c-9ac520843ef4%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: BTRFS?
Thanks Rusty. People should be aware of this. I think I did reclaim all space but fiddled too much with the settings. Anyway, it was a good excercise, I learned about btrfs, LUKS and dracut, that wouldn't happen otherwise. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/395b69cc-e910-4e59-a921-6acdfd6627a2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] BTRFS?
In fact, I think the right question is "Will Qubes 4 be compatible with btrfs root if vm storage is expected to reside on a LVM thin pool?" -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/faba39bf-b1fb-4071-a361-a99a0dcf0366%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: BTRFS?
I have root, home and var as subvolumes on a btrfs volume. I intended to create snapshots before updates. The tricky bit was to put it on a LUKS partition as somehow the installer encrypted only the swap partition. Maybe it was my fault, not sure now. Anyway, if you do it check that it is on top of an encrypted partition. If not, you're in for some practice in manipulating btrfs volumes and manual setup of dm-crypt ;) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c1ca2764-84f6-4a9f-92f9-7dc35840b1d9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: rc.local iptables persistence on reboot
world writable script executed as root is the worst advice I've ever seen on this mailing list. please don't do that! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e7e78db5-7bcb-43f0-9464-518747a10d37%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Does QubesOs does not source ~/.profile on purpose?
the source code of qvm-run is your best documentation of how applications are run without logging in :) here is the session that is started in vms. I like the hangman :) https://github.com/QubesOS/qubes-gui-agent-linux/blob/master/appvm-scripts/usrbin/qubes-session -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9cf3e541-d1ea-4e56-99f1-42bb8d5bd181%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: rc.local iptables persistence on reboot
would you mind posting the whole script? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c57c2660-fa29-4895-9e68-454a776b2226%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Blank screen after 10 minutes
try Presentation mode in the power manager panel plugin. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2aeeb353-0061-4c94-ab59-21519323781f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Proper way of implementing unlock with keyfile instead of passphrase
https://www.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_crypto_luks_key_on_removable_device_support -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/84b34823-f1e7-4eaa-ac94-2e21782b9cba%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] rc.local iptables persistence on reboot
does it start with this? #!/bin/sh -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b8b9442e-92eb-4c19-8e56-57277ca0e1da%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: netvm doesn't recognize physical hardware switch state
no. it looks exactly as acpi problem. have you tried a Fedora live dvd/usb? If it doesn't work then the problem is not specific to Qubes. please try. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b9bf38a1-c63c-4e97-9faa-59cd41146cdd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: netvm doesn't recognize physical hardware switch state
with such a fairly fresh kernel you probably should make sure you also have the latest bios. some people also claim that resetting bios settings miraculously makes their wifi work in Linux. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/31c41e26-5c1c-48a9-afec-07c54e853081%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] netvm doesn't recognize physical hardware switch state
does it work in plain Fedora? your problem most probably is not directly related to the network card itself. it could be caused by bios settings and wrong acpi config in kernel. I used to have the same problem when I first tried Qubes R2 on Lenovo Yoga 2 13. ideapad_laptop module back then would work for all models except for my Yoga. nothing could help but patching the module and recompiling dom0 kernel. then around kernel version 3.18 it was fixed upstream and Qubes kernel has been good for me ever since. live distros based on Debian stable ( kernel version 3.16) can never initialise the built-in wifi card. i found the patch on some Ubuntu forum. you haven't provided any information about the kernel and Qubes versions that you've tried but I hope this information can be helpful. and check your bios settings just in case. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/930c8f51-0690-45c4-a2f9-dfe868b80e6f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Newbie Qubes questions.. please help!
Think of Whonix as a possible compartment of your digital life that gives more anonymity online. It would be more or less securely separated from other compartments. In order to save space and admin effort common parts of these compartments (i.e., the root filesystem, kernels, modules) are made as templates. Templates cannot be persistently modified by a running vm based on that template. this is quite different from plain virtualbox machines. moreover, the type of virtualisation of Linux-based vms is different for the time being. you can compile your own kernel for dom0 but then you're on your own. there is a good reason to stick to LTS version though. no boot partition won't stop from decrypting and mounting a LUKS partition from any live DVD/ISO if the passphrase is known. wrong LUKS header may actually help (if you carry the correct one on a USB stick) but that is a very dangerous route. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/250a1f5f-d419-4e24-8cba-2e0e34e0ce28%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Streisand - AntiCensorship software
agree, when I looked at it some time ago I could not imagine why I would need all of that. too large an attack surface for my taste. however, I did investigate what individual elements are capable of and borrowed some ideas, like using port 636 and tls-auth for openvpn. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5bcb49ca-8310-43c7-8d93-778f05c3f9fc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Networking between Linux and Windows VMs
they should be connected to the same firewallvm, not netvm. iptables in netvms are set up differently. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3955b649-e8b3-495d-8a4c-7315f3c2909f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Recovery Disk & Suggest Live Linux CD to recovery system like WinPE
I think nowadays many live installers that have capability to install on encrypted partitions give possibility use the tools in a terminal window. For instance, when I realised that somehow only a swap partition got encrypted in a fresh Qubes install I launched Manjaro live ISO, dd root partition to a temp location, created a new dm-crypt/LUKS partition, mounted that, dd root partition back, chroot'ed into that updated crypttab and grub config, rebooted and was happy. I think it would be most appropriate to use a distro with a recent kernel not much older or newer than Qubes dom0 kernel. Caution: you should trust the recovery system. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/25b714fa-2f13-42ac-a44e-ad77c6e17098%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] security question: keepass vault password
it makes an evil maid's mission a bit more complicated -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/47b5f46c-0719-403b-9e65-b8eb223cc3f7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Display Calibration and Audio Equalizer for Dom0 ?
I have calibrated my yellow screen using argyllcms. I don't attach usb devices to dom0 so installed it in sys-usb as well. used https://encrypted.pcode.nl/blog/2013/11/24/display-color-profiling-on-linux/ as a rough guide. to get the calibration done you just need to run dispcal and then transfer the calibration file to dom0. then test it with "dispwin xxx.cal" in dom0. if happy, create an autostart item with that command (probably, using the full path to the calibration file) and you're done. I went further and created an icc profile for use in firefox and photo software. note that some displays use proprietory colour-mixing algorithms so Linux tools may be ineffective with them :( (e.g., pentile matrix on some very high resolution screens) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c473caf8-240d-420e-b08b-77a0c998543e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Suggestions for running media server?
No. 4 makes sense. sys-usb shouldn't know the encryption keys. encrypted block device can be attached to a server vm where it would be appropriately decrypted and mounted, possibly from dom0 via qvm-run (you can start a vm, attach storage, decrypt and mount it by a short script using qvm-* command line tools) . server software should be run as a different user that can't login or use sudo. enabling services is a bit tricky in template-based vms, so the easiest solution is to create a small template with just the bare necessities for the server software, enable the service in it and then use it just for one server vm. I would suggest attaching that server vm to a separate firewall vm. that way allowing incoming traffic in iptables should be both easier and more secure. firewall rules are created in different scripts in proxyvm vs netvm and appvm. follow Qubes documentation and don't forget to make scripts executable :) although I used to run file and web servers on a Qubes PC I now tend to think that Qubes is meant to protect clients, not servers. P.S. Qubes networking uses NAT so LAN won't actually see any broadcast messages from the server unless it runs in a netvm. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4ab36370-8472-4b28-b72c-f337654b3bfc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Custom initramfs
after giving it a thought I decided keep usb devices out of dom0. the solution for debian is real 2FA but ykfde is for lazy people. I gave it as an example of dracut hooks. theoretically you can rearrange hooks so that yubikey authentification happens before rd.qubes.hide_all_usb is processed but there is a risk that qubes hooks might fail and leave usb controllers in dom0. if you already have a controller in dom0 then perhaps it wouldn't make security worse. while initially I thought it would be interesting to try, the only situation when yubikey could actually improve security is having to boot a Qubes PC under unavoidable surveilance. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20ae7d75-db1c-42eb-be2a-b66c8644dd5a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Custom initramfs
this is an interesting idea. initramfs is generated by dracut. read this https://github.com/nj0y/ykfde/blob/master/README-dracut.md -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/67468a7d-dc9d-4fa3-9dc7-8e8871f6221a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Manual dpi control in vm's for HIDPI diplays
this is not a universal approach but should work fine for gnome apps. you should type them in terminal applications in each vm. a more comprehensive approach to cover all bases is to set proper dpi for X server, Xft, gsettings (if gnome-settings-daemon runs), xsettings (IIRC Debian template needs that), dom0 desktop environment (KDE, Xfce) and use hidpi themes/window decorations. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2f8570bd-8f60-4c52-be07-d8c221608a7f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Fedora Minimal ProxyVPN template?
you can install dunst for minimalist notifications. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cabbb300-d9a5-4243-843a-794e9e8bc3df%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Play Audio from AppVm on device attached to USB Cube
Read the last part at https://www.qubes-os.org/doc/usb/ This should solve your problem unless you want to mix sound from multiple vms. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/03a8699f-3bc5-4964-aa5f-6c2fd40b8ebc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: What do you think about the idea of a FileVM?
I used to run samba server on Archlinux inside Qubes. Actual data was stored on a separate volume group and mounted in the server vm on boot. The main difficulty was to do routing and firewalling properly on every change of network topology. The main risk was that eventually many vms had to be connected to one proxyvm and that was not safe. When I realised that the data is more often accessed from outside than inside I just created a NAS (Turnkey fileserver running in an unprivileged container actually :) ) Having done all that I believe there should be no traditional network services inside Qubes. A storage domain owning storage controllers and disconnected from network would make sense but it would require great care in dealing with concurrent file access. And it definitely must not have access to images of other vms. I agree with Axon. A need for simulteneous access can be justified only in case of different OS'es. My solution to that is simple - ditch Windows :))) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b44ac1e8-a1c2-484f-85b8-bff7f0b81324%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] VIF interfaces
use arp to see ip and mac addresses of vms connected to interfaces. lookup ip in qvm-ls -n or qubes-manager mac addresses are visible in qvm-prefs. assuming your vms don't spoof these addresses ;) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9ce6bad1-e08f-4df4-b81e-8810e676dabf%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
