[qubes-users] qubes-tunnel missing dependency on sssd-client for fedora 36 and 37?
Hi there, sudo journalctl -u qubes-tunnel: systemd[1]: Starting qubes-tunnel.service - Tunnel service for Qubes proxyVM... su[640]: PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: > su[640]: PAM adding faulty module: /usr/lib64/security/pam_sss.so su[640]: (to user) root on none su[640]: pam_unix(su-l:session): session opened for user user(uid=1000) by (uid=0) su[640]: pam_unix(su-l:session): session closed for user user systemd[1]: qubes-tunnel.service: Control process exited, code=exited, status=1/FAILURE qtunnel-setup[751]: STOP-ing network forwarding! systemd[1]: qubes-tunnel.service: Failed with result 'exit-code'. systemd[1]: Failed to start qubes-tunnel.service - Tunnel service for Qubes proxyVM. /usr/lib64/security/pam_sss.so is part of sudo dnf install sssd-client (directly, not part of the dependencies libsss_nss_idmap or libsss_idmap) notably, fedora-34 template does not have sssd-client or its dependencies libsss_nss_idmap or libsss_idmap installed and the .so file does not exists there, but nevertheless "sudo journalctl -u qubes-tunnel" does not show the error notably even with this error my openvpn-configuration works fine! Does somebody know: 1) What this dependency is used for 2) Why this dependency is not needed in fedora 34 3) Which circumstances cause the need for this dependency 4) how to properly report this? https://github.com/QubesOS-contrib/qubes-tunnel has "issues" disabled ... Thanks -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/29416411-eaef-547a-bc0a-9e4f5c4bd56c%40web.de.
Re: [qubes-users] How Qubes handles the start of services
Hi uman, that was the reference in qubes-doc that I found before and that I could not find today when I was writing this email. However, it does not explain what the advantage of this two-switch-model is compared to just run the services defined in the per-qube services tab/setting without the dependence on being enabled in the template. That approach would render adding support for [any generic] systemd service not only "pretty simple" but would make every systemd service compatible "by design". Am 27.03.23 um 17:03 schrieb unman: On Mon, Mar 27, 2023 at 03:48:15PM +0200, r.wiesb...@web.de wrote: Hi there, every VM/qube has a "services" tab in its settings window. It seems like Qubes is designed in a manner that requires two switches for a service: it needs to be enabled in the template *and* requires an entry in "services" tab. My expectation was that when selected in the "services" tab, qubesrc (or any other instance) will just start the corresponding service in the VM. During troubleshooting I found out that it is designed as above, but I could not find the reason for this design decision. At least the "services tab" should have a red text warning that it is required to enable the service in the template as well in order to not confuse users the way it confused myself. best, Ron This is a long standing design. The process is explained at https://www.qubes-os.org/doc/qubes-service/ The text on the service tab is unclear - it *does* say that the service will be turned on. I've raised an issue to have this clarified. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1220e333-5413-e3fd-d3de-78e1c67bd9c6%40web.de.
[qubes-users] How Qubes handles the start of services
Hi there, every VM/qube has a "services" tab in its settings window. It seems like Qubes is designed in a manner that requires two switches for a service: it needs to be enabled in the template *and* requires an entry in "services" tab. My expectation was that when selected in the "services" tab, qubesrc (or any other instance) will just start the corresponding service in the VM. During troubleshooting I found out that it is designed as above, but I could not find the reason for this design decision. At least the "services tab" should have a red text warning that it is required to enable the service in the template as well in order to not confuse users the way it confused myself. best, Ron -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/818b8e19-a1b7-7365-a059-2ac8b134c9a9%40web.de.
[qubes-users] Reason to not start services via qubesrc?
Hi there, According to https://www.qubes-os.org/doc/qubes-service/ VMs need a qubes-specific configuration to support the usage of the VM settings "Services" tab. I assume there is a good reason for implementing it this way, so I would like to know what this reason is. My approach would be to use qubesrc to run the services (even if they might be disabled in the template). This way it would be much more intuitive for users to understand. I myself had to spend quite some time to figure out why a service that I added to the "Services" settings tab did not run, because from the (lack of) description in the GUI I expected an equivalent to "service %name% start" being executed in the vm (for example by qubesrc) If there is no good reason (which I doubt) I would create a feature request for changing it. if there is s good reason I would create a request for improving the GUI in a manner that allows users to correctly understand what they can configure in this tab. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c83f3501-a439-15ad-8939-4ffe21ae3e70%40web.de.
Re: [qubes-users] Qube-Firewall: How to handle changing IPs?
Sorry, I just noticed that I missed your answer because you did not answer me directly, but only to the list. The issue you reference to is quite long to read and parts of it are several years old, is there something ready for testing? You say "less often", for my imap-server imap.web.de this semms to appen about every second weeks I think. Am 29.07.22 um 17:43 schrieb David Hobach: See [1]. It happens less often than one might think though. [1] https://github.com/QubesOS/qubes-issues/issues/5225 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/81d7bf81-8049-d036-ee09-fc41674f5cb9%40web.de.
Re: [qubes-users] Qube-Firewall: How to handle changing IPs?
Is there really no approach to fix this? What about a cron job which checks for a change DNS resolve every now and then and updates the ip-filter, for example? Am 29.07.22 um 11:08 schrieb r.wiesb...@web.de: Hi there, many large providers use CDNs or similar structures, which results in the same FQDN being resolved to different IPs. Afaik the Qube-Firewall-Settings resolve a DNS entry only once (on add/edit) and internaly use that IP. This is a problem with my mail-provider (web.de) as well es for Updates of Thunderbird Add-Ons. Besides workarounds like manually refreshing the firewall settings or temporary allowing full web access: is there a fix for these issues? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8e612d9c-e5a2-fb2c-89de-0c4c308b013f%40web.de.
[qubes-users] Qube-Firewall: How to handle changing IPs?
Hi there, many large providers use CDNs or similar structures, which results in the same FQDN being resolved to different IPs. Afaik the Qube-Firewall-Settings resolve a DNS entry only once (on add/edit) and internaly use that IP. This is a problem with my mail-provider (web.de) as well es for Updates of Thunderbird Add-Ons. Besides workarounds like manually refreshing the firewall settings or temporary allowing full web access: is there a fix for these issues? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6553491-58b3-c286-9f39-7b46499b0b81%40web.de.
[qubes-users] Minimize to tray not possible (KeepassXC) - for security reasons?
Today I noticed that KeepasXC cannot minimize to Tray in Qubes. Is this for security reasons (so windows/applications cannot hide from the user) or is this a bug? And if so, it is about Qubes, Fedora, XFCE or KeepassXC? (Maybe someone has a non-Qubes fedora to quickly test that out) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/637d2ff6-a9f0-c834-18dd-7f0ef1a01558%40web.de.
[qubes-users] How is the "update qube" selected/ how do I select it manually?
it seems like the docs don't answer that, do they? https://www.qubes-os.org/doc/how-to-update/ There is only a global setting for dom0 Updates, but how does it work for other qubes? Thanks. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/670b51f8-4671-2c4c-e4cf-4f2a79b09df9%40web.de.
Re: [qubes-users] Memory balancing very inefficient
Coming back to this topic again. I am using Qubes 4.1 rc1 now and have made the same observations again. Start of new VM/Qube is aborted due to low RAM even though some of the running qubes have >>500MB free. So again I start to manually limit all VMs to RAM sizes that seem reasonable to me. Memory balancing really seems to fail hard, even in the current version. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8ff15cab-c07a-ba80-3fe8-d5ea8babe120%40web.de.
[qubes-users] Extract image file from Qubes 4.x
In Qubes 4.x the images are no longer ordinary files accessible from the dom0 file system. So how can I extract them as VM images (.img files in Q 3.x) in Qubes 4.x? In the wiki I only find how to delete, but not how to extract an image fom LVM. Thank you. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0fed5931-2d81-5b89-39b7-28aea06aa153%40web.de.
Re: [qubes-users] Memory balancing very inefficient
Am 22.02.21 um 20:40 schrieb haaber: This behaviour might be linked to errors (e.g. my qubes install does not support 5.x xen kernels: crashes can be caused by "memory stress" and even if not, they always finish by loads of qmemman log entries, before deep freeze (not even a kernel panic, just sudden death) What does "your qubes install" mean? Mine has been auto-updated to kernel 5.4.88-1 I current think about limiting all small VMs to 256MB and dom0 to 2 GB of RAM (by GRUB parameter) lacking any idea for a better approch. Tell us if that works! My qubes has no grub. But you can set kernel params in /boot/efi/EFI/qubes/xen.cfg Again: What is special about "my qubes" ? I modified /boot/grub2/grub.cfg (changing all dom0_mem=max:4096M values) and this works as expected. After a few hours I could not figure out limitations having the limits in place. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b75d5bc8-4013-f462-c30f-4e1e17cc8e19%40web.de.
[qubes-users] Memory balancing very inefficient
Today I noticed that many VMs do get a lot more RAM than they actually use. While using only about 200-300MB small vms like -net and -firewall get gigabytes of memory and this seem to be the case even if memory is running out (sum of all VMs approaches physical RAM size). Also dom0 is using only about 700MB but gets 4GB. 1) does memory balancing take back memory from a VM at all? 2) how does it happen that VMS get assigned this ridiculously larger amount of memory compare to their usage? 3) is there something that can be done besides manually setting limits for all VMs? I current think about limiting all small VMs to 256MB and dom0 to 2 GB of RAM (by GRUB parameter) lacking any idea for a better approch. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/153dd9e6-50b7-c313-c343-f8c9db33e778%40web.de.
Re: [qubes-users] Qubes Manager Feature Requests: Connect to not-running NetVM, restart NetVM with connected machines, force-restart a NetVM
On 2/15/21 7:51 PM, donoban wrote: On 2/15/21 12:44 PM, r.wiesb...@web.de wrote: 1) Connect to not-running NetVM If a not-running NetVM is chosen there should not be an error message but a choice between "Start NetVM" and "Abort" This is already done in R4.1 version. Beautiful! Respect this there is a "Cascade shutdown" that will power off all the connected VM's in recursive mode. I understand that is not what you mean, you want a option for restart this VM without touching any others... I understand that you find it helpful for some kind of hardware problem (sleep / wake up?) but it seems more a hack than a real solution. In my scenario it is a workaround for a bug and I would not use the cascading shutdown, however if this option is reworked I think this option should be available as well as there are definitely usecases for that (e.g. if you leave the office you shutdown lan-office and all office-VMs that are connected to it as well) Uhm more than a force-reboot option, ideally the restart option should trigger a timeout and if it expires ask you if you want to kill it or keep waiting (same that shutdown option). Is it not the current behavior? There is a 20 second timeout and a "kill?" dialogue for VM shutdown, I don't think there is for restart. The timeout and question is useful in many cases, however if you already noticed that the VM is dead (e.g. you start a program and nothing happens) then you don't want to wait the extra 20 seconds. I use a simple shell script to restart my sysnet sometimes after the system is suspended, as it does not restart correctly occasionally. Thanks, that is a nice approach that I could use with the kill. For my specific issue I can also think of a menu entry which kill-restarts the sys-usb. Just need to find out how to manually add entries to the quebes menu, I think that can be done rather easily. This is it:- -- # # reboot-sys-net # # Have to restart sys-net after suspend sometimes. qvm-prefs sys-firewall netvm none sleep 1 qvm-shutdown --wait sys-net sleep 2 qvm-start sys-net sleep 1 qvm-prefs sys-firewall netvm sys-net --- All I can say is it works for me. Mike. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0bf174c6-9fa8-8685-31ea-9ed678fc1696%40web.de.
[qubes-users] Qubes Manager Feature Requests: Connect to not-running NetVM, restart NetVM with connected machines, force-restart a NetVM
Hello fellow Qubes users, I have 3 feature requests today regarding Qubes Manager: 1) Connect to not-running NetVM If a not-running NetVM is chosen there should not be an error message but a choice between "Start NetVM" and "Abort" 2) restart netVM with connected machines Sometimes NetVMs have issues that are easily solved by a restart. Nastily Qubes prevents restarting the netVM if VMs are connected. What should optionally happen is either that the connected VMs are disconnected, the NetVM is restarted and the VMs are reconnected (that is what I do manually whenever this is needed) or alternatively that all connected VMs are restarted as well. 3) force-reboot a VM Users can kill a VM, but this way the user has to wait until the VM was terminated and then start the machine again (kill + start). It would be useful to have a single option for both tasks. That happens to me almost daily with the USB-VM. Thank you. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d51d00cb-5013-0a69-bcd9-0677378ec04f%40web.de.
[qubes-users] Kernel panic when booting with Kernel 4.19.100 - reinstall kernel?
Obviously something went wrong with the kernel update, because with Kernel 4.19.100 I get a kernel panic error (failed to mount / ), but Kernel 4.19.94 works fine. In qubes, how can I reinstall the new kernel? thanks -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/90dadddf-9b4b-2455-d61a-2fae969113f0%40web.de.
[qubes-users] Open several files in THE SAME dispVM
Hey, Is there a way to open a bunch of files in the same dispVM ? Yes, I can copy/move those files and open them in the dispVM, that is what I do right now - but it would be nice if there was a simpler way to do so. Thank you -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8a0e0ace-ede1-752d-6453-a73828a1a9a4%40web.de.
