Re: [qubes-users] IMG sharing
Hey,

On 04/24/2018 09:54 PM, 799 wrote:
> Hello Drew,
>
> Drew White wrote on Tue, 24 Apr 2018, 07:14:
>
>> Is it possible for every guest to share one virtual drive for caching and
>> auto mounting to same location for file transfers?
>>
>> i.e. One file always mounted to each guest and one reads while one writes.
>> etc. no need to mount and unmount? And it can be multiple images on
>> different locations at once?
>>
>
> I haven't understood yet what you are trying to accomplish.
> You want a file location ("drive") that is shared between VMs, and you want
> that most VMs have read permissions to this location and one can write to
> it?
>
> As mentioned by others this kind of breaks the security model of Qubes but
> I had a similar use case to work with data stored in a cloud service.
>
> I wanted to separate data editing, local data storage and synchronization
> to the cloud service.
> The idea was that data is always encrypted in the "storage AppVM". Other
> "AppVMs" can access this Storage AppVM using SSHfs.
> I am using certificates and tight firewall configuration:
> - the AppVM can request connection to the storage VM via ssh, login is done
>   via certificates.
> - after authentication the remote location is mounted via SSHfs
> - the data is encrypted with encfs and the decryption keys are only stored
>   on the AppVM which is accessing the data (not the storage VM)
>
> This setup works quite well for my use case as it is less complex than
> setting up a file server with NFS to share data between AppVMs.
>
> I know that this may not be the best thing for a die-hard Qubes user, but it
> allows me to set up inter-AppVM data flows if needed for specific use cases.
>
> I have also scripted everything so that the firewall ports will only be
> opened when needed.
>
> If you are interested I can upload my scripts/how-to to my GitHub account.

Sounds like a good candidate for the Qubes-Community project :)

> [799]
>

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/afd0011c-9a51-57aa-3894-a99b0151e2b7%40maa.bz.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] IMG sharing
On Tue, Apr 24, 2018, at 20:54, 799 wrote:
> I have also scripted everything so that the firewall ports will only be
> opened when needed.
>
> If you are interested I can upload my scripts/how-to to my GitHub account.

Please do that, very interesting! Thanks.

Regards,
Teqleez

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1524639561.1575805.1349917712.24EC6883%40webmail.messagingengine.com.
Re: [qubes-users] IMG sharing
Hello Drew,

Drew White wrote on Tue, 24 Apr 2018, 07:14:

> Is it possible for every guest to share one virtual drive for caching and
> auto mounting to same location for file transfers?
>
> i.e. One file always mounted to each guest and one reads while one writes.
> etc. no need to mount and unmount? And it can be multiple images on
> different locations at once?
>

I haven't understood yet what you are trying to accomplish.
You want a file location ("drive") that is shared between VMs, and you want
that most VMs have read permissions to this location and one can write to
it?

As mentioned by others this kind of breaks the security model of Qubes but
I had a similar use case to work with data stored in a cloud service.

I wanted to separate data editing, local data storage and synchronization
to the cloud service.
The idea was that data is always encrypted in the "storage AppVM". Other
"AppVMs" can access this Storage AppVM using SSHfs.
I am using certificates and tight firewall configuration:
- the AppVM can request connection to the storage VM via ssh, login is done
  via certificates.
- after authentication the remote location is mounted via SSHfs
- the data is encrypted with encfs and the decryption keys are only stored
  on the AppVM which is accessing the data (not the storage VM)

This setup works quite well for my use case as it is less complex than
setting up a file server with NFS to share data between AppVMs.

I know that this may not be the best thing for a die-hard Qubes user, but it
allows me to set up inter-AppVM data flows if needed for specific use cases.

I have also scripted everything so that the firewall ports will only be
opened when needed.

If you are interested I can upload my scripts/how-to to my GitHub account.

[799]

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vvTj%3DmF2dcx537LF6u3TKCxAu0-ma_dMbOzsL9D4DMzw%40mail.gmail.com.
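An added example of the "firewall ports opened only when needed" flow that 799 describes above. It is not 799's scripts (those are not on this page) and not a Qubes-provided tool; it is a dom0 shell helper written for this thread. Everything concrete in it is an assumption, not a detail from the post: the VM names, paths and tcp/22 port; Qubes 4.0-era tooling (`qvm-prefs VM ip`, `qvm-run -u root`, `qvm-run --pass-io`) with an iptables-based sys-firewall, where the FORWARD rule follows the form in the Qubes documentation for networking between two qubes, narrowed to the ssh port; key-based ssh login; and `ENCFS6_CONFIG` pointing at a file in the work VM so the encfs configuration (which holds the password-wrapped volume key) never lands in the storage VM. With `DRY_RUN=1` the helper records the commands instead of executing them, so the sequence can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not 799's published scripts: a dom0 helper that opens the
# network path from a work AppVM to a storage AppVM only while an SSHfs
# session is active, and closes it again even if a step fails.
#
# Assumptions not stated in the thread (all names below are illustrative):
#  - Qubes 4.0-era tools: `qvm-prefs VM ip`, `qvm-run -u root`, `--pass-io`,
#    and an iptables sys-firewall; the FORWARD rule follows the Qubes docs
#    for networking between two qubes, narrowed to tcp/22.
#  - Both AppVMs are behind the same firewall VM (FW_VM).
#  - The storage VM runs sshd on tcp/22 with key-based login. The ssh key
#    and the encfs config file (ENCFS6_CONFIG) live only in the work VM, so
#    the storage VM holds ciphertext but no key material.
set -eu

WORK_VM="${WORK_VM:-work}"
STORE_VM="${STORE_VM:-storage}"
FW_VM="${FW_VM:-sys-firewall}"
STORE_USER="${STORE_USER:-user}"
REMOTE_DIR="${REMOTE_DIR:-/home/user/.encstore}"   # ciphertext tree on STORE_VM
MOUNT_DIR="${MOUNT_DIR:-/home/user/store.enc}"     # sshfs mountpoint in WORK_VM
PLAIN_DIR="${PLAIN_DIR:-/home/user/store}"         # encfs plaintext view in WORK_VM
DRY_RUN="${DRY_RUN:-0}"   # 1 = record the commands instead of executing them

RECORDED=""               # dry-run log, one command per line

run() {
  if [ "$DRY_RUN" = 1 ]; then
    RECORDED="${RECORDED}$*
"
  else
    "$@"
  fi
}

vm_ip() {
  if [ "$DRY_RUN" = 1 ]; then
    # constructed sample addresses for the dry run
    case "$1" in
      "$WORK_VM")  printf '%s\n' 10.137.0.10 ;;
      "$STORE_VM") printf '%s\n' 10.137.0.20 ;;
      *) return 1 ;;
    esac
  else
    qvm-prefs "$1" ip
  fi
}

# The same match string is used for -I and -D so exactly the inserted rule
# is removed again.
fw_match() { printf '%s' "-s $WORK_IP -d $STORE_IP -p tcp --dport 22 -j ACCEPT"; }
in_match() { printf '%s' "-s $WORK_IP -p tcp --dport 22 -j ACCEPT"; }

open_path() {
  # Position 2 in FORWARD keeps the firewall VM's conntrack rule first.
  run qvm-run -u root "$FW_VM"    "iptables -I FORWARD 2 $(fw_match)"
  run qvm-run -u root "$STORE_VM" "iptables -I INPUT $(in_match)"
}

close_path() {
  # Unmount first, then remove the rules; each step is best-effort so one
  # failure cannot leave the others undone.
  run qvm-run "$WORK_VM" "fusermount -u $PLAIN_DIR; fusermount -u $MOUNT_DIR" || true
  run qvm-run -u root "$STORE_VM" "iptables -D INPUT $(in_match)" || true
  run qvm-run -u root "$FW_VM"    "iptables -D FORWARD $(fw_match)" || true
}

mount_store() {
  # sshfs authenticates with the key held in WORK_VM; encfs reads its
  # passphrase from stdin, which --pass-io forwards from this dom0 terminal.
  run qvm-run --pass-io "$WORK_VM" \
    "mkdir -p $MOUNT_DIR $PLAIN_DIR \
     && sshfs -o IdentityFile=~/.ssh/store_key,reconnect $STORE_USER@$STORE_IP:$REMOTE_DIR $MOUNT_DIR \
     && ENCFS6_CONFIG=~/.encfs6.xml encfs --stdinpass $MOUNT_DIR $PLAIN_DIR"
}

session() {
  WORK_IP=$(vm_ip "$WORK_VM")
  STORE_IP=$(vm_ip "$STORE_VM")
  trap close_path EXIT INT TERM      # fail closed: teardown on any exit
  open_path
  mount_store
  if [ "$DRY_RUN" != 1 ]; then
    printf 'store mounted at %s in %s; press Enter to unmount and close the path\n' "$PLAIN_DIR" "$WORK_VM"
    read -r dummy
  fi
  close_path
  trap - EXIT INT TERM
}

# Real use from dom0:  ./store-session.sh --open   (prefix DRY_RUN=1 to rehearse)
if [ "${1:-}" = "--open" ]; then
  session
fi
```

The part that matters for security is the ordering and the trap: the path exists only between `open_path` and `close_path`, teardown runs even when the mount fails, and `-D` reuses the `-I` match so nothing but the inserted rule is deleted. Keeping the encfs config in the work VM is what makes "keys only on the AppVM" true in practice: by default encfs writes `.encfs6.xml` into the ciphertext root, which over SSHfs would be the storage VM.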
Re: [qubes-users] IMG sharing
On 04/24/2018 09:01 AM, Drew White wrote:
> On Tuesday, 24 April 2018 15:28:40 UTC+10, Ivan Mitev wrote:
>> On 04/24/2018 08:14 AM, Drew White wrote:
>>> Is it possible for every guest to share one virtual drive for caching and
>>> auto mounting to same location for file transfers?
>>
>> It isn't possible unless you set up a clustered file system, which
>> implies having in-band or out-of-band communication channels between
>> guests. This breaks compartmentalization, which is Qubes' raison d'etre,
>> so if you really need this you're better off ditching Qubes and going with
>> plain kvm (or xen) VMs.
>>
>
> I'm not talking about for all guests, and the channel would be one image
> file, read only. Writable only by one guest that does the downloading
> securely and checks and writes the files.

AFAIK it's not possible. You need a clustered FS to see changes in real time.
If you share an image/device you'll have to:
- make sure the guest with write rights has fsync'ed the changes to the FS
  and/or that no cache is involved.
- unmount/remount the shared volume in R/O guests each time you need to read
  new files.

I have no idea if Qubes allows sharing a volume between guests; I'd imagine
that qvm-* commands won't allow that so that users don't shoot themselves in
the foot, but you may be able to achieve this with lower level commands or by
tweaking the qvm-* commands' source.

But since you're sending content from a VM to other guests, the security level
of your R/O guests is basically dependent on the one you download files to, so
you could open some firewall ports and set up a networked clustered FS like
glusterfs.

> One guest has cache and write permissions, nothing else does. Thus, secure.
> More secure than downloading the same thing 50 times.
>

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2b77ccc9-bed7-3095-7b47-b4616cb3f0e1%40maa.bz.
Re: [qubes-users] IMG sharing
On Tuesday, 24 April 2018 15:28:40 UTC+10, Ivan Mitev wrote:
> On 04/24/2018 08:14 AM, Drew White wrote:
> > Is it possible for every guest to share one virtual drive for caching and
> > auto mounting to same location for file transfers?
>
> It isn't possible unless you set up a clustered file system, which
> implies having in-band or out-of-band communication channels between
> guests. This breaks compartmentalization, which is Qubes' raison d'etre,
> so if you really need this you're better off ditching Qubes and going with
> plain kvm (or xen) VMs.
>

I'm not talking about for all guests, and the channel would be one image
file, read only. Writable only by one guest that does the downloading
securely and checks and writes the files.

One guest has cache and write permissions, nothing else does. Thus, secure.
More secure than downloading the same thing 50 times.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/48f543f9-1120-4443-ac73-092ac09156fe%40googlegroups.com.
Re: [qubes-users] IMG sharing
On 04/24/2018 08:14 AM, Drew White wrote:
> Is it possible for every guest to share one virtual drive for caching and
> auto mounting to same location for file transfers?

It isn't possible unless you set up a clustered file system, which
implies having in-band or out-of-band communication channels between
guests. This breaks compartmentalization, which is Qubes' raison d'etre,
so if you really need this you're better off ditching Qubes and going with
plain kvm (or xen) VMs.

> i.e. One file always mounted to each guest and one reads while one writes.
> etc. no need to mount and unmount? And it can be multiple images on different
> locations at once?
>

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/85bffea7-d097-8570-f5a4-7d96cd9f4e73%40maa.bz.