Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
Claudia:

> Is there anything special about any VMs, other than:
> sys-net: provides network, assigned PCI network devices by default,
> clocksyncd service
> sys-usb: assigned USB controllers by default

These two need to be HVMs vs. the default PVH to support PCI passthrough, which means several additional requirements like memory balancing disabled, etc.

> sys-firewall: provides network, netVM=sys-net (as opposed to the global
> default of sys-firewall or sys-whonix)
> sys-whonix: provides network, netVM=sys-firewall (as opposed to the global
> default of sys-whonix in some installations)

It is best to use the Salt commands to recreate *whonix*. They do some additional steps with qvm-features. The Salt commands are plaintext and somewhat human readable, so you can see what they do.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cda9f143-76f3-1fcf-2927-72260192043c%40danwin1210.me.
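The property list the thread settles on for sys-net (provides network, no upstream netvm, HVM with memory balancing off for PCI passthrough, clocksync service, PCI devices attached), written out as a dom0 script; this is an added example, not code from the thread or from the Qubes project. It assumes the Qubes R4.0 syntax of qvm-create, qvm-prefs, qvm-features and qvm-pci, that setting maxmem to 0 is how balancing is switched off, and a constructed PCI id (dom0:00_14.0) standing in for whatever `qvm-pci` lists on a real machine.

```shell
#!/bin/sh
# Recreate sys-net from scratch in dom0 with the properties the thread lists.
# Assumed (not stated in the thread): Qubes R4.0 command syntax, and that
# maxmem=0 disables memory balancing. Set QVM_DRY_RUN=1 to print the commands
# instead of executing them (useful for reviewing before touching dom0).
set -eu

run() {
    if [ "${QVM_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# recreate_sys_net TEMPLATE [dom0:BUS_SLOT.FN ...]
# Builds a fresh sys-net: an AppVM on TEMPLATE that provides network, has no
# upstream netvm, runs in HVM mode with memory balancing off (both needed for
# PCI passthrough), runs the clocksync service and gets the given PCI devices.
recreate_sys_net() {
    template=$1; shift
    run qvm-create --class AppVM --template "$template" --label red sys-net
    run qvm-prefs sys-net provides_network True
    run qvm-prefs sys-net netvm ''                 # sys-net is the edge: no netvm
    run qvm-prefs sys-net virt_mode hvm            # PVH default cannot do passthrough
    run qvm-prefs sys-net maxmem 0                 # assumed: 0 = no memory balancing
    run qvm-features sys-net service.clocksync 1   # clocksyncd runs here
    for dev in "$@"; do
        run qvm-pci attach --persistent sys-net "$dev"
    done
}

# Dry run with a constructed PCI device id (not one taken from the thread):
QVM_DRY_RUN=1 recreate_sys_net fedora-30 dom0:00_14.0
```

With QVM_DRY_RUN unset the same call executes the commands, so run it only in dom0 and only after the old sys-net has been removed.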
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
January 22, 2020 12:21 PM, "unman" wrote:

> On Wed, Jan 22, 2020 at 03:09:31AM +, Claudia wrote:
>
>> January 21, 2020 7:04 PM, "Dan Krol" wrote:
>>
>>> So to clarify:
>>>
>>>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>>>
>>> When you say "need it enabled", you're just referring again to "provides
>>> network", is that correct?
>>>
>>> And secondly: Do I understand correctly so long as any qube sits in between
>>> two other qubes in the networking chain, it automatically acts as a basic
>>> firewall? That's all that sys-firewall is?
>>
>> From what I understand, sys-firewall is special in that it dynamically
>> changes firewall rules for different VMs. That's where the firewall rules
>> in the VM Settings GUI and qvm-firewall are applied. If you just create a
>> new blank VM in place of sys-firewall, you can set up static firewall
>> rules, but it won't by default know how to do any of the dynamic /
>> user-defined rule stuff.
>
> This isn't quite true - there's nothing special about sys-firewall. *Any* qube
> which provides network (and has relevant packages installed) will
> provide dynamic firewall. If you use the full templates it will work
> automatically.

O, so that's what "provides network" means? Now it's starting to make sense. Thanks for clarifying.

Is there anything special about any VMs, other than:

dom0: obviously
debian-10, fedora-30, whonix-{ws,gw}-15: install path is controlled by rpm, i.e. reinstalling the package would overwrite the templateVM image - unlike a user-created or cloned TemplateVM
sys-net: provides network, assigned PCI network devices by default, clocksyncd service
sys-usb: assigned USB controllers by default
sys-firewall: provides network, netVM=sys-net (as opposed to the global default of sys-firewall or sys-whonix)
sys-whonix: provides network, netVM=sys-firewall (as opposed to the global default of sys-whonix in some installations)

So in other words, you could delete any of these, and then just make a new VM with the same template and the same VM settings, and it would function just like the original, without any modifications inside the VM itself? I've heard that recreating a broken sys-net for example is not that simple, so I assumed there was something special about the sys-* VMs (or at least sys-net). Is that not actually the case?
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
On Wed, Jan 22, 2020 at 03:09:31AM +, Claudia wrote:
> January 21, 2020 7:04 PM, "Dan Krol" wrote:
>
> > So to clarify:
> >
> >> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
> >
> > When you say "need it enabled", you're just referring again to "provides
> > network", is that correct?
> >
> > And secondly: Do I understand correctly so long as any qube sits in between
> > two other qubes in the networking chain, it automatically acts as a basic
> > firewall? That's all that sys-firewall is?
>
> From what I understand, sys-firewall is special in that it dynamically
> changes firewall rules for different VMs. That's where the firewall rules in
> the VM Settings GUI and qvm-firewall are applied. If you just create a new
> blank VM in place of sys-firewall, you can set up static firewall rules, but
> it won't by default know how to do any of the dynamic / user-defined rule
> stuff.

This isn't quite true - there's nothing special about sys-firewall. *Any* qube which provides network (and has relevant packages installed) will provide dynamic firewall. If you use the full templates it will work automatically.
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
January 21, 2020 7:04 PM, "Dan Krol" wrote:

> So to clarify:
>
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>
> When you say "need it enabled", you're just referring again to "provides
> network", is that correct?
>
> And secondly: Do I understand correctly so long as any qube sits in between
> two other qubes in the networking chain, it automatically acts as a basic
> firewall? That's all that sys-firewall is?

From what I understand, sys-firewall is special in that it dynamically changes firewall rules for different VMs. That's where the firewall rules in the VM Settings GUI and qvm-firewall are applied. If you just create a new blank VM in place of sys-firewall, you can set up static firewall rules, but it won't by default know how to do any of the dynamic / user-defined rule stuff.
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
> So to clarify:
>
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>
> When you say "need it enabled", you're just referring again to "provides
> network", is that correct?

Yes.

> And secondly: Do I understand correctly so long as any qube sits in between
> two other qubes in the networking chain, it automatically acts as a basic
> firewall? That's all that sys-firewall is?
>
> Thanks again!

I don't know. You can compare iptables rules between your VMs to find out.

You're welcome.

BTW, this mailing list prefers users to reply below the previous message.
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
So to clarify:

> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.

When you say "need it enabled", you're just referring again to "provides network", is that correct?

And secondly: Do I understand correctly so long as any qube sits in between two other qubes in the networking chain, it automatically acts as a basic firewall? That's all that sys-firewall is?

Thanks again!

-Dan

On Tue, Jan 21, 2020 at 7:45 AM shroobi wrote:
>> Hello,
>>
>> I was wondering if there are guides in the docs that I missed which
>> describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
>> and possibly vault). I preferred Debian for my vault. I created a new VM with a
>> black lock icon and no network connectivity. Other than chosen OS, the
>> config looks identical to the out-of-the-box vault VM. Is that all I need?
>> (From a brief look, the salt files seem to imply that it is)
>
> "Vault" VMs have no network access, besides that there is nothing special about
> them. You might like to customize its template, though. For instance,
> multimedia use.
>
>> Similar question for getting my sys-net and sys-firewall onto fedora30
>
> The packages that sys-net and sys-firewall need to function are included
> in templates, except for the minimal templates. That's why the guides
> mention them specifically. Provide sys-net with a device and make sure
> that they provide networking to the next qube in line. Sys-net and
> sys-firewall (and sys-vpn if you use it) will need it enabled. If you
> plan to incorporate whonix into your configuration (with a DispVM and as
> the UpdateVM) then I recommend that you use salt to create everything it
> needs.
Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
> Hello,
>
> I was wondering if there are guides in the docs that I missed which
> describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
> and possibly vault). I preferred Debian for my vault. I created a new VM with a
> black lock icon and no network connectivity. Other than chosen OS, the
> config looks identical to the out-of-the-box vault VM. Is that all I need?
> (From a brief look, the salt files seem to imply that it is)

"Vault" VMs have no network access, besides that there is nothing special about them. You might like to customize its template, though. For instance, multimedia use.

> Similar question for getting my sys-net and sys-firewall onto fedora30

The packages that sys-net and sys-firewall need to function are included in templates, except for the minimal templates. That's why the guides mention them specifically. Provide sys-net with a device and make sure that they provide networking to the next qube in line. Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled. If you plan to incorporate whonix into your configuration (with a DispVM and as the UpdateVM) then I recommend that you use salt to create everything it needs.
[qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)
Hello,

I was wondering if there are guides in the docs that I missed which describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall, and possibly vault). The closest things I found were these, both of which seem to be for more advanced use cases:

* https://www.qubes-os.org/doc/templates/minimal/
* https://www.qubes-os.org/doc/salt/

For instance, I preferred Debian for my vault. I created a new VM with a black lock icon and no network connectivity. Other than chosen OS, the config looks identical to the out-of-the-box vault VM. Is that all I need? (From a brief look, the salt files seem to imply that it is)

Similar question for getting my sys-net and sys-firewall onto fedora30 (current ones on fedora29). Should I:

* Simply change the TemplateVM on existing sys vms to fedora30, and expect it to automagically work after restart?
* Create new fedora30 based VMs, checking certain settings ("provides network", maybe others)?
* Use Salt to configure new ones from scratch?

Thanks in advance,
-Dan