Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-23 Thread 'awokd' via qubes-users
Claudia:

> Is there anything special about any VMs, other than:

> sys-net: provides network, assigned PCI network devices by default, 
> clocksyncd service
> sys-usb: assigned USB controllers by default

These two need to be HVMs vs. the default PVH to support PCI
passthrough, which means several additional requirements like memory
balancing disabled, etc.

> sys-firewall: provides network, netVM=sys-net (as opposed to the global 
> default of sys-firewall or sys-whonix)
> sys-whonix: provides network, netVM=sys-firewall (as opposed to the global 
> default of sys-whonix in some installations)

It is best to use the Salt commands to recreate *whonix*. They do some
additional steps with qvm-features. The Salt commands are plaintext and
somewhat human readable, so you can see what they do.

-- 
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
- don't top post

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cda9f143-76f3-1fcf-2927-72260192043c%40danwin1210.me.
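The thread's practical upshot is that the sys-* qubes are ordinary VMs distinguished by a handful of properties: Claudia's list in the message below (provides network, netvm, assigned devices) plus the point above that PCI-passthrough qubes must be HVM with memory balancing disabled. The following is an added example, not code from the thread or from the Qubes project: it parses the listing that `qvm-prefs <vm>` prints in dom0, reports which of those properties a recreated qube deviates from, and renders the `qvm-create`/`qvm-prefs` commands for the "new VM, same template, same settings" approach asked about in Dan's original question. The assumed listing format (`<name> <D|-|U> <value>`), the constructed sample output, and spelling "memory balancing disabled" as `maxmem 0` are assumptions; the clocksync service and the qvm-features steps mentioned for whonix are not covered.

```python
"""Check recreated sys-* qubes against the properties the thread lists.

Added example (not from the qubes-users thread or the Qubes project).
Assumptions: `qvm-prefs <vm>` prints one property per line as
"<name> <D|-|U> <value>" (D = default, - = explicitly set, U = unset);
the sample listings are constructed, not captured from a real system;
"memory balancing disabled" for PCI-passthrough qubes is spelled maxmem 0.
"""
from typing import Dict, List

# Properties the thread names for each service qube. "" for netvm means
# "no NetVM" (sys-net is the upstream end of the networking chain).
EXPECTED: Dict[str, Dict[str, str]] = {
    "sys-net": {"provides_network": "True", "virt_mode": "hvm",
                "maxmem": "0", "netvm": ""},
    "sys-usb": {"virt_mode": "hvm", "maxmem": "0"},
    "sys-firewall": {"provides_network": "True", "netvm": "sys-net"},
    "sys-whonix": {"provides_network": "True", "netvm": "sys-firewall"},
}

# Constructed sample: a sys-net rebuilt as a plain AppVM (PVH, balancing on).
SAMPLE_SYS_NET = """\
autostart             -  True
label                 -  red
maxmem                D  4000
memory                D  400
name                  -  sys-net
netvm                 -
provides_network      -  True
template              -  fedora-30
virt_mode             D  pvh
"""

# Constructed sample: a sys-firewall that matches the thread's description.
SAMPLE_SYS_FIREWALL = """\
label                 -  green
name                  -  sys-firewall
netvm                 -  sys-net
provides_network      -  True
template              -  fedora-30
virt_mode             D  pvh
"""


def parse_qvm_prefs(text: str) -> Dict[str, str]:
    """Turn a qvm-prefs listing into {property: value}; unset -> ''."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)      # name, D/-/U flag, rest of line
        if len(parts) < 2:
            continue                     # blank or malformed line
        props[parts[0]] = parts[2].strip() if len(parts) == 3 else ""
    return props


def check_vm(vm: str, prefs_text: str) -> List[str]:
    """Return one message per property that deviates from EXPECTED[vm]."""
    props = parse_qvm_prefs(prefs_text)
    problems: List[str] = []
    for prop, want in EXPECTED.get(vm, {}).items():
        got = props.get(prop, "")
        if got != want:
            problems.append(f"{vm}: {prop} is {got!r}, expected {want!r}")
    return problems


def recreate_commands(vm: str, template: str, label: str) -> List[str]:
    """dom0 commands that create `vm` fresh and then apply EXPECTED[vm].

    qvm-create and qvm-prefs are real dom0 tools; setting netvm to ''
    is how "no NetVM" is expressed on the command line.
    """
    cmds = [f"qvm-create --class AppVM --template {template} "
            f"--label {label} {vm}"]
    for prop, value in EXPECTED.get(vm, {}).items():
        shown = value if value else "''"
        cmds.append(f"qvm-prefs {vm} {prop} {shown}")
    return cmds


if __name__ == "__main__":
    for name, listing in (("sys-net", SAMPLE_SYS_NET),
                          ("sys-firewall", SAMPLE_SYS_FIREWALL)):
        found = check_vm(name, listing)
        print(f"{name}: {'ok' if not found else 'deviations found'}")
        for p in found:
            print("  " + p)
    print("\n".join(recreate_commands("sys-net", "fedora-30", "red")))
```

On a real system the listing would come from `qvm-prefs sys-net` in dom0; the checker flags the two things a plain AppVM gets wrong for a PCI-passthrough qube (PVH mode and memory balancing left on) while leaving the netvm and provides_network settings alone.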


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-22 Thread Claudia
January 22, 2020 12:21 PM, "unman"  wrote:

> On Wed, Jan 22, 2020 at 03:09:31AM +, Claudia wrote:
> 
>> January 21, 2020 7:04 PM, "Dan Krol"  wrote:
>> 
>> So to clarify:
>> 
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
>> 
>> When you say "need it enabled", you're just referring again to "provides 
>> network", is that correct?
>> 
>> And secondly: Do I understand correctly so long as any qube sits in between 
>> two other qubes in the
>> networking chain, it automatically acts as a basic firewall? That's all that 
>> sys-firewall is?
>> 
>> From what I understand, sys-firewall is special in that it dynamically 
>> changes firewall rules for
>> different VMs. That's where the firewall rules in the VM Settings GUI and 
>> qvm-firewall are applied.
>> If you just create a new blank VM in place of sys-firewall, you can set up 
>> static firewall rules,
>> but it won't by default know how to do any of the dynamic / user-defined 
>> rule stuff.
> 
> This isn't quite true - there's nothing special about sys-firewall. *Any* qube
> which provides network (and has relevant packages installed) will
> provide dynamic firewall. If you use the full templates it will work
> automatically.

Oh, so that's what "provides network" means? Now it's starting to make 
sense. Thanks for clarifying.

Is there anything special about any VMs, other than:

* dom0: obviously
* debian-10, fedora-30, whonix-{ws,gw}-15: install path is controlled by rpm,
  i.e. reinstalling the package would overwrite the templateVM image - unlike a
  user-created or cloned TemplateVM
* sys-net: provides network, assigned PCI network devices by default, clocksyncd
  service
* sys-usb: assigned USB controllers by default
* sys-firewall: provides network, netVM=sys-net (as opposed to the global default
  of sys-firewall or sys-whonix)
* sys-whonix: provides network, netVM=sys-firewall (as opposed to the global
  default of sys-whonix in some installations)

So in other words, you could delete any of these, and then just make a new VM 
with the same template and the same VM settings, and it would function just 
like the original, without any modifications inside the VM itself?

I've heard that recreating a broken sys-net for example is not that simple, so 
I assumed there was something special about the sys-* VMs (or at least 
sys-net). Is that not actually the case?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c3317508c056ed1da28cddac69d8ca63%40disroot.org.


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-22 Thread unman
On Wed, Jan 22, 2020 at 03:09:31AM +, Claudia wrote:
> January 21, 2020 7:04 PM, "Dan Krol"  wrote:
> 
> > So to clarify:
> > 
> >> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
> > 
> > When you say "need it enabled", you're just referring again to "provides 
> > network", is that correct?
> > 
> > And secondly: Do I understand correctly so long as any qube sits in between 
> > two other qubes in the
> > networking chain, it automatically acts as a basic firewall? That's all 
> > that sys-firewall is?
> 
> From what I understand, sys-firewall is special in that it dynamically 
> changes firewall rules for different VMs. That's where the firewall rules in 
> the VM Settings GUI and qvm-firewall are applied. If you just create a new 
> blank VM in place of sys-firewall, you can set up static firewall rules, but 
> it won't by default know how to do any of the dynamic / user-defined rule 
> stuff.
> 

This isn't quite true - there's nothing special about sys-firewall. *Any* qube
which provides network (and has relevant packages installed) will
provide dynamic firewall. If you use the full templates it will work
automatically.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200122122131.GB5704%40thirdeyesecurity.org.


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-21 Thread Claudia
January 21, 2020 7:04 PM, "Dan Krol"  wrote:

> So to clarify:
> 
>> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.
> 
> When you say "need it enabled", you're just referring again to "provides 
> network", is that correct?
> 
> And secondly: Do I understand correctly so long as any qube sits in between 
> two other qubes in the
> networking chain, it automatically acts as a basic firewall? That's all that 
> sys-firewall is?

From what I understand, sys-firewall is special in that it dynamically changes 
firewall rules for different VMs. That's where the firewall rules in the VM 
Settings GUI and qvm-firewall are applied. If you just create a new blank VM 
in place of sys-firewall, you can set up static firewall rules, but it won't 
by default know how to do any of the dynamic / user-defined rule stuff.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4bee0fcbad6da1abf3ee7def4eb6fa81%40disroot.org.


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-21 Thread shroobi
> So to clarify:
> 
> > Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.  
> 
> When you say "need it enabled", you're just referring again to "provides
> network", is that correct?
> 
Yes.
> And secondly: Do I understand correctly so long as any qube sits in between
> two other qubes in the networking chain, it automatically acts as a basic
> firewall? That's all that sys-firewall is?
> 
> Thanks again!
I don't know. You can compare iptables rules between your VMs to find out.

You're welcome.

BTW, this mailing list prefers users to reply below the previous message.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/482KyN1jh8z6tmJ%40submission01.posteo.de.


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-21 Thread Dan Krol
So to clarify:

> Sys-net and sys-firewall (and sys-vpn if you use it) will need it enabled.

When you say "need it enabled", you're just referring again to "provides
network", is that correct?

And secondly: Do I understand correctly so long as any qube sits in between
two other qubes in the networking chain, it automatically acts as a basic
firewall? That's all that sys-firewall is?

Thanks again!

-Dan


On Tue, Jan 21, 2020 at 7:45 AM shroobi  wrote:

> > Hello,
> >
> > I was wondering if there are guides in the docs that I missed which
> > describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
> > and possibly vault). I preferred Debian for my vault. I created a new VM
> > with a black lock icon and no network connectivity. Other than chosen OS,
> > the config looks identical to the out-of-the-box vault VM. Is that all I
> > need? (From a brief look, the salt files seem to imply that it is)
> >
> "Vault" VMs have no network access, besides that there is nothing special
> about them. You might like to customize its template, though. For instance,
> multimedia use.
> >
> > Similar question for getting my sys-net and sys-firewall onto fedora30
> The packages that sys-net and sys-firewall need to function are included
> in templates, except for the minimal templates. That's why the guides
> mention them specifically.
> Provide sys-net with a device and make sure that they provide networking
> to the next qube in line. Sys-net and sys-firewall (and sys-vpn if you use
> it) will need it enabled. If you plan to incorporate whonix into your
> configuration (with a DispVM and as the UpdateVM) then I recommend that you
> use salt to create everything it needs.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAWRcS-nFQY57gUhyjPo9pc-uddmEr%3DennLA9t-3jBO-bfJcAA%40mail.gmail.com.


Re: [qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-21 Thread shroobi
> Hello,
> 
> I was wondering if there are guides in the docs that I missed which
> describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
> and possibly vault). I preferred Debian for my vault. I created a new VM with
> a black lock icon and no network connectivity. Other than chosen OS, the
> config looks identical to the out-of-the-box vault VM. Is that all I need?
> (From a brief look, the salt files seem to imply that it is)
>
>
"Vault" VMs have no network access, besides that there is nothing special about
them. You might like to customize its template, though. For instance,
multimedia use.
> 
> Similar question for getting my sys-net and sys-firewall onto fedora30
The packages that sys-net and sys-firewall need to function are included in
templates, except for the minimal templates. That's why the guides mention them
specifically.
Provide sys-net with a device and make sure that they provide networking to the
next qube in line. Sys-net and sys-firewall (and sys-vpn if you use it) will need
it enabled. If you plan to incorporate whonix into your configuration (with a
DispVM and as the UpdateVM) then I recommend that you use salt to create
everything it needs.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4827Xt5j9gz9rxX%40submission02.posteo.de.


[qubes-users] Upgrading/creating "special" VMs (sys-net, vault, etc)

2020-01-20 Thread Dan Krol
Hello,

I was wondering if there are guides in the docs that I missed which
describe proper creation/upgrades of "special" VMs (sys-net, sys-firewall,
and possibly vault). The closest things I found were these, both of which
seem to be for more advanced use cases:

* https://www.qubes-os.org/doc/templates/minimal/
* https://www.qubes-os.org/doc/salt/

For instance, I preferred Debian for my vault. I created a new VM with a
black lock icon and no network connectivity. Other than chosen OS, the
config looks identical to the out-of-the-box vault VM. Is that all I need?
(From a brief look, the salt files seem to imply that it is)

Similar question for getting my sys-net and sys-firewall onto fedora30
(current ones on fedora29). Should I:

* Simply change the TemplateVM on existing sys vms to fedora30, and expect
it to automagically work after restart?
* Create new fedora30 based VMs, checking certain settings ("provides
network", maybe others)?
* Use Salt to configure new ones from scratch?

Thanks in advance,

-Dan

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAWRcS8d%3DQEncmytOcnXkyY8aYeA2puhJmjTO_SRXu8YteNAtw%40mail.gmail.com.