On Friday, March 24, 2017 at 6:07:51 PM UTC-4, Unman wrote:
> On Thu, Mar 23, 2017 at 08:00:57PM -0700, Nemo wrote:
> > On Thursday, March 23, 2017 at 10:37:58 PM UTC-4, Andrew David Wong wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > > 
> > > On 2017-03-23 19:28, Nemo wrote:
> > > > I've been writing a bash script that manages firewall settings
> > > > from dom0, via qvm-firewall and qvm-run for ping.
> > > > 
> > > > Everything had been safe until an hour ago, when I added in the 
> > > > qvm-run/ping function. I let it run for about 20 mins, and when I 
> > > > came back three of my qubes were damaged in a way that made them 
> > > > unmountable.
> > > > 
> > > > I don't have the terminal readout (I was running bash -x), so I 
> > > > can't use that to determine where/when the issue occurred. How
> > > > else can I access logs to troubleshoot my script, and determine
> > > > whether I need to post a bug report?
> > > > 
> > > > I'm new to Linux, but a quick learner.
> > > > 
> > > 
> > > Can you post the script you were running?
> > > 
> > > - -- 
> > > Andrew David Wong (Axon)
> > > Community Manager, Qubes OS
> > > https://www.qubes-os.org
> > 
> > Script is attached. It's my first attempt at a bash script, and still in 
> > progress (and obviously potentially dangerous).
> > 
> > The script is designed to create exclusive access to certain services (eg 
> > Facebook) for VMs where they should be used (eg Personal). It does this by 
> > preventing inappropriate VMs from accessing those addresses.
> > 
> > So, all the addresses listed under Banking will be blocked for the other 
> > VMs laid out in the $vms array, unless that VM is also allowed access.
> > 
> > Services that run round-robin DNS, eg google.com, need to be blocked 
> > multiple times to ensure there is no access to the service. I tested
> > 
> > `qvm-firewall banking -a google.com any`
> > 
> > and determined that running it multiple times in succession will eventually 
> > block all the (current) round-robin IP addresses.
> > 
> > So, I added a verification feature to the script, which launches a while 
> > loop. It waits for
> > 
> > `qvm-run -ap banking 'ping -c1 google.com'`
> > 
> > to return "Destination Host Prohibited", indicating that the entire 
> > round-robin has been blocked. Until then (or until 10 iterations) it will 
> > continue to qvm-firewall block google.com.
> > 
> > I believe that the verification function is what caused the problem, but I 
> > don't know how to investigate it. Your thoughts are appreciated!
> > 
> 
> Can you check the size of the firewall rule files for the qubes that
> won't start - I assume that that is what you mean by unmountable?
> The files are /var/lib/qubes/appvms/<name>/firewall.xml
> 
> 'ls -lh' will show the size
> You can use 'ls -lh /var/lib/qubes/appvms/*/firewall.xml' to check them
> all.

By unmountable I mean that they can't start - sorry, that wasn't clear.

When I attempt to start them, I get

Error starting VM 'shopping': (2, 'no such file or directory')

I've restored two of the VMs from backups, but left 'shopping' to troubleshoot.
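
The verification loop described in the quoted message, written as an added example (it is not the attached script, which does not appear in this thread) so that every iteration is appended to a log file that survives a closed terminal. The function names, the `BLOCK_LOG` path and the overridable `QVM_FIREWALL`/`QVM_RUN` variables are assumptions of this example; the `qvm-firewall` and `qvm-run` invocations are the ones quoted above.

```shell
#!/bin/sh
# Added example: bounded "block until verified" loop with a persistent log.
# QVM_FIREWALL / QVM_RUN default to the dom0 tools named in the thread; making
# them overridable is an assumption of this example, so the loop can be dry-run.
: "${QVM_FIREWALL:=qvm-firewall}"
: "${QVM_RUN:=qvm-run}"
: "${BLOCK_LOG:=$HOME/firewall-block.log}"   # hypothetical log path
MAX_TRIES=10                                  # iteration cap from the thread

log() {
    # Append a timestamped line to the log file.
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$BLOCK_LOG"
}

# block_until_prohibited VM HOST
# Returns 0 once ping reports the block, 1 if the cap is reached,
# 2 on a rejected host name or a failing qvm-firewall call.
block_until_prohibited() {
    bup_vm=$1 bup_host=$2 bup_try=0
    # HOST ends up inside a command line run in the qube: allow only
    # DNS-name/IPv4 characters and refuse anything that looks like an option.
    case $bup_host in
        ''|-*|*[!A-Za-z0-9.-]*) log "reject host '$bup_host'"; return 2 ;;
    esac
    while [ "$bup_try" -lt "$MAX_TRIES" ]; do
        bup_try=$((bup_try + 1))
        # ping exits non-zero when blocked; that is expected, not an error.
        bup_out=$("$QVM_RUN" -ap "$bup_vm" "ping -c1 $bup_host" 2>&1) || true
        log "vm=$bup_vm host=$bup_host try=$bup_try ping: $(printf '%s' "$bup_out" | tr '\n' ' ')"
        case $bup_out in
            *"Destination Host Prohibited"*)
                log "vm=$bup_vm host=$bup_host verified after $bup_try tries"
                return 0 ;;
        esac
        if ! "$QVM_FIREWALL" "$bup_vm" -a "$bup_host" any >>"$BLOCK_LOG" 2>&1; then
            log "vm=$bup_vm host=$bup_host qvm-firewall failed, stopping"
            return 2
        fi
    done
    log "vm=$bup_vm host=$bup_host NOT verified after $MAX_TRIES tries"
    return 1
}
```

After a run, the log shows how many times `qvm-firewall` was invoked for each qube and the last ping output seen before the loop stopped.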
