Sorry - I didn't realize you meant on dom0.

Yes the firewall size was the issue. I manually deleted the firewall
entries through Qubes VM Manager and the shopping qube will now start.

Thank you for your help!

On Fri, Mar 24, 2017 at 6:52 PM, Unman <un...@thirdeyesecurity.org> wrote:

> On Fri, Mar 24, 2017 at 03:32:47PM -0700, Nemo wrote:
> > On Friday, March 24, 2017 at 6:07:51 PM UTC-4, Unman wrote:
> > > On Thu, Mar 23, 2017 at 08:00:57PM -0700, Nemo wrote:
> > > > > On Thursday, March 23, 2017 at 10:37:58 PM UTC-4, Andrew David Wong wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA512
> > > > >
> > > > > On 2017-03-23 19:28, Nemo wrote:
> > > > > > I've been writing a bash script that manages firewall settings
> > > > > > from dom0, via qvm-firewall and qvm-run for ping.
> > > > > >
> > > > > > Everything had been safe until an hour ago, when I added in the
> > > > > > qvm-run/ping function. I let it run for about 20 mins, and when I
> > > > > > came back three of my qubes were damaged in a way that made them
> > > > > > unmountable.
> > > > > >
> > > > > > I don't have the terminal readout (I was running bash -x), so I
> > > > > > can't use that to determine where/when the issue occurred. How
> > > > > > else can I access logs to troubleshoot my script, and determine
> > > > > > whether I need to post a bug report?
> > > > > >
> > > > > > I'm new to Linux, but a quick learner.
> > > > > >
> > > > >
> > > > > Can you post the script you were running?
> > > > >
> > > > > - --
> > > > > Andrew David Wong (Axon)
> > > > > Community Manager, Qubes OS
> > > > > https://www.qubes-os.org
> > > >
> > > > Script is attached. It's my first attempt at a bash script, and
> > > > still in progress (and obviously potentially dangerous).
> > > >
> > > > The script is designed to create exclusive access to certain
> > > > services (eg Facebook) for VMs where they should be used (eg Personal). It
> > > > does this by preventing inappropriate VMs from accessing those addresses.
> > > >
> > > > So, all the addresses listed under Banking will be blocked for the
> > > > other VMs laid out in the $vms array, unless that VM is also allowed
> > > > access.
> > > >
> > > > Services that run round-robin DNS, eg google.com, need to be
> > > > blocked multiple times to ensure there is no access to the service. I tested
> > > >
> > > > `qvm-firewall banking -a google.com any`
> > > >
> > > > and determined that running it multiple times in succession will
> > > > eventually block all the (current) round-robin IP addresses.
> > > >
> > > > So, I added a verification feature to the script, which launches a
> > > > while loop. It waits for
> > > >
> > > > `qvm-run -ap banking 'ping -c1 google.com'`
> > > >
> > > > to return "Destination Host Prohibited", indicating that the entire
> > > > round-robin has been blocked. Until then (or until 10 iterations) it will
> > > > continue to qvm-firewall block google.com.
> > > >
> > > > I believe that the verification function is what caused the problem,
> > > > but I don't know how to investigate it. Your thoughts are appreciated!
> > > >
> > > >
> > >
> > > Can you check the size of the firewall rule files for the qubes that
> > > won't start - I assume that that is what you mean by unmountable?
> > > The files are /var/lib/qubes/appvms/<name>/firewall.xml
> > >
> > > 'ls -lh' will show the size
> > > You can use 'ls -lh /var/lib/qubes/appvms/*/firewall.xml' to check
> > > them all.
> >
> > By unmountable I mean that they can't start - sorry, that wasn't clear.
> >
> > When I attempt to start them, I get
> >
> > Error starting VM 'shopping': (2, 'no such file or directory')
> >
> > I've restored two of the VMs from backups, but left 'shopping' to
> > troubleshoot.
> >
>
> Did you check the size?
>
> Look at www.qubes-os.org/doc/firewall/ and see if you have breached the
> 3kb limit referred to.
>
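As an added example, not code from this thread or from the Qubes OS project: a small shell audit for dom0 that performs the check Unman describes above in one place. It lists every qube whose firewall.xml exceeds the size limit the thread refers to and counts the rule entries in each file, so a script loop that kept appending the same destination shows up as a file with hundreds of rules rather than a cryptic "no such file or directory" at VM start. It assumes the path /var/lib/qubes/appvms/<name>/firewall.xml given in the thread, reads the "3kb limit" as 3072 bytes, and assumes each rule is a `<rule` element (an assumption about the file format, adjust the pattern if your files differ). The sample rule files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: audit Qubes firewall rule files against the size limit
# discussed in the thread. Intended to be run in dom0; uses only wc, grep,
# basename and dirname so it works under sh or bash.
set -u

# Assumption: rule files live at $RULES_DIR/<qube>/firewall.xml (path from
# the thread) and the limit is 3 kB, taken here as 3072 bytes.
RULES_DIR="${RULES_DIR:-/var/lib/qubes/appvms}"
LIMIT_BYTES="${LIMIT_BYTES:-3072}"

# Size of one file in bytes; wc -c reads stdin so no filename is echoed,
# and tr strips the leading padding some wc implementations print.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Count rule entries in one firewall.xml. Assumption: each rule is a
# "<rule" element. Prints 0 for an empty or missing file.
rule_count() {
    n=$(grep -c '<rule' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Print "name size rules" for every qube whose firewall.xml is larger than
# the limit. Returns 0 when all files fit, 1 when at least one is too big.
firewall_oversize() {
    dir="$1"
    limit="$2"
    found=0
    for f in "$dir"/*/firewall.xml; do
        [ -f "$f" ] || continue        # unmatched glob leaves the literal pattern
        size=$(file_size "$f")
        if [ "$size" -gt "$limit" ]; then
            name=$(basename "$(dirname "$f")")
            printf '%s %s %s\n' "$name" "$size" "$(rule_count "$f")"
            found=1
        fi
    done
    return $found
}

# Entry point for interactive use in dom0: sh firewall_audit.sh
main() {
    if firewall_oversize "$RULES_DIR" "$LIMIT_BYTES"; then
        echo "all firewall.xml files under $RULES_DIR are within $LIMIT_BYTES bytes"
    else
        echo "the qubes listed above exceed $LIMIT_BYTES bytes; trim their rules with qvm-firewall or Qubes VM Manager" >&2
        return 1
    fi
}

# Set FIREWALL_AUDIT_SOURCED=1 before sourcing to load the functions only.
[ -n "${FIREWALL_AUDIT_SOURCED:-}" ] || main
```

The output line carries the rule count alongside the byte size because the size alone says only that the file is too big; a count in the hundreds for a qube that should have a handful of rules points straight at the loop that appended them. A script that adds rules in a loop should do the equivalent check before each `qvm-firewall -a` call rather than after the qube stops starting.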

