On 7/28/19 1:36 AM, Chris Laprise wrote:
On 7/27/19 8:27 PM, Jon deps wrote:
pardon my non-sysadmin query:
any chance of some real-world examples? quite a few new terms there.
so install into Debian-9
but step 2 am already lost
e.g. how and where am I "activating" vm-boot-protect in the templatevm?
or during install there is going to appear a choice of which service
to start, then when one opens a TBAVM based on the specified Deb-9
template the protection works at that point?
Go to the VM's Settings / Services tab, and add "vm-boot-protect" as a
service.
Can I install it in a fresh Deb-9, and if it's breaking things, just
delete the fresh Deb-9 template, or is it touching dom0?
It has a second-stage installation step that changes sudo/root access
inside the template. And for that new root config to work, you have to
add a couple dom0 config lines (it shows you the dom0 lines at the end
of the install process).
If you remove the altered Deb-9, the dom0 config lines will stay unless
you change them back. However, in practice there is really no impact on
your unmodified templates, so whether or not to remove the dom0 lines is
a question of tidiness.
As an alternative, per the Readme step 3, you can sidestep the whole
sudo auth reconfiguration.
I guess once installed there is no un-installing?
Currently there is no "purge everything" function or uninstall. You can
remove the service manually by deleting the following:
/lib/systemd/system/vm-boot-protect.service
/usr/lib/qubes/init/vm-boot-protect.sh
/etc/default/vms
I just ended up using vm-boot-protect-root for the sys-net and
sys-usb in qube settings services
per the "Where to use basic examples"
and vm-boot-protect for regular appVMs
think I'll skip it for anything else
sys-net is working (I am using fedora-30 because of the past clock sync
issue) otherwise Deb-9 but just curious what the "additional
networks VMs would be here" proxyVPNVMs?
"The sys-net VM should work 'out of the box' with the
vm-boot-protect-root service via the included whitelist file. Additional
network VMs may require configuration, such as cp sys-net.whitelist
sys-net2.whitelist."
PS: the appVMs seem a bit slower to boot, but could be my imagination? :)