Re: [qubes-users] Install DNSSEC on ProxyVM type (debian) ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-02-12 23:18, ThierryIT wrote: > Hi, > > I think that I have missed something concerning Qubes. When I > installed, let's say "Unbound" packages, after a reboot of the VM > it disappear ... Normal ? > > Thx > You have to install it in the TemplateVM (or, for more advanced users, pick a persistent dir and/or use bind-dirs): https://www.qubes-os.org/doc/templates/ - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYoWLcAAoJENtN07w5UDAwAoQQAM+eiQ77VRPjYIf/0pKepUh0 eMpVANLYuKUC1yOnkyQR4p+eZBY1aRxLenC1y5pZXfk0ZFySKATa+lw2gZR0A6dn oMzZVtMxqDpVs3SQOImFvGEJCrhmaro1NmyL7+xNTgbEIO7Q35Az+AMLT3nNUa5N qclPsdCi48MWki4YhCMOaNLxxeFYlJoN1JMdqVg9wWKfPWWL7t15koO0gB2hWAj0 izroJeb9jDOW73PCo13zIs3nBrgmUnP/1VTg7emipVTfeQabHbpads61dNNSCgfv TEQfXI8+b4TX1ajN5mT90sX5N11OOY0rePRHhhSlRlGMNM+2P6rxjMPvXTrxkF1q 6TX12i2f2MxKg0uY7wJj2bCqG20Mo9sIsbxybvtFXKphnHZYOGaRmasdw4QciW/m 1Ojy9dFUdLlqRSsbJRsk91CE6MwhmCqGQAsJsFd1WKdY6+EyH1cSuNpr+PEt01xl hY91+ljOpI2/wYAQ+cumRV7JAydeCVv59Qs3k5yeFnpeqPMbPe9hKOnTj6eLyDbb WCCHJzmJJ0NIqzEvdsaiJnfOy9gTSKVdX4YIOoC5b2wjW4+vqJwqPUssSC511zpa OxEmKTSN7raMuuNLG370oplr5pRnrA/iolg/W/tDM2TbyfGQuEOHZXh91C6vyKKv mFM7z+UCGxMljbNCEuDN =laqs -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/79cbb644-75b3-bf3c-5fc9-48ba236c472b%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Install DNSSEC on ProxyVM type (debian) ?
Hi, I think that I have missed something concerning Qubes. When I installed, let's say "Unbound" packages, after a reboot of the VM it disappear ... Normal ? Thx -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e04e8da9-5ac4-4f15-aa8c-543db8258506%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] please help: realtek pci-express nic not detected by sys-net
On 02/12/2017 12:44 PM, Surf Nx wrote: The nic works fine on Fedora Live Tried all the following over the last 4 (now 6) days. Please help if possible. rpm -q linux-firmware : linux-firmware-20161205-69.git91ddce49.fc24.noarch Failed with DMA setting at: qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=16384" dom0 dmesg: 02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff) dom0 lspci -k: 02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff) Kernel driver in use: pciback Kernel modules: r8169 dom0 lspci -nn: 02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev ff) sys-net dmesg: pci :00:00.0 [10ec:8168] type 7f class 0xff pci :00:00.0 unknown header type 7f, ignoring device sudo dmesg | grep pci pciback :02:00.0: timed out waiting for pending transaction; performing function level reset anyway ExecStartPre as per the following also failed: [Unit] Description=Netvm Fixup Before=qubes_netvm.service [Service] ExecStart=/bin/sh -c 'echo :02:00.0 > /sys/bus/pci/drivers/pciback/permissive' Type=onshot RemainAlertExit=yes [Install] WantedBy=multi-user.target Realtek nics are garbage, that series does weird things with interrupts so it doesn't play well with iommu. I would say buy something else but I am assuming you have a laptop? then you'd have to buy a new laptop unless you know how to do component re-working. If you have a desktop, then any recent server grade nic is generally a good choice make sure to look for one that supports SR-IOV so that you know it supports FLR and thus can be assigned. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b6fa64c1-b9e7-ced7-7efd-20690a7f88aa%40gmx.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Installation Media Self-Check Confusion
Hello, I have been trying to install R3.2 and even though I have tried burning both usbs and dvds and using different burning programs (including just dd for the usb) it always results in it saying that the .iso is unsupported and the install media is fragmented (20 count with a md5 sum(I can include that if it helps)). The weird part though is that it says it before the media check starts and if I let it finish the check it say's that it passed and will continue to the graphical interface. I also verified it before burning and the files were (reasonably) trust-able. Does anyone have any advice on if it can be trusted in general or have had this happen before? Thanks in-advance for even glancing -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/469e96af-72a1-4bcf-88f3-1896798b8471%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Cant start the AppVM - uninstalled python-numpy.
Hi community :) I ran this on a standalone debian 8 appvm apt-get purge python-numpy Yes, I now know that is not the most cleaver command to run.. It resulted in the following packages got removed: python-numpy python-qwt4-qt4 qubes-core-agent gimp gpsd-clients live-usb-install python-glade2 python-matplotlib qubes-gui-agent w3af python-kivy python-gtk2 python-scipy python-pygame So now I can not boot that AppVM normally.. I can connect to it using: sudo xl console Lab from dom0's console and get a prompt (login as root) but I am missing the /rw directory and everything seems readonly (I wanted to reinstall the uninstalled packages) When i try to run apt-get install (all the packages listed above) it just fails with "Unable to write to /var/cache/apt" because /var is not there and /rw is also not there.. :/ Is there a way to fix this ? Regards Keld. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e0c8cea8-5f06-4740-b6db-a4f28fcda43e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Ad-blocking ProxyVM?
On Friday, February 10, 2017 at 6:21:49 PM UTC-5, Unman wrote: > On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote: > > On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote: > > > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote: > > > > Hello! > > > > > > > > I am trying to set up a proxy vm that will redirect DNS requests to a > > > > local DNS server, for the purposes of adblocking. > > > > > > > > Here is the setup: > > > > > > > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> > > > > appvm_with_firefox > > > > > > > > I have created a proxyvm based on a debian-8 template, and have > > > > installed PiHole (https://pi-hole.net/) as an adblocker. PiHole works > > > > by starting a DNS server (dnsmasq) and rejecting any dns queries to > > > > domains that serve ads. > > > > > > > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 > > > > and open firefox (in the proxyvm), I can verify that the adblocker is > > > > working correctly. > > > > > > > > The issue I am having is when I used the proxyvm as the netvm for > > > > another appvm. Without any other changes, my appvm's firefox has > > > > internet access, but the adblocker has no effect. Of course, some > > > > additional setup is needed, but I'm not exactly sure how to do that. > > > > > > > > I'm not very good with iptables, and every attempt I have made to > > > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both > > > > the proxyvm and the appvm to lose the ability to browse). Here are the > > > > commands I ran (in the proxyvm): > > > > > > > > #!/bin/bash > > > > DNS=127.0.0.1 > > > > NS1=10.137.4.1 > > > > NS2=10.137.4.254 > > > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS > > > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS > > > > > > > > --- > > > > > > > > I pieced this together from what I could find from the VPN > > > > documentation on the qubes website as well as the contents of > > > > /usr/lib/qubes/qubes-setup-dnat-to-ns > > > > > > > > Running the qubes-setup-dnat-to-dns script by itself after changing > > > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any > > > > impact. > > > > > > > > So! My question is, am I going about this correctly? I think I need to > > > > modify the iptables in the proxyvm to redirect any incoming (from the > > > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the > > > > internet, from the proxyvm) DNS queries to get out. Along with this, I > > > > think I need to ensure that there are rules that allow all other > > > > traffic to pass through unhindered. > > > > > > > > Or is there a different, qubes-specific way of handling DNS that I > > > > should be using? After inspecting the sys-firewall ipconfig and > > > > iptables, it is clear that something behind-the-scenes is happening > > > > where an additional NIC is created for each attached appvm, and the > > > > iptables are being populated automatically somehow. I'm not sure how > > > > the proxyvm is supposed to get the addresses of the appvm and > > > > sys-firewall (my script above had addresses hardcoded). > > > > > > > > Thank you for any help! If I get all this working, I'm planning on > > > > making a Salt file that can create the adblocking proxyvm. > > > > > > > > > > I don't see any reason why this shouldn't work. > > > I wouldn't be so specific in the nat rules but that's your call. Just > > > protocol and post would suffice. > > > > > > One obvious point is that you are ADDING those rules to the end of the > > > PR-QBS chain without flushing it first. If you already have redirect > > > rules there they will trigger first. > > > What does your nat table look like after you run that script? > > > > > > Another point may be that you don't have an incoming rule in the INPUT > > > chain allowing inbound traffic to the DNS ports. Unless you've changed > > > this the default rule will block inbound traffic from any vif interface. > > > So you need to ensure you are allowing that traffic with an: > > > iptables -I INPUT -i vif+ -p udp --dport 53 -j ALLOW > > > > > > Finally, you need to consider the effects of the qubes-firewall and > > > qubes-netwatcher services. > > > If you want to retain these you can use > > > /rw/config/qubes-firewall-user-script to override the automatic Qubes > > > configuration and insert your own iptables rules. > > > You can also use rc.local to set initial iptables rules. > > > Remember to make those files executable if you want to use them. > > > > > > Most of this is in the docs, although not easy to find. > > > > > > Hope this helps > > > > > > unman > > > > Thank you for your help, I have more information about my configuration > > be
Re: [qubes-users] Re: Running qvm-create-default-dvm against fedora-24-minimal hangs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-02-12 11:54, qu...@posteo.de wrote: > Hi Andrew, > > thx for adding it to the documentation. On 12.02.2017 03:22, Andrew > David Wong wrote: > >> Thanks. Added: >> >> https://github.com/QubesOS/qubes-doc/commit/308fa866e9533ccfb77b8c6c1b7b0f57446c7f85 >> >> > Can you also add it to > https://www.qubes-os.org/doc/dispvm-customization/ to the bottom > where qubes-core-vm is listed as a requirement? > > Thx again > Added (to the first section, which is a more logical place). - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYoL/VAAoJENtN07w5UDAwih4P/0+V+gmTs2i8rpWS3QmAmA5t ki7E+xsE3gD5RZ5gIpbMPf+8PSMCTVMyZ7RYFm7UWlgmx2QZwWO9ehKwcugNMozh VC46PFvEUr//CSBCWrk8twxEVN9uiIu3RpuWYorAXrC6YSCZofRkMQqQsO9Yakq2 eK4eYD5RYsF7H2GWjPYqs5HVLIEIoWLR8IkLGei4Bt24TG0ptpesABxhrPZc02VZ DZIGs8EL2Clp8AbRLZq/Cb9Bw/1VXkSBe1HcLeAm61On38ZXS/iFx5rdlpeDtesn Apq9VOkGwbmiqcZ7jxJcIgYRGCse9lgFMGaaIIBeXbw/EqpL4Rw/Ff9TccPBT3NN 8Gz3DTK5fUi1l1SsNzrMm0GCgu/8cKbaM0Hj4VPbP4pQImwsiweaP+EeYSwdXwiB t5YMn6QsyjaoSFbvcXPeSPzSoCHSLquBd4IaAZOuIKPI1rBcBVQ3TqrApbllzYLn kjyaGWT2kGwRiUugpQ9FdPr/x66NqliqaysFFaJqRBfVPJcTdDyySUd6oOTSu0/y VsiZKssO1AkTNc+6g+SJEdMiXG86C2fGFMWT/L2WPnki9XbZKHywod1hCtYdxZXE RgGdf4P7iBjC7sMsHib0G0PZDPHSwLWWY+eLXVQK2lc+zC6b38y3f/l1rRj1NYdB GVFfo/Teb+43B7+gUzIG =HGR2 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/641d8495-c322-f825-3591-aef690130327%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Install Qubes on external SSD? Photo edition tools?
On Sun, Feb 12, 2017 at 09:09:57AM -0800, ingrid.mary.vie...@gmail.com wrote: > Hi, > I'm currently using Windows and considering changing OS. > I would like to try Qubes, but first on an external device, while keeping > Windows on my hard drive. > 1. Can I install Qubes on an external SSD or should I try Live USB instead? > 2. Are there advanced photo edition tools for Qubes? For example, Darktable? > Thanks a lot!!! > > -- This is very sensible approach: the live USB is out of date and installing to external disk and booting from there is the best thing to do. Because you run individual qubes based on different templates, you have a range of OS that you can use. This means that you can try different Linux distributions and see what packages are available. You can even mix and match them to your data. What I mean is that you can put your data files in one qube, and start it using a Fedora template with photo editing tools installed. Then shut down, change template to a Debian or Ubuntu template and see what *those* tools are like. You might find that you like tools in one distro more than another, or would like to use some tools from one and some form another. Qubes allows you to do this quite simply, running two different photo editing qubes at the same time and sharing files between them. I'm honour bound to say that you can also run Windows under Qubes. I haven't tried it myself, but people do. There are Qubes tools available to make it easy to work within the Qubes system. I'm not sure what Windows version is supported. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212200127.GB20086%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Running qvm-create-default-dvm against fedora-24-minimal hangs
Hi Andrew, thx for adding it to the documentation. On 12.02.2017 03:22, Andrew David Wong wrote: Thanks. Added: https://github.com/QubesOS/qubes-doc/commit/308fa866e9533ccfb77b8c6c1b7b0f57446c7f85 Can you also add it to https://www.qubes-os.org/doc/dispvm-customization/ to the bottom where qubes-core-vm is listed as a requirement? Thx again -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c8b52096244b6dd96c10cc906ee7c14e%40posteo.de. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: What? Can I access a windows USB drive?
On Sun, Feb 12, 2017 at 09:56:43AM -0800, elsiebuck...@gmail.com wrote: > I'm still stuck here... anyone? > You really haven't given enough information for anyone to help you. I'm going to assume that you are using a default install of Qubes: your sys-usb is based on Fedora-23, and the qube you want to use the drive in is also based on the same template. Please correct me if this isn't correct. There's no such thing as a "windows USB drive". I assume you mean a drive that you used on Windows. You may or may not have formatted the drive: I don't know because you haven't told us. Drives for use on Windows can be formatted using various filesystems: FAT32, NTFS , EXFAT among them. I don't know what you have. Perhaps you don't know. We can find out. You say you know to attach the drive to a qube. Open a terminal in the target qube,and attach the USB drive. Then type 'dmesg' (without the quotes) You should see lots of stuff in the terminal, ending with some lines that say something like "blkfront: xvdi .". If you don't see this then the drive hasn't been attached to the qube. The "xvdi" bit shows the device name that's been allocated to the USB. Now type in "sudo cfdisk /dev/xvdi"(Or whatever device name you have) This will show you the partitions on the USB stick and how they are formatted. Take note. Quit from cfdisk. Open nautilus in the target qube, and look under "Other Locations" You should see the drives from the USB stick there. FAT32 partitions should just load in nautilus out of the box. So should NTFS partitions. If you have EXFAT format, then as Jean-Philippe has said, you will need to install extra packages in the template. If you need help with this, please ask. If you don't see ANY device or Id Type in cfdisk, then it's possible your drive is encrypted and you didn't realise(because it "just worked" under Windows. That's a separate issue but also solvable. So try this and report back what you find. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212194349.GA20086%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: What? Can I access a windows USB drive?
I'm still stuck here... anyone? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/47e61f57-dc82-4ce0-9c3a-dc3585e36582%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: I have a bank vm, how do you restrict
On Sunday, February 12, 2017 at 3:01:23 AM UTC-5, Andrew David Wong wrote: ... > No. I explain the procedure in the first post of that thread. > Please try reading it again. ... Done, works exactly as advertised ! And both vm(s) actually work ! Thank you! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a94ae83-42b4-4902-8ec8-54eb9b7b2cb1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] please help: realtek pci-express nic not detected by sys-net
The nic works fine on Fedora Live Tried all the following over the last 4 (now 6) days. Please help if possible. rpm -q linux-firmware : linux-firmware-20161205-69.git91ddce49.fc24.noarch Failed with DMA setting at: qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=16384" dom0 dmesg: 02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff) dom0 lspci -k: 02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff) Kernel driver in use: pciback Kernel modules: r8169 dom0 lspci -nn: 02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev ff) sys-net dmesg: pci :00:00.0 [10ec:8168] type 7f class 0xff pci :00:00.0 unknown header type 7f, ignoring device sudo dmesg | grep pci pciback :02:00.0: timed out waiting for pending transaction; performing function level reset anyway ExecStartPre as per the following also failed: [Unit] Description=Netvm Fixup Before=qubes_netvm.service [Service] ExecStart=/bin/sh -c 'echo :02:00.0 > /sys/bus/pci/drivers/pciback/permissive' Type=onshot RemainAlertExit=yes [Install] WantedBy=multi-user.target -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/619aa1ef-b3bc-49cb-84d9-36e070c15fd0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Cannot install Qubes 3.2 - black screen of death
On Sun, Feb 12, 2017 at 08:01:23AM -0800, qubesnewbi...@gmail.com wrote: > Another update: > > After pilfering a spare AMD Radeon 5850 video card from one of my other > computers and installing it into the new system, I was able to install Qubes > 3.2 successfully. I saw some video anomalies with 4k, but once I downgraded > to 2540x1600 resolution it worked like a charm. It looks like Qubes/Xen > doesn't like the on-board INTEL graphics on my motherboard. > > A new problem has surfaced, however. I was unable to enable the root account > during setup even though I entered a password for it. I unchecked the "lock > root account" checkbox, but it kept re-checking itself. I am unsure how to > enable it, or if it's even possible. > > Everything else seems to be working fine, but I am still planning to get a > newer video card, so any suggestions would be greatly appreciated. I have > read that AMD/Radeon cards work best, and I was looking at the AMD Radeon > RX400 series or R9 300 series because they both offer Ubuntu/Linux drivers. > > Thank you in advance for your responses. > > -- I think that's the best route to take - there are issues with some cards and with the text installer - what you've done is the accepted workaround. On the question of the root account, I assume you have seen the comment I think that's the best route to take - there are issues with some cards and with the text insta;ller - what you've done is the accepted workaround. On the question of the root account, I assume you have seen the comment in the docs: www.qubes-os.org/doc/vm-sudo at bottom. In a default install the root/user distinction is pretty meaningless, as user has access to all the configuration of the Qubes machine, and has full access to all the data held on it. This is really difficult for some people to understand. (You can, of course, change this policy in dom0 if you wish, trading convenience for a small gain in security.) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212165002.GB19422%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qvm-run --dispvm in dom0
On Sun, Feb 12, 2017 at 03:11:59PM +, Holger Levsen wrote: > hm, xfce4-terminal is a somewhat better terminal, IMHO, but what I really > want is one which I can easily configure to support font-size-resizing > via keyboard-ctrols (ctrl +- works out of the box in gnome-terminal) and > xfce4-terminal doesn't support that :/ sakura and roxterm-gtk(2|3) both satisfy this… -- cheers, Holger -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212163611.GA28663%40layer-acht.org. For more options, visit https://groups.google.com/d/optout. signature.asc Description: Digital signature
[qubes-users] Re: Cannot install Qubes 3.2 - black screen of death
Another update: After pilfering a spare AMD Radeon 5850 video card from one of my other computers and installing it into the new system, I was able to install Qubes 3.2 successfully. I saw some video anomalies with 4k, but once I downgraded to 2540x1600 resolution it worked like a charm. It looks like Qubes/Xen doesn't like the on-board INTEL graphics on my motherboard. A new problem has surfaced, however. I was unable to enable the root account during setup even though I entered a password for it. I unchecked the "lock root account" checkbox, but it kept re-checking itself. I am unsure how to enable it, or if it's even possible. Everything else seems to be working fine, but I am still planning to get a newer video card, so any suggestions would be greatly appreciated. I have read that AMD/Radeon cards work best, and I was looking at the AMD Radeon RX400 series or R9 300 series because they both offer Ubuntu/Linux drivers. Thank you in advance for your responses. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/224beca6-efc4-437a-8e87-a72a7c307087%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qvm-run --dispvm in dom0
On Sun, Feb 12, 2017 at 02:23:20PM +, Unman wrote: > > I'm just puzzled that this doesnt work: > > echo gnome-terminal |/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 > > DEFAULT red > This comes up quite often - perhaps it should be in the FAQ. probably, though best with a satisfying answer :) > I cant do better than quote my last reply: > > This is because gnome-terminal is a stub that calls > gnome-terminal-server to open a new window and then exits. Because the > command you have called exits, the dispVM closes. It's expected > behaviour. ah. (some sort of expected behaviour ;) > There was a solution proposed in issues - #2581 if you are > interested, but it's ugly (proposer's words) and has significant security > risks. I wouldn't touch it, but then I tend not to sue gnome-terminal > anyway. > > And, as Marek pointed out in that thread, this is the reason why the > default config has xterm. hm, xfce4-terminal is a somewhat better terminal, IMHO, but what I really want is one which I can easily configure to support font-size-resizing via keyboard-ctrols (ctrl +- works out of the box in gnome-terminal) and xfce4-terminal doesn't support that :/ For now my workaround is: (using i3) $mod-Shift-Return gives me an xterm in a new disposable VM and then $mod-Return will give me a gnome-terminal in there… -- cheers, Holger -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212151159.GB26296%40layer-acht.org. For more options, visit https://groups.google.com/d/optout. signature.asc Description: Digital signature
Re: [qubes-users] qvm-run fails silently with chromium
On Sun, Feb 12, 2017 at 01:27:30AM -0800, m...@lamarciana.com wrote: > > try this: > > qvm-run -a -p qube "echo $0" > > It returns `bash` > > > and: > > qvm-run -a -p qube "ps aux" > > It includes a `/bin/bash /usr/bin/qubes-session` > > > You may be surprised. > > Also, `echo $SHELL` returns `/bin/bash`. > > I thought that maybe that `bash` process was in fact a subprocess of the > actual `zsh` shell, but `ps aux|grep zsh` returns nothing. > > So, yes, I'm very surprised, and now I understand even less why `~/.zprofile` > is sourced... :) > I'm probably wrong but I think what's happening is this: Look up the process list and you'll see the invocation: su -l user -c /usr/bin/xinit... That's su starting a shell as a login shell: as you have zsh as default shell, .zprofile is read to set env variables, including path. And I think you should have seen the output from qvm-run ps aux included something like "sh -c ps aux". That call to sh is coming from qrexec-fork-server, I think. I hope that makes it a little clearer. It would be interesting to see what happened if you were to relink sh to zsh in the template. I'm looking at a number of issues arising using some non default user shells(tcsh, fish) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212145841.GB18690%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qvm-run --dispvm in dom0
On Sun, Feb 12, 2017 at 01:48:36PM +, Holger Levsen wrote: > On Fri, Feb 03, 2017 at 04:44:14PM +, Unman wrote: > > echo xterm |/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red > > > > will open term in new dispVM > > > > I have this as keyboard shortcut - you can obviously script it to take > > input for command to run. > > thanks, this is very handy! > > I'm just puzzled that this doesnt work: > > echo gnome-terminal |/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 > DEFAULT red > > it starts a new disposible VM but no gnome-terminal pops up, despite it's > installed and when I start it manually from an xterm it comes up just fine?!? > (This is with a Debian 8 dvm.) > > > -- > cheers, > Holger This comes up quite often - perhaps it should be in the FAQ. I cant do better than quote my last reply: This is because gnome-terminal is a stub that calls gnome-terminal-server to open a new window and then exits. Because the command you have called exits, the dispVM closes. It's expected behaviour. There was a solution proposed in issues - #2581 if you are interested, but it's ugly (proposer's words) and has significant security risks. I wouldn't touch it, but then I tend not to sue gnome-terminal anyway. And, as Marek pointed out in that thread, this is the reason why the default config has xterm. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212142320.GA18690%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Cannot install Qubes 3.2 - black screen of death
Update: Today I updated a few more settings in my BIOS (which for some reason got reset after the Fedora install), and I tried installing again. This time, I got sent to the text-based install after seeing a message about "X startup failed - falling back to text mode" I repeatedly encountered the following messages when trying to select destination media (for all options available): "Storage configuration failed: auto partition failed" "Encryption requested for LUKS device but no encryption key specified" I went down the road of investigating the "Rescue Qubes" option, but quickly discovered that's really only for an already installed OS, so I backed out of that. I have a second PC that is older, and doesn't have an SSD drive so I knew it wouldn't work so well with Qubes but I tried installing anyway. I noticed a big difference in the startup routines between both systems. In the older system (which has a EVGA GeForce GTX780 Hydro Copper video card installed), when the installer started I had a nice graphical interface with a big "Q" on it. In the custom system, I see a varying colored blue bar crawling across the bottom of the screen with the text "Generic 23" on the bottom right. At this point, I'm thinking my only option is to install a video card in the new system and try installing again. Does anyone have any suggestions for a card that will support a 4k monitor? Thank you, I appreciate any and all responses. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/598579bd-b745-403c-8df8-3e5473079be1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qvm-run --dispvm in dom0
On Fri, Feb 03, 2017 at 04:44:14PM +, Unman wrote: > echo xterm |/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red > > will open term in new dispVM > > I have this as keyboard shortcut - you can obviously script it to take > input for command to run. thanks, this is very handy! I'm just puzzled that this doesnt work: echo gnome-terminal |/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red it starts a new disposible VM but no gnome-terminal pops up, despite it's installed and when I start it manually from an xterm it comes up just fine?!? (This is with a Debian 8 dvm.) -- cheers, Holger -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170212134836.GA25832%40layer-acht.org. For more options, visit https://groups.google.com/d/optout. signature.asc Description: Digital signature
[qubes-users] offtopic: bitmask vpn
've seen a post asking for invite there. Got time to read about service. 'ven't found anything much more interesting than other vpn service. A lot of market advert claims that show things also available for other vpn services. Lack of technical explanation what innovations they made w/ their VPN compared to other VPN. Why should one prefer that service to anoher? :? Since this is offtopic you could prefer to answer directly. -- Bye.Olli. gpg --search-keys grey_olli , use key w/ fingerprint below: Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABunX6OmdUjghEWKLRRN%2Bub6FWqSTQ-uDmrWW80aATiK8n6wdw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qvm-run fails silently with chromium
> try this: > qvm-run -a -p qube "echo $0" It returns `bash` > and: > qvm-run -a -p qube "ps aux" It includes a `/bin/bash /usr/bin/qubes-session` > You may be surprised. Also, `echo $SHELL` returns `/bin/bash`. I thought that maybe that `bash` process was in fact a subprocess of the actual `zsh` shell, but `ps aux|grep zsh` returns nothing. So, yes, I'm very surprised, and now I understand even less why `~/.zprofile` is sourced... :) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/23ff30d1-f131-467d-a729-2852fea32d58%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: I have a bank vm, how do you restrict
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-02-11 21:46, elsiebuck...@gmail.com wrote: > On Saturday, February 11, 2017 at 9:08:56 PM UTC-5, Andrew David > Wong wrote: >> >> You should try to the method I described here: >> >> https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion >> > >> >> > The difference being instead of google.com use 74.125.192.113, > 74.125.192.100, 74.125.192.102, 74.125.192.138 etc? > > And instead of accounts.google.com use 172.217.5.237? > No. I explain the procedure in the first post of that thread. Please try reading it again. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYoBZEAAoJENtN07w5UDAwE1EP/jvjA468umD0fY7g16rAVG0I LflMhBtvfEfl3XtxXcqorH9egBwC93l8xNh28QWSqR+W82AsKA5EuhxP8qWyF4MG dtRLonjIKeA8pSgmMnmTLpzsG4sjP+BqCCB2gdo93LNpb8/h/vakvGpQvUXak3eA /EMSFeS2lKd3fe1csaText2SrXbGiK6oqLFjuBbLiLQALkFQLxoyNI93kS8q4byr 4NgCABwhE2DWKCkQ9GiwJClp267DChHy2cTnr4BHOTJAX8kyNpsaKWHwPVyBZjBn I1xMqMhtiPyGajgwL0jqvVwImmfpjU8Jg6HzgBoGh0ujIx832MjmpIGiXhHa35zn Eon0Cihi6YXsL9ehBfH/klyvInBnZS8ywhz8i92x4qju/5w5SbzFyCRy7P8LrpAN tyX9lB0LU0RWSzRFsedtGMmFq5UOqK6Sm0CmMFkD2PCOxdOhD7yhZhha5Zs9NdVF 2Mevucet7GkXuiArOuZW7tTtqAvDssW0F1+KPyAWQk3I1ZA5hBK/hRZxF98dZFwz cwhIMoXbBabfQUFKXTvw0Fi8+aOM2XPvCdKhwSKnPMcpEyF156IuALFBcI6Wrj1N Sgs1hCRnjBIENZdhBED7aj8dItiEtrbuUd218qSfLCuSFSf25TksLvsplFVgZz39 LOjSir1xeVDRtmHcidiD =eWLb -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/972797e5-c8e4-82e3-8766-9b28775e9ba9%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
